Cryptographically there are techniques that let you prove you're one of the several hundred million adults in the US that don't reveal anything about which adult you are. It's much less complicated than bitcoin.
I'm bringing this up because it's the perfect litmus test to show whether you really care about age verification, or if you want personal trackability for all internet behavior.
I'd be okay with this for certain situations (e.g. a forum that doesn't want to foreign agitators to pretend they are US voters), but the whole porn thing is a ridiculous farce because there are still going to always be millions of non-us porn sites that don't enforce US laws.
Not really. There are ways to prove ownership of one of several hundred million tokens. If you give out this many tokens, the odds that some will be stolen or sold must be fairly close to 1.
Agreed. But obtaining such a token/proof would still be an additional barrier kids would have to actively bypass, so while I don't think that's the best implementation I don't think it's correct to say there's no value there.
My bigger concern would be who gets to issue these tokens. If it's limited to a particular government, then that doesn't work very well on a global internet. And making the internet not global (blocking adults from accessing foreign websites that don't adhere to your scheme) is kinda authoritarian IMO.
If we're going to do age verification and blocking of adult sites, it needs to be local to the user's device (and thus under the control of parents, not governments).
E.g. Instead of mandating sites verify users, we mandate internet-capable devices sold to kids have certain content restrictions, the same way we mandate you can't sell alcohol to kids. To make this more effective than existing content filtering, implement some kind of legally-enforced content-labeling standards websites have to follow to be whitelisted on these devices. This way the rights, freedoms, and privacy of adults using adult devices is unaffected.
Chat GPT would be happy to explain "Rate-limited anonymous credentials" to you. Just because you can't think of something doesn't mean brilliant mathematicians can't.
Can you send a link or explain how this can be done?
As a not super tech savvy parent I find it impossible to keep my son off screens. He always finds a workaround. So I'm a fan of age verification especially after reading The Anxious Generation, despite all the hate it gets from hacker news.
Age verification actually gets almost no hate. Society-wide surveillance gets a lot; age verification just happens to be the "think of the children" excuse to shoe-horn in the society-wide surveillance. As OP described, if the age verification is implemented as a "zero-knowledge proof" then we have age verification without society-wide surveillance and nobody is complaining.
Not OP and I don't claim a cryptographically secure solution. However https://news.ycombinator.com/item?id=46223051 is as good as the controls around other age-restricted products IRL: alcohol, tobacco, and adult magazines. And it preserves anonymity.
He’s talking about zero knowledge proofs - it’s a neat use of graph coloring where you send an encrypted proof that a graph can be colored with three colors and no neighbors with the same color. The verifier makes a challenge to prove two nodes don’t have the same color, and the prover provides a key to decrypted just those two nodes. This process is repeated a number of times (with new colored graphs) until the verifier approaches certainty that the prover will always be able to show all nodes have neighbors with different colors.
This coloring problem is NP complete and somehow the thing the prover is proving is encoded in the graph structure. At the end of the day, the only thing the verifier is sure of is that the prover can make the three colored graph, 1 bit that corresponds to the thing the verifier wants to know (eg - does the prover have a token that can show they are over 18).
This is far from the best way to do it, but this is a much easier to understand example of how it could be done without having to read about math:
There's a type of token called a JWT that's really common nowadays, which is composed of 3 parts: Metadata describing encryption for the third part, the actual base64-encoded data, and the encrypted signature. The second part would include "is over 18" and "expiration date" to limit reuse/abuse, and is trivially decoded by anyone to confirm there's no personal information in there.
You'd get this token from your government site and copy/paste it into the site needing verification. The government site would provide a standard public key that can be used with the third part of the JWT to confirm it hasn't been tampered with (verification is built-in to JWT libraries). There would only be one public key that rarely changes, allowing the site to cache it, preventing the government site from correlating users based on timestamps - they never see the JWT from the other site (verification is done locally), and the other site would only need to pull the public key once for however many thousands of people use it.
...that said technical issues aside, I kinda feel like this would be the most acceptable version simply because it doesn't require the average user to trust the math - they could go to a JWT-decoding website and look at it themselves.
In my opinion, access to internet should always be behind a device controlled by an adult. And it should be this adult's responsibility to set appropriate restrictions for minors.
In theory that sounds right; but as a parent with two young teens I can tell you that in practice this is really really hard -- your teens can get around whatever restrictions you might set, bringing you down to either 1) taking away their phone altogether, 2) turning off the internet altogether (while at home), 3) trying some parental control app (none of which work that well or are inconvenient to use in practice). The only thing I've successfully managed to set up is a blocker on the router that shuts off access to their devices at night (so they go to sleep at a reasonable hour). During the day is just way too complicated.
So we talk about it and try to get them to manage it themselves. They're not unwilling, but the addiction of continuous scrolling is really hard to break. It's not even that the content is terrible, it's more just the mindless zombies -- like sitting all day on the couch watching TV. And they don't even have an IG or TT account (and won't be getting one for a long time) -- this is YouTube (which now has endless scrolling like TT) which I don't want to block altogether because there's other helpful resources on there.
I've always been an early adopter, and was on BBS and IRC and all that back in the day, love the fact that the Internet is a place you can easily set up your own blog and all that, but recently I've honestly come to f*ing hate the internet in general and social media in particular.
This is something I am conflicted about as a parent.
My daughter is still a baby, so the problem is still a few years away. But I don't know how to best handle it.
In some ways, I see social media as more poisonous to the brain than alcohol or tobacco. So, forbidding - or heavily limiting - internet access sounds like a plan.
On the other hand, part of me being a parent is teaching her how to navigate the world. And part of that, wether I like or not, is using the internet. Having contact with the communication tools that exist.
The world is full of sons of bitches. If I don't teach her how to deal with that, I would be raising an idiot.
Still, a problem for the future me to ponder over.
Yea, I think anyone who grew up at the start of the internet in homes realises just how different it is now, and that teaching your kids about how to be safe online etc is an important part of parenting. But we are at the point where we have some parents who always had access to what it is now, and don't see it as a bad place.
"Stranger Danger" is no longer don't get into a van with someone who promises you sweets kinda thing.
Agreed. My kids are young right now, but I'm wondering if we can just have a shared family room computer like in the 90s. (school-based laptops might thwart this, but maybe by the time they're school-aged people will realize that constantly putting kids in front a screen is a bad thing to do?)
Yep, I bought a separate all-in-one computer that is in the living room, in full view of everyone else, so we can keep an eye on what is going on when they are using it.
We also have pi-hole running that blocks a lot of things, and can turn on and off certain domains (so they can play roblox etc for a short while, then its blocked again) and their devices are pretty locked down
You can be pretty effective with not much - school laptops can be router-blocked to the needful, the main familyroom computer can be visible to all but also have rudimentary DNS blocking, etc.
The key is to be open about it and “more” than reasonable; allow things when requested that aren’t harmful.
If we’re too perfect at protecting them from the world they’ll have no tools to deal with the world, which they will have to do eventually.
Even if they don’t share a computer you can still set up their own computers in a shared space. We don’t put tvs in bedrooms either just to keep those rooms for reading/sleeping. Added bonus of keeping computers in common spaces is that your kids won’t disappear into their rooms one day and never come back out.
You can have a shared family room computer! It works really well. No screens in the bedroom is a great idea. iPhones with strict Screen Time settings are awesome when the kids get old enough to use a phone for communication but not old enough to handle a phone with games and the full Internet
With my family, I shut down and threw away my last PC; too many security head aches. I bought the cheapest large screen iPad(s) and promptly locked them down. One of my best decisions.
I think the parent should decide what the level of control is and what is appropriate for their child. I don't think we need to set up laws for everyone in the world.
I'm really glad you're not in charge of making laws. The one thing you can do as a parent is override most age restrictions. You can give your child alcohol, you can take them to R rated movies, you can let them watch NC-17 movies at home, you can buy them M video games, you can just straight up buy them porn. But then parents have a legal requirement to restrict their child's internet access to whatever the government happens to approve of—utter nonsense.
We should then make laws that parents must tell their kids to clean their room. Next we can make laws that parents must tell their children to eat their veggies. What about chore laws? Teeth brushing laws? Stop arguing with your sister laws! More laws!
we trained our kids to avoid bad words we taught them to be ashamed of bad pictures, we put porn mags in a hidden location, we put sextoys in hidden location, we locked the pay channels on the cable box, but this internet thing came along and all of that is on there, we didnt lock the computer, or put it somewhere hidden, or the router, or the modem, we didnt lock the box for the service dropline, or for the starlink terminal, we decided to complain until pushing the entire service for everyone into the lock up, not only the kids.
How does that work in practice? I've tried to do this at home. It doesn't work at all. It's not the 90s any more- there isn't one PC sitting on a desk with a modem attached to a phone line that you need to wait for 30 seconds to dial up and establish a connection before you're online...
Now you have ubiquitous WiFi and cellular connectivity across dozens of devices in a typical household. Even refrigerators have built in web browsers now. Parental controls are a joke, treated as an afterthought at best - nonexistent at worst. Oh, and the school system provides your kids with a Chromebook with Internet access starting in elementary school.
It's victim blaming at its finest IMO. Yeah, we can all point fingers at the parents who sit their kids down with an iPad. But there's many of us who struggle to limit screen time, working against the profit motive of trillions of dollars of corporations. It's a losing battle.
Edit: crazy. Instead of providing an answer to my question of "how do you do this in practice" I get downvoted. Goes to show that there are no real solutions, just a bunch of morality police and victim blaming. Yes, parents are the victims here. The tools are inadequate and trillions of dollars of incentives are lined up against them.
No, I think what they want is not to have the rest of us have to jump through hoops (and sacrifice privacy) to achieve the same thing. Some of us don't have kids (or live in a household with any), so passing a law that potentially limits our internet access to solve a "problem" that already is dubious is ridiculous.
Here [1] is the zero knowledge solution. It has existed for ages but not adopted likely due to not providing a name, SSN, location and credit card. No third parties, no dependency on CDN's, no sharing or leaking ... anything.
Given that solution is unlikely to be legislated into action I would suggest people are just going to share adult content on Usenet, Tor, P2P, within G/PG rated video games by plonking down a virtual theater and streaming from a throw-away VM and fully automating syncing with LFTP+mirror+SFTP, sharing USB NVME drives, mobile ephemeral websites over WiFi and other methods when people get tired of this Top/Bottom relationship lobbyists want us to participate in. As a plus side, driving people underground means zero tracking, rules, taxes, obligations, leaking email addresses, etc...
I think that the improved version of age verification is to ask the yes/no question to a government third party based on a signed payload that your local device offers the service. The government already has your identifying data, they only need to certify on behalf of which person the question is asked.
I mean most mobile devices have already accepted closed ROMs in their baseband and all/most browsers that try to interact with streaming sits require Widevine . As longas its going to hapen one way or another better it be local , and not a gov thing or a monopoly.
At the end of the day the tool should be there enforcement down to the relevant local authorities or not.
If I remember right, a problem with this is that you need to get those proofs by submitting your id or similar, you only get a limited amount of proofs at a time, they expire in maybe a few months, and you can only get them using a government specific app that is only for "secure" devices. Instead of being tracked by the site you're being tracked by the government, you now need a Google Android phone in order to browse adult sites on your PC, and depending on your habits you may need to re-show your id potentially multiple times a day unless you opt to being tracked by the sites instead.
It really should be just once that you need to show your id and then you should be able to generate as many proofs as you need whenever you need on any computer device, but they have an obsession on making very sure that it cannot be circumvented, as if it was insanely important.
Exactly, on my Play Station I setup for my son I enter his real birthday, then Sony knows what can he do in the Store or chat etc. So we could have the big tech Apple, Google, Microsoft, Canonical ensure to make an idiot prof setup screen and the parent is responsible to set the age of the birthday of the child if they give a device to them . Then the store can be filtered and the browser can have a standard way of adding in the headers an age range or something.
Big tech did not want to cooperate to do this for some weird reason so now we get a much more complicated solution.
Yes I know that if your kid uses a live USB stick he could watch porn on his laptop but IMO is much easier for such a smart kid to find a website that does not respect the browser headers and torrent adult content.
I don’t like this article. Irrelevant technical nuance is comingled with a philosophical opposition. The technical issues are all solvable. The free speech argument is foolish too: if limiting who can jerk off to pornography is an issue of free speech, surely so is limiting who can enter a bar and converse with the patrons.
Opposition to ID checks because you believe the internet should be open and free is reasonable but this article twists itself into knots throwing everything at the wall. And it is reasonable to believe it is a free speech issue. But we can’t say, at the same time, that the same arguments don’t apply outside of the internet.
(Convenience stores scan ID, bars scan ID, hotels take copies of passports…)
These are new things, not old things. The idea that stores and bars should be able to record for all eternity the identities of the people who have purchased things from them is just as much of a horror. They can sell that information to anyone.
> hotels take copies of passports…
This is not really a new thing, although it is a fairly new thing (i.e. within the last 40 years, since cheap enough photocopiers.) But it comes from laws about keeping track of who is staying in temporary accommodation, 100 years ago you would have had to sign the register.
I am not that fond of stores scanning my ID data either. I’m over 21, there’s no question about it. Per policy, they’ll have my name and address in some log too, and with my photos and gait on camera and probably my license plates. What does all of that do for me? Are you safer because I am being recorded?
I like the (disputed) comment elsewhere on this page, requiring parents to parent. They aren’t my kids.
If you have the money definitely get yourself a passport card. Stores can’t scan them and they only contain a pointer to personal info in some government database.
The free speech argument is that these ID checks aren't just being applied to porn sites; there's a push to make social media websites (probably the largest hubs of free speech in the modern world) do them too. That's a much bigger deal. It'd be like if you had to show your ID to a police officer in order to enter exit your front door.
Are we to assume that the people at the EFF haven't heard of how European nations, like Denmark, are building government infrastructure to verify your age without disclosing sensitive information?
Are we also at assume that the EFF fail to see the similarity of age-gating porn websites and age-gating entrance to strip clubs?
That doesn't seem likely to me, and I find it way more likely that the EFF is purposefully excluding the best argument against their chosen position.
The core issue here, as often, is that it pits ethical and economic concerns against one another. There has been a systemic choice by web/tech companies to prioritize maximum profit, often at the expense of necessary user support and compliance. Because of that, user support/relations are deficient and there is little accountability for what they're doing, even if, as we often read here, a tech company cancels user accounts, projects, or monetary accounts, without anyone or anywhere to appeal. Age verification presents the same problem. If companies maintained a professional, human-centered user relations function, they could implement a non-intrusive, real-time validation process.
If we were in the real world, with for example a barman needing an ID, that single person could confirm the age without copying or indefinitely keeping the ID card. The digital equivalent would be a decent support representative who could conduct a live brief video interaction to confirm a user's age, without even storing a copy of the ID, and who could even require the parents to be there with the minors signing in. That would address both the need for verification and the data minimization problem.
Yes, that would cost the companies a lot of money, but that would solve both problems at the same time: verifying the user's age and ensuring privacy. And guess what, the same person could also serve as an entry point for other issues that no one can really appeal against now, like the frozen accounts and other horror stories mentioned above. Yes, parental control is necessary, but it is insufficient. Zero-Knowledge Proof thingies could allow a device to validate parts of the process, but the possibilities of circumventing this are so enormous and endless that they look to me as completely insecure (and using a third party validating this adds another layer of trouble).
The most effective way would be to reintroduce a human element in the process, but we have already given up, because we are at the mercy of the web companies due to their free tools. The governments trying to introduce some ethics to those processes are not the problem at all, they should be commended for that. We are the problem because we accept that what should be the web companies' responsibilities is not being fulfilled because we don't want them to make less money as we would lose some freebies. That's on us, not on the laws. So the answer to "Why isn't online age verification just like showing your ID in person?" is : because we collectively accept it is not exactly showing our ID in person.
That's kind of the point of all this. They force websites to enact the verification because they have leverage over businesses that they don't have over citizens, and then they expect that the citizens will hate it so much that they don't go to the "bad" sites at all. "Thank you for your cooperation!"
ETA: (accidental submit; sorry) I'm in the same boat! Not entering my ID information into any website, much less ones they've got on the list. And so they've successfully boxed us in. At least for me, I intend to raise hell about it aside from just not sharing PIA, but I don't have any delusions of it's effect.
Readit News
I'm bringing this up because it's the perfect litmus test to show whether you really care about age verification, or if you want personal trackability for all internet behavior.
I'd be okay with this for certain situations (e.g. a forum that doesn't want to foreign agitators to pretend they are US voters), but the whole porn thing is a ridiculous farce because there are still going to always be millions of non-us porn sites that don't enforce US laws.
My bigger concern would be who gets to issue these tokens. If it's limited to a particular government, then that doesn't work very well on a global internet. And making the internet not global (blocking adults from accessing foreign websites that don't adhere to your scheme) is kinda authoritarian IMO.
If we're going to do age verification and blocking of adult sites, it needs to be local to the user's device (and thus under the control of parents, not governments).
E.g. Instead of mandating sites verify users, we mandate internet-capable devices sold to kids have certain content restrictions, the same way we mandate you can't sell alcohol to kids. To make this more effective than existing content filtering, implement some kind of legally-enforced content-labeling standards websites have to follow to be whitelisted on these devices. This way the rights, freedoms, and privacy of adults using adult devices is unaffected.
Certificates prove that a website/server (and sometimes the client) are who they say they are.
We force the website to renew their certificate from an issuer every year so that stolen tokens/certificates are less of a problem.
The issuer can protect or hide the identity of the certificate owner, and doesn't get any information about which clients accessed a server.
As a not super tech savvy parent I find it impossible to keep my son off screens. He always finds a workaround. So I'm a fan of age verification especially after reading The Anxious Generation, despite all the hate it gets from hacker news.
But it sounds like your wish is to keep your kid off screens in general, which I don't think age verification would accomplish.
Age verification actually gets almost no hate. Society-wide surveillance gets a lot; age verification just happens to be the "think of the children" excuse to shoe-horn in the society-wide surveillance. As OP described, if the age verification is implemented as a "zero-knowledge proof" then we have age verification without society-wide surveillance and nobody is complaining.
https://en.wikipedia.org/wiki/Zero-knowledge_proof
This coloring problem is NP complete and somehow the thing the prover is proving is encoded in the graph structure. At the end of the day, the only thing the verifier is sure of is that the prover can make the three colored graph, 1 bit that corresponds to the thing the verifier wants to know (eg - does the prover have a token that can show they are over 18).
There's a type of token called a JWT that's really common nowadays, which is composed of 3 parts: Metadata describing encryption for the third part, the actual base64-encoded data, and the encrypted signature. The second part would include "is over 18" and "expiration date" to limit reuse/abuse, and is trivially decoded by anyone to confirm there's no personal information in there.
You'd get this token from your government site and copy/paste it into the site needing verification. The government site would provide a standard public key that can be used with the third part of the JWT to confirm it hasn't been tampered with (verification is built-in to JWT libraries). There would only be one public key that rarely changes, allowing the site to cache it, preventing the government site from correlating users based on timestamps - they never see the JWT from the other site (verification is done locally), and the other site would only need to pull the public key once for however many thousands of people use it.
...that said technical issues aside, I kinda feel like this would be the most acceptable version simply because it doesn't require the average user to trust the math - they could go to a JWT-decoding website and look at it themselves.
You meant logical criticism?
So we talk about it and try to get them to manage it themselves. They're not unwilling, but the addiction of continuous scrolling is really hard to break. It's not even that the content is terrible, it's more just the mindless zombies -- like sitting all day on the couch watching TV. And they don't even have an IG or TT account (and won't be getting one for a long time) -- this is YouTube (which now has endless scrolling like TT) which I don't want to block altogether because there's other helpful resources on there.
I've always been an early adopter, and was on BBS and IRC and all that back in the day, love the fact that the Internet is a place you can easily set up your own blog and all that, but recently I've honestly come to f*ing hate the internet in general and social media in particular.
My daughter is still a baby, so the problem is still a few years away. But I don't know how to best handle it.
In some ways, I see social media as more poisonous to the brain than alcohol or tobacco. So, forbidding - or heavily limiting - internet access sounds like a plan.
On the other hand, part of me being a parent is teaching her how to navigate the world. And part of that, wether I like or not, is using the internet. Having contact with the communication tools that exist.
The world is full of sons of bitches. If I don't teach her how to deal with that, I would be raising an idiot.
Still, a problem for the future me to ponder over.
"Stranger Danger" is no longer don't get into a van with someone who promises you sweets kinda thing.
We also have pi-hole running that blocks a lot of things, and can turn on and off certain domains (so they can play roblox etc for a short while, then its blocked again) and their devices are pretty locked down
The key is to be open about it and “more” than reasonable; allow things when requested that aren’t harmful.
If we’re too perfect at protecting them from the world they’ll have no tools to deal with the world, which they will have to do eventually.
You can't.
There are also a ton of tricks and workarounds it's super frustrating.
That's the implication of making a law.
Now you have ubiquitous WiFi and cellular connectivity across dozens of devices in a typical household. Even refrigerators have built in web browsers now. Parental controls are a joke, treated as an afterthought at best - nonexistent at worst. Oh, and the school system provides your kids with a Chromebook with Internet access starting in elementary school.
It's victim blaming at its finest IMO. Yeah, we can all point fingers at the parents who sit their kids down with an iPad. But there's many of us who struggle to limit screen time, working against the profit motive of trillions of dollars of corporations. It's a losing battle.
Edit: crazy. Instead of providing an answer to my question of "how do you do this in practice" I get downvoted. Goes to show that there are no real solutions, just a bunch of morality police and victim blaming. Yes, parents are the victims here. The tools are inadequate and trillions of dollars of incentives are lined up against them.
It would make sense to have the enduser verification ondevice with a simple reply to any online property : Passed age verification/or not.
Otherwise the centralization and eventual leak of this data is a can of worms in waiting.
Given that solution is unlikely to be legislated into action I would suggest people are just going to share adult content on Usenet, Tor, P2P, within G/PG rated video games by plonking down a virtual theater and streaming from a throw-away VM and fully automating syncing with LFTP+mirror+SFTP, sharing USB NVME drives, mobile ephemeral websites over WiFi and other methods when people get tired of this Top/Bottom relationship lobbyists want us to participate in. As a plus side, driving people underground means zero tracking, rules, taxes, obligations, leaking email addresses, etc...
[1] - https://news.ycombinator.com/item?id=46152074
1) It is vulnerable to modifications and hacks on the local device that get it to send back a "yes" result without actually verifying anything
OR
2) It requires the device to use some kind of closed, proprietary system that allows the service to guarantee that #1 cannot happen
Now, in general, the tech world is pretty happy to accept #2, but many of the people around here would object to it on very reasonable grounds.
At the end of the day the tool should be there enforcement down to the relevant local authorities or not.
It really should be just once that you need to show your id and then you should be able to generate as many proofs as you need whenever you need on any computer device, but they have an obsession on making very sure that it cannot be circumvented, as if it was insanely important.
How European can it be?
This looks like a private consortium of usual suspects Tales and T-Systems squandering taxpayers money, not an official thing.
Currently, it does not implement ZKP, and further requires proprietary Google Play Integrity use, making it an absolute toxic cesspool.
Deleted Comment
Big tech did not want to cooperate to do this for some weird reason so now we get a much more complicated solution.
Yes I know that if your kid uses a live USB stick he could watch porn on his laptop but IMO is much easier for such a smart kid to find a website that does not respect the browser headers and torrent adult content.
Opposition to ID checks because you believe the internet should be open and free is reasonable but this article twists itself into knots throwing everything at the wall. And it is reasonable to believe it is a free speech issue. But we can’t say, at the same time, that the same arguments don’t apply outside of the internet.
(Convenience stores scan ID, bars scan ID, hotels take copies of passports…)
These are new things, not old things. The idea that stores and bars should be able to record for all eternity the identities of the people who have purchased things from them is just as much of a horror. They can sell that information to anyone.
> hotels take copies of passports…
This is not really a new thing, although it is a fairly new thing (i.e. within the last 40 years, since cheap enough photocopiers.) But it comes from laws about keeping track of who is staying in temporary accommodation, 100 years ago you would have had to sign the register.
I like the (disputed) comment elsewhere on this page, requiring parents to parent. They aren’t my kids.
It could be through a header, or something like this: https://developer.chrome.com/blog/digital-credentials-api-or...
However, I have the feeling that none of these solutions will get wide enough buy in and adoption to be a viable solution to website owners.
Are we also at assume that the EFF fail to see the similarity of age-gating porn websites and age-gating entrance to strip clubs?
That doesn't seem likely to me, and I find it way more likely that the EFF is purposefully excluding the best argument against their chosen position.
ETA: (accidental submit; sorry) I'm in the same boat! Not entering my ID information into any website, much less ones they've got on the list. And so they've successfully boxed us in. At least for me, I intend to raise hell about it aside from just not sharing PIA, but I don't have any delusions of it's effect.