top | item 46956365

(no title)

spragl | 21 days ago

I have mentioned this before, but age verification can be solved by hash chains. They can prove age without compromising privacy.

It is crazy that the solutions Discord goes for are IDs and selfies. It definitely gives the impression that there are shady ulterior motives.

Hash chains are simple. If they were adopted, Discord would clearly be in bad faith taking the steps that they do now. If you search you will find quite a bit of information. My introduction to hash chains is for for age verification specifically: https://spredehagl.com/2025-07-14/

discuss

littlecranky67|21 days ago

The EU is working on a actual privacy-preserving initiative [0] that allows owners of ID wallets to verify their age, without their actual age or personal data being transmitted. The standard and reference implementations are open source on GitHub. Yet everybody screams uploading IDs and total government surveillance.

[0]: https://ec.europa.eu/digital-building-blocks/sites/spaces/EU...

ReptileMan|21 days ago

Dear littlecranky67, as overseer for your digital wallet, I am happy to inform you that the owner of the discord server kinkydwarfporn doesn't know who you are and your privacy is protected.

Signed your friendly EU official.

As long as someone in the chain is able to physically connect the dots it is game over for privacy.

rdm_blackhole|21 days ago

The same EU that is trying to backdoor every messaging app to "protect the children" TM? I 'll use their ID system on my dead body.

vasco|21 days ago

If the input is "give ID", what the software claims to do is almost meaningless since you cannot prove that software was running. What do I care that someone can tell me they built a privacy-first way of validating IDs/age if I cannot be sure that is the software they are running?

They can just as easily save the ID to disk and return "all good" for all I know.

spragl|21 days ago

No, the solution does not require that.

It requires that Bob proves posession of a private key, that only he has ever had. That private key could be generated specifically for the commitment that he got from Alice.

erfgh|21 days ago

Well your solution includes handwritten signatures and everyone being a handwriting expert so that they compare handwritten signatures. I wouldn't call this an elegant solution.

spragl|21 days ago

That is what the example uses. In the real world that would be a digital signature. Look under the heading "Fitting the parts together" to see what the real world solution could be like.

zelphirkalt|21 days ago

Even easier, just get tokens that carry no other information from ones government, and the government runs an API, that for a given token tells whether that token is valid. Can tokens be stolen? Maybe. Can your face be stolen? Today yes.

spragl|21 days ago

Hash-chains allows the solution to be token-less. You no longer need those per transaction information leaking API calls. You also avoid dependency on a single provider.

The communication in connection with a transaction would only go between the identity owner (Bob) and the provider (Cycle shop).

sebstefan|21 days ago

No API, they sign the tokens with the government's private key and you verify them with the government's public key

If discord needs to contact an API, then the government can associate the token with you, and you with discord, and know what you browse online. No thank you.

pbmonster|21 days ago

What's stopping kids from all using the token of that one older brother?

neuroelectron|21 days ago

Something like half of Israel's economy is intelligence gathering wtf do you think is happening here it's pretty obvious. economic leverage, surveillance, foreign influence, tech exports being used politically, etc.

mattstir|20 days ago

I'm not sure how hash chains would resolve the fundamental issue of needing to send your ID or similar to some random third-party company that does god-knows-what with it (probably stores it in a publicly accessible path with big "steal me" signs pointing at it). That they need to attest to your age means that they need to trust what your age is, which has really just moved the problem one layer deeper (as far as I can tell).

spragl|20 days ago

I assume by third party you mean the authority, and yes, the authority would need to know your personal information. At least enough of it to verify your age. So the ideal is that the authority is the entity that already knows your personal information. Like the entity that issued your passport to you, or the one that issued you drivers license.

But even if the authority was a private company, I think it would be an improvement compared to the current situation. In this situation your personal information would be held by this one company, and not whatever provider that needs to verify your age. Also, you would be able to use the commitments, that this private authority gave you, without any coordination afterwards. The authority would not know about your transactions.

stingraycharles|21 days ago

How would that mechanism work in practice, though? If every parent needs to become a trusted authority, wouldn’t that just move the goalpost? Who would be the trusted authority, and who would implement that?

I agree that the mechanism is elegant, but figuring out which entity should be trusted in a way that scales globally is somewhat difficult.

lrem|21 days ago

Realistically this would be another service attached to the government ID. Something like this does function in some European countries, doesn’t it?

IshKebab|21 days ago

The use of the parent is an example. In reality it would be some official age checking provider (maybe the government).

pbmonster|21 days ago

How difficult would it be to add further anonymization? Let's say I want to prevent the bike shop from building a usage profile on the basis of the age check (e.g. because I'm buying booze). Would I just need to get more chains from Alice, or is there an easy way to integrate e.g. group signatures into the scheme?

spragl|21 days ago

I think the way to go would be for Alice to give you lots of commitments. They are computationally light-weight to generate anyway.

That would at least be a good and also simple solution. Maybe there is a perfect solution, but then I dont know it.

zaxioms|21 days ago

If you wanted to implement this in real life, who plays the role of Alice?

spragl|21 days ago

I think that whatever organization that issues your passport, would be a natural choice for setting this up. But it could be some other authority. In a way it is the identity owners and the providers that decide who they will trust as authorities.

nicman23|21 days ago

this is just a think of the children attack