
Device Based Age Verification

So Pornhub announced a couple of days ago that as of 1/1/25, Florida will be blocked from accessing the site. It has something to do with requiring Florida residents to enter their driver’s license (or NDID) numbers into the site to verify their age.

So it raises the question: is the site supposed to simply decode the number to extract a birthdate, which could be done quite simply (and would be easy to evade), or will it have to actually validate it, which would require a service provided either by the state or by a 3rd party? Either one opens the door to all kinds of bad things like:

  • User tracking.
  • Problems if the remote service goes down or experiences connectivity issues.
  • Cost – who gets paid for this wonderful service?
  • Denial of Service – what if the service provider suddenly decides to stop working with Pornhub or some other content provider?

Not to mention people stealing and sharing “known good” driver license numbers.

Placing the “user not authorized for this content” system on the user’s device feels like a better solution. Given cooperation between the device, OS, and web browser, it could be implemented with relative ease as a special, reserved, read-only cookie (e.g. __device_is_age_restricted) that always has one of two values: yes if the user is age-restricted, no if not. If a site asks for that cookie and it tests true, the site can refuse content, redirect the user elsewhere, etc. The website would need to decide how to respond if the cookie is not present, but could refuse to provide content just to be safe.
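
The site-side check described above, as an added example that is not code from the original post. Only the cookie name and its yes/no values come from the post; the function names, the fail-closed handling of absent or malformed values, and the rule that a conflicting duplicate resolves to "restricted" are assumptions.

```javascript
// Added example: server-side decision for the proposed device cookie.
// Cookie name and yes/no values are from the post; the rest is assumed.
const COOKIE_NAME = "__device_is_age_restricted";

// Parse a raw Cookie request header into [name, value] pairs.
// A list (not a map) is kept so duplicate names stay visible.
function parseCookieHeader(header) {
  if (typeof header !== "string" || header.trim() === "") return [];
  return header
    .split(";")
    .map((part) => {
      const eq = part.indexOf("=");
      if (eq === -1) return [part.trim(), ""];
      return [part.slice(0, eq).trim(), part.slice(eq + 1).trim()];
    })
    .filter(([name]) => name !== "");
}

// Decide how to answer a request for age-restricted content.
// Returns { action: "serve" | "refuse", reason: string }.
function decideAccess(cookieHeader) {
  const values = parseCookieHeader(cookieHeader)
    .filter(([name]) => name === COOKIE_NAME)
    .map(([, value]) => value);

  // Cookie not presented (old browser, stripped header): refuse to be safe.
  if (values.length === 0) {
    return { action: "refuse", reason: "cookie-absent" };
  }
  // Only the two defined values are accepted; anything else is untrusted.
  if (values.some((v) => v !== "yes" && v !== "no")) {
    return { action: "refuse", reason: "invalid-value" };
  }
  // If the header carries both values, the restrictive one wins.
  if (values.includes("yes")) {
    return { action: "refuse", reason: "age-restricted" };
  }
  return { action: "serve", reason: "not-restricted" };
}

// Constructed sample headers, not captured traffic.
const SAMPLE_ADULT = "sid=abc123; __device_is_age_restricted=no";
const SAMPLE_CONFLICT =
  "__device_is_age_restricted=no; sid=abc123; __device_is_age_restricted=yes";
```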

If it is presented as an opt-in service, when parents purchase devices for their children, they can specify that the device be configured as age-restricted, and browsers could check for that state and present the cookie accordingly when requested. 

This would not require any new technologies, infrastructure, or anything like that – browsers and websites already know how to handle cookies, and it does not sound all that hard to implement on the device as an API method that could be called by the browser. This would even enable apps to use that same API to determine how to operate, if at all (e.g. to prevent purchases if the device user is not old enough to execute any contract of purchase).

This sounds like a really easy problem to solve.  Why do people keep making things harder than they need to be?