The article claims this is what the ZKP scheme reveals:
> Here is cryptographic proof that I hold a valid credential proving I am over 18. You can verify the proof, but you learn nothing about who I am.
Is this true though? I am genuinely interested as I haven't looked into the details, but must the user not at least also disclose who the issuer of the credential is so the verifier can verify it against a public key? This also reveals at least the nationality of the user and could be misused to block access to foreigners using VPN.
Yes, of course. All credentials implicitly disclose the issuer by nature. A credential is by definition an attestation by an authoritative source, and meaningless without specifying that source.
Yes, any age verification or identity verification system can be used to implement geoblocking. It actually improves the situation. Currently services who want or need to block access to foreigners have no alternative than to block access to VPNs. With a suitable attestation, a service could choose to allow access from VPNs that come with such.
Absolutely nothing will prevent this. The situation is the same, and the same policing and laws about fraud and impersonation and 'enabling an underage person to...' will apply.
What is interesting is that checking physical ID places a burden on the bar. Bars get fined or worse if they do a poor job, or even just take the fall if the kids are more capable than the bouncers. With these attestations though, the government is takes responsibility. The connection is attested by gov to be legal, the gov can't turn around and claim it was illegal. They can't go after you, just the person who enabled the fraud.
> When children are very young, parents can set strict boundaries. But as kids move into their teens, parents also have an obligation to loosen them. Teenagers need spaces where they can act independently
Parent have an obligation to loosen the restrictions, and, what, the government has obligations to tighten them and deprive them of the spaces where they can act independently?
I don't care to talk about the premise itself. This reasoning is absurd.
But by what mechanism would one prove, when using such selective disclosures and zero-knowledge proofs to access an online service, that they are, in fact, the owner of said attestation?
The attestation should be at least the same level of security as access to your government services. ie. you trust it as least as much as you trust a scan of a passport.
The trick is that you don't need to prove anything. The government hands out an attestation that the holder meets criteria required to meet a government regulation. The government has taken responsibility. It is why you would require an EU attestation from EU users, and a US attestation from US users.
Overall "more verification" goes in the direction of "more surveillance".
The author described a narrow path that provides "kid safety in the internet" without sacrificing the general population privacy.
Is it technically possible to implement the way he suggests? Yes. Will it be implemented that way? No.
There are people who can affect the way this verification will be implemented who are genuinely interested in more surveillance, heck, remember chat control that is an ongoing fight in a very similar vein, there is a global desire in politicians to get more control over the communications.
To me the author seems either naive or straight up malicious.
But it is being implemented that way, and will hopefully remain that way if people who care keep paying attention. The article is pointing to the EU system currently being put together by a number of European countries.
The 'it can't be done' arguments are the worse. By spreading the idea that age verification can only be done by violating privacy means, we will end up with a system that violates privacy controlled by vested interests. Like the one already in place where you upload id. Politicians can easily sell out and will be cheered on as they entrench the system. But if that energy was spent pointing out the alternative, that we can do this in a privacy protecting way, then it can force politicians to legislate the right way. I'm looking forward to the EU system actually being rolled out, hopefully reaching their goal of remaining privacy protecting, so I can point to it and insist to my government that we can do better.
Except that within days of this service going live there's going to be a freeageverification.com that instantly generates an attestation proof for anyone for free. I fail to see how this is not untenable. You can compare it to geoblocks that can be circumvented using VPNs, but at least VPNs are costly to run and are usually paid services. With the implementation of verification (ZKP) described in the article, there is no cost to generate attestation proofs nor any limit on the number of proofs nor any way to stop a known-but-anonymous abuser from generating new proofs.
Maybe the EU knows it's untenable and is still moving forward because they will be able to demonstrate to the public that privacy enables abuse, creating pretext to make the system not private anymore after it's already been implemented.
The offline version proposed doesn’t even work. If the government issues untraceable “I’m an adult” cards there’s nothing stopping someone from acquiring one and immediately selling it to a minor. There’s also realistically nothing stopping someone from acquiring multiple and selling them to minors. “Oops, I lost my adult card again. I need a new one.” The solution is of course to make them revocable which means traceable.
The same applies online/digitally except that you can very likely distribute the same ID to many minors without getting a new one allocated.
I’m in the “we should protect kids online” camp, but I am not sure there’s a real way to do it without compromising privacy for everyone.
>I’m in the “we should protect kids online” camp, but I am not sure there’s a real way to do it without compromising privacy for everyone.
Of course there is, it's easy! You take a white list approach instead of an auth one. The default is that the general Internet is exclusively for adults. Anonymous = adult. Then use the DNS system to make a set of .kids ccTLDs, with government controlled registries. Then legal standards can be set for who gets a .kids.cc domain and what content is allowed, what meta-data is required, what services can be provided (which could be blanket stops, like no ads or social media under age 7, or granular, like "age 7-11 can only talk to registered educators or other children within given domains"), and so on. Then everything is in place to have router manufacturers give parents a super easy interface (and technical ones can do their own easily) to add their kids, have a password for each kid, and either automatically filter by general age, or let parents drill in and select specific categories or the like. And it'll all Just Work. Yeah it'll be a lot less stuff then on the main internet, but with government money to fund things and parent-based payment all abstracted from what kids see there will be as much as there was on PBS or the like back in the day.
So specific ID/passwords/parental control is exclusive to those who haven't reached majority. Once they do they an just dispense with it and access everything like we do right now. The entire approach being taken everywhere is 100% backwards, because it's not about the kids at all it's about control over adults.
Compromising privacy for everyone also means compromising privacy of kids as well. And their identity will be known to services that can target them with adds. These policy approaches are simply for surveillance.
This already happens with the existing system. Even before the internet, drivers licenses would get shared so under aged people could buy beer. The same laws, punishments and policing apply and really the best we can do unless you want to start tattooing id on people at birth.
So not a perfect system, but an improvement over the status quo.
I think it’s quite different. If I loan my license to my friend he could get it confiscated and I could be I trouble. I would certainly not loan it to someone I only know on-line.
I don’t see why you can’t have a chip in the ID to perform to age verification without exposing identity.
If the EU actually mandates each member country implements a ZKP for this then I am all for it.
Can they also provide other ZKPs? Specifically to attest that someone is a unique human being? Humanity verification is incredibly important to fight against propaganda online[1]
Sure. At the heart of it, the system just attests that a document is true. That document might say 'the holder of this token is over 18' or 'the holder of this token is a meat popsicle' or 'the holder of this token should look like this photo and is licensed to drive'. It could even attest your actual identity, which might be useful for banking purposes. The trick to preserving privacy is to only reveal the minimum necessary information.
It is an interesting idea you bring up. These sort of disinformation campaigns are making news everywhere, over and over, and this mechanism easily adapted. Like a blue check mark but actually useful, being able to tell social media posts written by a bot farm apart from social media posts written by an arsehole.
A friend and I were the first to have modems at age 12. And we had access to all kind of stuff on BBS and later in newsgroups.
That wasn't meant for our age group and yet there wasn't any harm done.
Others in our classes didn't roam there. (They were more into drinking, smoking and stealing in real life instead)
Guess who is heavily using social media today and unreflectively repeats fake news.
I think what parents should be more concerned about isn't explicit content in various forms (to a degree of course) and instead should be worried about the mounting peer pressures teens are subjected to by the usual social networks. That are instagram, tiktok and co.
Although this also hits people < 30 years as well and maybe older ones as well.
Although I would also think that a early contact might even build up some resistance here.
Free access to information is non negotiable. You can dress it up in whatever argument you like; safety, intellectual property rights, moral imperatives. Take your pick. Information will not be held back, it wasn't held back by any tyrannical regime of the past with much more asymmetrical access to control, not the banning of the printing press, the efforts of the Stasi to ban western music in East Germany, nor China's more recently attempted "Great Firewall", have worked. This also will not work.
I am not worried for myself and for others who are technically inclined, we will just silently find and implement solutions for ourselves and any others who have the energy and inclination to use them. This is worst, as usual, for the most vulnerable among us. Those most in need of the information which they will not be able to access.
Every freedom comes with risks and responsibilities, freedom of information maybe more than any, but the harms of limiting information are much more unacceptable than any caused by its unhindered natural flow.
You can propagandize and scheme to your hearts content. You can lobby your governments to implement your halfbaked schemes. But in the end it won't work... Because people like me and millions of other will just not comply. We will build our own networks if need be, but we will do just about anything rather than accept your terms.
These absolutist arguments will never be taken seriously. Almost everyone can find some form of information they want held back, criminalized and punished for enabling. 'Information wants to be free' died in the 90s when people realized some of the extreme crap this meant and decided to cast out from their societies. Of course it can't be stopped, but it can certainly be outlawed.
> When children are very young, parents can set strict boundaries. But as kids move into their teens, parents also have an obligation to loosen them. Teenagers need spaces where they can act independently, make decisions, and talk to others — where they can learn to navigate the world without a parent looking over their shoulder.
You are still responsible. If you allow your child more freedoms, you are still responsible if something bad happens. Your choice to loosen your parenting shouldn't become everybody else's problem. Some parents for example allow children to try a small quantity of alcohol - if your child is suddenly found drunk, they shouldn't ban alcohol for sale everywhere.
I would go the other way, if it's found as a parent that your child is drinking, smoking, etc, then this carries punishments for the parents. I think it should also be punished if they are found accessing online services targeted at adults.
> The digital version is the same idea, with cryptography. An authorized issuer verifies your age once and issues a signed credential:
Sounds great, but there is a clear agenda for digital IDs that 'they' are trying to shoehorn in with this "protect the kids" thing. They tried rolling it out digital IDs in the UK in 2006 [1].
As I said the other day, what really makes me suspicious is that most Western countries suddenly have the same idea at the same time. This isn't just some random politician wanting to protect children, this is an international concerted joint effort to roll out a form of mass censorship.
> So instead of fighting a system that is built to preserve privacy, we should be fighting to put the right checks in place — the ones that guarantee the implementation actually honors it.
The objective is the system itself. Once there is a control in place to stop you accessing these services/systems, changing the exact unlocking procedure is trivial and can be done gradually. We'll all just be frogs in slowly boiling pots.
> We already accept age restrictions elsewhere. Children can't drive, drink, gamble, or enter certain venues before a certain age. It is not absurd to think parts of the internet should be age-restricted too.
It isn't, but it is absurd that the first things we're talking about is banning kids from social media. "Children do not have a right to free speech" is not a defensible position. In fact it's the sort of thing that should get Nigel Uno and the Kids Next Door on your ass.
The problem is that the argument against child access to social media is a proxy for a different, larger problem: social media is not a public forum anymore. They make heavy use of automated editorialization over the content you're allowed to see, specifically to keep you engaged and addicted. This is absolutely harmful, but it's not uniquely harmful to kids and kids alone. When we regulate these harms for children only, what we're also saying is "Adults can fend for themselves, only children deserve protection".
And, to be clear, social media is more harmful to adults than it is to kids, if only because the stakes are higher. Targeted advertising is absolutely amazing for criminal scammers who want to find specific kinds of marks. This is only possible because we allow social media to accumulate massive amounts of data on people - basically, a privately-run Stasi.
I agree that zero-knowledge proofs would be the least harmful form of age surveillance.
Can I prove that some cryptographic token A) doesn't contain any more information other than what the article outlines and B) that the token itself can't be used as an ID tied to my identity in a government database?
No and no. So, I do not support schemes like this.
As a parent, I strongly disagree with the priorities of the people setting the policies for the age gates.
For instance, roblox is full of pedophiles. Minecraft displays pro-surveillance propaganda to my kid every time they run a game that does not let M$ read their messages.
Even “educational” sites like blooket do not bother to check their content for kid safety or accuracy.
I’d rather police this stuff myself, so I do.
Every implementation of age verification I have seen is counterproductive, and designed to take control away from parents in order to help companies monetize access to children.
The people creating these systems aren’t dumb. They work as designed, which means they are actively harmful to kids and society at large.
This is why age verification cannot be implemented by the vested interests. Rollout in Australia involved making the laws, but leaving the implementation up to the vested interests, and is a mess because of it. A privacy nightmare uploading government documentation to strangers, and companies just just punting responsibility to a designated fall guy ('3rd party trusted verification service'). And most of them don't want to implement things this way, because they don't want to be the next company taking a hit in the stock market because of a public data breach, but have no choice. When governments and societies want age verification, they need to actually take responsibility for it. Which seems to be what the EU is trying to do.
>AVI [Age Verification App Instances] SHOULD support the generation of Zero-Knowledge Proofs
Maybe I'm not seeing the full picture but as long there is a 'should', the whole thing is worthless. Keep in mind, national states need no implement their own solutions and AFAIK during the pilot phase ZKP was just skipped. Could be for other reasons (was not finished yet) but in the end a 'should' is a 'should' and no 'must'.
No kid under 20 will use a PC or Laptop for anything except for school work. All kids under 20 are on Cell Phones and nothing else. PC usually mean work to them, Cell Phones mean fun.
Cells will have age verification if they do not already have it yet the will. Also I think Cells have lots of other personal information (PI).
To me, Age Verification on PCs is a first step to moving these devices into a Cell Phone type of walled garden. World Govs. want to know what you are doing on all your devices. Luckily with Linux (most distros) and the BSDs, you can easily avoid being "watched".
The problem I see here is that many of the things in the "Things that would break the promise" section are pretty much guaranteed to occur - we don't have effective mechanisms to prevent them. Tracking and de-anonymization are big business and age verification mechanisms WILL be exploited for those purposes.
33 comments
[ 3.2 ms ] story [ 42.5 ms ] thread> Here is cryptographic proof that I hold a valid credential proving I am over 18. You can verify the proof, but you learn nothing about who I am.
Is this true though? I am genuinely interested as I haven't looked into the details, but must the user not at least also disclose who the issuer of the credential is so the verifier can verify it against a public key? This also reveals at least the nationality of the user and could be misused to block access to foreigners using VPN.
Yes, any age verification or identity verification system can be used to implement geoblocking. It actually improves the situation. Currently services who want or need to block access to foreigners have no alternative than to block access to VPNs. With a suitable attestation, a service could choose to allow access from VPNs that come with such.
And just like in those cases, what is to prevent someone who is of age giving their ID to someone underage?
What is interesting is that checking physical ID places a burden on the bar. Bars get fined or worse if they do a poor job, or even just take the fall if the kids are more capable than the bouncers. With these attestations though, the government is takes responsibility. The connection is attested by gov to be legal, the gov can't turn around and claim it was illegal. They can't go after you, just the person who enabled the fraud.
Parent have an obligation to loosen the restrictions, and, what, the government has obligations to tighten them and deprive them of the spaces where they can act independently?
I don't care to talk about the premise itself. This reasoning is absurd.
The trick is that you don't need to prove anything. The government hands out an attestation that the holder meets criteria required to meet a government regulation. The government has taken responsibility. It is why you would require an EU attestation from EU users, and a US attestation from US users.
The author described a narrow path that provides "kid safety in the internet" without sacrificing the general population privacy.
Is it technically possible to implement the way he suggests? Yes. Will it be implemented that way? No.
There are people who can affect the way this verification will be implemented who are genuinely interested in more surveillance, heck, remember chat control that is an ongoing fight in a very similar vein, there is a global desire in politicians to get more control over the communications.
To me the author seems either naive or straight up malicious.
The 'it can't be done' arguments are the worse. By spreading the idea that age verification can only be done by violating privacy means, we will end up with a system that violates privacy controlled by vested interests. Like the one already in place where you upload id. Politicians can easily sell out and will be cheered on as they entrench the system. But if that energy was spent pointing out the alternative, that we can do this in a privacy protecting way, then it can force politicians to legislate the right way. I'm looking forward to the EU system actually being rolled out, hopefully reaching their goal of remaining privacy protecting, so I can point to it and insist to my government that we can do better.
Maybe the EU knows it's untenable and is still moving forward because they will be able to demonstrate to the public that privacy enables abuse, creating pretext to make the system not private anymore after it's already been implemented.
The same applies online/digitally except that you can very likely distribute the same ID to many minors without getting a new one allocated.
I’m in the “we should protect kids online” camp, but I am not sure there’s a real way to do it without compromising privacy for everyone.
Of course there is, it's easy! You take a white list approach instead of an auth one. The default is that the general Internet is exclusively for adults. Anonymous = adult. Then use the DNS system to make a set of .kids ccTLDs, with government controlled registries. Then legal standards can be set for who gets a .kids.cc domain and what content is allowed, what meta-data is required, what services can be provided (which could be blanket stops, like no ads or social media under age 7, or granular, like "age 7-11 can only talk to registered educators or other children within given domains"), and so on. Then everything is in place to have router manufacturers give parents a super easy interface (and technical ones can do their own easily) to add their kids, have a password for each kid, and either automatically filter by general age, or let parents drill in and select specific categories or the like. And it'll all Just Work. Yeah it'll be a lot less stuff then on the main internet, but with government money to fund things and parent-based payment all abstracted from what kids see there will be as much as there was on PBS or the like back in the day.
So specific ID/passwords/parental control is exclusive to those who haven't reached majority. Once they do they an just dispense with it and access everything like we do right now. The entire approach being taken everywhere is 100% backwards, because it's not about the kids at all it's about control over adults.
So not a perfect system, but an improvement over the status quo.
I don’t see why you can’t have a chip in the ID to perform to age verification without exposing identity.
Can they also provide other ZKPs? Specifically to attest that someone is a unique human being? Humanity verification is incredibly important to fight against propaganda online[1]
1 - https://blog.picheta.me/post/the-future-of-social-media-is-h...
It is an interesting idea you bring up. These sort of disinformation campaigns are making news everywhere, over and over, and this mechanism easily adapted. Like a blue check mark but actually useful, being able to tell social media posts written by a bot farm apart from social media posts written by an arsehole.
Guess who is heavily using social media today and unreflectively repeats fake news.
Although this also hits people < 30 years as well and maybe older ones as well.
Although I would also think that a early contact might even build up some resistance here.
I am not worried for myself and for others who are technically inclined, we will just silently find and implement solutions for ourselves and any others who have the energy and inclination to use them. This is worst, as usual, for the most vulnerable among us. Those most in need of the information which they will not be able to access. Every freedom comes with risks and responsibilities, freedom of information maybe more than any, but the harms of limiting information are much more unacceptable than any caused by its unhindered natural flow. You can propagandize and scheme to your hearts content. You can lobby your governments to implement your halfbaked schemes. But in the end it won't work... Because people like me and millions of other will just not comply. We will build our own networks if need be, but we will do just about anything rather than accept your terms.
> When children are very young, parents can set strict boundaries. But as kids move into their teens, parents also have an obligation to loosen them. Teenagers need spaces where they can act independently, make decisions, and talk to others — where they can learn to navigate the world without a parent looking over their shoulder.
You are still responsible. If you allow your child more freedoms, you are still responsible if something bad happens. Your choice to loosen your parenting shouldn't become everybody else's problem. Some parents for example allow children to try a small quantity of alcohol - if your child is suddenly found drunk, they shouldn't ban alcohol for sale everywhere.
I would go the other way, if it's found as a parent that your child is drinking, smoking, etc, then this carries punishments for the parents. I think it should also be punished if they are found accessing online services targeted at adults.
> The digital version is the same idea, with cryptography. An authorized issuer verifies your age once and issues a signed credential:
Sounds great, but there is a clear agenda for digital IDs that 'they' are trying to shoehorn in with this "protect the kids" thing. They tried rolling it out digital IDs in the UK in 2006 [1].
As I said the other day, what really makes me suspicious is that most Western countries suddenly have the same idea at the same time. This isn't just some random politician wanting to protect children, this is an international concerted joint effort to roll out a form of mass censorship.
> So instead of fighting a system that is built to preserve privacy, we should be fighting to put the right checks in place — the ones that guarantee the implementation actually honors it.
The objective is the system itself. Once there is a control in place to stop you accessing these services/systems, changing the exact unlocking procedure is trivial and can be done gradually. We'll all just be frogs in slowly boiling pots.
[1] https://en.wikipedia.org/wiki/UK_Digital_ID
It isn't, but it is absurd that the first things we're talking about is banning kids from social media. "Children do not have a right to free speech" is not a defensible position. In fact it's the sort of thing that should get Nigel Uno and the Kids Next Door on your ass.
The problem is that the argument against child access to social media is a proxy for a different, larger problem: social media is not a public forum anymore. They make heavy use of automated editorialization over the content you're allowed to see, specifically to keep you engaged and addicted. This is absolutely harmful, but it's not uniquely harmful to kids and kids alone. When we regulate these harms for children only, what we're also saying is "Adults can fend for themselves, only children deserve protection".
And, to be clear, social media is more harmful to adults than it is to kids, if only because the stakes are higher. Targeted advertising is absolutely amazing for criminal scammers who want to find specific kinds of marks. This is only possible because we allow social media to accumulate massive amounts of data on people - basically, a privately-run Stasi.
I agree that zero-knowledge proofs would be the least harmful form of age surveillance.
No and no. So, I do not support schemes like this.
For instance, roblox is full of pedophiles. Minecraft displays pro-surveillance propaganda to my kid every time they run a game that does not let M$ read their messages.
Even “educational” sites like blooket do not bother to check their content for kid safety or accuracy.
I’d rather police this stuff myself, so I do.
Every implementation of age verification I have seen is counterproductive, and designed to take control away from parents in order to help companies monetize access to children.
The people creating these systems aren’t dumb. They work as designed, which means they are actively harmful to kids and society at large.
>AVI [Age Verification App Instances] SHOULD support the generation of Zero-Knowledge Proofs
Maybe I'm not seeing the full picture but as long there is a 'should', the whole thing is worthless. Keep in mind, national states need no implement their own solutions and AFAIK during the pilot phase ZKP was just skipped. Could be for other reasons (was not finished yet) but in the end a 'should' is a 'should' and no 'must'.
Source: https://ageverification.dev/av-doc-technical-specification/d...
No kid under 20 will use a PC or Laptop for anything except for school work. All kids under 20 are on Cell Phones and nothing else. PC usually mean work to them, Cell Phones mean fun.
Cells will have age verification if they do not already have it yet the will. Also I think Cells have lots of other personal information (PI).
To me, Age Verification on PCs is a first step to moving these devices into a Cell Phone type of walled garden. World Govs. want to know what you are doing on all your devices. Luckily with Linux (most distros) and the BSDs, you can easily avoid being "watched".
Agree or disagree, this is an earnest post about a relevant topic.