X-rated compliance theater

X-rated compliance theater

Simone Lavermicocca, Michele Carminati, and Stefano Longari’s 2026 preprint reports a black-box security evaluation of deployed age-verification systems on adult websites across four European countries. The preserved preprint covers document checks, facial age estimation, indirect signals, and website integration.

The tested systems were heterogeneous and frequently bypassable. Weaknesses included client-side gates, long-lived cookies, shareable verified accounts, temporary contact details, low-effort document attacks, and jurisdiction changes through a VPN. Stronger verification at enrolment did not repair a website that delivered content before checking authorization or reused transferable access artifacts.

The paper does not show that privacy-preserving verification is impossible. It argues that robustness and privacy require architectural separation: one party establishes age without learning the destination, while the site receives an unlinkable threshold proof without identity. No actor should be able to reconstruct both identity and browsing intent.

Its scope is an evolving sample of current adult-site deployments, not the production EU common solution. The finding is therefore evidence against trusting compliance labels or vendor claims without independent audit, not proof that every future implementation will fail.

The study supplies the deployment counterpoint to EU age verification framework 2026 and EDPB Statement 1 2025 on age assurance.

Sources

  1. arxiv.org