Is there a way to prove your age without being identified/logging in? Surely some kind of OpenID style protocol can be invented for this with zero knowledge of personal information ending up with pornhub or which sites were being given age verification?
Even if every state started putting contactless chips into drivers licenses to provide anonymous age attestation, you'd still have the problem a kid can just use a parent's or older sibling's card.
And even if such cards did exist and they were considered legally adequate, you've still got the problem that nothing except smartphones can read them. And you've got the problem browsers don't support them, and app stores don't welcome porn-viewing apps.
Of course, this is all intentional - the religious anti-pornography groups that push for these laws consider it a good thing that complying with the law is essentially impossible. They want a full ban on pornography, but that would get struck down as unconstitutional, so they have to get a ban by indirect means.
> Is there a way to prove your age without being identified/logging in?
This comes up every time, but the purpose of the identity check is to ascertain (to the extent possible) that the person logging in is the person whose age you’re verifying.
If you completely separate identity from age checking using some cryptographic method, the loophole is that a single identity token with an adult age can now be used by everyone, everywhere to tell websites that they are above a certain age. So as soon as you did that, someone would just share (or steal) a token of valid age and post it online for everyone to use. Entire system subverted.
You could try to use a 3rd-party service that handles age check functions and implements some level of rate limiting to prevent this, but then you’re trusting that party to know about all of the porn websites and other places the person is trying to log in to. If that 3rd party is the government, well you’ve just created a convenient place for the government to collect stats about people logging in to porn websites.
> If you completely separate identity from age checking using some cryptographic method, the loophole is that a single identity token with an adult age can now be used by everyone, everywhere to tell websites that they are above a certain age
There are two counter-techniques used to address that problem. Tokens can be time limited down to a number of seconds (10-30?), and a single token is only valid for one session at a given website (assuming the website honors those restrictions on its side).
In addition, token providers may rate limit how many tokens a person may generate, and the application that requests tokens may require a bit of work from the user (like typing a PIN). Any person who needs to do more age verification could be required to contact customer support to unlock such features, which also means the provider can keep a closer eye on accounts that generate tokens in strange or abnormal patterns. Depending on how the market for identity providers is, different providers may provide different services and different levels of authentication.
In Sweden currently we are in a situation where there are multiple competing identity providers. They have to follow a certain certification, but the exact details of the technology vary a lot. There is a bit of talk of making those an open standard, including defining exactly what information the provider and the recipient should get. There is also the hope that the user application could be made generic, so switching/choosing provider becomes easy.
The problem with the technology in terms of privacy is not so much in the protocols or cryptographic methods, but rather a social one. You cannot create a fair identification system if all it does is ID control for porn sites, just as one cannot create a VPN if all it can access is porn sites.
Most systems would require you to anonymously prove ownership of the credential, not have an unchanging bearer token.
So yes, you could steal the private key I guess. But that is no worse than if you have to prove your identity; someone could get your password to your account.
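The two ideas above (short-lived, single-session tokens, and proving ownership of a credential instead of handing over a bearer token) fit together in one protocol. The following is an added example written for this page, not code from any of the commenters or from any real identity provider: an issuer signs a credential that binds "over 18" to the holder's Ed25519 public key, and each site challenges the holder with a fresh nonce that the holder signs together with the site's hostname and a timestamp. The names (`Issue`, `Present`, `Verifier`, `site-a.example`), the 30-second window and the fixed clock are all assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Credential: issuer-signed "whoever controls HolderPub is over 18 until Exp".
// Copying it is harmless: without the holder's private key it cannot be presented.
type Credential struct {
	HolderPub ed25519.PublicKey
	Over18    bool
	Exp       int64 // unix seconds
	IssuerSig []byte
}

// Canonical bytes the issuer signs (hex pubkey, so the '|' separators are unambiguous).
func credentialBytes(c Credential) []byte { return []byte(fmt.Sprintf("age-cred-v1|%x|%t|%d", c.HolderPub, c.Over18, c.Exp)) }

func Issue(issuerPriv ed25519.PrivateKey, holderPub ed25519.PublicKey, over18 bool, exp int64) Credential {
	c := Credential{HolderPub: holderPub, Over18: over18, Exp: exp}
	c.IssuerSig = ed25519.Sign(issuerPriv, credentialBytes(c))
	return c
}

// Presentation binds a credential to one site, one server-chosen nonce and a timestamp,
// signed with the holder's key: proof of possession rather than a bearer token.
type Presentation struct {
	Cred      Credential
	Audience  string // site hostname; assumed to contain no '|'
	Nonce     []byte
	IssuedAt  int64
	HolderSig []byte
}

func presentationBytes(p Presentation) []byte {
	return []byte(fmt.Sprintf("age-pres-v1|%s|%s|%x|%d", credentialBytes(p.Cred), p.Audience, p.Nonce, p.IssuedAt))
}
func Present(holderPriv ed25519.PrivateKey, c Credential, audience string, nonce []byte, now int64) Presentation {
	p := Presentation{Cred: c, Audience: audience, Nonce: nonce, IssuedAt: now}
	p.HolderSig = ed25519.Sign(holderPriv, presentationBytes(p))
	return p
}

// Verifier is one site's checker: it learns "over 18" plus a pubkey, never a name,
// and never contacts the issuer, so the issuer does not learn about the visit.
type Verifier struct {
	IssuerPub ed25519.PublicKey
	Audience  string
	MaxAge    int64           // seconds a presentation stays valid (the 10-30 s window)
	pending   map[string]bool // nonces handed out and not yet consumed
}

func NewVerifier(issuerPub ed25519.PublicKey, audience string, maxAge int64) *Verifier {
	return &Verifier{IssuerPub: issuerPub, Audience: audience, MaxAge: maxAge, pending: map[string]bool{}}
}

// NewNonce is sent to the client at the start of a session and is accepted once.
func (v *Verifier) NewNonce() []byte {
	n := make([]byte, 16)
	rand.Read(n)
	v.pending[string(n)] = true
	return n
}

func (v *Verifier) Verify(p Presentation, now int64) error {
	switch {
	case !ed25519.Verify(v.IssuerPub, credentialBytes(p.Cred), p.Cred.IssuerSig):
		return errors.New("bad issuer signature")
	case !p.Cred.Over18 || now > p.Cred.Exp:
		return errors.New("credential does not attest over 18 now")
	case p.Audience != v.Audience:
		return errors.New("presentation made for a different site")
	case p.IssuedAt > now || now-p.IssuedAt > v.MaxAge:
		return errors.New("presentation outside time window")
	case !v.pending[string(p.Nonce)]:
		return errors.New("unknown or already used nonce")
	case !ed25519.Verify(p.Cred.HolderPub, presentationBytes(p), p.HolderSig):
		return errors.New("holder signature invalid: no proof of key possession")
	}
	delete(v.pending, string(p.Nonce)) // one presentation per session
	return nil
}

// Scenario runs the attacks discussed in the thread against two sites; nil means accepted.
func Scenario() []error {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, thiefPriv, _ := ed25519.GenerateKey(rand.Reader)
	const now = int64(1_700_000_000) // constructed clock, keeps the run deterministic
	cred := Issue(issuerPriv, holderPub, true, now+365*24*3600)
	siteA, siteB := NewVerifier(issuerPub, "site-a.example", 30), NewVerifier(issuerPub, "site-b.example", 30)
	p := Present(holderPriv, cred, "site-a.example", siteA.NewNonce(), now)
	return []error{
		siteA.Verify(p, now), // 1. legitimate holder
		siteA.Verify(p, now), // 2. same presentation posted online and replayed
		siteB.Verify(p, now), // 3. replayed at a different site
		siteA.Verify(Present(holderPriv, cred, "site-a.example", siteA.NewNonce(), now), now+31), // 4. after the window
		siteA.Verify(Present(thiefPriv, cred, "site-a.example", siteA.NewNonce(), now), now),    // 5. copied credential, no key
	}
}

func main() { fmt.Println(Scenario()) }
```

Only the first case is accepted. A leaked presentation is useless at another site (audience mismatch), useless a second time at the same site (nonce consumed), useless after the window, and a leaked credential without the private key fails the possession check. What this does not solve is the threat the thread also raises: a holder who willingly lends their device and PIN, or whose key is extracted, can still vouch for others, which is where the issuer-side rate limiting and key revocation come in.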
One thing all the crypto coins show is that a central authority has its uses. What if you want to fix a bug in the protocol or upgrade it? What if due to some mistake you are identified as underage when you are over, or over when you are underage? There's nobody to reach out to.
A zero-trust protocol or computer system is all well and good, for some uses at least. A zero-trust society will not work. Or at least it will be significantly worse than societies with trust.
There are definitely components from the cryptocoin realm that could be repurposed in trust based systems.
zk proofs could be used to solve this problem.
- Govt runs a zk-prove-ident service
- User goes to PH and starts the verification process
- PH does proof with Govt, this could be anonymous
Ideally the user's keys are part of their ID, if you lose your ID, you can get a new one. It's still a permissioned system, so no miners/stakers needed, we can make it possible to change/replace keys behind the scenes so the UX for the common people does not amount to "lose your keys, lose your money"
Someone would have to gather that data. It's not like a password that can be detached from physical reality. Your date of birth is somewhat inherent to your identity.
Setting aside the feasibility of an amendment and whether an administration would follow it, even just the ability to say yea or nay to anyone accessing information is chilling.
The government is not saying yea or nay, they are just providing proof of age or identity (not necessarily both, whatever the vendor website asks for, and the person allows).
Suppose I want to start a business where I don’t want the liability of having to deal with all the laws about minors. Then I can use the government API to only allow people over whatever age.
That's the intent of course, but it's just as easy to refuse to verify age for certain endpoints or provide incorrect verification. I'm trying to think how an authoritarian government would use this.
Any government can become authoritarian and start messing things up anytime. It's not like an identity/age verification API is cutting edge technology; any group in power that wants to use it can use it now or anytime in the future.
That is not a reason for the government to not do something. We entrust them with nuclear weapons and aircraft carriers. Not to mention Snowden already proved the government has back doors into all the big tech companies, so it’s already not a secret who is visiting what website. And FISA courts and secret warrants under gag order and blah blah.
Whether that solves it just depends on who you're worried about having your data. Something like OpenID would keep your identifying data away from PornHub but it would allow the OpenID provider to know when you visit PornHub.
For PornHub that also gives other companies, the OpenID providers, the power to censor PornHub by refusing to verify age or identity.
I dare say this would actually be even more harmful than Pornhub holding people's IDs, as it would then give OpenID immense power to track not only the fact that you watch porn, but also what other services you use as well...
That's my main gripe with OAuth and SSO logins. It's such an obvious tradeoff between convenience and centralizing power.
I don't really want GitHub knowing everything I sign into, but in some cases like Tailscale my only option is to tell GitHub about it or not use Tailscale.
Verifiable Credentials can be used in place of OpenID to allow a user to make verifiable attestations about themselves without the authority having to be present.
It would still have many of the same flaws as OpenID, but at least your accessing a site wouldn't notify the authority.
1. Introduce an X-PEGI HTTP header that sites can use to change the content. This would also be useful for other contexts such as cybercafes and whatnot.
2. Mandate that porn websites abide by these headers.
3. Have responsible parents lock their children's computers and add the appropriate header.
The adults then have access to the adult internet with no extra restrictions.
Yes. Apple has the tech already with their digital driver's license initiative. It's probably more secure at stopping kids from accessing porn because it involves the on device FaceID authentication of the ID holder and could be verified and attested to each session vs just punching in a DL or CC number.
We need only look at... (checks notes) every other profit driven company (that's all of them) to see how this will go when quarterly earnings are flat and/or falling.
You can either have a zero knowledge system where the tokens are immediately compromised and widely shared that provides no authentication whatsoever, or you can have a system that has the ability to revoke compromised tokens that is not zero knowledge.
Or as we are likely to get, you can have a system that is both easily compromised and does not have zero knowledge, and the age verification industry is simply engaged in industrial scale lying to try and get themselves written into law...
The problem is that authority would be central, and that authority would know who you are. I think the questioner was looking for solutions that have no authority. Least of all centralized authority.
The problem will probably be adoption by services. It's a lot more tempting to get more information than just age, if you go through the hassle in the first place.
It's the whole of the EU, it's the new EU ID card standard, with biometrics and NFC on the card itself.
I'm not aware of any large scale user implementations of the protocol though (people have been getting compatible ID cards for years, but I don't know any software that uses them outside of probably cigarette vending machines in Spain). Do you know any?
> I'm not aware of any large scale user implementations of the protocol though (people have been getting compatible ID cards for years, but I don't know any software that uses them outside of probably cigarette vending machines in Spain). Do you know any?
I don't know if that's what you're talking about but, in Belgium for example, to file taxes online and to do various other types of pointless administrivia you must use your EID card, which you put in an EID card reader (typically connected by USB).
Now the EU-wide biometrics, a sheer horror (the EU court of justice ruled that the biometrics data can be used for other uses and stored in databases outside the card... although at first it was supposed to be private), isn't implemented all around the EU yet.
My EID card was issued in 2016 and is valid until 2026 and definitely doesn't have any biometric data in it. I don't know if the system will already be in place in 2026 when I'll have to renew it for another ten years.
My point being: biometrics and NFC are probably not present on a lot of EU citizens' ID cards... Yet. So, atm, it probably doesn't make much economic sense to support that system for random use cases like selling cigarettes or alcohol.
Filing my taxes is the only thing I use my EID for.
Then there are some EU countries using their own "2FA" authentication system for anything "government related" (taxes, car registration, company filings, banks login, social security, etc.), complete with physical devices, phone apps, webapps, etc. which aren't using the EU EID at all. Basically: an entire ID system, using 2FA, but bypassing the EID entirely.
I'd say overall it's still pretty much the wild west.
If your EID card has a photo on it, it has biometrics. The biometrics are the photo and fingerprints (if your country required them). The fingerprints are not accessible to terminals without a government certificate on them, but the photo can be read trivially. You can download one of many apps (ReadID or Regula Forensics are good options) to see what's on the card.
The standard is ICAO 8303 for how the data structures work. It's the same as ePassports. EU cards implement EAC for the fingerprints, which has a whole mutual auth PKI system.