by boffinism 1596 days ago
This feels like it could be resolved by technology.

I am happy to identify myself to government entity A to prove my age, but I don't want A to know what sites I visit.

I want to visit site B, but I don't want to identify myself.

Is there no API that will allow B to verify my age via A, without A finding out what site B is, and without B finding out anything more than my age bracket?

7 comments

OAuth 2.0 resolves this. The government can be in control of maintaining citizens' identities and citizens can likewise request claims from the government's auth server regarding their age or any other matter.

That claim as a signed message can be provided to third-party services which need only validate the signed message using the public key associated with the secret key that signed the claim message.

I don't think OAuth 2 would give the required privacy protection.

How would the flow go? Click on an age verification link on a site. It redirects to the gov site, where you authenticate and it returns a signed claim.

Now the government knows what sites you are visiting. Not something I suspect most people will want when accessing porn sites...

I refreshed my understanding of OAuth 2.0 and sure, its typical flows, which are meant for convenience, do not offer the level of privacy protection you mention. But if we replace that convenience with some effort from the user, we can get the privacy protection as well.

The flow can be as follows:

The user authenticates itself via the government's site and is presented with a page which lets them create government-signed messages using claims provided by the government.

The concerned site can generate a random string during their registration/verification process which they expect to be part of the signed message that the user is to provide them.

The user enters that random string on the government's site and checks/selects the age claim for it to be included in the signed message. The government adds a timestamp to it and a key id based on the private key which it used to sign the message.

The user posts the signed message on the concerned site during the registration/verification process. The site uses the government's well-known address to fetch the public key associated with the key id (mentioned in the signed message). It then uses the public key to verify the signed message, alongside checking the timestamp for recency and the presence of the exact random string in the signed message. Ultimately, it checks the age claim.

So now, instead of providing credit card details, the signed message was provided by the user which the concerned site can validate on its own without the government knowing.
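
The manual flow described in the comment above, sketched end to end for Node.js as an added example that is not code from the thread. The token layout, the key id `gov-key-1`, the `over18` claim name, the in-memory key map standing in for the well-known key address, and the five-minute window are all assumptions made for illustration.

```javascript
// Added illustration. Token layout, key id, claim name and the 5-minute
// window are assumptions; the comment above does not specify them.
const crypto = require('crypto');

const MAX_SKEW_MS = 5 * 60 * 1000;

// Government side (constructed stand-in): an Ed25519 key published under a key id.
const gov = crypto.generateKeyPairSync('ed25519');
const GOV_KEYS = new Map([['gov-key-1', gov.publicKey]]); // stands in for the well-known key address

// The signer sees only the site's random string and the requested claim, never the site.
function govSign(nonce, claims, now = Date.now()) {
  const payload = Buffer.from(JSON.stringify({ nonce, claims, iat: now, kid: 'gov-key-1' }));
  const sig = crypto.sign(null, payload, gov.privateKey);
  return payload.toString('base64') + '.' + sig.toString('base64');
}

// Site side: issue a fresh random string per verification attempt.
function newChallenge() {
  return crypto.randomBytes(16).toString('hex');
}

const fail = (reason) => ({ ok: false, reason });

function siteVerify(token, expectedNonce, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 2) return fail('malformed');
  const payload = Buffer.from(parts[0], 'base64');
  let msg;
  try { msg = JSON.parse(payload.toString('utf8')); } catch { return fail('malformed'); }
  if (msg === null || typeof msg !== 'object') return fail('malformed');
  const key = GOV_KEYS.get(msg.kid); // kid only selects which trusted key to try
  if (!key) return fail('unknown key id');
  // Verify the signature over the exact bytes received before trusting nonce, time or claims.
  if (!crypto.verify(null, payload, key, Buffer.from(parts[1], 'base64'))) return fail('bad signature');
  if (msg.nonce !== expectedNonce) return fail('nonce mismatch');
  if (typeof msg.iat !== 'number' || Math.abs(now - msg.iat) > MAX_SKEW_MS) return fail('stale');
  if (!msg.claims || msg.claims.over18 !== true) return fail('age claim not satisfied');
  return { ok: true };
}
```

The signer never learns the site's name here, but the random string and timestamp appear in both parties' records, so the two could still link a visit if they compared logs.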

Well, that technically works, but it's unusable. And you would have to do that for every site that requires age verification.

It's not really OAuth 2 either, even though it re-uses bits of it. There is no "flow"!

A FOSS browser extension developed and maintained by a non-profit organization, vetted/audited by other trusted third party entities can facilitate convenience in this flow, bringing the overall experience closer to a desirable state.

The websites which are to be restricted by government-imposed legalities can expose the claims they need during their registration/verification process and the browser extension can automatically retrieve those claims alongside other details as mentioned previously, and can auto-fill on the website for the user.

Since this extension acts as the intermediary client, it knows the parties involved, but it preserves the user's privacy accordingly due to its vetted nature and as a FOSS application.

Of course, there will be concerns regarding pushing people to use such things but if legality can force people to give out their credit card details on certain websites, then it can also push for such user-focused convenience ways to enforce the legal matters. Whether it will really happen is not in our power but technically it is a resolvable matter as put forth by the original comment.

There are privacy preserving technologies that can do this.

See the work of Jan Camenisch for example: https://jan.camenisch.org

But I doubt anything so well thought out would be implemented for this. Current government suggestions are credit card checks, checking identity against government passport records, or your mobile phone service provider.

I don't even understand the mobile phone one. My son has a mobile phone, but I'm the account holder according to the phone company. He's too young to enter into contracts for a start!

I'd suggest his other work on IdentityMixer is more relevant here.

https://hyperledger-fabric.readthedocs.io/en/release-1.3/ide...

DAA solves a different problem.

I suppose this would be a very neat usage of Zero-Knowledge Proofs.

If I can prove User is over 18 to App, without giving away who User is to App - that seems quite valuable. An "Ali Baba cave" for identity. (https://pages.cs.wisc.edu/~mkowalcz/628.pdf)

I believe they're talking about doing that, but contracting out to approved 3rd parties instead of the government for age verification. I still don't trust them to do it securely, and I worry deeply about the chilling effect it will have on the internet as a whole.

Pretty sure that’s already on its way. One way we avoid giving card details to untrustworthy sites is to use a third party verification service. Suspect that this is well enough known that the headline should be construed as clickbait.

This is resolvable by technology only if your plan is to replace Chris Philp by an OpenAI-powered bill generator.