Comment by nashashmi
13 hours ago
We might need a centralized age verification system. A person verifies their age using an app. The app is on the phone of the user and confirms opening new account.
Then you have accounts that are age verified and accounts that are not age verified. Age verified accounts have the privilege of seeing sensitive content. Unverified accounts don’t have that privilege.
Some might see this as gravitating to bad laws. I see this as an attempt to address a prohibition on doing business.
> Then you have accounts that are age verified and accounts that are not age verified.
Creating an immediate market for age-verified accounts.
18 year old want some spare cash? Create a few dozen age verified accounts on your phone and sell them off for $1-2 each.
The next step is then tying logins to devices, and devices to identities. Then by using a website you must volunteer your identity. Dream come true for ad serving.
That might be a circumvention. But law is not about rooting out all circumventions. It is about intent to creating a certain system. Similar to sales tax. Just because there are ways around it, doesn’t make the law meaningless.
Id.me is a centralized Id verification system that is used for tax payers on IRS website.
That could be used here for age verification!
> Some might see this as gravitating to bad laws. I see this as an attempt to address a prohibition on doing business.
There is no contradiction, the way you address it is by giving up and gravitating to bad laws
It isn't centralized, but the emerging mDL/mID (ISO/IEC 18013-5) + Digital Credentials API (W3C) standards do enable sharing a “this device contains a secure credential for someone over 18 years of age” assertion, cryptographically signed by a government agency. Critically, this doesn't require sharing any other personal information.
As long as it can be done in the way that it remains accessible to both citizens and businesses and is highly enforceable, I'm in. The problem is that I'm not sure how it can actually be done...
Google and Apple are already building this.
A more appropriate route to that is to create incentives and grants for companies to be created that can accomplish this age verification infrastructure (ideally with its own privacy guarantees, etc), and make a declaration such as “in 5 years, you will be expected to validate and track the age group of all users on your platform. We have created grants to help create technology companies and a platform that will help to implement and privatize this service”.
That way you get both:
Or do it like the EU is doing with the EU Digital Identity Wallet, which has been tested in pilot programs since 2023, and which is expected to start being deployed to the general public next year.
Briefly, your government would give you a signed digital copy of your government ID document. This copy would be cryptographically bound to secure hardware you own, typically your smartphone. I'll assume a smartphone for the rest of this.
When you want to reveal some fact from your ID to a site, such as "my ID says that my birthday is at least 18 years in the past", your device and the site use a zero knowledge proof (ZKP) protocol to prove to the site that this is true for the signed digital ID that is bound to your device. Nothing else from or about your digital ID is conveyed to the site.
Once this is out it should be pretty easy for sites to implement age checks for EU users.
The EU system is all open source and they've got a reference implementation on Github somewhere.
Google has also recently released in open source library at https://github.com/google/longfellow-zk for building such systems.
The main thing to ensure privacy with these kind of systems is making it so that the entity that issues the digital ID to your device is an entity that you don't mind proving your ID to with your physical government ID. Ideal would be for this to be handled by the same government agency that issues the physical ID.
Second best would be entities like banks that you already trust with your ID.
Yeah, that should have been part of the bill.