j2kun
10 hours ago
There are at least some technological solutions here, such as anonymous credentials. [1] Modern versions of this technique allow one to associate metadata (like a proof of age exceeding a threshold) in such a way that the verifier can't even correlate repeated requests across users.
Governments that are serious about age verification and individual privacy (which, doubtful they truly are) should agree on a protocol and set up certificate issuers that are associated with a digital ID. Then age verification will not be an invasive procedure or risk data leaks or insider threats.
[1]: https://blog.cryptographyengineering.com/2026/03/02/anonymou...
andrewla
9 hours ago
The article talks about the possibilities of malicious cloning of these tokens by third parties, but fails to identify the much more common use case, and one that makes this scheme useless for age verification.
It's one thing to be concerned about someone stealing my credential, but another to prevent the transfer of these credentials, especially if they are limited use credentials.
The entire point of age verification systems is to prevent minors from accessing certain resources. I think we all know that this is basically impossible; but what these various governments and social media companies want to do is to make it high friction to do so.
The highest friction version of this is that the credential ties to a real world identity somehow; maybe locked behind legal barriers, etc., but if a minor is caught using someone's credential, then the person whose credential they are using can be investigated, and, if necessary, charged with a crime roughly equivalent to providing alcohol to a minor. Without the possibility of real world enforcement, none of these identity solutions can possibly work.
Keep dreaming of a technological solution -- there is none that does not lead to the world that FIRE is warning about, except to accept that we can only make a solution "good enough" and leave it at that, without expanding into full on identity verification. The solution here is likely to just try to provide better abilities for parents to monitor and limit their children's use of the internet. Let individual parents decide on the level of harm that they are willing to accept, and accept that there will be ways to work around this even if parents are vigilant, but just try to reduce it on the margins.
Aurornis
8 hours ago
Yes, this is the part of the issue that is so frequently ignored: Anonymous age verification schemes are easily defeated through proxying because there wouldn't be any consequences for selling your tokens. "Install this app on your phone and we'll pay you $1 per day" and it will mint your anonymous identity tokens and send them off to kids who want to buy them. If there's no way to track the tokens, there is no possibility of negative consequences.
So the schemes always start introducing features to reduce the anonymity of the tokens or make them more trackable in some way:
> The highest friction version of this is that the credential ties to a real world identity somehow; maybe locked behind legal barriers, etc., but if a minor is caught using someone's credential, then the person whose credential they are using can be investigated, and, if necessary, charged with a crime
Which requires that these identity tokens not be anonymous age-verification credentials. They become a traceable identity token tied to your government-issued ID.
grey-area
an hour ago
The tokens could be tied to the device and Apple account by a provider like Apple, in fact you don’t need to issue tokens, only provide a web api that Apple and other browser providers support, which attests age.
This is certainly something that can be solved technically if we want.
dvdkon
17 minutes ago
It sounds like your scheme would only allow browsing the "adult web" on locked-down, unmodified devices running government-approved software. Frankly, that's worse than even requiring ID.
DennisP
8 hours ago
> They become a traceable identity token
Not if you use a challenge-response protocol where the client returns a zero-knowledge proof of age, where the proof incorporates a random string sent by the website.
The traceable stuff is private information that the website never sees. If a minor is caught with it, then law enforcement has local access to the minor's hardware and can probably view the private data.
At that point, the private key can be put on a public revocation list. The zero-knowledge proof can include a proof that you're not on the revocation list. Once you've been revoked, you have to go through the hassle of setting this all up again, which might be enough incentive to keep it reasonably secure.
pastel8739
6 hours ago
This doesn’t stop the scheme the parent proposes, where adults install some proxy on their device and challenges are responded to on the parent device. Then the private key never leaves the parent device and all the child device has is the proxy software, which could be set up to not log any identifier of the key that it used
Epa095
44 minutes ago
I agree, but this is also clearly a increased barrier. Going back to OPs comment that perfection is impossible, the goal is to raise the bar, I would say that this is more than good enough.
7e
5 hours ago
Trusted computing fixes this.
franga2000
2 hours ago
Trusted computing is the biggest threat to privacy and liberty of them all!
mindslight
3 hours ago
The same way a lobotomy fixes a headache.
pastel8739
4 hours ago
How so?
LoganDark
an hour ago
Presumably, if you have a trusted application on a trusted device, the identifier was installed in a trusted way, the device is in trusted possession and the device won't be given to anyone else, trusted computing may be able, in certain cases, to make it more difficult for a remote minor to use the identifier.
7e
5 hours ago
Trusted computing fixes this up to the analog hole. Which is as much as you can expect.
lukan
21 minutes ago
We are talking about porn here. And the internet will be always full of it - and that can only be prevented by controlling all of it, or have each state have a golden firewall.
All of these solutions seem very complicated, for little benefit. So a anonymous age verification scheme, fine with me. But making it more complicatdd, because dark entities could capture and resell tokens .. seems a step in the direction of madness.
hacker_homie
7 hours ago
I thought a solution to this would be to use a physical smartcard to store the certificate(perhaps on your government ID). if the protocol is a challenge/response and the private key never leaves the card it would make proxying without the physical card more difficult.
wolvoleo
6 hours ago
Yeah great idea, having to get out your government ID every time you want to use a website.
prmoustache
an hour ago
A certificate could be anonymous and the website would only need to verify it against the born_before_2008_root_cert in 2026. You could issue has many certs as you want and all would have a validity of 1 year so that websites only have to install at the maximum 2 root certs.
faeyanpiraat
an hour ago
The “2008” part hit me hard
pastel8739
6 hours ago
If the smart cards required some human input to perform a signature maybe this could work. Otherwise there is nothing stopping someone from selling use of their card via some proxy software
ruszki
2 hours ago
Is this type of problem even solvable?
7e
5 hours ago
Trusted computing solves this problem handily.
AnthonyMouse
6 hours ago
> but if a minor is caught using someone's credential, then the person whose credential they are using can be investigated, and, if necessary, charged with a crime roughly equivalent to providing alcohol to a minor. Without the possibility of real world enforcement, none of these identity solutions can possibly work.
They don't work even then.
Suppose you completely eliminate privacy on the internet and require every domestic site to collect the name and social security number of everyone who visits. Then a child uses an adult's ID, regardless of whether it's with or without their knowledge. Is the child going to inform on themselves? No. Is the adult, when they don't even know about it? No. Is the adult, when they provided it on purpose? No.
That constitutes the entire set of people who would typically know that the person using the device isn't the person on the ID.
On top of that, we can punch an even bigger hole in it. Search engines, among other things, index other sites. Google is obviously the biggest but there are many others -- Bing, Marginalia, Brave, Swisscows, Yandex, Perplexity, Baidu, etc. They're run by adults and most of their users are adults, who reasonably expect to be able to turn off "safe search" if they want to. So some adult at each search engine would have to provide their ID to the crawler so it can index things inappropriate for children and show them to adult users. It would therefore be a fairly unremarkable and recurring thing to see the same ID make a zillion gigatons of requests.
But then you can't use "why is this person downloading 100 things from 100 computers at once" as an indication of anything nefarious happening, and anyone can still set up a service hosted on a foreign server that will serve adult content to anyone without an ID by serving it out of a cache. (And in the case where you're invading everyone's privacy, that service would also be very popular with adults.)
ian_holt
15 minutes ago
the article also mentions; <But the government puts much of the onus on social media platforms to ensure users understand the verification process and on users to read up to make sure they aren’t being scammed.>
Unfortunately, the said-government doesn't seem to worry about the fact that their own systems have been breached over the years
ajsnigrutin
7 hours ago
> The highest friction version of this is that the credential ties to a real world identity somehow; maybe locked behind legal barriers, etc., but if a minor is caught using someone's credential, then the person whose credential they are using can be investigated, and, if necessary, charged with a crime roughly equivalent to providing alcohol to a minor. Without the possibility of real world enforcement, none of these identity solutions can possibly work.
Buying alcohol for a minor implies knowledge and intent.
Getting the tokens out of a phone doesn't require the user to do any of that, the user just has to be frugal and keep the phone longer than it's supported by the manufacturer, until some local exploit is found again, and that token will be extracted and available online for everyone to use.
Parents buy those phones, phones could easily have a "user is a minor" setting (and a flag sent to all the sites that want one) with a password for parents to unlock stuff if needed. This would be set during the phones first set up, and it's done. But nope, the plan is for everyone to install a form if a digital ID on their phones, and once it's there, requiring full-name identification when registering is just one step away.
what
7 hours ago
Why can’t you just sell single use codes at gas stations/liquor stores/etc and they just check your ID before sale? Of course shady places can still sell them without ID check, but we have this problem already for liquor and tobacco.
johnc1
9 hours ago
There is a much easier solution that already exists - parental controls on children's devices. I honestly don't understand why is it not solving the problem?
Yes, parents are responsible to set this up. But parents are also responsible to lock their alcohol, drugs or guns, condoms, etc., and many other things.
Perhaps parental controls are not good enough? That's where the regulation could genuinely help - require child-certified devices to implement minimum set of parental controls, and make them easy to use.
kaashif
9 hours ago
That's not the problem governments are solving. They're solving the problem of convincing the public it's a good idea to end the anonymity of internet use.
johnc1
9 hours ago
I know! What puzzles me is responses every such article gets even on HN - let's build some cool tech that 95% of the general population and 100% of politicians won't even understand not to mention agree to.
Yes, government want to end anonymity and that's clear to some. But governments enjoy on a pretty broad support for this and many people supporting this believe it's a real problem. Suggesting to leave it unsolved or solve it in a way they can't trust or understand is only going to alienate them, making the government job easier.
I think suggesting a simple, cheap and effective solution to this problem that has no impact on privacy is a way better way to counter that. I think local parental controls fits the bill.
pessimizer
7 hours ago
> But governments enjoy on a pretty broad support for this
No they do not. They do an enormous amount of PR trying to convince people that they have it, though.
In the real world when there is a ton of support behind a position, you see representatives of it all over the place and they are pushing the agenda and the coverage. In the world of online age verification, you just see a bunch of lame duck politicians using procedure to sneak policy changes in and keep objections from being heard, and a few government contractor-surrogates writing op-eds (that they haven't read.)
When puritans go on the march, they're actually pretty loud. Most of the anti-social media people are hippy-dippy upper-middle class liberals who curse "screens," completely believed Cambridge Analytica's PR and think that Trump rules through mind control - who will be bothered by the end of anonymity; and the remainder are angry online right-wingers who think that they were censored by and as a result of social media. They're not marching together, they're not marching to have people identified when they're using the internet, neither of them are even prioritizing social media right now and they aren't putting pressure on anyone.
The fact that it's so unpopular is why there are lame ducks doing it. They're just assuring their fortunes on the way out, and the person on the way in will pretend like they had nothing to do with it even though it will be will be passed and implemented on their watch.
intended
2 hours ago
The bills are being raised and passing in more countries than just America though.
subscribed
8 hours ago
People on average aren't very smart and will happily support programs objectively harmful to them and everyone else because the government and a nice lady from the breakfast TV says it's necessary to think of someone's else's children watching porn (this soundbite is gross. I don't understand how it's okay for the serious people to repeat it).
pmg101
an hour ago
Of course it's accurate to say a lot of people aren't smart.
A lot of people also may or may not be smart but have limited knowledge of this area and limited time/effort to expend thinking about it.
I don't think you should rail against those things because they will always be true for every topic.
Instead, people who have understood the deeper implications of this, for instance the typical HN reader, need to connect with the average person, engage with rather than dismiss their child protection fears, while explaining the downsides.
Taking a high handed dismissive attitude will not help to shift public opinion.
subscribed
13 minutes ago
But I'm expressing my opinion on HN, not for the general public?
I thought that stating this, I believe, fact as a contributing factor in the creeping authoritarian climate would be understood without having to attach a handful of caveats and papers?
(you're contradicting yourself)
hdgvhicv
an hour ago
Once again blaming the tv which barely anyone watches rather than the algorithmic feed in their pocket 24 hours a day.
It’s not 1980 any more.
subscribed
17 minutes ago
Naah, "nice lady from the breakfast TV" is mostly[1] an allegory of the traditional media narrative, but you can't seriously deny the impact and importance of it?
If you deny for example Murdoch-owned media impact on the society, or the extent of the damage for example BBC did in the UK to the human rights or the discourse, I'd suggest reading more :)
[1] one TV programme I remember (I don't watch it): "Good Morning Britain is the UK's most talked about breakfast television show with a weekly audience reach of 4 million people." that's 10% of the age group 16-64 here, not too shabby-- and that's ONE tv.
BoobertScoobert
8 hours ago
That's why they are still appealing to sentiment rather than established research (which actively refutes the arguments they are making).
refurb
8 hours ago
Precisely. The people in power would love nothing more than to stop “disinformation” (facts that cause social unrest).
wolvoleo
6 hours ago
Yeah. Didn't you find your dad's dirty VHS tapes when you were young? I'm sure most of us did. And we turned out fine.
And no, porn isn't more extreme these days either. I remember seeing bukkake, golden showers etc on borrowed tapes and hacked pay TV. BDSM existed back then too. And I had some pics of a girls face surrounded by male members and their output. Never once did I think this would be a normal thing to do with my girlfriend once I got one.
And these things are still gonna happen. Teens are going to go through their dad's phone when he's sleeping, find his stack of Blu-ray's or vids on this computer. Even with all this age verification stuff. I don't understand why we suddenly think that's the end of civilization.
rapidaneurism
an hour ago
There is a bootlegger and baptist thing going on here. One understandable point of view is that of parents that control their kids' phones, but other parents in the community do not. Then their kids are the only ones in the class without tiktok or Instagram or something.
For those parents life is easier if nobody is allowed on these things.
prmoustache
an hour ago
I think their point is to protect kids who have parents so tech illiterate they do not know how to manage parental controls.
Having seen some parents I kind of believe it but not to the point of wanting to implement ID tracking on everything.
hdgvhicv
an hour ago
Have decent defaults. “Is this phone for a child” and “scan this wr from parents phone”. 90% of problems solved.
That said while Apple does a good job at parental controls, Microsoft is altered. Trying to have controls on Minecraft across a windows laptop and a switch involved a multi hour odyssey, creating tons of accounts for parent and child.
f6v
an hour ago
You've got to be really on the margin of society to not be able to set it up when every grandma and her dog use smartphones. There're about 1000 different ways to improve the lives of such people without making everyone use their government ID when scrolling Instagram.
kerridge0
3 hours ago
I was thinking that some kind of permanent physical attachment with passive electronics could be given to children, like an ankle bracelet used for home curfew, monkey's headband, a dogs shock collar, or just a nice bracelet, call it MoB, which couldn't be removed until they are of age. Devices they are given could be associated with those devices and not usable without them, if they disappear from passive scanning then they have been tin-foiled, etc etc. I've not seen any discussion of this type of approach which gives children something to aim for - freedom, and tallies with human historical culture as well.
schneehertz
44 minutes ago
My God, what a horrific and evil idea
Morromist
8 hours ago
I don't understand why the act of buying internet access isn't considered a parental control. I doubt very many kids are doing it or can.
Ok, but parents buy internet access and then let their kids use it, because the kids need it for school. So? The parents job is to keep their kids out of trouble. Learning how to keep track of what their kids access shouldn't be difficult, and maybe should be part of the obligation parents have, kind of like their obligated to teach their kids to drive before giving them the keys to a car. Its analogious to saying "kids shouldn't walk home from school or be let out of the house at all because they might wander into a nude beach or join a drug smuggling satanic cult". Most of us don't hold that view because we trust that kids can be taught to be vaguely responsible.
What's more: tools to shield the kids have been around for longer than most of the parents have been alive at this point. The problem is pretty much solved in multiple ways, and wouldn't even be a problem if parents only followed their basic responsiblities. Also it isn't a problem in the first place, I haven't seen any clear, undisputed evidence that shows that kids are degenerating into fiends because of looking at adult stuff on the internet.
fc417fc802
7 hours ago
> The parents job is to keep their kids out of trouble. Learning how to keep track of what their kids access shouldn't be difficult
Unfortunately it is, but we could fix that with only minimally invasive legislation. Right now you either whitelist which breaks half the internet on a recurring basis (things are constantly changing) or you blacklist which is swiss cheese. Either way you're relying on third parties.
I think it would be much better to legally mandate a certain minimum level of self classification for website operators along with a simple and extensible scheme for communicating such. It might also be useful to mandate that devices ship from the OEM with parental control software supporting that standard but honestly I doubt that's necessary - if their were a standardized and above all reliable signal available I think browsers and operating systems would rapidly adopt support for it.
johnc1
5 hours ago
Exactly! We already have content tags on TV/Movies, just extend it to the web and make mandatory.
I imagine it could be not trivial to enforce (esp. for offshore web) - but definitely easier than enforcing the same sites to implement much more complicated identity verification (while preferably also not leaking this data).
But that might not even be necessary. A small on-device AI can probably do a decent job classifying pretty much everything we don't want children to see - with and option for parents to override it when needed.
mindslight
2 hours ago
> I imagine it could be not trivial to enforce (esp. for offshore web)
It's quite trivial, actually - the parental control software is designed so that if there are no content tags, then the site does not display. The mandate for websites to tag their content would only need to apply to websites over a certain size, to bootstrap the network effects.
fc417fc802
an hour ago
The other option is for the major browsers to refuse to load pages that don't include the tag. I don't think it's a good thing that they can unilaterally dictate web standards but that's the reality so might as well take advantage of it for the better I guess.
mikestorrent
8 hours ago
The problem with this idea is that it assumes responsible parents, which are not a given. I agree with you completely - I don't want any kind of controls on the Internet - but we live in a world where we cannot actually rely on parents to fulfill what you would consider to be basic and reasonable expectations of parental duties.
DennisP
8 hours ago
For kids with parents like that, the internet is probably the least of their problems.
mikestorrent
2 hours ago
Exactly. Might be the only place they have a semblance of home.
fc417fc802
7 hours ago
They certainly have other problems however the internet is unique in that it drops the entire world directly in your living room. Even with irresponsible parents zoning laws keep most children away from things like casinos and strip clubs (at least until they can drive) and everyone benefits from community efforts to keep the neighborhood safe.
lemming
an hour ago
...parents are also responsible to lock their alcohol, drugs or guns...
No they're not - all those things are illegal for children nearly everywhere.
confidantlake
an hour ago
Why would you want to lock condoms?
ufocia
3 hours ago
Children can buy their own devices. School issued devices are not under parent control. Parental controls and school controls are laughable. There is no incentive for OS vendors/retailers to provide robust solutions to this problem. PII industry is essentially pushing regulatory capture.
_heimdall
9 hours ago
I wouldn't trust governments, today or in the future, to keep such a system private and I don't see a foolproof way of building some kind of audit mechanism into it to make sure the data is always truely private.
I've also always been curious how a truely anonymous identity verification could possibly work. At best for age verification, I could be given some kind of token that would still have to verify my age and be verifiable with a central authority to ensure my token is valid. The central authority could always keeper records of my token, revoke it whenever they please, and every entity that can verify the age associated with, or embedded into, the token knows at least some of my PII.
vkou
9 hours ago
> I've also always been curious how a truely anonymous identity verification could possibly work.
You go to a store. You show the clerk your id and give him a quarter. The clerk pulls a scratch-off ticket from the front of a ticket tape. The ticket contains a token identifier.
It's anonymous. The clerk or his POS system knows your name and age, but doesn't know your number. The vendor providing the tape doesn't know your number or your name. The system accepting the token knows your number, but doesn't know your name. The token is only valid for a day after use, so loss and transfer isn't much of an issue.
It's the exact same process by which you buy lottery tickets in a world where they don't need to verify your identity when you redeem them. The lottery has no idea who bought a particular ticket, only that a ticket was bought. The clerk knows you bought a ticket, but doesn't know which ticket.
Obviously, Eavesdropping Eve looking over your shoulder knows both your name and your ticket number, but that's not a practical attack.
Aurornis
9 hours ago
> It's anonymous. The clerk or his POS system knows your name and age, but doesn't know your number. The vendor providing the tape doesn't know your number or your name.
Where does this 3rd party identity token provider come from?
For government-issued identity tokens, there are not separate parties. It's just the government, and they can choose to link whatever they want in their internal system if they decide it's in the interests of national security.
You're also forgetting that lottery tickets are tracked. This is how they can announce which store sold the winning ticket before anyone steps forward with it. It would be trivial to match a buyer to the ticket if they wanted to inspect the records. In the case of a government identity token service, there isn't even a separation of parties providing the records. They do it all and can have all the data.
vkou
9 hours ago
> Where does this 3rd party identity token provider come from?
Some oracle whose job it is to print tokens and hand out rolls to the stores (and to the websystems). They would know which store got which roll, and which website authenticated it, but not who each ticket from that roll went to.
With a big enough roll, this is essentially anonymous.
Yes, lotteries know which store got the winning ticket, but they have no idea which of the patrons in the store got it. Not unless they ask Eve to get her telescopic lens and notepad out.
Aurornis
9 hours ago
I'm talking about identity token services.
You're saying the real solution is that we bring in a private, 3rd-party company to start checking our IDs to access websites now?
what
6 hours ago
It’s millions of third party companies checking ids. Anywhere that sells alcohol or tobacco could do it.
vkou
8 hours ago
I was asked if this problem can be solved in an anonymous manner. I gave a solution that is pretty anonymous and fairly cheap.
I am not actually advocating for it. I'm just saying how it's possible to solve it given those constraints.
simoncion
8 hours ago
> It's anonymous. The clerk or his POS system knows your name and age, but doesn't know your number.
What prevents a commercial "AI" security camera analysis firm from doing a decent job of linking footage of a store's customers to a likely subset of tokens, based on the knowledge of which tokens are sent to which store and how many tokens have been pulled off of the roll so far? Remember that you can design the token roll packaging so the easiest thing for a clerk to do is to pull off the rolls in the order in which they were shipped. Or -hell- you can design the token dispenser so that it phones home to the oracle that sent the roll to the store with the range of tokens in the roll when the roll is loaded into the dispenser (for "security purposes").
> It's the exact same process by which you buy lottery tickets in a world where they don't need to verify your identity when you redeem them.
I've seen many people buy lotto tickets. I've never seen anyone asked for ID. Perhaps the merchant is supposed to check for ID, but they don't. Relatedly:
> The clerk pulls a scratch-off ticket from the front of a ticket tape. The ticket contains a token identifier.
What prevents rolls of those tickets from falling off of a truck and either being handed out for free or at a substantial markup, no questions asked? [0]
In the real world, the system you propose absolutely will not function to the standards required by the people agitating for these systems. You can't "protect the children" if "children" can easily get their hands on anonymous access-granting tokens.
[0] The fact that this doesn't happen with lotto tickets often enough to be newsworthy is not a compelling counterexample. Stores make a decent amount of money selling those, and wouldn't want to get cut off from that revenue source by regularly "losing" shipments of tickets. What you propose doesn't make stores any money, so either you have to spend a bunch of money to induce them to carry the tokens [1], or you have to have harsh penalties for "losing" shipments of tokens. If you risk harsh penalties for choosing to sell the tokens, why even bother? Stores put up with the risk of selling booze because it's quite profitable... selling 5c or 0c tokens absolutely is not.
[1] Where does that money come from? From you and me, of course!
aspenmayer
8 hours ago
I’ve worked in the industry, so just adding some extra info, as I agree with you that the ticket system is not really less tracked than other systems, just differently tracked:
Lottery tickets don’t “fall off of trucks” or get “lost in the mail” because they aren’t valid for redemption until they’re activated at the POS terminal of a licensed store, and the lottery company knows which store receives each ticket roll, because they are shipped to known locations with tracking numbers and delivery verification and/or delivered in person by lottery employees. Even the rolls of blank lottery ticket receipt paper have different serial numbers every few inches, and it’s forbidden by policy to swap receipt paper between stores. All of these things are audited both regularly and randomly by state lottery officials.
simoncion
3 hours ago
> Lottery tickets don’t “fall off of trucks” or get “lost in the mail” because...
Oh yeah, true. A few minutes after I posted the comment, it occurred to me that lotto tickets always get scanned at the register, which is the obvious way to track their distribution and make it annoying to use a whole bunch of winning ones that fell off of a truck. Thanks for the first-hand industry info.
If it's effective, all that tracking and auditing can't be cheap. The lotto gets to pay for it with ticket sales... I don't expect folks would tolerate paying for that [0] for this "I'm an adult" token-distribution system.
[0] ...whether that payment is paid by the token purchaser or by the taxpayers, generally...
aspenmayer
2 hours ago
The scan at the time of purchase is just for tracking what the store owes to the state for the lottery system. The last ticket in each roll of tickets is scanned by the dedicated lottery terminal prior to being placed for sale in an admin mode activation function. The terminals themselves I am familiar with are Linux-based and seem to be thin clients which do everything remotely in real-time, because nothing works if the terminal is offline, from activation to redemption of tickets to win/loss checking. The terminal has its own dedicated wired Ethernet connection to a stand-alone Cradlepoint or other competitor brand cellular modem/router, which along with the terminal is all outsourced to a third party management company. (SGI is the only one I’m familiar with; there are likely others.) All of this is public info which could be gleaned from observing the terminals and their installation/operation, but I probably can’t say much more about them, but they are pretty neat and seem to work fairly reliably.
Now that you mention the auditing etc, a lottery system would probably be an easy way to get people to literally buy into an online ID scheme, not because it would necessarily be privacy-preserving, which would depend on implementation details, but because a not insignificant number of folks seem to like the chance to win money. Considering many states already have lottery systems, the ID code tickets could probably be provided alongside lottery tickets for free or nearly free, and employees already have the training to check/scan IDs. If there was an incentive such as the possibility to get discounts, win prizes, or tie-in purchases of some kind, I think it could work.
Many stores that sell lottery tickets also sell gift cards, so that technology could also be used instead or in addition to ID tokens at the point of sale. There are a lot of sponsorship opportunities available for cross-promotion.
“Please drink a verification can” was probably more prescient than was at first apparent. Mike Judge saw this whole thing coming from a mile away.
vkou
5 hours ago
You can also just follow people around and look in their windows. Nothing prevents that other than laws and rules and social norms.
> In the real world, the system you propose absolutely will not function to the standards required by the people agitating for these systems. You can't "protect the children" if "children" can easily get their hands on anonymous access-granting tokens.
What stops children from paying someone to buy beer and cigs for them? What's the difference between age-controlled liquor and an age-controlled token falling off the back of a truck?
You can introduce as many soft-verification systems as you want to tweak this. The roll of numbers doesn't become active unless installed in a dispenser that phones home when it is installed, for example. The empty bobbins containing the roll have to be returned to the oracle, and need to register installation in a dispenser. The dispenser can even count each dispensed ticket. The only requirement is that the sale and the process of paying for the sale isn't linked to the ticket. If you maintain that, the system is anonymous. If you break it, it's not.
simoncion
3 hours ago
> What stops children from paying someone to buy beer and cigs for them?
I preempted this line of questioning. I'll quote the section for you:
What you propose doesn't make stores any money, so either you have to spend a bunch of money to induce them to carry the tokens [1], or you have to have harsh penalties for "losing" shipments of tokens. If you risk harsh penalties for choosing to sell the tokens, why even bother? Stores put up with the risk of selling booze because it's *quite* profitable... selling 5c or 0c tokens absolutely is not.
[1] Where does that money come from? From you and me, of course!
> The only requirement is that the sale and the process of paying for the sale isn't linked to the ticket.
Unless you make it turbo-illegal to link those pieces of information (even weakly), then those two pieces of information will be linked lickety-split. As aspenmaver mentions, lotto tickets are activated at time of sale by phoning home to -I assume- the issuer of the ticket, providing a ready-made mechanism to correlate which tickets are sold to which person. When the people who are crying to protect the under-eighteen from the "evils" of computing notice that under-eighteens are -shock! outrage!- still exposed to that "evil" despite this token-distribution scheme, they will demand any such laws be weakened or eliminated.
[0] ...or fail to strictly follow all of the regs when giving one to a "Token Commission" officer doing an undercover buy, as absolutely happens with alcohol sales...
mindslight
3 hours ago
You go to the store. You give the clerk many quarters, and get the maximum number of tickets. You go online and sell the lot, perhaps for $20. Since the system preserves privacy, doing this carries no risk for you.
Eventually this becomes common knowledge and "something must be done". Facebook (the corpo sponsoring these age verification laws to absolve their own liability) and their ilk decide that the token system no longer meaningfully proves age. They switch to demanding full government ID in cleartext, as there is still no comprehensive privacy law that would prevent such a thing.
Every single approach that puts the onus on the company to verify age falls apart this way, possibly including a de facto mandate for remote attestation (ie say good bye to libre operating systems and browsers that aren't MSIE, Safari, or Chrome). The only workable systems are ones in which the onus remains on parents giving their kids networked computing devices to enable parental controls and/or otherwise monitor their kids' usage, with those parental controls based on information flowing strictly from the website to the user agent (eg a content tag that asserts "this page is suitable for kids").
(and I say this as a parent who is staring down having to deal with this problem in a short year or two)
aspenmayer
8 hours ago
> It's the exact same process by which you buy lottery tickets in a world where they don't need to verify your identity when you redeem them.
I’ve sold lottery tickets, and you have to be legal age to both buy and redeem them, so I’m not sure that this analogy or hypothetical solution is comparable to lottery tickets, nor is it likely to be the panacea you think it is.
I don’t think that the nascent online age verification schemes are good for society in general, either, but that’s not really the point you were making in your comment, so I don’t assume that you believe they’re good or bad, but simply advocating for a more privacy-preserving implementation. Which is kind of the whole point of the argument against bad implementations, but those who mandate and implement the systems likely view uniquely identifying people as a boon, whereas you and I probably don’t, which is why I am not hopeful that your ticket system will be used, because it will be higher friction for more people than uploading scans of their IDs and/or their face.
The ticket system, if implemented, would be used by so few people that the folks who do could likely be re-identified by Bluetooth tracking beacons and facial recognition in the same stores which they bought the ID tickets you suggest, and so I think the number of people who would escape tracking by any such means to be so few as to be a rounding error.
Those folks who do pursue this privacy hobby/fetish are statistically likely to ultimately mess up on their opsec eventually on a long enough timeline, so it’s hard to even imagine a scenario in which it matters either way what individual privacy activists do or don’t do from the point of view of the panopticon designers or implementers. Those not identified to a desired confidence interval by the mass surveillance system will just be retargeted for more sophisticated surveillance measures.
Despite how we rage, we’re still just rats in a cage.
More and more, the privacy debate feels like a quixotic struggle against giants, when everyone already knows that those giants are actually windmills; the majority of society now lives on reclaimed lands which rely on those windmills’ continued existence, and so no one cares about privacy in the way that you or I might care, because they are incapable of perceiving windmills as giants, nor do they have the intellectual or philosophical or political beliefs which would allow them to even entertain such perceptions even for the purposes of discussion. The privacy debate is beyond their ken.
gruez
10 hours ago
>Modern versions of this technique allow one to associate metadata (like a proof of age exceeding a threshold) in such a way that the verifier can't even correlate repeated requests across users.
If it's unlinkable, what's preventing someone from setting up a site that hands out anonymous tokens for anyone to use?
discodachshund
10 hours ago
Using cryptographic signatures from approved signers, like a government
gruez
10 hours ago
No, I'm meant me, using my 18+ ID to generate a bunch of tokens that can't be linked back to me, and then giving it to random < 18 year olds for the lulz.
quotemstr
9 hours ago
There are multiple approaches. One, which the Europeans use, hardware-locks the token. Each age attestation is unlinkable, but the cryptographic credentials you need to make the attestation aren't portable. Of course, this model requires a big statist apparatus that does implementation certification, but it does achieve the narrow goal of unlinkable, privacy-preserving age attestation that doesn't instantly decay to mass copying.
Other approaches are possible. I'm particularly keen on ones that treat attestations as anonymous digital currency and use cryptographic penalties like slashing to discourage copying post-hoc instead of relying on EU-style implementation certification.
There's a huge literature on the subject I don't want to reproduce here. The point is that yes, we do have the technology to do attestation without sacrificing privacy, which makes all the calls for non-privacy-preserving attestation awfully curious.
Terr_
9 hours ago
> as anonymous digital currency and use cryptographic penalties like slashing
Or make it so that tokens cannot be tested except by spending/burning them, which would significantly reduce (but not eliminate) a black market because it would be hard for any buyers to trust any sellers.
The best outcome here is going to rest on getting people to agree that "good enough" is the best outcome. We want a system that gets the broad social results (e.g. less brain-rot in the kids) without being so impossibly strict and overbuilt that it leads to an even-worse problem (e.g. authoritarian hellhole tools.)
Aurornis
9 hours ago
> One, which the Europeans use, hardware-locks the token.
I'm surprised anyone considers this viable.
It would limit access to those sites to a limited set of acceptable devices and operating systems.
I couldn't use my laptop, desktop, or a jailbroken phone.
Magnusmaster
6 hours ago
Exactly. And the funny thing is that the EU Age Verification App seems to be vulnerable to relay attacks anyway.
jszymborski
9 hours ago
I'm not familiar with this, but what your describing sounds similar to the hardware DRM keys used for protecting 4K streams from being downloaded from Netflix.
If so, this stuff is already broken, and imagine it would be pretty simple to apply the same principles here.
I'm probably wrong on this though I'm out of my depth
paulddraper
9 hours ago
The verification service would tie the token to the IP address/geolocation. It would also throttle the number of identifications, or expire old ones.
Yes, that can eventually be worked around, but not really that different than doing the verification today on someone else's device.
Aurornis
9 hours ago
> The verification service would tie the token to the IP address
So I'm constantly grabbing new tokens from the government every time I go from work WiFi to my cellular internet to the train WiFi and then home?
Sounds like a fantastic point for capturing more tracking data.
> /geolocation.
Which means I have to send my geolocation data to apps to confirm I can use my token?
Don't want that either.
> It would also throttle the number of identifications,
And if I move around too much in one day or change networks too often, I'm unable to log into anything until tomorrow?
paulddraper
an hour ago
> Which means I have to send my geolocation data to apps to confirm I can use my token?
No, you don't need to send it there.
Nursie
6 hours ago
> So I'm constantly grabbing new tokens from the government every time ...
Every time you set up an account, would generally be the idea. So relatively infrequently.
gruez
9 hours ago
>The verification service would tie the token to the IP address/geolocation
"Use this exact tor/vpn server"
>It would also throttle the number of identifications
So I can only wank off 5 times a day, or grant access to porn sites for 5 kids?
worble
9 hours ago
What's to stop you, using your 18+ ID from buying crates of alcohol and giving it to random < 18 year olds for the lulz?
Aurornis
9 hours ago
Because those <18 year olds will immediately flip and identify you to the cops to try to lighten their punishment.
The anonymous crypto token scheme does not have any trace-back mechanism like this at all. If there's no way to track those tokens back to you, why not sell them for $1 each on the internet to make some extra money?
gruez
9 hours ago
For one, I have to do it in meatspace so it's easily traced back to me, whereas anonymous tokens can't be traced back to me by design.
laughing_man
5 hours ago
The minute this scheme went into place, there would be sites based in one of the "stans" selling tokens for a couple bucks to whomever wanted to buy.
Retr0id
7 hours ago
Yes, this breaks the whole scheme. Anyone promoting it as a solution is delusional. There's a triangle of "robust", "private", and "practical" and you can only pick two. This one omits robust. The various mitigations people might suggest in response will have to sacrifice one of the other dimensions.
nemomarx
10 hours ago
As you say, it's doubtful governments want it to be private. So we should expect them to not use these kind of elegant solutions, and the public is generally not sophisticated enough to distinguish between the options already.
andai
9 hours ago
In what direction do the incentives point?
nemomarx
9 hours ago
There's two strong incentives - deanonymization for law enforcement is pretty useful so that's one. You want to make it easier to subpoena information about posters for various reasons, access to stores on different dates etc. Lots of reasons for that.
And you want to satisfy voters who are worried about children online or have heard scary things about anonymous criminals. You want to be seen to do something about those.
A distant third is that you want the system to be cheap and built up fast and relatively easy so voters don't complain about it.
All together this leads you to something like "any time a site needs to verify your age (based on this broad list of requirements) put in your government ID number / picture". The infrastructure already exists for that, banks need it, social media needs it, and the current president has agitated for it a few times now. If you're really aiming high you set up some digital ID attached to it that's easier for the users.
laughing_man
5 hours ago
>There's two strong incentives - deanonymization for law enforcement is pretty useful so that's one.
When you say it like that it sounds less scary than "deanoymization so the government can track down people saying things it doesn't like." Let's not forget the UK has more people in jail for things they said on the internet than Russia and China put together.
nemomarx
5 hours ago
Yeah the wording is a little broad, but the UK would call that law enforcement too.
Depends on your state and laws and you can look around at how that's going - maybe you'll have brought a first aid kit to the wrong event or helped print some zines and they want to check up on you now.
intended
2 hours ago
God, that sentence didn’t pass the sniff test, so I checked:
https://pa.media/blogs/fact-check/fact-check-international-d...
Don’t think that the claim stands up to scrutiny, since its comparing unlike things.
laughing_man
2 hours ago
Reading your link, "comparing unlike things" looks like spin to me. "It's different when we do it."
Geezus_42
9 hours ago
For who?
onetimeusename
9 hours ago
I don't think they are serious about privacy and even if they were I don't even want to distinguish between "children" and "adults" on the internet. Things seem to have worked fine up to this point, there doesn't appear to be a public demand for age verification, rather some murky corporations/NGOs/agencies pushing for this. I think it's pretty clear there is some other intention besides protecting children that is the goal here.
skybrian
8 hours ago
We should only need to distinguish devices with parental controls turned on from other devices, and rely on parents to set up the devices accordingly.
kaurimu
7 hours ago
By some stroke of luck, the NZ government recently put into place a robust privacy-preserving framework for digital identity [1].
They just launched the GOVT.NZ [2] app, and it contains a wallet that can store digital credentials. It's built by a local company called MATTR [3], who specialise in trust technology and exotic cryptography like zero-knowledge proofs. The first credential available this year will be a mobile drivers license, and we'll then be able to prove things about ourselves like whether or not we're over 18 (according to an accredited institution), completely privately over the internet and without sharing any other information.
I'm cautiously optimistic about the direction our digital ecosystem is heading in NZ :')
[1] https://www.publicservice.govt.nz/about-the-commission/gover...
[2] https://www.digital.govt.nz/digital-government/key-areas-of-...
rockskon
9 hours ago
Zero Knowledge Proofs are worthless for this.
Either they validate so little information that a single homeless person can authenticate the entire country or they validate so much information as to not have a significant privacy guarantee.
There is no in-between for ZKP validating someone's age.
teravor
9 hours ago
worthless is too strong.
the truth is that the two extremes you listed can be titrated.
if you use nullifiers you can trade some privacy for some security. basically you convert your true identity into a private token which you can use to authenticate aspects of yourself, the price being that the token can be tracked with some effort across services. better than just using your identity at least. if a token/nullifier is abused it can be revoked and then you have to jump through a bunch of hoops to get another.
there are some other trade offs that can be made.
rockskon
9 hours ago
Okay - so you verify age and what else?
What combination of details can you validate on that is meaningfully privacy-preserving and couldn't result in wide-spread re-use of tokens?
Additionally - what would prevent some kids from getting a homeless man in the city to hand them his ID, get a facial scan, and everything else you can think of to generate a token and then pass that token around?
ZKP are a cryptography-nerd's joy but are are categorically unsuitable for the purpose of age verification. I stand by this without the slightest reservation.
teravor
9 hours ago
the same thing that prevents them from doing reuse right now: platform detection mechanisms. the difference is that right now the identity of the subject is known whereas with ZKP (nullifier approach) only the dirty token is known and where that token was used.
rockskon
9 hours ago
So....what exactly would platform detection mechanisms be basing their decisions off of that wouldn't defeat the entire privacy-preserving premise of ZKP?
teravor
9 hours ago
multiple use of the same token on multiple accounts...?
tying multiple accounts and services together isn't ideal but its inarguably better than tying your real world identity to every single service.
rockskon
9 hours ago
Wait - so you're advocating for use of a persistent identifier tied to a person? How is that any different than what advertising networks do right now beyond giving them additional guaranteed information of your age bracket?
To clarify - it's not cryptographically necessary to present the same token for each and every transaction and serves to categorically defeat the entire privacy guarantee of ZKP.
It also makes it trivial to associate your ZKP token with your real identity.
teravor
8 hours ago
> use of a persistent identifier
> tied to a person
contrast this with the situation as it currently is (under ideal assumptions) where a central authority verifies your real identity and issues temporary rate limited tokens which are then saved by each service and can at any time be linked to you whenever the central authority can get the service to disclose the database entry. the nullifier will force the central authority to do an investigation about who the nullifier actually belongs to which may actually fail.
realistically I expect VPNs and Tor to just become more popular in response to such nonsense. I wouldn't be using government issued tokens for anything that isn't trivial to tie to your identity already: such as a personal bank access.
rockskon
8 hours ago
> at the terminus, yes. there is no other way to avoid the homeless problem you listed. by terminus I am referring to where a central authority vouches for unforgability. this does not mean advertisers will have a token they can use (see remote attestation infrastructure).
Where to even begin here....
To generate the token, it needs to be based on specific data. How do you prevent people from generating tokens based on fake data and submitting that to the "terminus" that you mention? We already have cases of people bypassing facial scan liveliness checks for banks using AI-generated footage.
What about validating tokens during the token enrollment process based on your government ID? Though that makes sure that poor or undereducated people who don't have such an ID are locked out of large swaths of Internet services.
Though there's also the matter of it being trivial to generate fake IDs using AI.
If you have no gatekeeping for the token enrollment process, anyone can submit an arbitrary number of new tokens.
And if you do have gatekeeping, you're right back to square one of needing to validate against more than just your age.
After all - the cryptography algorithms will be publicly known. If the only thing ZKP is validating against is age, it won't take long to figure out how to generate identifiers based on fabricated information.
> whether or not the terminus can tie a token to a real world identity will depend on how careless the user was and how much collusion there is between the terminus and the services. at the very least it will impose an investigation cost.
No it won't. A user submits a token to a server. The user also logs in with their e-mail address or phone number. Their email and/or phone number is hashed and it, along with the ZKP token and any additional information the website has on you, will be sent to data brokers.
This is the same as any other bit of information out there that data brokers collect on the internet. They just associate your new info with other info you are required to provide in order to use various services.
This will be automated and will cost next to nothing for data brokers to take advantage of.
> contrast this with the situation as it currently is (under ideal assumptions) where a central authority verifies your real identity and issues temporary rate limited tokens which are then saved by each service and can at any time be linked to you whenever the central authority can get the service to disclose the database entry. the nullifier will force the central authority to do an investigation about who the nullifier actually belongs to which may actually fail.
....what? What investigation by central authorities? You are talking of a system that would constantly mediate permissions for billions upon billions upon billions of devices across dozens of services and accounts per device.
You couldn't hire an army of people large enough to handle this and AI is infamously awful at detecting when a given image has been generated with AI.
> realistically I expect VPNs and Tor to just become more popular in response to such nonsense. I wouldn't be using government issued tokens for anything that isn't trivial to tie to your identity already: such as a personal bank access.
Their popularity would only rise in order to VPN into jurisdictions that don't enforce this. Assuming major websites don't just mandate age/identity verification for all new users regardless of jurisdiction just because it's easier and cheaper to apply one system to everyone.
Look - I know you mean well, but it is clear from this discussion you aren't familiar with cryptography, system security guarantees, Internet infrastructure scaling, or what would be needed to introduce new descriptive information about a person on the Internet and not have it become a new privacy risk.
This is an issue that has no tech-only solution. The specifics aren't just something to just figure out at a later date - the specifics are everything. And it's something that is enormously difficult to get right and extremely easy to get very, very wrong.
teravor
7 hours ago
> Look - I know you mean well, but it is clear from this discussion you aren't familiar with cryptography, system security guarantees, Internet infrastructure scaling, or what would be needed to introduce new descriptive information about a person on the Internet and not have it become a new privacy risk.
you also don't appear to know what a nullifier is, in a ZKP system you submit identifying information and a hash of a secret string. the CA adds the hash to a public database and in the future you prove you one of the members of the database with a nullifier - the anonymity-set is everyone in the database who entered it prior to your submission. this can also be done with a blind signature to the same effect.
there is no further point to this discussion.
rockskon
6 hours ago
> it's actually clear that you are the one who isn't familiar with this, I referenced remote attestation which you appear to know little about as it addresses the problem of identifying information (the service has no way to link tokens across without help from the CA).
You've promoted mutually exclusive concepts with regards to cryptography which is why I said you don't seem to understand it. And again - and again and again and again and again and again - what is the additional information you are authenticating based off of beyond age? Remote attestation provides absolutely zero privacy utility here whatsoever on its own! So you've remotely attested this ZKP key represents a person who is an adult. Creating another key based on that information alone is trivial to spoof - for it not to be trivial, it would require validating additional information!
What is your root of trust? What is the basis by which age is verified in a way that can't readily be spoofed?
> you also don't appear to know what a nullifier is, in a ZKP system you submit identifying information and a hash of a secret string. the CA adds the hash to a public database and in the future you prove you one of the members of the database with a nullifier - the anonymity-set is everyone in the database who entered it prior to your submission. this can also be done with a blind signature to the same effect.
That's nice and all for trivia on ZKP but how does that touch upon the problem being discussed?
The mechanics of ZKP are not relevant to the problem of ZKP being categorically worthless for the problem at hand. I don't say ZKP is worthless out of ignorance - more discussions about it won't change that.
The specifics of ZKP do not change the fact that you are validating either too little information to be useful for preventing fraud or too much to have privacy-preserving value.
> there is no further point to this discussion.
Evidently not.
We can't solve private age verification with blockchain tech. I'm happy you're so passionate about it, but it isn't a silver bullet.
JohnFen
9 hours ago
The problem is that you still have to trust something you don't control and can't verify that the technological solutions are correctly implemented and applied.
CGMthrowaway
5 hours ago
> There are at least some technological solutions here, such as anonymous credentials.
Identity verification is busy being rolled out across the entire developed world right now, and I have yet to see or hear about even one single mention of anonymous credentials in the discussion of any of the laws.
coldtea
6 hours ago
>There are at least some technological solutions here, such as anonymous credentials.
Technological solutions for what problem?
Nursie
5 hours ago
Yep, there are a variety of ways this can work well, but the overwhelming 'vibe' here at HN is a) that the tech is too complex and b) that governments actually want to end privacy anyway for their own nefarious reasons.
I find 'a' amusing as we'll often see in the same conversation that users appeal to parents to take responsibility and lock down their kids' access to things, as if that's trivial for non-tech folk and foolproof. It's also silly because the user interface to such a system doesn't need to show all that complexity.
And 'b' is often supported by some out of context quote that at first glance looks incriminating but doesn't actually mean much.
The saddest thing is that the article you link addresses most of the objections people have brought up in the thread, but few have read it.
sneak
5 hours ago
No. The point of these initiatives IS TO GET ID, not to protect children.
Anonymous credentials don’t allow the state to retaliate in the dark of night against protected expression that they don’t like. Anonymous credentials do not allow for that, so they are irrelevant.
andy99
10 hours ago
This seems to come up in every discussion, in practice it’s irrelevant both because it’s too complicated for normal people to understand, and because the point of all this nonsense really is identification so anything that defeats that will be a non starter.
bluefirebrand
9 hours ago
It doesn't have to be too complicated for normal people to understand.
Majority of people understand their SIN or SSN number or whatever, they understand they have a drivers license number. This could be built in such a way that it's basically just be another government issued "thing" that they have to know about and be able to produce when requested
Geezus_42
9 hours ago
Every government has been working on ways to identify and target individuals online since as long as the internet has existed. Governments are incentivized to continuously increase control. Why would you assume this is not yet another escalation towards their goal of being able to track and silence anyone who pushes back?
bluefirebrand
8 hours ago
I didn't comment at all on what the governments goals are
Edit: I agree with you 100%, but the fact that governments want to track people online has no bearing on how technically possible it is to build a system where they can't
An anonymous internet auth system (probably) won't get built, but it is possible to build
Geezus_42
6 hours ago
How is it possible to have something that both proves something about your identity but also does not allow ANYONE to deanonymize you?