by janci 463 days ago
Our state-issued eID cards are supposed to have a function that allows anonymous age verification to a trusted party. It should work like this: a requesting party sends a request signed by state-issued certificate to the ID card, the card verifies the request authenticity and responds with a signed confirmation of legal age and that signature then can be verified by the requester.

No personal information is shared.

While I do not agree with pervasive age restrictions, this is a nice technical solution to privacy preserving age verification.

6 comments

There's an issue with the flow you described; the party requesting verification shouldn't directly interact with the verifying agent (the state) as this leaks to the state the identity of the requesting 3rd party.

The correct flow for preserving anonymity is: the requesting party issues a challenge token to the user -- the token header describes the type of request (>=18yo?) and the token body is completely random(*). The user then takes this token and has the challenge verified (signed) on their side, the signed token is then returned to the requester.

This way the state never knows the identity of the challenge issuer.

(*) Note that this scheme requires good faith on the part of the challenge issuer that the token body is actually random, although it would seem that a simple DH-key mechanism would patch this vulnerability.
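The challenge-token flow described in the comment above, sketched in Go as an added example (it is not part of the thread and does not model any real eID system). The `age>=18|` header spelling, the header-plus-32-random-bytes encoding, Ed25519 as the signature scheme and every type and function name are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

const claim = "age>=18|" // token header; this spelling is an assumption

type Requester struct { // the site asking for proof
	statePub ed25519.PublicKey
	pending  map[string]bool // challenges issued and not yet redeemed
}

func (r *Requester) Issue() []byte {
	tok := append([]byte(claim), make([]byte, 32)...) // header + random body
	if _, err := rand.Read(tok[len(claim):]); err != nil {
		panic(err)
	}
	r.pending[string(tok)] = true
	return tok
}

// Verify accepts a token once: issued here and signed by the state key.
func (r *Requester) Verify(tok, sig []byte) bool {
	issued := r.pending[string(tok)]
	delete(r.pending, string(tok)) // single use: replays are rejected
	return issued && ed25519.Verify(r.statePub, tok, sig)
}

// StateSign sees only the token: nothing identifies the requesting site.
func StateSign(priv ed25519.PrivateKey, tok []byte, adult bool) []byte {
	if !bytes.HasPrefix(tok, []byte(claim)) || !adult {
		return nil // refuse: unknown claim type, or the claim is false
	}
	return ed25519.Sign(priv, tok)
}

func Demo(adult bool) (first, replay bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // throwaway "state" key
	site := &Requester{pub, map[string]bool{}}
	tok := site.Issue()
	sig := StateSign(priv, tok, adult)
	return site.Verify(tok, sig), site.Verify(tok, sig)
}

func main() { fmt.Println(Demo(true)) }
```

The signer never receives a requester identifier, but it does see the exact token bytes, so a requester that keeps its issued tokens and a signer that logs what it signed hold a common value.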

I think it is a tradeoff between "everybody can request age verification" and "only state-licensed parties can request age verification". I don't think everybody's ID card should tell anyone if the holder is adult or not, especially wirelessly.

What prevents the requesting party from saving the random bytes and then connecting with the signing party to link the user with the service?

> No personal information is shared.

You'd know the state they're a legal resident of as they use state-specific keys used for signatures.

If the request allows checking arbitrary ages like Apple's, then you can get their age with a handful of requests. If one has to verify every visit, then you can get exact birthdate eventually.

If the one verifying has to pass data to the verifier site or the request to the verifier has any site/app/company-specific IDs (again, Apple), then you're leaking what you're visiting to the verifier.

And not to beat a dead horse, but as long as there are jurisdictions that don't require age verification in the world, children can easily use a free VPN or proxy to avoid checks altogether at which point, one has to ask, why do it at all?

> If the request allows checking arbitrary ages like Apple's, then you can get their age with a handful of requests. If one has to verify every visit, then you can get exact birthdate eventually.

If you assume a sensible rate limit, that entering the check is voluntary (and unlikely to fail), and that people age monotonically, then it's going to require a lot of cooperation from the victim to get more than a couple of bits of entropy.

I wouldn't trust Apple here regardless, since they are not the state and have their own separate interests.

You can get the age quite quickly with a binary search. If everyone is between 1 and 100, that's no more than 7 requests. The only way this wouldn't hurt privacy excessively is that it has to work the other way around. You, not the app, request a verification token from a government API that only says you are above 18 which expires once in a while. The token should bear no other information about you and be single use so it cannot be correlated between different sites. For the US, it should also be on a federal level (the verification scheme, not the age verification requirement) to reduce the bits from knowing your state, which is a lot for small states.
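The arbitrary-threshold leak and the "only says you are above 18" restriction discussed in the comments above, as an added Go example (it is not part of the thread and is not modelled on any real ID API). The `ID`, `Narrow` and `Span` names, the 1 to 100 age range and the 18/21 allow-list are assumptions; the point is to measure how much an ID's threshold policy lets a requester learn.

```go
package main

import (
	"fmt"
	"sort"
)

// ID answers "is the holder at least n?" only for allow-listed thresholds.
type ID struct {
	age     int   // secret: compared inside the ID, never returned
	Allowed []int // sorted thresholds this ID is willing to answer
	Queries int   // answers given so far
}

func (id *ID) AtLeast(n int) (yes, answered bool) {
	i := sort.SearchInts(id.Allowed, n)
	if i == len(id.Allowed) || id.Allowed[i] != n {
		return false, false // threshold refused, nothing revealed
	}
	id.Queries++
	return id.age >= n, true
}

// Narrow binary-searches the answerable thresholds: (lo, hi, request count).
func Narrow(id *ID, lo, hi int) (int, int, int) {
	i, j := 0, len(id.Allowed)
	for i < j {
		m := (i + j) / 2
		if yes, _ := id.AtLeast(id.Allowed[m]); yes {
			lo, i = id.Allowed[m], m+1
		} else {
			hi, j = id.Allowed[m]-1, m
		}
	}
	return lo, hi, id.Queries
}

func Span(a, b int) []int { // a..b inclusive: an ID that answers anything
	s := make([]int, 0, b-a+1)
	for n := a; n <= b; n++ {
		s = append(s, n)
	}
	return s
}

func main() {
	fmt.Println(Narrow(&ID{age: 37, Allowed: Span(2, 100)}, 1, 100))  // 37 37 7
	fmt.Println(Narrow(&ID{age: 37, Allowed: []int{18, 21}}, 1, 100)) // 21 100 1
}
```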

"...at which point, one has to ask, why do it at all?"

It seems like this line of thinking would lead you to ask the same question of literally any law, wouldn't it?

Laws often don't rely on being 100%. Even though there is a law saying people need to wear a seat belt, they can just not wear it! So what's the point, &c, &c?

If you don't wear a seatbelt, you can be ticketed. Not only is enforcement practical, but it has a measurable impact on behavior.

If you use a VPN to visit a porn site to bypass age verification, you haven't broken the law as it applies to sites, not users. There will be no measurable impact on underage people visiting since the barriers to VPNs/proxies are almost nil while still costing money to enforce on non-tech savvy adults - an overall detriment to society.

Laws that are unenforceable and don't benefit society are bad laws.

Let me see if I understand the situation you're describing clearly. It seems like you're saying that all or most young people will be able to -- and be inclined to -- use VPNs to visit porn sites, and will do so.

They won't be able to visit porn sites in their own jurisdiction -- let us call it jurisdiction J -- because those sites have to perform age verification, but they will be able to visit porn sites in other jurisdictions, since they can send traffic that appears to originate in those jurisdictions. Those porn sites are not in J and so don't have to enforce J's rules.

When I think about this situation, though, it just seems like it would lead lawmakers to require VPN sites to perform age verification.

Regarding "Not only is enforcement practical...", I'm not sure enforcement is all that practical for this offense -- my understanding is that most instances of it are never caught and never charged.

Just curious: 1) which country/eID is this? and 2) does it send the date of birth back, or does it perform a zero-knowledge proof that the date of birth is greater than or equal to a given value (current date minus age requirement)?

A handful of states, including California, have a digital ID that can do this. It only sends the fact that you’re over a certain age.

There’s a video halfway down this page showing the process in Apple Wallet: https://learn.wallet.apple/id/ (notice “Age Over 21”)

The new laws, such as the one that just passed in Utah, require kids to get the consent of their parents to install apps. So now add that complexity to the flow.

https://apnews.com/article/utah-app-store-age-verification-7...

https://le.utah.gov/~2025/bills/static/SB0142.html

Really comes down to "how sure do you want to be that the person is the right age"? Or the "how hard would it be for a preteen to buy beer?" test.

With an eID card, if it's just saying "yes, this person is old enough" then any teen can swipe a device with an eID card and start using it.

So it’s tied to biometrics/other 2nd factor as with passkeys. Wouldn’t stop mini-me of course…

So kids just memorize their parents' driving license when they don't pay attention, and this is bypassed, just like in the old days.

No. Kids would need to memorize the private key of their parents id card.

What stops me, a random person, from publishing my private key online for anyone to use?

Common risk awareness, one would hope. What's to stop a random criminal from using that private key to take out a big loan in your name?

I would assume that my private key for proving my identity to random websites is different than that used to make financial transactions. Why would I ever elect to keep it the same?

I don’t think that’s how a state e-ID works.