25 States Just Built America's Face-Scan Checkpoint — and Nobody Noticed

Half the country just built a face-scan checkpoint system, and most people have no idea it happened. Twenty-five U.S. states now require you to upload a driver's license or scan your face just to access certain websites. Nine of those laws passed in 2025 alone.

That means if you've unlocked your phone with your

That means if you've unlocked your phone with your face today, or handed your I.D. to a website to prove your age, you've already stepped into this system. And if you haven't, someone in your family probably has. These laws were sold as child safety measures. Protecting kids online. That framing makes it sound narrow and targeted. But the infrastructure being built underneath those laws isn't narrow at all. If that makes you uneasy, that's a reasonable response. Today I want to replace that unease with something more useful — a clear picture of what's actually being constructed, how it works, and why the accuracy of the technology isn't even the main concern anymore. So what exactly are these systems doing behind the scenes?

When a website needs to confirm you're old enough to access it, the platform picks one of two paths. Path one is inference. The system guesses your age using behavioral data, device signals, or facial analysis. Path two is formal identity verification. You upload a government I.D. or scan your face against a database. Most people assume the guessing approach is the less invasive option. And in some ways it is — you're not handing over a license. But inference swaps certainty for probability. According to N.I.S.T. benchmarking, facial age estimation has a mean absolute error of roughly one year and three months under controlled, ideal conditions. That sounds impressive. But in about one out of every five cases, the estimate is off by more than fourteen months. For a sixteen-year-old near the legal threshold, fourteen months is the difference between being blocked and being waved through. For anyone reviewing that decision later — a parent, an auditor, an investigator — there's no way to know which side of that error you landed on.

Now, the formal verification path has its own problems. When platforms collect actual I.D. photos and selfies, that data has to live somewhere. And breaches aren't hypothetical. In October 2025, Discord lost seventy thousand I.D. photos. A dating app leaked seventy-two thousand selfies. Those aren't passwords you can reset. Your face doesn't change. Once that biometric data is out, it's out permanently.

Some governments are trying a third approach

So some governments are trying a third approach. The European Union is building what's called a Digital Identity Wallet. It uses cryptographic proofs — basically math that lets you prove you're over eighteen without uploading your actual I.D. to anyone. The system confirms the fact without collecting the evidence. Compare that to the U.K.'s model, which requires you to upload your I.D. directly. That's a fundamental architectural choice. One approach — zero-knowledge attestation — doesn't store your data. The other — biometric matching — requires your face to be kept on file for comparison. For everyday users, that difference determines whether your face sits in a corporate database or never leaves your device. For professionals evaluating digital evidence, it determines whether there's even a biometric record to examine.

And this is where the landscape shifts in a way most people haven't noticed. The emerging industry standard isn't just "verify once at one website." It's what advocates call reusable age checks. You prove your age one time, at one checkpoint, and that proof becomes a portable credential. It follows you across platforms, across services, across contexts. Picture airport security. A T.S.A. agent checks your I.D. once, at one gate, for one flight. That's targeted screening. Now imagine every store, every restaurant, every venue in the country required the same facial scan — and your clearance from that single checkpoint was the only way through any door. That's the difference between a safety gate and a national identity layer. Age verification started as the first version. It's rapidly becoming the second.

Some industry voices want to push verification down to the device level, or the operating system, or the app store. That would keep individual platforms from collecting your I.D. directly. But it concentrates verification authority in the hands of a few massive companies — Apple, Google, a handful of others. Fewer data collection points, yes. But also fewer gatekeepers deciding who gets verified and how.