New U.S laws designed to protect minors are pulling millions of adult Americans into mandatory age-verification gates to access online content, leading to backlash from users and criticism from privacy advocates that a free and open internet is at stake. Roughly half of U.S. states have enacted or are advancing laws requiring platforms — including adult content sites, online gaming services, and social media apps — to block underage users, forcing companies to screen everyone who approaches these digital gates.
And because someone will probably ask, this is my understanding of how it would work for age verification (I am not an expert):
There are 3 parties in this scenario. The Estonian state, Meta, and a 3rd party (which is currently a real 3rd party, but work is being done to allow this to be a digital wallet on your device, that you control)
The state issues your 3rd party a magic cryptographic cert that has all your personal data like dob
Meta issue an age challenge: Not “what’s your dob” but rather “Are you old enough to use this service?”
3rd party show you exactly what Meta are requesting and give you the option to approve or deny the request
If you approve, the 3rd party generate a new cert that JUST says “Yes I’m of age” and nothing else.
Because it’s been generated from the states magic cert it can be verified with their public key.
Meta don’t get more info than they need, the state can’t see that you’ve logged into Meta, but you’ve successfully proved you’re old enough to use the service.
The current weak point is that the 3rd party can absolutely see all of it, but there’s no reason the 3rd party has to be an external service. It could absolutely be an app on your device.
You still need to prove yourself to the state, but you’d have to do that to get an id card in the first place. It’s WAAAAY better than trusting all the different porn sites and social media services individually to not leak or misuse your data
The problem isnt just that the third party can abuse their access to your information, it’s that it is digitally stored and certifiable at all
The most secure data providers in the world have all basically had data breaches by now - including the IRS and US government. There is no party that can guarantee data security, even if they themselves are benevolent.
And for what purpose are we willing to gut privacy online? So it’s marginally more difficult for minors to obtain porn?
GTFO. De-anonymization has always been the goal, not ‘protecting the children’.
I fundamentally disagree with this. First off, that ship has sailed. Your data is already digitally stored. The problem is that it’s stored outside of your control and accessible without your consent. This system addresses those issues.
There is no technical reason your data ever needs to be on a device that is outside of your control. The 3rd party is just a local app, with local data storage. In other words there shouldn’t BE a massive database that can be breached. Sure, your device can still be breached, or stolen, but so can your physical wallet. Your device being stolen shouldn’t leak my data.
I’m not. I’m trying to explain that giving up privacy is NOT a requirement for age verification
I’m actually thinking about social media. There’s plenty of data to suggest that underage access causes severe harm, that can and has led to suicides. This is a problem with a body count.
100% agree. I just want people to understand that it IS a smokescreen. “Age verification” is a GOOD IDEA that is being used as a cover. Recognize the underlying threat, absolutely, but also recognize the good idea that’s being used to hide it.
Sorry, I just don’t agree with this, either. It isn’t just that it’s a third party, it’s that verification necessarily ties your device to your personal identity at all. No matter how you store the actual identity data, there needs to be an identifier associated with every device/account. I’d be fine if the OS just asked for my age and didn’t verify it with my state-issued ID - but if there’s any cross-checking involved that’s a dealbreaker.
If there were any possibility that a state actor had interest in identifying my personal identity of this account, and there was a record that pointed to my name, SSN, or other unique personal identifiers, i’d be absolutely fucked. There are really good reasons not to want social media accounts tied to real, verifiable identities - even if you think social media should be limited to adults (i’m not on willing to concede this, for what it’s worth).
It doesn’t matter if the data is stored on your local device - if it’s being verified by a state authority at all, that’s a huge problem.
I think you’ve misunderstood. Neither of these statements is true
That’s the whole point. This isn’t possible. There are NO identifiers ANYWHERE that link your account to your real world credentials.
It’s not. At least not in the way you’re thinking. You are issued a file, like you are issued an id. This could be done from any device anywhere, and could theoretically be copied and moved around to other devices. This file is cryptographically SIGNED by the state.
Meta then send you a request with their own cert.
The third party then generates a 3rd cert that JUST verifies that you are of age, and contains NO other PII. It uses a combination of signatures from the request and your credentials file to generate this.
The result is that Meta can verify that this new cert was generated in response to their request, that it was based off of an authentic state credentials file, and that the user is of age. That’s it. Not the exact date of birth, no names, addressses, ssns or anything. JUST “user is >16.” There are no identifiers, and no way to tie it back to you IRL.
The state get absolutely no indication that any of this has gone down at all. The 3rd cert is verified off of a universal public key
A state issuing a cert file has to be able to verify that it goes to the intended person. The state would have to know the ID of the person they’re issuing it to, otherwise it wouldn’t function as intended. Similar to blockchain wallets - they are anonymous all the way up to the point of fiat exchange, where most state actors can still end up ID’ing wallet owners.
Even if you try obscuring that information via encryption, it still gets signed by a ‘trusted’ authority at the end of the chain.
Even in theory this is a shit idea.
Yes you need to prove yourself to the issuer, but that’s no different to proving yourself to the dmv to get a driver’s license. But this is the START of the process, not the end.
Once that process is done, like with a drivers license, the issuer gets no further information on what you do with it.
A SECONDARY cert that contains no PII is what Meta get sent.
Even if Meta sent that cert to the state, the ONLY information they could get from it is that it was state issued, and that it was issued to someone over 16.
The point isn’t to obscure the information, it’s to not send it in the first place.
There is no relation to the blockchain. There is no “chain” here to trace back. This is just an extension on regular old school cryptography. The only provable link is that the parent cert was generated by an authority. There is no way to tell if a 3rd cert was generated with your parent cert or mine
I dont see how the second cert that goes to the site is useful if it isnt still associated with the first, but I also wouldnt trust the state to abide by an untraceable standard to begin with because identifying individuals by their accounts is in their interest.
I get where the enthusiasm for cryptography is coming from, but I think it’s misplaced.
Oh 100% I do not trust the current govt. to do this properly! Like I’ve said elsewhere today, I just want people to know that it IS possible, and the idea that you HAVE to give up privacy to keep kids safe online is a false dilemma.
As for the second certs usefulness, it’s got enough information in it to prove that the parent cert was issued by a trusted issuer. It’s like a stamp of approval. A really bad analogy is if I take an official birth certificate, and cut it up in such a way that the official seal and the year are still connected by a thread of paper. You can tell that it was an official document issued to someone born in 1990 for example, but nothing else. Again, that’s a really bad analogy because it’s not a new cert, and contains the birth year, so it’s not the same.
This is all based on something called Zero Knowledge Proofs, that I don’t even pretend to completely understand, but it’s a whole field of study, meant to solve exactly this kind of problem. Currently watching this myself
How about a system where I can go physically to a shop, show them my id, then the clerk allows me to buy a box of tokens that I picked up myself from the shelf.
I can pay with cash, the clerk just looks at my face and ID, nothing gets entered into the system.
Then I have a bag of tokens that could have various expire dates. Some could last years. They are not tied to any person in anyway but only adults could access them.
And yes, I can totally give it to some kids, but that’s no different than me buying kids alcohol.
I mean, yes, it’s the same process. It’s just moving the convenience store to your phone, and instead of being issued a physical ID by the dmv or whoever, you’re given a digital one. To be clear, that ID, and therefore your information is stored locally on your device, not in a server somewhere.
While I would trust that for a FOSS app, it would be too easy for a proprietary app to just “backup” your data.
With the physical method, everyone can be sure they are anonymous through common sense.
Sure, but I have 2 counterpoints:
There’s no reason the 3rd party app needs to be proprietary. This is starting to get technical, but my understanding is that you get a cert from the requester, and it’s the combination of that with the state issued magic cert that’s used for validation. The 3rd party app is essentially just a calculator. It doesn’t need any certs of its own
That’s an implementation detail. My argument is that it’s the implementation that’s the real cause for concern here, not the idea