
Comment by tzs

1 day ago

> If we aren't going to do a national registry that services can query to get back only a "yes or no" on whether a user is of age or not, then we need regulation to prevent the storage of ID information.

Querying a national registry is not good because the timing of the queries could be matched up with the timing of site logins to possibly figure out the identities of anonymous site users.

A way to address this, at the cost of requiring the user to have secure hardware such as a smart phone, a smart card, a hardware security token or similar, is for your government to issue you signed identity documents that you store and that are bound cryptographically to your secure hardware.

A zero knowledge protocol can later be used between your secure hardware and the site you are trying to use that proves to the site you have ID that says you are old enough and it is bound to your hardware without revealing anything else from your ID to the site.

This is what the EU has been developing for a few years. It is currently undergoing a series of large scale field trials, with release to the public later this year, with smart phones as the initial secure hardware. Member states will be required to support it, and any mandatory age verification laws they pass will require sites to support it (they can also support other methods).

All the specs are open and the reference implementations are also open source, so other jurisdictions could adopt this.

Google has released an open source library for a similar system. I don't know if it is compatible with the EU system or not.

I think Apple's new Digital ID feature in Wallet is also similar.

We really need to get advocacy groups that are lobbying on age verification bills to try to make it so when the bills are passed (and they will be) they at least allow sites to support some method like those described above, and ideally require sites to do so.
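The flow the comment sketches (issuer signs a document bound to a device key; the device later proves one attribute to a site without involving the issuer) as an added example. This is illustrative code written for this page, not the comment author's, the EU wallet's, Google's or Apple's; a full zero-knowledge proof is out of reach for standard-library Go, so the proof step is replaced by hash-based selective disclosure: the issuer signs salted digests of every attribute together with the device public key, the device reveals only `age_over_18` and signs the site's fresh nonce with its bound key, and the site checks both signatures without seeing any other attribute or contacting the issuer. The attribute names, the hashing layout and the use of an ordinary P-256 key in place of a secure element are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"sort"
)

// Credential is the issuer-signed document kept on the device: one salted digest per
// attribute, with the digest list plus the device public key signed by the issuer.
type Credential struct {
	Values    map[string]string // cleartext attributes; these never leave the device
	Salts     map[string][]byte
	Digests   [][]byte // sorted salted digests, one per attribute
	DevicePub []byte   // PKIX-encoded P-256 key standing in for the secure hardware
	IssuerSig []byte
}

// Presentation is all the site receives: one disclosed attribute, the digest list
// (so the issuer signature still verifies) and a device signature over the site's nonce.
type Presentation struct {
	Name, Value                           string
	Salt, DevicePub, IssuerSig, DeviceSig []byte
	Digests                               [][]byte
}

// hashParts length-prefixes each field so field boundaries cannot be shifted.
func hashParts(parts ...[]byte) []byte {
	h := sha256.New()
	for _, p := range parts {
		h.Write([]byte{byte(len(p) >> 8), byte(len(p))})
		h.Write(p)
	}
	return h.Sum(nil)
}

func attrDigest(name string, salt []byte, value string) []byte { return hashParts([]byte(name), salt, []byte(value)) }

// credentialHash is what the issuer signs; presentationHash is what the device signs
// (the site's nonce and identity give replay and relay protection).
func credentialHash(digests [][]byte, devicePub []byte) []byte {
	return hashParts(append(append([][]byte{}, digests...), devicePub)...)
}
func presentationHash(nonce []byte, audience string, digests [][]byte) []byte {
	return hashParts(append([][]byte{nonce, []byte(audience)}, digests...)...)
}

// Issue runs at the issuer once; the issuer is never consulted at login time, so it
// cannot correlate anything with site logins.
func Issue(issuer *ecdsa.PrivateKey, devicePub []byte, attrs map[string]string) (*Credential, error) {
	c := &Credential{Values: attrs, Salts: map[string][]byte{}, DevicePub: devicePub}
	for name, v := range attrs {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			return nil, err
		}
		c.Salts[name] = salt
		c.Digests = append(c.Digests, attrDigest(name, salt, v))
	}
	sort.Slice(c.Digests, func(i, j int) bool { return bytes.Compare(c.Digests[i], c.Digests[j]) < 0 })
	sig, err := ecdsa.SignASN1(rand.Reader, issuer, credentialHash(c.Digests, devicePub))
	if err != nil {
		return nil, err
	}
	c.IssuerSig = sig
	return c, nil
}

// Present runs on the device: disclose one attribute and sign the site's nonce with the bound key.
func Present(device *ecdsa.PrivateKey, c *Credential, name string, nonce []byte, audience string) (*Presentation, error) {
	v, ok := c.Values[name]
	if !ok {
		return nil, errors.New("attribute not in credential")
	}
	sig, err := ecdsa.SignASN1(rand.Reader, device, presentationHash(nonce, audience, c.Digests))
	if err != nil {
		return nil, err
	}
	return &Presentation{Name: name, Value: v, Salt: c.Salts[name], Digests: c.Digests,
		DevicePub: c.DevicePub, IssuerSig: c.IssuerSig, DeviceSig: sig}, nil
}

// Verify runs at the site, which learns only the disclosed attribute.
func Verify(issuerPub *ecdsa.PublicKey, p *Presentation, nonce []byte, audience string) error {
	if !ecdsa.VerifyASN1(issuerPub, credentialHash(p.Digests, p.DevicePub), p.IssuerSig) {
		return errors.New("issuer signature invalid")
	}
	want, found := attrDigest(p.Name, p.Salt, p.Value), false
	for _, d := range p.Digests {
		found = found || bytes.Equal(d, want)
	}
	if !found {
		return errors.New("disclosed attribute not covered by issuer signature")
	}
	pub, err := x509.ParsePKIXPublicKey(p.DevicePub)
	devPub, ok := pub.(*ecdsa.PublicKey)
	if err != nil || !ok || !ecdsa.VerifyASN1(devPub, presentationHash(nonce, audience, p.Digests), p.DeviceSig) {
		return errors.New("device signature invalid: not the bound hardware, or stale nonce")
	}
	return nil
}

func main() {
	issuer, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	device, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the secure element
	devPub, _ := x509.MarshalPKIXPublicKey(&device.PublicKey)
	// Constructed sample identity; only age_over_18 reaches the site.
	cred, _ := Issue(issuer, devPub, map[string]string{"name": "Alice Example", "birth_date": "1990-01-01", "age_over_18": "true"})
	nonce := []byte("fresh-site-nonce")
	p, _ := Present(device, cred, "age_over_18", nonce, "example.org")
	fmt.Println("site sees:", p.Name, "=", p.Value, "| verify:", Verify(&issuer.PublicKey, p, nonce, "example.org"))
	fmt.Println("replayed nonce:", Verify(&issuer.PublicKey, p, []byte("old-nonce"), "example.org"))
}
```

The site gets the digest list, so it can tell how many attributes the document carries and can recognise the same document across two presentations; a real deployment issues batches of single-use credentials or uses a genuine zero-knowledge proof to remove that linkability, which is the property the comment is pointing at and which this sketch does not provide.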