Many might’ve seen the Australian ban of social media for <16 y.o with no idea of how to implement it. There have been mentions of “double blind age verification”, but I can’t find any information on it.
Out of curiosity, how would you implement this with privacy in mind if you really had to?
Frankly, the only sane option is an “Are you over the age of (whatever is necessary) and willing to view potentially disturbing adult content?” style confirmation.
Anything else is going to become problematic/abusive sooner or later.
Not a cryptographic expert by any means but maybe something like this would work. This’d be implemented in common places people shop: supermarkets for instance. You’d go up to customer service and show your ID for visual confirmation only; no records can be created. In return the service rep would give you a list of randomised GUIDs against which the only permissible record can be “has been taken”. Each time you need to prove your age you’d feed in one of those GUIDs.
You can’t.
Age verification is not compatible with any remotely acceptable version of the internet. It’s an obscene privacy violation in all cases by definition.
Any implementation short of a webcam watching you while you use the site is less than trivial to bypass with someone else’s ID while opening numerous massive tracking/security holes for no reason.
A joke answer, but with the kernel of truth - IRL age verification often requires a trusted verifier (working under threat of substantial penalty) but often doesn’t require that verifier to maintain any documentation on individual verification actions
As in, you have to roll up to an “age verification bureau” and say “I’d like to sign up to $platform, please verify that I’m of legal age to use it and tell them so”, then you buy a “token” that you can enter upon signing up? Am I understanding that correctly?
I wasn’t thinking in detail, just addressing an assumption I think a lot of age verification discussions include, which is that the verifier would have to be trusted to maintain some sort of account for you, retaining your data etc.
I have no idea what the legislation says, but I’d be a happier privacy-conscious user if the verification platforms were independent (i.e. not in any other data business) and regulated, with a requirement they don’t retain my personal data at all (like the liquor store example)
So the verifier gathers data from you, matches it with a request from the platform, provides confirmation that some standard has been met, and deletes almost all personal information - I acknowledge that this may not rise to the double-blind standard of the original request
Edited to add:
-
you don’t have to ‘buy’ a token, the platform needs to pay verifiers as a cost of business
-
some other comments are asking how you prevent the verifier knowing the platform - to my mind you don’t, instead the verifier retains a request id record from the platform, but forgets entirely who you are
-
Sounds quite a lot like zero-knowledge proof
Here in Belgium we have cryptographically signed tokens on our legally mandated IDs.
You can use that token to do all sorts of things (my company uses them as authorship signatures for our quality system for medical devices), but if we had some standard like that, then we could have some software that would have a OTP based on that that is a huge list of valid OTPs in a website API or so, not linked to the token itself. (So you would have to trust this software that generates the OTP). You will get people using the same OTP, but that wouldn’t matter because it would just be a validity check. Lind of like the old product key generators for games.
Sure this could be abused or gotten around by a programmer or hack, but for 95% of the population it would be effective age verification without giving away any information or statistics. Sure, people could also abuse it and save a code and use it constantly, but then they would already have been verified. Sharing a code around would also happen with teens, but it would be far more effective than not, especially for the low stakes of age verification.
yes and no: the government already has systems in place that know your age, or they can pay 3rd parties to have maintain records… so yes kinda you’d have to verify with them or they’d already have them, but you wouldn’t need to do that for each platform: it’d likely act like a social login (“login with facebook” etc) where you just tap a button and have the service attest to identity details without providing the identity itself
Ah, easy then: lower the drinking age from 18 to 16.
It can’t. It requires invasion of privacy to verify information about the individual they don’t have the right to access.
Digital age verification goes against privacy. Let’s not delude ourselves into thinking it can.
If I really had to, I would require everyone to whip out whatever assets of sexual maturity they happen to have, and let the computer analyze it and decide a maturity level.
I would also keep copies for blackmail purposes, because the world is a better place if we all mistrust this solution and anything remotely like it. It’ll be in the legal fine print, which I’m confident no one will read.
Every answer (other than “trust the user to self identify”) is at least remotely like mine, but I’m proposing we cut out the half-measures on the way.
To avoid personal consequences, the system I architect will probably wait on a dead-man-switch for me to die or be incarcerated.
Then it will publish everything it has ever seen, along with AI generated commentary. I’m confident that some of it will be hilarious, and I am hopeful that it will piss everyone off enough that we stop doing this kind of thing.
So, send’em a dicpic and you’re in :)
Sites are just going to ask people ‘Are you over 16? (Y/N)’. Site is now legally covered, and that is all anyone cares about.
Just like porn and grog is Australia already .
Not to mention my space you needed to be over 16vor something so we all lied
My friend has worked with a government to create zero-knowledge proof from IDs. Turns out there’s a lot of good software engineered to solve that problem.
The UX is still shit tho
Any open projects you could point to on the subject or articles about the government efforts? I would love to learn more on that!
https://github.com/openpassport-org/openpassport
I need to get back to Florent to ask him about his advances but this is the repo he worked on! Seems pretty exciting !
Choose the classic “are you 18 or older” dialog. KISS.
in blockchain tech, there’s the concept of “zero knowledge proofs”, where you can prove having certain information without revealing the info itself
It cannot
Well Australia will probably so something privacy invading and fascist.
I guess if you want it to be somewhat private you could have some kind of hash or token generated from your identification information. I bet that would be fairly private
Who has age authority? A state agency or service. Like the state issues an ID with age.
Preferable, we want the user to interact with a website, that website request age authentication, but not the website to talk to the government, but through the user.
Thus, something/somewhat like
- State agency issues a certificate to the user
- User assigns a password to encrypt the user certificate
- User connects to random website A
- Random website A creates an age verification request signed to only be resolveable by state agency but sends it to the user
- User sends the request to a state service with their user certificate for authentication
- State agency confirms-signs the response
- User passes the responds along to the random website A
There may be alternative, simpler, or less verbose/complicated alternatives. But I’m sure it would be possible, and I think it lays out how “double-blind”(?) could work.
The random website A does not know the identity or age of the user - only to the degree they requested to verify - and the state agency knows only of a request, not its origin or application - to the degree the request and user pass-along includes.
It can’t be. The entire concept is a Trojan horse to kill the anonymous internet.