Hacker News
by palata 48 days ago
Reading the comments here, I see a lot of criticism along the lines of "age verification doesn't work, it's completely stupid".

I believe it is counter-productive, because "not having age verification" is a lost battle. Unlike E2EE (where it is impossible to give access "only to the good guys"), it is possible to implement age verification in a privacy-preserving manner. And look at the ChatControl fight: even though it is not possible, we are still struggling to convince politicians of it. Good luck with age verification where it is actually possible to do something.

It should be a public service: just like the government issues IDs already, it should run the privacy-preserving system that allows citizens to prove their age. We should fight for that, otherwise we will get non-privacy-preserving systems managed by private companies (which is already starting).

3 comments

I'm writing my (Canadian) MP to this effect.

There are a lot of issues with the UK approach. Privacy is a big one. But requiring this on every service is both a tax on the service and requires constantly authorizing stuff. That opens up the possibility for scams, data misuse, etc.

And no, saying we said to only use the data for verification clearly doesn't work. It didn't work for Discord, or Persona, or Tea or AU10TIX or any others. Verification now means sharing that data with credit agencies and third party databases. Verification means keeping some data to resolve customer support disputes. There's data leakage for training and creating derived data products like biometric embeddings for future use.

Third party verification is a security nightmare.

I don't know why device-based approvals and controls aren't considered at all. Or really any privacy-preserving technique.

And all this for ~54% efficacy?

There is no such thing as privacy protecting or anonymous age verification. If you tell Canadian that such a thing is possible, they are guaranteed to harm privacy with any legislation they propose. Just tell them no.

> There is no such thing as privacy protecting or anonymous age verification

There most definitely is privacy-protecting age verification. You go to a government office, you show your ID, they give you a piece of paper that officially says "over 18 years old". Now you have a piece of paper that says you're over 18 but doesn't say who you are, and the government won't know where you use it.

On the Internet, the idea is the same, but with cryptography.

There is: a dumb header flag sent by the browser that attests to the user being in an age group.

Fakeable? Sure. Fakeable by an average 13-16 year old on a parental locked device? No.

By privacy-preserving, we usually mean that you get some kind of cryptographic token from an entity that knows who you are (and can attest that you are above age), and that token is anonymous, so when you use it to access a random service, that service cannot extract information about you from the token, except that you are above age.

It is possible, it just had to be implemented properly. We could complain about politicians not understanding that, of course. But if you spend 5 minutes reading complaints about age verification, you will see that nobody cares about understanding... if the people don't care, why would the politicians?

That won't happen. Because the intent of the people pushing for "age verification" has nothing to do with the "think about the children" moral panic. It has to do with eliminating encryption and eliminating online anonymity. It is a dog whistle.

https://en.wikipedia.org/wiki/Dog_whistle_(politics)#

https://rationalwiki.org/wiki/Code_word

https://en.wikipedia.org/wiki/Moral_panic

I disagree. Maybe that's the intent of some people.

Now go in the street and ask random people: "if there was a safe way to protect your children from accessing XYZ on the internet, do you think it would be a good thing?".

Clearly one very real problem for parents right now is that if all the other kids do it, then it's hard to prevent your kid from doing it ("everybody is on TikTok, they make fun of me because I have no clue what's happening there"). If you can prevent most of them from accessing the service, then suddenly it becomes normal for kids not to use it.

To date I haven't seen an implementation that preserves privacy and doesn't allow for easy bypass because person A generated infinite tokens and hands them out via a REST request.

I have seen implementations that preserve privacy. But fundamentally it means that an adult could give a token to a kid, as you say. But how bad is that? We don't need a perfect system, we just need it to be good enough that it prevents most kids from accessing stuff they shouldn't access. Some kids will always find a way anyway.

A simple solution to "generate infinite token and hands them out via a rest request" could be one of:

* Rate-limit the token generation. Nobody needs thousands per day, right?

* Make it illegal to distribute tokens. The server sees if you request an abnormal amount of tokens, and... it knows who you are. Not too hard to investigate.

* Make "honeypots" that scare the children when they try to access/buy the token.

I don't think it makes the concept completely useless.

But you can't preserve privacy while rate-limiting token generation unless you have a way of identifying someone, which could be as simple as requiring an account.

And even if it's illegal to hand them out, it's not hard to set up a tor site to do it. I would be first in line to counter the state with such an implementation if this is the path we tread.

I think you misunderstand what "privacy-preserving" means here. The whole point is that they CAN identify you (to verify your age), but in... well a privacy-preserving manner :-).

That is, one side knows who you are, but not what you do; the other side knows what you do, not who you are.

> And even if it's illegal to hand them out, it's not hard to set up a tor site to do it.

If a kid can use Tor to get a token, they most certainly can download with torrent or use a VPN to bypass the verification. But again, it doesn't have to be perfect, it just has to be effective for enough kids.

> I would be first in line to counter the state with such an implementation if this is the path we tread.

In a functioning democracy, people should vote instead of vandalising stuff. In a non-functional democracy, I guess don't complain if someone burns your car "to counter the state" some day if you think like this.

My point is that we should fight for privacy-preserving solutions. And the first step is to get informed about whether or not it is possible to verify the age in a privacy-preserving manner. Not to prepare for vandalism.

> The whole point is that they CAN identify you (to verify your age), but in... well a privacy-preserving manner :-).

But how can this be done so that the site and ID verifier can't collude on a backchannel to unmask you?

> In a non-functional democracy, I guess don't complain if someone burns your car "to counter the state" some day if you think like this.

I don't advocate for destroying private property. Sharing tokens doesn't destroy property or IP/copyright.

> But how can this be done so that the site and ID verifier can't collude on a backchannel to unmask you?

Now we're talking :-). Look at Privacy Pass, it's interesting!

If you like RFCs, it's here: https://www.rfc-editor.org/rfc/rfc9576.html

Kagi has a nice explanation here: https://help.kagi.com/kagi/privacy/how-does-privacy-pass-wor...
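
Added example, not part of the thread or of any project linked in it: a textbook RSA blind signature showing the split discussed above, where the issuer knows who you are and can rate-limit per identity, the site only checks a signature, and the two cannot link their records even if they collude. The key is a toy, and `Issuer`, `Origin`, `get_token` and `linking_factor` are hypothetical names; this is the underlying idea, not the RFC 9576 wire protocol.

```python
import hashlib, secrets

# Toy issuer RSA key (two Mersenne primes): illustration only, not a real key size.
P, Q, E = 2**89 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent, held by the issuer only

def h(nonce: bytes) -> int:
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big") % N

def blind(nonce: bytes):
    r = secrets.randbelow(N - 2) + 2         # blinding factor, known only to the client
    return h(nonce) * pow(r, E, N) % N, r

def unblind(blind_sig: int, r: int) -> int:
    return blind_sig * pow(r, -1, N) % N     # leaves h(nonce)^D, a plain RSA signature

class Issuer:
    """Knows who you are (and your age); never sees the token you later spend."""
    def __init__(self, quota: int):
        self.quota, self.count, self.log = quota, {}, []
    def issue(self, citizen_id: str, blinded: int) -> int:
        if self.count.get(citizen_id, 0) >= self.quota:
            raise PermissionError("token quota exceeded")   # rate limit by identity
        self.count[citizen_id] = self.count.get(citizen_id, 0) + 1
        blind_sig = pow(blinded, D, N)
        self.log.append((citizen_id, blinded, blind_sig))   # everything the issuer saw
        return blind_sig

class Origin:
    """Sees what you do and checks the issuer's signature; never learns who you are."""
    def __init__(self):
        self.spent = set()
    def redeem(self, nonce: bytes, sig: int) -> bool:
        if pow(sig, E, N) != h(nonce) or nonce in self.spent:
            return False
        self.spent.add(nonce)                               # one token, one use
        return True

def get_token(issuer: Issuer, citizen_id: str):
    nonce = secrets.token_bytes(32)
    blinded, r = blind(nonce)
    return nonce, unblind(issuer.issue(citizen_id, blinded), r)

def linking_factor(blinded: int, nonce: bytes) -> int:
    # Even with the private key, colluders find an r' that maps ANY issuance onto ANY
    # token, so the issuer's log says nothing about which citizen holds which token.
    return pow(blinded * pow(h(nonce), -1, N) % N, D, N)
```

The quota only bounds how many tokens one identity can obtain; it does not stop an adult from handing a valid token to someone else, which is the trade-off the thread debates.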