[HN Gopher] "Privacy preserving age verification" is bullshit
___________________________________________________________________
"Privacy preserving age verification" is bullshit
Author : Refreeze5224
Score : 193 points
Date : 2025-08-14 17:40 UTC (5 hours ago)
(HTM) web link (pluralistic.net)
(TXT) w3m dump (pluralistic.net)
| RajT88 wrote:
| Also, water wet.
| Muromec wrote:
| I'm confused. Author puts crypto backdoors and IDP with ZKP into
| the same bucket and calls it "nerding harder". But why? You can
| have identity provider, several European countries do and you can
| have subcredentials. You literally can nerd harder here.
|
| Sure, there is a strong ideological argument why you should not
| have strong identities required in the internet in general (or
| even in offline) and on porn sites specifically, but the argument
| is not technical.
| thyristan wrote:
| But it is. In those European countries, IDPs and certification
| authorities are one and the same entity. So the technical
| requirement of privacy evaporates, the government will always
| know who is proving their age to which porn site.
| therein wrote:
| I don't know why you are downvoted. And even more
| disappointingly, it is interesting how easily people overlook
| the fact that this is happening in lockstep across the globe,
| obviously the goal is to deanonymize the internet.
|
| I can't wait for the next generation that will enjoy "nerding
| out" on how to best patrol every neighborhood with drones.
|
| Let's put NFC tags on everyone at birth, we can then nerd out
| harder.
| ivan_gammel wrote:
| That's easy to fix. The IdP and the checking service do not
| have to be the same. The checking service can be a 3rd party
| that works with IdP verifying facts on behalf of regulated
| services like porn sites. The job of IdP is to certify the
| facts and do KYC for checkers to ensure they don't cheat. The
| regulated service can ask customer which checker do they use
| and then ask the checker. The customer may have a long term
| relationship with preferred checker on a market where
| multiple checkers exist and reputation matters for being
| competitive. This way checker is incentivized to maintain
| privacy and does not have conflicts of interest like the
| government. Government agencies can still investigate
| customers but they will need a court order to get the data
| from checkers.
| crote wrote:
| And how is the general public supposed to verify that the
| IdP and checking service aren't collaborating? If it is
| _possible_ for a checking service to create a log, given
| how Big Tech has been treating user data, how can we ever
| trust that they _aren't_ logging everyone's data?
|
| Reputation is irrelevant. Everyone is trustworthy - until
| they are not. The dark web is filled with data leaks from
| reputable parties.
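Added example, not part of the thread or of any system the commenters describe: the log-collusion concern raised above, reduced to the token values an issuer (IdP) and a site each record. Blind RSA signatures are a swapped-in technique chosen here for illustration; the toy key, the identities and the site names are constructed.

```python
import hashlib
import secrets
from math import gcd

# Toy issuer key: textbook RSA over two Mersenne primes. Constructed for
# illustration only; far too small and unpadded for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent


def digest(token: bytes) -> int:
    """Hash a token serial into the RSA group."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


def site_accepts(token: bytes, sig: int) -> bool:
    """Verifier check: is sig the issuer's signature over this token?"""
    return pow(sig, E, N) == digest(token)


def bearer_flow(identity, site, issuer_log, site_log) -> bool:
    """Issuer creates and signs the token, so it sees what the site sees."""
    token = secrets.token_bytes(16)
    sig = pow(digest(token), D, N)
    issuer_log.append((identity, {digest(token), sig}))
    ok = site_accepts(token, sig)
    site_log.append((site, {digest(token), sig}))
    return ok


def blinded_flow(identity, site, issuer_log, site_log) -> bool:
    """User creates the token and hides it from the issuer before signing."""
    token = secrets.token_bytes(16)           # never sent to the issuer
    while True:
        r = secrets.randbelow(N - 2) + 2      # blinding factor in [2, N-1]
        if gcd(r, N) == 1:
            break
    blinded = (digest(token) * pow(r, E, N)) % N
    blind_sig = pow(blinded, D, N)            # issuer signs a value it cannot read
    issuer_log.append((identity, {blinded, blind_sig}))
    sig = (blind_sig * pow(r, -1, N)) % N     # user strips the blinding factor
    ok = site_accepts(token, sig)
    site_log.append((site, {digest(token), sig}))
    return ok


def correlate(issuer_log, site_log):
    """What colluding operators, or one leak of both logs, can join."""
    return sorted((who, site)
                  for who, seen_by_issuer in issuer_log
                  for site, seen_by_site in site_log
                  if seen_by_issuer & seen_by_site)


def demo():
    users = ["alice", "bob", "carol"]         # constructed identities
    results = {}
    for name, flow in (("bearer", bearer_flow), ("blinded", blinded_flow)):
        issuer_log, site_log = [], []
        accepted = all([flow(u, f"site-{i}.example", issuer_log, site_log)
                        for i, u in enumerate(users)])
        results[name] = (accepted, correlate(issuer_log, site_log))
    return results


if __name__ == "__main__":
    for name, (accepted, links) in demo().items():
        print(name, "all accepted:", accepted, "linked:", links)
```

The join here is on token values only; timing, IP addresses and the browser fingerprinting raised elsewhere in the thread are separate correlation channels that blinding does not touch.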
| torginus wrote:
| These 'anonymity' technologies are laughably worthless - sure
| ZKP might provide mathematical proof that it's impossible to
| find out who the subject is, but embed a tracking cookie and
| fingerprinting script into both the porn site, and the online
| grocery - and there you go, you have irrefutable cryptographic
| evidence of how John Doe likes to spend his evenings.
| ivan_gammel wrote:
| As soon as fingerprinting becomes criminal offense, this will
| end quickly. Nobody big enough is going to risk that.
| Hamuko wrote:
| Isn't it basically illegal under the GDPR? You're not
| allowed to just collect data for the hell of it and need
| actual consent.
| torginus wrote:
| The GDPR is a fucking joke even on the best of days.
|
| If other laws were like it, they would be like: You're
| not allowed to steal (unless you really need to), but if
| you do, take as little as you can (as determined by you),
| and you have to give it back as soon as you can (again,
| according to you), and if the person you stole from wants
| it back, you have to (unless you have a good reason not
| to)
| tzs wrote:
| The porn site and the grocery can already embed a tracking
| cookie and do fingerprinting to match their visitors.
| JanisErdmanis wrote:
| How would setting up a primary credential with an identity
| provider differ from the process of registering to vote for USA
| citizens? All the discrimination opportunities and accountability
| issues seem to apply equally there.
| lmz wrote:
| The same people who argue this will also argue that voter ID
| rules are discriminatory.
| sltkr wrote:
| Are the laws that require you to show ID to buy alcohol,
| tobacco, fire arms, or gamble in casinos also discriminatory?
| Or is it only discriminatory when you prevent people without
| IDs from watching porn?
| mattnewton wrote:
| The definition of Porn by the state can change to include
| things that some people consider protected by the first
| amendment - right now there are a lot of state politicians
| or members of the house on record supporting classifying
| discussion of LGBTQ lifestyles as pornography for example.
|
| I think alcohol, tobacco and gambling here are mostly
| irrelevant, but the firearms is a better example because of
| the second amendment, where you have a clash between a very
| old right granted by the bill of rights clashing with
| modern society's beliefs.
| 9rx wrote:
| _> Are the laws that require you to show ID to buy alcohol,
| tobacco, fire arms, or gamble in casinos also
| discriminatory?_
|
| So long as it is done for a legitimate purpose and in good
| faith, generally no. As such, IDs are only expected where
| there is reasonable suspicion of possible violation. For
| example, there is no onus, with a few exceptions, to see an
| elderly person's ID to buy alcohol when there is no reason
| to think that they aren't below the minimum age.
|
| The exceptions haven't really been tested. It very well
| could be found discriminatory, and you could make a pretty
| good case that it is. Which is ultimately the same case
| being made earlier. Asking a no-question-about-it 50 year
| old to provide his ID to watch porn isn't really in good
| faith, is it?
| mattnewton wrote:
| Voter ID laws actually have a long history of being used for
| disenfranchisement of certain classes in the US (most notably
| former slaves and their descendants, but also women), so it's
| understandable there is scar tissue there. It gives the
| incumbent state another lever of power in our very close
| first-past-the-post winner-take-all elections. Americans
| don't need imagination to see how it could be abused, just a
| good history book.
| crote wrote:
| The problem with voter ID laws has rarely been with the ID
| itself. Very few people would have issue with a voter ID law
| which also guarantees that 100% of the population can easily
| obtain said ID at zero cost.
|
| The issue is that those laws are usually linked to _very
| specific_ forms of ID, which _just so happen_ to be easily
| available to certain demographic groups.
|
| Imagine a voter ID law where the only acceptable form of ID
| would cost $50.000 to purchase. Would you consider that fair
| and nondiscriminatory? What if you could only get the ID on
| the third Tuesday of the month, between 14:00 and 14:30, at a
| single location in the entire state? What if the ID required
| you to pass a certain kind of test, judged arbitrarily by a
| government official?
| Seattle3503 wrote:
| I agree "ensuring everyone has ID" is a separate problem that
| we should absolutely be trying to tackle. We are already seeing
| people struggle with it absent any new ID schemes, eg in the
| case of trying to get access to banking. You can already get ID
| at a post office, maybe we should add other government
| facilities such as libraries.
| JoshTriplett wrote:
| That's absolutely true, and orthogonal to the problem that
| you shouldn't need to identify yourself to anyone in order to
| access arbitrary websites.
| Seattle3503 wrote:
| I don't think that's the proposal. The proposal is that you
| prove to websites that you are over 18 to see adult
| content.
| JoshTriplett wrote:
| "adult content" is the boogeyman, to try to make this
| harder to argue against. The actual net result is
| shutting down a wide variety of websites and making
| people identify themselves (to paid identity providers
| _conveniently provided_ by those who lobbied for this
| legislation) in order to access others, including Reddit,
| Discord, etc.
|
| _You should not need to identify yourself to access
| arbitrary websites, either to the website or to some
| third party._
| sltkr wrote:
| The "not everyone has an ID!" argument is such an American
| perspective. The vast majority of world citizens live in
| countries that require you to have some form of government ID
| anyway:
|
| https://en.wikipedia.org/wiki/List_of_national_identity_card...
|
| It seems pretty reasonable to leverage this into online
| identification.
|
| In fact, online ID is already used in the European Union for
| popular initiatives (see, e.g.,
| https://www.stopkillinggames.com/ ) and nobody seems to think
| this is "bullshit" or infeasible or any of the concerns that
| are lobbed at the age verification requirements.
| lmz wrote:
| It's more accurately a very Anglo perspective. The US, UK,
| AU, NZ, CA all do not have national ID cards.
| nemomarx wrote:
| if you had to register to vote to use Reddit or whatever people
| would complain about that constantly. and voter id laws are in
| fact controversial yes.
| charcircuit wrote:
| >politicians all over the world demanded a kind of impossible
| encryption
|
| It's not impossible to design a cryptographic system where law
| enforcement is a party within it. The false dichotomy of
| encrypted or not encrypted in my opinion is used to shut down the
| conversation since it's easy to argue why no encryption is bad.
| It's a strawman.
| thyristan wrote:
| Then please prove the possibility by doing so.
|
| Up to now, there has only been intense wishful thinking by
| politicians, and strong "NOPE" by anyone with any kind of
| knowledge about cryptography. Either really everyone, including
| the likes of NSA, CIA and other spy services don't actually
| employ top cryptographers. Or they repeatedly tried and failed
| miserably. Or really nobody, including the spies, wants
| backdoored NOBUS encryption.
| loglog wrote:
| NSA does probably want it, and did probably standardize at
| least one such scheme in the past: Dual_EC_DRBG.
| JoshTriplett wrote:
| It's impossible to design a cryptographic system that does end-
| to-end encryption and has a backdoor that can never be misused.
| No technical solution will address the fact that it's failing
| at its one job.
| jgeada wrote:
| That is a bad faith argument.
|
| As soon as there is another untrusted party in the encryption,
| and in particular a party with a "skeleton key" that can decrypt
| anybody's message, then your encrypted communications are
| merely one leak away from being decoded by everybody else.
| aaronmdjones wrote:
| If there's one thing you can trust a government to do, it's
| to not be able to keep secrets for very long.
|
| https://www.vice.com/en/article/hackers-published-replicas-a...
| charcircuit wrote:
| You can do things like require the service to verify that the
| court order is valid before they gain the capability to
| decrypt a subset of messages that the court order allows them
| to see. There doesn't have to be a skeleton key.
| jgeada wrote:
| Right, just "nerd harder".
|
| The mathematics of encryption just doesn't play that way.
| crote wrote:
| What is the mathematical formula for a valid court order?
| How does it look different from a court order signed by a
| judge held at gunpoint? How does it look different from a
| court order signed by a dictator's minion? How does it
| prevent someone from tricking a judge into signing an order
| to decrypt message 2421425241 instead of 2421475241? What
| is stopping the service from accepting invalid court
| orders? What is stopping the service from just decrypting
| _everything_ for convenience?
| charcircuit wrote:
| >What is the mathematical formula for a valid court
| order?
|
| This is a political / social issue. A human has to
| decide.
|
| >How does it look different from a court order signed by
| a judge held at gunpoint?
|
| It doesn't. You could similarly hold developers at
| gunpoint to push malicious updates too or at users to give
| them their messages. Putting people at gunpoint is
| illegal.
|
| >How does it look different from a court order signed by
| a dictator's minion?
|
| Judges could have their own private key so it would be
| noticeable that the minion's private key would not be
| trusted.
|
| >How does it prevent someone from tricking a judge into
| signing an order to decrypt message 2421425241 instead of
| 2421475241?
|
| It doesn't. This is solved by laws that make such an
| action illegal to do
|
| >What is stopping the service from accepting invalid
| court orders?
|
| They want to protect the privacy of their users so they
| should reject invalid court orders.
|
| >What is stopping the service from just decrypting
| everything for convenience?
|
| They would not have the keys LE has. So it could be set up
| such that LE's keys are required to decrypt something.
| layer8 wrote:
| The argument regarding general use of encryption for
| communication is that (a) law enforcement private keys would
| leak sooner or later, suddenly exposing everyone's past
| communication, and that (b) criminals would just use
| "forbidden" encryption ("if _x_ is outlawed, only outlaws will
| use _x_").
| charcircuit wrote:
| (a) LE keys don't have to be all powerful. It can require
| actions from other parties such as the company that is
| running the chat or a judge. It can limit the scope of who or
| what messages can be decrypted.
|
| (b) Perfect is the enemy of good. Smaller services won't have
| the same utility and network effects of large ones.
| crooked-v wrote:
| If you include law enforcement by default, the system becomes
| completely insecure literally the first time an agent is
| corrupt, lazy, or just gets access stolen from them.
| charcircuit wrote:
| You can design it such that a single agent isn't able to
| decrypt anything. You can also do things like limiting the
| number of decrypted messages per period of time and more.
| Seattle3503 wrote:
| To me it seems like Cory Doctorow is demanding perfection, and
| saying that because we can't achieve perfection in age
| verification, we can't do age verification at all. That isn't
| going to stop people from trying, and we will end up with a worse
| system overall. IMO this is a common pitfall of techno-idealists.
|
| Technologies like the mdl standard [1] can attest to age without
| revealing the user's identity.
|
| As Cory points out, it's still possible for kids to swipe someone's
| ID and use that. There are probably practical solutions that are
| good enough. Android, iOS, and parents could work together to
| deal with the problem of stolen IDs. If mdl is implemented on
| devices such that they are managed by the device OS, that would
| lead to auditability. Parents can ask their child to see their
| phone's ID app, which will show full roster of IDs on the child's
| device. If a parent sees an ID that shouldn't be there, they can
| have a conversation about it. In this way the law would be about
| empowering parents to shape their child's online experience. This
| is just a straw-man example solution, but there may be better
| ones.
|
| The other objections I saw could be worked through in a similarly
| pragmatic fashion.
|
| This is probably going to be good enough for most folks, and it's
| probably a good thing to keep children away from pornography and
| such. And IMO coming up with a "good enough" solution will flush
| out all the bad actors who are hiding behind the excuse of "save
| the children" when really they want to build up a record of
| everyone's browsing history. But by denying any solution to a
| real problem, we let the bad actors hide amongst the well-
| intentioned folks who are trying to do the right thing.
|
| [1] https://en.wikipedia.org/wiki/Mobile_driver%27s_license
| 2OEH8eoCRo0 wrote:
| All the govt needs to do is send fines to offenders and the
| industry will be forced to implement one or more solutions.
|
| The govt doesn't care _how_ you verify age only that you don't
| sell to minors.
| wmf wrote:
| Experience with GDPR and DSA shows that the fines lag years
| behind the abuses.
| crote wrote:
| And how well has this worked in practice? How would you even
| identify violations, if you're not requiring websites to
| store the user's real-world identity?
|
| Large websites do not care even the _slightest_ bit about how
| accurate the verification method is. They have zero incentive
| to genuinely get rid of underage users. If anything, they
| want to keep them - they are prime advertising real estate!
| Websites have every incentive to implement the age check in
| the cheapest and most half-baked way possible. As long as
| they are able to prove _on paper_ that they are doing _some_
| form of age verification, they have met their requirements.
| Got a 90% false positive rate? Working as intended!
|
| The only people getting fines are the small websites who
| can't afford to pay a 3rd party verification service. This'll
| shut down your local hobbyist communities, which only drives
| more visitors to the large megacorp websites.
| gjsman-1000 wrote:
| > common pitfall of techno-idealists
|
| Common pitfall? It's why these techno-idealists are loudmouthed
| on the internet, but don't get respect anywhere politically. If
| you want to gain ground politically, you need to at least
| acknowledge what the problem is, or is perceived to be, and
| offer a real solution. "Nope we can't do that because of this
| 0.1% edge case" doesn't qualify. "Apple should just dump all
| schematics online regardless of what China might do" doesn't
| qualify. "The internet is great as it is, and your political
| concerns are invalid" doesn't qualify.
| Seattle3503 wrote:
| Yeah, it feels like a junior engineer fresh out their
| undergrad algorithms course. The business isn't going to
| grind to a halt and wait until you build the perfect
| solution.
| gjsman-1000 wrote:
| Let's take the pornography argument for example.
|
| Regardless of whether pornography is, or should be legal,
| _average exposure is now 11 years old._ That's average,
| many kids are even younger.
|
| If this even prevents 95% of kids from accessing
| pornography until they're 15 and get a debit card to buy a
| VPN, that's a win in the eyes of most parents and
| legislators. It doesn't need to be perfect, or even
| perfectly force you to be 18, to get the primary job done.
| Pointing to "a 16 year old can get around it with a VPN" is
| missing the point. It's not a surprise why that argument
| falls on deaf ears.
|
| Or, another one, "just use parental controls," _have you
| even tried this?_ Almost all parental controls are
| horrifically buggy, full of loopholes, and these kids can
| just borrow each other's technology. Apple's parental
| controls predate HTML5 (literally, HTML 4.01) and regularly
| don't work, sometimes even by their own admission. It also
| forces the parent to be in the role of a tech expert fluent
| in Microsoft, Apple, Google, Nintendo, and other products
| all at once. You might as well get CompTIA certified. That
| argument also falls on deaf ears.
| idle_zealot wrote:
| > Apple's parental controls predate HTML5 (literally,
| XHTML 4.01) and regularly don't work, sometimes even by
| their own admission. It also forces the parent to be in
| the role of a tech expert. That argument also falls on
| deaf ears.
|
| The solution, then, ought to be to pass a law requiring
| some sort of standardized parental controls that allow
| trivial set-and-forget management. Require device
| manufacturers/software distributors to sort out a "child
| mode" switch you can flip upon device initialization, in-
| your-face and unmissable, and then have apps/webpages be
| able to see whether the device reports it's in child
| mode. Does this not solve the "prevents 95% of kids from
| accessing pornography" threshold of effectiveness while
| being infinitely less invasive?
| gjsman-1000 wrote:
| It's a better argument, and would gain more political
| ground, than _do nothing._
|
| However, there's one major problem: Most families aren't
| actually using the multi-user capabilities of their
| devices. Many devices, like iPads or iPhones, just don't
| support multi-user at all.
|
| The result? Either parents are tech experts again, or
| have deep pockets to get everyone a device, or you're
| going to have a bunch of kids logged in as their parents
| on their devices (as is already the case). Of course,
| that defeats the policy goal. That's a non-starter,
| unless we agreed that a device manufacturer could force a
| biometric check when accessing an age-verified device
| account.
|
| Nobody has proposed such a thing; but if there was a good
| way of making sure that the age-verified user _is the
| actual person_ engaging with the age-verified account,
| then we might have progress in that direction.
|
| Personally though, I would really prefer to not have the
| government get any ideas whatsoever about dictating
| firmware or OS security or OS parental control
| requirements. Do you _really_ want your Linux
| distribution mandated to implement an age check firmware
| with phoning home requirements to a government parental
| control server?
| wvenable wrote:
| That's not a _major_ problem. Also, how does age
| verification fix things in that scenario if a child is
| using their parent's device?
|
| If a parent can't be bothered to pin-lock their device or
| flip it into child mode then there is no technological
| solution. Now you're the one looking for the perfect
| solution that doesn't exist.
| gjsman-1000 wrote:
| > Also, how does age verification fix things in that
| scenario if a child is using their parent's device
|
| Because the age is verified at the time of access;
| instead of once during initial setup. Odds are that the
| former will catch far more flies than the latter.
|
| Your employer probably does the same. Do they have you
| log in once when you set up your laptop, then comfortably
| happily say it's you for the next three years; or do they
| have you sign in every morning?
| wvenable wrote:
| > Because the age is verified at the time of access;
| instead of once during initial setup.
|
| Is that really how it works? Every single time you visit
| any website on the Internet or launch any app it's going
| to age ID you? I don't think that's right. You validate
| your account and then you login and you're good. If
| someone else uses your account, they are you.
|
| And as you said, people share devices but it's also
| usually one account per app per device. You have to go
| out of your way to sign out of each individual app or
| website.
| crote wrote:
| > You validate your account and then you login and you're
| good.
|
| ... which doesn't work, because it'll quickly lead to an
| enterprising 18-year-old highschooler selling pre-
| verified porn website accounts for $10.
| thewebguyd wrote:
| > Require device manufacturers/software distributors to
| sort out a "child mode" switch you can flip upon device
| initialization, in-your-face and unmissable, and then
| have apps/webpages be able to see whether the device
| reports it's in child mode.
|
| Wouldn't even need to develop anything new for this
| outside of a simplified UI over an MDM. Devices already
| support an incredible amount of monitoring and control,
| even iDevices, via MDMs.
|
| But MDMs are for now only business/enterprise products,
| and are priced as such.
|
| Makes me wonder if there's a market there for someone to
| just package up a consumer-focused, dead simple to use
| MDM. Enroll with QR code, set up some default policies,
| etc.
| wvenable wrote:
| > Regardless of whether pornography is, or should be
| legal, average exposure is now 11 years old.
|
| You make it sound like historically it was much later but
| actually even in the 1980s 11 years old was common. In
| fact, that matches my own personal experience from that
| era.
|
| > Or, another one, "just use parental controls," have you
| even tried this?
|
| Parental Controls is the right answer but absolutely
| agree that parental controls suck. As a parent, I'd love
| just any level of better control. I don't even care if I
| have different controls per manufacturer as long as they're
| pretty complete and capable.
|
| If the EU can mandate USB-C, they can mandate all
| technologies include powerful and capable parental
| controls.
|
| There is no need for age verification -- parents know how
| old their children are. Parents are providing children
| with the devices and often the means of connectivity as
| well. This is and has always been a parenting problem. If
| the government wants to assist parents, I'm all for that.
| But age verification is not the answer.
| gjsman-1000 wrote:
| > mandate all technologies include powerful and capable
| parental controls
|
| That is, until Linux is also forced to come into
| compliance with said parental control standard, complete
| with all centralized reporting and remote restriction
| capabilities.
|
| > This is and has always been a parenting problem.
|
| What do governments do when everyone has the same
| parenting problem? Listen to industry idealists, like
| those who would call teenage smoking a "parenting
| problem," or crack down?
| wvenable wrote:
| > That is, until Linux is also forced to come into
| compliance with said parental control standard, complete
| with all centralized reporting and remote restriction
| capabilities.
|
| Linux is fine. Someone can build the ultimately perfect
| parental control software for Linux and I'll use it. The
| same cannot be said for Windows, Android, or iOS -- third
| party system cannot exist for those platforms that are
| sufficient unless they're made by Microsoft, Google, or
| Apple respectively. Perhaps we just have to mandate an
| open standard. In fact, I would prefer that.
|
| > What do governments do when everyone has the same
| parenting problem?
|
| The wrong thing. Always.
| crote wrote:
| > Linux is fine. Someone can build the ultimately perfect
| parental control software for Linux and I'll use it.
|
| You can't build a perfectly secure system and still
| respect the user's freedom. The perfect parental control
| system is _by definition_ also going to be the ultimate
| rootkit - or else you'd just boot your own kernel which
| perfectly fakes the parental controls.
|
| In such a world you wouldn't be allowed to build your own
| OS, only boot a pre-approved image. The Linux community
| is not exactly likely to participate in this.
| wvenable wrote:
| No solution is perfect but we already have secure boot.
| It doesn't even have to mandate some pre-approved image;
| it just has to be an image that _I_ approve and lock.
| This is already a well solved problem for corporate
| environments.
|
| You miss the point. _I_ want all the power. Let me
| install and configure a Linux image of any sort and then
| lock it down. _I am root_. My kid is a mere user.
|
| There is nothing terribly difficult or even controversial
| about that.
| Hizonner wrote:
| > Almost all parental controls are horrifically buggy,
| full of loopholes, and these kids can just borrow each
| other's technology.
|
| ... and the centrally imposed, one-size-fits-all,
| politics-first age verification system you want will of
| course be free of bugs, loopholes, opportunities to
| borrow devices, or whatever.
|
| That's good, since you want to apply it to every single
| person on the Internet.
| AllegedAlec wrote:
| > If you want to gain ground politically, you need to at
| least acknowledge what the problem is, or is perceived to be,
| and offer a real solution.
|
| Why? If you do not believe it is a problem that's just like
| apologizing when you haven't done anything wrong.
| Barrin92 wrote:
| if you, like Cory Doctorow, are an activist there's two
| options. One you scream from a soapbox with no regard for
| what other people think in which case it's evident you're
| doing it for self-aggrandizement and attention, or you take
| into account what the sensibilities and problems are of the
| people you try to convince and work within that frame of
| reference.
|
| If you're campaigning for technological and/or political
| change you're in the business of changing people's minds and
| if that doesn't matter to you, you've chosen an odd way to
| spend your time.
| Hizonner wrote:
| I think all members of your ethnic group are inferior and
| dangerous (if you identify with more than one ethnic
| group, pick one). I'm calling for legislation mandating
| that you all be rounded up and put in camps.
|
| If you want to argue against my proposal, please remember
| to stay within my frame of reference.
| wbl wrote:
| The MDL standard does not do what you think it does.
| thomassmith65 wrote:
| Yeah, it seems like Doctorow presents arguments that a good IDP
| system is _complicated_, but begins and concludes by saying
| it's _impossible_.
|
| It kinda seems the internet has real, longstanding problems
| stemming from the inability to verify anything about anything
| online. For the most blatant example, a website admin can never
| permanently ban a troll or criminal (they just sign up under a
| new name).
|
| It makes one wonder how Doctorow reconciles the internet as it
| is with his stand against adopting some kind of IDP system.
| philjohn wrote:
| They also get who actually passed the bill wrong - it was the
| last Conservative government.
| crote wrote:
| > To me it seems like Cory Doctorow is demanding perfection,
| and saying that because we can't achieve perfection in age
| verification, we can't do age verification at all.
|
| Not we _can't_, but we _shouldn't_. All the current solutions
| are _terrible_, and are either trivial to fool or mass
| surveillance machines. We shouldn't be stupid enough to go for
| either option because it'll either cost a fortune while giving
| us nothing, or cause immeasurable harm when the National Porn
| Viewing Database inevitably gets used to blackmail everyone.
|
| We're trying to (poorly) use technology to solve a social
| problem. If we can't figure out a way to do so using technology
| without significant downsides, then perhaps we shouldn't be
| using technology to solve the problem at all.
| dathinab wrote:
| > "Privacy preserving age verification" is bullshit
|
| it is possible if you accept that it only needs to be good enough
|
| - it's fully okay if it can be deceived in all kinds of ways
|
| - verifying only once per account is okay, if an adult passes
| their verified account to a child that's their responsibility
|
| - legally not just forbid but criminalize (with required prison
| sentence) the storing of any data except is adult yes/no from an
| age verification process
|
| - allow OS accounts to just tell applications (including
| websites) that "is 18", if an age verification was done in the
| account, also no signing or anything cryptographically, because
| again it's good enough no need to protect it against hacking, the
| main responsibility still lies with the parents
|
| so then you can do a single age verification per OS account,
| once, and be done with
|
| furthermore this verification could e.g. go through a process
| which might identify your identity but a) isn't allowed to pass
| anything but adult yes/no to anyone else b) isn't allowed to
| store that info c) on a storing it is a "criminal liability"
| level where a CTO ordering data collection would go to prison
|
| though if you live in a country where everyone has a passport
| with NFC chips (e.g. all of EU) just adding an "adult yes/no"
| function(1) to it + a transparent (open source, non profit) app
| per country to bridge it to accounts which need verification
| would do the job without needing the extra strict criminalize
| abuse part.
|
| Which brings us to the main problem:
|
| - requiring politicians to accept a "good enough" solution,
| accept that the main responsibility still lies with the parent
|
| - politicians not abusing it to spy on their population
|
| - make laws to prevent companies from abusing "age verification"
| to collect private data
|
| and that seems indeed impossible
|
| ---
|
| (1): Technically I think it does exist, somewhat in many passes
| already. But practically it's not viable as it (I think) discloses
| too much information and has too much issues wrt. integrating it
| (wrt. certificate nonsense)
| loglog wrote:
| No cryptographic verification is required for content blocking.
| Make it easy to set up a slightly locked down "child" account
| (e.g. one behind a MITM proxy that only lets through HTTP(S)
| and blocks some domains) by requiring it from every OS vendor.
| Label existing devices/software without it "18+".
| aktuel wrote:
| Not just age verification. The whole security circus is bs. Kids
| cannot go outside by themselves anymore. They have to wear
| helmets while being constantly monitored. None of it has brought
| us to a better place. Fuck it. Just fuck it.
| torginus wrote:
| The problem is not only that it's impossible to make cryptography
| that's only secure when the good guys use it, it's that once
| cryptography is made insecure, it's insecure for everyone,
| forever.
|
| I'm not a privacy hardliner, and I think the socially acceptable
| tradeoff between privacy and security has been well established
| before the computer era - if the police has a well-enough
| established suspicion against you - they can get a warrant and
| search your home. That's due process.
|
| I would accept if there was a digital version of that which
| targeted not the encryption itself (which could be as strong as
| possible) - but the endpoints, like smartphones and computers.
|
| Let's say police had a device which they could plug into your
| phone, which would send a specially signed message - a digital
| warrant, containing all the info a real warrant would - which be
| permanently be burned into the ROM of your phone, after which the
| phone would surrender its encryption keys, and the police could
| dump your unencrypted disk.
|
| The phone would be then presented as evidence at the trial, and
| not following due process would be a cause for mistrial, no
| matter what they find there.
|
| The general public would be safe in the knowledge that as long as
| the police isn't hauling them in, their secrets are safe, and the
| government would get the tools for what they claimed they wanted
| - a way to catch bad guys with digital tools.
| buzer wrote:
| > Let's say police had a device which they could plug into your
| phone, which would send a specially signed message - a digital
| warrant, containing all the info a real warrant would - which
| be permanently be burned into the ROM of your phone, after
| which the phone would surrender its encryption keys, and the
| police could dump your unencrypted disk.
|
| And when (not if) that device leaks whoever steals your phone
| will be able to get access to all of the things in there.
| torginus wrote:
| I'd imagine such devices would be very tightly controlled,
| being hard to access for civilians, and let's say limited to 1
| such device per 1m people (which would also give you an idea
| of what sort of frequency this is supposed to be used).
|
| The keys for every phone would be stored in a central repo,
| with a separate key for every phoneX every decryptor (which
| has its own private key). Meaning you'd need a device and the
| central repo to access users data.
|
| But let's say they manage to build a bootleg version, what
| would be the criminal gain for them? Reading the data doesn't
| mean they can impersonate you, as the device wouldn't give
| you access to private keys used for authentication (let's even
| say these are deleted), only encryption.
|
| The criminals could brick your phone and read your texts.
| There's only very niche cases when this would be worth it to
| them, like you're the subject of a highly targeted
| intelligence gathering op.
| JoshTriplett wrote:
| > The problem is not only that it's impossible to make
| cryptography that's only secure when the good guys use it, it's
| that once cryptography is made insecure, it's insecure for
| everyone, forever.
|
| Correct.
|
| > Let's say police had a device which they could plug into your
| phone, which would send a specially signed message - a digital
| warrant, containing all the info a real warrant would - which
| be permanently be burned into the ROM of your phone, after
| which the phone would surrender its encryption keys, and the
| police could dump your unencrypted disk.
|
| You are now advocating for making phones insecure for everyone,
| forever. No.
| mzhaase wrote:
| So in Germany we have an ID card with a PIN, NFC and a government
| app. Website owners can request to be able to use this feature.
| They then get a certificate from the government that has the
| fields they are allowed to request stored within it.
|
| Websites can request data from the user by sending that
| certificate, it opens the app, it shows you the categories of
| data to be sent, you hold your ID card to the phone, enter the
| PIN, and the certificate is uploaded to the ID card which
| verifies it. If it's valid, the ID sends back the data that is
| specified in the certificate.
|
| You then get presented with exactly the data that is going to be
| sent to the website. You can then agree or disagree. So far that
| is only used to log in to government websites.
|
| This way the government does not know which sites you visit, and
| you only send your age to the website.
| fabian2k wrote:
| It's even more restrictive than that, for age verification you
| only get back whether the person is above the age limit or not,
| it's a boolean response.
|
| So I think from that view the eID works pretty well, it
| provides the minimal necessary information. The bigger issue
| with something like this is if you use them to enforce real
| name policies or stuff like that.
| hsbauauvhabzb wrote:
| That still results in the government knowing you connected to
| that website though.
|
| Edit: unless there's a blind middleman that has tight data
| policies?
| number6 wrote:
| I think it does not know. The app is open source and it
| just sends the Boolean. The government just gives out the
| id cards - they are not involved in the verification
| process
| Hamuko wrote:
| I know the whitelabel EU app is open source but are the
| derivatives going to be? As far as I understand it, every
| EU country will release its own version of the app.
| raron wrote:
| Not really (as far as the website and the government
| don't collaborate and share information with each other).
|
| AFAIK the EU age verification app works by requesting a bunch
| of digitally signed "proof of age" tokens (openid
| verifiable credentials) from a government institution and
| sends (uses up) one when you want to prove your age to a
| website. The website can check the validity of these tokens
| without connecting to the government institution.
|
| They are even trying to do some form of blind signature or
| zero-knowledge proof to have better protections.
|
| https://ageverification.dev/av-doc-technical-specification/d...
|
| Age verification laws are easy to circumvent and they are
| bad for many other reasons though.
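
The one-time "proof of age" token scheme raron describes above, as an added example that is not part of the thread or of the EU app's code: a textbook RSA blind signature, where the issuer signs a token it never sees and the website verifies it offline and marks it spent. The toy key (two Mersenne primes), the class names and the 16-byte serial are constructed for illustration; a real deployment would use a standardized blind-signature scheme with full-size keys.

```python
import hashlib
import math
import secrets

# Constructed toy issuer key: two Mersenne primes, ~234-bit modulus.
# Far too small for real use; it only keeps the example self-contained.
P = 2**127 - 1
Q = 2**107 - 1
N = P * Q                           # public modulus
E = 65537                           # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # issuer's private exponent


def h(serial: bytes) -> int:
    """Map a token serial into Z_N (toy stand-in for a full-domain hash)."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


class Issuer:
    """Knows the user's identity; signs blinded values and logs what it saw."""

    def __init__(self):
        self.log = []  # (user_id, blinded_value) pairs

    def sign_blinded(self, user_id: str, blinded: int) -> int:
        # The age check against the identity record would happen here.
        self.log.append((user_id, blinded))
        return pow(blinded, D, N)


class Wallet:
    """User-side app: blinds a fresh serial, then unblinds the signature."""

    def request_token(self, issuer: Issuer, user_id: str):
        serial = secrets.token_bytes(16)
        while True:
            r = secrets.randbelow(N - 2) + 2      # blinding factor
            if math.gcd(r, N) == 1:
                break
        blinded = (h(serial) * pow(r, E, N)) % N  # issuer sees only this
        blind_sig = issuer.sign_blinded(user_id, blinded)
        sig = (blind_sig * pow(r, -1, N)) % N     # equals h(serial)^D mod N
        return serial, sig


class Website:
    """Verifies with the public key only; never contacts the issuer."""

    def __init__(self):
        self.spent = set()

    def accept(self, serial: bytes, sig: int) -> bool:
        if pow(sig, E, N) != h(serial):
            return False                          # not signed by the issuer
        if serial in self.spent:
            return False                          # token already used up
        self.spent.add(serial)
        return True


def explaining_factor(blinded: int, serial: bytes) -> int:
    """Blinding factor r that would make `serial` produce `blinded`.

    Uses the private key, so only the issuer could compute it. An r exists
    for every (log entry, token) pair, which is why the issuer's log cannot
    single out which user a presented token belongs to, even if the issuer
    and the website compare notes.
    """
    return pow((blinded * pow(h(serial), -1, N)) % N, D, N)


if __name__ == "__main__":
    issuer, wallet, site = Issuer(), Wallet(), Website()
    serial, sig = wallet.request_token(issuer, "alice")
    print("first use accepted:", site.accept(serial, sig))
    print("replay accepted:   ", site.accept(serial, sig))
```

The spent set is per website here, so this sketch stops reuse of a token at the same site only.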
| danaris wrote:
| ...Unless the government is _specifically_ looking out for
| this, that's easy to game by just submitting a bunch of
| requests for age validation with incrementing ages.
|
| Is that worth it? No idea--but I'm willing to bet some
| surveillance advertisers _think_ it's worth it.
| Sayrus wrote:
| I haven't read the spec so I'm not sure if you can request
| that or only 18+.
|
| However doing dozens of requests requires the user's
| approval each time which may raise red flags and I can
| imagine your certificate revoked.
| progbits wrote:
| Presumably the request contains some nonce, otherwise this is
| trivial to replay?
|
| But even then, I can volunteer my ID, keep it permanently
| attached to a computer running a server that allows certain
| requests (like the boolean age check), and then provide an
| API / client that allows anyone anywhere to use it to pass.
|
| No risk to me (none of my data leaks), presumably no rate
| limits (the card has no way to track time; at best it could
| store recent request timestamps but I doubt it does).
|
| In fact even better, use stolen or lost cards. Owner will get
| a new one, but the old one has no way of knowing it's voided.
| We can build a network that is able to sign whatever info
| (age, gender, city, name) you want, as long as we have one ID
| with such info.
| michael1999 wrote:
| I'd refine Doctorow's claims to "Privacy preserving age
| verification is bullshit in the Common Law Anglo world".
|
| You are completely correct that civil law jurisdictions have
| already solved this: Germany, Estonia, and many others have
| all the requirements: a register of all persons available to
| the central authority, and crypto infrastructure to make it
| work.
|
| What's missing from the UK, Canada, USA, etc. is the first
| part! It is hard to believe if you live in Germany, but there
| really is no big master list of people in those countries.
| There are many (many, many) lists, linked badly by many
| different ids. The tax registry, pension registry, drivers
| license registry, and visa registry are some of the big ones.
|
| Things could be so much simpler if we had such a thing, but the
| politics between here and there are basically impossible.
| wizzwizz4 wrote:
| Those big (computerised) master lists were _really_ useful
| for the Holocaust: I'm not sure it's a bad thing that some
| countries don't have them.
| crote wrote:
| Unfortunately the countries that don't have them, still
| have them.
|
| Your birth certificate is still stored _somewhere_. You're
| still entered in a bunch of databases from the moment
| you're given birth to in a hospital. You still get a social
| security number, which you need to work, which you need to
| do to afford food.
|
| Sure, all those databases might not have a neat shared
| primary key, but that's definitely not going to stop future
| Holocaust 2.0 perpetrators from joining all those tables
| together.
| nottorp wrote:
| > This way the government does not know which sites you visit
|
| Hmm. It's not clear from the description that it is so. The
| government knows which site sent the request and authenticates
| your card, which is tied to your identity, right?
| babypuncher wrote:
| That certificate retrieved from the government has no
| personal information attached to it. It's essentially empty,
| only defining what information will be requested from the
| user.
|
| The certificate is passed to the user's ID card where that
| information is populated, the document is cryptographically
| signed, and returned to the requesting party after the user
| reviews and approves the transaction.
| crote wrote:
| If the ID card cryptographically signs it, doesn't that
| mean that it isn't anonymous?
|
| I assume it's a variant of PKI, with everyone trusting the
| government's root key, and each ID card storing a unique
| certificate signed by that root key. But an ID card will
| only have a _single_ certificate, so it would be trivial to
| see that multiple data snippets were signed by the same
| certificate - and therefore the same person. That would
| allow a website to track users across sessions - or even
| across websites.
| nottorp wrote:
| I'm not asking what goes to the site. Does the request to
| the government come from the site you visit? Can the
| government pair the site with your card? They know who they
| issued the card to.
| andy99 wrote:
| Yes seconded, I don't understand from the description how
| it's anonymous. There has to be some way the government
| doesn't know who they are verifying - I assume that's
| cryptographically possible but is that what's happening here?
|
| Regardless, there is a lot that can be inferred from
| patterns. Even telling the government every time you need
| your age verified leaks a huge amount of information (and for
| the record is incompatible with a free society)
| zeeZ wrote:
| There's:
|
| - the ID card which trusts the government PKI and has its own
| private key and certificate
|
| - the application that does some certificate checks and
| facilitates communication between the card and an eID server
|
| - an eID server which is connected to the PKI and regularly
| receives short lived certificates to present to the card,
| does revocation checks, validity checks and a bunch of other
| stuff. Also provides a list of fingerprints of TLS
| certificates of eID services allowed for the session
|
| - an eID service which opens a session with the eID server
| indicating requested data and ultimately receives this data
| from the eID server. They own the legalese certificate of
| which data they have access to.
|
| - maybe another provider wrapping all this and the required
| certifications, compliance and hardware into an easy to use
| API. But could also all be the same.
|
| It could be argued that the government has influence on the
| eID server providers - which do the actual communication with
| the card and are the first to receive the data before passing
| it on - via access to the necessary PKI, but they're not
| directly involved in the communication.
| pier25 wrote:
| There's no way this could be implemented globally.
| tetraodonpuffer wrote:
| why don't you think this would work? Technically this is
| basically "the (SP) site trusts another (IDP) site to
| sign/encrypt a JWT containing some custom assertions". The
| user would go to the SP, get a signed blob (session nonce /
| expiry / whatever), take that to the IDP, log in there, IDP
| creates a JWT with the original blob plus any assertion you
| allow, you post the JWT back to the SP, SP decrypts the IDP
| packet, gets its own nonce, ties you to the session, done.
|
| There are also obviously better ways
| (https://blog.cloudflare.com/privacy-pass-standard/ possibly
| some variation of zero knowledge proofs) but technically this
| seems like a solvable problem. Money wise the IDP or in
| general verifier can charge users for an account and/or
| generated assertions.
| jchw wrote:
| Even if you _could_ do this in every single country (it would
| already be extremely hard to actually do this in the United
| States reliably, and I can only imagine it is basically a non-
| starter in a lot of developing countries) it does pose so, so,
| so many problems.
|
| - How can you ensure the system can't be abused if there's _no_
| identifying information passed? Don't get me wrong, this is
| also a problem with current systems, maybe even worse. But if
| it's privacy preserving, ... Almost all kids under 18 have
| parents or guardians. Almost all of those parents or guardians
| are 18 or older. So literally all you have to do to bypass age
| verification is steal their ID for a few minutes? There are
| also a myriad of solvable problems that aren't guaranteed to be
| solved without care, like ensuring that the same ID is not used
| 100,000 times.
|
| - This is a job that is best suited for the government to
| handle. The internet is global though, and there are _a lot_ of
| governments. In the U.S., there is in fact not one federal ID,
| but instead we use state IDs. I assume that means you now need
| to handle around 50 different state IDs to be able to verify
| someone's identity, but it actually gets even worse than that,
| because some people will have IDs, and some will have drivers
| licenses, because oddly enough that's just how we structure IDs
| here. People without drivers licenses may have state IDs which
| are often intentionally visibly distinct to make sure they
| can't be mistaken for the other. In states I'm aware of, you'll
| never have both, the driver's license acts as a state ID if you
| have one. Now scale that to every country on Earth.
|
| - As insane as it may sound, there are plenty of people who
| don't have essentially any form of ID. You might think I'm
| over-estimating the numbers with "plenty", but even just in the
| United States, it's literally over 2.5 million, off the top of
| my head. (No idea what the best source is here.) The closest
| thing we have that _every_ citizen is supposed to have is
| Social Security, but that isn't really usable as a form of ID
| for various reasons. (And frankly it's a pretty terrible means
| to verify someone's identity at all anymore in the Internet
| age, but oh well.)
|
| I'm totally sympathetic to the fact that people really don't
| want their kids browsing porn on the Internet, but children
| basically can't pay for Internet access or afford iPhones. I
| think it's _insane_ that people keep suggesting using advanced
| cryptography, zero-knowledge proofs, privacy pass tokens or
| whatever else for a problem that so clearly needs to be solved
| socially and not technically. (And obviously, only the surface-
| level aspects of this are really about porn. We all know it's
| deeper than that, and if it wasn't, the UK would readily exempt
| Wikimedia from these requirements. I hope nobody here is
| deluding themselves into thinking this is a noble effort.) You
| are literally giving your children a device that can easily
| obtain porn and letting them use it unsupervised. It's not like
| it was a secret: Avenue Q told you everything you needed to
| know. I get that raising kids is hard and society pressures you
| to do this, but isn't that the problem you'd rather tackle?
|
| The problem is that we've let this idea that you can solve the
| problem like this enter the mainstream, and now that we have,
| even smart and reasonable people may accidentally convince
| themselves that it is tractable just because it is technically
| feasible to devise such a system. This is bad because we're
| going to waste a lot of energy repeating ourselves on thinking
| about the entirely wrong way to look at things.
| SamBam wrote:
| > Almost all kids under 18 have parents or guardians. Almost
| all of those parents or guardians are 18 or older. So
| literally all you have to do to bypass age verification is
| steal their ID for a few minutes?
|
| Presumably this is the purpose of the PIN, which I assume is
| in the owner's head, not on the card (otherwise it would be
| redundant with the NFC chip).
| jchw wrote:
| Look, I'm not trying to paint the picture that the problems
| aren't technically solvable; the fact that it kind of _is_
| is the part that makes this discussion so durable.
|
| I admit that PIN verification would make it harder to
| bypass the system, though to be honest with you, I think
| it's also not really hard to realize that some kids will
| still manage to figure out their parent's PIN numbers,
| which they will likely re-use for their bank cards and a
| bunch of other shit, because most people don't really want
| to have to come up with 10 different PIN numbers, and we
| all kinda get the idea that PIN numbers aren't really that
| secure in the first place. Adding a PIN number requirement
| is probably a wise idea, but it does make the system a bit
| more of a PITA for everyone as people will inevitably
| forget their PIN and need to reset it or what have you. And
| I reckon that's basically how each countermeasure for
| problems of these systems go, each one just adds a little
| bit more pain depending on how hell bent you are on making
| it work. (I think the PIN number is good enough for trying
| to prevent someone for stealing your identity with your ID
| card to an extent, but not as good against people you live
| with misusing your ID card.)
|
| Of course, you could keep going. You could try to come up
| with counter-measures to discourage someone from re-using
| their ID card for other people, and probably at least limit
| the impact of some of these issues to make the system
| _basically_ work.
|
| Even if you really do concoct the perfect solution for one
| country, you then have to make sure this problem gets
| solved correctly in every individual federal government,
| and then anyone who wants to offer adult content online has
| to individually handle identity verification across all
| countries that require it.
|
| Meanwhile, we already have a system where essentially
| _only_ adults can buy devices to connect to the Internet,
| and Internet service plans. You can't even get a _debit_
| card in the U.S. without being at least 18 years of age.
| toast0 wrote:
| > In the U.S., there is in fact not one federal ID, but
| instead we use state IDs.
|
| That's only partially true. We also have federal IDs:
| passports, passport cards, permanent resident cards, DoD IDs,
| Transportation Worker IDs. There's also some other federally
| issued IDs listed as Real ID compliant [1], but I've never
| seen them so I didn't list them.
|
| [1] https://publicpoint.fnal.gov/get-connected/Shared%20Document...
| jchw wrote:
| That's not exactly what I mean though, I really mean to say
| that there's no federal ID that you can basically rely on
| people having. I totally get that there are actually
| federal IDs, and probably could've worded that a bit
| better.
|
| What I really mean is that among IDs you might expect every
| citizen to actually have, state IDs are basically the most
| reliable and even that only gets you around 99% of the way
| there.
| xorcist wrote:
| > all you have to do to bypass age verification is steal
| their ID for a few minutes?
|
| There are numerous interesting and/or problematic aspects of
| this, but this question is perhaps the least interesting.
|
| If your kid, or anyone else really, steals your ID then age
| verification is the _least_ of your problems. They could
| transfer all your money, move house, get married, change your
| name or a myriad of other much more serious things. Willingly
| letting your kid use your ID would be borderline illegal and
| not an insurance in the world would cover it.
|
| > literally over 2.5 million
|
| These people have never borrowed a book, visited a doctor,
| paid taxes or opened a bank account? There are many things in
| society that require validating who you are. Surely they have
| _some_ form of ID. Perhaps just a more insecure one than a
| cryptographically signed.
|
| I don't think a federal identity is as far fetched as you
| make it sound, for better and for worse.
| input_sh wrote:
| I completely agree it's technologically feasible in basically
| every continental European country (as we all have some form of
| biometric IDs), but do you want to have to do that every time
| you open a private tab to look at porn? Do you want to not be
| able to clear your browser cookies without going through that
| process all over again for basically every website? Do you want
| to extend 2FA into 3FA with your national ID acting as the
| third factor so you can view "sensitive" content?
| baby_souffle wrote:
| This guy gets it!
|
| Don't get me wrong, I love diving into the technical details
| just as much as anybody else here. I've learned something new
| almost every time there's a comment thread on the subject.
|
| But the technical details are a distraction. That this is
| happening at all is the forest the technical crowd is going
| to miss for the trees.
|
| Preserving some semblance of privacy on the internet is
| already hard enough. We do not need systems like this to
| encroach any farther; risks of personal privacy is so great
| and could be caused by such a simple innocent and subtle
| configuration mistake.
| michaelt wrote:
| Interesting. How does the revocation of lost/stolen cards
| interact with the anonymous design of the age attestation?
|
| If an enterprising 19-year-old sold their card and PIN to a
| 15-year-old and reported it lost to get a replacement,
| presumably there's some mechanism to stop the 'lost' card being
| used as proof of age?
| flopbob wrote:
| That would be an unlikely scenario. No one would just sell
| their ID just like that because you have to go to the police
| to make a report on what happened exactly which then gets
| distributed in whole Europe and also getting a new ID is
| quite a procedure and costly unfortunately
| LtWorf wrote:
| You don't sell the id, you login once on their computer.
| zeeZ wrote:
| There are some steps missing.
|
| The card communicates with an eID server via the app. This
| server is connected to the PKI and receives a new certificate
| daily-ish and also has a revocation list of blocked IDs.
| There's a ridiculous amount of regulation for hosting one
| yourself, so you get that service from one of the two or
| three who provide it as a service.
|
| ID data this eID server received from the card is then sent
| to the eID service that initiated the session, which may
| either be the entity who needs it, or another service
| provider who wraps another set of regulation requirements and
| complex eID server API calls into an easy to use API for
| their customers.
|
| ID data isn't actually shown to the user in the app unless
| it's a custom implementation that loops it all the way back
| from the service provider at the end.
| crote wrote:
| The problem with schemes like these is that it is reasonably
| easy to come up with something which is _pretty close_, yet
| still missing some crucial details.
|
| - You do not want the government to know which websites you
| visit. This rules out any kind of redirect / forwarding via a
| government website or app.
|
| - You do not want websites to correlate their requests, as that
| would allow for cross-website tracking. Request data from
| website A should be completely useless to website B. This rules
| out most regular certificate schemes.
|
| - You do not want a website to correlate multiple data
| requests, as that would allow websites to create some kind of
| supercookie. Requests should be completely independent, and two
| requests from the same user should be indistinguishable from
| requests from two different users.
|
| - You do not want to lose privacy when the government and the
| website work together. The request should still be anonymous
| when the two collaborate, or else there can be no reasonable
| assumption of privacy. This rules out most clever pass-a-one-
| time-code schemes.
|
| - You want the request to be unique and time-bound. It should
| not be possible to replay a response, either to the same
| website or a different one.
|
| - You do not want to send more data than strictly necessary. If
| a website needs to know if you are 18 or older, it should only
| receive a boolean flag.
|
| Getting some of those properties is easy. Getting all of them
| at the same time? Nearly impossible. And the worst part is that
| I almost certainly forgot a handful of requirements!
| hedgehog wrote:
| The technical issues are workable, the really difficult issue
| is none of the big stakeholders really care about the level
| of privacy you describe. Priorities like audit compatibility,
| cost of deployment, etc all end up governing what standards
| get adopted.
|
| Edit: And as Doctorow points out there are a host of other
| issues that arise from actually deploying a working system.
| Hizonner wrote:
| Age and IP address are probably sufficient to uniquely identify
| most Internet users.
| lisbbb wrote:
| I guess I'm such a hard line anarchist that this sounds totally
| awful to me. Remember East Germany? Nope, none of you do...
| eqvinox wrote:
| > Remember East Germany? Nope, none of you do...
|
| I do. (Just barely.)
|
| I don't have a Personalausweis. (You only need to have
| _either_ a passport or an ID card, not _both_.)
| LtWorf wrote:
| And you think a crafty teenager can't get around that?
| kazinator wrote:
| If you're a web person who understands SSL, privacy-preserving
| age verification can be explained by analogy.
|
| It's a system which requires a central agency, probably a
| government agency, analogous to a certificate authority.
|
| You are authenticated with that agency; it has personal info
| about you. But you are externally identified by some impersonal
| identifier, not your name.
|
| The agency issues you a certificate binding this identifier to an
| assertion like "is over 18 years old".
|
| When you interact with a site that wants to know whether you are
| over 18 years old, you present the certificate. The site can see
| that it's signed by the authority and that it has the assertion
| that you are over 18.
|
| You can't just give that site someone else's certificate because
| it has to be the one tied to the abstract identity you are
| presenting (which contains no personal info; it's some kind of
| UUID or whatever). Plus the cert can be bound to a specific
| device and such.
|
| The cert has a private key with which you can prove that you own
| that cert; or at least that you are the authenticated operator of
| a device to which that cert was issued.
|
| It's something like that. I may have some key details wrong. The
| main idea is that some brokerage that does have info about you
| can attest that you are over 18 without revealing any of the
| personal info via certificate-like objects.
|
| It sounds like, in theory, the system can achieve good privacy in
| age verification. But not perfect age verification; people will
| find ways around it.
|
| A grown up can certify themselves to be over 18 and then hand the
| device to a teenager; and such an operation can likely be scaled
| to some extent. And of course no cryptographic system can
| eliminate the possibility that minors are looking at the screen
| of a device operated by an adult, who may even step out of the
| way to let them operate it.
| irchans wrote:
| Even after reading the article, I think there are reasonable ways
| to set up a low cost system that uses zero-knowledge proofs to
| "prove" your age without disclosing your identity. I do think
| that you will need trusted entities and the system will only stop
| most, maybe 80 or 90 percent of children under 18 from seeing
| porn. But, if you do this, then maybe 99% of kids under the age
| of 14 will have a lot of difficulty viewing porn which is a good
| thing. There may be a valid slippery slope argument for not
| setting up the age validation system even if everything I said
| above is true.
| Seattle3503 wrote:
| Yeah, I think even if we only manage to delay the "age of first
| porn viewing" to something like 14-15, that's probably a win.
| jofla_net wrote:
| Maybe, but as a parent, I believe it's an embarrassment to
| expect to radically retrofit a society in such ways as to
| make up for my own negligent lack of responsibility for my
| own children, which I do take quite seriously. Not to mention
| the myriad of resultant unintended consequences which
| invariably arise when such systems (of which I'm quite
| familiar) are brought to bear. Though I do speak from such a
| position of professional neutrality, as I would gain no
| benefit at all from implementing such a ubiquitously mandated
| system. Perhaps if things were different, I'd think
| otherwise.
| doright wrote:
| In my opinion "we need mandatory age verification" is an
| admission that we can't really address the overarching
| issue of parents that can't/won't parent at a good enough
| level. Narcissistic parenting without any added access to
| questionable content on a smartphone is still...
| narcissistic parenting. The definition of "parent better"
| differs between people and is often non-negotiable, even
| way before anything involving CPS occurs. Not to mention,
| the content being withheld will become available at
| adulthood anyway, and can still be harmful if the person
| has not been given the tools to navigate it well.
|
| Admittedly the bar is far higher with ubiquitous social
| media and smartphones. I'm not sure a parenting license
| system would ever work out in practice. Yet a lot of issues
| stemming from upbringing can cause irreversible harm and I
| don't feel like those root causes are brought up that much
| in the broader discussion about mental health symptoms.
|
| It pains me to think that some amount of debilitating
| childhood trauma is unavoidable, but content restriction at
| least _sounds_ like an actionable problem that doesn't
| require uprooting the fabric of society to correct.
| crote wrote:
| On the other hand: Are you willing to pay hundreds of millions
| for developing the biggest data leak in human history, killing
| websites like Wikipedia in the process, while stopping only 10%
| of underage children from seeing porn?
|
| The current systems being put in place in the UK are privacy-
| invading and ineffective. In my opinion they are _worse_ than
| not having anything at all. I might be willing to change my
| viewpoint if something better comes along, but if a proper
| solution was so easy, why haven't we seen a peer-reviewed
| reference design yet? What's stopping the nerds from nerding
| harder?
| skybrian wrote:
| You're probably better off just reading the paper he links to:
|
| https://www.cs.columbia.edu/~smb/papers/age-verify.pdf
|
| I think it shows the difficulty of implementing it for everyone.
| But Apple and Google's cell phone implementations would probably
| cover most people in some countries when finished, and then there
| will be a long tail of people who will need cheats and
| workarounds.
|
| You'd be screwed if you didn't have any friends who could help
| you cheat.
| nayuki wrote:
| I think this would be a perfect use-case for blind signatures.
| https://en.wikipedia.org/wiki/Blind_signature
|
| Let's say every citizen has an account with their federal
| government, and the account can be accessed securely in some
| reasonable way (password, 2FA, hardware token, etc.).
|
| The government can have a public-private RSA key pair
| specifically for "At least 18 years old". Once the user is
| authenticated, he can generate a nonce and a blinding factor,
| multiply them together to get a blinded random number, and upload
| that to the government for signing. He takes the signature and
| unblinds it, then submits the original nonce and unblinded
| signature to the adult website. The website confirms that the
| nonce and signature are valid according to the government's public
| key.
|
| This system raises many questions. For example, preventing replay
| attacks, so the adult website will reject any nonce being reused,
| or mandating that a timestamp be a subcomponent of the nonce.
| There is the un-answerable question of how to handle the case
| where a legitimate adult offers valid signatures for someone else
| to use. There is also the question of, to what extent the adult
| website should be able to keep track of the underlying users
| (even in a hashed format) to monitor abuse, suspicious users who
| have too much activity, etc.
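Added example, not part of nayuki's comment or the linked article: the blind-signature flow described in the comment above, as textbook RSA with a site-side nonce and timestamp check. The key, the token layout (nonce|timestamp), the five-minute window and all function names are assumptions made for illustration.

```python
import hashlib, math, secrets

# Constructed demo key from two Mersenne primes: the factors are public, never reuse it.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))  # D: government's private "at least 18" exponent

def digest(token: bytes) -> int:
    # Bare SHA-256 for brevity; real schemes use a padded encoding (see RFC 9474).
    return int.from_bytes(hashlib.sha256(token).digest(), "big")

def new_token(now: float) -> bytes:
    # User: random nonce plus a timestamp (self-asserted, the signer never sees it).
    return f"{secrets.token_hex(16)}|{int(now)}".encode()

def blind(token: bytes):
    # User: multiply the digest by r^e so the signer learns nothing about the token.
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (digest(token) * pow(r, E, N)) % N, r

def sign_blinded(blinded: int) -> int:
    # Government: runs only after the citizen has logged in and passed the age check.
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    return (blind_sig * pow(r, -1, N)) % N

class AdultSite:
    def __init__(self, max_age_s: int = 300):
        self.seen, self.max_age_s = set(), max_age_s

    def accept(self, token: bytes, sig: int, now: float) -> str:
        if pow(sig, E, N) != digest(token):
            return "bad-signature"
        ts = token.rpartition(b"|")[2]  # blindly signed, so the content is unvetted
        if not ts.isdigit() or abs(now - int(ts)) > self.max_age_s:
            return "bad-timestamp"
        if token in self.seen:
            return "replay"
        self.seen.add(token)
        return "ok"

def demo(now: float = 1_755_000_000.0):
    token = new_token(now)
    blinded, r = blind(token)
    sig, site = unblind(sign_blinded(blinded), r), AdultSite()
    return blinded != digest(token), [site.accept(token, sig, now),
        site.accept(token, sig, now + 1), site.accept(token, sig + 1, now),
        AdultSite().accept(token, sig, now + 3600)]
```

Because the signer never sees the token, the timestamp is only what the user claims, so a signer-enforced expiry needs something else, such as a signing key that changes per period. The replay set also does nothing about the comment's open question of an adult handing fresh signatures to someone else.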
| cogman10 wrote:
| The big problem I have with laws like the UK has been that they
| solve a non-issue at the cost of large infrastructure and
| potential privacy problems.
|
| Teenagers have been looking at porn since forever. It's
| practically a trope of teens stealing their parents' porn mags. I
| don't think any of this has actually caused major societal
| issues.
|
| The proposed solutions merely require that a teen steal their
| parent's identification, briefly, to create a porn account and
| move on. Heck, they can probably buy that information online if
| they are innovative enough. They certainly will be selling access
| to their porn accounts to their classmates. And even if they
| don't go through all that trouble, getting a porn mag is still
| pretty possible in the UK.
|
| That makes this just a bad law. It doesn't meaningfully stop the
| problem it's meant to stop and it's expensive and intrusive. Even
| if privacy preserving age verification was bulletproof and
| perfect, you still have the access holes all over.
|
| And then there's the simple fact that other nations exist. Yes,
| mainstream sites will put up protections, but what about the
| Sealand porn site? Unless the UK wants a great firewall (a la the
| Chinese firewall), they simply aren't going to stop this problem.
| Even then, VPNs are common knowledge at this point due to
| streaming.
|
| Bad law, bad effects, and a pointless fight.
| owisd wrote:
| Having a device in your pocket that you take everywhere with no
| stigma to being seen with it yet it has unlimited access to any
| genre of porn you can think of is hardly comparable to finding
| a 90s porn mag in a bush from time to time, so you can't really
| say this has been happening forever.
| cogman10 wrote:
| Erotic novels have been discreet for a while. It's also not
| been usual to have a laptop in public since the 90s. There
| are definitely pictures of people perusing porn on trains
| (visible in reflections).
|
| Briefcases were also a thing as have been strip clubs since
| forever. Quick access to porn hasn't been a problem since the
| printing press was invented.
| unfitted2545 wrote:
| > I don't think any of this has actually caused major societal
| issues.
|
| It degrades and oppresses all women.
| impossiblefork wrote:
| I don't necessarily disagree, but surely not more than not
| having it age limited?
| can16358p wrote:
| It's 2025 and we're still discussing people's access to porn
| because of some conservatives, whereas we should be discussing
| how technology could actually be used to improve the world.
|
| Unbelievable. Let people watch their thing if they want to,
| jeez.
|
| There are MUCH more important problems on Earth.
| andrewla wrote:
| Overall this article is completely correct and I agree with every
| point of it and have tried to make these arguments about the
| various ZKP proposers that I have encountered.
|
| But I almost gave up early because he can't resist the urge to
| take a dig:
|
| > For politicians to make good policy, they don't need to be
| technical experts: they need to have solid, independent, well-
| resourced expert agencies. Those would be the very agencies that
| Trump and Musk have DOGEd into oblivion ...
|
| And then in the next paragraph blithely engages in some Gell-Mann
| amnesia
|
| > But when it comes to tech policy, politicians get it all so
| goddamned wrong
|
| Expert agencies formulating clean water policies are emphatically
| not the reason that we have potable water. Experts in actually
| doing the work of producing clean water are the ones that push
| the standards upstream. It's a subtle but important difference.
|
| Look, it's not 2018 anymore, we survived a round of Trump and
| we'll survive this one and the world will not end and some things
| will get better and some things will get worse, but trying to tie
| everything back to how Trump has ruined everything is going to
| make your views look worse and worse as they age.
| ratelimitsteve wrote:
| Remember when they passed a bunch of really strong anti-terrorism
| bills in the US after 9/11 and we were all super sure that it was
| a great idea because they promised us they'd show restraint and
| only use the powers they were giving themselves against the worst
| of the worst, then they declared vandalism to be terrorism
| (https://www.reuters.com/world/us/trump-says-he-will-buy-
| new-...)?
|
| That's how I expect "privacy-preserving age verification" to go.
| It's the narrow end of the wedge. Once privacy-preserving age
| verification is in place there will be some reason to get rid of
| the privacy, and we will have a fully tracked and identified
| internet.
| lisbbb wrote:
| I couldn't read past the dig at Trump, quite honestly. All that
| the Trump admin has done is reduce some of the massive bloat in
| the Federal Government, but people with TDS can't see it because
| they have this enormous blind spot of hatred built up in their
| minds. And if they have that kind of inability to think through
| real life in that regard, then they have other massive blind
| spots as well.
|
| I'm 100% against the modern Puritanism being pushed by statists.
| I think it's disgusting. Police your own kids, don't look at
| things you don't like, and let the rest of us be. Massive
| government surveillance systems are evil, and "government
| experts" are just assholes, to be brutally honest. It's make-work
| jobs at the taxpayers' expense, and we never actually could
| afford that "expert class" of know-it-all meddlers.
| ncdm_stldr wrote:
| While I understand your point, I just wanted to point out that I
| am not sure if there is no technical solution to the problem. I
| wonder what can be done with a technology similar to this:
| https://huggingface.co/spaces/zama-fhe/encrypted_sentiment_a...
| Or this: https://en.m.wikipedia.org/wiki/Zero-knowledge_proof OK, I
| didn't point to the exact solution for the problem, but still it
| hints to me that technical solutions may exist.
|
| Anyway, I am not on the side of control freaks, but still find
| the question interesting.
| OkayPhysicist wrote:
| The key problem with this entire issue is that it's basically a
| morality law. There are classes of crimes that, over time,
| society has discovered simply do not have an enforcement
| mechanism less damaging than the harm they are seeking to
| prevent.
|
| An example is Adultery. Most people will agree that it is morally
| wrong to cheat on your spouse. The reason civilized countries no
| longer have adultery laws is not because a majority of people
| support the crime, it's that the level of control a government
| needs to exercise over its citizenry to actually enforce such a
| law is repugnant. The state must proscribe definitions of
| infidelity (human sexuality being the mess it is, this alone is
| a massive headache), then engage the state apparatus to surveil
| people's intimate lives, and then provide a legal apparatus that
| prevents abuse via allegation. And for what? So that people's
| feelings are a little less hurt?
|
| The juice simply is not worth the squeeze.
|
| So it goes for age restrictions. Age verification creates massive
| potential for invasion of privacy, blackmail, censorship, and
| more, necessitating a massive state censorship apparatus to block
| foreign content, and for what? So that little Timmy's forced back
| into trading nudie mags at the bus stop? To save parents the
| onerous effort of telling their kids "no"?
|
| It's simply not worth it.
| amelius wrote:
| Ok, but how long will it take the people in power to figure
| this out (again)?
| Illniyar wrote:
| I think that's a bit of rationalizing. I don't think there's
| much evidence that Adultery is no longer a criminal offense
| because people were concerned about privacy or government
| control.
|
| It's that people became more secular, Adultery is considered a
| sin and not a crime, and modern countries instituted separation
| between religious and secular laws.
| DeRock wrote:
| Adultery not being a crime goes far beyond its enforcement
| mechanism.
| MattPalmer1086 wrote:
| What a breathlessly overhyped post. Basically - yes we can do it
| technically, but there are big economic and social limitations on
| rolling something like it out.
|
| Hard for sure, but not bullshit. I actually found it hard to read
| the post - it could have been a third as long and more useful and
| measured. But I guess it gets clicks.
| causality0 wrote:
| From a logical standpoint it seems pretty obvious that the person
| providing children access to porn is their parents when they give
| them an unfiltered internet connection, not the porn websites.
| God forbid we actually require parents to, you know, parent.
| tim333 wrote:
| >Others say they can estimate your age by using AI to analyze a
| picture of your face. This is a stupid idea for many reasons, not
| least of which is that biometric age estimation is notoriously
| unreliable when it comes to distinguishing, say, 16 or 17 year
| olds from 18 year olds.
|
| It doesn't matter it's unreliable telling 17 year olds from 18
| year olds. This thing is to reduce the amount of porn kids are
| exposed to. It's not like issuing a passport or something. As
| long as it sort of has some positive effect.
|
| I actually did the face picture thing for Reddit. Seemed to work
| ok, although I'm 61 so not too near the cutoff.
___________________________________________________________________
(page generated 2025-08-14 23:01 UTC)