> Is there a way to prove your age without being identified/logging in?
This comes up every time, but the purpose of the identity check is to ascertain (to the extent possible) that the person logging in is the person whose age you’re verifying.
If you completely separate identity from age checking using some cryptographic method, the loophole is that a single identity token with an adult age can now be used by everyone, everywhere to tell websites that they are above a certain age. So as soon as you did that, someone would just share (or steal) a token of valid age and post it online for everyone to use. Entire system subverted.
You could try to use a 3rd-party service that handles age check functions and implements some level of rate limiting to prevent this, but then you’re trusting that party to know about all of the porn websites and other places the person is trying to log in to. If that 3rd party is the government, well you’ve just created a convenient place for the government to collect stats about people logging in to porn websites.
> If you completely separate identity from age checking using some cryptographic method, the loophole is that a single identity token with an adult age can now be used by everyone, everywhere to tell websites that they are above a certain age
There are two counter techniques used to address that problem. Tokens can get time limited down to a number of seconds (10-30?), and a single token is only valid for one session at a given website (assuming the website honors those restrictions on their side).
In addition, token providers may rate limit how many tokens a person may generate, and the application that requests tokens may require a bit of work from the user (like typing a PIN). Any person who needs to do more age verification could be required to contact customer support to unlock such features, which also means the provider can keep a closer eye on accounts that generate tokens in strange or abnormal patterns. Depending on how the market for identity providers is, different providers may provide different services and different levels of authentication.
In Sweden currently we are in a situation where there are multiple competing identity providers. They have to follow a certain certification, but the exact details of the technology vary a lot. There is a bit of talk to make those an open standard, including defining exactly what information the provider and the recipient should get. There is also the hope that the user application could be made generic, so switching/choosing provider becomes easy.
The problem with the technology in terms of privacy is not so much in the protocols or cryptographic methods, but rather a social one. You cannot create a fair identification system if all it does is ID control for porn sites, just as one cannot create a VPN if all it can access is porn sites.
Most systems would require you to anonymously prove ownership of the credential, not have an unchanging bearer token.
So yes, you could steal the private key I guess. But that is no worse than if you have to prove your identity; someone could get your password to your account.
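The restrictions described in the replies above (a lifetime of seconds, validity for one session at one website), as an added sketch that is not part of the thread and not any provider's actual protocol. HMAC with a shared key stands in for the issuer's public-key signature so the code runs on the standard library alone; `binding`, `issue_token`, `SiteVerifier` and the claim names are hypothetical, and the proof of key ownership mentioned in the last reply is not covered.

```python
import base64, hashlib, hmac, json, secrets

ISSUER_KEY = secrets.token_bytes(32)  # constructed; HMAC stands in for a real signature
TTL_SECONDS = 30                      # lifetime taken from the 10-30 s range in the thread

def binding(site, session_nonce):
    # Computed by the user's app, so the issuer sees a hash and not the site name.
    # Assumption: session_nonce is a fresh random value handed out by the site.
    return hashlib.sha256(f"{site}|{session_nonce}".encode()).hexdigest()

def issue_token(bind, now):
    # Issuer side: an age claim only, no identity fields.
    claims = {"over18": True, "bind": bind, "exp": now + TTL_SECONDS,
              "jti": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    tag = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

class SiteVerifier:
    def __init__(self, site):
        self.site = site
        self.redeemed = set()  # token ids already accepted by this site

    def check(self, token, session_nonce, now):
        try:
            body, tag = token.split(".")
        except ValueError:
            return "malformed"
        expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "bad signature"
        claims = json.loads(base64.urlsafe_b64decode(body))
        if now >= claims["exp"]:
            return "expired"
        if claims["bind"] != binding(self.site, session_nonce):
            return "wrong site or session"  # token copied from somewhere else
        if claims["jti"] in self.redeemed:
            return "replayed"
        self.redeemed.add(claims["jti"])
        return "ok"
```

A token that is posted online fails one of these checks at any site or session other than the one it was minted for, and fails everywhere once `TTL_SECONDS` has passed.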