160 lines
18 KiB
Markdown
160 lines
18 KiB
Markdown
# What We Found and Why It Matters
|
|
|
|
This is a plain language summary of an investigation into age verification laws being passed around the world. The investigation used 470 public sources across 16 files, drawing from government databases, court records, corporate registries, legislative records, and investigative journalism. Every claim below links to its source.
|
|
|
|
## What are age verification laws?
|
|
|
|
Governments are passing laws requiring websites, apps, and even phone operating systems to verify how old you are before you can use them. The stated reason is protecting children from harmful online content. The laws are real. The harm to children is real. But the investigation found that the system being built to "verify your age" is actually a surveillance infrastructure that collects biometric data, government IDs, and behavioral profiles from everyone, not just children.
|
|
|
|
## Who is behind these laws?
|
|
|
|
One person, a British filmmaker turned politician named Baroness Beeban Kidron, wrote the original age verification code in the UK. That code was then copied into California law. Her foundation, called 5Rights, then spent three years campaigning to pass a similar law in Brazil. The same template is being pushed in Australia, the EU, Indonesia, Canada, and other countries.
|
|
|
|
A US government filing (called a FARA filing) confirmed that Kidron's UK-based foundation directly lobbied California legislators, wrote materials for elected officials, and negotiated the language of the law.
|
|
|
|
Source: FARA filing https://efile.fara.gov/docs/7427-Short-Form-20240627-4.pdf
|
|
|
|
Kidron also co-led the creation of a technical standard (IEEE 2089.1) that age verification companies must meet. The person running the certification program for that standard is simultaneously the head of the age verification industry's trade group (the AVPA). So the same network writes the law, writes the standard, runs the certification, and sells the compliance tools. The companies paying trade group dues profit from the laws the trade group's partners write.
|
|
|
|
Source: IEEE 2089.1 working group https://sagroups.ieee.org/2089-1/
|
|
Source: AVPA standards page https://avpassociation.com/standards-for-age-verification/
|
|
|
|
## Who pays for it?
|
|
|
|
A small number of wealthy foundations fund the advocacy organizations pushing these laws in multiple countries at the same time. Pierre Omidyar (the eBay founder) funds advocacy groups in both the US and Brazil. The Oak Foundation (based in Switzerland) funds Kidron's 5Rights, child safety groups in Brazil, and sits on the board of WeProtect, a 100-country alliance pushing the same agenda. In Brazil, two branches of one banking family (the Itau/Setubal family, who control Latin America's largest bank) fund different advocacy groups that all pushed for the same law.
|
|
|
|
Source: Omidyar/Luminate funding Data Privacy Brasil https://luminategroup.com/investee/data-privacy-brasil
|
|
Source: Omidyar/Imaginable Futures partnering with Instituto Alana https://imaginablefutures.com/partners/instituto-alana/
|
|
Source: Oak Foundation child safety funding https://oakfnd.org/keeping-children-safe-online/
|
|
Source: Fundacao JLES funding coalition https://fundacaojles.org.br/n/noticia.php?id=19
|
|
|
|
## What happened in Brazil?
|
|
|
|
Brazil passed its age verification law (called the Digital ECA) in September 2025. It took effect March 17, 2026. The law requires not just websites, but phone operating systems (Android, iOS, Windows, Linux) to verify your age.
|
|
|
|
The lawmaker who shaped the final text (the "rapporteur") has a criminal conviction for receiving stolen medical supplies. He is a defendant in a fraud case involving R$48 million in suspected money laundering during COVID. He declared R$107.5 million in personal assets but had a court order for failing to pay R$6,306.48 in child support. He has 93 court cases on record. No one in the media questioned why this person was chosen to write child protection legislation.
|
|
|
|
Source: Criminal conviction https://www.portalaz.com.br/colunas/39/direto-da-redacao/56923/jadyel-alencar-sofre-derrota-no-trf1-ja-ha-maioria-para-confirmar-con/
|
|
Source: COVID fraud charges https://www.mpf.mp.br/pi/sala-de-imprensa/noticias-pi/justica-federal-recebe-denuncia-do-mpf-por-fraudes-na-compra-de-materiais-para-combate-a-covid-19-no-piaui
|
|
Source: Child support arrest order https://cidadeverde.com/noticias/404893/juiz-decreta-prisao-de-jadyel-da-jupi-por-divida-de-pensao-a-filhos-menores-deputado-nega
|
|
|
|
Meta (the company that owns Facebook and Instagram) had a lobbyist who secretly wrote amendments to weaken the law. These amendments were filed under a different politician's name. The secret authorship was discovered because the lobbyist forgot to remove his name from the document file's metadata.
|
|
|
|
Source: Intercept Brasil https://www.intercept.com.br/2025/08/14/deputado-bolsonarista-emenda-lobista-meta-lei-criancas-internet/
|
|
|
|
The investigation cross-referenced five separate news reports and found that every single politician Meta was documented meeting on the day the law was voted is either under criminal investigation or has been convicted of a crime. One was indicted for embezzlement (his group listed a baby as a board member of a fake charity to steal government money). Another had R$469,700 in cash seized by police, then backdated a property sale to explain it.
|
|
|
|
Source: Gayer indictment https://www.cnnbrasil.com.br/politica/pf-indicia-deputado-gustavo-gayer-por-desvio-de-cota-parlamentar/
|
|
Source: Cavalcante cash seizure https://www.cnnbrasil.com.br/politica/entenda-operacao-da-pf-contra-sostenes-e-jordy-sobre-desvio-de-cotas/
|
|
Source: Backdated deed https://www.brasil247.com/brasil/lider-do-pl-formalizou-venda-de-imovel-apos-acao-da-pf-que-apreendeu-r-430-mil-em-especie
|
|
|
|
Five days before this research was completed, Brazil's president appointed a former Meta executive as Finance Minister. Dario Durigan ran WhatsApp's public policy from 2020 to 2023, then moved into the Finance Ministry in 2023, and was made minister on March 19, 2026. He now oversees the government advertising budgets that paid Meta R$35.8 million in 2025.
|
|
|
|
Source: Durigan appointment https://www.otempo.com.br/politica/governo/2026/3/20/saiba-quem-e-dario-durigan-nomeado-como-novo-ministro-da-fazenda-do-governo-lula
|
|
|
|
## Who actually checks your age?
|
|
|
|
Private companies, not the government, verify your identity under these laws. The investigation found that several of these companies have troubling backgrounds.
|
|
|
|
Persona, an American company backed by billionaire Peter Thiel (who co-founded the CIA-linked surveillance firm Palantir), was caught running 269 separate checks on every person it verifies. These checks include scanning your face against government watchlists, screening you for "adverse media" in categories like terrorism, and automatically filing reports with US and Canadian financial intelligence agencies. The company's internal projects were codenamed "Project SHADOW" and "Project LEGION." Persona has a direct partnership with Serpro, Brazil's government data processing service, giving it access to Brazilian citizens' biometric records.
|
|
|
|
Source: Persona exposure https://cybernews.com/privacy/persona-leak-exposes-global-surveillance-capabilities/
|
|
Source: Persona-Serpro partnership https://www.prnewswire.com/news-releases/persona-partners-with-serpro-to-combat-identity-fraud-in-brazil-301628227.html
|
|
|
|
AU10TIX, which handles identity verification for X (Twitter), TikTok, and Uber, was founded by veterans of Israel's internal security agency (Shin Bet). The company suffered a data breach lasting 18 months where admin credentials were posted publicly on Telegram and still worked when researchers tested them.
|
|
|
|
Source: AU10TIX intelligence connections https://stateofsurveillance.org/articles/corporate/au10tix-x-verification-israeli-intelligence-2025/
|
|
Source: AU10TIX data breach https://www.malwarebytes.com/blog/news/2024/06/driving-licences-and-other-official-documents-leaked-by-authentication-service-used-by-uber-tiktok-x-and-more
|
|
|
|
Meta uses Yoti for Instagram age verification. Yoti is certified under the IEEE standard that Kidron co-led. Yoti's revenue grew 62% in 2025, driven significantly by the Instagram contract. So the money flows from the law Kidron wrote, through the standard she co-chairs, to the company certified under that standard, paid by the largest social media company in the world.
|
|
|
|
Source: Yoti revenue growth https://www.biometricupdate.com/202601/yoti-records-62-revenue-growth-in-2025
|
|
Source: Yoti Instagram partnership https://www.yoti.com/blog/helping-instagram-offer-new-ways-to-verify-age/
|
|
|
|
## Where does your data go?
|
|
|
|
In Brazil, all of this verification data flows through Serpro, a government-owned data processor that holds biometric records (photos, fingerprints) on 85 million citizens. Serpro keeps logs showing which company checked which citizen's identity and when. When millions of Brazilians verify their age on different platforms, Serpro will hold a map showing which citizens use which services.
|
|
|
|
Brazil's intelligence agency (ABIN) previously requested access to 76 million citizens' records through Serpro. The federal highway police bought a copy of the entire 80-million-person biometric database for R$205,722.80 without publishing the purchase in any transparency portal. In February 2026, a Serpro employee was caught accessing Supreme Court justices' tax records.
|
|
|
|
Source: ABIN data request https://www.intercept.com.br/2020/06/06/abin-carteira-motorista-serpro-vigilancia/
|
|
Source: Police biometric purchase https://www.intercept.com.br/2023/05/02/prf-desrespeita-lei-e-compra-copia-da-base-de-dados-biometricos-de-todos-os-motoristas-com-cnh-no-brasil/
|
|
Source: Serpro employee breach https://www.serpro.gov.br/menu/noticias/noticias-2026/serpro-se-posiciona-sobre-investigacao-envolvendo-acesso-indevido-a-dados-fiscais
|
|
|
|
Serpro's computer systems run on Amazon Web Services hardware. The deal was arranged by an AWS executive named Sean Roche, who previously served as vice-director of the CIA's technology division. A US law called the CLOUD Act allows US courts to order any American company to hand over data stored on its servers anywhere in the world. Legal scholars in Brazil have pointed out that putting government data on American cloud infrastructure does not protect it from US government access.
|
|
|
|
Source: CIA-AWS-Serpro connection https://capitaldigital.com.br/serpro-discute-nuvem-soberana-com-ex-diretor-da-cia-atual-executivo-da-aws/
|
|
Source: CLOUD Act sovereignty analysis https://www.conjur.com.br/2026-mar-03/localizar-o-servidor-no-brasil-nao-e-suficiente-para-soberania-digital/
|
|
|
|
## What about UNICEF?
|
|
|
|
UNICEF, the United Nations children's agency, hosts the main global fund pushing these laws ($83 million+). UNICEF's executive director chairs the fund's board. UNICEF lobbied Brazil to pass its age verification law. UNICEF also runs a joint program with the Itau banking family, the same family that funds the advocacy group that pushed for the law.
|
|
|
|
But UNICEF's own policy paper from December 2025 states that "age estimation measures using biometric data pose an unacceptable risk and should not be used." The same organization that lobbied for the law says the methods the law requires are unacceptably risky.
|
|
|
|
Source: UNICEF lobbying for PL 2628 https://www.unicef.org/brazil/comunicados-de-imprensa/unicef-pede-urgencia-na-aprovacao-do-projeto-de-lei-de-protecao-de-criancas
|
|
Source: UNICEF warning against biometrics https://www.unicef.org/documents/policy-note-drawing-line-digital-spaces
|
|
|
|
## What about the banks?
|
|
|
|
Barclays, one of the UK's largest banks, holds approximately $2 billion worth of shares in Palantir (the surveillance company Peter Thiel co-founded with CIA venture capital money). Palantir was just given access to process data from the UK's Financial Conduct Authority, the regulator that oversees Barclays. The bank holds shares in the company processing its own regulator's data.
|
|
|
|
Barclays also participated in Meta's first bond offering ($10 billion in 2022) and shares real-time fraud intelligence data with Meta through a program called Stop Scams UK. Barclays participates in OneID, a UK age verification service run by an AVPA member company.
|
|
|
|
Source: Barclays Palantir shares https://www.thenerve.news/p/palantir-uk-companies-investment-pension-fund-billions-legal-general-barclays-aviva-peter-thiel
|
|
Source: Palantir FCA contract https://www.theregister.com/2026/03/23/palantir_fca/
|
|
|
|
## What does Meta actually want?
|
|
|
|
Meta's internal documents, revealed during a February 2026 trial, show that in 2018 the company wrote "if we wanna win big with teens, we must bring them in as tweens." A 2020 review found 11-year-olds were four times more likely to keep returning to Facebook than older users. Approximately 4 million children under 13 were using the platform in the US. 216 million users had an "unknown" age. Nick Clegg, Meta's former president of global affairs, described age restrictions in an internal email as "practically impossible to enforce."
|
|
|
|
Source: Zuckerberg trial https://www.cnn.com/2026/02/18/tech/meta-mark-zuckerberg-testifies-social-media-addiction-trial
|
|
Source: Meta trial documents https://time.com/7336204/meta-lawsuit-files-child-safety/
|
|
|
|
At the same time, Meta spent $26.3 million on US federal lobbying in 2025 pushing for age verification laws that require phone operating systems (made by Apple and Google) to check ages, not Meta's own platforms. Meta funds the child safety groups that advocate for these laws (through the Tech Coalition) while also funding a legal group (NetChoice) that sues to block the same laws in at least 27 US states.
|
|
|
|
Source: Meta lobbying spend https://www.opensecrets.org/federal-lobbying/clients/summary?id=D000033563
|
|
Source: Two Faces of Big Tech https://accountabletech.org/research/the-two-faces-of-big-tech/
|
|
|
|
Meta also produced a fake document claiming that a Brazilian internet regulation bill would ban Bible passages. Three internal sources confirmed Meta created it. The document was delivered on paper "to leave no traces." A trade group whose members include Meta publicly took the blame. The entire Evangelical Caucus in Brazil's Congress mobilized against the bill based on this false claim, and the bill was pulled from the agenda.
|
|
|
|
Source: Agencia Publica https://apublica.org/2025/09/how-big-tech-killed-brazils-fake-news-bill/
|
|
Source: Coletivo Bereia fact-check https://coletivobereia.com.br/conteudo-falso-com-uso-da-biblia-contra-projeto-de-lei-foi-oferecido-por-representantes-do-facebook-meta-a-deputados/
|
|
|
|
## What about VPNs?
|
|
|
|
A VPN (Virtual Private Network) is a tool that encrypts your internet connection and hides your location. People use VPNs to protect their privacy, access information in countries with censorship, and prevent companies from tracking them. VPNs are the main way people can avoid geographic age verification requirements.
|
|
|
|
On 21 January 2026, Baroness Kidron drove amendments through the UK House of Lords that passed 207 to 159 in the Children's Wellbeing and Schools Bill. These amendments would:
|
|
|
|
Ban VPN services for anyone under 18. Every VPN provider serving the UK market would have to verify the age of all its users. If you cannot prove you are an adult, you cannot use a VPN in the UK.
|
|
|
|
Require "tamper-proof system software" on all smartphones and tablets sold in the UK. This means every phone would have software built into the operating system that scans for child abuse material. This is device-level surveillance built into the hardware.
|
|
|
|
Ban social media for everyone under 16.
|
|
|
|
Kidron said: "Consultation is the playground of the tech lobbyist and inaction is the most powerful tool in politics."
|
|
|
|
Source: State of Surveillance https://stateofsurveillance.org/articles/government/uk-lords-vpn-ban-surveillance-software-2026/
|
|
|
|
The VPN ban triggered a 1,400% surge in UK VPN signups as people anticipated losing access to privacy tools. Privacy organizations including the Open Rights Group opposed the measures. These amendments are currently moving between the House of Lords and the House of Commons.
|
|
|
|
This connects directly to the rest of the investigation. If you cannot use a VPN, you cannot avoid geographic age verification. Brazil's Digital ECA caused Linux distributions to block Brazilian users entirely. The UK VPN ban closes the last escape route: you must identify yourself to use the internet, and you cannot hide behind a VPN to avoid doing so. The same person (Kidron) who writes the laws requiring you to identify yourself also drives the laws eliminating the tools you could use to avoid identification.
|
|
|
|
## Why does this matter to ordinary people?
|
|
|
|
These laws affect everyone, not just children. To prove you are an adult, you must submit government ID, biometric data (face scans, fingerprints), or allow behavioral tracking. That data is collected by private companies with intelligence agency connections, stored on cloud infrastructure accessible to foreign governments, and logged by government data brokers who have already been caught sharing data with intelligence agencies without authorization.
|
|
|
|
Several Linux operating systems have already started blocking users in Brazil because volunteer-run software projects cannot comply with the law.
|
|
|
|
Source: Linux distros blocking Brazil https://linuxiac.com/linux-distributions-begin-blocking-brazil-access-over-new-digital-law/
|
|
|
|
The same pattern is repeating in country after country: the same organizations advocate for the laws, the same funders pay for the advocacy, the same companies sell the verification tools, and the same data brokers collect the results. No transparency mechanism in any country captures these flows. Brazil has no lobbying law. The UK charity behind it all does not disclose its EU lobbying budget. The technical standard's working group membership is restricted. The Brazilian tech lobby publishes no financial statements despite being funded by the world's largest technology companies.
|
|
|
|
## What is not being claimed
|
|
|
|
This investigation does not claim that child exploitation is not real. It is. This investigation does not claim that the people involved have evil intentions. Many of them sincerely believe they are protecting children. What the investigation documents, using 470 public sources, is that the system being built to protect children also functions as a mass surveillance infrastructure, that the people building it have financial and political conflicts of interest, and that no democratic process in any affected country has considered these connections because no one had mapped them before.
|
|
|
|
The children are real. The exploitation is real. The protection is not what it appears to be.
|
|
|
|
This investigation was compiled on 24 March 2026. All source documents are published at https://tboteproject.com/git/hekate/surveillance-findings
|