Is it completely impossible to do age verification without compromising privacy?

Submitted ⁨⁨2⁩ ⁨weeks⁩ ago⁩ by ⁨sheridan@lemmy.world⁩ to ⁨nostupidquestions@lemmy.world⁩

To be clear, I’m not advocating for online age verification. I’m very much against it in any form. I’m just curious from a technical standpoint if it’s possible somehow to construct an accurate age verification system that doesn’t comprise a user’s privacy? i.e., it doesn’t expose the person’s identity to anyone and leave behind a paper trail that can be traced to that person?

source

Comments

Sort:hotnew top

SorteKanin@feddit.dk ⁨2⁩ ⁨weeks⁩ ago
In principle it should be possible to do a zero-knowledge proof.

This means that the website asking for age verification asks a yes/no question like “Is this user 18+?” and the age verification service (like a digital ID provided by the government or whatever) answers “yes” or “no” accordingly, but without telling anything else about the user. Also, the verification service should ideally not know who asked for the age verification.

So the site you want to visit only knows the thing they need to know: Whether you are 18+ or not. Nothing else. And the age verification service only knows somebody asked for age verification and provided the answer, but do not know which site you visited.

This is all possible, but I don’t have high hopes this is the intended implementation of any government seeking age verification, so don’t get your hopes up.

source
- birdwing@lemmy.blahaj.zone ⁨2⁩ ⁨weeks⁩ ago
  The one who asked the verification service also shouldn’t know who the verification service is, imho.
  
  source
  - SorteKanin@feddit.dk ⁨2⁩ ⁨weeks⁩ ago
    I’m not sure that is feasible, because in order to trust the answer, I feel the asker must know and trust the one providing the answer. It sounds like you’re imagining a system with many different ID providers? What prevents me from creating my own provider that just answers “Yes”, even for people under 18? If the site asking does not know it is my fake ID service providing the answer, I’m not sure they can trust any answer.
    
    But I won’t pretend to be an expert on this topic, so perhaps it is feasible somehow.
    
    source
    -> View More Comments
  - Candice_the_elephant@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
    Or the government sets up an age verification service that doesn’t store logs and only reports numbers in aggregate. The restricted site sends you and a unique id off to the government service, you verify there and it hands back the id & a yes/no token to the site.
    
    source
- chicken@lemmy.dbzer0.com ⁨2⁩ ⁨weeks⁩ ago
  There are some pretty strong arguments that even zk proof is a flawed way of preserving privacy though, in a variety of ways. It prevents pseudonymity by enabling one-user-one-account, and it leaves users vulnerable to being coerced to reveal their full online activities by handing over cryptographic keys.
  
  source
  - Wren@lemmy.today ⁨2⁩ ⁨weeks⁩ ago
    Got ready to read some bullshit,
    
    Vitalik Buterin
    
    nevermind. But damn, what a great read. I haven’t given much thought to on-chain ID in years and he lays it out pretty well. Still sounds like encrypted tokens are the way to go, but we all need to have multiple forms for it to protect anonymity.
    
    source
    -> View More Comments
- AtHeartEngineer@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
  I worked in this field for 3 years, a lot of the core parts are written, but there are a few key pieces missing and no one has taken it to real production.
  
  You can use a passport in pretty much any country and prove you’re over a certain age. Here is a demo: github.com/dog-18/dog18
  
  The parts that are missing are primarily around making secure nullifier, which prevents someone from reusing identities, but also without revealing any private information. We were pursuing research that allowed nullifier generation in MPC where none of the servers or the users knew the “salt” that their identity was hashed with, so no one could recover the original piece of unique data (like their passport number) but it would also prevent them from signing up with multiple accounts. We got our funding cut pretty bad and management was a mess, so I left and that research I think was shut down. This really is the key part to actually make that viable in the real world though. It’s maybe a year worth of research and a year worth of production left to make that practical.
  
  source
- quick_snail@feddit.nl ⁨2⁩ ⁨weeks⁩ ago
  Does that mean the government sees all the sites I’ve visited?
  
  source
  - SorteKanin@feddit.dk ⁨2⁩ ⁨weeks⁩ ago
    No, that’s what I wrote as well. The identity service would not know what sites were visited or ideally not even how many sites were visited.
    
    source
- Strider@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
  Indeed, technologically it is absolutely possible in multiple ways.
  
  But the tempting possibilities of doing more than that are just too great.
  
  source
- perviouslyiner@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
  doesn’t this just raise the authentication requirements? like in the uk we got added checks for who was could work, and lots of deliveroo drivers shared the login + password of someone they knew who was verified.
  
  source
  - Hoimo@ani.social ⁨2⁩ ⁨weeks⁩ ago
    You could make it single-use tokens and rate limit individual users when they request too many tokens in a short time. Someone could still share their tokens with a friend, but it doesn’t scale to where thousands are verifying with some stranger’s id.
    
    source
  - Beacon@fedia.io ⁨2⁩ ⁨weeks⁩ ago
    I think it should be easy to identify when an account is being shared. For example if it's used from different ip addresses within a short amount of time
    
    source
Zachariah@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
Even if it works, it’s a solution without a problem. If I can afford internet access, I am mature enough to see anything on the internet, and I am mature enough to decide which users can access my internet-connected network and whether they can have access to the whole internet. That’s all the age verification needed ever.

The request for age verification by each website is purely about unnecessary control and censorship.

source
- quick_snail@feddit.nl ⁨2⁩ ⁨weeks⁩ ago
  Internet access is like $1 in most countries (Sim card data).
  
  I don’t know about you, but the tooth fairy gave me enough money to pay for internet access…
  
  source
  - Zachariah@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
    And you had the capacity to pay for internet access?
    
    source
    -> View More Comments
ininewcrow@lemmy.ca ⁨2⁩ ⁨weeks⁩ ago
The problem is not the system or the idea of age verification

The problem is that no one on earth can be trusted with that level of monitoring, control and power.

source
- edgemaster72@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
  Nah you can totally trust me, I’m too lazy to do anything nefarious
  
  source
  - ininewcrow@lemmy.ca ⁨2⁩ ⁨weeks⁩ ago
    Great! … the solution to our problems … let’s all trust edgemaster72
    
    source
    -> View More Comments
  - original_reader@lemmy.zip ⁨2⁩ ⁨weeks⁩ ago
    Wait until you have that power and you’re made offers that are hard to resist.
    
    source
- AtHeartEngineer@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
  You definitely can do this with cryptography, it’s a really hard problem, but I worked in this space for a number of years, it’s possible.
  
  source
  - ininewcrow@lemmy.ca ⁨2⁩ ⁨weeks⁩ ago
    Like I implied, the problem isn’t the HOW to do it.
    
    The problem is in giving any one person, government, corporation or company this amount of power and control.
    
    And because it’s so powerful, no one who had it would want to give up control by making it anonymous or in objectively protecting privacy for the user.
    
    source
    -> View More Comments
groet@feddit.org ⁨2⁩ ⁨weeks⁩ ago
Super easy. Technology has existed for quite some time and was already used in the encrpytion of web traffic.

Basically: you sign up with your “age verification institution” (ideally a service of your government because they have your ID anyway and no profit motive). This involves createing a private key (reaaaaaaaaaaly long password that is saved in a file on your device) and saving the public key with that institution. They also check your ID to ensure your identity and your age.

When you want to visit a 18+ website, the website sends you a nonce (loooooong random number). You take that nonce and send it to the verifier, along with a signature of your private key (and the age they want you verified against). The verifier verifies your signature using your public key. They then sign the nonce with their own private key, thereby verifying, that you, the owner of your private key (whos identity and age they have verified) are above the asked age theshould. You then send the signed nonce back to the 18+ website and they can verifiy the signature to confirm that a trusted age verifier has verified your age.

The site never has access to your identity and the verifier never knows which site you visited, only that you wanted to visit a website that wants to know if you are of a certain age.

(The corresponding technology was used for OCSP Stapling in TLS verification … and has been discontinued last year because nobody was using it …)

source
- gandalf_der_12te@discuss.tchncs.de ⁨2⁩ ⁨weeks⁩ ago
  I doubt this doesn’t actually leave a paper trail.
  
  At some point, you send that nonce to an age-verifier service. So they can keep track of it, and if the 18+ website you visited at some point later wants to know your identity, they can ask the age-verifier service who asked for that nonce to be signed.
  
  This involves that two organizations are corrupt, however: both the 18+ website and the age-verifying service. Law could mandate that they both cooperate, however, thus creating a single point of (privacy) failure.
  
  I still believe it is doable, however. Check my other comment involving a piece of paper that is drawn from a box. My method relies on the fact that the age-verifying service doesn’t actually know which code they gave you, just that they gave you one. For digital services, seevices can always keep track of their input/output, which is not always possible in real life.
  
  source
- billwashere@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
  Technically this works EXCEPT the required third party. Either it’s the government and you have to trust them with information of knowing everything that required age verification or its separate company that can and would sell your data to data brokers. Being free and NOT the government seems mutually exclusive.
  
  source
  - groet@feddit.org ⁨2⁩ ⁨weeks⁩ ago
    The verifier does not have the information which sites you use. That’s the point of the setup. All communication goes through you, never the site to the verifier directly. You only pass cryptographic values between them that does not include identifiable information (neither about you to the website, nor about the website to the verifier). The verifier knows who you are, the website knows that you are old enough. Nothing else.
    
    source
    -> View More Comments
  - Natanael@infosec.pub ⁨2⁩ ⁨weeks⁩ ago
    Zero-knowledge proofs still require that third party but only once, to issue it initially. Then the user can issue their own proofs locally
    
    source
    -> View More Comments
  - Knock_Knock_Lemmy_In@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
    You can use a government issued certificate to generate your own age proofs without their involvement.
    
    source
Blackmist@feddit.uk ⁨2⁩ ⁨weeks⁩ ago
It can. Zero knowledge proofs have been around a while and are ideal for this.

They’ll try not to have that because data gathering is what they’re after, not keeping little Timmy from seeing some tits.

source
ameancow@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
In my ideal world, it’s not an issue because parents don’t let kids under a certain age or demonstrated maturity level have computers in their room alone, and even better, they teach their kids how to not have problems with predators, porn, and the deluge of online weirdness and have open, honest talks about how some things are dangerous because they prey on you, some things are dangerous because they get you hooked on certain feelings, and some things are dangerous because they give you false impressions of the world and relationships.

We’re about as close to that world as interstellar exploration, I know. Imagine having parents who you don’t feel afraid to talk to about mature topics and personal matters.

And all that aside, why is it such a big deal that kids not see boobs but they can see violence and gore? Why is it magically okay for Timmy Neckbeard to watch strangle-fetish porn night and day as soon as he turns 18? Why do we scream about how porn is ruining kids minds but we’re not taking down the grifting “masculinity influencers” with as much zeal as we’re going after pornhub and other sites that are mostly just consenting adults doing fun biological acts together? Why do we say porn companies are evil and not do anything to make it less evil like better regulations and resources since we know people are going to find ways to make and view it anyway?

Our species’ obsession with clear lines and labels is making us ignore where the actual problems are, we build fences around the outcomes not the sources. We create solutions to problems we don’t even want to look at directly. It’s like the government handing out umbrellas to combat the issue with the massive water main leak flooding the street.

source
- sleen@lemmy.zip ⁨2⁩ ⁨weeks⁩ ago
  That’s because their bunch of hypocrites. The only thing they’re fuelled by is misinformation and greed. Emotional manipulation is their go to weapon because their macharvellistic ego only lives by that.
  
  Don’t get me started on discrimination which comes with this type of situation. Teens/adolescents being infantilised, and indoctrinated that they know fuck all then being lumped right in with children.
  
  But why should they explore their sexuality if they can read the bible instead - to remain pure. Of course, touching your Coochie will land you strait to the devil himself.
  
  At that point, the quote never have sex until you have married makes more and more sense. It is control from the first moment you become a teenager to the point where marriage becomes a thing. All because of this perceived purity (Even if the bible isn’t in its entirety pure).
  
  source
Modern_medicine_isnt@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
Nope, you always need a middle man to do the verification. That middle man has too much information.

Also, if you could solve for the middle man, there is no way to know the user belongs to the ID. It can easily be stolen.

source
- dickalan@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
  I figured you were wrong so I asked an AI and it confirmed what the people below you were saying, you really do seem to be talking straight out of your ass
  
  Yes, it is technically possible to build an accurate, high-confidence age-verification system that does not compromise privacy in the traditional sense (i.e., no central database of IDs, no name/address/DOB stored by the site, no paper trail that can be subpoenaed or leaked). The core tool that makes this feasible is zero-knowledge proofs (ZKPs), specifically age-based ZK proofs.
  
  How a privacy-preserving age check actually works in 2025
  
  User proves age to a trusted credential issuer once
  
  Government digital ID (e.g., EU eIDAS wallet, some U.S. mobile driver’s licenses, Yoti, ID.me, etc.)
  
  The issuer cryptographically signs a statement like “This private key belongs to someone born before 2007-11-27” without ever revealing the exact birthdate. User generates a zero-knowledge proof
  
  Using their phone or browser, they create a proof that says:
  “I have a valid credential signed by [Trusted Issuer] that confirms I am 18+ (or 21+).”
  
  Nothing else is revealed: no name, no exact age, no birthdate, no issuer identity if you want to go fully anonymous. Website verifies the proof in <1 second
  
  The site checks the cryptographic signature and that the policy (“18+”) is satisfied.
  
  It learns literally nothing else about the person.
  
  Real-world implementations that already exist or are in late-stage pilots (November 2025):
  
  Worldcoin’s World ID “age 18+” orb-verified credential + ZK proof
  
  Polygon ID / zkBridge systems used by some adult sites
  
  SpruceID + Ethereum Attestation Service kits
  
  Gitcoin Passport + ZK age attestations
  
  Proof-of-Humanity + age minimum circuits
  
  Yoti + ZK prototype (demoed 2024–2025)
  
  Remaining practical hurdles (why it’s not universal yet)
  
  User has to have a compatible digital credential in the first place (adoption still <30% in most countries)
  
  Friction: first-time setup takes 2–10 minutes instead of 3 seconds
  
  Most adult sites don’t want to pay the (tiny) gas/verification fee or integrate the SDKs
  
  Regulatory gray zone in some jurisdictions that still mandate “know your customer” records
  
  Bottom line
  Technically: Yes, 100% possible today with zero-knowledge age proofs.
  Practically: It exists, works, and is slowly rolling out, but the porn industry and most social platforms still prefer cheap/frictionless (but privacy-invasive) methods or just do nothing.
  
  So the top reply in your screenshot (“you always need a middle man with too much information”) is outdated — cryptography has already solved the “middle man” problem. The real blocker now is deployment inertia, not theory.
  
  source
  - njm1314@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
    Just for your edification anything you say after “so I asked an AI” is going to be ignored by most people. It just tells me everything that comes next is not going to be worthwhile. Might as well tell me your palm reader told you something.
    
    source
    -> View More Comments
  - Modern_medicine_isnt@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
    Read back what you wrote. Your first line was about a trusted credential provider. Thats a middle man. Then you talk about creating a proof. Guess what, that phone and browser are known to spy on you excessively. That’s another middle man. And odds are that same phone or browser it what you will use to access something that needs the verification. So the same phone or browser has all parts of the information.
    And of course it’s pointless because anyone could steal an ID and get themselves a key. Or steal your phone… so it wouldn’t even prove anything.
    
    source
    -> View More Comments
  - phoenixz@lemmy.ca ⁨2⁩ ⁨weeks⁩ ago
    
    you’re talking out of your ass so I asked an AI
    
    Pot, you are black! Signed, kettle
    
    source
  - TechLich@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
    The big flaw in this strategy is that once you have set up a signed anonymous key from the government and you can make zero knowledge proofs with it, there’s nothing stopping you from distributing that key to every kid who wants it. If it’s in the browser or an app, etc. you can publish that signed key for anyone who wants to be over 18.
    
    PKI only works if the owner of the private key wants it to be private. It’s effective for things like voting or authenticating because the owner of the key doesn’t want anyone else to be able to impersonate them. But if it’s only for age…
    
    At that point, it might as well just be a file that says “I pinky promise that I’m over 18” that the government has signed and given to you.
    
    source
    -> View More Comments
- Saledovil@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago
  We could just make the middle man somebody who already needs that information, e.g. the IRS.
  
  source
  - Modern_medicine_isnt@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
    You could, but that wouldn’t address OPs question. The IRS is known for giving info to other parts of the government to aid in prosecution. And the gov has shown they are terrible at cyber security, so you might as well just post your browser history on the web.
    
    source
blaggle42@lemmy.today ⁨2⁩ ⁨weeks⁩ ago
Yes. Look up “zero knowledge proofs”

source
- blaggle42@lemmy.today ⁨2⁩ ⁨weeks⁩ ago
  I mean “no, look up zero knowledge proofs”
  
  source
  - Darkenfolk@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago
    Yesn’t
    
    source
DeathByBigSad@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago
Its possible.

Open source front app + a secure element thing in the backgound.

You download an app. You verify your identity, then the app sets up a OTP thing with the shared secret seed lasting for 30 days. But every 30 seconds the OTP changes. Everyone doing a verification in these 30 days gets the same exact secret seed.

The seed hides in the secure element of your device. Every 30 seconds, it releases the new OTP to the Open source app. The app doesn’t connect to the internet once the OTP has already been set up. So nobody knows if you actually view the OTP code.

So the government only knows you have the verification OTP set up not which websites you visited, the website only knows you have a valid OTP from the government, but you could be any of the people in the past 30 days (which the company don’t even have access to).

Even if the company and government cooperates, they could only pin down the time of website registration and that you are one of the millions of people that did the verification and requested a OTP Seed.

(Idk the exact terminology for these things, but hopefully I make sense)

source
- anton@lemmy.blahaj.zone ⁨2⁩ ⁨weeks⁩ ago
  
  The seed hides in the secure element of your device. (it won’t be impossible to extract, but the average kid is not gonna be able hack a secure element).
  
  But only one person needs to “hack” it on their device to publish the key, allowing everyone to use it without “hacking” their own device.
  
  You can’t store a key on a device and keep it safe from the owner.
  
  source
qevlarr@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
It is possible, but the real goal is about removing anonymity altogether

source
grandel@lemmy.ml ⁨2⁩ ⁨weeks⁩ ago
Yes, It should be a browser setting. If parental controls are enabled, access should be denied to the site.

source
Natanael@infosec.pub ⁨2⁩ ⁨weeks⁩ ago
Correct, as a cryptography nerd I can assure you that you MUST at minimum have a trusted verifier which met you in person at some point (such as whatever office you get your physical ID card at) and they have to have your information.

And then you’re trusting both Secure Element hardware and fancy cryptography where both must be flawless in order to protect the end user’s side of it, all while the end user now carries much more personal information with them than before

source
- Knock_Knock_Lemmy_In@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
  The verifier does not know what exactly you are proving, when you are proving it or to whom.
  
  The service provided by the verifier is equivalent to a stamp on a piece of paper.
  
  source
  - Natanael@infosec.pub ⁨2⁩ ⁨weeks⁩ ago
    Bad terminology choice, I meant the cert issuer. Need to revise the language later. I was thinking of it in terms of who verifies your IRL identity. The issuer can only issue the cert after you met them and they checked your documentation, etc
    
    source
    -> View More Comments
ComradePenguin@lemmy.ml ⁨2⁩ ⁨weeks⁩ ago
Yes. There are many solutions.

Maybe the absolutely easiest to implement is just a signed message from an authority (gov.). You click a button on the website that requires verification, get a new tab to a gov. site with no identifiers from the site redirecting you and get a message you copy. The copied message is then pasted in to the site requiring verification. The site can then verify the message at their servers.

source
- Scirocco@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
  Hey benign and honorable govt!
  
  Please tell the website “kill-your-govt .net” that I am old enough to join the revolution!!!
  
  Kthxbai
  
  source
- ameancow@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
  That still creates a chain that can be followed. If the site you’re trying to enter is ever compromised, there will be record of your government code and whatever tracking is used to verify that you have entered your code.
  
  I would be happy if the government was not involved in my online activities at all but I guess that ship is about to sail.
  
  source
  - quick_snail@feddit.nl ⁨2⁩ ⁨weeks⁩ ago
    See also: timing attacks
    
    source
- DoctorPress@lemmy.zip ⁨2⁩ ⁨weeks⁩ ago
  This requires you to trust gov that they will not trace where the secret message is pasted.
  
  source
  - Uruanna@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
    How about
    
    Middleman anonimizer, pornhub sends the message to a middleman, the middleman puts its own token on the request, sends that to the gov, the gov responds yes/no to the middleman on the authenticity of the message, the middleman forwards the response to pornhub. The gov doesn’t see pornhub, pornhub only gets the yes/no response, the middleman only sees the message with no ID and the response.
    
    source
  - ComradePenguin@lemmy.ml ⁨2⁩ ⁨weeks⁩ ago
    If they can trace it, why would they need the code to do it? They know who you are already
    
    source
daniskarma@lemmy.dbzer0.com ⁨2⁩ ⁨weeks⁩ ago
It’s possible with certificates and 2fa issued by a government, which already have all your data, that would only verify that you are over 18.

We already have that in Spain, sort of. We have a government app where you have a digital id stored and you can make it create a verify qr that only shows if the user is over 18 or under 18, no more data. The qr only last 5 minutes active.

It is necessary? Not for internet access. That’s a duty of the one paying for internet in the household, not the government.

source
birdwing@lemmy.blahaj.zone ⁨2⁩ ⁨weeks⁩ ago
Zero-knowledge proof. Medium has an example, though unfortunately the article logs user data, so beware on that.

source
Nighed@feddit.uk ⁨2⁩ ⁨weeks⁩ ago
The government knows who you are. They know your age, your address and know you exist (probably).

You go to a site that requires ages verification. You say:please verify me with the government portal. You go to that portal to get a temporary id code to give to the site. The website says to the gov portal give me the name and age of the user with this temp ID. You approve that access. Portal sends age (or an issue over 16/18/21 etc flag) to the site.

Gov portal doesn’t need to know who the site is You don’t provide a unique ID to the website, just a temporary one. Site only gets the data you approve.

The process can do with some streamlining, busy should work in practice?

source
- AtHeartEngineer@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
  Ya you could definitely do this way too. There is a standard that google came up with called private state tokens that would allow you to do this in a pretty clean way, if you were cool with using your governments portal.
  
  Essentially you would login to the govt portal, they would issue you some limited set of tokens (let’s say 5) that would expire after 30 days. You would go to an age restricted website and sign up and that would “burn” a token.
  
  You could use ZK on top of this to make sure that the same email address or some other “nullifier” piece of information was used, to prevent an 18 yo kid from selling their tokens to 17 yos.
  
  source
rowinxavier@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
There are tonnes of ways but honestly, the easiest way is to do it at the ISP level. Have an internet connection you don’t want used for adult material? Have an opt in service at the ISP to block XXX rated sites and maybe social media. If you are old enough to pay for your own internet you should not be required to jump through hoops to access what you want, but kids should not be thrown onto the internet without guardrails. Some kids will get around it but it would be an active choice, so most kids would not. And to be clear, this would be done at the ISP level where you already have verification of age built in to billing, so no additional privacy concern. Honestly, the fact that this is not the solution is what tells me all of this filtering is not about protecting kids, it is about centralisation and control along with pork barrelling for age verification companies.

source
- sleen@lemmy.zip ⁨2⁩ ⁨weeks⁩ ago
  The kids are just bait for the masses, the big bad wolf doesn’t care about the safety. Control is what they’re after.
  
  Besides that the point about guardrails, is what I agree in. It would prove beneficial for kids until they become fully aware teenagers. It is also beneficial to note the lack of distinction between teens and kids within these laws. This is what truly makes this predatory - where the fully aware individuals are stripped off their rights.
  
  If they are going to take away the rights of our children, teens & adolescents, what is stopping them from taking away our rights?
  
  source
  - rowinxavier@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
    Yeah, there is a massive difference between a 9 year old and a 14 year old. Someone who is 17 is not necessarily significantly different from an 18 year old, yet we have to draw the line somewhere. I think if you own and pay for the service it should be up to you at a service level, not up to the government to demand a random third party company be accessed to verify ID and so on. That third party company stands to make money while also being a wonderful target for hackers.
    
    source
    -> View More Comments
quick_snail@feddit.nl ⁨2⁩ ⁨weeks⁩ ago
Yes, but your government doesn’t want that.

source
sharkfucker420@lemmy.ml ⁨2⁩ ⁨weeks⁩ ago
Its possible but it would defeat the point of age verification

source
- AtHeartEngineer@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
  How?
  
  source
ilinamorato@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
I’m inclined to say no. Reducing the problem down to its most basic parts: Alice is authorized to talk to Bob, but Bob doesn’t know that. How can Alice prove it?

Bob has to assume that anyone asking to talk to him could be Mallory, who isn’t authorized to talk to him but will always answer “yes” if asked whether she is. So the authorization he gets has to be from a trusted third party; it can’t come from Alice.

Grace is a trusted third party. If Alice doesn’t care about privacy, and is okay with Grace knowing that Alice talked to Bob and with Bob knowing Alice’s identity, Alice can just tell Bob, “here’s proof that I’m Alice. Show this to Grace and she’ll confirm that I can be here.” This is SSO, essentially.

If Alice doesn’t want Bob to know who she is, but is ok with Grace knowing that Alice talked to Bob, she can ask Grace to give her a secret code, and give that code to Bob, who can check with Grace to know whether or not that code corresponds to someone who is authorized.

If Alice doesn’t want Grace to know that she’s talking to Bob, though, she runs into a problem. Because there’s no way for Grace to send Bob a message without knowing who Bob is, he can’t ask anonymously, and because there’s no way for Grace to confirm that Alice is authorized without knowing who she is, Grace will always know that Alice has asked for authentication to talk to Bob.

Adding Dave in as a trusted fourth party could solve the problem—Alice asks Dave to check with Grace, and lock his answer in a bag with a unique key that only Dave has. Then Grace could give the bag to Bob, who doesn’t need to know who Grace is to pass the bag to Dave and ask him to unlock it. But Alice would be trusting that Dave won’t keep records on which bag corresponds to which person.

I don’t think that’s a surmountable problem. I’ll have to think about it some more.

source
- Saledovil@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago
  Here’s my idea: Bob gives Alice a token, assigning her an unique random number n. Alice goes to Grace and tells her, “Somebody assigned me number n, can you verify that I’m allowed?” Grace then writes: “User n is allowed, signed Grace”. Alice then takes this letter and shows it to Bob. Bob now knows that Alice is allowed, but nothing else. Grace only knows that somebody wanted to know that Alice is allowed, not who that somebody is.
  
  Of note here: This system does nothing to protect against an allowed user helping a not allowed user to gain access, but I don’t think it’s possible to protect against traitorous users.
  
  source
  - Blackmist@feddit.uk ⁨2⁩ ⁨weeks⁩ ago
    This is called a nonce.
    
    Which as a Brit is a really bad name for anything used to access porn.
    
    source
    -> View More Comments
  - groet@feddit.org ⁨2⁩ ⁨weeks⁩ ago
    There is no system in the world that can fully prevent an authorized user to grant access to an unauthorized user. Even with an all time on camera and screensharing I can still find ways to have someone else control my computer while I “authorize” the connection with my face in the camera
    
    source
    -> View More Comments
  - gandalf_der_12te@discuss.tchncs.de ⁨2⁩ ⁨weeks⁩ ago
    The problem is that it leaves a paper trail.
    
    Grace also knows what number n got verified, and the identity of the user n. Later, the website can ask the age-verifying service who user n actually was. It requires that the age-verifying service cooperates with the website, though, but this could be mandated by law, which would create a single point of (privacy) failure.
    
    PS: i love your writing style. It’s so simple and clear :)
    
    Cryptography is a really complicated subject. You managed to express it very easily understandable.
    
    source
    -> View More Comments
  - ilinamorato@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
    That could very well work, yes; but I think that would require Bob verifying Grace’s signature, and that would require trusting that Grace didn’t make a unique signature that she only used for Alice, and making a note of who verified it.
    
    There might be a way to verify those signatures with public keys in a way that didn’t require Bob to tell Grace that he was verifying the signature, which is still rattling around in my brain.
    
    source
    -> View More Comments
- gandalf_der_12te@discuss.tchncs.de ⁨2⁩ ⁨weeks⁩ ago
  See my comment in this thread involving drawing a piece of paper from a box in real life. Since nobody knows which piece of paper you draw from a box, if many people do this at the same time, it’s impossible to establish an one-to-one mapping between age-verifying tokens and people’s identities.
  
  source
pdqcp@lemmy.dbzer0.com ⁨2⁩ ⁨weeks⁩ ago
Yes, it is, see quark ID as an example of decentralized open source project by the city of Buenos Aires, in Argentina, which leverages zero knowledge proofs:

quarkid.org
github.com/ssi-quarkid

source
UsedCumSock@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago
Sign up for age verification platform and upload your government ID on the platform (let’s call this platform Age Verifier).

Age Verifier confirms you’re an adult, and lists you as an adult in their system.

Age Verifier purges your government ID and any PII on you. The only thing they keep is your basic account details and the fact that they’ve confirmed you’re an adult.

The next time you login to an adult site, you verify yourself by logging into Age Verifier’s platform. The adult site confirms with Age Verifier that you’re an adult, and you’re good to go.

This system probably works, but it’s not without its downsides. We’ll need a way to confirm that your government ID and PII is actually deleted on Age Verifier’s platform. A way to deal with this might be to make sure Age Verifier is never driven by profit so they’ll never need to look into selling people’s data. Maybe it could be ran by a non-profit? Or perhaps it can be ran by the government? But if you don’t trust the government, that could be an issue.

And I can also see an issue where one guy who keeps creating different Age Verifier accounts, verifying that the account is an adult, and then selling that account to people.
source
- xavier666@lemmy.umucat.day ⁨2⁩ ⁨weeks⁩ ago
  
  We’ll need a way to confirm that your government ID and PII is actually deleted on Age Verifier’s platform. IMO this is the hardest part to ensure in a transparent manner.
  
  source
gandalf_der_12te@discuss.tchncs.de ⁨2⁩ ⁨weeks⁩ ago
It is doable, i think. Consider:

You go to your local library. They verify you’re above the age limit (like they do at supermarkets when you try to buy alcohol: either look you in the face and recognize you’re clearly old enough, or have to show them some kind of id, details vary.)

You pick a code (put your hand in a box and draw a piece of paper at random). Nobody knows what code you picked except you. If lots of people do this at the same time, it’s impossible to accurately map codes to people’s identity.

You scan the code (like QR code) with your social media app that you use, and it associates the code with your account. Now everybody knows you have a valid code associated to your account, but nobody knows your identity.

The code could work something like a cryptographic signature, where you can show that you have a valid code without actually revealing the code, so others can’t simply copy it. That’s a technical detail that you need to leave to the programmers to accurately understand.

source
- leadore@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
  That sounds logical, but I think there would be an immediate black market for valid codes that would be sold to minors.
  
  source
  - gandalf_der_12te@discuss.tchncs.de ⁨2⁩ ⁨weeks⁩ ago
    same for alcohol then?
    
    source
QuinnyCoded@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago
I’d say it’s impossible. Minors will ALWAYS find a way around it, even if it involves government IDs. The actual trick is finding if a “are you 18?” box is enough or not.

source
howrar@lemmy.ca ⁨2⁩ ⁨weeks⁩ ago
Depends on how reliable you need this system to be. For example, do you need to handle the scenario where an adult verifies their age to access a website, then lets a minor use that website in their place? That would be a much harder problem to solve than if you just need to verify that an adult was present on the other end at one point in time. For the latter, device-based age verification seems to be trivial to set up from a technical standpoint.

source
Archangel1313@lemmy.ca ⁨2⁩ ⁨weeks⁩ ago
It’s only possible as long as you trust the people you’re giving your information to. So…no.

source
- AtHeartEngineer@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
  Not true, there are ways to do this privately with cryptography
  
  source
whotookkarl@lemmy.dbzer0.com ⁨2⁩ ⁨weeks⁩ ago
There are no registration or registry with individuals’ information if guardians use parental controls and adult sites and apps identify themselves as adult for those controls, check what their kids are doing online, and talk with them about dangerous people or content they might see to teach them how to stay safe.

source
altphoto@lemmy.today ⁨2⁩ ⁨weeks⁩ ago
We could go by width of feet… You take a foot picture, it goes to another user temporarily while they sign in. If they think that’s an adult then you’re in. Then they take a foot photo and the next random user sees their image and they have to judge if the image is an adult. But the image could also be a fake. If they identify a false positive they have to wait 5 minutes. And so on. If others need to login they could judge the same image already identified as adult. If they think its not an adult then that user’s logins is set to wait 5 minutes while two other users are snown the image. If those two users think its an adult then the user who said it was not an adult get to wait for 15 minutes. If however those two guys agree with it not being adult then that user gets permanently banned.

source
- altphoto@lemmy.today ⁨2⁩ ⁨weeks⁩ ago
  The users confirm others at random.
  
  source
AtHeartEngineer@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
If anyone is doing actual work trying to solve this please DM me, I’m interested in helping.

source