In its worst decision ever on demands for ID, the Supreme Court today upheld a Texas law that requires all visitors to some websites to provide the site operator with evidence of their identity and age.

In an opinion by Justice Thomas, six Justices found that requiring ID for age verification as a condition of viewing certain websites only “incidentally” burdens the rights of adults.

The majority reasons backward from the presumed legitimacy of ID requirements in other contexts, such as buying tobacco, that (A) weren’t at issue in this case, and (B) more importantly, don’t involve the exercise of First Amendment or any other rights:

Requiring proof of age is an ordinary and appropriate means of enforcing an age-based limit on obscenity to minors. Age verification is common when laws draw age-based lines, e.g., obtaining alcohol, a firearm, or a driver’s license…. Applying the more demanding standard of strict scrutiny would call into question all age-verification requirements, even longstanding in-person requirements.

As the dissent by Justice Kagan (on behalf of herself and Justices Sotomayor and Jackson) points out, this amounts to deciding on the desired outcome, and then adapting the criteria (in this case, the level of scrutiny applied to the law) to produce that result.

In rebuttal to the dissent on this point, the majority opinion wrongly claims that in-person demands for ID are “uncontroversial” and have never been challenged in court:

Finally, the dissent claims that we engage in “backwards,” results-oriented reasoning because we are unwilling to adopt a position that would call into question the constitutionality of longstanding in-person age-verification requirements. Not so. We appeal to these requirements because they embody a constitutional judgment—made by generations of legislators and by the American people as a whole—that commands our respect. A decision “contrary to long and unchallenged practice… should be approached with great caution,” “no less than an explicit overruling” of a precedent. Payne v. Tennessee, 501 U. S. 808, 835 (1991) (Scalia, J., concurring). It would be perverse if we showed less regard for in-person age-verification requirements simply because their legitimacy is so uncontroversial that the need for a judicial decision upholding them has never arisen.

But that’s not all that’s wrong with this law and this decision upholding it.

The decision and the dissent concern themselves primarily with what level of scrutiny should apply to age-verification laws. They don’t mention the distinction between “age” and “identity”, or the impact of the law on people who don’t have ID — a crucial issue raised in a friend-of-the-court brief by the Electronic Frontier Foundation and others.

For those without government-issued ID or a sufficiently detailed profile with a commercial data broker, “age-verification” amounts to a categorical bar to access to certain Web content.

As we’ve noted previously, “Regardless of whether it would be possible to set up a system by which individuals could provide evidence of age without individually identifying themselves, that’s not how any of the schemes currently being legislated or implemented will work in practice. In order to verify their age, each Internet user will be required to provide a unique digital personal identifier…. Age verification for adult content is a stalking horse for comprehensive content-based and personalized government control of Internet access.”

The Texas law applies to any “commercial entity that knowingly and intentionally publishes or distributes material on an Internet website”, which appears to include both the publisher and the hosting provider.

There’s no way for the publisher or provider of hosting services for a website to know which visitors to the site are located in Texas. To satisfy the Texas law, web publishers and hosting providers worldwide will either have to require ID from all visitors regardless of their location, or try to identify which visitors to the site are located in Texas, and block them or selectively require them to provide ID.

Because the law applies to both publishers and “distributors” (web hosting providers), hosting providers will be not only allowed but required to pass on identifying and location-tracking information about all visitors to site publishers, with no restrictions on how publishers or hosting providers can use, disclose, or or sell this data. The law could, but doesn’t, restrict use of this data to age verification, or restrict its disclosure or sale. Nor does the law restrict the ability of these companies to share this data with governments or to keep secret from individuals how or with whom data about them has been shared.

Some companies will welcome this as a pretext for commercial surveillance they already carry out and would love an excuse to universalize. If anyone objects to publishers’ or hosting providers’ commercial exploitation of visitor identity and location information, they now have the perfect excuses: “Everybody does it” and “The government made us do it.”