Readit News
OkayPhysicist · 17 days ago
The key problem with this entire issue is that it's basically a morality law. There are classes of crimes that, over time, society has discovered simply do not have an enforcement mechanism less damaging than the harm they are seeking to prevent.

An example is Adultery. Most people will agree that it is morally wrong to cheat on your spouse. The reason civilized countries no longer have adultery laws is not because a majority of people support the crime, it's that the level of control a government needs to exercise over its citizenry to actually enforce such a law is repugnant. The state must proscribe definitions of infidelity (human sexuality being the mess it is, this alone is a massive headache), then engage the state apparatus to surveil people's intimate lives, and then provide a legal apparatus that prevents abuse via allegation. And for what? So that people's feelings are a little less hurt?

The juice simply is not worth the squeeze.

So it goes for age restrictions. Age verification creates massive potential for invasion of privacy, blackmail, censorship, and more, necessitating a massive state censorship apparatus to block foreign content, and for what? So that little Timmy's forced back into trading nudie mags at the bus stop? To save parents the onerous effort of telling their kids "no"?

It's simply not worth it.

Illniyar · 17 days ago
I think that's a bit of rationalizing. I don't think there's much evidence that Adultery is no longer a criminal offense because people were concerned about privacy or government control.

It's that people became more secular, Adultery is considered a sin and not a crime, and modern countries instituted separation between religious and secular laws.

const_cast · 16 days ago
Adultery was always a morality law, it's just that most morality laws are derived from religion.

Morality laws, by their nature, require an iron fist to enforce. Because they have no rational consequences or proven tangential harms, we have to police the mind. Which is very difficult to do.

That's not to say that immoral things should always be legal. Murder is immoral too.

But murder isn't just immoral, that's the difference. It's also a real thing that does real harm we can measure and see.

tim333 · 16 days ago
As a Brit I'd say the recent law isn't like that. When I was a kid, pre internet, the porn was restricted by putting it on the top shelves and telling staff not to sell them to kids, likewise X rated movies etc. It worked fine. Adults didn't have to show ID to go to the movies. If a 16 year old got in to an X film no one cared.

The modern law is an attempt at an internet equivalent. It's not using the courts to police adultery.

amelius · 17 days ago
Ok, but how long will it take the people in power to figure this out (again)?
smegger001 · 17 days ago
They won't (they view those as features not bugs) they need replaced with ones that already know.
Y_Y · 16 days ago
Unfortunate typo of proscribe (forbid) instead of prescribe (write down)
DeRock · 17 days ago
Adultery not being a crime goes far beyond its enforcement mechanism.
xyzzy123 · 17 days ago
It's perfectly legitimate for the state to have laws where preventative enforcement is not really possible. Like, we can't surveil everyone such that we can stop murder, but we wouldn't want to do without laws against it.

There are also a lot of differences between adultery (a p2p activity between individuals, usually with no compensation) and the activities of a business like pornhub which is a big platform with lots of employees and multiple large revenue streams. It seems both reasonable and feasible to me to regulate the latter.

For this specific issue (harm to children through greatly increased access to porn via electronic devices) I think of it more like selling cigarettes to under 18s - it's worth doing something about the problem! - but like you I believe that the proposed age verification laws are not a great solve for the actual problem.

const_cast · 16 days ago
We already don't sell porn to kids. Having an Internet connection requires an adult to buy it and verify their identity and residence.

What you're actually asking for is for the store clerk to follow you home and watch you smoke the cigarette to make sure you don't give it to your kid.

Now it doesn't seem so reasonable.

tempodox · 16 days ago
> harm to children through greatly increased access to porn via electronic devices

I'm curious what harm that would be. As a teen, I once watched a porn movie with my parents, just out of interest. After I've seen it, I became deeply disinterested. Real life is much more interesting. Kids are not stupid, they know these scenarios are completely fictional. And the novelty wears off really quickly.

cogman10 · 17 days ago
The big problem I have with laws like the UK has been that they solve a non-issue at the cost of large infrastructure and potential privacy problems.

Teenagers have been looking at porn since forever. It's practically a trope of teens stealing their parents' porn mags. I don't think any of this has actually caused major societal issues.

The proposed solutions merely require that a teen steal their parent's identification, briefly, to create a porn account and move on. Heck, they can probably buy that information online if they are innovative enough. They certainly will be selling access to their porn accounts to their classmates. And even if they don't go through all that trouble, getting a porn mag is still pretty possible in the UK.

That makes this just a bad law. It doesn't meaningfully stop the problem it's meant to stop and it's expensive and intrusive. Even if privacy preserving age verification was bulletproof and perfect, you still have the access holes all over.

And then there's the simple fact that other nations exist. Yes, mainstream sites will put up protections, but what about the Sealand porn site? Unless the UK wants a great firewall (ala the Chinese firewall), they simply aren't going to stop this problem. Even then, VPNs are common knowledge at this point due to streaming.

Bad law, bad effects, and a pointless fight.

can16358p · 17 days ago
It's 2025 and we're still discussing people's access to porn because of some conservatives, whereas we should be discussing how technology could actually be used to improve the world.

Unbelievable. Let people watch their thing if they want to, jeez.

There are MUCH more important problems on Earth.

unfitted2545 · 17 days ago
> I don't think any of this has actually caused major societal issues.

It degrades and oppresses all women.

const_cast · 16 days ago
Yes, and that's why in sexually repressed time periods like the 1950s, women were significantly less oppressed. Wait...

It's tough, because we can make arguments that porn is bad, but we also know for a fact that purity culture is one of the cornerstones of the patriarchy.

Do we really want to ramp purity culture back up on the off chance it makes people like BDSM or something slightly less?

impossiblefork · 17 days ago
I don't necessarily disagree, but surely not more than not having it age limited?
owisd · 17 days ago
Having a device in your pocket that you take everywhere with no stigma to being seen with it yet it has unlimited access to any genre of porn you can think of is hardly comparable to finding a 90s porn mag in a bush from time to time, so you can't really say this has been happening forever.
cogman10 · 17 days ago
Erotic novels have been discreet for a while. It's also not been usual to have a laptop in public since the 90s. There are definitely pictures of people perusing porn on trains (visible in reflections).

Briefcases were also a thing as have been strip clubs since forever. Quick access to porn hasn't been a problem since the printing press was invented.

mzhaase · 17 days ago
So in Germany we have an ID card with a PIN, NFC and a government app. Website owners can request to be able to use this feature. They then get a certificate from the government that has the fields they are allowed to request stored within it.

Websites can request data from the user by sending that certificate, it opens the app, it shows you the categories of data to be sent, you hold your ID card to the phone, enter the PIN, and the certificate is uploaded to the ID card which verifies it. If it's valid, the ID sends back the data that is specified in the certificate.

You then get presented with exactly the data that is going to be sent to the website. You can then agree or disagree. So far that is only used to log in to government websites.

This way the government does not know which sites you visit, and you only send your age to the website.

crote · 17 days ago
The problem with schemes like these is that it is reasonably easy to come up with something which is pretty close, yet still missing some crucial details.

- You do not want the government to know which websites you visit. This rules out any kind of redirect / forwarding via a government website or app.

- You do not want websites to correlate their requests, as that would allow for cross-website tracking. Request data from website A should be completely useless to website B. This rules out most regular certificate schemes.

- You do not want a website to correlate multiple data requests, as that would allow websites to create some kind of supercookie. Requests should be completely independent, and two requests from the same user should be indistinguishable from requests from two different users.

- You do not want to lose privacy when the government and the website work together. The request should still be anonymous when the two collaborate, or else there can be no reasonable assumption of privacy. This rules out most clever pass-a-one-time-code schemes.

- You want the request to be unique and time-bound. It should not be possible to replay a response, either to the same website or a different one.

- You do not want to send more data than strictly necessary. If a website needs to know if you are 18 or older, it should only receive a boolean flag.

Getting some of those properties is easy. Getting all of them at the same time? Nearly impossible. And the worst part is that I almost certainly forgot a handful of requirements!

hedgehog · 17 days ago
The technical issues are workable, the really difficult issue is none of the big stakeholders really care about the level of privacy you describe. Priorities like audit compatibility, cost of deployment, etc all end up governing what standards get adopted.

Edit: And as Doctorow points out there are a host of other issues that arise from actually deploying a working system.

sltkr · 17 days ago
You're doing the thing where you hold age-verified requests to an unreasonably high standard of privacy, ignoring the status quo.

The absolute majority of porn viewers access a mainstream site like Pornhub through their home or mobile ISP, which is required to verify the owner's identity. So in practice, if you're an average user (note: Hacker News users aren't average users) your ISP already knows which porn sites you visit, and your privacy is dependent entirely on your ISP not sharing that information with the government or other organizations.

If you look closely you'll see that none of your concerns are actually valid.

> You do not want the government to know which websites you visit. This rules out any kind of redirect / forwarding via a government website or app.

Technically trivial (e.g. using Referrer-Policy: origin).

> You do not want websites to correlate their requests

Impossible to guarantee today.

Yes, this sucks, but this is not a failure of age verification.

> You do not want a website to correlate multiple data requests

This isn't the norm today. For example, Pornhub today already doesn't work without cookies. That doesn't stop users from flocking to it.

Still, it _would_ be technically possible to provide this; see Cloudflare Turnstile for an example. But nobody cares; neither mainstream users nor site owners want stateless websites.

> as that would allow websites to create some kind of supercookie.

No it wouldn't.

> You want the request to be unique and time-bound. It should not be possible to replay a response, either to the same website or a different one.

Technically trivial.

> You do not want to send more data than strictly necessary. If a website needs to know if you are 18 or older, it should only receive a boolean flag.

Technically trivial.

So to summarize: literally all of your concerns are easily dismissed as either easily solvable or already part of how the web works. None of it is pertinent to the topic of age verification.

fabian2k · 17 days ago
It's even more restrictive than that, for age verification you only get back whether the person is above the age limit or not, it's a boolean response.

So I think from that view the eID works pretty well, it provides the minimal necessary information. The bigger issue with something like this is if you use them to enforce real name policies or stuff like that.

progbits · 17 days ago
Presumably the request contains some nonce, otherwise this is trivial to replay?

But even then, I can volunteer my ID, keep it permanently attached to a computer running a server that allows certain requests (like the boolean age check), and then provide an API / client that allows anyone anywhere to use it to pass.

No risk to me (none of my data leaks), presumably no rate limits (the card has no way to track time; at best it could store recent request timestamps but I doubt it does).

In fact even better, use stolen or lost cards. Owner will get a new one, but the old one has no way of knowing it's voided. We can build a network that is able to sign whatever info (age, gender, city, name) you want, as long as we have one ID with such info.

hsbauauvhabzb · 17 days ago
That still results in the government knowing you connected to that website though.

Edit: unless there’s a blind middleman that has tight data policies?

danaris · 17 days ago
...Unless the government is specifically looking out for this, that's easy to game by just submitting a bunch of requests for age validation with incrementing ages.

Is that worth it? No idea—but I'm willing to bet some surveillance advertisers think it's worth it.

input_sh · 17 days ago
I completely agree it's technologically feasible in basically every continental European country (as we all have some form of biometric IDs), but do you want to have to do that every time you open a private tab to look at porn? Do you want to not be able to clear your browser cookies without going through that process all over again for basically every website? Do you want to extend 2FA into 3FA with your national ID acting as the third factor so you can view "sensitive" content?
baby_souffle · 17 days ago
This guy gets it!

Don't get me wrong, I love diving into the technical details just as much as anybody else here. I've learned something new almost every time there's a comment thread on the subject.

But the technical details are a distraction. That this is happening at all is the forest the technical crowd is going to miss for the trees.

Preserving some semblance of privacy on the internet is already hard enough. We do not need systems like this to encroach any farther; the risks to personal privacy are so great and could be caused by such a simple, innocent and subtle configuration mistake.

tgp · 17 days ago
The ID card also has this amazing function where you can log in to sites using the card without revealing your identity, and even merging the databases from two sites does not allow two users to be identified as the same natural person: https://www.personalausweisportal.de/Webs/PA/EN/business/tec...

I have never seen a website offering login using this function, though ;-)

number6 · 16 days ago
I always wanted to play around with this. It's like a FIDO2 Stick everybody has.

But then again, who wants to use their ID card for some trivial non government site just to create an account

nottorp · 17 days ago
> This way the government does not know which sites you visit

Hmm. It's not clear from the description that it is so. The government knows which site sent the request and authenticates your card, which is tied to your identity, right?

zeeZ · 17 days ago
There's:

- the ID card which trusts the government PKI and has its own private key and certificate

- the application that does some certificate checks and facilitates communication between the card and an eID server

- an eID server which is connected to the PKI and regularly receives short lived certificates to present to the card, does revocation checks, validity checks and a bunch of other stuff. Also provides a list of fingerprints of TLS certificates of eID services allowed for the session

- an eID service which opens a session with the eID server indicating requested data and ultimately receives this data from the eID server. They own the legalese certificate of which data they have access to.

- maybe another provider wrapping all this and the required certifications, compliance and hardware into an easy to use API. But could also all be the same.

It could be argued that the government has influence on the eID server providers - which do the actual communication with the card and are the first to receive the data before passing it on - via access to the necessary PKI, but they're not directly involved in the communication.

Deleted Comment

babypuncher · 17 days ago
That certificate retrieved from the government has no personal information attached to it. It's essentially empty, only defining what information will be requested from the user.

The certificate is passed to the user's ID card where that information is populated, the document is cryptographically signed, and returned to the requesting party after the user reviews and approves the transaction.

Hizonner · 17 days ago
Age and IP address are probably sufficient to uniquely identify most Internet users.
michaelt · 17 days ago
Interesting. How does the revocation of lost/stolen cards interact with the anonymous design of the age attestation?

If an enterprising 19-year-old sold their card and PIN to a 15-year-old and reported it lost to get a replacement, presumably there's some mechanism to stop the 'lost' card being used as proof of age?

zeeZ · 17 days ago
There are some steps missing.

The card communicates with an eID server via the app. This server is connected to the PKI and receives a new certificate daily-ish and also has a revocation list of blocked IDs. There's a ridiculous amount of regulation for hosting one yourself, so you get that service from one of the two or three who provide it as a service.

ID data this eID server received from the card is then sent to the eID service that initiated the session, which may either be the entity who needs it, or another service provider who wraps another set of regulation requirements and complex eID server API calls into an easy to use API for their customers.

ID data isn't actually shown to the user in the app unless it's a custom implementation that loops it all the way back from the service provider at the end.

flopbob · 17 days ago
That would be an unlikely scenario. No one would just sell their ID just like that because you have to go to the police to make a report on what happened exactly which then gets distributed in whole Europe and also getting a new ID is quite a procedure and costly unfortunately
zeeZ · 17 days ago
For the curious, look up BSI TR-03124 eID-Client and BSI TR-03130 eID-Server for technical implementation, available in English.
BlueTemplar · 16 days ago
This might be fine, especially if it was restricted to a specific subset of websites, but I presume that (especially in Germany !) the ID card is not mandatory, and neither are smartphones, and pushing both of them towards being nearly socially mandatory requirements is a very bad idea, especially in a context where iPhones / Androids are somehow still not only effectively legal in the EU, but even dominant.
dvdkon · 11 days ago
I agree about smartphones, but ID cards actually are effectively mandatory in Germany (per Wikipedia, you don't need one if your primary address on record is in another country, or if you have a passport). The situation in the neighbouring Czech Republic is the same, and I think many other European countries have similar laws.
michael1999 · 17 days ago
I'd refine Doctorow's claims to "Privacy preserving age verification is bullshit in the Common Law Anglo world".

You are completely correct that civil law jurisdictions have already solved this: Germany, Estonia, and many others have all the requirements: a register of all persons available to the central authority, and crypto infrastructure to make it work.

What's missing from the UK, Canada, USA, etc. is the first part! It is hard to believe if you live in Germany, but there really is no big master list of people in those countries. There are many (many, many) lists, linked badly by many different ids. The tax registry, pension registry, drivers license registry, and visa registry are some of the big ones.

Things could be so much simpler if we had such a thing, but the politics between here and there are basically impossible.

wizzwizz4 · 17 days ago
Those big (computerised) master lists were really useful for the Holocaust: I'm not sure it's a bad thing that some countries don't have them.
pier25 · 17 days ago
There's no way this could be implemented globally.
tetraodonpuffer · 17 days ago
why don't you think this would work? Technically this is basically "the (SP) site trusts another (IDP) site to sign/encrypt a JWT containing some custom assertions". The user would go to the SP, get a signed blob (session nonce / expiry / whatever), take that to the IDP, log in there, IDP creates a JWT with the original blob plus any assertion you allow, you post the JWT back to the SP, SP decrypts the IDP packet, gets its own nonce, ties you to the session, done.

There are also obviously better ways (https://blog.cloudflare.com/privacy-pass-standard/ possibly some variation of zero knowledge proofs) but technically this seems like a solvable problem. Money wise the IDP or in general verifier can charge users for an account and/or generated assertions.
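
The SP/IDP exchange sketched in this comment, as an added example (not code from the commenter or from any eID project); it also shows the nonce and expiry handling raised in the replay question and the "unique and time-bound" requirement earlier in the thread. The class names are hypothetical, and an HS256 key shared by IDP and SP stands in for a real IDP signature scheme. The IDP still sees the nonce, so an IDP and a site that compare logs can link the request to the account.

```python
import base64, hashlib, hmac, json, secrets, time
from datetime import date

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(key: bytes, msg: str) -> str:
    return b64u(hmac.new(key, msg.encode(), hashlib.sha256).digest())

class ServiceProvider:
    """The site that needs the age check (the 'SP' in the comment)."""
    def __init__(self, idp_key: bytes, ttl: int = 120):
        self.key = secrets.token_bytes(32)  # known only to this SP
        self.idp_key = idp_key              # assumption: HS256 key shared with the IDP
        self.ttl = ttl
        self.pending = {}                   # nonce -> session id, removed on first use

    def issue_challenge(self, session_id: str, now: float = None) -> str:
        now = time.time() if now is None else now
        nonce = secrets.token_urlsafe(16)
        body = f"{nonce}.{int(now) + self.ttl}"
        self.pending[nonce] = session_id
        return f"{body}.{mac(self.key, body)}"  # opaque to the IDP: no site name inside

    def accept(self, token: str, session_id: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        try:
            header, payload, sig = token.split(".")
            # 1. The IDP really issued this token and nobody edited the claims.
            if not hmac.compare_digest(sig, mac(self.idp_key, f"{header}.{payload}")):
                return False
            if json.loads(b64u_dec(header)).get("alg") != "HS256":
                return False
            claims = json.loads(b64u_dec(payload))
            # 2. The embedded challenge is one this SP minted, and it is still fresh.
            nonce, exp, tag = claims["challenge"].split(".")
            if not hmac.compare_digest(tag, mac(self.key, f"{nonce}.{exp}")):
                return False
            if now > int(exp):
                return False
        except (ValueError, KeyError, TypeError, AttributeError):
            return False
        # 3. The nonce belongs to this browser session and has not been used before.
        if self.pending.get(nonce) != session_id:
            return False
        del self.pending[nonce]
        return claims.get("over_18") is True

class IdentityProvider:
    """Knows who the user is; tells the SP only a boolean."""
    def __init__(self, key: bytes, birthdates: dict):
        self.key = key
        self.birthdates = birthdates  # constructed sample data: account -> date of birth

    def attest(self, account: str, challenge: str, today: date) -> str:
        dob = self.birthdates[account]
        age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
        header = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        # No subject, name or birthdate in the claims: only the SP's blob and the flag.
        payload = b64u(json.dumps({"challenge": challenge, "over_18": age >= 18}).encode())
        signing_input = f"{header}.{payload}"
        return f"{signing_input}.{mac(self.key, signing_input)}"

def run_flow() -> dict:
    """Walk the exchange once, then try the obvious abuses. Accounts are constructed."""
    idp_key = secrets.token_bytes(32)
    idp = IdentityProvider(idp_key, {"adult": date(1990, 5, 1), "minor": date(2012, 3, 9)})
    site, other_site = ServiceProvider(idp_key), ServiceProvider(idp_key)
    today, t0 = date(2025, 8, 1), 1_000
    out = {}

    token = idp.attest("adult", site.issue_challenge("sess-1", now=t0), today)
    out["wrong_session"] = site.accept(token, "sess-2", now=t0 + 5)
    out["other_site"] = other_site.accept(token, "sess-1", now=t0 + 5)
    out["first_use"] = site.accept(token, "sess-1", now=t0 + 10)
    out["replay"] = site.accept(token, "sess-1", now=t0 + 20)

    late = idp.attest("adult", site.issue_challenge("sess-3", now=t0), today)
    out["expired"] = site.accept(late, "sess-3", now=t0 + 121)

    minor = idp.attest("minor", site.issue_challenge("sess-4", now=t0), today)
    header, payload, sig = minor.split(".")
    forged = b64u(json.dumps({**json.loads(b64u_dec(payload)), "over_18": True}).encode())
    out["forged_claim"] = site.accept(f"{header}.{forged}.{sig}", "sess-4", now=t0 + 5)
    out["minor"] = site.accept(minor, "sess-4", now=t0 + 5)
    return out

if __name__ == "__main__":
    for case, accepted in run_flow().items():
        print(f"{case:14} accepted={accepted}")
```
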

sidewndr46 · 16 days ago
that's great, no one should be viewing websites the government doesn't approve of.
lisbbb · 17 days ago
I guess I'm such a hard line anarchist that this sounds totally awful to me. Remember East Germany? Nope, none of you do...
eqvinox · 17 days ago
> Remember East Germany? Nope, none of you do...

I do. (Just barely.)

I don't have a Personalausweis. (You only need to have either a passport or an ID card, not both.)

jchw · 17 days ago
Even if you could do this in every single country (it would already be extremely hard to actually do this in the United States reliably, and I can only imagine it is basically a non-starter in a lot of developing countries) it does pose so, so, so many problems.

- How can you ensure the system can't be abused if there's no identifying information passed? Don't get me wrong, this is also a problem with current systems, maybe even worse. But if it's privacy preserving, ... Almost all kids under 18 have parents or guardians. Almost all of those parents or guardians are 18 or older. So literally all you have to do to bypass age verification is steal their ID for a few minutes? There are also a myriad of solvable problems that aren't guaranteed to be solved without care, like ensuring that the same ID is not used 100,000 times.

- This is a job that is best suited for the government to handle. The internet is global though, and there are a lot of governments. In the U.S., there is in fact not one federal ID, but instead we use state IDs. I assume that means you now need to handle around 50 different state IDs to be able to verify someone's identity, but it actually gets even worse than that, because some people will have IDs, and some will have drivers licenses, because oddly enough that's just how we structure IDs here. People without drivers licenses may have state IDs which are often intentionally visibly distinct to make sure they can't be mistaken for the other. In states I'm aware of, you'll never have both, the driver's license acts as a state ID if you have one. Now scale that to every country on Earth.

- As insane as it may sound, there are plenty of people who don't have essentially any form of ID. You might think I'm over-estimating the numbers with "plenty", but even just in the United States, it's literally over 2.5 million, off the top of my head. (No idea what the best source is here.) The closest thing we have that every citizen is supposed to have is Social Security, but that isn't really usable as a form of ID for various reasons. (And frankly it's a pretty terrible means to verify someone's identity at all anymore in the Internet age, but oh well.)

I'm totally sympathetic to the fact that people really don't want their kids browsing porn on the Internet, but children basically can't pay for Internet access or afford iPhones. I think it's insane that people keep suggesting using advanced cryptography, zero-knowledge proofs, privacy pass tokens or whatever else for a problem that so clearly needs to be solved socially and not technically. (And obviously, only the surface-level aspects of this are really about porn. We all know it's deeper than that, and if it wasn't, the UK would readily exempt Wikimedia from these requirements. I hope nobody here is deluding themselves into thinking this is a noble effort.) You are literally giving your children a device that can easily obtain porn and letting them use it unsupervised. It's not like it was a secret: Avenue Q told you everything you needed to know. I get that raising kids is hard and society pressures you to do this, but isn't that the problem you'd rather tackle?

The problem is that we've let this idea that you can solve the problem like this enter the mainstream, and now that we have, even smart and reasonable people may accidentally convince themselves that it is tractable just because it is technically feasible to devise such a system. This is bad because we're going to waste a lot of energy repeating ourselves on thinking about the entirely wrong way to look at things.

SamBam · 17 days ago
> Almost all kids under 18 have parents or guardians. Almost all of those parents or guardians are 18 or older. So literally all you have to do to bypass age verification is steal their ID for a few minutes?

Presumably this is the purpose of the PIN, which I assume is in the owner's head, not on the card (otherwise it would be redundant with the NFC chip).

xorcist · 17 days ago
> all you have to do to bypass age verification is steal their ID for a few minutes?

There are numerous interesting and/or problematic aspects of this, but this question is perhaps the least interesting.

If your kid, or anyone else really, steals your ID then age verification is the least of your problems. They could transfer all your money, move house, get married, change your name or a myriad of other much more serious things. Willingly letting your kid use your ID would be borderline illegal and not an insurance in the world would cover it.

> literally over 2.5 million

These people have never borrowed a book, visited a doctor, paid taxes or opened a bank account? There are many things in society that require validating who you are. Surely they have some form of ID. Perhaps just a more insecure one than a cryptographically signed.

I don't think a federal identity is as far fetched as you make it sound, for better and for worse.

toast0 · 17 days ago
> In the U.S., there is in fact not one federal ID, but instead we use state IDs.

That's only partially true. We also have federal IDs: passports, passport cards, permanent resident cards, DoD Ids, Transportation Worker IDs. There's also some other federally issued IDs listed as Real ID compliant [1], but I've never seen them so I didn't list them.

[1] https://publicpoint.fnal.gov/get-connected/Shared%20Document...

LtWorf · 17 days ago
And you think a crafty teenager can't get around that?
Muromec · 17 days ago
I'm confused. Author puts crypto backdoors and IDP with ZKP into the same bucket and calls it "nerding harder". But why? You can have identity provider, several European countries do and you can have subcredentials. You literally can nerd harder here.

Sure, there is a strong ideological argument why you should not have strong identities required in the internet in general (or even in offline) and on porn sites specifically, but the argument is not technical.

torginus · 17 days ago
These 'anonymity' technologies are laughably worthless - sure ZKP might provide mathematical proof that it's impossible to find out who the subject is, but embed a tracking cookie and fingerprinting script into both the porn site, and the online grocery - and there you go, you have irrefutable cryptographic evidence of how John Doe likes to spend his evenings.
ivan_gammel · 17 days ago
As soon as fingerprinting becomes criminal offense, this will end quickly. Nobody big enough is going to risk that.
tzs · 17 days ago
The porn site and the grocery can already embed a tracking cookie and do fingerprinting to match their visitors.
thyristan · 17 days ago
But it is. In those European countries, IDPs and certification authorities are one and the same entity. So the technical requirement of privacy evaporates, the government will always know who is proving their age to which porn site.
ivan_gammel · 17 days ago
That’s easy to fix. The IdP and the checking service do not have to be the same. The checking service can be a 3rd party that works with IdP verifying facts on behalf of regulated services like porn sites. The job of IdP is to certify the facts and do KYC for checkers to ensure they don’t cheat. The regulated service can ask customer which checker do they use and then ask the checker. The customer may have a long term relationship with preferred checker on a market where multiple checkers exist and reputation matters for being competitive. This way checker is incentivized to maintain privacy and does not have conflicts of interest like the government. Government agencies can still investigate customers but they will need a court order to get the data from checkers.
tzs · 17 days ago
IDPs and certificate authorities can be the same with no problem if you design your protocol so that the porn sites do not see your certificates. E.g., IDP issues you signed identity credentials. To prove age to the porn site a ZKP is used to prove to the porn site that you have signed credentials that give you age as 18+ but without giving the porn site any information other than that.

The ZKP approach is what the EU is doing.

Note that in the article the objection to ZKP systems is not that they don't work correctly (because they do work). It is that it can be hard for some people to obtain IDs, it may cost too much for some sites, it could be hard to regulate IDPs effectively, and things like that.

therein · 17 days ago
I don't know why you are downvoted. And even more disappointingly, it is interesting how easily people overlook the fact that this is happening in lockstep across the globe, obviously the goal is to deanonymize the internet.

I can't wait for the next generation that will enjoy "nerding out" on how to best patrol every neighborhood with drones.

Let's put NFC tags on everyone at birth, we can then nerd out harder.

Seattle3503 · 17 days ago
To me it seems like Cory Doctorow is demanding perfection, and saying that because we can't achieve perfection in age verification, we can't do age verification at all. That isn't going to stop people from trying, and we will end up with a worse system overall. IMO this is a common pitfall of techno-idealists.

Technologies like the mdl standard [1] can attest to age without revealing the user's identity.

As Cory points out, it's still possible for kids to swipe someone's ID and use that. There are probably practical solutions that are good enough. Android, iOS, and parents could work together to deal with the problem of stolen IDs. If mdl is implemented on devices such that they are managed by the device OS, that would lead to auditability. Parents can ask their child to see their phone's ID app, which will show the full roster of IDs on the child's device. If a parent sees an ID that shouldn't be there, they can have a conversation about it. In this way the law would be about empowering parents to shape their child's online experience. This is just a straw-man example solution, but there may be better ones.

The other objections I saw could be worked through in a similarly pragmatic fashion.

This is probably going to be good enough for most folks, and it's probably a good thing to keep children away from pornography and such. And IMO coming up with a "good enough" solution will flush out all the bad actors who are hiding behind the excuse of "save the children" when really they want to build up a record of everyone's browsing history. But by denying any solution to a real problem, we let the bad actors hide amongst the well-intentioned folks who are trying to do the right thing.

[1] https://en.wikipedia.org/wiki/Mobile_driver%27s_license

crote · 17 days ago
> To me it seems like Cory Doctorow is demanding perfection, and saying that because we can't achieve perfection in age verification, we can't do age verification at all.

Not we can't, but we shouldn't. All the current solutions are terrible, and are either trivial to fool or mass surveillance machines. We shouldn't be stupid enough to go for either option because it'll either cost a fortune while giving us nothing, or cause immeasurable harm when the National Porn Viewing Database inevitably gets used to blackmail everyone.

We're trying to (poorly) use technology to solve a social problem. If we can't figure out a way to do so using technology without significant downsides, then perhaps we shouldn't be using technology to solve the problem at all.

Seattle3503 · 17 days ago
> Not we can't, but we shouldn't. All the current solutions are terrible, and are either trivial to fool or mass surveillance machines. We shouldn't be stupid enough to go for either option because it'll either cost a fortune while giving us nothing, or cause immeasurable harm when the National Porn Viewing Database inevitably gets used to blackmail everyone.

It seems like we could get "good enough" solutions that would reduce the amount of explicit material we show to kids, as well as push back the age where children are first exposed. I don't think a good technical implementation will require a "National Porn Viewing Database", but that's what we will end up with if engineers and technologists dig in their heels and say "no". It is already happening in places like France and Texas.

> We're trying to (poorly) use technology to solve a social problem. If we can't figure out a way to do so using technology without significant downsides, then perhaps we shouldn't be using technology to solve the problem at all.

Technology created this social problem; it's given us unprecedented access to explicit material. These aren't Playboys under the bed. Technology can help remediate.

wbl · 17 days ago
The MDL standard does not do what you think it does.

Seattle3503 · 17 days ago
My understanding is that it supports selective disclosure of attributes such as "over 18". Is this not true?

philjohn · 17 days ago
They also get who actually passed the bill wrong - it was the last Conservative government.

2OEH8eoCRo0 · 17 days ago
All the govt needs to do is send fines to offenders and the industry will be forced to implement one or more solutions.

The govt doesn't care how you verify age only that you don't sell to minors.

crote · 17 days ago
And how well has this worked in practice? How would you even identify violations, if you're not requiring websites to store the user's real-world identity?

Large websites do not care even the slightest bit about how accurate the verification method is. They have zero incentive to genuinely get rid of underage users. If anything, they want to keep them - they are prime advertising real estate! Websites have every incentive to implement the age check in the cheapest and most half-baked way possible. As long as they are able to prove on paper that they are doing some form of age verification, they have met their requirements. Got a 90% false positive rate? Working as intended!

The only people getting fines are the small websites who can't afford to pay a 3rd party verification service. This'll shut down your local hobbyist communities, which only drives more visitors to the large megacorp websites.

wmf · 17 days ago
Experience with GDPR and DSA shows that the fines lag years behind the abuses.

thomassmith65 · 17 days ago
Yeah, it seems like Doctorow presents arguments that a good IDP system is complicated, but begins and concludes by saying it's impossible.

It kinda seems the internet has real, longstanding problems stemming from the inability to verify anything about anything online. For the most blatant example, a website admin can never permanently ban a troll or criminal (they just sign up under a new name).

It makes one wonder how Doctorow reconciles the internet as it is with his stand against adopting some kind of IDP system.

hellojesus · 16 days ago
A lot of the big players have enacted nearly permanent bans. I'd have to look up the specifics, but generally the process is:

1. Require an approved phone number upon signup or instant account "permanent suspension"

2. Require video of face and you holding id card

3. Associate "forever identifiers" in Android with past accounts and ban your new, functional account if it shows up on a device that was previously associated with a banned account. I'm not sure if Apple has similar hard-reset-surviving identifiers.

4. Ban accounts that somehow got past your prior checks but you have reason to suspect they aren't conforming to normal behavior.

I think all these practices are bad, bad, bad, so I don't use any sites that require them, but that is mostly how Meta and other large social networks operate these days. I assume they do it for surveillance reasons, associating an account with the correct person to get more money out of their data, but since the precedent exists, it makes it that much easier for other sites to follow.

gjsman-1000 · 17 days ago
> common pitfall of techno-idealists

Common pitfall? It’s why these techno-idealists are loudmouthed on the internet, but don’t get respect anywhere politically. If you want to gain ground politically, you need to at least acknowledge what the problem is, or is perceived to be, and offer a real solution. “Nope we can’t do that because of this 0.1% edge case” doesn’t qualify. “Apple should just dump all schematics online regardless of what China might do” doesn’t qualify. “The internet is great as it is, and your political concerns are invalid” doesn’t qualify.

AllegedAlec · 17 days ago
> If you want to gain ground politically, you need to at least acknowledge what the problem is, or is perceived to be, and offer a real solution.

Why? If you do not believe it is a problem that's just like apologizing when you haven't done anything wrong.

Seattle3503 · 17 days ago
Yeah, it feels like a junior engineer fresh out of their undergrad algorithms course. The business isn't going to grind to a halt and wait until you build the perfect solution.

skybrian · 17 days ago
You’re probably better off just reading the paper he links to:

https://www.cs.columbia.edu/~smb/papers/age-verify.pdf

I think it shows the difficulty of implementing it for everyone. But Apple and Google’s cell phone implementations would probably cover most people in some countries when finished, and then there will be a long tail of people who will need cheats and workarounds.

You’d be screwed if you didn’t have any friends who could help you cheat.

BlueTemplar · 16 days ago
We should be considering how to kick Apple and Google out of most countries, not give them control over something so critical!

ratelimitsteve · 17 days ago
Remember when they passed a bunch of really strong anti-terrorism bills in the US after 9/11 and we were all super sure that it was a great idea because they promised us they'd show restraint and only use the powers they were giving themselves against the worst of the worst, then they declared vandalism to be terrorism (https://www.reuters.com/world/us/trump-says-he-will-buy-new-...)?

That's how I expect "privacy-preserving age verification" to go. It's the narrow end of the wedge. Once privacy-preserving age verification is in place there will be some reason to get rid of the privacy, and we will have a fully tracked and identified internet.

kazinator · 17 days ago
If you're a web person who understands SSL, privacy-preserving age verification can be explained by analogy.

It's a system which requires a central agency, probably a government agency, analogous to a certificate authority.

You are authenticated with that agency; it has personal info about you. But you are externally identified by some impersonal identifier, not your name.

The agency issues you a certificate binding this identifier to an assertion like "is over 18 years old".

When you interact with a site that wants to know whether you are over 18 years old, you present the certificate. The site can see that it's signed by the authority and that it has the assertion that you are over 18.

You can't just give that site someone else's certificate because it has to be the one tied to the abstract identity you are presenting (which contains no personal info; it's some kind of UUID or whatever). Plus the cert can be bound to a specific device and such.

The cert has a private key with which you can prove that you own that cert; or at least that you are the authenticated operator of a device to which that cert was issued.

It's something like that. I may have some key details wrong. The main idea is that some brokerage that does have info about you can attest that you are over 18 without revealing any of the personal info via certificate-like objects.

It sounds like, in theory, the system can achieve good privacy in age verification. But not perfect age verification; people will find ways around it.

A grown up can certify themselves to be over 18 and then hand the device to a teenager; and such an operation can likely be scaled to some extent. And of course no cryptographic system can eliminate the possibility that minors are looking at the screen of a device operated by an adult, who may even step out of the way to let them operate it.

LegionMammal978 · 17 days ago
> (which contains no personal info; it's some kind of UUID or whatever)

And now all the websites have an uncircumventable and highly reliable fingerprinting scheme to track you across literally anywhere. Only identity thieves care about whatever data the agency would be safeguarding: linking up accounts between websites is more than enough for anyone else who would want to abuse that information.

kazinator · 17 days ago
I'm pretty sure I don't have all the details right. There is a zero-knowledge proof which allows a browser session to assert that the user is over 18 without using any static bits that allow for fingerprinting.
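
Added example, not part of any comment in this thread: a sketch of the certificate analogy kazinator describes, carried far enough to show both that a certificate presented without its private key fails the site's challenge and that the static identifier lets two sites link the same visitor, which is the objection LegionMammal978 raises. The toy textbook-RSA signatures, the Mersenne-prime keys and every name (`issue`, `visit`, `demo`) are assumptions chosen so it runs on the Python standard library; it does not implement the zero-knowledge variant.

```python
import hashlib, json, secrets, uuid

# Toy textbook RSA (no padding, small Mersenne-prime keys) so the sketch
# runs on the standard library alone. Illustration only, not secure.
def keygen(p, q, e=65537):
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def public(key):
    return {"n": key["n"], "e": key["e"]}

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(key, msg):
    return pow(digest(msg, key["n"]), key["d"], key["n"])

def verify(pub, msg, sig):
    return pow(sig, pub["e"], pub["n"]) == digest(msg, pub["n"])

def encode(body):
    return json.dumps(body, sort_keys=True).encode()

def issue(agency, holder_pub):
    # The agency knows who you are; the certificate carries only a random id.
    body = {"id": str(uuid.uuid4()), "claim": "over18", "holder": holder_pub}
    return {"body": body, "sig": sign(agency, encode(body))}

def visit(site_log, agency_pub, cert, device_key):
    nonce = secrets.token_bytes(16)      # site's fresh challenge
    proof = sign(device_key, nonce)      # device proves it holds the cert's key
    ok = (verify(agency_pub, encode(cert["body"]), cert["sig"])
          and cert["body"]["claim"] == "over18"
          and verify(cert["body"]["holder"], nonce, proof))
    if ok:
        site_log.add(cert["body"]["id"])  # what the site is able to retain
    return ok

def demo():
    agency = keygen(2**127 - 1, 2**107 - 1)
    owner = keygen(2**89 - 1, 2**61 - 1)
    other = keygen(2**521 - 1, 2**607 - 1)   # a device without the owner's key
    cert = issue(agency, public(owner))
    site_a, site_b = set(), set()
    honest = (visit(site_a, public(agency), cert, owner)
              and visit(site_b, public(agency), cert, owner))
    borrowed = visit(site_a, public(agency), cert, other)
    return honest, borrowed, len(site_a & site_b)

if __name__ == "__main__":
    print(demo())
```

The third value returned by `demo()` counts identifiers that appear in both sites' logs; with a static certificate id it is nonzero for every user who visits both.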