A door that never used to ask for a name
Imagine a nineteen-year-old worker in a small town. She is not trying to commit a crime. She wants to read a forum about unionising without her supervisor knowing, ask about sexual health without her family seeing the query, and discuss her identity somewhere she does not yet know anybody. Her alias is not a disguise for causing harm. It is the distance that lets her come closer.
She opens the page. It used to contain an email-and-password form. Now there is a door.
“Prove you are an adult.”
The site may not ask for her name. It may accept a facial-age estimate, bank card, document processed by a third party or credential that says only “over 18”. That technical distinction matters: verifying an attribute need not identify a person. From her side of the screen, she must decide who receives the proof, what that company will retain and what would happen if somebody joined the records tomorrow.
First door: an age without an identity, in theory
Child protection addresses real harm. A platform should not be able to recommend pornography, self-harm or predators to children and hide behind an “I am 18” button. Trouble begins when a reasonable duty becomes a general architecture for access.
In the United Kingdom, age-assurance duties under the Online Safety Act entered a decisive phase in July 2025. Ofcom required checks it considered highly effective to stop children reaching pornography and other harmful material. Permitted methods included facial-age estimation, photo identification, open banking, mobile operators and credit-card checks.
They do not all reveal the same information. Careful design can separate proof of age from browsing history and return only yes or no. Bad design can create a table joining face, document, IP address and page visited. Law may require minimisation; a company may promise deletion. Every new verifier still becomes another party that must be trusted, audited and secured.
The worker has no Ofcom legal team and cannot inspect the vendor. She sees a live camera. She must decide now.
Second door: the check spreads
Once available, infrastructure seeks more uses. A mechanism created for an extreme category of material can be applied to social networks, search engines, forums, shops or individual features. No conspiracy is required. Each platform wants to reduce legal exposure; each verification vendor needs a larger market; each regulator prefers a demonstrable control to a promise that is difficult to measure.
The UK rollout produced millions of checks each day and a rise in VPN downloads, according to The Guardian. Workarounds do not prove protection unnecessary. They show that a border easily crossed by someone with money, technical knowledge and a compatible phone weighs more heavily on those without them.
The network changes too. Small sites may close features or block countries rather than buy a system. Large platforms can absorb the cost and turn compliance into another advantage of scale. A policy presented as a limit on technology companies may strengthen those able to pay the customs charge.
Third door: convenient identity
The European Union is building another component. The European Digital Identity Wallet will hold and present public and private credentials through an app recognised across the Union. It can replace photocopies, simplify administration and disclose only necessary attributes. Compared with handing a full identity card to every website, cryptographic proof of age could be a real improvement.
Convenience leaves open the political question of which relationships will eventually require the wallet. Regulation 2024/1183 requires certain services to accept it under defined conditions, while citizens’ use is described as voluntary. Both can be true. A tool need not be legally compulsory to become difficult to avoid when banks, administrations, employers and platforms make it the fast route or the only practicable one.
The answer is not to reject every digital identity. It is to prevent function creep: a credential created for paying taxes should not become the routine key for reading, speaking, shopping and associating. Society needs to know who signs a public contract. It does not need the civil name behind every question, search or conversation.
Fourth door: the message leaves locked and arrives inspected
The worker gets through and writes to somebody else. The service advertises end-to-end encryption: only sender and recipient should read the content. Here another European conflict appears, the proposed Regulation to prevent and combat child sexual abuse, usually called CSAR or Chat Control.
Fighting child-sexual-abuse material is a public obligation. General scanning of private communication is another matter. If analysis happens before encryption on the phone itself, the technical door exists even when the message travels encrypted afterwards. If encryption is weakened for a legitimate end, the weakness cannot distinguish by itself among police with a warrant, an abusive partner, a spyware company and an authoritarian government.
Legislative debate has changed drafts and limits precisely because this objection is serious. The permanent framework was still under negotiation in July 2026, while the Council and Parliament also disputed the future of a temporary privacy derogation. It would be misleading to pretend every proposal already means reading every message, and reckless to accept that treating every conversation as pending inspection is the only way to protect children. The burden of proving necessity, proportionality and effectiveness belongs to whoever wants to open private communication.
Fifth door: “normal people do not need anonymity”
Our worker reaches the final argument. If she is doing nothing wrong, why should identification bother her?
Because anonymity is not impunity. Anonymity separates an intervention from civil identity; impunity removes consequences. A community can moderate abuse, preserve evidence with safeguards and pursue specific crimes without pre-emptively recording every participant’s documents.
Those who need that separation most are rarely those designing the system. A whistleblower needs it before collecting proof; a victim seeking an exit; a teenager unable to speak at home; a migrant afraid of data moving between authorities; a patient, dissident or union organiser. So does anyone who wants to change their mind without every previous version remaining attached to their name.
Identity controls do not distribute risk evenly. A leak may be an inconvenience for one person and a physical threat to another. A false positive can be solved with another card or exclude someone without compatible papers, a face read accurately by the model, or a bank account. “What are you hiding?” reverses the obligation. Whoever proposes observation must explain why, for how long, and with which appeal rights for the observed person.
The way out is not a lawless internet
Protecting children does not require a passport for browsing. Platforms can stop collecting their data and directing behavioural advertising at them. They can limit recommendations that prolong harmful sessions and answer for the design decisions behind them. When age must be proven, an attribute proof can do so without handing over a complete document. Intrusive investigation should target specific subjects under independent authorisation.
Those safeguards must be verifiable. The identity provider should not know which service you visit, and the service should receive no more than the requested attribute. Proofs must expire, with an alternative for anyone lacking the expected device or document. Reusing the data should cost more than respecting the prohibition. Where identity is unnecessary, the right to enter without it remains. Encryption must reach its recipient without an inspection desk in front of it.
The worker in the small town does not need the internet to stand outside law. She needs law to recognise the value of the space between her voice and her document. Without it, many people will not speak under their real names. They will not speak at all.
Online anonymity will not end with one decree banning it. It will end door by door, as each check looks tolerable in isolation and nobody remembers what it was like to enter without presenting a credential. Freedom will be lost in that corridor if we discuss only the security of each door and never ask why there are so many.