With many jurisdictions introducing age verification laws for various things on the internet, a lot of questions have come up about implementation and privacy. I haven’t seen anyone come up with a real working example of how to implement it technically/cryptographically that doesn’t have any major flaws.
Setting aside the ethics of age verification and whether or not it’s a good idea - is it technically possible to accurately verify someone’s age while respecting their privacy and if so how?
For an implementation to work, it should:
- Let the service know that the user is an adult by providing a verifiable proof of adulthood (e.g. a proof that’s signed by a trusted authority/government)
- Not let the service know any other information about the user besides what they already learn through http or TCP/IP
- Not let a government or age verification authority know whenever a user is accessing 18+ content
- Make it difficult or impossible for a child to fake a proof of adulthood, e.g. by downloading an already verified anonymous signing key shared by an adult, etc.
- Be simple enough to implement that non-technical people can do it without difficulty and without purchasing bespoke hardware
- Ideally not require any long-term storage of personal information by a government or verification authority that could be compromised in a data breach
I think the first two points are fairly simple (lots of possible implementations with zero-knowledge proofs and anonymous signing keys, credentials with partial disclosure, authenticating with a trusted age verification system, etc. etc.)
The rest of the points are the difficult ones. Some children will circumvent any system (e.g. by getting an adult to log in for them) but a working system should deter most children and require more than a quick download or a web search for instructions on how to circumvent.
The last point might already be a lost cause depending on your government, so unfortunately it’s probably not as important.


The German government ID card has an age verification function:
It only sends one bit to the requesting service: Yes, over 18 or No, not over 18.
And it doesn’t transmit back any data, so the state doesn’t know what services you access.
Since you are required to have an ID card and the state knows your age, this would be a pretty good option (in Germany).
Yeah this. I don’t know why people are trying to make this into some incredibly complicated multi step process.
How does this work to protect privacy though? Wouldn’t the site need to know who you are to be able to look you up with the government?
Or is it more like an SSO/OAuth callback style thing where you sign into the government and they send the “age bit” digitally signed and your browser gives it back to the service? Either way the government would know when you’re accessing 18+ material and possibly what specific site you’re accessing? Or is there more to it?
The site doesn’t need to identify me, it only needs to know that a “Yes” bit was sent with a valid certificate from the government. And no data needs to be sent back to the government for that. The info is stored locally on a chip in the card.
If a child has access to my ID card, that’s on me.
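A simplified model of the flow this reply describes, added here as an illustration (it is not the actual eID protocol or anyone's production code): the issuer signs the age bit once at card issuance, the card later answers a service's fresh challenge, and the service verifies everything offline against the issuer's public key. All names, keys and the nonce are constructed for the example; note that this model still exposes a stable card public key to the service, which a real deployment would have to avoid to satisfy the "no other information" requirement above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Credential: the age bit bound to the card key, signed once by the issuer, who keeps no copy.
type Credential struct {
	Over18  bool
	CardPub ed25519.PublicKey
	IssSig  []byte
}

func credBytes(over18 bool, cardPub ed25519.PublicKey) []byte {
	b := byte(0)
	if over18 {
		b = 1
	}
	return append([]byte{b}, cardPub...)
}
func Issue(issuer ed25519.PrivateKey, over18 bool, cardPub ed25519.PublicKey) Credential {
	return Credential{over18, cardPub, ed25519.Sign(issuer, credBytes(over18, cardPub))}
}

// Present is the card's reply to a fresh service nonce; signing the nonce stops a
// recorded reply from being replayed to another site or in another session.
func Present(card ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(card, nonce)
}

// Verify is all the service does: check the issuer's signature on the bit and the
// card's signature on this session's nonce. It never contacts the government.
func Verify(issuerPub ed25519.PublicKey, c Credential, nonce, nonceSig []byte) (over18, ok bool) {
	if !ed25519.Verify(issuerPub, credBytes(c.Over18, c.CardPub), c.IssSig) ||
		!ed25519.Verify(c.CardPub, nonce, nonceSig) {
		return false, false
	}
	return c.Over18, true
}

func main() {
	issPub, issPriv, _ := ed25519.GenerateKey(rand.Reader)   // government (constructed)
	cardPub, cardPriv, _ := ed25519.GenerateKey(rand.Reader) // ID card chip (constructed)
	cred := Issue(issPriv, true, cardPub)
	nonce := make([]byte, 32)
	rand.Read(nonce) // constructed per-session challenge chosen by the service
	fmt.Println(Verify(issPub, cred, nonce, Present(cardPriv, nonce))) // true true
}
```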
Can phones read this chip? What if you’re on a standard computer?
Yes, phones can read it.
For a standard computer, you’ll need a USB RFID chip reader.