Mar 10, 2026
400 Scientists Signed a Letter Saying Age Verification Is Mass Surveillance—Governments Are Ignoring Them
371 security researchers from 29 countries warn that age verification mandates are building surveillance infrastructure disguised as child protection.
When 371 security and privacy academics from 29 countries publish an open letter calling a government policy "dangerous and socially unacceptable," you would expect legislators to pause. When those signatories include Ronald Rivest, the Turing Award winner whose RSA algorithm secures most of the internet's encrypted traffic, and Bart Preneel, president of the International Association for Cryptologic Research, you would expect them to listen carefully.
They did not.
The open letter, published in early March 2026, targets age verification mandates spreading across Europe and beyond. Its central argument is blunt: these laws do not protect children. They build mass surveillance infrastructure and hand the keys to governments and corporations.
What Age Verification Actually Requires
The letter's technical argument is precise and difficult to refute. Age verification, at its core, requires every user to present a government-issued ID with cryptographic protection for every interaction on the internet. Every search query. Every message sent. Every article read.
This is not an implementation flaw that better engineering can fix. It is the fundamental architecture these laws demand. To prove someone is old enough to access a website, the system must know who they are, verify that identity against an authoritative database, and record the interaction. Multiply that across every website a person visits in a day, and the result is a comprehensive log of an individual's entire online life, authenticated by the state.
The academics are not warning about a hypothetical future. Eight EU countries are already implementing age verification in some form: the UK, France, Italy, Spain, Portugal, Finland, Germany, and Greece. In Italy and France, age verification is already mandatory for certain categories of websites.
Surveillance Infrastructure in Disguise
The letter's most damaging claim is that age verification is surveillance infrastructure masquerading as child protection. The distinction matters. Surveillance infrastructure, once built, does not stay limited to its original purpose.
The academics point out that VPN bans are the logical next step. If users can simply route their traffic through another country to bypass age checks, governments will move to restrict or ban VPN usage. This is not speculation. Authoritarian regimes have already used exactly this playbook to suppress dissent.
Banning VPNs does not just affect people trying to circumvent age gates. It strips protection from journalists communicating with sources, activists organizing under repressive governments, and whistleblowers who depend on encrypted tunnels to stay alive. The collateral damage is not a side effect. It is the predictable outcome of treating anonymity as a threat.
The letter also raises a structural concern about market concentration. Only large corporations can afford to implement the complex identity verification systems these laws require. Open-source developers, like contributors to the Linux kernel or independent browser projects, cannot build government ID verification pipelines into their software. The result is further centralization of the internet around a handful of companies large enough to absorb the compliance costs.
Real-World Failures Are Already Piling Up
The theoretical risks are alarming. The real-world results are worse.
Discord implemented age verification requiring users to upload government-issued photo IDs. The company then suffered a breach that exposed approximately 70,000 of those ID photos. Once a biometric document is stolen, there is no password reset. You cannot change your face.
In Australia, where social media bans for users under 16 took effect in late 2025, a 14-year-old named Sarai Ades demonstrated the futility of the system publicly. Circumventing the restrictions was, in Ades's own words, "so much easier than we could have expected." The verification systems designed to lock out minors failed at their primary job while still collecting identity data from millions of adults.
In the UK, the data tells its own story. After age verification mandates took effect, daily VPN usage doubled from 650,000 to 1.4 million users. The mandates did not stop people from accessing content. They pushed users toward tools that made their traffic harder to monitor, while simultaneously creating a political argument for banning those tools.
Meanwhile, the private sector is moving ahead of the law. Companies including OpenAI, Roblox, and Discord are already implementing age checks in anticipation of future mandates, and Apple just embedded age verification directly into iOS for UK users, creating facts on the ground before the regulatory debate has concluded. Each implementation creates another database of identity documents, another attack surface, another breach waiting to happen.
What the Academics Recommend Instead
The letter does not simply criticize. It offers alternatives that the signatories argue would actually protect children without building surveillance infrastructure.
First, regulate social media algorithms. The harm to children from social media comes primarily from algorithmic amplification of harmful content, not from the mere existence of platforms. Requiring platforms to disable engagement-maximizing algorithms for younger users addresses the actual problem without requiring identity verification.
Second, support local parental controls. Device-level and household-level controls allow parents to manage their children's internet access without requiring every adult in the country to submit identity documents. These tools already exist and can be strengthened without creating centralized databases.
The distinction is critical. Algorithmic regulation and parental controls target the specific mechanisms of harm. Age verification targets the identity of every user, a surveillance approach that is both disproportionate to the problem and demonstrably ineffective at solving it.
The Broader Implications
The 371 signatories understand something that legislators seem unwilling to confront: infrastructure built for one purpose will be used for others. A system that verifies your age today can verify your political affiliations tomorrow. A database of government IDs linked to browsing histories is not a child safety tool. It is a surveillance asset that any future government, regardless of its intentions, will be tempted to exploit.
For compliance officers navigating this landscape, the implications are immediate. Organizations operating across European jurisdictions face a patchwork of age verification mandates with no standardized implementation, no proven privacy-preserving technology, and a growing body of evidence that the systems create more risk than they mitigate. The Discord breach is not an outlier. It is a preview.
The 371 academics who signed this letter are not fringe voices. They are the people who built the cryptographic systems that secure modern communications. When they say age verification is mass surveillance, they are not making a political argument. They are stating a technical fact.
Governments can ignore them. But the math will not change.