[antitoxic]

I work at a European identity wallet system that uses a zero knowledge proof age identification system. It derives an age attribute such as "over 18" from a passport or ID, without disclosing any other information such as the date of birth. As long as you trust the government that gave out the ID, you can trust the attribute, and anonymously verify somebodies age.

I think there are many pros and cons to be said about age verification, but I think this method solves most problems this article supposes, if it is combined with other common practices in the EU such as deleting inactive accounts and such. These limitations are real, but tractable. IDs can be issued to younger teenagers, wallet infrastructure matures over time, and countries without strong identity systems primarily undermine their own age bans. Jurisdictions that accept facial estimation as sufficient verification are not taking enforcement seriously in the first place. The trap described in this article is a product of the current paradigm, not an inevitability.

[EmbarrassedHelp]

According to the EU Identity Wallet's documentation, the EU's planned system requires highly invasive age verification to obtain 30 single use, easily trackable tokens that expire after 3 months. It also bans jailbreaking/rooting your device, and requires GooglePlay Services/IOS equivalent be installed to "prevent tampering". You have to blindly trust that the tokens will not be tracked, which is a total no-go for privacy.

These massive privacy issues have all been raised on their Github, and the team behind the wallet have been ignoring them.

[godelski]

  > It also bans jailbreaking/rooting your device, and requires GooglePlay Services/IOS equivalent be installed to "prevent tampering".

Regulatory capture at its finest. Such a ruling gives Apple and Google a duopoly over the market.

Maybe worse, it encourages the push of personal computers to be more mobile like (the fact that we treat phones as different from computers is already a silly concept).

So when are we going to build a new internet? Anyone playing around with things like Reticulum? LoRA? Mesh networks?

[freakynit]

"Anyone playing around with things like Reticulum? LoRA? Mesh networks?"

I'm curious about the 'day after' scenario: what's the move if the state decides to regulate these into "illegality" because they bypass official channels? We have to remember that the devices aren't the problem... the real hurdle is the bureaucratic gatekeeping of communication. The problem are people, not devices.

[godelski]

It could be a difficult battle for them to fight. We'd just have to make it too costly. Make them go hunt down all the relays. Scatter them everywhere. A $5 ESP32 isn't a good relay but they still have to hunt it down and that'll cost a lot more than $5.

So the answer is the same as any war: you make it too expensive to keep fighting. It's the same reason a bunch of barely trained people in the desert won a war against a force with far greater military power. It's the same reason a bunch of jungle people defeated the country that just won a world war. It's also the same reason a bunch of rednecks defeated the largest military in the world (at the time) and were able to create an even larger empire.

It's not hard to make them give up. It's going to be a cat and mouse game but it already is

[theodric]

I appreciate what you're trying to say, but here's a counter-example: .22lr ammunition is also extremely inexpensive per unit, but I can't buy that at all in Ireland without extensive, recurring background checks and a demonstrated continuing need for access. If a government decides you don't get to have something, they are well within their power to effectively eliminate it. I can no more make an ESP32 at home than ammunition. I reckon it's harder, in fact.

[To the government Cornholio reading this and panicking because I mentioned a gun thing: no, I'm not threatening you.]

[leoedin]

As long as there's a country willing to build and sell ESP32s, I think it would be fairly easy to get hold of them. How does a customs agent distinguish between an ESP32 and another microcontroller? These things are in every gadget. Is a government really going to ban all electronics?

Just look at how ineffective governments are at stopping drugs. If people are motivated to smuggle things, they will. Is there going to be a booming black market in ESP32s? Probably not. But will motivated people manage to import them? Almost certainly.

[miki123211]

There's not enough people to care.

They have the propaganda advantage (think of the children, those who undermine the system are pedophiles by definition). They have the law (just reclassify such activity as aiding and abetting the distribution of child pornography). They have the scare tactics (nobody wants 30 years in prison and an entry on the sexual offender's register).

This war will be won with words and at most a few arrests, just to make an example, just like the war on terror and anonymous financial activity.

Privacy just doesn't matter for 99+% of the population as much as we think, which is very much unlike piracy or drugs for example. If this wasn't the case, we'd all be using Signal and Monero right now.

[godelski]

  > There's not enough people to care.

You'd be surprised at how few people it takes. You don't even need 10% of the population.

But what, you're going to give up without a fight?

Even if you won't fight then why fight for your enemy by telling others not to fight?

[freakynit]

This comes to mind at once: https://meshtastic.org/

But yes, your point is largely valid as long as enough people are willing to jump the ship.

[godelski]

So does the original thing I mentioned

https://reticulum.network/

[notyourwork]

Anyone remember when the discussions about classifying the internet as a utility and Akit’s stupid Reese cup coffee mug. It feels so long ago given how much has transpired since.

[m4rtink]

MeshCore is spreading quite rapidly - it uses solar powered repeaters and that helps a lot. :)

[godelski]

I'm kinda sold by reticulum since it's independent of a lot of factors. You can also bridge it with meshcore or meshtastic.

[m4rtink]

Yeah, there is definitely more projects now & they seem to be evolving quite rapidly. :)

[layla5alive]

"Bypass official channels!?" The overton window has moved so far!!!!

[briHass]

This is exactly the argument that is (correctly) levied against firearm restrictions.

[ndsipa_pomu]

> So when are we going to build a new internet?

Finally, the year of IPFS. Government messing too much with the internet will end up pushing people to use more "dangerous" internets that are completely unregulated and that is surely the opposite of the the stated purpose to protect young people.

[Hizonner]

IPFS doesn't even try to do any kind of anonymity or censorship resistance. In a practical sense it's probably worse than BitTorrent, although neither one of them is up to the task. Actually resilient data distribution is hard, and I don't think there are any systems that have all the needed elements.

... and if you create one, they can, and it's starting to look like they will, outlaw using it, regardless of what you use it for.

[ndsipa_pomu]

I should have said "I2P" instead of "IPFS".

[mapt]

https://www.youtube.com/watch?v=XTnYVh7K6xQ

There are (to make up a number) ten desirable properties of the modern internet, and so far it's "Pick two", but novel combinations of the things you mentioned offer "Pick three" or possibly "Pick four" if adoption picks up.

For text, phone, and even image communication in urban and suburban areas, it sounds like there's real promise here. But we're not going to achieve parity with a global fiber + datacenter network by any means.

You don't need all ten to, say, organize a revolt.

[godelski]

Hell, I don't know why we don't just start building a guerrilla network around the Bay. Just start gluing repeaters to things. You could do LoRA like in that video but even WiFi has decent range. Maybe not in the km range but it's also a $5 device. And we don't need to limit ourselves to that cheap of stuff.

We don't need to replace global fiber, we just need to demonstrate enough to inspire others. I'd be perfectly happy if we got just an old web text only system up.

Honestly, would be a lot easier if we could get encryption rules lifted from HAM operations. That's what's needed for long range, even if we won't get the high data rates. We don't need a YouTube to make a difference

[forgetfreeman]

A new internet to do what? What is the proposed goal of a new network?

[verisimi]

I would assume it would be not be regulated by government, so without constraints on age, restrictions on what you can do - you know, like reality.

And I know that government attempts to regulate reality too, but if you drive at 35 where the limit is 30, or speak to someone dodgy to get some marijuana or whatever, and get away with these and other heinous crimes, you're good!

The distinction really is whether you bake regulation into the technology or not. And it seems that technology is actually the new legal system. Or perhaps that should be the 'pre-legal system' as it won't allow you to do those things it determines as 'wrong'. Which is absolutely fine if you think government really does know best, or hell on earth for everyone else.

[forgetfreeman]

The last 35 years have very vividly demonstrated that there needs to be some adults in the room. Without exception every major tech company has implemented practices so overtly hostile to the userbase that the government has been more or less forced to get involved, mostly in the form of fines that have done very little to disincentivize whatever problematic bullshit the company in question was originally caught at. Suggesting that even less regulation would somehow magically cause tech firms to align goals with their userbase seems baseless to say the least.

[verisimi]

You seem to think that government and corporations are on opposing sides. I don't think this is the case. Governments want the data corporations collect. Both are encouraging the other. There are no adults in the room. Having (corporate or government) children in control of that every individual's private information won't help.

[godelski]

The internet is a global communication system. So to do what? To do exactly that. The difference though is that it isn't controlled by anyone. It doesn't need to be, so no one needs to have that power, no one should have that power. A global communication system where conversations are private by default, just like they are online.

The problem with the current system is that the information was just too free. You could just drop in on anyone's conversation, like it or not. People started hoarding that information and look what we got: surveillance capitalism. The system reinforces itself to watch you, to tell you what to do, what to think, not just what to buy. And the system just wants to keep growing, so it's just going to continue to do that more and more. Sure, there's some nice things we get for the loss of all our privacy, but it comes at the cost of your humanity. They'll be costs to this new system too. It won't be all rainbows and sunshine, but I think it'll be better than this gloomy smog ridden world we have now.

We live in a time where it's actually possible to have a functioning world with no kings. Personally, I'm tired of them, aren't you?

[forgetfreeman]

The infrastructure requirements around routing and switching equipment, transoceanic cables, and satellites mean someone not users has always been in control. Barring some form of anarcho-socialist mass movement around DIY long haul networking infrastructure this seems unavoidable.

The problem with the current system is the intersection of human nature and capitalism. Individuals have willingly adopted technology that aggressively surveils them in exchange for notional convenience and by and large are blandly unconcerned with the implications thereof. This also seems unavoidable as long as data collection and brokerage is permitted and profitable, and people value entertainment over critical thinking. This outcome was very accurately predicted by netizens when online advertisements first started popping up and a lot of time was spent wargaming what would happen if mass adoption lead to the net being a viable sales and marketing target.

After 35 years of observation I've had about enough of global communications systems and everything that comes from them. At this point there is very little one could say to convince me that the internet hasn't been one of our species largest fuckups.

[alisadev]

On one hand, I agree with you; The internet, in its current state, has probably more negative aspects to it than positive ones.

But, on the other hand, I don't think that I can completely ignore the good it has brought to the world. If a person is motivated enough, he can pretty easily navigate through propaganda simply by choosing to consume information from different sources (for example, reading about the us from both the us perspective and russian or chinese perspective).

Of course, the main reason there aren't many people who do that is both simple but also complex. People don't have enough time at which they aren't either exhausted from work or life in general; or stressing about something that has to do with capitalism (either money, wars, work and etc). So at the little amount of free time that they do have - they aren't going to challenge their beliefs (or at least, the beliefs of those who surround them); It's exhausting, and it's easier to just read the propoganda, feel better about yourself because a good propaganda always have someone else to blame - and continue with your day to day life (if one can even call that life; because to me it seems more accurate to call it "existence").

But in any case, what you've said reminded me of this post and how the internet positively impacted one person; so even though I doubt it'll convince anyone of anything - it's still a very heartwarming story: <https://jimmyhmiller.com/raised>

* English isn't my first language so I apologize if there's any grammar mistake.

[charcircuit]

>regulatory capture

It's not other operating systems fault that they failed to invest into security. They should try and catch up instead of blaming people for not trusting their security on "regulatory capture".

[godelski]

Buddy, you're on HN. No one is going to buy that bullshit here. Thanks for the laugh, but seriously, don't insult us like that again. We may be dumb, but not that dumb

[charcircuit]

Which is exactly why I have to advocate for it here. There are literally people on this website who think their operating is secure, but in actuality they are one curl | bash or npm install away from having all of their login credentials stolen. No matter how smart they think they are in being able to avoid malware, that strategy does not scale.

[sfdlkj3jk342a]

Bubblewrap containers to keep all of my environments separate on my laptop works just fine without giving up control to Google.

[raxxorraxor]

Your argument is not sensible as usage of curl | bash doesn't scale. Your argument is people should stay locked up to not be endangered through freedom. There is no intelligence found here.

[raxxorraxor]

Your argument is not sensible as usage of curl | bash doesn't scale.

[raxxorraxor]

Your argument is not sensible as usage of curl | bash doesn't scale. Your argument is people should stay locked up to not be endangered through freedom.

[account42]

You are also one lockpick away from having all valuables in your home stolen. So what?

[hiciu]

> EU's planned system requires highly invasive age verification

EUDI wallets are connected to your government issued ID. There is no "highly invasive age verification".

We are literally sending a request to our government's server to sign, with their private key, message "this john smith born on 1970-01-01 is aged over 18" + jwt iat. There are 3 claims in there. They are hashed with different salts. This all is signed by the government.

You get it with the salts. When you want to prove you are 18+ you include salt for the "is aged over 18" claim, and the signed document with all the salts and the other side can validate if the document is signed and if your claim matches the document.

No face scanning, no driver license uploading to god-knows-where, no anything.

> to obtain 30 single use, easily trackable tokens that expire after 3 months

This is the fallback mechanism. You are supposed to use bbs+ signatures that are zero knowledge, are computed on the device and so on. It is supposed to provide the "unlinkability". I don't feel competent enough to explain how those work.

> jailbreaking / "prevent tampering"

This is true. The eidas directive requires that secret material lives in a dedicated hardware / secure element. It's really not much different than what a banking app would require.

> You have to blindly trust that the tokens will not be tracked

This is not true, the law requires core apps to be opensource. Polish EUDI wallet has been even decompiled by a youtuber to compare it with sources and check if the rumors about spying are true. So you can check yourself if the app tracks you.

Also we can't have a meaningful discussion without expanding on definition of "tracking".

Can the site owner track you when you verify if you are 18+? Not really, each token is unique, there should be no correlation here.

Can the government track you? No, not alone.

Can the site owner and the government collude to track you? Yes they can! Government can track all salts for your tokens, site can collect all salts, they can compare notes. There are so called policy mitigations currently: audits and requirements for governments to remove salts from memory the moment stuff is issued.

Can they lie? Sure.

Can the site owner and the government collude to track you if you are using bbs+? No. Math says no.

Can they lie if you are using bbs+? Math says no.

[11mariom]

> Can the site owner and the government collude to track you? Yes they can! Government can track all salts for your tokens, site can collect all salts, they can compare notes. There are so called policy mitigations currently: audits and requirements for governments to remove salts from memory the moment stuff is issued.

It's not zero knowledge for me then. Also - if there is ANY possibility to track anyone. And/or centrally mark someone "nonverified" then it makes more problems than solves.

Even if I trust my govt (no way), even if it'd be fully ZK with no way to track anyone… still govt would have a way to just block some individual "because".

And the best part… Age verification will not solve "children problem". I think it's parents problem to take care of their children, AV will be pretty easy to bypass - kid will just borrow ID for a moment and… voila! Govts (or some people) are creating problem and solution that do not exists.

I do not like way internet went, I do not like more way it's headed now.

[irjustin]

I'll bite.

> It's not zero knowledge for me then. Also - if there is ANY possibility to track anyone. And/or centrally mark someone "nonverified" then it makes more problems than solves.

> Even if I trust my govt (no way), even if it'd be fully ZK with no way to track anyone… still govt would have a way to just block some individual "because".

Is this even actually possible? If you want any sort of identity verification you HAVE to trust someone, whether age or full ID. Literally impossible.

Zero trust systems in society don't work. If you don't care "who" then yes, zero trust is just fine... but then what's the point of "age verification"?

[kmijyiyxfbklao]

The whole point is that mandating websites to require age verification is more authoritarian than people are pretending it is.

[irjustin]

I was more responding to the part about not trusting your own gov cuz how do you build a system where you don't trust a central authority when identity is required.

I don't think it's possible.

[Hizonner]

You have to trust someone to verify age.

You don't have to trust somebody not to track how the resulting credential is used. And that is what "zero knowledge" means. It means that after you finish the protocol, nobody has learned anything but what they were supposed to learn (in this case, "the person at the other end of this connection is over 18"). If it leaks anything else about the person, it's not zero knowledge. If somebody learns which of the issued credentials was used, it's not zero knowledge. If parties can collude to get information they're not supposed to get, it's not zero knowledge.

It's a technical term of art, not some politician's bullshit. And it isn't complicated to understand.

[EmbarrassedHelp]

> This is not true, the law requires core apps to be opensource. Polish EUDI wallet has been even decompiled by a youtuber to compare it with sources and check if the rumors about spying are true. So you can check yourself if the app tracks you.

The "open source" apps connect to proprietary backends run by a third party that you have to blindly trust. If EUDI wallets were truly open source and free from blindly trusting any authority, then you could simply remove that requirement and issue your own tokens without the use of potentially malicious third party.

[hiciu]

> issue your own tokens

I mean, you can. It's like with TLS certificates. The standard is there. The code is there. You can issue your own.

The question is, who will trust you?

[summm]

It is not at all like TLS. With TLS you at least can get your own certificate signed by an official CA, and use that private key on whatever system you want.

[hiciu]

It is literally TLS in a trench coat with some json sprinkled on top.

Where I think we are not in agreement the question of "who to trust" and "for what purposes".

Are you going to trust me when I tell you that I'm over 18 if I provide you with the document signed by my cousin, Honest Ahmed?

Are you going to trust me when I show you the document signed by my government?

(this is the trick question, you don't have a choice, law says you must; there's a list of who you need to trust and for what purposes; like a certificate root store in your browser)

[girvo]

> It's really not much different than what a banking app would require.

I can use my banking services through the web. Codifying the Google/Apple monopoly in law is gross.

[techpression]

In the context of world politics and the hunt for sovereign hosting etc it also seems incredibly weird to put all of EUs identity handling in the hands of two American companies.

For clarity, the US could over night make all European digital wallets nonfunctional by requiring app stores to remove them and have them uninstalled remotely (iirc there is such a feature but it’s very rarely used). Likely? No, still a very strange thing to put into law though.

[egorfine]

> I can use my banking services through the web.

Not for much longer. Stealing your data on mobile device is way too lucrative for the banks to pass on. All while pretending it's done for security.

[girvo]

Sadly true, while scammers run rampant regardless. It’s depressing to watch everything get worse.

[wongarsu]

Many banks have gone the way of requiring 2FA on an unrooted phone, but giving you a way out by also offering you 2FA via smartcard (using a smartcard reader and a bank-issued card). I suspect a similar thing could be done here, with the smartcard providing the trusted hardware/secure element?

[Hizonner]

> Government can track all salts for your tokens, site can collect all salts, they can compare notes.

That is not zero knowledge. Given that actual zero-knowledge systems are well understood, the only reason to deploy a system that allows that would be if you planned to abuse it.

[dcow]

What is your definition of zero knowledge?

[cwillu]

https://en.wikipedia.org/wiki/Zero-knowledge_proof

[dcow]

By this definition bbs+ signatures are ZK.

[randunel]

Zero knowledge in such a system requires a minimum of 3 independent parties. There are quite a few solutions out there, I think the most developed ones are online voting systems, because tracking and de duplication is essential.

[nullsanity]

The impossibly high bar they set "Perfect" at in order to make it the enemy of good, and fight against any progress being made to keep children out of adult spaces.

That being said, it's my personal opinion that I'd love to simply have my device store a token and send it to any site when requested. I'd then like those sites to give me toggles to remove all non-verified content - and therefore my internet experience could be sans-juvenile squeakers.

[andrepd]

Great comment all around but

> jailbreaking / "prevent tampering"

> This is true. The eidas directive requires that secret material lives in a dedicated hardware / secure element. It's really not much different than what a banking app would require.

This is unacceptable. So much talk about independence from the US, you simply cannot make it a hard requirement to use the duopoly to be a citizen (as if it wasn't a quasi-hard requirement already)!

[spaqin]

Funny how they just handwave it like it's a totally normal thing, like the insane situation with banking apps. Most people don't care as they run with whatever's available without modification, but we still should fight for the right to run the code we want on devices we own.

[theodric]

Consider the car analogy: if you want to drive on public roads, you need to drive an attested, unmodified vehicle that complies with the relevant regulations. If you want to play around and modify the car, that's fine, but then you don't get to use it around other people. You're also not allowed to buy some random, unknown Chinese or Indian car and drive it on the road. People already accept this when framed as a safety issue. I suspect they care more about their cars than their phones, and won't care about the requirements on the phone anyway because they're not planning to modify it, and as long as WhatsApp and Instagram keep letting them exchange shopping list additions and pictures of vacation cocktails, then what's the problem?

To be clear, I'm not in favor of a participation-in-society ban for jailbreaking your phone, but there's already precedent for it.

[schroeding]

The analogy is a bit shaky IMO, as you can certify individual, heavily modified, foreign or even self-built cars in EU member states.

For cars, the local certification authority themselves decides what is road-worthy or not, not VW et al. You can add third party parts without the manufacturers consent. This is not the case for Android or iOS attestation, you're pretty much at the mercy of the foreign manufacturer and their local laws.

[andrepd]

Cars can and do kill 1,500,000 people every single year, equivalent to a jumbo jet full of people every couple hours, plus an equal number of crippled and injured, plus untold number of pollution deaths. That's a ridiculous comparison (if anything cars are not regulated enough). Who am I endangering when running microg on my phone??

[Confiks]

> This is the fallback mechanism. You are supposed to use bbs+ signatures that are zero knowledge, are computed on the device and so on.

You're mistaken. SD-JWT with linkable ECDSA signature is the main mechanism. An unlinkable signature scheme is being discussed on the fringes of the EUDI-project (whether it be BBS+ or Longfellow) and very bare-bones support for Longfellow has been added to the reference wallet a month ago. However the Implementing Acts have no support for such a mechanism yet, and most member states will only implement ECDSA based mechanisms (SD-JWT and ISO 18013) for the foreseeable future.

It's therefore very likely the EUDI wallet and/or a age verification solutions will launch with issuer linkable ("easily trackable") signatures.

See also this thread: https://news.ycombinator.com/item?id=45363275

[deaux]

> This is true. The eidas directive requires that secret material lives in a dedicated hardware / secure element. It's really not much different than what a banking app would require.

Most banking apps run on GrapheneOS, will this? Nearly all EU banking websites run on Firefox on Linux, will this?

Why did you not quote the App Store/Google Play Services part, which is much worse?

> There are so called policy mitigations currently: audits and requirements for governments to remove salts from memory the moment stuff is issued.

I'm sure this will be as diligently carried out as GDPR enforcement. [0].

[0] https://noyb.eu/en/project/dpa/dpc-ireland

[summm]

> jailbreaking / "prevent tampering"

Now your EU government requires you to have an unmodified Google or Apple device to use any age restricted services. Cementing the US mobile OS duopoly and locking out any free systems and desktop etc. forever.

Any governmental service taking part in this is a violation of civil rights and even if you don't care about those, maybe you care about digital sovereignty.

This is so lightly handwaved away, almost as if attention needs to be drawn away. By the looks of this I'd say the end of general computing might be the actual goal, and all the age verification is just yet another "think of the children" pretense?

[hiciu]

I totally agree that one of the biggest vulnerabilities in EU digital ID scheme are US corporations :).

[summm]

At least that establishes that you don't care about civil rights :|

[ori_b]

*corporations in general

[lejalv]

> This is true. The eidas directive requires that secret material lives in a dedicated hardware / secure element. It's really not much different than what a banking app would require.

Except the state is not a bank, of which there are many. The state is not optional, and trusting an American company with, of all things, the digital precondition for social existence, is suicidal.

[donmcronald]

> We are literally sending a request to our government's server to sign, with their private key, message "this john smith born on 1970-01-01 is aged over 18" + jwt iat. There are 3 claims in there. They are hashed with different salts. This all is signed by the government.

If the "18+ claim" can't be linked to your identity and doesn't have any rate limits, someone can set up a token-as-a-service to sell tokens on the black market.

> Government can track all salts for your tokens, site can collect all salts, they can compare notes. There are so called policy mitigations currently: audits and requirements for governments to remove salts from memory the moment stuff is issued.

> Can the site owner and the government collude to track you if you are using bbs+? No. Math says no.

How does the math say no? Big tech companies already log absolutely everything. What's going to stop the government from keeping all the salts they're issuing and then mandating that site operators add the salts to their existing logs?

> Can they lie? Sure.

Well, they've lied to us over and over when it comes to surveillance, so I think at this point it's reasonable to assume they're lying unless it's technically impossible. Where's the in-person key verification that used to be in Whatsapp? How do the authorities get notified when someone makes a poorly thought out joke using Snapchat private messages before getting on a plane? Why is there a war on end-to-end encryption?

We're going to pay a fortune for these supposed zero knowledge systems and that's what it's about. Select companies are going to get paid to issue tokens and the scale is going to create a few new billionaires.

The people in charge are going to gain a ton of power when they betray everyone and disenfranchise us.

[hiciu]

> someone can set up a token-as-a-service to sell tokens on the black market

They can! Singing requires either PIN or finger on the fingerprint, and signed "proof" is valid for like 60 seconds. This whole end-to-end attestation with play integrity is supposed to make setting up token-as-a-service things impractical.

> What's going to stop the government from keeping all the salts they're issuing and then mandating that site operators add the salts to their existing logs?

> How does the math say no

BBS+ signatures. Hashes you receive from the government and hashes you send to the site operator are different and not correlated.

[gucci-on-fleek]

> Singing requires either PIN or finger on the fingerprint, and signed "proof" is valid for like 60 seconds. This whole end-to-end attestation with play integrity is supposed to make setting up token-as-a-service things impractical.

So how would I use this on Linux then? Because I'd be rather unhappy if a bunch of websites became unusable on Linux due to government-mandated security restrictions.

My (Canadian) government's health portal already refuses to load if you use Linux (despite it being 100% web-based), meaning that I'm completely unable to book vaccinations or view procedure results without workarounds. Luckily it only checks the user agent, so it's pretty easy to override this right now, but that wouldn't be possible if cryptography/attestation were involved.

[theodric]

> how would I use this on Linux

Governments and businesses have already decided that it's fine to mandate that you own an unmodified smartphone made by one of the major manufacturers, so it's not much of a stretch to assume that they will also eventually require you to run an attested OS image made by one of the two major manufacturers. The fact that some run Linux internally isn't going to help your case: governments do a lot of things internally that you're not allowed to do. I used to watch cops in Amsterdam park on the sidewalk to go get a kebab, for example.

[Confiks]

> This whole end-to-end attestation with play integrity is supposed to make setting up token-as-a-service things impractical.

Indeed according to some (i.e. the Commission) it's supposed to, but they should know better. And many member state wallet developers do know better.

Play Integrity can easily be bypassed unless you want to exclude a very large amount of users – especially disadvantaged people using older phones – because there are many vulnerable phones in use by those users, and you only need one to build such an age attribute faucet.

See also this comment: https://news.ycombinator.com/item?id=45363853

[txrx0000]

> We are literally sending a request to our government's server to sign

You've already lost. You're at the government's mercy. They can simply refuse to sign.

"Mr. John Smith, we noticed you've published some poorly-worded comments online. Why are you locked out of your account, you say? Oh, that's just an unfortunate technical issue with our signing system, happens all the time. Anyway, this is a friendly reminder for you to improve your online etiquette. Have a nice day."

[MadxX79]

There's really two cases here.

You live in a democracy?

YES) the violation you describe is verifiable to a journalist. You publish story, and you keep the government accountable.

NO) Why are you even discussing if age verification is a good idea or not, you freak. It's not really up to you anyway. Go fix your country first.

[sunaookami]

You mean the journalists that are pro age-verification and pro banning everything that's slightly critical and constantly demonize everyone going against them?

[theodric]

Plenty of democracies in Europe and elsewhere regularly and repeatedly fail to actually represent the desires and interests of the citizenry, but they keep getting reelected anyway. Why should this time be any different?

[AdelaideSimone]

I'm sure they do fail, but at least they have the theoretical ability for citizens to more directly challenge crimes comitted by the government itself. Unlike the U.S., which removed it by statutes, most other common law countries, and all civil law countries, citizens retain the ability to force criminal prosecution (either by private prosecution or by appeal to a magistrate with proof a crime has been committed).

[echelon]

Do you trust today's democracy to be a democracy tomorrow?

Never. Cede. Ground. You'll never get it back, and one day the rights will be gone.

[XorNot]

Age verification in Australia had like 70% popularity.

That is an astounding consensus in a system which regularly decides elections by 51%.

You're not getting mandated from up high: it is democratically enormously popular to do this.

[sapphicsnail]

Or you live in a democracy so you throw a fit until your government backs down. No amount of journalists is going to change the US or the UK at this point.

[raxxorraxor]

Didn't work for EU or US surveillance.

[Aurornis]

Thanks for posting this.

The inherent problem with all zero knowledge identity solutions is that they also prevent any of the safeguards that governments want for ID checking.

A true zero knowledge ID check with blind signatures wouldn't work because it would only take a single leaked ID for everyone to authenticate their accounts with the same leaked ID. So the providers start putting in restrictions and logging and other features that defeat the zero knowledge part that everyone thought they were getting.

[hiciu]

> A true zero knowledge ID check with blind signatures

That is not true and "true zero knowledge ID check" + "age verification" with blind signatures is what's being implemented by the EU ID project.

So someone's id leaks. It happens. In EUDI there are things called "cryptographic accumulators of non-revocation proofs". If your ID leaks it goes into the accumulator. Similar to the certificate revocation lists. During check, you include claims "im over 18" and "my id is not in the accumulator".

This is included in the standard.

This is also (I can only assume) one of the reasons why EUDI wallets require play integrity / attestation / secure element on the device. So your private key won't be easily leaked and no one can steal your ID.

[Aurornis]

You're assuming the leak was accidental, the person knows about it, and they didn't intend for others to use it.

What happens when someone sets up a marketplace where people can sell those blind signatures using their ID for $2 each? And then kids just pay $2 to have someone else blindly use their ID to validate the account, because supposedly the system is structured so that nobody can tell which ID was used or tie it back to the account?

[namibj]

E.g. the German ID card can all on it's own, just using a server certificate configured/parametrized for this and signed by the government, do a simultaneous pseudonym passkey mint and age gate check. That way you could easily block ID reuse; note that the passkey is locked to the card not the person as it's cryptographically derived from the pair of the card's private internal key, and the server's private key that goes to the certificate.

Access to this part of the card is secured by PAKE between the transport layer (TLS) encrypting and user interface providing NFC reader (for example phone with the app, or dedicated hardware) using a PIN.

[hiciu]

That's where the google play integrity / attestation comes into the effect.

In theory you cannot export your private key from the device (from the secure element), so for each $2 someone would have to quickly unlock their phone, scan code via the app and so on.

[coppsilgold]

Private keys from secure elements leak all the time. There will be a flawed implementation that someone exploits, an insider will smuggle a key out etc.

This is why true zero-knowledge systems for this sort of thing aren't practical and will never be. Because a SINGLE leak will break it and there will be no way to even detect it.

The attestation systems you reference don't even allow true zero knowledge attestation, they involve a trusted intermediary to convert your burned-in private key to a temporary key which you use for attestation with a third party.

And the temporary key isn't even a product of a blind signature. And it's rate limited. So if a service selling these temporary keys shows up they will be able to easily trace it to the burned-in key responsible - then revoke it and if possible initiate legal action.

This also means that whenever you register to a service using one of these schemes you are registering with your real identity, it's only a question of how hard and how many parties need to collude to extract it.

And in the event that they really do blindly sign tokens generated on your device, then their scheme will not survive adoption. As it gets adopted, the value of these blind signatures will rise and services that sell them will pop up. There will be no way of tracing the sold blind signature to the compromised/colluding device and rate limiting will merely necessitate a farm of such devices as opposed to a single leaked key.

*Note that Blind Signatures are Zero Knowledge.

[Confiks]

> That is not true and "true zero knowledge ID check" + "age verification" with blind signatures is what's being implemented by the EU ID project.

You are mistaken. In the EUDI wallet project, unlinkable signature schemes are currently being discussed among cryptographers and a month ago Longfellow very basic support for Longfellow has been merged into the reference wallet.

You're making it seem that unlinkable signatures are very established and the default, while they are not. They're not yet properly defined, experimental and mostly unimplemented by member states. Linkable ECDSA signature are currently the default in the EUDI wallet project.

[jajuuka]

I mean that's kind of a problem with ANY solution. There will be workarounds and ways to break it. There is no perfect solution outside someone standing over you while on the internet. We need to look at this more like age checks on porn sites and gaming platforms where you just put in a birthdate. Obviously someone can lie, but that point isn't to be a perfect wall but a hurdle to clear to make sure users are aware of the content and that any sort of nanny software to block if set up.

[Aurornis]

> I mean that's kind of a problem with ANY solution. There will be workarounds and ways to break it.

That's unnecessarily reductive.

Yes, every solution will have problems, but not all solutions have similar problems.

If a solution has problems such that it can be immediately reduced to security theater and bypassed by any teenager who cares, it's just extra hassle and privacy degradation for the rest of us.

These details matter. If a weak solution is regulated into law and the government discovers kids are easily bypassing it, they will immediately pivot into requiring more restrictions on it.

[jajuuka]

Extra hassle is manageable. Sites or programs that want you to put in a birthday are extra hassle but objectively better than something like submitting an ID. Privacy degradation is also manageable as well. It just depends on the solution.

We've had decades of age gating being "are you 18+ or not" yet it is only now that talks of something more enforceable are coming up. This discussion is largely about how one can create a sense of safety and protection. For the more extreme end it's face scans and submitting ID. Even though these are bypassed by any teenager who cares they are still being pushed seriously because it instills that sense of safety and protection for children. Security theater is just a part of managing the internet and not going away unfortunately.

[EmbarrassedHelp]

> age checks on porn sites and gaming platforms where you just put in a birthdate

That's the only solution that truly protects user privacy and security. Video games and especially mature content should not require age verification. People's lives can be permanently destroyed over perfectly legal sexual fantasies, and thus anything that increases the risk of the information being tracked is unacceptable.

[dogcomplex]

This specific problem is solved by requiring that any anonymous ZK ID once used for an account be marked on an immutable ledger preventing multiple uses of the same ID. Sharing it would be pointless as multiple attempts to use it get burned. Yet none of those sites know who you are, only that you have a unique valid ID pass. They just have to check any login attempts against that ledger - easy enough.

[donmcronald]

> They just have to check any login attempts against that ledger - easy enough.

So like CT logs, but several orders of magnitude bigger? I thought centralized TLS revocation lists failed due to scale. How will this differ?

[namibj]

Just crypto tie them to the server/site and let them do it, CRLs were an issue due to distribution to every device, not because of a hastable like sparse set structure being too much. Also this isn't every connection, but only every time you (attempt to) verify your age.

[StopDisinfo910]

> It also bans jailbreaking/rooting your device, and requires GooglePlay Services/IOS equivalent be installed to "prevent tampering".

The EUDI spec is tech neutral.

What the EUDI mandates is a high level of assurance under the eIDAS 2.0 regulation and the use of a secure element or a trusted execution environment to store the key.

[raxxorraxor]

my users .ssh folder is secure enough. Take it or leave it.

[Vinnl]

> It also bans jailbreaking/rooting your device, and requires GooglePlay Services/IOS equivalent be installed to "prevent tampering".

IIRC that was only for a prototype or reference implementation.

[KoolKat23]

I'm sorry to say it but the fact it bans jailbreaking/rooting your device really makes me believe "think of the children" isn't their real goal.

There's some clever kids out there but come on.

[chrishare]

Link?

[EmbarrassedHelp]

https://github.com/eu-digital-identity-wallet/av-doc-technic...

https://www.forbes.com/sites/federicoguerrini/2025/08/10/who...

[donmcronald]

> It derives an age attribute such as "over 18" from a passport or ID, without disclosing any other information such as the date of birth.

How? If it’s analyzes my ID 100% client side I can fake any info I want. If my ID goes to a server, it’s compromised IMO.

I think the zero proof systems being touted are like ephemeral messaging in Snapchat. That is, we’re being sold something that’s impossible and it only “works” because most people don’t understand enough to know it’s an embellishment of capabilities. The bad actors will abuse it.

Zero proof only works with some kind of attestation, maybe from the government, and there needs to be some amount of tracking or statistics or rate limiting to make sure everyone in a city isn’t sharing the same ID.

Some tracking turns into tracking everything, probably with an opaque system, and the justification that the “bad guys” can’t know how it works. We’ve seen it over and over with big tech. Accounts get banned or something breaks and you can’t get any info because you might be a bad guy.

Does your system work without sending my ID to a server and without relying on another party for attestation?

[myrion]

There's no dynamic analysis done, necessarily. In the Swiss design, fex, SD-JWTs are used for selective disclosure. For those, any information that you can disclose is pre-hashed and included in the signed credential. So `over_18: true` is provided as one of those hashes and I just show this to the verifier.

The verifier gets no other information than the strictly necessary (issuer, expiry, that kind of thing) and the over 18 bit, but can trust that it's from a real credential.

That's not strictly a zero knowledge proof based system, though, but it is prvacy-preserving.

[phanimahesh]

The issuer knows everything and can help track if the wish to. The issue here is lack of trust in any corporate or government entity.

[myrion]

Well, yes, if they use something completely different to what's published and designed.

But no, we're not talking about the case where there's no trust at all in the government, because then you don't get verifiable credentials at all. We're talking about building privacy-preserving credentials that actually have a use.

[runako]

> If it’s analyzes my ID 100% client side I can fake any info I want. If my ID goes to a server,

amplifying your point, there is effectively no way for the layperson to make this distinction. And because the app needs to send data over an encrypted channel, it would be difficult at best for a sophisticated person to determine whether their info is being sent over the wire.

[XorNot]

This is a fairly weak argument though: the layperson also cannot verify the software updates we push to their phone/computer or any number of other critical devices in the chain.

All of this is reputation management: if technical experts broadly agree the system does what it says, then all of us have to accept that in aggregate that's probably good enough and significantly better then many other areas.

[donmcronald]

> And because the app needs to send data over an encrypted channel, it would be difficult at best for a sophisticated person to determine whether their info is being sent over the wire.

Devices are built from the ground up to prevent even sophisticated users from tapping them to verify we aren't being lied to. The average person thinks that "hackers" will mobilize if things get too bad and they're completely wrong.

Tamper proof, encrypted chains of trust start from the second a device gets power and it's infecting everything from appliances to phones to computers. Get ready for a future where your rented toaster has parts serialization that can't be bypassed.

[ori_b]

Oh -- how do I ensure that the device is running only the software I installed, with exactly the patches I added, rather than a possibly malicious vendor -- for example, if the local government of the country I'm visiting has a court order for phone vendors to silently backdoor phones, it would be nice to know that only the software I personally signed is running.

As someone that patches their OS on the regular, this would be pretty interesting.

[bitmasher9]

Attestation from government sounds like the ideal solution. This could actually provide _more_ privacy because we can begin using attestation for things we currently use IDs for such as “Has the privilege of driving a car” or “Can purchase alcohol”

[Aurornis]

Amazing how fast these systems go from "zero knowledge" to "route the request through the government system every time you use your ID"

[hiciu]

there is no "route the request through the government system every time you use your ID".

you get your sd-jwt document signed once and you reuse it for like 30 days or so.

[Aurornis]

I was responding to the comment above mine, which was calling for attestation from the government for specific privileges.

> you get your sd-jwt document signed once and you reuse it for like 30 days or so

So it still gets routed through the government once a month if you plan on using it.

[hiciu]

Yes we are still talking about attestation from the government for the specific privilege part.

You get your document with fields like "can drive", "is over 18" and so on. It's valid for some time; physical ID is valid for like 10 years and then you have to get a new document, this digital one is valid for lets say 30 days and if it expires you get a new one.

Then you present only those fields you want, when you want, without anyone talking to the government at all. All the other party needs to check is "is the document valid" and "do presented fields match the document". Like checking a tls certificate for a given domain name or purpose.

Strictly speaking there is no "routing through the government" of any information. The government just "issues a certificate" valid for X days without knowledge with whom, how or when you are using it.

[summm]

Technically, if your phone needs to be remote attested, it can be considered a government system, not a user's system.

[hiciu]

That's true, but it never really was your system, right? It's government issued app on a government approved device.

[XorNot]

Except it wouldn't need to be every request. Just the first one.

All these services have accounts, and the only time you need to do an age check is when the account is created.

[antitoxic]

Yes it does actually. You load your ID into your phone with the MRZ and NFC. The cryptographic proof inside your ID is used to verify that it was issued by an official government. So your ID is not being sent to a central server.

The reusing another ID is an issue. In some countries they will have a in person check to verify only you can load your ID into your phone. But then you still have the problem of sending a verification QR code to someone else and have them verify it. This might be solved by rolling time-gated QR codes and by making it illegal to verify someone else's verifications. But this is a valid concern and a problem that still needs solving.

[andrepd]

> If my ID goes to a server, it’s compromised IMO

Might be breaking news, but the state already has your passport ID in a server.

[elric]

I feel like you're glossing over a lot of uncomfortable but important implementation details here. None of this works without effectively banning personal computing and tying the whole system to secure attestation (which in practice means non-jailbroken apple & android devices). No thanks.

Can we go back to defaulting to parenting instead of nanny-states? Maybe make "age sensitive" websites include this fact into a header (or whatever) so that parents can decide who in their household can access which content. Instead of having some overreaching corpo-government implementing draconian "verification" systems.

If I want to live under the thumb of a strongly verified "benevolent" dictatorship, I'll move to China. No need to create a second China at home.

[uniq7]

In your system, can companies verify age offline, or do they need to send a token to the Government's authority to verify it (letting the Government identify and track users)?

Switzerland is working on a system that does the former, but if Government really wants to identify users, they can still ask the company to provide the age verification tokens they collected, since the Government hosts a centralized database that associates people with their issued tokens.

[tgsovlerkhgsel]

Aren't the companies also expected to do revocation checking, essentially creating a record of who identified where, with a fig leaf of "pseudonymity" (that is one database join away from being worthless)?

[myrion]

The revocation checking is implemented in a way where the government doesn't know who you checked and you can even cache the information (if that's good enough for you) so they won't notice at all.

[tgsovlerkhgsel]

Either the spec changed since I last checked or I confused it with something else, you're right. They're basically using CRLs.

For unlinkability, I think the plan is to essentially issue single use IDs/"certificates", but it's not implemented in the Beta.

[myrion]

That assumes the companies store the individual tokens, as does the government. Neither of which are part of the design, but could be done if both sides desired it.

The Swiss design actually doesn't store the issued tokens centrally. It only stores a trust root centrally and then a verifier only checks the signature comes from that trust root (slightly simplified).

[uniq7]

If companies are required to verify age, then it's in their best interest to store all tokens, just in case they are ever accused of not verifying it.

The Swiss E-ID system stores people identifiers and token status lists in their so-called "Base Registry". From https://swiyu-admin-ch.github.io/technology-stack/#credentia...

> Decentralized Identifiers (DID) developed by the W3C represent an identifier standard that provides a subject-controlled method for identifying individuals, organizations, or objects online. In the swiyu Trust Infrastructure, DIDs are utilized as a standard identifier for issuers and verifiers. They are centrally hosted on the swiyu Base Registry.

> In this protocol, the trusted authority issues certifications (“trust statements”) concerning the identity (i.e., who is the real-world identity controlling a DID) and legitimacy (i.e., who is allowed to issue or verify credentials of a specific VC schema) about an entity as SD-JWT VC and publishes these trust statements in the trust registry.

> Token Status Lists are signed, maintained and published by the credential issuers but hosted on the Base Registry.

[myrion]

That's not how that works - they can prove they check by showing logs, rather than VPs. There's even legal limits on what identifiers they can store and for how long. But even ignoring that, they'd be storing only very limited disclosures.

The base registry stores identifiers of issuers and verifiers, not credential holders.

Even the status register does not contain the tokens themselves:

> Within these status lists, each index (i.e., status entry) documents the validity of one VC. The corresponding index is captured in the VC’s metadata to allow for a decentralized status information retrieval that does not require verifiers or the VC holder to contact the issuer.

Of course, each issuer needs to maintain a list of the credentials they have issued in order to be able to ever revoke them. That's unavoidable.

[uniq7]

> But even ignoring that, they'd be storing only very limited disclosures.

Just to be clear, here I am not concerned about the verifiers, I am concerned about the authority (Government).

> The base registry stores identifiers of issuers and verifiers, not credential holders.

If the verifiers provide the verification tokens to the Government, can't the Government identify the original issuer even if they don't store them? Don't these tokens contain the DID of the issuer? Please correct me if I'm wrong, maybe I didn't get this part right.

> That's not how that works - they can prove they check by showing logs, rather than VPs

Logs can be manipulated, VPs can't. If I had a company and I was forced to verify users, I'd try to store those VPs for as long as possible, for my own protection.

> There's even legal limits on what identifiers they can store and for how long

I was not aware of this. Is that documented anywhere?

[ndriscoll]

At least the US bills I've read make it illegal to store any information provided as part of age verification. Are the EU versions not the same?

[agentifysh]

this is slightly better but not the hero we want or need. zeero knowledge proofs are improvement over uploading raw documents, trust is still an issue here. why should users have to authenticate with a government-backed identity wallet to access platforms to play games or access a website in the first place. we didnt have any of these guards in the 90s and early 2000s and everybody turned out just fine . in fact the average gen z is in a lot worse place than we used to be despite that we had complete raw algorithm supervision free access to the internet with far more disturbing content (remember ogrish and KaZaA)

The average person does not understand the math behind zero-knowledge proofs. They only see that state infrastructure is gatekeeping their web access. Furthermore, if the wallet relies on a centralized server for live revocation checks, the identity provider might still be able to log those authentication requests, effectively breaking anonymity at the state level.

On a practical level, this method verifies the presence of an authorized device rather than the actual human looking at the screen. Unless the wallet demands a live biometric scan for every single age check, they will simply bypass the system using a shared family computer or a parent's unlocked phone. We used to find our way around any sort of nanny software (remember net nanny)

what you are describing still remains a bubble and I really hope Americans aren't looking at EU for any sort of public policy directions here.

[SiempreViernes]

> we didnt have any of these guards in the 90s and early 2000s and everybody turned out just fine

One of the most highly valued tech companies of today makes a software that sometimes talks its user's into killing themselves. Some guy put "uwu notices bulge" on a bullet casing and shot Charlie Kirk: things turned out fine indeed.

[ajsnigrutin]

People killed both themselves and others way before the internet even existed.

Requiring everyone to show their id on every website will not change that. It will limit free speech though.

[stevenjgarner]

If the age verification is going to mandate government issued ID, the government issuer can be the Trust Anchor issuing a Digitally Signed Credential for the zero knowledge proof - using any available open source zero-knowledge process:

1) zkcreds-rs (zk-creds) [1]

2) zkLogin (Sui Foundation) [2]

3) TLSNotary [3]

4) DECO (Chainlink/Cornell) [4]

5) Anon-Aadhaar [5]

[1] https://github.com/rozbb/zkcreds-rs

[2] https://github.com/mystenlabs/sui/tree/main/sdk/zklogin

[3] https://github.com/tlsnotary/tlsn

[4] https://chain.link/education/zero-knowledge-proof-zkp#preser...

[5] https://github.com/anon-aadhaar/anon-aadhaar

[dahauns]

Apologies that I'm latching onto your post for visibility, but for the sake of discussion - the European Identity Digital Wallet project specification and standardisation process is in the open and lives on github (yeah, the irony isn't lost on me :) ):

https://github.com/eu-digital-identity-wallet

https://eudi.dev/latest/

Everything's very much WIP, but it aims to provide a detailed Archictecture and Reference Framework/Technical Specifications and a reference implementation as a guideline for national implementations:

https://github.com/eu-digital-identity-wallet/eudi-doc-archi...

https://github.com/eu-digital-identity-wallet/eudi-wallet-re...

https://github.com/eu-digital-identity-wallet/eudi-doc-stand...

You'll find several (still evolving) Technical Specifications regarding ZKPs (including a discussion area) in the latter.

[shevy-java]

> Jurisdictions that accept facial estimation as sufficient verification are not taking enforcement seriously in the first place.

Or they want to spy on people.

[dom96]

That's really awesome. I hope that soon we will also have humanity verification without sacrificing our anonymity.

With LLMs and paid actors wreaking havoc on social media I do think that social media needs pivot towards allowing only human users on it. I wrote about this here: https://blog.picheta.me/post/the-future-of-social-media-is-h...

[molszanski]

> work at a European identity wallet system that uses a zero knowledge proof age identification system

> derives an age attribute such as "over 18" from a passport or ID, without disclosing any other information

Well, as soon someone points their chinaphone camera on a passport, it is already over.

This whole setup is a nightmare fuel.

You want to check over 18? Fine, let adults set their kids devices in a "child" mode. Problem solved.

No need to create a stasi dreamland.

[nemomarx]

This is true, but I think it's more that those jurisdictions don't actually care about something solving this securely so much as they want face scans for other purposes?

[erremerre]

You mean that system that requires either to use an original unmodified Android phone, or a iOS phone and it does not work in absolutely anything else?

[antitoxic]

No it is open-source and portable to any platform you want. We currently support iOS and Android through Play store and F-droid, but that is just because most of the market is there at the moment.

[erremerre]

What about the "App and device verification based on Google Play Integrity API and Apple App Attestation" that was in the readme?

Was this discarded? Is it not necessary anymore? Can someone without writing their own implementation use the app without using any of those two?

[antitoxic]

I think we are talking about different things here. I think you are referencing the eu-digital-identity-wallet, which is a reference implementation. Our identity wallet precedes this wallet and never had this requirement.

[hellojesus]

What about devices without a hardware-based trusted computing module? Am I now limited to what hardware I can run before I even get to my custom software?

[budududuroiu]

> As long as you trust the government that gave out the ID

I'm a citizen of a European Union member, I trust my government to issue me an ID and use said ID in my interactions with the state, I do not trust my state with anything more than that.

[antitoxic]

That is exactly the trust I mean. You need to trust that country X gives out valid IDs. If you have sketchy company Y giving out IDs to everyone, you probably would not trust any attributes derived from that ID. If you trust that a country gives out valid IDs, you can trust the information derived from that ID. You do not really need to trust your government any more than that for this system to work.

[budududuroiu]

Ok, I will do my homework on the proposal of the EU Identity Wallet but from my skimming on topics about it, it the tokens derived from my ID would be able to de-anonymise me online.

[raxxorraxor]

What if the government also stores connection info of everyone?

[johnnyanmac]

You have a much more trustworthy government than mine, sadly.

[rat9988]

This part of trust was not about you trusting the government though so it is okay.

[eleveriven]

As soon as age-gated access depends on a government-issued credential, you're implicitly tying participation to state identity infrastructure

[gigel82]

Where can we learn more about your architecture?

Someone brought up the need for device attestation for trust purposes (to avoid token smuggling for example). That would surely defeat the purpose (and make things much much worse for freedom overall). If you have a solution that doesn't require device attestation, how does that solve the smuggling issue (are tokens time-gated, is there a limit to token generation, other things)?

[antitoxic]

We do not require an attestation and things like token smuggling is still a problem we need to solve. We have a system that prioritizes unlinkability. So an issuer cannot track the attribute they give you. And a verifier cannot link multiple disclosures with the same attribute. This privacy really helps things like token smuggling however. Time-gated tokens may increase the difficulty, but will probably not make it impossible. Making it illegal to verify someone else's qr codes could also help of course.

[chrishare]

It's this I believe: https://www.w3.org/TR/vc-data-model-2.0/

[gigel82]

A Verifiable Credential fundamentally doesn't solve the problem of "sharing", "smuggling". All it takes is one verified adult to "leak" their VC somewhere, and millions of underage people would be able to use it to "prove" they are over 18.

This would only work with something like MS TPM 2 / Apple Secure Enclave (device attestation), which is anti-freedom by design. I was curious if they found a way around that (maybe with time/rate limits, or some actual useful use of blockchain tech).

[Seattle3503]

You could use an oblivious pairwise pseudonym, and then you do not require hardware attestation. But that does essentially limit one ID to one account per service.

[blackqueeriroh]

Lmao how is the Secure Enclqve anti-freedom?

[gigel82]

Besides the privacy argument (the claim that the UID can't be used for tracking via derivation is shaky at best, and not much different than MS's EK), there is the freedom argument: as in, who owns the device - the user, or Apple?

If Apple can remotely lock the device that an user bought mistakenly (for example because some corporation somewhere fat-fingers some entries), that fundamentally means the user doesn't own the device they bought and paid for. Add on top DRM and all the other evil that comes along with attestation.

Plus, you can still disable TPM2 (if you don't want to run Windows on your machine), you can never disable Apple's implementation.

[hellojesus]

I'd like to add we are discussing communication over the internet. It is an open standard. I should be allowed to build my own pcb without a secure element and talk to anyone over http so long as I am abiding by the correct rfcs.

[tenthirtyam]

I would much prefer to see a ZK system that, by design, CANNOT reveal info neither to the website nor to the authority. e.g. in the new EU system, it is (afaik) conceivable that the ID authority could collude with social network providers, or with government or with police etc. That's not great IMO.

How about a system like Google Authenticator in which google knows nothing about which websites I'm logging into. Except, obviously, it'd have to be some kind of cryptographically signed response. e.g., website puts up a QR code (according to some standard) asking "is the user 18+", I scan with the phone, and the ID app, without accessing internet (like google authenticator) responds.

I suppose that might need a secure computing environment, so no rooted phone etc. But, of course, there's a simple workaround. Any adult can give their phone to a child. As long as that vulnerability is there, there's no such thing as a guarantee on the responses no matter what way you build it.

[orthogonal_cube]

I was working on a similar concept as a hobby project with PKI. The idea being that governments would have a digital registry with citizen information and issue a certificate to be stored in a Secure Enclave on a device.

When a client attempts to access an age-restricted URL, the server redirects to a custom URI scheme which begins a negotiation for requesting verification. The server signs a message and provides it to the client. The client verifies there’s not additional info or metadata before encrypting. It then forwards to the government server. The government server decrypts the message and signs a response. This goes back to the client which forwards to the server.

I haven’t fully ironed out all the details but got so far as nearly completing the server-client negotiation. The tricky part is ensuring each stage prevents MitM tampering while allowing the client to see what is in a request so that there’s no metadata which would allow a site to track the user, nor a government to track sites a user accesses.

[account42]

If the website and state want to collude to track the user they don't need to send any in-band metadata.

[viktorcode]

I have a few questions.

In that system does the age verification result come with some sort of ID linked to my government issued ID card? Say, if I delete my account on a platform after verifying and then create a new one, will the platform get the same ID in the second verification, allowing it to connect the two and track me? Or is this ID global, potentially allowing to track me through all platforms I verified my age on?

What a verification process looks like from the user perspective? Do I have to, as it happens now, pull out my phone, use it as a card reader (because I don't have a dedicated NFC device on my computer), enter the pin, and then I'll be verified on my computer so I can start browsing social media feed? Or, perhaps, you guys have come up with a simpler mechanism?

[antitoxic]

The wallet ecosystem is still really varied at the moment. Our implementation is unlinkable. So an issuer cannot track where you use the attribute. And a verifier cannot see that you've used the same attribute multiple times with their system. This is great for privacy and tracking protection, but not so great for other things. For example, people sending their QR codes to other people with the correct attribute (like maybe an underage person sending an 18+ check to an adult), is hard to solve for because they are unlinkable.

Most systems right now have you load data in your phone. Then when a check happens, you scan a QR code. You then get a screen on your phone saying X wants to know Y and Z about you, do you want to share this information? Then you just choose yes or no.

For your social media example. You would just get a QR code on your pc, then pull out your phone, scan and verify, then start browsing social media on your pc.

[myrion]

In the Swiss system, it depends on what they verified. If they required your full ID, that has a document number like a passport and they could track that.

If they did the right thing and only asked for the over 18 bit, then they wouldn't have a trackable identifier.

[Seattle3503]

You are describing a situation where a pairwise pseudonymous identifier is generated. I don't think any real system does this with government IDs, but it might be possible.

[miki123211]

I think there's a tradeoff triangle here, not dissimilar to Zooko's triangle or the CAP theorem, where the three aspects are age verification, privacy, and the freedom to run custom software on devices of your choosing.

You can have no system at all, which gives you freedom and privacy, but not age verification. You can have ID uploads, which give you age verification and freedom, but not privacy. You can have a ZKP-based system, which gives you age verification and privacy, but not freedom. This is because you need a way to prevent one unscrupulous ID owner from issuing millions of valid assertions for any interested user.

[yard2010]

In Amsterdam 1850 the municipality kept track of people's names, address, age, gender and religion (bevolkingsregister). It meant nothing at this time, but 90 years later the Nazi used these lists to murder jewish people going house by house. Thanks for the partisans setting this archive ablaze, life were saved.

I'm not saying it's right or wrong, you tell me, I just want to point at this random timeline.

[nicbou]

I shudder when I think of how effective the Stasi would have been in the digital age. The only thing checking them was the labour demands of surveillance.

[elric]

When Trump came into power a second time, and the ICE-nazification became apparent, I reached out to my government and asked them what they were doing to make it harder for "Trumpism" to happen here. No reply. Just crickets.

Hoovering up less data would be a really fucking good start. There's something about babies and bathwater, but by god this has proven to be very dangerous bathwater time and time again.

[nicbou]

Immigrants do not have an ID for up to a few years when they move to Germany. Just this week the Berlin immigration office stopped issuing plastic residence cards for budget reasons, so people get a sticker in their passport.

Passport recognition is also spotty. The ID verification providers used by banks do not recognise Indian passports.

Will we exclude a few million people because it’s too expensive to verify that they are over 18?

Add this to “falsehoods programmers believe about ID verification”.

[egorfine]

> Will we exclude a few million people because it’s too expensive to verify that they are over 18?

Yes. We absolutely will. KYC services is something that no one wants and everyone hates, thus there is no motivation to make it better. And if any, "better" might mean more invasive, because that means more data to mine and sell.

So, sure, excluding millions of people from KYC because it's cheaper to reject them than it is to study their documents - is the right decision business wise.

I am speaking as a person in the very same position.

[dahauns]

In Austria you don't need an Austrian passport/Personalausweis for a Digital ID registration. Your original passport (or equivalent) in combination with a certificate of residence, student permit or similar is fine.

[puchatek]

No, we will exclude a few people because Germany doesn't have its shit together when it comes to digital stuff. Then hopefully people will complain and things will improve.

[Terretta]

Not only EU -- Digital ID on iPhone does this today, and is accepted by many USA airports for travel, etc., with rollout for DLs.

[blackqueeriroh]

Huh?

[Vinnl]

One question I have, that perhaps you might be able to answer (though I see you've gotten too many replies to this comment already): I'm aware of a number of such systems being developed, and "is over 18" is always the example given.

Are there, say, two other potential use cases that anyone has come up with yet?

[dogcomplex]

Correct. A ZK Proof backed identity system is a significant bump up in both privacy and security to even what we have right now.

Everyone does realize we're being constantly tracked by telemetry, right?

A proper ZK economy would mitigate the vast majority of that tracking (by taking away any excuse for those in power to do so under the guise of "security") and create a market for truly-secure hardware devices, while still keeping the whole world at maximal security and about as close to theoretical optimum privacy as you're going to get. We could literally blanket the streets with cameras (as if they aren't already) and still have guarantees we're not being tracked or stored on any unless we violate explicit rules we pre-agree to and are enforceable by our lawyers. ZK makes explicit data custody rules the norm, rather than it all just flowing up to whatever behemoth silently owns us all.

[nubg]

Explain how the plastering of streets with cameras can be done in a privacy-preserving way?

[andrepd]

Well it could. Laws that simply ban any public-facing camera from doing anything except write to encrypted storage, which can only be opened with a court warrant.

I know laws are boring and tech is exciting, but sometimes there's no technological solution to a societal problem. Good old laws, police, fines, prison, is all you need.

[vaylian]

First let me clearly state that I appreciate the amount of thought you guys are putting into creating better systems that have high privacy guarantees. I concede to you, that in some situations, your system leads to better privacy.

But I don't look at this on a purely technological level. These identity-based systems are instruments of control. Right now everything is still in flux with how these tools will be used and how accessible they are to the general population and the many minorities therein. I simply don't trust our politicians to do the right thing short-term and long-term. The establishment of the GDPR has been a major victory for better privacy legislation and now the Commission wants to hollow it out. The Commission also wants chat control to increase the amount of mass surveillance in Europe.

There is a potential future, where we all win. But I am highly skeptical, that in the current political climate, we will end up there.

[ceramati]

This is really cool and I want it for inter-government identification. Eg country B can check a ZK proof that I'm a citizen of country A, allowed to drive, not a criminal, have a degree, etx

[wolvoleo]

I just don't want to have to ID myself at every corner of the internet. Whether the site receives my details or not.

I've heard they even want to mandate periodic re-checks now which is insane. The internet should remain free.

Besides, if parents don't want to give access to social media they can just not give their kids a phone, or just use the many parental control features available on it. Every phone has this these days.

And even if the government wants to ban this stuff for all kids (which I would not agree with but ok I don't have kids so I don't really care and parents do seem to want this), they don't have to enforce it this way. They can just make the parents liable if the kids are found to have access.

To me this is just another attempt at internet censorship and control.

[nialv7]

ZK proof can't solve the TOCTOU problem.

[eimrine]

What is wrong with inactive accounts, why do they need to be deleted?

[puchatek]

This is the way. It annoys me to no end when e.g. the German chancellor demands clearnames in social media. The real issue are bots and algorithmically enhanced reach. Proof of personhood in a privacy-preserving way is enough to fix this. But it should be mandatory for social media in the EU. You don't need to expose people to the doxxing mob to protect our democracy.

Tbh, when I read that "platforms face a choice between excluding lawful users and monitoring everyone." I don't have much understanding.

No gov. ID, no participation. It's not like you cannot go outside and talk to people anymore so let's not pretend that being on insta is some sort of universal human right and anybody barred from it is some sort of terrible tragedy.

[sunaookami]

No one would be foolish enough to trust their government nor the EU. You should be ashamed of working for such "people". Thanks for helping implementing a surveillance state.

[defrost]

You don't have to trust your government to employ them, the key is to bake in and maintain rigorous checks and balances, demand transparency, routinely audit and fire people for corruption, etc.

[raxxorraxor]

For me it is disqualified for usage because I need to buy into a Google or Apple ecosystem. At least the reference implementation does. This is just the next level of enshitification. And no, I don't need a digital blockwart at all.

And I have zero illusion privacy is compromised, it is trivial to identify devices these days, so it doesn't even work technically.

Next sentence we hear some empty bickering about digital sovereignty. This is all bullshit.

[antitoxic]

We support F-droid, so you could get a degoogled android version and use that to load the app on your phone. The app could also be ported to other platforms, but right now there is really no market for it.

[raxxorraxor]

That sill forces me into a Google ecosystem. F-Droid is better than the Play Store, but issues remain.

There is certainly a market for desktop OS as well. This creates a market for freedom.gov, shady as it is.

[deaux]

Good luck finding the single government in the world that actually wants that, rather than it being a pretext for control that is too sweet to pass up. If you manage to find them, post an article on HN about it as top places to move to.

The system you're describing is good for the masses, not for those with power.

[HeartofCPU]

> As long as you trust the government…

You should never trust the government

[padjo]

The requirement to use google or apple services is a deal breaker. If I can't verify my age using an EU wallet without having an account with a US tech company what is the point of any of this?

[brunoborges]

Yeah, but how to convince investors that trusting the government-issued ID is good enough? /s