Is it completely impossible to do age verification without compromising privacy?

Submitted ⁨⁨15⁩ ⁨hours⁩ ago⁩ by ⁨sheridan@lemmy.world⁩ to ⁨nostupidquestions@lemmy.world⁩

To be clear, I’m not advocating for online age verification. I’m very much against it in any form. I’m just curious from a technical standpoint if it’s possible somehow to construct an accurate age verification system that doesn’t comprise a user’s privacy? i.e., it doesn’t expose the person’s identity to anyone and leave behind a paper trail that can be traced to that person?

source

Comments

Sort:hotnew top

ComradePenguin@lemmy.ml ⁨1⁩ ⁨hour⁩ ago
Yes. There are many solutions.

Maybe the absolutely easiest to implement is just a signed message from an authority (gov.). You click a button on the website that requires verification, get a new tab to a gov. site with no identifiers from the site redirecting you and get a message you copy. The copied message is then pasted in to the site requiring verification. The site can then verify the message at their servers.

source
SorteKanin@feddit.dk ⁨15⁩ ⁨hours⁩ ago
In principle it should be possible to do a zero-knowledge proof.

This means that the website asking for age verification asks a yes/no question like “Is this user 18+?” and the age verification service (like a digital ID provided by the government or whatever) answers “yes” or “no” accordingly, but without telling anything else about the user. Also, the verification service should ideally not know who asked for the age verification.

So the site you want to visit only knows the thing they need to know: Whether you are 18+ or not. Nothing else. And the age verification service only knows somebody asked for age verification and provided the answer, but do not know which site you visited.

This is all possible, but I don’t have high hopes this is the intended implementation of any government seeking age verification, so don’t get your hopes up.

source
- Strider@lemmy.world ⁨2⁩ ⁨hours⁩ ago
  Indeed, technologically it is absolutely possible in multiple ways.
  
  But the tempting possibilities of doing more than that are just too great.
  
  source
- chicken@lemmy.dbzer0.com ⁨10⁩ ⁨hours⁩ ago
  There are some pretty strong arguments that even zk proof is a flawed way of preserving privacy though, in a variety of ways. It prevents pseudonymity by enabling one-user-one-account, and it leaves users vulnerable to being coerced to reveal their full online activities by handing over cryptographic keys.
  
  source
  - Wren@lemmy.today ⁨10⁩ ⁨hours⁩ ago
    Got ready to read some bullshit,
    
    Vitalik Buterin
    
    nevermind. But damn, what a great read. I haven’t given much thought to on-chain ID in years and he lays it out pretty well. Still sounds like encrypted tokens are the way to go, but we all need to have multiple forms for it to protect anonymity.
    
    source
    -> View More Comments
- birdwing@lemmy.blahaj.zone ⁨15⁩ ⁨hours⁩ ago
  The one who asked the verification service also shouldn’t know who the verification service is, imho.
  
  source
  - SorteKanin@feddit.dk ⁨14⁩ ⁨hours⁩ ago
    I’m not sure that is feasible, because in order to trust the answer, I feel the asker must know and trust the one providing the answer. It sounds like you’re imagining a system with many different ID providers? What prevents me from creating my own provider that just answers “Yes”, even for people under 18? If the site asking does not know it is my fake ID service providing the answer, I’m not sure they can trust any answer.
    
    But I won’t pretend to be an expert on this topic, so perhaps it is feasible somehow.
    
    source
    -> View More Comments
- perviouslyiner@lemmy.world ⁨14⁩ ⁨hours⁩ ago
  doesn’t this just raise the authentication requirements? like in the uk we got added checks for who was could work, and lots of deliveroo drivers shared the login + password of someone they knew who was verified.
  
  source
  - Beacon@fedia.io ⁨12⁩ ⁨hours⁩ ago
    I think it should be easy to identify when an account is being shared. For example if it's used from different ip addresses within a short amount of time
    
    source
daniskarma@lemmy.dbzer0.com ⁨2⁩ ⁨hours⁩ ago
It’s possible with certificates and 2fa issued by a government, which already have all your data, that would only verify that you are over 18.

We already have that in Spain, sort of. We have a government app where you have a digital id stored and you can make it create a verify qr that only shows if the user is over 18 or under 18, no more data. The qr only last 5 minutes active.

It is necessary? Not for internet access. That’s a duty of the one paying for internet in the household, not the government.

source
grandel@lemmy.ml ⁨2⁩ ⁨hours⁩ ago
Yes, It should be a browser setting. If parental controls are enabled, access should be denied to the site.

source
Zachariah@lemmy.world ⁨10⁩ ⁨hours⁩ ago
Even if it works, it’s a solution without a problem. If I can afford internet access, I am mature enough to see anything on the internet, and I am mature enough to decide which users can access my internet-connected network and whether they can have access to the whole internet. That’s all the age verification needed ever.

The request for age verification by each website is purely about unnecessary control and censorship.

source
ininewcrow@lemmy.ca ⁨15⁩ ⁨hours⁩ ago
The problem is not the system or the idea of age verification

The problem is that no one on earth can be trusted with that level of monitoring, control and power.

source
- edgemaster72@lemmy.world ⁨13⁩ ⁨hours⁩ ago
  Nah you can totally trust me, I’m too lazy to do anything nefarious
  
  source
  - original_reader@lemmy.zip ⁨11⁩ ⁨hours⁩ ago
    Wait until you have that power and you’re made offers that are hard to resist.
    
    source
  - ininewcrow@lemmy.ca ⁨12⁩ ⁨hours⁩ ago
    Great! … the solution to our problems … let’s all trust edgemaster72
    
    source
    -> View More Comments
DeathByBigSad@sh.itjust.works ⁨15⁩ ⁨hours⁩ ago
Its possible.

Open source front app + a secure element thing in the backgound.

You download an app. You verify your identity, then the app sets up a OTP thing with the shared secret seed lasting for 30 days. But every 30 seconds the OTP changes. Everyone doing a verification in these 30 days gets the same exact secret seed.

The seed hides in the secure element of your device. Every 30 seconds, it releases the new OTP to the Open source app. The app doesn’t connect to the internet once the OTP has already been set up. So nobody knows if you actually view the OTP code.

So the government only knows you have the verification OTP set up not which websites you visited, the website only knows you have a valid OTP from the government, but you could be any of the people in the past 30 days (which the company don’t even have access to).

Even if the company and government cooperates, they could only pin down the time of website registration and that you are one of the millions of people that did the verification and requested a OTP Seed.

(Idk the exact terminology for these things, but hopefully I make sense)

source
- anton@lemmy.blahaj.zone ⁨14⁩ ⁨hours⁩ ago
  
  The seed hides in the secure element of your device. (it won’t be impossible to extract, but the average kid is not gonna be able hack a secure element).
  
  But only one person needs to “hack” it on their device to publish the key, allowing everyone to use it without “hacking” their own device.
  
  You can’t store a key on a device and keep it safe from the owner.
  
  source
birdwing@lemmy.blahaj.zone ⁨15⁩ ⁨hours⁩ ago
Zero-knowledge proof. Medium has an example, though unfortunately the article logs user data, so beware on that.

source
Nighed@feddit.uk ⁨14⁩ ⁨hours⁩ ago
The government knows who you are. They know your age, your address and know you exist (probably).

You go to a site that requires ages verification. You say:please verify me with the government portal. You go to that portal to get a temporary id code to give to the site. The website says to the gov portal give me the name and age of the user with this temp ID. You approve that access. Portal sends age (or an issue over 16/18/21 etc flag) to the site.

Gov portal doesn’t need to know who the site is You don’t provide a unique ID to the website, just a temporary one. Site only gets the data you approve.

The process can do with some streamlining, busy should work in practice?

source
sharkfucker420@lemmy.ml ⁨15⁩ ⁨hours⁩ ago
Its possible but it would defeat the point of age verification

source
pdqcp@lemmy.dbzer0.com ⁨14⁩ ⁨hours⁩ ago
Yes, it is, see quark ID as an example of decentralized open source project by the city of Buenos Aires, in Argentina, which leverages zero knowledge proofs:

quarkid.org
github.com/ssi-quarkid

source
howrar@lemmy.ca ⁨13⁩ ⁨hours⁩ ago
Depends on how reliable you need this system to be. For example, do you need to handle the scenario where an adult verifies their age to access a website, then lets a minor use that website in their place? That would be a much harder problem to solve than if you just need to verify that an adult was present on the other end at one point in time. For the latter, device-based age verification seems to be trivial to set up from a technical standpoint.

source
- LifeInMultipleChoice@lemmy.world ⁨12⁩ ⁨hours⁩ ago
  If there was a certificate you could verify from the government once you had it it only verified with the site saying 18+/21+ type of thing, if have certificate allow in, I feel that should be more than enough. Profile on the device with the cert is logged in with passcode, fingerprint, faceid, password whatever… Just to have the cert attached to your user for the browser to verify it was there would cover it. It shouldn’t show birthdate, or any user data, just age over 21 - yes.
  
  source
UsedCumSock@sh.itjust.works ⁨15⁩ ⁨hours⁩ ago
Sign up for age verification platform and upload your government ID on the platform (let’s call this platform Age Verifier).

Age Verifier confirms you’re an adult, and lists you as an adult in their system.

Age Verifier purges your government ID and any PII on you. The only thing they keep is your basic account details and the fact that they’ve confirmed you’re an adult.

The next time you login to an adult site, you verify yourself by logging into Age Verifier’s platform. The adult site confirms with Age Verifier that you’re an adult, and you’re good to go.

This system probably works, but it’s not without its downsides. We’ll need a way to confirm that your government ID and PII is actually deleted on Age Verifier’s platform. A way to deal with this might be to make sure Age Verifier is never driven by profit so they’ll never need to look into selling people’s data. Maybe it could be ran by a non-profit? Or perhaps it can be ran by the government? But if you don’t trust the government, that could be an issue.

And I can also see an issue where one guy who keeps creating different Age Verifier accounts, verifying that the account is an adult, and then selling that account to people.
source
- xavier666@lemmy.umucat.day ⁨5⁩ ⁨hours⁩ ago
  
  We’ll need a way to confirm that your government ID and PII is actually deleted on Age Verifier’s platform. IMO this is the hardest part to ensure in a transparent manner.
  
  source
Archangel1313@lemmy.ca ⁨13⁩ ⁨hours⁩ ago
It’s only possible as long as you trust the people you’re giving your information to. So…no.

source