Comment by lachiflippi
3 hours ago
I've been really enjoying all these articles proposing solutions to anonymous age verification, mainly because most of them are written as if this has never been implemented in the real world. German IDs support age verification that just returns a yes/no response to the question "is this user above the age of 18," and not a single service in the entire country supports it.
Anonymous age verification isn't a technical problem to be solved, as it's already been solved, it's a societal problem in that either the companies or the politicians pushing for age verification don't want to support it.
This is immensely counter-intuitive to many Americans. They wrongly assume that digital IDs are some Biblical apocalyptic level invasion of privacy, when every state ID database is already 1) linked to Federal ones, and 2) full of the same data on your driver's license anyway.
I've tried to explain this to people, that a digital ID done well is better than the fraud-enabling 1960's hodgepodge in use that has served fraudsters better than citizens for 30 years. They set their teeth and refuse based on use of the word "digital" in the title alone.
It will take generational change for the US to get something as banal as a digital ID already in use in dozens of countries, for no other reason than mindless panic over misunderstanding everything about digital ID systems, how IDs even work, and how governments work.
Oh, that's not the half of it. In my own country, digital ID adoption was a political hot topic for a long time after the Orthodox Church realized that the new chips contain 12-digit long IDs that might contain the sequence 666. This despite everyone in the country having a legal ID with a number code that can also happen to contain this same sequence - but somehow the mere possibility of this happening in the digital IDs sparked a huge outrage and made politicians avoid the topic for quite a while.
I just recently used my ID to register for a lottery website using the AusweissApp the first setup was a bit annoying, but once you are registered its actually easy to use and apparently you don't even need a phone you can use a card reader on your PC as well
I wish all governments would just run identity services and mandate usages that return anonymous attestations. Age being the most obvious attestation but something like residence status could also be useful.
Something as simple as a JWT with claims (and random uuid id) would work
It can't be quite that simple because you have a couple additional problems to solve - (effectively restating bits of the article poorly and partially)
1. You don't want these to be replayable (give your JWT to someone else to use) so they need to be bounded in some ways (eg intended website, time, proof it came from you and not someone else).
2. You don't want the government to know which website you're going to, nor allow the government and the website to collaborate to deanonymize you (or have the government force a website to turn over the list of tokens they got). So the government can't just hand you a uuid that the website could hand back to them to deanonymize.
The SD JWT and related specs solve for these, which is how mDL and other digital IDs can preserve privacy in this situation.
It's also gateway to push more. Once APIs are in place and databases are full, what's another "check" or a bit of info to add ?
Surely the safety of children is worth it right ?
If it is the case that German IDs supporting selective disclosure aren't seeing adoption for services then it needs to looked at what the friction is or even just because it's optional. It doesn't necessarily have to be an ulterior motive. It'd be easy to be called out as conspiratorial otherwise.
Right now with age assurance laws and online services there has been no singular approach beside falling back to use of government ID that any country has required. Each country has just said 'here are the minimum criteria, choose what you want' and left it up to services to comply.
So what have services chosen? The least friction and cheapest existing solution to be compliant. For most services that's been using readily available facial scanning services and government IDs as fallback. Not all of them of course but it's so scattered that it makes it difficult for a person to know what they'll need for one service vs another (and perhaps even avoid use of a service if their approach doesn't align with the person's values).
Without mandating better minimum privacy criteria governments can just point to the fact they're not preventing such tech from being used and leave it at that. But solutions also need to be affordable to adopt for a wide range of sites/services and have good support (interfaces, etc) around them to catch on so it's not just entirely whether tech exists per se.
>Anonymous age verification
Anonymity from whom? Does the German government doesn't know that Gunter Shmidt has just verified his age to the site GreatBDSMPartiesInBerlinForDragQueens.com ? Even if they obtain the logs from the site?
I remember reading in tech magazines about the "foss" acheivement which went on to become Aadhar. Remember this was prior to 2007 I think.
The idea was your id would be an autehnticator of sorts. You need to verify yourself, the website asks Aadhar if the person is genuine, the website returns binary yes no. Same for you, is gender male? Or ages above 18?
They would not return any other data.
In the end, it became just another "formality" and tool for politicians and to flex muscles.
People ended up taking photocopies of your card "just in case" and "that's the norm" even when it was said that's a bad idea.
People still do Aadhar kyc but it is in hands of politicians now and the bureaucracy.
The problem with these "yes/no" systems is that they also involve the websites you visit calling up a centralized party and asking if you're old enough. This is fine if the websites aren't interested (or if you really trust your government with your web browsing history), but gets unfortunate if you don't want to share that information.