Meta is deploying an AI system to detect underage users attempting to access age-restricted content by analyzing video and image submissions for physical markers like height, bone density, and facial characteristics. The move follows a Wired investigation where a child wearing a fake mustache successfully bypassed Meta's existing age-verification tools. The company currently uses government ID uploads, selfies, and third-party age estimation services, but says the new visual analysis layer adds friction for determined minors.

Meta did not disclose the accuracy rate of its new system or whether it has been tested against intentional adversarial inputs (props, makeup, camera angles, lighting tricks). The company also did not address how it will handle false positives across demographic groups or the privacy implications of storing video biometric data at scale.

This is security theater masquerading as child protection. The core problem: age is not a visual attribute you can reliably extract from an image. Height varies wildly within age groups. Bone structure requires skeletal imaging. Facial maturity is subjective and heavily influenced by genetics, nutrition, and ethnicity. Meta is building a system that will either fail at its job or fail at accuracy across populations.

The real issue is economic. True age verification (government ID + liveness checks + payment method validation) is expensive, invasive, and creates friction Meta wants to avoid. An AI system that claims to read age from a video lets Meta claim it tried while maintaining the frictionless experience that keeps engagement high. When the first lawsuit arrives over a child accessing NSFW content despite the AI check, Meta's defense will be 'the AI said no.' That's liability shifting, not child safety.

Meta wins short-term optics and may pass nominal regulatory scrutiny. Apple's Vision Pro and other biometric platforms win from normalized video submission. Adversarial ML researchers and bug bounties win opportunities to expose this system's weaknesses. Children and parents lose: neither group gets honest age verification, just security theater. Regulators lose credibility if they accept this as compliance. Privacy advocates lose another precedent for normalized biometric data collection.

Monitor whether Meta publishes accuracy breakdowns by age group, gender, and ethnicity. Watch for adversarial attacks (deepfakes, prosthetics, lighting manipulation) to defeat the system within 90 days of public testing. Track regulatory response in EU (DMA compliance) and UK (Online Safety Bill). Most important: whether any competitor (TikTok, Snap, Discord) implements similar systems, suggesting industry consensus that this is acceptable liability reduction.