Comment by gertrunde
4 months ago
I would like to think that there is a solution that can be engineered, in which a service is able to verify that a user is above an appropriate age threshold, while maintaining privacy safeguards, including, where relevant, for the age-protected service not to be privy to the identity of the user, and for the age verification service to not be privy to the nature of the age-protected service being accessed.
In this day and age, of crypto, and certificates, and sso, and all that gubbins, it's surely only a matter of deciding that this is a problem that needs solving.
(Unless the problem really isn't the age of the user at all, but harvesting information...)
Unfortunately, no amount of blockchains and zero-knowledge proofs can compensate for the fact that 15 year old has an 18 year old friend. Or the fact that other 15 year old looks older than some 20 year olds. Or the fact that other 15 year old's dad often leaves his wallet, with his driving license, unattended.
Over the next five years, you can look forward to a steady trickle of stories in the press about shocked parents finding that somehow their 15 year old passed a one-time over-18 age verification check.
The fact compliance is nigh-impossible to comply with is intentional - the law is designed that way, because the intent is to deliver a porn ban while sidestepping free speech objections.
None of these things are a problem.
> 15 year old has a 18 year old friend
Adults can be prosecuted for helping minors circumvent the checks.
> Or the fact that other 15 year old looks older than some 20 year olds
See Australian approach. Site can verify you and both government and site don't know who you are. No need for photo.
> shocked parents finding
No law is a replacement for bad parenting. But good parenting is easier with the right laws.
> a one-time over-18 age verification check
It can happen more than once non-intrusively.
> Adults can be prosecuted for helping minors circumvent the checks.
If you skip the need for privacy protection and just retain a copy of the photo ID used to verify the account? Then sure.
But if age is validated in a way that preserves privacy? Then there's no evidence linking the adult to the crime.
[flagged]
By any means?
A humorous age verification quiz for the Leisure Suit Larry game.
My boss is a. a jerk. b. a total jerk. c. an absolute total jerk. d. responsible for my paycheck. Correct answer: d.
dated, and very politically incorrect...
https://allowe.com/games/larry/tips-manuals/lsl1-age-quiz.ht...
(scroll down past answers to questions and answers)
I'd say all of the above but my boss is very forgiving of me. It helps that I am self-employed.
Already exists in a lot of places. German national IDs for like 10 years or something like that have an eID feature. It's basically just a public/private key signing scheme. The government and a bunch of other trusted public providers are able to issue identities, you can sign transactions with them or verify your age to commercial service providers, or transfer some data if that's required with your consent. (https://www.personalausweisportal.de/Webs/PA/EN/citizens/ele...)
Estonia and South Korea I think also have similar features on their IDs, it's already a solved problem.
There is a solution and I am the developer:
https://news.ycombinator.com/item?id=40298552#40298804
Talking about it or explaining it is like pulling teeth; generally just a thorough misunderstanding of the notion....even though cryptographic certificates make the modern internet possible.
How are the certificates issued?
https://certisfy.com/partnership/
Any number of entities can be certificate issuers, as long as they can be deemed sufficiently trustworthy. Schools, places of worship, police, notary, employers...they can all play the role of trust anchor.
I don’t get it. What is to prevent a 9 year-old from buying a certificate and using it?
This video addresses that:
https://youtu.be/92gu4mxHmTY
All certificates are cryptographically linked to an identity-anchor certificate, meaning buying a certificate would require the seller reveal the private key tied to the identity-anchor certificate, a tall order I would argue.
In the case of stolen identity certificates, they can be revoked thus making their illegitimate utility limited.
Here is my solution:
Provide easy to use on-device content filtering tools so parents can easily control what their children can access (there are a few ways to do this through law, like requiring it from OS providers or ISPs or just writing these tools directly).
To make it easy, Discord can provide their services under both adults.discord.com and minors.discord.com so parents can more easily block only the 18+ version of Discord.
Require personal responsibility from parents to decide what is appropriate for their child.
The problem is who pays to maintain the system. There are systems that allow you to share your age anonymously (among other things) and they’re already widely used in Europe but the system knows what you’re using it for since the second party pays for the information, and some accounting info is needed for the billing. It would be completely illegal for the system to use that info for anything else though.
> a service is able to verify that a user is above an appropriate age threshold, while maintaining privacy safeguards
AFAIU, the German electronic ID card ("elektronischer Personalausweis") can do this, but it is not widely implemented, and of course geographically limited.
The problem is that it is much easier to implement such a check in a way which lets the verification service link the site to the user, with no discernable difference to the end user
e: I get the same feeling as I do reading about key escrow schemes in the Clipper chip vein, where nobody claimed it was theoretically impossible to have a "spare key" only accessible by warrant, but the resulting complexity and new threat classes [1] just was not worth it
[1] https://academiccommons.columbia.edu/doi/10.7916/D8GM8F2W
Transferring your age and a way to verify it to any third party is by definition a privacy violation. Doing so in a safe way is literally impossible since I don't want to share that information in the first place.
I feel like you could, theoretically, have a service that has an ID (as drivers license ID), perhaps operated by your government, that has an API and a notion of an ephemeral identifier that can be used to provide a digital attestation of some property without exposing that property or the exact identity of the person. It would require that the attestation system is trusted by all parties though, which is I think the core problem.
Wouldn't this require the API provider to know that the citizen is connecting to the app? Grindr users might be squeamish about letting the current US admin know about that.
This is not only theoretical, the German ID card ("elektronischer Personalausweis") can do exactly this.
Do you feel this way when you enter credit card information when making a purchase online?
Yes.
> Transferring your age and a way to verify it to any third party is by definition a privacy violation.
No it's not. Unless...
> Doing so in a safe way is literally impossible since I don't want to share that information in the first place.
...well then it is.
But it's not constructive to claim that proving your age to someone is by definition a privacy violation. If someone wants to prove their age to someone, then that's a private communication that they're entitled to choose to make.
It is true that if technology to achieve this becomes commonplace, then those not wishing to do so may find it impractical to maintain their privacy in this respect. But that doesn't give others the right to obstruct people who wish to communicate in this way.
Crypto comes up every time this topic is discussed but it misses the point.
The hard part is identifying with reasonable accuracy that the person sitting in front of the device is who they say they are, or a certain age.
Offloading everything to a crypto primitive moves the problem into a different domain where the check is verifying you have access to some crypto primitive, not that it’s actually you or yours.
Any fully privacy-preserving crypto solution would have the flaw that verifications could be sold online. Someone turns 21 (or other age) and begins selling verifications with their ID because there is no attachment back to them, and therefore no consequences. So people then start imagining extra layers that would protect against this, which start eroding the privacy because you’re returning back to central verification of something.
That sounds like a reasonable compromise to me, it's already what happens with ID for pubs etc so I don't think it's much different to the status quo
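
An added example, not code from any commenter or from any system named in this thread: a toy RSA blind-signature flow, one known technique for the two-sided privacy asked for in the opening comment (the issuer never sees the token the site receives, the site never sees an identity). The demo key, function names and token format are assumptions made for illustration.

```python
import hashlib
import math
import secrets

# Demo-only RSA key built from two Mersenne primes so the block has no
# dependencies. Special-form primes and unpadded RSA are NOT safe in practice.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent


def digest(token: bytes) -> int:
    """Hash a token to an integer below N (stand-in for full-domain hashing)."""
    return int.from_bytes(hashlib.sha512(token).digest(), "big") % N


def user_blind(token: bytes):
    """User hides the token hash behind a random factor r before asking the issuer."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    return (digest(token) * pow(r, E, N)) % N, r


def issuer_sign(blinded: int) -> int:
    """Issuer has checked the user's age out of band; it sees only the blinded value."""
    return pow(blinded, D, N)


def user_unblind(blind_sig: int, r: int) -> int:
    """Strip r to obtain an ordinary issuer signature on the token."""
    return (blind_sig * pow(r, -1, N)) % N


def site_verify(token: bytes, sig: int) -> bool:
    """Age-restricted site checks the issuer's signature; no identity is involved."""
    return pow(sig, E, N) == digest(token)


def demo():
    token = secrets.token_bytes(32)   # constructed sample: random, carries no identity
    blinded, r = user_blind(token)
    sig = user_unblind(issuer_sign(blinded), r)
    issuer_saw = {blinded}            # everything the issuer could have logged
    linkable = digest(token) in issuer_saw or sig in issuer_saw
    return site_verify(token, sig), site_verify(b"forged", sig), linkable
```

The `(token, sig)` pair is a bearer credential: `site_verify` accepts it from whoever presents it, which is the resale concern raised in the comment above. The same unlinkability that hides the user from the issuer is what leaves nothing to trace a resold token back to.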