With many jurisdictions introducing age verification laws for various things on the internet, a lot of questions have come up about implementation and privacy. I haven’t seen anyone come up with a real working example of how to implement it technically/cryptographically that don’t have any major flaws.
Setting aside the ethics of age verification and whether or not it’s a good idea - is it technically possible to accurately verify someone’s age while respecting their privacy and if so how?
For an implementation to work, it should:
- Let the service know that the user is an adult by providing a verifiable proof of adulthood (eg. A proof that’s signed by a trusted authority/government)
- Not let the service know any other information about the user besides what they already learn through http or TCP/IP
- Not let a government or age verification authority know whenever a user is accessing 18+ content
- Make it difficult or impossible for a child to fake a proof of adulthood, eg. By downloading an already verified anonymous signing key shared by an adult, etc.
- Be simple enough to implement that non-technical people can do it without difficulty and without purchasing bespoke hardware
- Ideally not requiring any long term storage of personal information by a government or verification authority that could be compromised in a data breach
I think the first two points are fairly simple (lots of possible implementations with zero-knowledge proofs and anonymous signing keys, credentials with partial disclosure, authenticating with a trusted age verification system, etc. etc.)
The rest of the points are the difficult ones. Some children will circumvent any system (eg. By getting an adult to log in for them) but a working system should deter most children and require more than a quick download or a web search for instructions on how to circumvent.
The last point might already be a lost cause depending on your government, so unfortunately it’s probably not as important.
So… the same flaw we abused to have our older friends buy us booze and cigarettes when we were underage lol I’ll still take it. You’re not going to get a perfect solution that works all the time. Point is HARM REDUCTION.
REDUCTION.
Not a perfect, flawless, impossible to abuse system. Just a system that helps to make it a bit more difficult and then hope that parents take care of the rest. Some will always still slip through, thems the breaks.
Yeesh I thought I was a nerd but reading some of the replies in this thread it’s like some people never even thought how to get access to alcohol and smokes when they were underage. Never even mind porn. We had older friends buy us those magazines too.
But why create a system which inconveniences everyone, introduces privacy leakage, and which would be inadequate to curb the problem? Sure the comparison with booze and cigarettes at point of sale sounds like it accomplishes the same thing to restrict access to adults, but one kid buying a six pack with a fake ID can only share it with a few friends, and if they try to buy multiple kegs for a party with the whole school, there’s is probably some more scrutiny, and of course the cost, which makes it unlikely. Compare this to a code which could be texted to an entire class the moment someone gets their hand on one.
And from an implementation side, if platforms and services exist which don’t comply with the law, for example 4chan [https://www.ofcom.org.uk/online-safety/illegal-and-harmful-content/investigation-into-4chan-and-its-compliance-with-duties-to-protect-its-users-from-illegal-content], then implementing these restrictions will just push kids to the unregulated platforms. It’ll have the unintended outcomes, and take away the controls from the parents, which will do more harm than good.