In 1973, in Miller v California (unrelated to US v Miller 1976),
the Supreme Court established a three-part guideline for determining when
something was legally obscene (as opposed to merely "indecent"):
For the internet, community standards
is the problem: what community?
This is in fact a huge problem,
though it was already a problem with mail-order.
As the Internet became more popular with "ordinary" users, there was mounting concern that it was not "child-friendly". This led to the Communications Decency Act (CDA) in 1996:
[it is forbidden to be someone who] uses any
interactive computer service to display in a manner available to a person
under 18 years of age, any comment, request, suggestion, proposal, image,
or other communication that, in context, depicts or describes, in terms
patently offensive as measured by contemporary community
standards...
The Supreme Court struck this down in 1997, because you just cannot have "community standards" applying to the internet. Another argument, which the Supreme Court has approved of in other contexts but not this one, was that you have a right to receive someone else's speech anonymously. (Most anonymous-speech cases have been about anonymity for the speaker.)
Fast forward to 2022, when Louisiana passed Act 440. On January 15, 2025, the Supreme Court had oral arguments on Texas' similar, but later, law. Here are some points about Louisiana's law:
As far as 1 is concerned, it's probably true, but data is sparse.
For 2, what is "harmful" to minors? Many people (well, some) feel that the constant criticism of the President of the United States by, say, the Washington Post is harmful to minors. But (3) is supposed to address that.
Note that 4(a) is about community standards again, but 4(b) pretty much spells it out. Did they miss anything? What does this do to breastfeeding videos?
In any event, the Supreme Court appears to be very sympathetic to the very similar Texas law.
England tried very hard to pass a similar law a few years ago, but it foundered on the impossibility of doing age-verification in anonymous way. Their most promising idea was that you could buy an age-verification card at, say, a newspaper kiosk. You'd show them your drivers license, and they'd sell the card. You'd enter the number on the card at your favorite porn site. You'd have to trust the card seller not to record your drivers' license. Another issue is that, once someone bought one card, its number could be widely shared.
It is still all but impossible to do age verification anonymously, so the Texas and Louisiana laws would mean that you potentially are revealing your actual, true identity to, say, Pornhub. If Pornhub collects this data (which the Louisiana law says they are not supposed to do), and it gets leaked, you're in serious social trouble.
[If a provider does not retain information about identities involved in age verification, how on earth would they ever prove that they'd been doing it?]
Although pornography age limits seem to be the primary issue, many states also have deep concerns about age limits for social-media access, including teen access to, say, Facebook.
Louisiana has created the LA Wallet, which is some sort of electronic identifier for age verification. Supposedly it is also for gambling, healthcare and covid-vaccination status. Its security is dubious. Other states typically farm the age-verification job out to third parties (such as Yoti, VerifyMy and InCode). In a lot of cases, you're supposed to enable your camera and hold up your drivers license and the verifier will compare that picture with you.
Pornhub will not use these third parties, though they do use LA Wallet. They have disabled service to states with age-verification requirements, except for Louisiana.
[By the way, lots of adults do not have state identification, so they will be left out. This is, by the way, what voter-ID laws count on.]
There are ways to establish that you know a password, for example, without actually revealing that password. Could "zero-knowledge age verification" be possible? The idea would be to prove that you have an ID number that is in a large set of ID numbers held by the other side, without revealing that number. But there are problems. One is how to avoid widely shared IDs, though perhaps allowing one ID per IP address would help.
Australia and the EU are working on age-verification "certificates". From www.biometricupdate.com/202501/euconsents-tokenized-age-verification-set-for-poc-at-upcoming-age-assurance-summit:
French data protection regulator CNIL proposed a double-blind solution, in which cryptographically signed age assurance certificates could be generated and provided to age-restricted websites without identifying or tracking the user.
Here is a bit more about the French approach, from linc.cnil.fr/demonstration-privacy-preserving-age-verification-process:
Thanks to the combination of these primitives, an authority can generate a public key, add members to that group and provide a certificate of their own public key which is valid through the main key of the group. Then, group members are able to sign challenges for users, who in turn will be able to prove they own a challenge signed by someone belonging to the group. This way, Zero Knowledge [ZK] proofs guarantee both pseudonymity for the authority that processed the signature (via the ZK propriety) and the fact that it is indeed a member of that group (via the soundness propriety, namely, that no one can forge a fake proof). As a result, the service-providing website is certain of the user’s age validity without actually knowing who certified it.
Unfortunately, in the United States these cryptographic approaches appear to be generally ignored.
Another approach is to use separate hardware devices for age verification, though this makes more sense for social-media age verification.
A common workaround is purchasing a VPN. This requires that you have a credit (or debit) card, which is itself sort of a proxy for being over 18. But not really; lots of minors have them. And it's expensive. [Your VPN provider knows what IP addresses you visit, and so probably knows if you go to Pornhub, but due to TLS almost certainly does not know what you watched. Pornhub knows what IP address you came from, and could in theory ask your VPN who was using that IP address at such-and-such a time, but that seems relatively unlikely.]
There's another weird workaround. With my Android phone, if I connect to WiFi then the physical location of that WiFi is pretty easy to figure out. But if I turn off the WiFi, and just use 5G, my IPv4 address appears to be in either Wisconsin or North Carolina, courtesy of the Wireless Data Service Provider Corporation. This is probably because my phone is using IPv6 to connect to one of these places, and then Network Address Translation to get out into the wider IPv4 world. Anyway, both states apparently do now have age-verification laws, but it is not clear if they are actually enforced.
Of course, there are also a number of pornography sites in Europe and Asia, beyond reach of US state laws.
Finally, the Louisiana law contains a provision that it applies only if at least one third of the content is unfit for minors. This leaves open the possibility of sites incorporating, say, a copy of the entirety of Wikipedia, so as to dilute the percentage of sexual content.
Most of the time, free speech is protected via the doctrine of strict scrutiny, which means that any government restrictions must be the least restrictive way to achieve the government's goals. Other doctrines are intermediate scrutiny and rational-basis scrutiny. Commercial speech, for example, might receive intermediate scrutiny, while time-and-place speech restrictions might receive rational-basis scrutiny.
The big question for the age-verification laws is which standard the Supreme Court will rule should apply.