this post was submitted on 26 Nov 2025
204 points (99.0% liked)

No Stupid Questions

To be clear, I'm not advocating for online age verification. I'm very much against it in any form. I'm just curious from a technical standpoint if it's possible somehow to construct an accurate age verification system that doesn't compromise a user's privacy? i.e., it doesn't expose the person's identity to anyone nor leave behind a paper trail that can be traced to that person?

[–] SorteKanin@feddit.dk 142 points 2 weeks ago (8 children)

In principle it should be possible to do a zero-knowledge proof.

This means that the website asking for age verification asks a yes/no question like "Is this user 18+?" and the age verification service (like a digital ID provided by the government or whatever) answers "yes" or "no" accordingly, but without telling anything else about the user. Also, the verification service should ideally not know who asked for the age verification.

So the site you want to visit only knows the thing they need to know: Whether you are 18+ or not. Nothing else. And the age verification service only knows somebody asked for age verification and provided the answer, but does not know which site you visited.

This is all possible, but I don't have high hopes this is the intended implementation of any government seeking age verification, so don't get your hopes up.

[–] birdwing@lemmy.blahaj.zone 25 points 2 weeks ago (2 children)

The one who asked the verification service also shouldn't know who the verification service is, imho.

[–] SorteKanin@feddit.dk 33 points 2 weeks ago (1 children)

I'm not sure that is feasible, because in order to trust the answer, I feel the asker must know and trust the one providing the answer. It sounds like you're imagining a system with many different ID providers? What prevents me from creating my own provider that just answers "Yes", even for people under 18? If the site asking does not know it is my fake ID service providing the answer, I'm not sure they can trust any answer.

But I won't pretend to be an expert on this topic, so perhaps it is feasible somehow.

[–] halcyoncmdr@lemmy.world 8 points 2 weeks ago

> the asker must know and trust the one providing the answer.

This is possible if there's a central authority for that that everyone can agree to trust, like the government records directly. The issue is ensuring the rest of the chain remains anonymous so the only thing the authority gets is the request that an undisclosed service is verifying John Doe is 18+ and nothing else. And that's not something many governments are going to want to allow with the increasingly alarming amount of authoritarian leadership.

[–] chicken@lemmy.dbzer0.com 22 points 2 weeks ago (1 children)

There are some pretty strong arguments that even zk proof is a flawed way of preserving privacy though, in a variety of ways. It prevents pseudonymity by enabling one-user-one-account, and it leaves users vulnerable to being coerced to reveal their full online activities by handing over cryptographic keys.

[–] Wren@lemmy.today 13 points 2 weeks ago (1 children)

Got ready to read some bullshit,

Vitalik Buterin

nevermind. But damn, what a great read. I haven't given much thought to on-chain ID in years and he lays it out pretty well. Still sounds like encrypted tokens are the way to go, but we all need to have multiple forms for it to protect anonymity.

[–] chicken@lemmy.dbzer0.com 6 points 2 weeks ago (1 children)

If there's one person who knows their applied zk proofs, it's that guy.

[–] AtHeartEngineer@lemmy.world 8 points 2 weeks ago* (last edited 2 weeks ago)

I worked in this field for 3 years, a lot of the core parts are written, but there are a few key pieces missing and no one has taken it to real production.

You can use a passport in pretty much any country and prove you're over a certain age. Here is a demo: https://github.com/dog-18/dog18

The parts that are missing are primarily around making secure nullifiers, which prevent someone from reusing identities, but also without revealing any private information. We were pursuing research that allowed nullifier generation in MPC where none of the servers or the users knew the "salt" that their identity was hashed with, so no one could recover the original piece of unique data (like their passport number, even if a govt had a hunch about which passports signed up to a service) but it would also prevent them from signing up with multiple accounts. We got our funding cut pretty bad and management was a mess, so I left and that research I think was shut down. This really is the key part to actually make that viable in the real world though. It's maybe a year's worth of research and a year's worth of production left to make that practical.

[–] quick_snail@feddit.nl 4 points 2 weeks ago (1 children)

Does that mean the government sees all the sites I've visited?

[–] SorteKanin@feddit.dk 5 points 2 weeks ago

No, that's what I wrote as well. The identity service would not know what sites were visited or ideally not even how many sites were visited.

[–] Zachariah@lemmy.world 57 points 2 weeks ago* (last edited 2 weeks ago) (5 children)

Even if it works, it’s a solution without a problem. If I can afford internet access, I am mature enough to see anything on the internet, and I am mature enough to decide which users can access my internet-connected network and whether they can have access to the whole internet. That’s all the age verification needed ever.

The request for age verification by each website is purely about unnecessary control and censorship.

[–] ininewcrow@lemmy.ca 44 points 2 weeks ago (4 children)

The problem is not the system or the idea of age verification

The problem is that no one on earth can be trusted with that level of monitoring, control and power.

[–] edgemaster72@lemmy.world 17 points 2 weeks ago (2 children)

Nah you can totally trust me, I'm too lazy to do anything nefarious

[–] ininewcrow@lemmy.ca 13 points 2 weeks ago (1 children)

Great! .... the solution to our problems ... let's all trust edgemaster72

[–] edgemaster72@lemmy.world 15 points 2 weeks ago* (last edited 2 weeks ago) (2 children)

Oh, oh shit, this has backfired massively, I didn't think anyone would go along with it, that's way too much responsibility

[–] some_kind_of_guy@lemmy.world 9 points 2 weeks ago

This is precisely what the chosen one would say!

[–] original_reader@lemmy.zip 11 points 2 weeks ago

Wait until you have that power and you're made offers that are hard to resist.

[–] groet@feddit.org 31 points 2 weeks ago (8 children)

Super easy. Technology has existed for quite some time and was already used in the encryption of web traffic.

Basically: you sign up with your "age verification institution" (ideally a service of your government because they have your ID anyway and no profit motive). This involves creating a private key (reaaaaaaaaaaly long password that is saved in a file on your device) and saving the public key with that institution. They also check your ID to ensure your identity and your age.

When you want to visit a 18+ website, the website sends you a nonce (loooooong random number). You take that nonce and send it to the verifier, along with a signature of your private key (and the age they want you verified against). The verifier verifies your signature using your public key. They then sign the nonce with their own private key, thereby verifying that you, the owner of your private key (whose identity and age they have verified), are above the asked age threshold. You then send the signed nonce back to the 18+ website and they can verify the signature to confirm that a trusted age verifier has verified your age.

The site never has access to your identity and the verifier never knows which site you visited, only that you wanted to visit a website that wants to know if you are of a certain age.

(The corresponding technology was used for OCSP Stapling in TLS verification ... and has been discontinued last year because nobody was using it ...)
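
The exchange described in the comment above, as an added Go example that is not part of the thread: the site issues a nonce, the user signs it for the verifier, the verifier countersigns, and the site checks that signature against one pinned key. Ed25519 and the names `statement`, `Party`, `Verifier` and `Site` are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// statement is the byte string both signatures cover: the age bound plus the site's nonce.
func statement(nonce []byte, minAge int) []byte { return append([]byte(fmt.Sprintf("age>=%d|", minAge)), nonce...) }

// Party is a key pair: the user creates one at sign-up, the verifier holds its own.
type Party struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewParty() *Party {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Party{pub, priv}
}

func (p *Party) Sign(nonce []byte, minAge int) []byte { return ed25519.Sign(p.priv, statement(nonce, minAge)) }

// Verifier is the age verification institution: enrolled public key -> age checked against ID.
type Verifier struct {
	*Party
	ages map[string]int
}

func NewVerifier() *Verifier { return &Verifier{NewParty(), map[string]int{}} }
func (v *Verifier) Enroll(userPub ed25519.PublicKey, age int) { v.ages[string(userPub)] = age }

// Attest sees the user's key, the nonce and the age bound, but no input that names the site.
func (v *Verifier) Attest(userPub ed25519.PublicKey, nonce []byte, minAge int, userSig []byte) []byte {
	age, known := v.ages[string(userPub)]
	if !known || age < minAge || !ed25519.Verify(userPub, statement(nonce, minAge), userSig) {
		return nil // unknown key, too young, or bad signature
	}
	return v.Sign(nonce, minAge)
}

// Site pins one trusted verifier key and admits each nonce it issued at most once.
type Site struct {
	trusted ed25519.PublicKey
	minAge  int
	open    map[string]bool
}

func (s *Site) Challenge() []byte {
	nonce := make([]byte, 32)
	rand.Read(nonce)
	s.open[string(nonce)] = true
	return nonce
}

func (s *Site) Admit(nonce, attestation []byte) bool {
	fresh := s.open[string(nonce)]
	delete(s.open, string(nonce))
	return fresh && ed25519.Verify(s.trusted, statement(nonce, s.minAge), attestation)
}

func main() {
	gov, user := NewVerifier(), NewParty()
	gov.Enroll(user.Pub, 34) // constructed sample user
	site := &Site{gov.Pub, 18, map[string]bool{}}
	nonce := site.Challenge()
	fmt.Println("admitted:", site.Admit(nonce, gov.Attest(user.Pub, nonce, 18, user.Sign(nonce, 18))))
}
```

The nonce is the one value that both the verifier and the site handle, so the separation between them holds only as long as the two do not compare records. Pinning a single verifier key is also what makes a self-made provider that always answers "yes" useless against the site.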

[–] ameancow@lemmy.world 19 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

In my ideal world, it's not an issue because parents don't let kids under a certain age or demonstrated maturity level have computers in their room alone, and even better, they teach their kids how to not have problems with predators, porn, and the deluge of online weirdness and have open, honest talks about how some things are dangerous because they prey on you, some things are dangerous because they get you hooked on certain feelings, and some things are dangerous because they give you false impressions of the world and relationships.

We're about as close to that world as interstellar exploration, I know. Imagine having parents who you don't feel afraid to talk to about mature topics and personal matters.

And all that aside, why is it such a big deal that kids not see boobs but they can see violence and gore? Why is it magically okay for Timmy Neckbeard to watch strangle-fetish porn night and day as soon as he turns 18? Why do we scream about how porn is ruining kids' minds but we're not taking down the grifting "masculinity influencers" with as much zeal as we're going after pornhub and other sites that are mostly just consenting adults doing fun biological acts together? Why do we say porn companies are evil and not do anything to make it less evil like better regulations and resources since we know people are going to find ways to make and view it anyway? (These aren't questions for Lemmy but I would sure love to see communities start asking these questions to their elected representatives.)

Our species' obsession with clear lines and labels is making us ignore where the actual problems are, we build fences around the outcomes not the sources. We create solutions to problems we don't even want to look at directly. It's like the government handing out umbrellas to combat the issue with the massive water main leak flooding the street.

[–] Blackmist@feddit.uk 18 points 2 weeks ago

It can. Zero knowledge proofs have been around a while and are ideal for this.

They'll try not to have that because data gathering is what they're after, not keeping little Timmy from seeing some tits.

[–] DeathByBigSad@sh.itjust.works 15 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

It's possible.

Open source front-interfacing app + a secure element thing in the background.

You download an app. You verify your identity, then the app sets up an OTP thing with the shared secret seed lasting for 30 days. But every 30 seconds the OTP changes. Everyone doing a verification in these 30 days gets the same exact secret seed.

The seed hides in the secure element of your device. (It won't be impossible to extract, but the average kid is not gonna be able to hack a secure element.) Every 30 seconds, it releases the new OTP to the open source app. The app doesn't connect to the internet once the OTP has already been set up. So nobody knows if you actually view the OTP code.

So the government only knows you have the verification OTP set up, not which websites you visited; the website only knows you have a valid OTP from the government, but you could be any of the people in the past 30 days (which the company doesn't even have access to).

Even if the company and government cooperate, they could only pin down the time of website registration and that you are one of the millions of people that did the verification and requested an OTP seed.

(Idk the exact terminology for these things, but hopefully I make sense)

[–] anton@lemmy.blahaj.zone 7 points 2 weeks ago

> The seed hides in the secure element of your device. (it won't be impossible to extract, but the average kid is not gonna be able to hack a secure element).

But only one person needs to "hack" it on their device to publish the key, allowing everyone to use it without "hacking" their own device.

You can't store a key on a device and keep it safe from the owner.
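
The shared-seed scheme from the comment above and the objection raised in the reply, as an added Go example that is not part of the thread. It assumes the codes are RFC 6238 TOTP, that the checking side holds the cohort seed, and that the issuer derives each 30-day seed with HMAC; `CohortSeed`, `Code` and `Valid` are names made up here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const (
	step   = 30                // seconds each code stays current
	window = 30 * 24 * 60 * 60 // enrolment window that shares one seed: 30 days
)

// CohortSeed returns the seed handed to everyone who enrols in the same 30-day window.
// Deriving it as HMAC-SHA256(master, window index) is an assumption of this example.
func CohortSeed(master []byte, enrolUnix int64) []byte {
	var idx [8]byte
	binary.BigEndian.PutUint64(idx[:], uint64(enrolUnix/window))
	mac := hmac.New(sha256.New, master)
	mac.Write(idx[:])
	return mac.Sum(nil)
}

// Code is RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30-second step).
func Code(seed []byte, unix int64) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unix/step))
	mac := hmac.New(sha1.New, seed)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation from RFC 4226
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(sum[off:off+4])&0x7fffffff)%1000000)
}

// Valid is the checking side: it accepts the current step and one step of clock skew either way.
func Valid(seed []byte, code string, unix int64) bool {
	ok := false
	for _, t := range []int64{unix - step, unix, unix + step} {
		ok = hmac.Equal([]byte(Code(seed, t)), []byte(code)) || ok
	}
	return ok
}

func main() {
	master := []byte("constructed issuer master key")
	now := int64(1764115200) // constructed clock value
	alice, bob := CohortSeed(master, now-3*86400), CohortSeed(master, now-5*86400)
	fmt.Println("same code for two users:", Code(alice, now) == Code(bob, now))
	published := append([]byte(nil), alice...) // a seed copied off one device
	fmt.Println("published copy accepted:", Valid(bob, Code(published, now), now))
}
```

Both lines print `true`: the code carries no per-user information, which is the privacy property, and for the same reason the checking side cannot tell an enrolled device from any other holder of the seed until the window rotates.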

[–] blaggle42@lemmy.today 15 points 2 weeks ago (1 children)

Yes. Look up "zero knowledge proofs"

[–] blaggle42@lemmy.today 21 points 2 weeks ago (1 children)

I mean "no, look up zero knowledge proofs"

[–] Modern_medicine_isnt@lemmy.world 14 points 2 weeks ago (12 children)

Nope, you always need a middle man to do the verification. That middle man has too much information.

Also, if you could solve for the middle man, there is no way to know the user belongs to the ID. It can easily be stolen.

[–] grandel@lemmy.ml 12 points 2 weeks ago* (last edited 2 weeks ago)

No, it should be a browser setting. If parental controls are enabled, access should be denied to the site.

[–] qevlarr@lemmy.world 11 points 2 weeks ago

It is possible, but the real goal is about removing anonymity altogether

[–] Natanael@infosec.pub 9 points 2 weeks ago (3 children)

Correct, as a cryptography nerd I can assure you that you MUST at minimum have a trusted verifier which met you in person at some point (such as whatever office you get your physical ID card at) and they have to have your information.

And then you're trusting both Secure Element hardware and fancy cryptography where both must be flawless in order to protect the end user's side of it, all while the end user now carries much more personal information with them than before

[–] ComradePenguin@lemmy.ml 9 points 2 weeks ago (3 children)

Yes. There are many solutions.

Maybe the absolutely easiest to implement is just a signed message from an authority (gov.). You click a button on the website that requires verification, get a new tab to a gov. site with no identifiers from the site redirecting you and get a message you copy. The copied message is then pasted into the site requiring verification. The site can then verify the message at their servers.

[–] Scirocco@lemmy.world 14 points 2 weeks ago* (last edited 2 weeks ago)

Hey benign and honorable govt!

Please tell the website "kill-your-govt .net" that I am old enough to join the revolution!!!

Kthxbai

edit: if this was pasted in both directions AND we trust that there is no identifying information in either 'secret' message, might work. Normies will not like the ctrl-c/ctrl-v workflow though.

[–] ameancow@lemmy.world 9 points 2 weeks ago (1 children)

That still creates a chain that can be followed. If the site you're trying to enter is ever compromised, there will be a record of your government code and whatever tracking is used to verify that you have entered your code.

I would be happy if the government was not involved in my online activities at all but I guess that ship is about to sail.

[–] DoctorPress@lemmy.zip 5 points 2 weeks ago (2 children)

This requires you to trust gov that they will not trace where the secret message is pasted.

[–] daniskarma@lemmy.dbzer0.com 8 points 2 weeks ago* (last edited 2 weeks ago)

It's possible with certificates and 2FA issued by a government, which already has all your data, that would only verify that you are over 18.

We already have that in Spain, sort of. We have a government app where you have a digital ID stored and you can make it create a verification QR that only shows if the user is over 18 or under 18, no more data. The QR is only active for 5 minutes.

Is it necessary? Not for internet access. That's a duty of the one paying for internet in the household, not the government. If they have underage kids under their responsibility, it's their duty to make sure that they get a good education about what to see and what not, and restrict access if needed. Having the government universally interfere with everyone is just plain bad.

[–] birdwing@lemmy.blahaj.zone 7 points 2 weeks ago* (last edited 2 weeks ago)

Zero-knowledge proof. Medium has a practical example, though unfortunately the article logs user data, so beware on that.

[–] Nighed@feddit.uk 7 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

The government knows who you are. They know your age, your address and know you exist (probably).

You go to a site that requires age verification. You say: please verify me with the government portal. You go to that portal to get a temporary ID code to give to the site. The website says to the gov portal: give me the name and age of the user with this temp ID. You approve that access. Portal sends age (or an is-over-16/18/21 etc. flag) to the site.

  • Gov portal doesn't need to know who the site is.
  • You don't provide a unique ID to the website, just a temporary one.
  • As the codes are temporary, you must have access to the ID/login now, not just at some point.
  • Site only gets the data you approve/it requested, not everything.

The process can do with some streamlining, but should work in practice?

[–] ilinamorato@lemmy.world 5 points 2 weeks ago (13 children)

I'm inclined to say no. Reducing the problem down to its most basic parts: Alice is authorized to talk to Bob, but Bob doesn't know that. How can Alice prove it?

Bob has to assume that anyone asking to talk to him could be Mallory, who isn't authorized to talk to him but will always answer "yes" if asked whether she is. So the authorization he gets has to be from a trusted third party; it can't come from Alice.

Grace is a trusted third party. If Alice doesn't care about privacy, and is okay with Grace knowing that Alice talked to Bob and with Bob knowing Alice's identity, Alice can just tell Bob, "here's proof that I'm Alice. Show this to Grace and she'll confirm that I can be here." This is SSO, essentially.

If Alice doesn't want Bob to know who she is, but is ok with Grace knowing that Alice talked to Bob, she can ask Grace to give her a secret code, and give that code to Bob, who can check with Grace to know whether or not that code corresponds to someone who is authorized.

If Alice doesn't want Grace to know that she's talking to Bob, though, she runs into a problem. Because there's no way for Grace to send Bob a message without knowing who Bob is, he can't ask anonymously, and because there's no way for Grace to confirm that Alice is authorized without knowing who she is, Grace will always know that Alice has asked for authentication to talk to Bob.

Adding Dave in as a trusted fourth party could solve the problem—Alice asks Dave to check with Grace, and lock his answer in a bag with a unique key that only Dave has. Then Grace could give the bag to Bob, who doesn't need to know who Grace is to pass the bag to Dave and ask him to unlock it. But Alice would be trusting that Dave won't keep records on which bag corresponds to which person.

I don't think that's a surmountable problem. I'll have to think about it some more.

[–] sharkfucker420@lemmy.ml 5 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

It's possible but it would defeat the purpose of age verification

[–] quick_snail@feddit.nl 5 points 2 weeks ago

Yes, but your government doesn't want that.

[–] pdqcp@lemmy.dbzer0.com 4 points 2 weeks ago

Yes, it is. See quark ID as an example of a decentralized open source project by the city of Buenos Aires, in Argentina, which leverages zero knowledge proofs:

https://quarkid.org/
https://github.com/ssi-quarkid

[–] Archangel1313@lemmy.ca 4 points 2 weeks ago (1 children)

It's only possible as long as you trust the people you're giving your information to. So...no.
