The UK's Online Safety Act is now forcing age verification across the internet, and the Discord fallout shows exactly what privacy advocates warned about: one bad implementation after another.

Users are being asked to upload government IDs to third-party verification services, creating exactly the kind of centralized identity database that every security expert has warned against for decades.

Age verification sounds reasonable until you actually think about the implementation. How do you prove you're over 18 online? The UK government's answer: upload your passport or driver's license to a private company you've never heard of, trust them to verify your age, and hope they delete the data afterward.

What could possibly go wrong?

Let's start with Discord. The platform is now requiring UK users to verify their age to access certain features. The verification is handled by third-party services that scan government-issued IDs. Now millions of people are handing their passports to verification startups, creating massive honeypots of identity data.

I've built authentication systems. I know how hard it is to secure this kind of data. And I know that every large database of personal information eventually gets breached. It's not a question of if, it's a question of when.

The Online Safety Act had good intentions. Protect kids from harmful content. Stop underage users from accessing inappropriate material. Make platforms accountable for child safety. All laudable goals.

But the implementation is catastrophic. Instead of building privacy-preserving age verification—which is technologically possible using zero-knowledge proofs or government-issued tokens—the UK went with the simplest, most privacy-invasive approach possible.

Upload your ID. Trust the verification company. Hope for the best.

And it's not just Discord. Every platform operating in the UK now faces the same requirement. Social media, gaming platforms, streaming services—all of them asking for government IDs. All of them creating new databases of verified identities. All of them expanding the attack surface for identity theft.

The alternative exists. Estonia has digital identity systems that can verify age without exposing full identity documents. Cryptographic protocols can prove "I am over 18" without revealing who you are. The technology for privacy-preserving age verification is real.

But the UK chose the easy path over the secure path. And now every teenager trying to join a Discord server is uploading their passport to a verification startup they found via Google.

This is what happens when regulators write laws without understanding technology. Good intentions. Catastrophic execution. And a privacy disaster that won't be apparent until the first major breach hits.

Age verification can work. But not like this. Not with centralized databases of government IDs. Not with third-party verification services handling the most sensitive documents people own.

The Online Safety Act wanted to protect kids. Instead, it's creating a surveillance infrastructure that will outlast the problem it was meant to solve. And the first generation to grow up with it won't even remember what privacy used to mean.
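
To make the "government-issued tokens" alternative mentioned above concrete, here is an added sketch (not code from this post or from any real eID scheme) of a platform checking a signed "over 18" claim instead of storing an ID scan. It uses an ordinary Ed25519 signature rather than a zero-knowledge proof, and the issuer, function names and token fields are all assumptions made for illustration.

```javascript
// Added illustration, not from the post: all function and field names are hypothetical.
const crypto = require("node:crypto");

// Issuer side (assumed: a government eID service). It knows the user; the platform never does.
const issuer = crypto.generateKeyPairSync("ed25519");

// The issuer signs only a yes/no claim bound to the platform's one-time nonce.
// No name, date of birth or document number is placed in the token.
function issueAgeToken(privateKey, nonce, ttlSeconds, now = Date.now()) {
  const claims = { over_18: true, nonce, exp: Math.floor(now / 1000) + ttlSeconds };
  const payload = Buffer.from(JSON.stringify(claims));
  const sig = crypto.sign(null, payload, privateKey);
  return payload.toString("base64url") + "." + sig.toString("base64url");
}

// Platform side: needs only the issuer's public key and the nonce it handed out.
function verifyAgeToken(token, publicKey, expectedNonce, now = Date.now()) {
  const parts = String(token).split(".");
  if (parts.length !== 2) return { ok: false, reason: "malformed" };
  const payload = Buffer.from(parts[0], "base64url");
  const sig = Buffer.from(parts[1], "base64url");

  // Check the signature before trusting anything inside the payload.
  let valid = false;
  try { valid = crypto.verify(null, payload, publicKey, sig); } catch { valid = false; }
  if (!valid) return { ok: false, reason: "bad signature" };

  const claims = JSON.parse(payload.toString("utf8"));
  // The nonce stops a token issued for one session being replayed in another.
  if (claims.nonce !== expectedNonce) return { ok: false, reason: "nonce mismatch" };
  if (typeof claims.exp !== "number" || claims.exp * 1000 <= now) {
    return { ok: false, reason: "expired" };
  }
  if (claims.over_18 !== true) return { ok: false, reason: "not over 18" };

  // All the platform has to keep is a boolean; there is no identity document to breach.
  return { ok: true, stored: { age_verified: true } };
}
```

Unlike the zero-knowledge proofs the post mentions, this design still has the user contact the issuer for every check, so the issuer sees that a verification was requested.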
