top | item 44903351

"Privacy preserving age verification" is bullshit

252 points | Refreeze5224 | 7 months ago | pluralistic.net

228 comments

[+] OkayPhysicist|7 months ago|reply
The key problem with this entire issue is that it's basically a morality law. There are classes of crimes that, over time, society has discovered simply do not have an enforcement mechanism less damaging than the harm they are seeking to prevent.

An example is Adultery. Most people will agree that it is morally wrong to cheat on your spouse. The reason civilized countries no longer have adultery laws is not because a majority of people support the crime, it's that the level of control a government needs to exercise over its citizenry to actually enforce such a law is repugnant. The state must proscribe definitions of infidelity ( human sexuality being the mess it is, this alone is a massive headache), then engage the state apparatus to surveil people's intimate lives, and then provide a legal apparatus that prevents abuse via allegation. And for what? So that people's feelings are a little less hurt?

The juice simply is not worth the squeeze.

So it goes for age restrictions. Age verification creates massive potential for invasion of privacy, blackmail, censorship, and more, necessitating a massive state censorship apparatus to block foreign content, and for what? So that little Timmy's forced back into trading nudie mags at the bus stop? To save parents the onerous effort of telling their kids "no"?

It's simply not worth it.

[+] Illniyar|7 months ago|reply
I think that's a bit of rationalizing. I don't think there's much evidence that adultery is no longer a criminal offense because people were concerned about privacy or government control.

It's that people became more secular, Adultery is considered a sin and not a crime, and modern countries instituted separation between religious and secular laws.

[+] tim333|7 months ago|reply
As a Brit I'd say the recent law isn't like that. When I was a kid, pre-internet, porn was restricted by putting it on the top shelves and telling staff not to sell it to kids, likewise X-rated movies etc. It worked fine. Adults didn't have to show ID to go to the movies. If a 16 year old got into an X film no one cared.

The modern law is an attempt at an internet equivalent. It's not using the courts to police adultery.

[+] amelius|7 months ago|reply
Ok, but how long will it take the people in power to figure this out (again)?
[+] Y_Y|7 months ago|reply
Unfortunate typo of proscribe (forbid) instead of prescribe (write down)
[+] DeRock|7 months ago|reply
Adultery not being a crime goes far beyond its enforcement mechanism.
[+] xyzzy123|7 months ago|reply
It's perfectly legitimate for the state to have laws where preventative enforcement is not really possible. Like, we can't surveil everyone such that we can stop murder, but we wouldn't want to do without laws against it.

There are also a lot of differences between adultery (a p2p activity between individuals, usually with no compensation) and the activities of a business like pornhub which is a big platform with lots of employees and multiple large revenue streams. It seems both reasonable and feasible to me to regulate the latter.

For this specific issue (harm to children through greatly increased access to porn via electronic devices) I think of it more like selling cigarettes to under 18s - it's worth doing something about the problem! - but like you I believe that the proposed age verification laws are not a great solve for the actual problem.

[+] cogman10|7 months ago|reply
The big problem I have with laws like the UK has been that they solve a non-issue at the cost of large infrastructure and potential privacy problems.

Teenagers have been looking at porn since forever. It's practically a trope of teens stealing their parents' porn mags. I don't think any of this has actually caused major societal issues.

The proposed solutions merely require that a teen steal their parent's identification, briefly, to create a porn account and move on. Heck, they can probably buy that information online if they are innovative enough. They certainly will be selling access to their porn accounts to their classmates. And even if they don't go through all that trouble, getting a porn mag is still pretty possible in the UK.

That makes this just a bad law. It doesn't meaningfully stop the problem it's meant to stop and it's expensive and intrusive. Even if privacy preserving age verification was bulletproof and perfect, you still have the access holes all over.

And then there's the simple fact that other nations exist. Yes, mainstream sites will put up protections, but what about the Sealand porn site? Unless the UK wants a great firewall (à la the Chinese firewall), they simply aren't going to stop this problem. Even then, VPNs are common knowledge at this point due to streaming.

Bad law, bad effects, and a pointless fight.

[+] can16358p|7 months ago|reply
It's 2025 and we're still discussing people's access to porn because of some conservatives, whereas we should be discussing how technology could actually be used to improve the world.

Unbelievable. Let people watch their thing if they want to, jeez.

There are MUCH more important problems on Earth.

[+] unfitted2545|7 months ago|reply
> I don't think any of this has actually caused major societal issues.

It degrades and oppresses all women.

[+] owisd|7 months ago|reply
Having a device in your pocket that you take everywhere with no stigma to being seen with it yet it has unlimited access to any genre of porn you can think of is hardly comparable to finding a 90s porn mag in a bush from time to time, so you can't really say this has been happening forever.
[+] mzhaase|7 months ago|reply
So in Germany we have an ID card with a PIN, NFC and a government app. Website owners can request to be able to use this feature. They then get a certificate from the government that has the fields they are allowed to request stored within it.

Websites can request data from the user by sending that certificate; it opens the app, it shows you the categories of data to be sent, you hold your ID card to the phone, enter the PIN, and the certificate is uploaded to the ID card, which verifies it. If it's valid, the ID sends back the data that is specified in the certificate.

You then get presented with exactly the data that is going to be sent to the website. You can then agree or disagree. So far that is only used to log in to government websites.

This way the government does not know which sites you visit, and you only send your age to the website.

[+] crote|7 months ago|reply
The problem with schemes like these is that it is reasonably easy to come up with something which is pretty close, yet still missing some crucial details.

- You do not want the government to know which websites you visit. This rules out any kind of redirect / forwarding via a government website or app.

- You do not want websites to correlate their requests, as that would allow for cross-website tracking. Request data from website A should be completely useless to website B. This rules out most regular certificate schemes.

- You do not want a website to correlate multiple data requests, as that would allow websites to create some kind of supercookie. Requests should be completely independent, and two requests from the same user should be indistinguishable from requests from two different users.

- You do not want to lose privacy when the government and the website work together. The request should still be anonymous when the two collaborate, or else there can be no reasonable assumption of privacy. This rules out most clever pass-a-one-time-code schemes.

- You want the request to be unique and time-bound. It should not be possible to replay a response, either to the same website or a different one.

- You do not want to send more data than strictly necessary. If a website needs to know if you are 18 or older, it should only receive a boolean flag.

Getting some of those properties is easy. Getting all of them at the same time? Nearly impossible. And the worst part is that I almost certainly forgot a handful of requirements!

[+] fabian2k|7 months ago|reply
It's even more restrictive than that: for age verification you only get back whether the person is above the age limit or not, it's a boolean response.

So I think from that view the eID works pretty well, it provides the minimal necessary information. The bigger issue with something like this is if you use them to enforce real name policies or stuff like that.

[+] input_sh|7 months ago|reply
I completely agree it's technologically feasible in basically every continental European country (as we all have some form of biometric IDs), but do you want to have to do that every time you open a private tab to look at porn? Do you want to not be able to clear your browser cookies without going through that process all over again for basically every website? Do you want to extend 2FA into 3FA with your national ID acting as the third factor so you can view "sensitive" content?
[+] tgp|7 months ago|reply
The ID card also has this amazing function where you can log in to sites using the card without revealing your identity, and even merging the databases from two sites does not allow two users to be identified as the same natural person: https://www.personalausweisportal.de/Webs/PA/EN/business/tec...

I have never seen a website offering login using this function, though ;-)

[+] nottorp|7 months ago|reply
> This way the government does not know which sites you visit

Hmm. It's not clear from the description that it is so. The government knows which site sent the request and authenticates your card, which is tied to your identity, right?

[+] Hizonner|7 months ago|reply
Age and IP address are probably sufficient to uniquely identify most Internet users.
[+] michaelt|7 months ago|reply
Interesting. How does the revocation of lost/stolen cards interact with the anonymous design of the age attestation?

If an enterprising 19-year-old sold their card and PIN to a 15-year-old and reported it lost to get a replacement, presumably there's some mechanism to stop the 'lost' card being used as proof of age?

[+] zeeZ|7 months ago|reply
For the curious, look up BSI TR-03124 eID-Client and BSI TR-03130 eID-Server for technical implementation, available in English.
[+] BlueTemplar|7 months ago|reply
This might be fine, especially if it was restricted to a specific subset of websites, but I presume that (especially in Germany!) the ID card is not mandatory, and neither are smartphones, and pushing both of them towards being nearly socially mandatory requirements is a very bad idea, especially in a context where iPhones / Androids are somehow still not only effectively legal in the EU, but even dominant.
[+] michael1999|7 months ago|reply
I'd refine Doctorow's claims to "Privacy preserving age verification is bullshit in the Common Law Anglo world".

You are completely correct that civil law jurisdictions have already solved this: Germany, Estonia, and many others have all the requirements: a register of all persons available to the central authority, and crypto infrastructure to make it work.

What's missing from the UK, Canada, USA, etc. is the first part! It is hard to believe if you live in Germany, but there really is no big master list of people in those countries. There are many (many, many) lists, linked badly by many different ids. The tax registry, pension registry, drivers license registry, and visa registry are some of the big ones.

Things could be so much simpler if we had such a thing, but the politics between here and there are basically impossible.

[+] pier25|7 months ago|reply
There's no way this could be implemented globally.
[+] sidewndr46|7 months ago|reply
that's great, no one should be viewing websites the government doesn't approve of.
[+] lisbbb|7 months ago|reply
I guess I'm such a hard line anarchist that this sounds totally awful to me. Remember East Germany? Nope, none of you do...
[+] jchw|7 months ago|reply
Even if you could do this in every single country (it would already be extremely hard to actually do this in the United States reliably, and I can only imagine it is basically a non-starter in a lot of developing countries) it does pose so, so, so many problems.

- How can you ensure the system can't be abused if there's no identifying information passed? Don't get me wrong, this is also a problem with current systems, maybe even worse. But if it's privacy preserving, ... Almost all kids under 18 have parents or guardians. Almost all of those parents or guardians are 18 or older. So literally all you have to do to bypass age verification is steal their ID for a few minutes? There are also a myriad of solvable problems that aren't guaranteed to be solved without care, like ensuring that the same ID is not used 100,000 times.

- This is a job that is best suited for the government to handle. The internet is global though, and there are a lot of governments. In the U.S., there is in fact not one federal ID, but instead we use state IDs. I assume that means you now need to handle around 50 different state IDs to be able to verify someone's identity, but it actually gets even worse than that, because some people will have IDs, and some will have drivers licenses, because oddly enough that's just how we structure IDs here. People without drivers licenses may have state IDs which are often intentionally visibly distinct to make sure they can't be mistaken for the other. In states I'm aware of, you'll never have both, the driver's license acts as a state ID if you have one. Now scale that to every country on Earth.

- As insane as it may sound, there are plenty of people who don't have essentially any form of ID. You might think I'm over-estimating the numbers with "plenty", but even just in the United States, it's literally over 2.5 million, off the top of my head. (No idea what the best source is here.) The closest thing we have that every citizen is supposed to have is Social Security, but that isn't really usable as a form of ID for various reasons. (And frankly it's a pretty terrible means to verify someone's identity at all anymore in the Internet age, but oh well.)

I'm totally sympathetic to the fact that people really don't want their kids browsing porn on the Internet, but children basically can't pay for Internet access or afford iPhones. I think it's insane that people keep suggesting using advanced cryptography, zero-knowledge proofs, privacy pass tokens or whatever else for a problem that so clearly needs to be solved socially and not technically. (And obviously, only the surface-level aspects of this are really about porn. We all know it's deeper than that, and if it wasn't, the UK would readily exempt Wikimedia from these requirements. I hope nobody here is deluding themselves into thinking this is a noble effort.) You are literally giving your children a device that can easily obtain porn and letting them use it unsupervised. It's not like it was a secret: Avenue Q told you everything you needed to know. I get that raising kids is hard and society pressures you to do this, but isn't that the problem you'd rather tackle?

The problem is that we've let this idea that you can solve the problem like this enter the mainstream, and now that we have, even smart and reasonable people may accidentally convince themselves that it is tractable just because it is technically feasible to devise such a system. This is bad because we're going to waste a lot of energy repeating ourselves on thinking about the entirely wrong way to look at things.

[+] LtWorf|7 months ago|reply
And you think a crafty teenager can't get around that?
[+] Muromec|7 months ago|reply
I'm confused. The author puts crypto backdoors and IDP with ZKP into the same bucket and calls it "nerding harder". But why? You can have an identity provider, several European countries do, and you can have subcredentials. You literally can nerd harder here.

Sure, there is a strong ideological argument why you should not have strong identities required in the internet in general (or even in offline) and on porn sites specifically, but the argument is not technical.

[+] torginus|7 months ago|reply
These 'anonymity' technologies are laughably worthless - sure ZKP might provide mathematical proof that it's impossible to find out who the subject is, but embed a tracking cookie and fingerprinting script into both the porn site, and the online grocery - and there you go, you have irrefutable cryptographic evidence of how John Doe likes to spend his evenings.
[+] thyristan|7 months ago|reply
But it is. In those European countries, IDPs and certification authorities are one and the same entity. So the technical requirement of privacy evaporates, the government will always know who is proving their age to which porn site.
[+] Seattle3503|7 months ago|reply
To me it seems like Cory Doctorow is demanding perfection, and saying that because we can't achieve perfection in age verification, we can't do age verification at all. That isn't going to stop people from trying, and we will end up with a worse system overall. IMO this is a common pitfall of techno-idealists.

Technologies like the mdl standard [1] can attest to age without revealing the users identity.

As Cory points out, it's still possible for kids to swipe someone's ID and use that. There are probably practical solutions that are good enough. Android, iOS, and parents could work together to deal with the problem of stolen IDs. If mdl is implemented on devices such that they are managed by the device OS, that would lead to auditability. Parents can ask their child to see their phone's ID app, which will show the full roster of IDs on the child's device. If a parent sees an ID that shouldn't be there, they can have a conversation about it. In this way the law would be about empowering parents to shape their child's online experience. This is just a straw-man example solution, but there may be better ones.

The other objections I saw could be worked through in a similarly pragmatic fashion.

This is probably going to be good enough for most folks, and it's probably a good thing to keep children away from pornography and such. And IMO coming up with a "good enough" solution will flush out all the bad actors who are hiding behind the excuse of "save the children" when really they want to build up a record of everyone's browsing history. But by denying any solution to a real problem, we let the bad actors hide amongst the well-intentioned folks who are trying to do the right thing.

[1] https://en.wikipedia.org/wiki/Mobile_driver%27s_license

[+] crote|7 months ago|reply
> To me it seems like Cory Doctorow is demanding perfection, and saying that because we can't achieve perfection in age verification, we can't do age verification at all.

Not we can't, but we shouldn't. All the current solutions are terrible, and are either trivial to fool or mass surveillance machines. We shouldn't be stupid enough to go for either option because it'll either cost a fortune while giving us nothing, or cause immeasurable harm when the National Porn Viewing Database inevitably gets used to blackmail everyone.

We're trying to (poorly) use technology to solve a social problem. If we can't figure out a way to do so using technology without significant downsides, then perhaps we shouldn't be using technology to solve the problem at all.

[+] wbl|7 months ago|reply
The MDL standard does not do what you think it does.
[+] philjohn|7 months ago|reply
They also get who actually passed the bill wrong - it was the last Conservative government.
[+] skybrian|7 months ago|reply
You’re probably better off just reading the paper he links to:

https://www.cs.columbia.edu/~smb/papers/age-verify.pdf

I think it shows the difficulty of implementing it for everyone. But Apple and Google’s cell phone implementations would probably cover most people in some countries when finished, and then there will be a long tail of people who will need cheats and workarounds.

You’d be screwed if you didn’t have any friends who could help you cheat.

[+] BlueTemplar|7 months ago|reply
We should be considering how to kick Apple and Google out of most countries, not give them control over something so critical!
[+] ratelimitsteve|7 months ago|reply
Remember when they passed a bunch of really strong anti-terrorism bills in the US after 9/11 and we were all super sure that it was a great idea because they promised us they'd show restraint and only use the powers they were giving themselves against the worst of the worst, then they declared vandalism to be terrorism (https://www.reuters.com/world/us/trump-says-he-will-buy-new-...)?

That's how I expect "privacy-preserving age verification" to go. It's the narrow end of the wedge. Once privacy-preserving age verification is in place there will be some reason to get rid of the privacy, and we will have a fully tracked and identified internet.

[+] kazinator|7 months ago|reply
If you're a web person who understands SSL, privacy-preserving age verification can be explained by analogy.

It's a system which requires a central agency, probably a government agency, analogous to a certificate authority.

You are authenticated with that agency; it has personal info about you. But you are externally identified by some impersonal identifier, not your name.

The agency issues you a certificate binding this identifier to an assertion like "is over 18 years old".

When you interact with a site that wants to know whether you are over 18 years old, you present the certificate. The site can see that it's signed by the authority and that it has the assertion that you are over 18.

You can't just give that site someone else's certificate because it has to be the one tied to the abstract identity you are presenting (which contains no personal info; it's some kind of UUID or whatever). Plus the cert can be bound to a specific device and such.

The cert has a private key with which you can prove that you own that cert; or at least that you are the authenticated operator of a device to which that cert was issued.

It's something like that. I may have some key details wrong. The main idea is that some brokerage that does have info about you can attest that you are over 18 without revealing any of the personal info via certificate-like objects.

It sounds like, in theory, the system can achieve good privacy in age verification. But not perfect age verification; people will find ways around it.

A grown up can certify themselves to be over 18 and then hand the device to a teenager; and such an operation can likely be scaled to some extent. And of course no cryptographic system can eliminate the possibility that minors are looking at the screen of a device operated by an adult, who may even step out of the way to let them operate it.

[+] JanisErdmanis|7 months ago|reply
How would setting up a primary credential with an identity provider differ from the process of registering to vote for USA citizens? All the discrimination opportunities and accountability issues seem to apply equally there.
[+] Bender|7 months ago|reply
The only privacy preserving option is to add a single RTA header on the server side. Laws could have required any site or service that has adult or user generated content to simply add RTA [1] headers and require clients to make a best effort to detect the headers and trigger parental controls if enabled. That's it. Not perfect, nothing is. All the liability could have gone to the parents where it belongs.

No third party traffic, nothing to leak, nothing to track. Simple as. Not everything has to be a service or a business model.

[1] - www.rtalabel.org/index.php?content=howtofaq#single
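
The client-side half of what Bender describes, as an added example that is not code from the thread or from RTA: a best-effort check of a fetched response for the RTA label and the resulting parental-controls decision. The label string and its two placements (an HTTP `Rating` header or a `<meta name="RATING">` tag) are as I recall them from the RTA FAQ linked above; the sample responses are constructed, and nothing leaves the client.

```python
# Client-side RTA label check (constructed example). The label string and
# its two placements, an HTTP "Rating" header or a <meta name="RATING">
# tag, are as documented by RTA; confirm against rtalabel.org before use.
from html.parser import HTMLParser

RTA_LABEL = "RTA-5042-1996-1400-1577-RTA"


class _MetaScanner(HTMLParser):
    """Records whether any <meta name="RATING"> tag carries the RTA label."""

    def __init__(self):
        super().__init__()
        self.found = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "").strip() for k, v in attrs}
        if a.get("name", "").lower() == "rating" and a.get("content", "").upper() == RTA_LABEL:
            self.found = True


def is_rta_labelled(headers, body):
    """True if either the response headers or the page's <meta> tags carry the label."""
    if any(k.lower() == "rating" and v.strip().upper() == RTA_LABEL
           for k, v in headers.items()):
        return True
    scanner = _MetaScanner()
    scanner.feed(body)
    return scanner.found


def client_decision(headers, body, parental_controls_on):
    """Best-effort client policy: block only when controls are on and the label is present."""
    if parental_controls_on and is_rta_labelled(headers, body):
        return "block"
    return "allow"


# Constructed sample responses: (headers, body).
LABELLED_BY_HEADER = ({"Content-Type": "text/html", "Rating": RTA_LABEL},
                      "<html><body>members area</body></html>")
LABELLED_BY_META = ({"Content-Type": "text/html"},
                    '<html><head><meta name="RATING" content="RTA-5042-1996-1400-1577-RTA"></head></html>')
UNLABELLED = ({"Content-Type": "text/html"},
              '<html><head><meta name="rating" content="general"></head></html>')
```

`client_decision(*LABELLED_BY_META, True)` returns `"block"`; with controls off, or on an unlabelled page, it returns `"allow"`. The check is deliberately case-insensitive on both header name and meta attribute values, since that is where real-world markup varies.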

[+] torginus|7 months ago|reply
The problem is not only that it's impossible to make cryptography that's only secure when the good guys use it, it's that once cryptography is made insecure, it's insecure for everyone, forever.

I'm not a privacy hardliner, and I think the socially acceptable tradeoff between privacy and security was well established before the computer era - if the police have a well-enough established suspicion against you - they can get a warrant and search your home. That's due process.

I would accept if there was a digital version of that which targeted not the encryption itself (which could be as strong as possible) - but the endpoints, like smartphones and computers.

Let's say police had a device which they could plug into your phone, which would send a specially signed message - a digital warrant, containing all the info a real warrant would - which would be permanently burned into the ROM of your phone, after which the phone would surrender its encryption keys, and the police could dump your unencrypted disk.

The phone would be then presented as evidence at the trial, and not following due process would be a cause for mistrial, no matter what they find there.

The general public would be safe in the knowledge that as long as the police isn't hauling them in, their secrets are safe, and the government would get the tools for what they claimed they wanted - a way to catch bad guys with digital tools.

[+] nayuki|7 months ago|reply
I think this would be a perfect use-case for blind signatures. https://en.wikipedia.org/wiki/Blind_signature

Let's say every citizen has an account with their federal government, and the account can be accessed securely in some reasonable way (password, 2FA, hardware token, etc.).

The government can have a public-private RSA key pair specifically for "At least 18 years old". Once the user is authenticated, he can generate a nonce and a blinding factor, multiply them together to get a blinded random number, and upload that to the government for signing. He takes the signature and unblinds it, then submits the original nonce and unblinded signature to the adult website. The website confirms that the nonce and signature are valid according to the government's public key.

This system raises many questions. For example, preventing replay attacks, so the adult website will reject any nonce being reused, or mandating that a timestamp be a subcomponent of the nonce. There is the unanswerable question of how to handle the case where a legitimate adult offers valid signatures for someone else to use. There is also the question of to what extent the adult website should be able to keep track of the underlying users (even in a hashed format) to monitor abuse, suspicious users who have too much activity, etc.
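
The scheme nayuki sketches above, carried through as an added example that is not code from the thread or from any real eID project: textbook RSA blind signatures in Python, with a government key dedicated to the single assertion "at least 18", a citizen who blinds a timestamped nonce and unblinds the returned signature, and an adult site that checks the signature, the embedded timestamp, and a replay cache of used nonces. It also makes concrete kazinator's point earlier in the thread that a broker holding your data can attest to one fact without handing any of it to the site. The account register, ages and the `account id -> age` lookup are constructed; the 256-bit primes and bare SHA-256 encoding are far too weak for real use and stand in for a properly sized key with a full-domain-hash or PSS encoding. Against crote's checklist: the government sees only a blinded value, so even colluding with the site it cannot recognise the token; each token is single-use; and the site learns nothing beyond what the key stands for. Timing and IP metadata on both sides, and an adult handing tokens to someone else, are outside what the mathematics can fix, as nayuki notes.

```python
# Toy RSA blind-signature age token (constructed demo, not production code):
# textbook RSA, 256-bit primes, bare SHA-256; real use needs larger keys
# and a proper full-domain-hash or PSS encoding.
import hashlib
import math
import secrets
import time


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin test with `rounds` random bases (n >= 4 expected)."""
    if n < 4:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits=512):
    """Returns ((e, n), (d, n)); this key is dedicated to one assertion only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)


def _hash_to_int(nonce, n):
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big") % n


class Government:
    """Authenticates citizens and blind-signs with the 'at least 18' key."""
    def __init__(self, ages):
        self.pub, self._priv = rsa_keygen()
        self._ages = ages  # account id -> age (constructed register)

    def sign_blinded(self, account_id, blinded):
        # Only the blinded value is seen here, never the nonce, so the
        # signer cannot later recognise the token at any website.
        if self._ages.get(account_id, 0) < 18:
            return None  # refused: account holder is not an adult
        return pow(blinded, *self._priv)


def make_age_token(gov, account_id, now=None):
    """Citizen side: timestamped nonce, blind, get it signed, unblind."""
    e, n = gov.pub
    ts = int(time.time() if now is None else now)
    nonce = f"{ts}:{secrets.token_hex(16)}".encode()
    m = _hash_to_int(nonce, n)
    while True:
        r = secrets.randbelow(n - 2) + 2  # blinding factor, invertible mod n
        if math.gcd(r, n) == 1:
            break
    signed = gov.sign_blinded(account_id, (m * pow(r, e, n)) % n)
    if signed is None:
        return None
    return nonce, (signed * pow(r, -1, n)) % n  # unblind: r cancels out


class AdultSite:
    """Relying party: checks signature, freshness, and single use."""
    def __init__(self, gov_pub, max_age_s=300):
        self.e, self.n = gov_pub
        self.max_age_s = max_age_s
        self._seen = set()  # replay cache of nonces already accepted

    def accept(self, nonce, sig, now=None):
        now = int(time.time() if now is None else now)
        try:
            ts = int(nonce.split(b":", 1)[0].decode())
        except ValueError:
            return False
        if ts < now - self.max_age_s or ts > now + 60 or nonce in self._seen:
            return False
        if pow(sig, self.e, self.n) != _hash_to_int(nonce, self.n):
            return False
        self._seen.add(nonce)
        return True


def demo():
    """Returns (first use accepted, replay accepted, minor refused)."""
    gov = Government({"alice": 34, "bob": 15})
    site = AdultSite(gov.pub)
    tok = make_age_token(gov, "alice")
    return site.accept(*tok), site.accept(*tok), make_age_token(gov, "bob") is None
```

`demo()` returns `(True, False, True)`: the first presentation passes, the identical token replayed is refused, and a minor's account gets no signature at all. The replay cache only needs to remember nonces inside the `max_age_s` window, since anything older is rejected on the timestamp first; that bounds the site's storage without giving it anything it could use to recognise a returning user.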

[+] charcircuit|7 months ago|reply
>politicians all over the world demanded a kind of impossible encryption

It's not impossible to design a cryptographic system where law enforcement is a party within it. The false dichotomy of encrypted or not encrypted in my opinion is used to shut down the conversation since it's easy to argue why no encryption is bad. It's a strawman.

[+] ncdm_stldr|7 months ago|reply
While I understand your point, I just wanted to point out that I am not sure that there is no technical solution to the problem. I wonder what can be done with a technology similar to this: https://huggingface.co/spaces/zama-fhe/encrypted_sentiment_a... Or this https://en.m.wikipedia.org/wiki/Zero-knowledge_proof Ok, I didn't point to the exact solution for the problem, but still it hints to me that technical solutions may exist.

Anyway, I am not on the side of control freaks, but still find the question interesting.

[+] burnt-resistor|7 months ago|reply
Fuck national ID cards and big mother, especially in the rising tide of authoritarianism and fascism where they will be used to inventory, abduct, deport, banish, and/or disappear people.
[+] irchans|7 months ago|reply
Even after reading the article, I think there are reasonable ways to set up a low cost system that uses zero-knowledge proofs to "prove" your age without disclosing your identity. I do think that you will need trusted entities and the system will only stop most, maybe 80 or 90 percent, of children under 18 from seeing porn. But, if you do this, then maybe 99% of kids under the age of 14 will have a lot of difficulty viewing porn, which is a good thing. There may be a valid slippery slope argument for not setting up the age validation system even if everything I said above is true.
[+] andrewla|7 months ago|reply
Overall this article is completely correct and I agree with every point of it and have tried to make these arguments about the various ZKP proposers that I have encountered.

But I almost gave up early because he can't resist the urge to take a dig:

> For politicians to make good policy, they don't need to be technical experts: they need to have solid, independent, well-resourced expert agencies. Those would be the very agencies that Trump and Musk have DOGEd into oblivion ...

And then in the next paragraph blithely engages in some Gell-Mann amnesia

> But when it comes to tech policy, politicians get it all so goddamned wrong

Expert agencies formulating clean water policies are emphatically not the reason that we have potable water. Experts in actually doing the work of producing clean water are the ones that push the standards upstream. It's a subtle but important difference.

Look, it's not 2018 anymore, we survived a round of Trump and we'll survive this one and the world will not end and some things will get better and some things will get worse, but trying to tie everything back to how Trump has ruined everything is going to make your views look worse and worse as they age.

[+] dathinab|7 months ago|reply
> "Privacy preserving age verification" is bullshit

it is possible if you accept that it only needs to be good enough

- it's fully okay if it can be deceived in all kinds of ways

- verifying only once per account is okay; if an adult passes their verified account to a child, that's their responsibility

- legally not just forbid but criminalize (with a required prison sentence) the storing of any data except "is adult yes/no" from an age verification process

- allow OS accounts to just tell applications (including websites) that "is 18", if an age verification was done in the account; also no signing or anything cryptographic, because again it's good enough, no need to protect it against hacking, the main responsibility still lies with the parents

so then you can do a single age verification per OS account, once, and be done with it

furthermore this verification could e.g. go through a process which might identify your identity but a) isn't allowed to pass anything but adult yes/no to anyone else b) isn't allowed to store that info c) storing it is at a "criminal liability" level where a CTO ordering data collection would go to prison

though if you live in a country where everyone has a passport with NFC chips (e.g. all of the EU) just adding an "adult yes/no" function(1) to it + a transparent (open source, non-profit) app per country to bridge it to accounts which need verification would do the job without needing the extra strict criminalize-abuse part.

Which brings us to the main problem:

- requiring politicians to accept a "good enough" solution, accept that the main responsibility still lies with the parent

- politicians not abusing it to spy on their population

- make laws to prevent companies from abusing "age verification" to collect private data

and that seems indeed impossible

---

(1): Technically I think it does exist, somewhat, in many passports already. But practically it's not viable as it (I think) discloses too much information and has too many issues wrt. integrating it (wrt. certificate nonsense)

[+] MattPalmer1086|7 months ago|reply
What a breathlessly overhyped post. Basically - yes we can do it technically, but there are big economic and social limitations on rolling something like it out.

Hard for sure, but not bullshit. I actually found it hard to read the post - it could have been a third as long and more useful and measured. But I guess it gets clicks.