With many jurisdictions introducing age verification laws for various things on the internet, a lot of questions have come up about implementation and privacy. I haven’t seen anyone come up with a real working example of how to implement it technically/cryptographically that don’t have any major flaws.
Setting aside the ethics of age verification and whether or not it’s a good idea - is it technically possible to accurately verify someone’s age while respecting their privacy and if so how?
For an implementation to work, it should:
- Let the service know that the user is an adult by providing a verifiable proof of adulthood (eg. A proof that’s signed by a trusted authority/government)
- Not let the service know any other information about the user besides what they already learn through http or TCP/IP
- Not let a government or age verification authority know whenever a user is accessing 18+ content
- Make it difficult or impossible for a child to fake a proof of adulthood, eg. By downloading an already verified anonymous signing key shared by an adult, etc.
- Be simple enough to implement that non-technical people can do it without difficulty and without purchasing bespoke hardware
- Ideally not requiring any long term storage of personal information by a government or verification authority that could be compromised in a data breach
I think the first two points are fairly simple (lots of possible implementations with zero-knowledge proofs and anonymous signing keys, credentials with partial disclosure, authenticating with a trusted age verification system, etc. etc.)
The rest of the points are the difficult ones. Some children will circumvent any system (eg. By getting an adult to log in for them) but a working system should deter most children and require more than a quick download or a web search for instructions on how to circumvent.
The last point might already be a lost cause depending on your government, so unfortunately it’s probably not as important.
You know how there are stores that sell restricted substances and verify your age by checking a provided ID? Have those same stores sell a cheap, sealed card with a confirmation code on it. You can enter that code online to verify any service. The code expires after a set period of time after it’s first use to prevent sharing and misuse.
This system would be as secure as the restrictions on the restricted substance, such as alcohol, so it should be fine for “protecting the children”
Were you ever a teenager? This would be abused immediately, unless the codes were single use, and in that case it’s a non-starter.
Yes, and one with unrestricted internet access. Can you elaborate on how someone underage would abuse this system? They can’t buy one at the store, can’t reuse one that has expired so finding one won’t help, and if theft is a concern they would just need to be secured like any other restricted good. I would say it’s at least as secure alcohol, tobacco, or firearms.
Alcohol / tobacco / firearms can’t be digitally shared or reproduced. Imagine a high school with a mix of 14 - 18 year olds. If an 18 year old can get a valid code without hassle, they can share it with their friends who are in the same class, but are still 17. Or maybe they’ll share it with a sibling who is 16. What’s to stop it spreading from there? It will probably take just an hour for half of the school to get access to the one code. If the system assumes that kids won’t directly or indirectly share their codes with one another, then the system doesn’t understand teenage behavior and is flawed.
So… the same flaw we abused to have our older friends buy us booze and cigarettes when we were underage lol I’ll still take it. You’re not going to get a perfect solution that works all the time. Point is HARM REDUCTION.
REDUCTION.
Not a perfect, flawless, impossible to abuse system. Just a system that helps to make it a bit more difficult and then hope that parents take care of the rest. Some will always still slip through, thems the breaks.
Yeesh I thought I was a nerd but reading some of the replies in this thread it’s like some people never even thought how to get access to alcohol and smokes when they were underage. Never even mind porn. We had older friends buy us those magazines too.
But why create a system which inconveniences everyone, introduces privacy leakage, and which would be inadequate to curb the problem? Sure the comparison with booze and cigarettes at point of sale sounds like it accomplishes the same thing to restrict access to adults, but one kid buying a six pack with a fake ID can only share it with a few friends, and if they try to buy multiple kegs for a party with the whole school, there’s is probably some more scrutiny, and of course the cost, which makes it unlikely. Compare this to a code which could be texted to an entire class the moment someone gets their hand on one.
And from an implementation side, if platforms and services exist which don’t comply with the law, for example 4chan [https://www.ofcom.org.uk/online-safety/illegal-and-harmful-content/investigation-into-4chan-and-its-compliance-with-duties-to-protect-its-users-from-illegal-content], then implementing these restrictions will just push kids to the unregulated platforms. It’ll have the unintended outcomes, and take away the controls from the parents, which will do more harm than good.
+1 At least in WA there are restrictions on licenced premises recording your ID, they are meant to just check it.
They wouldn’t need to record it at all.
Interesting idea. Could also give it out free with packs of beer like a golden ticket from Charlie And The Chocolate Factory.
And all across the whole world, 18 year old men will jump for joy when picking up birthday booze - “I can finally look at boobs on the internet!”