Comment by spragl
17 days ago
I have mentioned this before, but age verification can be solved by hash chains. They can prove age without compromising privacy.
It is crazy that the solutions Discord goes for are IDs and selfies. It definitely gives the impression that there are shady ulterior motives.
Hash chains are simple. If they were adopted, Discord would clearly be in bad faith taking the steps that they do now. If you search you will find quite a bit of information. My introduction to hash chains is for for age verification specifically: https://spredehagl.com/2025-07-14/
The EU is working on a actual privacy-preserving initiative [0] that allows owners of ID wallets to verify their age, without their actual age or personal data being transmitted. The standard and reference implementations are open source on GitHub. Yet everybody screams uploading IDs and total government surveillance.
[0]: https://ec.europa.eu/digital-building-blocks/sites/spaces/EU...
Dear littlecranky67, as overseer for your digital wallet, I am happy to inform you that the owner of the discord server kinkydwarfporn doesn't know who you are and your privacy is protected.
Signed your friendly EU official.
As long as someone in the chain is able to physically connect the dots it is game over for privacy.
Your comment assumes there is an "overseer". There is not. Guys, read the technical documents. It is all standardized and open-source. I can code my own wallet.
3 replies →
The same EU that is trying to backdoor every messaging app to "protect the children" TM? I 'll use their ID system on my dead body.
Yes, that EU. It's very big. The left hand doesn't know what the right hand is doing.
This is just pointless whataboutism. There are smart devs and crypto experts designing a sound, privacy-friendly system that is open source. It does what is supposed to do and how everybody would want it to be implemented. Yet people reject it on irrational grounds for whatever negative aspect they associate the EU with.
6 replies →
If the input is "give ID", what the software claims to do is almost meaningless since you cannot prove that software was running. What do I care that someone can tell me they built a privacy-first way of validating IDs/age if I cannot be sure that is the software they are running?
They can just as easily save the ID to disk and return "all good" for all I know.
No, the solution does not require that.
It requires that Bob proves posession of a private key, that only he has ever had. That private key could be generated specifically for the commitment that he got from Alice.
Well your solution includes handwritten signatures and everyone being a handwriting expert so that they compare handwritten signatures. I wouldn't call this an elegant solution.
That is what the example uses. In the real world that would be a digital signature. Look under the heading "Fitting the parts together" to see what the real world solution could be like.
Even easier, just get tokens that carry no other information from ones government, and the government runs an API, that for a given token tells whether that token is valid. Can tokens be stolen? Maybe. Can your face be stolen? Today yes.
Hash-chains allows the solution to be token-less. You no longer need those per transaction information leaking API calls. You also avoid dependency on a single provider.
The communication in connection with a transaction would only go between the identity owner (Bob) and the provider (Cycle shop).
No API, they sign the tokens with the government's private key and you verify them with the government's public key
If discord needs to contact an API, then the government can associate the token with you, and you with discord, and know what you browse online. No thank you.
What's stopping kids from all using the token of that one older brother?
Same thing as using the ID or photo of the same older brother : Nothing.
3 replies →
Something like half of Israel's economy is intelligence gathering wtf do you think is happening here it's pretty obvious. economic leverage, surveillance, foreign influence, tech exports being used politically, etc.
I'm not sure how hash chains would resolve the fundamental issue of needing to send your ID or similar to some random third-party company that does god-knows-what with it (probably stores it in a publicly accessible path with big "steal me" signs pointing at it). That they need to attest to your age means that they need to trust what your age is, which has really just moved the problem one layer deeper (as far as I can tell).
I assume by third party you mean the authority, and yes, the authority would need to know your personal information. At least enough of it to verify your age. So the ideal is that the authority is the entity that already knows your personal information. Like the entity that issued your passport to you, or the one that issued you drivers license.
But even if the authority was a private company, I think it would be an improvement compared to the current situation. In this situation your personal information would be held by this one company, and not whatever provider that needs to verify your age. Also, you would be able to use the commitments, that this private authority gave you, without any coordination afterwards. The authority would not know about your transactions.
How would that mechanism work in practice, though? If every parent needs to become a trusted authority, wouldn’t that just move the goalpost? Who would be the trusted authority, and who would implement that?
I agree that the mechanism is elegant, but figuring out which entity should be trusted in a way that scales globally is somewhat difficult.
Realistically this would be another service attached to the government ID. Something like this does function in some European countries, doesn’t it?
It works quite well in Czechia. Upon verification request, you are redirected to a government site, where you select exactly what data (Full name, DOB, address ... ) you intend to share with the entity requesting the information.
I can imagine you could share just your DOB in such a case, while keeping your real identity private. In such a way Discord would learn only your age, keeping everything else from them.
Government learns that Discord was provided your data, but this is supposedly a trusted, regulated entity.
2 replies →
The use of the parent is an example. In reality it would be some official age checking provider (maybe the government).
Yes. I think that wahtever organization that issues your passport, would be a natural choice for setting this up.
But nothing prevents it from being a private company, although I cannot see a sound business model for it. Also it would need to project great credibility for customers to trust them with their information.
How difficult would it be to add further anonymization? Let's say I want to prevent the bike shop from building a usage profile on the basis of the age check (e.g. because I'm buying booze). Would I just need to get more chains from Alice, or is there an easy way to integrate e.g. group signatures into the scheme?
I think the way to go would be for Alice to give you lots of commitments. They are computationally light-weight to generate anyway.
That would at least be a good and also simple solution. Maybe there is a perfect solution, but then I dont know it.
If you wanted to implement this in real life, who plays the role of Alice?
I think that whatever organization that issues your passport, would be a natural choice for setting this up. But it could be some other authority. In a way it is the identity owners and the providers that decide who they will trust as authorities.
this is just a think of the children attack