Age Checks Are Becoming Hacker Bait. We Need Smarter Rules, Not Bigger Data Piles
Age verification was meant to protect young people online. In practice, it is creating rich new targets. Every selfie, passport scan and credit card check that confirms a date of birth also concentrates enough personal data to fuel identity theft, fraud and deepfake abuse. Two recent breaches, at Discord and Tea, show how fragile the current approach has become. Both firms introduced age checks to satisfy new safety laws. Both ended up with caches of sensitive material that criminals crave.
The logic behind stricter verification is simple. Self declaration does not work. Legislators in the UK, Europe, France and Australia now push platforms to use stronger signals, such as document matching, face analysis or payment rails. The aim is sound. The execution is not. Each step toward stronger proof has loaded more risk into complex technical stacks, often stitched together with third party vendors and opaque data flows.
The third party problem
Most platforms do not build age checks from scratch. They plug in vendors that handle document scans, biometric comparisons and decisioning. This outsourcing can be sensible, but it multiplies the attack surface. A platform may promise minimal retention, yet its supplier may cache images for model training, dispute handling or uptime diagnostics. Contracts can insist on deletion, but deletion is hard to audit, especially across vendors based in other jurisdictions.
Discord’s incident highlights this fragility. The company introduced age checks to comply with the UK Online Safety Act. It later confirmed that tens of thousands of users may have had photo IDs exposed through a supplier. Tea, an app that requires a selfie and ID to register, reportedly had both images and content leaked. These cases are not outliers. Recent attacks on service providers for government, retail and defence have shown a consistent pattern. Criminals go where the data density is highest, and where accountability is most diffuse.
Guidance without teeth
Regulators are not blind to the risk. UK guidance urges platforms to verify age without collecting or storing personal data unless absolutely necessary. GDPR already leans toward data minimisation. Ofcom and the ICO have both published advice. Yet advice is not the same as enforceable architecture. When systems rely on cross border vendors, and when logs, backups and machine learning pipelines all copy fragments of the same identity data, promises about deletion and minimal retention strain credulity.
The gap is practical. Guidance tends to focus on policy. Attackers probe the implementation. If a supplier mirrors a database for resilience, or if a content delivery network caches images for performance, that can create new islands of risk. If an AI model is fine tuned on verification images, it can be hard to prove those images were purged from training sets later. Even when everyone acts in good faith, complexity invites error.
Biometrics and the deepfake dividend
The harms are evolving. Stolen selfies and passport scans once enabled relatively crude fraud. Today they feed far more capable criminal tooling. Voice clones trained from public clips, face swaps guided by leaked selfies, and synthetic IDs assembled from real document numbers all lift the success rate of phishing and account takeovers. Biometric reuse is uniquely toxic. You can change a password. You cannot rotate your face.
This is why age checks that rely on biometric uploads should be treated as critical infrastructure, not as a minor feature. The security bar must be higher than the norms of consumer web development. The same goes for vendor oversight. Platforms should expect to prove, not just assert, that images and scans were never stored, or were deleted irreversibly.
What a safer model looks like
There is a way to square safety with privacy, but it requires a shift in defaults.
- Local first, ephemeral by design. Run age estimation on device where possible, return only a yes or no, and never export the raw image. If a document scan is unavoidable, encrypt it locally, send it for a single pass decision, and enforce cryptographic deletion with verifiable logs. Treat every copy as a liability.
- Zero retention as the norm. Vendors should offer provable short lived processing with tamper evident deletion receipts. Contracts must mandate deletion across hot storage, backups, caches and training corpora, with penalties that hurt.
- Proofs, not pictures. Use privacy preserving techniques, such as verifiable credentials and selective disclosure. A user presents a cryptographic attestation that they are over 18 from a trusted issuer, not a scan of a licence. Platforms validate the proof without learning the underlying data.
- Separation of duties. Keep identity providers, content platforms and verification vendors in separate trust zones with audited interfaces. If one zone is breached, the blast radius should be limited.
- Breach ready by default. Assume compromise and design for resilience. Watermark verification flows, monitor for unusual vendor access patterns, and publish clear deletion and response timelines. Users deserve prompt, plain language notification and practical support.
- Regulation with enforcement power. Guidance must harden into standards with certification, testing and fines. Regulators should be able to audit vendor chains, demand technical proofs of deletion, and restrict biometric processing to audited implementations.
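The "proofs, not pictures" item can be made concrete with salted-hash selective disclosure, shown here as an added example that is not taken from any platform or vendor named in this article. Assumptions: the claim names, the sample values and the three function names are hypothetical, and an HMAC stands in for the issuer's public-key signature so the sketch runs on the Python standard library alone.

```python
import hashlib
import hmac
import json
import secrets

def _claim_digest(salt: str, name: str, value) -> str:
    # Salted commitment: without the salt, a digest reveals nothing useful about the claim.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def issue(issuer_key: bytes, claims: dict):
    """Issuer: commit to every claim separately, then sign only the digests."""
    disclosures = {n: (secrets.token_hex(16), v) for n, v in claims.items()}
    digests = sorted(_claim_digest(s, n, v) for n, (s, v) in disclosures.items())
    payload = json.dumps({"digests": digests})
    # Stand-in (assumption): a real issuer uses an asymmetric signature here,
    # so the platform can verify credentials but cannot mint them.
    tag = hmac.new(issuer_key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}, disclosures

def present(credential: dict, disclosures: dict, reveal: list) -> dict:
    """Holder: send the signed digests plus salt and value for the chosen claims only."""
    return {"credential": credential,
            "revealed": {n: disclosures[n] for n in reveal}}

def verify_over_18(issuer_key: bytes, presentation: dict) -> bool:
    """Platform: check the issuer's tag, then check the one revealed claim."""
    cred = presentation["credential"]
    expected = hmac.new(issuer_key, cred["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["tag"]):
        return False
    revealed = presentation["revealed"].get("age_over_18")
    if revealed is None:
        return False
    salt, value = revealed
    signed_digests = set(json.loads(cred["payload"])["digests"])
    return value is True and _claim_digest(salt, "age_over_18", value) in signed_digests

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample values throughout
    claims = {"name": "Sample Person", "birthdate": "1990-01-01", "age_over_18": True}
    cred, disc = issue(key, claims)
    shown = present(cred, disc, ["age_over_18"])
    print(verify_over_18(key, shown), "birthdate" in shown["revealed"])
```

The platform ends up holding one boolean and a set of opaque digests, so a breach of its store leaks no date of birth or document image. The sketch omits holder binding and replay protection, which deployed credential schemes add with a holder key and a verifier nonce.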
Less data, better safety
Age checks are not going away. Nor should they. Children deserve protections, and platforms need tools that actually work. The lesson from Discord and Tea is not that verification is doomed; it is that data hungry designs are brittle. Collect less. Keep it for less time. Prove it was deleted. Replace raw images with cryptographic proofs. Treat third parties as potential single points of failure, not as convenient shortcuts.
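"Prove it was deleted" depends on the tamper evident deletion receipts asked of vendors earlier. The added example below (not code from any vendor or regulator) chains receipts by hash so an auditor can detect edited, dropped or reordered entries; the field names, store names and functions are assumptions. It makes the receipt log tamper evident and does not by itself prove the bytes are gone.

```python
import hashlib
import json

GENESIS = "0" * 64  # value the first receipt links back to
# Assumed store names, mirroring "hot storage, backups, caches and training corpora".
REQUIRED_STORES = {"hot", "backup", "cache", "training"}

def _digest(body: dict) -> str:
    # Canonical JSON, so identical receipts always hash identically.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def append_receipt(log: list, request_id: str, stores: list, deleted_at: str) -> dict:
    """Vendor side: record one deletion. Only an opaque request ID is logged,
    never the image or a hash of it."""
    body = {
        "seq": len(log),
        "request_id": request_id,
        "stores": sorted(stores),
        "deleted_at": deleted_at,
        "prev": log[-1]["receipt_hash"] if log else GENESIS,
    }
    receipt = dict(body, receipt_hash=_digest(body))
    log.append(receipt)
    return receipt

def verify_log(log: list, published_head: str) -> bool:
    """Auditor side: each receipt must hash correctly, link to its predecessor,
    and the chain must end at the head hash the vendor published earlier."""
    prev = GENESIS
    for seq, receipt in enumerate(log):
        body = {k: v for k, v in receipt.items() if k != "receipt_hash"}
        if body.get("seq") != seq or body.get("prev") != prev:
            return False
        if _digest(body) != receipt.get("receipt_hash"):
            return False
        prev = receipt["receipt_hash"]
    return prev == published_head

def uncovered_stores(receipt: dict) -> list:
    """Stores the contract requires but this receipt does not cover."""
    return sorted(REQUIRED_STORES - set(receipt["stores"]))

if __name__ == "__main__":
    log = []  # constructed sample data
    append_receipt(log, "req-0001", ["hot", "backup", "cache", "training"], "2025-01-01T00:00:05Z")
    head = append_receipt(log, "req-0002", ["hot", "cache"], "2025-01-01T00:01:10Z")["receipt_hash"]
    print(verify_log(log, head), uncovered_stores(log[1]))
```

The head hash only constrains the vendor if it is published somewhere the vendor cannot later rewrite, such as a regulator's register or the platform's own audit store.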
If policymakers want safer platforms, they must align incentives with minimisation and verifiability. If platforms want to keep user trust, they must invest in architectures that assume attackers are already circling the richest troves. The path forward is not more paperwork and larger databases. It is a smaller footprint, stronger math and fewer places to hide the evidence when something goes wrong.
