The parent company of Pornhub is calling on Apple, Google and Microsoft to build age verification into the devices they sell in Britain so that its checks to halt children accessing adult content are not limited to a site-by-site basis.
Sites have begun voluntarily adopting age requirements since the Digital Economy Act 2017 — which passed following evidence obtained by The Mail on Sunday of underage access — but these remain inconsistent and failing youngsters while creating fresh risks for privacy and censorship, according to MindGeek. The push shines a spotlight on a brewing policy battle over who should police age online: the individual websites or the operating systems and browsers that most people use every day.
What Pornhub asks of Apple, Google and Microsoft
Aylo, parent company of Pornhub, RedTube and YouPorn, wrote a letter to the three companies calling on them to enable what it described as a system where device makers verify the age of users once and pass along a simple “age signal” to websites through an application programming interface. Site-based checks are leaky and cumbersome by definition, the company’s chief legal officer, Anthony Penhale, said, while platform-level controls would be both more effective and more privacy protective.
Practically speaking, Aylo is requesting that the companies behind iOS, Android and Windows allow for an app or browser to verify whether someone falls within a certain age range without having to send sensitive personal data such as IDs or selfies. The same age signal, the company argues, should apply across native apps and the open web, in order to reduce friction among adults while making it more difficult for teenagers seeking to circumvent filters by hopping en masse over to another site.
Why site-based age checks face ongoing resistance
Dozens of jurisdictions around the world, including in the United States, have passed or proposed laws that would require adult sites to verify people’s ages through a government-issued form of identification, a credit card check or biological scan. France’s media regulator ARCOM and the UK’s Online Safety Act also envision “age assurance” at the level of individual sites, and an expanding number of U.S. states have implemented such requirements. But enforcement has been spotty, litigation continues and workarounds — VPNs, mirror sites and traffic shifting to overseas platforms — are common.
Both researchers and civil liberties groups alerted that by uploading identity documents to individual sites, it creates appealing troves for data thieves and chills lawful adult access. Both the Electronic Frontier Foundation and the Free Speech Coalition have argued that site-based laws produce overblocking and can drive users into more lightly regulated corners of the internet. Facing a few state laws, some adult sites have taken the step of temporarily blocking their content, rather than take on the liability that comes with maintaining it — revealing the very real costs of having a fragmented regime.
Meanwhile, exposure is widespread. A study from Common Sense Media found that an overwhelming majority of teenagers have already seen online pornography — and not infrequently before high school. Those figures highlight the policy conundrum: Even as there is more gatekeeping at the site level, teens can still find content, and adults encounter new obstacles and privacy trade-offs.
How device-level age assurance might work
On a device-first model, operating systems would do a one-time, on-device age check — accepting account data, parental settings or third-party credentials or privacy-preserving proofs — and then present to apps and websites either a binary or age-range attribute. It would not disclose the identity of the user, only that they are above some threshold such as 16+ or 18+.
This is consistent with tools the platforms already provide. Apple’s Screen Time and Communication Safety tools block explicit content and limit age-appropriate access. There are account-level controls in Google’s Family Link and SafeSearch. Family Safety by Microsoft offers content filters across Windows and Xbox. Scaling these systems up to a public, standardized age attestation system provided privacy-first would allow publishers to trust the firehose with only an assertion of age and have no need for collecting IDs.
It could rely on evolving standards such as verifiable credentials and token-bound tokens to limit the amount of data that would be collected. Organizations like the W3C and FIDO Alliance are already solving the problem of identity attestation at the protocol level, which could be used to support claims of age without needing to centralize personal data. Yet, it is not without thorny issues: shared household devices; the risk that someone might spoof another participant’s signal; jurisdictional discrepancies over the minimum age requirement; and a demand for independent audits and appeals.
The stakes for regulators and platforms in this debate
Regulators are looking for a tangible reduction in youth exposure, not just better paperwork. There could be an end-to-end, platform-level solution that is more comprehensive — one that applies consistently across browsers and apps — while removing some of the incentives for users to go from site to site in an effort to avoid checks. It could also help reduce the risk of data breaches by not having IDs held by publishers in bulk.
But giving gatekeeping power to the operating system vendors has its own issues as well. Policymakers will have to consider questions like whether a few technology titans should adjudicate age claims on the whole web; how to avoid anti-competitive lock-in; and what oversight ensures that the system is privacy-preserving and nondiscriminatory. We need transparency reports, third-party audits and open standards.
What comes next for age verification on devices and web
Aylo’s letters raise a debate that has been simmering among child-safety advocates, publishers and privacy groups for years. Apple has referred to current protections for teens and a child online safety white paper that emphasizes the responsibility of platforms, while not making publicly such a promise around universal age signaling. Google and Microsoft haven’t outlined if they’ll adopt a device-embedded verification structure in web and app domains.
The most credible short-term roadmap here isn’t option 1, but a pilot: voluntary, privacy-preserving age attribute surfaced by major browsers — with clean developer guidance and opt-in take-up on the part of publishers in regulated industries or domains. If the numbers indicate that there are fewer teens able to access while not overblocking adults or increasing surveillance, then regulators will steer things toward a model that more closely resembles that. If not, the convoluted patchwork of site-based mandates — and the legal and practical chaos it entails — will persist.
