A company tasked with confirming users’ ages before they access adult content may be compromising their privacy by leaking detailed browsing data, according to a report by the nonprofit AI Forensics.
The group’s investigation highlights serious flaws in how some sites are complying with growing online age-check requirements, raising new concerns about surveillance and data exposure under the guise of protecting children.
More: The Digital ID and Online Age Verification Agenda
France’s law requires that users’ identities remain concealed, not just from adult websites, but from the age verification services themselves.
Known as “double anonymity,” this standard is meant to ensure that those performing the verification process have no knowledge of which websites users are visiting or what content they attempt to access.
But AI Forensics found that AgeGO, one of the verification systems in active use, doesn’t meet those expectations.
Instead, AgeGO’s system reportedly transmits precise details about the user’s activity, including the URL of the video being viewed and the name of the website.
The service also collects facial scans, IP addresses, browser details, and email addresses, then sends this data to Amazon Web Services.
The company, which operates out of Spain and follows looser UK-based privacy rules, did not respond to media inquiries, according to Politico EU.
Operators of adult sites in France say they were pushed to implement systems like AgeGO under tight deadlines following mounting pressure from Arcom, the national media regulator.
Speaking anonymously to Tech&Co, one such operator said, “We had warned in advance that it was not ideal, but the haste was such that we could not do otherwise.”
Since early this year, French users have been required to verify their age before accessing pornographic websites.
Several technical approaches have emerged, but not all of them respect the spirit, or the letter, of France’s privacy laws.
Although the CNIL, France’s data protection authority, and Arcom have yet to publicly address the issue, the latter has acknowledged to Le Parisien that it is reviewing the AI Forensics findings.
As the push for mandatory age checks spreads to more jurisdictions, privacy questions are mounting.
In the US, where the absence of a national privacy law creates wide variations in how personal data is handled, the Age Verification Providers Association is calling for a unified legal framework:
“It is harder to win trust in the US because there is no comprehensive federal privacy law, so people rely on a patchwork of state rules and sector laws. That inconsistency understandably breeds doubt about who holds personal data and for how long,” the group said in a statement this week.
Workarounds exist; privacy-conscious users can turn to paid VPNs or alternative DNS services to avoid local filtering.
