HB 2112 (Age Verification for adult content) written testimony and followup
My written testimony expands on the testimony I gave during the hearing. This is a very-slightly-edited version with some fixes for editing errors. I had been using Proton Docs for creating this, but there was a system-wide outage right before the hearing ... yikes! Fortunately I had a backup copy, but it wasn't quite up to date, so I wound up losing a bit of stuff and didn't realize it until after submitting testimony. Oops. I emailed the cleaned-up version separately to legislators on the committee.
Rep. Leavitt, the bill's prime sponsor, responded to my email, and I followed up with additional email – included below.
You can see my live-skeeting of the hearing on Bluesky, or as a single nicely-formatted page here.
Chair Walen, Ranking Member McClintock, and members of the Committee,
I'm Jon Pincus of Bellevue. I run the Nexus of Privacy newsletter, and am testifying CON on HB 2112.
I agree with the goals of the bill; the harms are real. But this bill does not keep children safe. So I agree with Danni Askini of Gender Justice League: let's work together to craft a bill that does make kids and teens in Washington safer -- and be a role model for other states.
Age verification requirements put everybody's data at risk -- kids and teens as well as adults. As Julie Barrett of Conservative Ladies of Washington highlighted, Washington has a very strong constitutional right to privacy and strong existing privacy legislation like My Health My Data. Sending identity information to age verification software providers in other states could also undercut the protections of Shield Law and Keep Washington Working. We can't just blindly follow Texas' lead on this.
The privacy issues with Texas' HB 1181, the basis for HB 2112, are discussed in the amicus brief Center for Democracy and Technology, the Internet Society and others filed to the Supreme Court in Free Speech Coalition v. Paxton.⁰. For example HB 1181 -- and the similar language in HB 2112 --
- "does not prevent the entities that “perform[ ] the age verification” from transmitting or even selling the commercially valuable data obtained from a visitor’s government IDs and browsing activity to commercial data brokers or advertising firms."
- "offers no protections for website visitors from the retention, transmission, or sale of their data by other entities that obtain their data but do not perform the age verification. For example, as the trial court found, “any intermediary between the commercial websites and the third-party verifiers [that obtains the visitors’ identifying information and/or browsing activity] will not be required to delete the identifying data”
- has a non-retention requirement that "offers little protection for the security and privacy of website visitors’ data." The brief's section on HB 1181’s Non-retention Requirement Is Insufficient to Address These Risks" goes into detail on this.
The claim that third-party verification providers don't keep data are incorrect. Iain Corby of the Age Verification Providers Association suggestion that Discord didn't do it right because they didn't use his clients' solutions doesn't change the facts that hackers successfully targeted Discord's age verification provider and got at least 70,000 images of people's government IDs. Discord Breach Sparks Age Verification & Third-Party Privacy Concerns¹ reports that
"the incident was traced to an external customer service vendor who had access to Discord’s support and trust teams. This vendor was responsible for handling user inquiries that included age verification appeals, giving attackers a pathway to sensitive data."
Zero-knowledge proofs are interesting, but still at a very early stage and not yet widely adopted. As researchers from Brave Research write in The limits of zero-knowledge for age-verification² (November 2025):
"Zero-knowledge proofs (ZKPs) are often advanced as a technical remedy, promising privacy-preserving attestations of age or eligibility. Yet their deployment in practice exposes both conceptual and practical limits. Credential-based systems anchored in centralized authorities risk exclusion, create new control points, and threaten user privacy. At the same time, many ZKP proposals remain fragile, raising concerns about soundness, composability, and long-term sustainability."
The article's case studies of failures in existing systems are illuminating. Similarly, EFF's Age Verification in the European Union: The Commission’s Age Verification App³ describe EU's scheme of using ZKPs as making "several questionable assumptions," and suggests that "this rush to implementation before the research matures puts all of the users at risk."
Moving beyond privacy, Rep. Santos' point about the biases of these systems is incredibly important. And not just racial bias! The coalition letter from 90 civil rights and privacy organizations condemning ID-checking bills (citing effectiveness, censorship, and privacy concerns⁴) that another testifier previously mentioned highlights "for vulnerable communities, a biometric scan or an ID upload can serve as a huge obstacle, especially for low-income, unhoused, and undocumented people."
So please do not advance this bill – or any other bill with age verification or "harmful to minors" clauses. Instead, let's focus on solutions that really do make Washington's kids and teens safer online.
Thank you for the opportunity to testify. I look forward to working with you and your colleagues on this issue throughout the session.
Jon Pincus, Bellevue
Follow-up email
Rep. Leavitt quickly responded to my mail, pointing out that HB 1181 had been held constitutional (true enough, we didn't even try to argue against HB 2112's constitutionality), that Washington's bill was even tighter, and that she's working on draft language that will strengthen it. She copied the whole committee on it, and so did I in my reply.
Thanks for the quick response, Rep. Leavitt, and I look forward to seeing the new language! While I am critical of this specific bill (and age verification in general), I very much support your focus on online safety and willingness to take on this challenging issue. The testimony from parents who have lost their children is searing, and my heart goes out to them watching them relive their trauma. We have differences of opinion on the effectiveness and downsides of an age verification approach, but I very much agree that the problem is real and we need to find a way to make progress.
Agreed, the Court upheld Texas' HB 1181 6-3 (with Justices Kagan, Sotomayor, and Jackson dissenting) and determined that the impact on free speech does not violate the first amendment. I'd still strongly encourage people to read some of the key sections from the amicus brief CDT and Internet Society submitted - https://www.supremecourt.gov/DocketPDF/23/23-1122/326510/20240920161551554_23-1122%20Amicus%20Brief.pdf While I may have missed some differences in the HB 2112 text (and if so my apologies) it seems to me that they still apply.
For example Section 2's non-retention language is exactly the same as HB 1811's: "A commercial entity or third party that performs age verification required by this chapter may not retain any identifying information of the individual."
As the amicus brief points out, this language doesn't prevent Mr. Corby's clients – or other less-scrupulous age verifiers – from "transmitting or even selling the commercially valuable data obtained from a visitor’s government IDs and browsing activity to commercial data brokers or advertising firms."
And while I didn't discuss it in my testimony, the amicus brief also has a very good discussion of the burdens these bills place on adult speech. Just because the majority on the Court decided they're constitutional doesn't mean that we should adopt them in Washington state! Take the situation that Danni Askini mentioned, where restrictions on adult content led to Gender Justice League's site being unavailable. Regardless of what they want in Texas, and what the conservatives on the court say is constitutional, does that really align with our states' values? And of course it's not just Gender Justice League, it also affects sites run by organizations with even less resources but still providing valuable educational and support information.
At any rate ... while I personally am skeptical that these problems can be fixed with this bill – or an age verification framework in general – others who spoke were more optimistic. So as I say, I'm looking forward to seeing the revised language! If possible, it would be wonderful if you could share it publicly several days in advance of the executive session so that we have time to analyze it in detail and see whether it does indeed address the concerns.
Jon Pincus, Bellevue
² https://brave.com/blog/zkp-age-verification-limits/
³ https://www.eff.org/deeplinks/2025/04/age-verification-european-union-mini-id-wallet