Comment by thewebguyd
1 day ago
The problem is the implementation is hasty.
When I go buy a beer at the gas station, all I do is show my ID to the cashier. They look at it to verify DOB and then that's it. No information is stored permanently in some database that's going to get hacked and leaked.
We can't trust every private company that now has to verify age to not store that information with whatever questionable security.
If we aren't going to do a national registry that services can query to get back only a "yes or no" on whether a user is of age or not, then we need regulation to prevent the storage of ID information.
We should still be able to verify age while remaining pseudo-anonymous.
> If we aren't going to do a national registry that services can query to get back only a "yes or no" on whether a user is of age or not, then we need regulation to prevent the storage of ID information.
Querying a national registry is not good because the timing of the queries could be matched up with the timing of site logins to possibly figure out the identities of anonymous site users.
A way to address this, at the cost of requiring the user to have secure hardware such as a smart phone or a smart card or a hardware security token or similar, is for your government to issue you signed identity documents that you store and that are bound cryptographically to your secure hardware.
A zero knowledge protocol can later be used between your secure hardware and the site you are trying to use that proves to the site you have ID that says you are old enough and it is bound to your hardware without revealing anything else from your ID to the site.
This is what the EU had been developing for a few years. It is currently undergoing a series of large-scale field trials, with release to the public later this year, with smart phones as the initial secure hardware. Member states will be required to support it, and any mandatory age verification laws they pass will require sites to support it (they can also support other methods).
All the specs are open and the reference implementations are also open source, so other jurisdictions could adopt this.
Google has released an open source library for a similar system. I don't know if it is compatible with the EU system or not.
I think Apple's new Digital ID feature in Wallet is also similar.
We really need to get advocacy groups that are lobbying on age verification bills to try to make it so when the bills are passed (and they will be) they at least allow sites to support some method like those described above, and ideally require sites to do so.
> If we aren't going to do a national registry that services can query to get back only a "yes or no" on whether a user is of age or not
And note that if we are, the records of the request to that database are an even bigger privacy timebomb than those of any given provider, just waiting for malicious actors with access to government records.
> When I go buy a beer at the gas station, all I do is show my ID to the cashier. They look at it to verify DOB and then that's it. No information is stored permanently in some database that's going to get hacked and leaked.
Beer, sure. But if you buy certain decongestants, they do log your ID. At least that's the case in Texas.
In PA they scan your ID if you buy beer. There could be a full digital record of all my beer purchases for the past 15+ years, although I'm not aware of any aggregation of this data that is happening. Not that I expect anyone doing it would talk about it.
> But if you buy certain decongestants, they do log your ID.
Yeah, but many people don't actually think War on Drugs policies are a model for civil liberties that should be extended beyond that domain (or, in many cases, even tolerated in that domain.) That policy has been effective, I guess, in promoting the sales of alternative “decongestants” (that don't actually work), though it did little to curb use and harms from the drugs it was supposed to control by attacking supply.
My beard is more gray than not and they still not only ID me for beer, but scan my ID too.
Depending on the gas station... I've been to at least a dozen in Texas where the clerk scanned the back of my DL for proof of age. I'm assuming that something is getting stored somewhere...
> When I go buy a beer at the gas station, all I do is show my ID to the cashier. They look at it to verify DOB and then that's it. No information is stored permanently in some database that's going to get hacked and leaked.
That's how it should be, but it's not how it is. Many places now scan your ID into their computer (the computer which, btw, tracks everything you buy). It may not go to a government database (yet) but it's most certainly being stored.
> We should still be able to verify age while remaining pseudo-anonymous.
That would completely defeat the purpose. The goal is to identify online users, not protect children.
I definitely don't disagree that the implementation is problematic, I'm just surprised it took this long for it to happen.
We should easily be able to, but the problem of tech illiteracy is probably our main barrier. To build such a system you’d need to issue those credentials to the end users. Those users in turn would eagerly believe conspiracy theories that the digital ID system was actually stealing their data or making it available to MORE parties instead of fewer (compared to using those ID verification services we have today).