by Aloisius 463 days ago
> No personal information is shared.

You'd know the state they're a legal resident of as they use state-specific keys used for signatures.

If the request allows checking arbitrary ages like Apple's, then you can get their age with a handful of requests. If one has to verify every visit, then you can get exact birthdate eventually.

If the one verifying has to pass data to the verifier site or the request to the verifier has any site/app/company-specific IDs (again, Apple), then you're leaking what you're visiting to the verifier.

And not to beat a dead horse, but as long as there are jurisdictions that don't require age verification in the world, children can easily use a free VPN or proxy to avoid checks altogether at which point, one has to ask, why do it at all?


> If the request allows checking arbitrary ages like Apple's, then you can get their age with a handful of requests. If one has to verify every visit, then you can get exact birthdate eventually.

If you assume a sensible rate limit, that entering the check is voluntary (and unlikely to fail), and that people age monotonically, then it's going to require a lot of cooperation from the victim to get more than a couple of bits of entropy.

I wouldn't trust Apple here regardless, since they are not the state and have their own separate interests.

You can get the age quite quickly with a binary search. If everyone is between 1 and 100, that's no more than 7 requests. The only way this wouldn't hurt privacy excessively is that it has to work the other way around. You, not the app, request a verification token from a government API that only says you are above 18 which expires once in a while. The token should bear no other information about you and be single use so it cannot be correlated between different sites. For the US, it should also be on a federal level (the verification scheme, not the age verification requirement) to reduce the bits from knowing your state, which is a lot for small states.
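Added example, not part of any comment in this thread: a Python sketch of what a relying site learns from an age-check API that accepts arbitrary thresholds, the same API behind a rate limit, and one that only ever answers "18 or over". `AgeOracle`, `narrow` and the sample birthdate are constructed for illustration and model no real verifier.

```python
# Added example (constructed): what a relying site learns from an age-check
# API, depending on its design. AgeOracle and narrow() are hypothetical.
from datetime import date

def age_on(birthdate, today):
    """Whole years completed on `today`."""
    before_birthday = (today.month, today.day) < (birthdate.month, birthdate.day)
    return today.year - birthdate.year - before_birthday

class AgeOracle:
    """Answers only 'is the user at least N?'; never returns the birthdate."""
    def __init__(self, birthdate, today, allowed=None, max_queries=None):
        self.age = age_on(birthdate, today)
        self.allowed = allowed          # None = any threshold may be asked
        self.max_queries = max_queries  # None = no rate limit
        self.queries = 0

    def is_at_least(self, n):
        if self.allowed is not None and n not in self.allowed:
            raise PermissionError("threshold not offered")
        if self.max_queries is not None and self.queries >= self.max_queries:
            raise RuntimeError("rate limit reached")
        self.queries += 1
        return self.age >= n

def narrow(oracle, lo=1, hi=100):
    """Range of ages still consistent with every answer the site could get."""
    while lo < hi:
        mid = (lo + hi + 1) // 2
        offered = [mid] if oracle.allowed is None else oracle.allowed
        usable = [t for t in offered if lo < t <= hi]
        if not usable:
            break                       # no remaining question adds information
        t = min(usable, key=lambda x: abs(x - mid))
        try:
            at_least = oracle.is_at_least(t)
        except RuntimeError:
            break                       # rate limit stops further narrowing
        lo, hi = (t, hi) if at_least else (lo, t - 1)
    return lo, hi

if __name__ == "__main__":
    born, today = date(1990, 5, 17), date(2025, 1, 1)   # constructed sample
    for label, kwargs in [("arbitrary thresholds", {}),
                          ("arbitrary, 2 queries max", {"max_queries": 2}),
                          ("fixed 18+ only", {"allowed": {18}})]:
        oracle = AgeOracle(born, today, **kwargs)
        print(label, narrow(oracle), "queries:", oracle.queries)
```

The returned pair is the range of ages the site cannot distinguish between; a single-value range means the exact age is known.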

> ...at which point, one has to ask, why do it at all?

It seems like this line of thinking would lead you to ask the same question of literally any law, wouldn't it?

Laws often don't rely on being 100%. Even though there is a law saying people need to wear a seat belt, they can just not wear it! So what's the point, &c, &c?

If you don't wear a seatbelt, you can be ticketed. Not only is enforcement practical, but it has a measurable impact on behavior.

If you use a VPN to visit a porn site to bypass age verification, you haven't broken the law as it applies to sites, not users. There will be no measurable impact on underage people visiting since the barriers to VPNs/proxies are almost nil while still costing money to enforce on non-tech savvy adults - an overall detriment to society.

Laws that are unenforceable and don't benefit society are bad laws.

Let me see if I understand the situation you're describing clearly. It seems like you're saying that all or most young people will be able to -- and be inclined to -- use VPNs to visit porn sites, and will do so.

They won't be able to visit porn sites in their own jurisdiction -- let us call it jurisdiction J -- because those sites have to perform age verification, but they will be able to visit porn sites in other jurisdictions, since they can send traffic that appears to originate in those jurisdictions. Those porn sites are not in J and so don't have to enforce J's rules.

When I think about this situation, though, it just seems like it would lead lawmakers to require VPN sites to perform age verification.

Regarding "Not only is enforcement practical...", I'm not sure enforcement is all that practical for this offense -- my understanding is that most instances of it are never caught and never charged.