Search papers, labs, and topics across Lattice.
This paper conducts the first empirical security assessment of age verification systems mandated by regulations for adult websites, revealing significant vulnerabilities in their implementation. The study combines ecosystem mapping, adversary modeling, and empirical testing across four countries, highlighting systemic weaknesses in various verification methods, including document-based and biometric approaches. Key findings indicate that these systems fail to provide adequate security against low-cost attacks, raising serious privacy concerns for users' sensitive identity-related data.
Current age verification systems for adult content are alarmingly insecure, exposing users to significant privacy risks from low-cost attacks.
Age verification is rapidly emerging as a central regulatory instrument for protecting minors online, with several jurisdictions mandating its deployment for access to adult and pornographic content. This regulatory direction raises significant privacy concerns, as it risks binding sensitive content access to identity-related attributes. It also introduces security risks, since age-verification mechanisms are often outsourced to third-party providers with limited transparency into the robustness of their verification processes. In this work, we conduct, to the best of our knowledge, the first exploratory security assessment of regulation-mandated age-verification mechanisms deployed by adult websites. Rather than treating age verification as a purely regulatory question, we empirically examine whether current deployments provide security guarantees commensurate with the privacy risks of relying on sensitive identity-related data. Our methodology combines ecosystem mapping, adversary modeling, and empirical testing across four countries, covering document-based verification, biometric age estimation, indirect signals, and website-workflow integration. Our results reveal systemic weaknesses across mechanisms and integrations under realistic threat assumptions, including failures against low-cost, widely accessible attacks. Finally, we derive concrete guidelines and design directions for mitigating the security and privacy risks exposed by current age-verification deployments.