by hn_throwaway_99 906 days ago
While I strongly disagree with this NC law, and others, your analogy is a bad one.

As a society I think we've accepted that some things (cigarettes, alcohol, sex, etc.) should be restricted from children. That's a far cry from requiring ID every time I go to the grocery store. But, as long as I've been alive, you have had to show ID to purchase alcohol, and the sky hasn't fallen.

Again, I think these types of laws are particularly poorly thought out, but I don't buy the "slippery slope into dystopia" arguments, and I think there are better arguments against it.

5 comments

It is one thing to show ID. It is another thing to show ID and have the details stored in a database in perpetuity by companies who don’t have huge budgets for data privacy and security.
Zero-knowledge methods for verifying age are possible but there is almost no political will or interest in them. Sites would get a “yes” or “no” as to whether someone is of age, and no other information.
They could verify ID, associate you with an "ID verified" token, and immediately trash all the information they collected other than that token.
They could, but a law enforcement agent looking for a suspect will send a lot of subpoenas to every porn site. When a porn site says "we wipe that data instead of storing it," the law enforcement agent will say "what do you mean you wipe KYC and identity verification trails once you get them? Are you letting sanctioned people use your site and covering your tracks?"

Similar thing happened to Valve; people were trading gun skins, and regulators fined them for not having AML/KYC controls because the state argued "the business didn't do enough to stop money laundering."

This trickles out to porn companies (and the vendors that use them for identity verification), and implies that they need to store this data to prove that they didn't delete it to help terrorists.

Does this require users trust several parties? Any one of which could sell out, get a court order, be tapped en masse by the NSA?
It is possible to design a system where there are three parties, you, the site R that is requesting you prove your age, and a site D that you are willing to show documentation that will prove your age, with these properties:

1. There is no direct communication between R and D related to your proof of age. You will receive a message from R, send a message to D, receive a message from D, and send a message to R.

2. R gets no information other than (1) your age information, (2) what site D checked your documents, (3) the timestamps of when you exchanged messages with them.

3. The site D just gets (1) the documents you provide to prove your age, (2) a binary blob that you generate that is for all practical purposes random to anyone other than you [1], and (3) the timestamps of when you exchanged messages with them.

If someone compromises D all they get is copies of your documents (assuming D kept them) and those for all practical purposes random blobs (if they kept them), and timestamps. They don't get the identity of R, the site you were verifying your age to.

If someone compromises both R and D, they might try to match up timestamps to try to figure out who people really are. If D is busy enough and you add some delays in your message sending it should be possible to make this risk negligible.

[1] The blob is some data you receive from R, transformed by a random permutation chosen by you. To anyone who does not know the random permutation it is indistinguishable from random.

Yes. It is possible to implement zero-knowledge age verification securely. There are just exponentially more ways to do it insecurely, and we can assume that by default this is what will happen.
California is trying out something like this with their digital driver's license.

Basically, if you only want to verify age, you open the app in age verification mode. It will display your picture and a QR code but not your address and other sensitive info typically present on a driver's license. The participating* alcohol vendor then scans the QR code which only contains data like "over 21" and some sort of verification that the QR code isn't forged. I'm a bit hazy on how this last bit works but it really all pivots on how this bit is implemented. Could be good for privacy or a total nightmare.

*there are only 3 locations participating in this test phase, afaik

It would be helpful to be able to digitally verify different types of identity. Where I live, how old I am, my real name, my nationality, etc. Give the user control over what information is being verified.
I am curious how this would work. Could you put me in the right direction in how this is done?
The simplest way is as follows:

1. There's a provider that already has your data (it could be the government, a bank, a phone carrier etc). If more than one provider is supported, there's a list of trusted providers somewhere.

2. Whenever a website needs an age check, it asks you to authenticate with one of the trusted providers. The provider gets a challenge (a random string).

3. If you authenticate successfully, the provider uses their public key to provide a cryptographic signature of the challenge. This signed challenge is then transmitted back to the website.

In a more advanced version of this system, the website also provides a boolean expression, like `country_of_residence not in forbidden_countries && (age > 21 || (age > 18 && country_of_residence != "us"))`, and providers promise not to return successful responses for users who don't fulfill the expression criteria.
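
Added example, not part of the thread or any commenter's code: the challenge-signing flow from the comment above, extended with RSA blinding (Chaum-style blind signatures) so that the provider signs a blob it cannot read, which is one way to get the properties listed in the earlier three-party R/D comment. RSA blinding stands in here for that comment's unspecified "random permutation"; the toy key, the function names and the one-key-per-claim convention are assumptions.

```python
import hashlib
import math
import secrets

# Toy RSA key for provider D, constructed for this example (Mersenne primes, far
# too small for real use). Assumption: one key per claim, here "over 18".
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q
D_PRIV = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to D


def digest(challenge: bytes) -> int:
    """Map R's challenge to an integer mod N (simplified; no padding scheme)."""
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % N


def user_blind(challenge: bytes):
    """User: multiply the digest by r^E so D sees only a random-looking blob."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return digest(challenge) * pow(r, E, N) % N, r


def d_sign(blob: int, documents_ok: bool):
    """D: after checking documents, sign the blob without learning the challenge."""
    return pow(blob, D_PRIV, N) if documents_ok else None


def user_unblind(blind_sig: int, r: int) -> int:
    """User: strip the blinding factor, leaving D's signature on the digest."""
    return blind_sig * pow(r, -1, N) % N


def r_verify(challenge: bytes, sig: int) -> bool:
    """R: check with D's public key (N, E) against the challenge R issued."""
    return pow(sig, E, N) == digest(challenge)


def run_flow(documents_ok: bool = True) -> bool:
    challenge = secrets.token_bytes(32)        # R -> user
    blob, r = user_blind(challenge)            # user -> D, with documents
    blind_sig = d_sign(blob, documents_ok)     # D -> user
    if blind_sig is None:
        return False
    return r_verify(challenge, user_unblind(blind_sig, r))  # user -> R

if __name__ == "__main__":
    print(run_flow())
```

Because R issues a fresh random challenge each time, a signature obtained for one session does not verify against another session's challenge.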

These days when you buy alcohol there's a good chance that data is being stored. A lot of restaurants and stores that sell alcohol scan or swipe cards as part of the purchase now.

Just one example: https://okcfox.com/news/local/cyber-security-experts-be-wary...

I wonder if merely paying with your credit card leaves a monetizable paper trail.

Does anyone know if Mastercard gets any data relating to what's actually being purchased? Or does the store get a globally unique ID to associate with every purchase made with a specific card?

Completely agree, and that's one reason I'm against these laws. But that's a very different argument from the one I was responding to.
You had to show ID to buy porn magazines, go in a strip club or even the adult video rental room.

It's pretty insane that we have no check for an unlimited amount of free porn with all kinds of extremes.

It fucks up a lot of kids (and adults).

Showing porn to a random kid on the street would have you catch a charge if not something worse, but somehow on the Internet it's just fine?

"It's pretty insane that we have no check for an unlimited amount of free porn with all kinds of extremes."

And... we still don't. Porn is available through a lot of channels to anybody who knows how to look, all the NC law (and others) is doing is applying pressure to a handful of businesses and encouraging bad practices in the form of having to handle IDs.

I'm the first to acknowledge it's sometimes worth doing something imperfect if it'll improve things, even if it's not 100% effective. But this isn't likely to be 10% effective, much less 90% or 100% effective. Anybody who wants to can dredge up tons of porn on any number of other sites, torrents, etc.

As others have said, it's one thing to have to flash an ID at a convenience store or to enter a business where there's nudity, etc., but here you're requiring people to pass their info online. That's bad policy, and I doubt it's even in good faith that the legislators really think it'll do anything to curb access by those under 18.

It's designed to target sites like PornHub and to give government a cudgel against all kinds of content that most wouldn't consider "porn" to begin with. And they want to go after LGBTQ+ content on the basis that it's LGBTQ+ -- not that it's necessarily adult in nature. [1]

There's little chance that you're going to come anywhere close to preventing motivated people from seeing porn on the Internet with laws and policy like this. If you have kids that you don't want accessing porn, then you need to take steps to monitor their access and have the hard conversations with them.

(I am less alarmist about the "dangers" of kids accessing porn, but I will agree that unfettered access at a young age especially if parents aren't teaching their kids adequately about sexuality and that porn isn't a good representation is not great.)

[1] https://www.techdirt.com/2023/08/17/masculine-policy-the-gop...

"NC legislature accidentally endorses Mullvad VPN" could be a parallel article to this one. It would be interesting if someone analyzed the growth in VPN use following the enactment of this law.
Indeed. I'm pretty sure VPN subscriptions had a nice little spike at the end of December in NC.
They are leaving it out where anyone can get it (if their parents aren't watching), not showing it to unsuspecting pedestrians. Maybe teenagers have too much autonomy online but it's the place of their parents to take it away from them - not the state of North Carolina.
I think a reasonable analogy would be putting TV's playing porn outside of a school and covered them with a cloth and sign that said adults only. What would my liability be then? And I also sell advertising on the side of the tvs?

    I think a reasonable analogy would be putting 
    TV's playing porn outside of a school and covered 
    them with a cloth and sign that said adults only.
Well, no. Anybody entering or leaving the school would have no choice but to see the covered TVs. Whereas porn is generally not showing up online unless you are looking for it.

Strongly suggest dropping the analogies entirely.

Like many digital concepts this just will never map cleanly to a real-world analogue.

This is like the millions of bad analogies related to music downloads back in the Napster days. Please, stop. This is an issue worth discussing, but every analogy is bad and every analogy pollutes and enshittifies the discussion.

Though porn advertisements can pop up when you're just minding your own business. The other day a friend of mine was doing perfectly mundane research, and they were shown ads with full nudity. (Yes, I know, they should install an ad blocker, that's not the point.)

That I do think is pretty messed up, and potentially something to pass legislation about. Some people want to opt out of pornography altogether, and their choice should be respected. As should the choice of people who do consume pornography, but aren't choosing to do so at this moment.

I don't know the answer but yeah, I'm definitely on your side about it being a problem.

I saw a bunch of super explicit stuff, unbidden, on my Twitter/X feed the other week and it made me not want to use it any more.

I love porn, but it absolutely should not be shown to me without my consent.

Based on the growth of some "romance boutiques," who seem to be able to open chain stores anywhere, the liability is nil.
They allow kids to go in?
To be honest, I don't know - but the billboards are everywhere and not subtle at all.
No, they check IDs.

Source: Was a kid.

If you give your kids unrestricted access to a gun they can shoot themselves.

Why should minors be allowed on the internet unsupervised at all?

> You had to show ID to buy porn magazines

Not to someone wearing a Google Glass device, taking a snapshot of it.

> It fucks up a lot of kids (and adults).

That which is asserted without evidence, can be dismissed without evidence.

At least here in the US, we don't legally restrict minors from having sex (with others of the same age). The other two are physical goods with well-studied and proven health effects. Porn is not like these things.
The core of OP's argument is that tracking is bad, not that ID/age verification is bad.
You don't have to show ID if you look about 40 years old, generally.
As far as I know most of the laws don't provide an exception if you look old enough.