Letter to the Editor: there’s an alternative to S-209 choice of age verification

November 2, 2025

In response to the October 30, 2025 post from MediaPolicy.ca, I have some ideas on how Canada could proceed with accomplishing the objectives behind S-209, “An Act to restrict young persons’ online access to pornographic material”, while respecting user privacy and dramatically reducing the chances of a data breach.

Who am I? I’m a Java software developer with over 25 years of experience, paid not only to write code but also to participate in designing software solutions, assess requirements, work with product managers, and occasionally lead teams. As part of our profession, we’re expected to proactively address potential security vulnerabilities, such as upgrading software libraries before they become outdated, and thus, more likely to be vulnerable.

Prologue:

First of all, I have no fundamental objections to restricting internet porn from minors via an age verification scheme that guarantees anonymity.

My issues with S-209 are how it captures many sites and services that are not primarily for porn, and how it risks violating user security and privacy, especially for those not seeking porn, by storing their age (and possibly identity) proofs on the internet, where they could be breached.

Maximizing Privacy and Limiting Data Breaches:

Any age verification scheme ought to maintain biometric data used as an input exclusively on the client device.

By client device I mean the phone, tablet, or PC used to access the internet, but on no server on the internet itself. In turn, this client-side software sends proof of the user’s age, in a way that can be authenticated as legitimate, to the site in question. This means no server on the internet would have the biometric data, such as a face scan or government ID.

This doesn’t eliminate risk, but since each piece of user-identifiable data is on one client device at a time, it means a far lesser incentive for bad actors to try to steal such data. That is, it’s far more work for far less benefit than targeting a single server.

Lower Compliance Costs for Sites Hosting Porn:

Any site that’s captured by this law would still have compliance costs, but they would be much lower than what is currently proposed under S-209.

The client device vendors (Google, Apple, Samsung, etc.) would be responsible for implementing this scheme. They’d be tasked with providing software for the sites in question, and those sites would simply have to install and configure this software in order to complete the verification process.

Blast radius of the law:

In addition, I propose there be clear guidelines for a site to opt out of being captured by this law.

Part of the controversy of S-210 and its current iteration S-209 is the number of sites captured by the statute. This would have included search engines and social media sites, which are light years away from primarily hosting porn but on which porn is hosted to a small degree.

In my opinion, the proposal to exempt search engines is insufficient, since many people including myself largely use AI instead of Google/Bing/DuckDuckGo searches. Also, social media has a whole series of non-porn uses. I believe the vast majority of AI and social media users are not interested in porn, at least, not while using those vehicles.

So what I propose is a way for any site, such as with news under the Online News Act Bill C-18, to opt out of this law by meeting guidelines to not expose porn at all to the users of those sites.

I admit to not having fully considered the mechanisms under which this would work, but likely it would involve AI scanning for pornographic images and text. Obviously, it wouldn’t be 100% bulletproof, so sites would have to merely prove a good faith effort to accomplish this. Such sites could then offer premium versions, which would be captured by age verification mandates.

Furthermore, many computing devices are “headless” and quite simply can’t comply with an age verification scheme to access the internet. Among these devices are servers like NAS’s, which must access the internet for updates. There are also minitower PCs, which don’t come with cameras.

Final thoughts:

Many users have zero interest in porn, but are very adamant about accessing the internet anonymously, and are understandably wary of data breaches given the Discord experience in the UK.

Furthermore, many minors have a long list of legitimate reasons to access the internet, AI, and social media while having no interest in porn.

Why risk blocking non-porn seeking minors from accessing the internet, or make it harder for non-porn seeking adults to access the internet?

According to many polls, Canadians are wary of digital ID schemes. On the other hand, many are also rightfully concerned about minors accessing pornography.

The solution to the stated objectives of the framers of S-209 is a client-based age authentication scheme that maintains biometrics and other age proofs on the client device, and off servers.

It also involves allowing any general site to make porn unavailable to the vast majority of its users and thus opt out of being captured by new porn-gating mandates.

Luke deGruchy, Cornwall, ON

Published by

Howard Law

I am retired staff of Unifor, the union representing 300,000 Canadians in twenty different sectors of the economy, including 10,000 journalists and media workers. As the former Director of the Media Sector and as an unapologetic cultural nationalist, I have an abiding passion for public policy in Canadian media.
