Assessing age assurance technologies
Wouter Lueks, Stephan Dreyer, Hannes Federrath, and Judit Simon’s 2026 survey compares age verification, age estimation, inference, and parental control across online, device-based, and credential-based architectures. The preserved preprint evaluates effectiveness, side effects, and social acceptance together.
The paper’s central conclusion is that no AAT is perfectly robust. VPNs, adult assistance, account sharing, and device transfer place an upper bound on effectiveness. Making circumvention impossible would require restrictions on general-purpose tools and open systems that would themselves damage privacy, anonymity, information access, and competition.
Where a check is justified, the authors prefer on-device parental controls, then device-based checks, then credential wallets with strong privacy guarantees. For legally restricted adult content, they regard credential proofs as the minimum acceptable mechanism because the service needs verifiable evidence without receiving the person’s identity.
For wallet proofs, the paper says high-level promises such as data minimization are insufficient. Rules should require selective disclosure, issuer and verifier unlinkability, user-controlled processing, no retention beyond the attestation, and open, publicly audited cryptographic protocols. It also warns that operating-system and platform companies could become dominant identity and compliance brokers.
The argument informs Age assurance and EU age verification and Internet privacy.