| Internet-Draft | Age Restrictions as Internet Architectur | July 2025 |
| Nottingham | Expires 10 January 2026 | [Page] |
Jurisdictions around the world are considering (or already implementing) age restriction systems for Internet content. This document explores the architectural considerations that such systems are likely to encounter, and makes recommendations about the properties they should have, if they are to be a successful part of the Internet infrastructure.¶
This note is to be removed before publishing as an RFC.¶
Status information for this document may be found at https://datatracker.ietf.org/doc/draft-nottingham-iab-age-restrictions/.¶
information can be found at https://mnot.github.io/I-D/.¶
Source for this draft and an issue tracker can be found at https://github.com/mnot/I-D/labels/age.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 10 January 2026.¶
Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The young are often unprepared for the sorts of things they might find online.¶
Maturity, education, and the guidance of responsible adults can help children navigate online interactions, but age is often regarded as the best indicator of how able a person is to cope with exposure to content.¶
Increasingly, policymakers are proposing regulation that restricts what content young people can access online. A recurring theme in these efforts is that it is no longer considered sufficient to rely on self-assertions of age. A number of jurisdictions have enacted - or are in the process of enacting – laws that take steps to provide stronger guarantees that children are not exposed to certain content.¶
Age restrictions are already deployed on the Internet; for example, some Web sites already require some proof of age to create an account. However, when deployments become more widespread, they tend to have greater impact upon the Internet architecture. Systems that are designed for deployment in a single, homogenous domain rarely are suitable for the diversity of requirements and considerations that apply to Internet-scale systems.¶
Section 2 catalogues the aspects of Internet architecture that such systems should consider. Section 3 suggests the properties that an age restriction system should have to be a healthy part of the Internet infrastructure.¶
This section catalogues some aspects of the Internet architecture that age restriction systems should consider.¶
Inherently, any age restriction system involves controlling access to content and services on the Internet. That control -- along with the potential for access to information about people's activities online that comes with it -- is immensely valuable to various parties, often for purposes other than those that policymakers have in mind.¶
How and where that control is exercised thus becomes an important consideration.¶
For example, if an age restriction system requires verification by a single party, that party will have access to a significant amount of sensitive information about people's activities on the Internet. Such systems can be leveraged for a variety of purposes beyond those intended by policymakers -- both by that party itself, and by individuals, organized criminals, and nation-state actors who are able to perform successful cyber attacks against it.¶
It also means that any party operating the system has extraordinary access, and thus risk of abuse, especially if their incentives are not aligned with other participants in the system.¶
In both cases, having only one entity operating the system increases the associated risks dramatically, as this effectively centralizes control in their hands while simultaneously presenting a single target to attackers.¶
Thus, centralisation is a primary consideration for age restriction systems. Internet infrastructure is designed in a way to avoid centralization where it is technically possible, or to mitigate centralization risks where it is not. [CENTRALIZATION] explores these issues greater detail.¶
It is technically challenging to design an age restriction system that would be considered to meet the security and privacy requirements for Internet standards.¶
A system that exposes the list of services that a person uses to the entity that verifies their age puts that person at risk, because it allows the verifying entity to develop a profile of their Internet activity and track them. The risks here are similar to those seen on the Web, which the Internet standards community has spent considerable efforts in mitigating (see e.g., [RFC7258]).¶
A system that exposes attributes of the person whose age is being verified to the service they are accessing also creates privacy and security risks for them, because many services do not need access to those attributes, and are likely to abuse them. For example, an age verification system that also exposes the country a person is a citizen of allows sites to discriminate against that attribute, which is beyond the purpose of age restriction.¶
Exposing information about Internet users to third parties creates powerful incentives. In particular, commercial interests desire access to it to be able to track activity across the Internet so that this can be sold (to advertisers, insurers and others), and so they will use (and abuse) any facility that offers such information to learn about what people are doing.¶
Critically, even small amounts of information can aid these purposes, because they can be aggregated with other information (like IP addresses, browser characteristics, and so on) to create a unique identifier for each Internet user.¶
Many existant proposals for age restriction systems require its users to have certain capabilities -- for example, a personal smartphone, a government credential, or a camera with certain resolution.¶
When such requirements are imposed, some number of people will be disenfranchised from full use of the Internet – especially if age restriction becomes pervasive across many services.¶
For example, many people only have Internet access from public computers (such as those in libraries), and do not have exclusive or reliable access to a “smart” phone. Others lack government-issued identity documents that some schemes rely upon.¶
While such restrictions may be palatable in a closed system (such as on a single platform or in a single jurisdiction), they are not suitable for Internet-wide deployment.¶
If an age restriction system relies too much on legal controls rather than technical capabilities, those controls are likely to be inconsistently applied in different jurisdictions, leading to different experiences for Internet users around the globe.¶
Likewise, a solution that requires special access to computers (such as in “trusted platform modules” or otherwise mandates conformance on people’s computers introduces a risk of limiting the kinds of computers that can be used on the Internet – for example, Open Source Operating Systems and Web browsers are generally unable to provide such assurances.¶
While these tradeoffs may be reasonable in a single jurisdiction, too many differences between jurisdictions will create barriers to Internet-wide deployment of services, creating not only centralization risks, but also fragmentation risks -- that the Internet will work in different ways depending on where you are.¶
The Internet is designed to be used without permission, both be servers and clients. Easy-to-use age verification mechanisms risk creating a ‘papers please’ Internet, where a credential is required to access large portions of the Internet. Such an outcome would amplify the other harms listed.¶
This risk is heightened if there are incentives for sites to deploy it, such as access to non-age data.¶
Access to more granular age information also heightens many risks, because it makes a verification system simultaneously useful in a broader variety of cases, and more attractive for misuse, because it offers more information about users.¶
This document has no instructions for IANA.¶