With many jurisdictions introducing age verification laws for various things on the internet, a lot of questions have come up about implementation and privacy. I haven’t seen anyone come up with a real working example of how to implement it technically/cryptographically that doesn’t have any major flaws.

Setting aside the ethics of age verification and whether or not it’s a good idea - is it technically possible to accurately verify someone’s age while respecting their privacy and if so how?

For an implementation to work, it should:

  • Let the service know that the user is an adult by providing a verifiable proof of adulthood (e.g. a proof that’s signed by a trusted authority/government)
  • Not let the service know any other information about the user besides what they already learn through HTTP or TCP/IP
  • Not let a government or age verification authority know whenever a user is accessing 18+ content
  • Make it difficult or impossible for a child to fake a proof of adulthood, e.g. by downloading an already verified anonymous signing key shared by an adult, etc.
  • Be simple enough to implement that non-technical people can do it without difficulty and without purchasing bespoke hardware
  • Ideally not require any long-term storage of personal information by a government or verification authority that could be compromised in a data breach

I think the first two points are fairly simple (lots of possible implementations with zero-knowledge proofs and anonymous signing keys, credentials with partial disclosure, authenticating with a trusted age verification system, etc. etc.)

The rest of the points are the difficult ones. Some children will circumvent any system (e.g. by getting an adult to log in for them) but a working system should deter most children and require more than a quick download or a web search for instructions on how to circumvent.

The last point might already be a lost cause depending on your government, so unfortunately it’s probably not as important.
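
To make the first three requirements concrete, here is an added sketch (not part of the original post) of a Chaum-style RSA blind signature: the issuer signs a token it never sees, and the site checks the signature against the issuer's public key only. The toy key, the function names and the `Service` class are assumptions made for the illustration.

```python
import hashlib, math, secrets

# Toy issuer key built from two Mersenne primes (constructed for this demo, NOT secure).
# Textbook RSA without padding: enough to show the blinding algebra, nothing more.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # issuer's private exponent

def h(token: bytes) -> int:
    return int.from_bytes(hashlib.sha256(token).digest(), "big")

def user_blind(token):
    """User hides H(token) behind a random factor r before contacting the issuer."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    return (h(token) * pow(r, E, N)) % N, r

def issuer_sign(blinded):
    """Issuer has checked the user's age out of band; it sees only the blinded value."""
    return pow(blinded, D, N)

def user_unblind(blind_sig, r):
    return (blind_sig * pow(r, -1, N)) % N

class Service:
    """Relying site (hypothetical): knows only the issuer's public key (N, E)."""
    def __init__(self):
        self.spent = set()
    def accept(self, token, sig):
        if pow(sig, E, N) != h(token):
            return False            # not signed by the issuer
        if token in self.spent:
            return False            # replay of a copied token at this site
        self.spent.add(token)
        return True

def demo():
    token = secrets.token_bytes(32)
    blinded, r = user_blind(token)
    sig = user_unblind(issuer_sign(blinded), r)
    site = Service()
    return {
        "issuer_saw_token_hash": blinded == h(token),
        "first_use": site.accept(token, sig),
        "replay": site.accept(token, sig),
        "forged": site.accept(secrets.token_bytes(32), sig),
    }
```

The spent-token set only stops reuse at one site; an adult handing a fresh, unused token to someone else (the fourth requirement) is not prevented by this construction.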

  • one_old_coder@piefed.social
    10 hours ago

    I’m pretty sure there is already a cryptographic protocol that can do this, but that’s not the point. We do NOT need age verification in software, it makes no sense. We need parents to take care of their own children because why would open-source software do the job of failed parenting? It’s a social issue, not something that can be solved with technology. Or we would have put shock-collars on every kid when they don’t behave.

    • cynar@lemmy.world
      4 hours ago

      As a parent, an extra layer of protection would be a positive. Balancing everything, and not leaving holes is hard enough, and I’ve yet to deal with the teenage phase.

      At the same time, as a Netizen, the risk of abuse to datamine me is FAR too great.

      The only way I would accept it is via zero knowledge proof type tokens. I can prove I am of age, but nothing more about me can be determined by any party.

      The current laws seem aimed at using “protect the children” to remove anonymity from the web, and are a data miner’s wet dream.

    • bamboo@lemmy.blahaj.zone
      4 hours ago

      Agreed, and for every site which would comply with these rules, there are 10-100 which won’t and are not able to be controlled in the jurisdiction. Teenagers will find a way to get around restrictions, and will go to sites which are less regulated, and possibly not have the controls in place to flag grooming interactions, promoting self harm, etc.

    • Voidian@lemmy.dbzer0.com
      9 hours ago

      Great idea, let’s get parents to raise their kids.

      Now, how do we suddenly make them actually do that? Last I checked this idea has been around about as long as people have been around but it’s still not happening.

      Parenting matters, but it’s not the only layer of protection. We don’t rely solely on parents to keep kids from walking into bars or buying cigarettes, we have laws and systems to back them up. Why should the internet be different?

      • TORFdot0@lemmy.world
        1 hour ago

        I can flash my ID to a bartender who doesn’t need to take a copy or otherwise retain my PII to serve me. This isn’t how we do age attestation in most cases right now. We require a third party to issue and verify identity and said third parties have been shown to be poor stewards of our identity.

      • Waveform@multiverse.soulism.net
        9 hours ago

        You see, if we tell parents that it’s actually super important that they raise their kids, I’m sure they will do it. Just like if we tell everyone that a vaccine for a dangerous disease is a really good idea, everyone will just settle down and go get it.

      • bluGill@fedia.io
        8 hours ago

        How am I supposed to take care of my kids? My kid has got up at 3am and used his school device to do things I don’t want. The thing wasn’t supposed to be allowed by the school but the bypass (web site not blocked) wasn’t one the school will find out and block. Bypasses like that spread fast in schools.

        • Voidian@lemmy.dbzer0.com
          8 hours ago

          My point is that we can’t rely on parental oversight only because some plain won’t… and in your case, even actively trying may fail (it’s not your fault). And there’s always going to be loopholes in every system. Clever kids will get by most verifications, and if they don’t, that’s likely to mean the verification gets too invasive to be worth it. The best, though not perfect system is to have parental oversight + impartial verification + platform responsibility. This will reduce but not eradicate the problem.

          • bluGill@fedia.io
            6 hours ago

            Problem is an OS is not a useful part of this. My kids are perfectly able to install Linux on a Pi - and this is something I want to encourage in general (I don’t think they have, but they could), thus giving them root access - including access to things in the package repo that I may not approve of. It is a hard problem and I can’t always be there.

    • Korhaka@sopuli.xyz
      7 hours ago

      Need parents to use already existing parental controls and for society to blame parents more for incompetence