Update on age requirements for apps distributed in Texas

3 days ago (developer.apple.com)

If the hammer ever comes down on this issue, i.e. a hardcore requirement for age verification, there are ways to do this while protecting privacy.

We are experimenting with bootstrapping a PKI certificate trust chain for facilitating trust projection and information verification online. Think of it as the ability to do things like age verification at scale via a peer-2-peer-ish mechanism instead of sending your government ID to a service provider.

One experiment is with PGP key holders (for now Keybase key holders) as CAs:

https://certisfy.com/app is an in-browser app and all the cryptography happens in the browser.

  • Google and Apple already have private age verification so I think the time for experiments is past.

  • I find claims of any technology being able to simultaneously validate your age while "respecting privacy" to be suspect at best. Even if the technology could work in theory, it would be built on top of an ecosystem designed around an ecosystem hell-bent on monetizing info about you.

    • Zero knowledge proofs can perform expressions that check values within a JSON tree without exposing any of those values to the requesting party, for instance "year of birth < 2005" can return true or false without returning the person's numeric birth year. Essentially the requesting party has the holder of the credential perform a computation, the result is guaranteed to be the result of each and every instruction over a target data structure (only knowing the hash and signature chain of the credential, so for instance your government issued ID can be signed by your secretary of state's public key).

      Estonia has a really interesting government issued public key infrastructure where users can validate their identity with their physical ID card and a USB reader (maybe it's NFC by now?) but I don't think I've heard of the above scheme used in practice, just sat through a presentation at the internet identity workshop.

  • Can age assurance be done privately and anonymously? Absolutely.

    But the entire point of age laws is to stifle free speech and ruin privacy. Thus why every age law requires uploading an ID.

    If it was just age, just require a credit charge of a $1 through an intermediary. Good for a year or whatever.

    • > the entire point of age laws is to stifle free speech and ruin privacy

      Does it? I mean sure, it's a side-effect that some (most?) politicians might find desirable, but there's also people who just want to restrict access to adult material (not taking a position on whether it's a good or bad thing here). Most parents would probably agree with the latter even if they don't with the former.

    • > But the entire point of age laws is to stifle free speech and ruin privacy. Thus why every age law requires uploading an ID.

      The age verification system currently undergoing large scale field trials in the EU does not require uploading ID. Every member of the EU is required to support that system, and any online age verification laws any member passes are required to allow its use.

  • I read, from a semi-reliable source, Louisiana has a pretty good system for verifying age and protecting ID. But it's focused on in-person ID for gambling.

    The system was that they hired a company to make the cards, and assume civil liability for any privacy violations. They also required the company to hold insurance in case of a claim.

    So it fell to the insurance company to sign off on the standards, and allowed investors to make money by avoiding claims.

    I might be half-remembering it but that seemed like a very good system.

  • Why so complex? ID cards could solve that issue, every European ID card has a powerful and programmable crypto processor / secure element inside and so do all ICAO compliant passports.

    Have the website emit a random nonce (to guard against replay attacks / reuse) plus information on what is requested (name, DOB, address, some like the Croatian ID card even store photographs), the card prepares a response with that data, signs that using its private key (with a 2FA being possible as well by using a PIN/password) and returns it to the website.

    The Croatian ID card doesn't even need a middleware because it doesn't do 2FA, you can ask it all of that by pure NFC communication. The German ID card requires a middleware ("AusweisApp", open source) for added protection though.
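
The nonce challenge/response described in the comment above, as an added Go example that is not part of the original thread; it shows the site rejecting a replayed response and the card releasing only the field that was asked for. Assumptions: a throwaway Ed25519 key stands in for the card's key, and `CardRespond`, `Site`, `Challenge` and `Verify` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

func payload(nonce []byte, fields map[string]string) []byte {
	b, _ := json.Marshal([]any{nonce, fields}) // map keys are sorted, so the encoding is stable
	return b
}

// CardRespond (hypothetical) stands in for the card: it releases only the fields in want.
func CardRespond(priv ed25519.PrivateKey, all map[string]string, nonce []byte, want []string) (map[string]string, []byte) {
	out := map[string]string{}
	for _, k := range want {
		out[k] = all[k]
	}
	return out, ed25519.Sign(priv, payload(nonce, out)) // signature binds fields to nonce
}

// Site (hypothetical) remembers the nonces it has issued; each can be redeemed once.
type Site struct {
	Pub     ed25519.PublicKey
	Pending map[string]bool
}

func (s *Site) Challenge() []byte {
	n := make([]byte, 16)
	rand.Read(n)
	s.Pending[string(n)] = true
	return n
}

func (s *Site) Verify(nonce []byte, fields map[string]string, sig []byte) bool {
	fresh := s.Pending[string(nonce)]
	delete(s.Pending, string(nonce)) // single use, whatever the outcome
	return fresh && ed25519.Verify(s.Pub, payload(nonce, fields), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // throwaway key standing in for the card's
	site := &Site{pub, map[string]bool{}}
	id := map[string]string{"name": "Ana Example", "dob": "1990-01-01"} // constructed sample
	n := site.Challenge()
	fields, sig := CardRespond(priv, id, n, []string{"dob"})
	fmt.Println(fields, site.Verify(n, fields, sig), site.Verify(n, fields, sig))
}
```

The site in this sketch still learns whatever field it requested, here the full date of birth.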

    • Age verification could indeed be implemented in other ways. The approach outlined above is for information verification and trust projection in general, meaning you can put just about any verified information on a certificate and it can be used online.

      Here is a concrete example of how trustworthy certificates can be used online, this is my personal profile on Bluesky with verification that is independent of the Bluesky service: https://bsky.app/profile/bitlooter.bsky.social

      If you click on the profile image you can enter that code into https://certisfy.com/app to verify the identity of the profile. That sticker could be on any online profile to prove high quality authenticity, it could for instance be on an e-commerce site to prove that the site isn't a scam.

    • The problem with this specific design is that it reveals your identity to the site, which is obviously undesirable from a privacy perspective.

      For those who are interested one of my recent newsletter posts goes into a fair amount of detail about the various technical options here for using digital IDs in this context: https://educatedguesswork.org/posts/age-verification-id/

  • My concern with this is how far it goes and whether it has unintended side-effects.

    There are a lot of situations in history where in retrospect being able to evade government oversight and restrictions turned out to be a good thing. During the Holocaust a number of Jews and other targeted populations were able to escape hostile territory because they were able to get forged passports and other documents, something that strong cryptography would make impossible (even in a perfectly privacy-preserving way).

    I'm not sure how old you are or when you started in tech, but in my case I started as a kid and was able to build the skills that now gave me my career thanks to unrestricted Internet access (and sure, I saw pornography a few years earlier than I should have - didn't seem to have any measurable detrimental effect on me, especially not compared to the cigarettes and alcohol).

    This wouldn't have been possible if age verification was properly implemented, since a lot of the resources that might be useful for someone to learn programming/sysadmin could also be used to circumvent age verification and thus would've been blocked, and I would probably be working a minimum wage job and/or engaging in crime to sustain myself as a result. If I had to choose whatever harmful effects from pornography versus having a min-wage job, I'll take the porn side-effects any day, at least I have a roof over my head.

Meanwhile I actually started college at 16 which is illegal in some locales.

  • > illegal in some locales.

    In the US or elsewhere? I've known a lot of people who attended college at 16, and through friends with teenage children know even more these days. They attended (or are attending) schools in a variety of states.

    • I think "illegal" is a strong word. Some states don't allow it in public universities. I suspect they're fine with it at private universities.

It is interesting to me that we are running a giant social experiment with people's childhoods - something we know can only be done once.

Meanwhile the Silicon Valley elite admitted that they don't let their 12 year old daughter on Instagram...

  • I would not let my (hypothetical) 12 year old on Instagram. I also don't want to give Instagram (or any other site, since I don't use Instagram) my ID to view content on it.

  • It’s more interesting to me why nobody except SV elites can come to the same conclusion themselves regarding <12 year olds on Instagram and instead seem to need the government to parent their kids

    I hate this law and those like it, mostly because it shouldn’t be necessary for government to overstep like this. But when I look around… maybe it is

Just let the parents be responsible. Jesus.

Attach minor accounts to the account of the parent, make the parent say yes.

  • Ok, but you're saying two different things. You can't know a minor account is a minor account unless you require age verification.

    Don't get me wrong - I support your proposal. But it requires massive state intervention.