by bpfrh 37 days ago
Really, how?

At some point someone will need to issue a key, which at some point will need to be verified against known good signatures.

These signatures will also need to be kept in case of lawsuits/enforcement, so if somebody gets access they will know you visited that site.

11 comments

The trick is to define "privacy-preserving age verification" in an extremely narrow way that ignores any other privacy concerns.

For example, imagine you put the same private key into the 'secure element' of every single iphone. You use code signing so that key is only unlocked when the phone is running unmodified iOS with all security updates. You use encryption and remote attestation for the front-facing camera and face id depth sensor. You use NFC to read government-authenticated age and appearance data from biometric passport chips (or digital ID cards) and you store it on-device.

Then, when you want to access pornhub, they send an age challenge to your device, your device makes sure your face matches the stored passport, and if so it signs the challenge with the private key.

Pornhub gets an Apple-signed attestation of age - but because every phone signs challenges with the same private key, Pornhub can't link it to a particular phone or identity document.

So in a very narrow sense, privacy is preserved.

You can't use someone else's ID, as it checks your face every time. You can't fool it with a photo of the person because of the depth sensor. You can't MITM/replay the camera/depth data because the link is encrypted. You can't substitute software that skips the check with a rooted phone because of the code signing. Security holes can be closed by just pushing a mandatory OS update.

Sure, it doesn't work on PCs. Doesn't work on Linux, or on unlocked/rooted phones. It hands users' government ID documents over to Google and Apple. It requires people to carry foreign-made, battery powered, network connected GPS trackers (with cameras, microphones and speech recognition) with them. And there are non-negotiable terms of service everyone must agree to. But if you define "privacy-preserving" to ignore all that stuff and only consider whether Pornhub learns your identity, it's privacy-preserving.

All so kids can't access PornHub?

Jesus Christ.

14 year old me ran into porn on the internet all the time. It didn't turn me into a serial killer.

Meanwhile we let kids have exposure to algorithms that pervert their sense of self worth, get them addicted to dopamine and gambling, and make them feel inferior to their peers.

We have the wrong priorities as a society.

And this bullshit is going to turn us into a completely tracked, monitored, controlled bunch of cattle.

We're building 1984 and we're happy about it.

Dude, a big reason for age verification is to prevent kids from accessing those "algorithms" you describe.

They will always be able to access porn, e.g. over torrent. It will just be a little less accessible, and maybe it won't hurt.

"Think of the children" is the stated reason but not the actual reason. We've seen this pattern so many times that it's perplexing that people continue to fall for it.

If the children were the actual reason there are much less invasive solutions that enable reliable parental controls such as mandating self classification of content and fining service operators for inaccuracies.

Think for yourself and consider what the possible ulterior motives might be.

What is perplexing is that people still don't realise that it is possible to do age verification in a privacy-preserving manner.

> Think for yourself and consider what the possible ulterior motives might be.

Sure, and in the meantime try to think and read about how privacy-preserving age verification actually works.

> Sure, and in the meantime try to think and read about how privacy-preserving age verification actually works.

This requires you build a whole apparatus around controlling what people can see, say, and do.

The concept of "slippery slope" is often called a logical fallacy, but in reality it's more than often not a fallacy at all. It's the manner in which you boil the frog.

I think it's something like over 50% of adults do not have kids now. Why should we put the majority of people - for the majority of their lives - at risk for a mere 20% of the population to "not see boobs", when good parenting will suffice?

Let's not put a cage around our freedoms. Let's ask parents to be more responsible. In the edge cases where that isn't sufficient, is that really as bad as what could happen to all of our liberties should we go down that path?

We're burning down the whole village because someone saw a cockroach.

That key will get leaked. A key that has to go into every phone, even if done at the manufacturer and onto the TPM chip, will get out.

Also even if it doesn't get leaked directly, the security of TPM chips is not absolute. Secrets from them can theoretically be extracted given an attacker with sufficient means and motivation. Normally nothing that's on a typical TPM chip would warrant a project of that magnitude, but a widely used private key can change that equation.

Plus a TPM chip doesn't really have means to tell the phone isn't being lied to. You could swap out the actual phone camera hardware and sensors for a custom board that feeds the entire phone camera data of your choosing and it would be none-the-wiser.

> That key will get leaked.

Maybe? But biometric passports, chip-and-pin payment cards and SIM cards seem to do reasonably well. And Apple can always push out a mandatory software update that rotates the key, if they need to.

> You could swap out the actual phone camera hardware and sensors for a custom board that feeds the entire phone camera data of your choosing and it would be none-the-wiser.

Apple's 'TrueDepth' cameras are serialised and paired with the rest of the device. The touch ID sensors were before that too.

I don't know the precise details, but reports from people trying to repair devices independently of Apple are that the phone is very much the wiser.

e.g. https://support.apple.com/en-gb/120567 https://www.reddit.com/r/iphonehelp/comments/1dl38kq/iphone_...

> Apple's 'TrueDepth' cameras are serialised and paired with the rest of the device. The touch ID sensors were before that too.

That prevents trying to swap the module, but doesn't prevent swapping out the sensor on the module itself.

There is no reason to talk about that system: it's nonsense. It's like inventing a bad encryption protocol and discussing why it is bad.

Better learn about the good one, but I guess it's harder than making up nonsense.

OR:

The website sends a request for age verification.

The app[1] on the user's device[2] forwards that request to the chip on the user's ID card. The user authorizes themselves with their 6 digit PIN stored on the card.

The chip produces a signed reply containing the following payload fields: `issuing_country:string` and `over_18:bool`

[1] https://github.com/Governikus/AusweisApp

[2] iPhone, Android, Windows, MacOS, Linux or FreeBSD

What happens when I set up a tor hidden service that (in conjunction with some client software) stands in for a visitor's device and will proxy any requests back to my personal card? After all the payloads are anonymous so what's the risk to me?

To prevent this sort of abuse, the server would have to request the `pseudonym` field, which contains a hash across the server identity and the card's secret salt, allowing the server to detect abuse but not to track the user across multiple services.

It's probably even simpler than that: say normal users make a few requests once in a while (because they don't need thousands of tokens every day), and one user makes a ton of requests, then it is an indication that this user may be abusing the system.

It would probably be possible to use the service that the parent is suggesting and try to link it to requests to the server based on timing. But I don't even know if anyone would bother trying to identify the OP: probably it would just be enough to rate-limit the requests.

As always: it's easy to criticise, harder to actually get it right.

Wait what? All the time you spent writing that nonsense could have been invested in reading about how it actually works.

Parental controls on device are a better solution that work today and don't carry a risk of data breach.

Parental controls are intentionally gimped. They do the bare minimum while providing more than enough wiggle room for a tech savvy teenager. To implement a robust parental control scheme you need network level filtration which isn't something the average parent will know anything about.

I disagree with that, because the teenager should be the parent's responsibility, regardless of how smart or savvy they are. Parents should be talking to their children, communicating what their and society's expectations are. If the parents are attempting to exert technical control over their children, by home router for example, there should be websites or computer shops they can go to. If the parents don't care or are not smart enough to keep up with their teenager, then no type of state mandated gimmick will either.

Teenagers at that level of intelligence, or who are that determined, will find ways to circumvent whatever control mechanisms a parent or school is attempting to use. At some point, it is a matter of the teenager respecting their parents and rules. Same for if you told a teenager do not drink and drive. You can set up all kinds of technical barriers to block drunk teenagers from driving, but if they are that "smart", those committed to bad behavior or law breaking will find ways.

But again: if all the kids are on social media, is it enough for "good parent" to tell their kid that they should not go there?

From what I remember from being a kid myself, it definitely is not.

They would be a solution if almost all parents used them, but parents don't want to socially isolate their kids since a lot of "social" activity is now on social media. It's kind of a prisoner's dilemma.

They're not necessarily wrong. Despite the vapid and damaging nature of most popular online media, isolating a child from it might have even worse social consequences when their real-life peer groups discover that they're not on social media or that their parents have neutered their phone. Some kids would turn out fine after that. Others would be socially destroyed for life (maybe with the right therapy they could become well-adjusted, but high quality therapy is rare).

> They would be a solution if almost all parents used them

No, they are a solution for parents who want to use them, and that's all they should be. Their existence demonstrates that it's possible to handle this without regulation, other than the desire of some people to inflict their preferences onto other people's kids.

You haven't tried to use parental controls much, have you? They are all terrible. They are insanely difficult to get set up properly and even when you do there are a lot of tradeoffs that come with it.

> even when you do there are a lot of tradeoffs that come with it

Absolutely, but those are nothing compared to the tradeoffs of putting attestation or identity verification (sometimes incorrectly described as "age" verification) on numerous sites and inflicting them on everyone.

> but those are nothing compared to the tradeoffs

And my whole point is that it's possible to do age verification in a privacy-preserving manner, and before complaining about the tradeoffs, you should get informed about what they are.

Parental controls can set browsers in "child mode" where the browser sends an "I am a child" header to the server and social networks etc. need to honour it. This has existed for twelve years already: https://blog.mozilla.org/netpolicy/2014/07/22/prefersafe-mak... . It can probably be amended with a more granular set of levels, but that would be the best way forward.

The problem of "parents are negligent" is also solved by existing laws which have fines for parents who are negligent towards their children, and governments absolutely love collecting fines, so all the incentives are properly aligned.

I should not have to surrender my anonymity because parents are too lazy to set up parental controls.

And it's possible to do age verification in a privacy-preserving manner. I'm tired of repeating it, people should get informed before they complain.

We could totally discuss whether or not privacy-preserving age verification is a good thing. But we can't, because most people can't be arsed to read about what age verification implies, and complain about something that is fundamentally wrong (i.e. that they would have to surrender their anonymity).

How about we just ban entirely the harmful social media that we would need to attach all our IDs to our internet activity in order to protect the children? Very strange that that's not part of the discussion!

Because privacy-preserving age verification is less extreme than banning them entirely. It should be strictly easier to get it accepted.

Except that people can't read for 5min and understand that age verification can be done in a privacy preserving manner.

Zero knowledge proofs don't carry a risk of data breach, because they are zero knowledge.

Your privacy has to be violated in order to receive the easily trackable ZKP tokens.

> Your privacy has to be violated

No.

> the easily trackable ZKP tokens

If it's easily trackable, it's not ZK.

Are they a better solution? Yes

Do they work currently? Not really

Are they too complex for the avg Joe to work out? Unfortunately yes. (Something about the smartest bears and the dumbest humans)

Joe can walk into an Apple store (or wherever they purchased the device) and ask them to enable parental controls on it. We have people whose job it is to service computers and phones, they have been around for more than half a century. I am pretty sure most Joes don't service their cars either, yet they keep them road legal by visiting trained mechanics.

As long as Joe has the right to vote, which is something more important and more complex, we cannot complain that parental control is too complex.

It doesn't provide 100% privacy from everyone, but it does provide privacy from the web service: A worker at a physical store checks your ID, and if it says you are 18, they hand you a token with a unique key on it, which they have a stack of behind the counter. You put the unique key into the web service. It's not necessarily one time use, but if you don't want to risk correlation, you can use each one only once. It's just like alcohol sales, and has all the same failure modes as alcohol sales, but if it's good enough for alcohol sales it's good enough for web services.

Well it probably needs a bit more complexity to avoid being trivially broken. Codes are one time use; the service has them attested by the token provider behind the scenes, and the provider is in turn under contract with the government. Tokens are also activated at the point of purchase similar to gift cards in order to prevent bulk theft and resale. A law in the vein of HIPAA prevents collusion between the retail establishment and the token provider.

People, you have to read about zero knowledge proofs. Look at e.g. Privacy Pass.

> A law in the vein of HIPAA prevents collusion

No need if you use cryptography. This thing that, you know, works well for encrypting stuff? Spoiler: it can be used for age verification.

>> A law in the vein of HIPAA prevents collusion
>
> No need if you use cryptography.

True for age verification, but not true in general. If you have something that can be used illegally, it's very handy to allow firms to rent / hire it out anyway but make the hirer responsible for any illegal activity.

An example is hiring a car, and the car is used to ram-raid a shop. Today this is solved by handing over a government ID to the rental company. Commit a crime in the car and they hand that over to police, but it has the sad side effect of handing over information to the car rental they can use to track you, and worse sell to others.

Using a zero knowledge proof for a valid driver's licence fixes the privacy problem, but at the expense of the hire company not being able to transfer responsibility for illegal activity onto the hirer. I suspect if that happened no one would hire out cars any more.

You can easily design something that is Zero Knowledge to the car hire firm, but includes an opaque token they can hand over to the government on lawful demand. It contains all the details needed to pursue the law breaking hirer. Thus there is still a role for the law here - you can't always do everything with crypto.

This is a very minor quibble - I agree completely with what I think is your main point. This Google change is a privacy disaster. It's a step towards an enshittified internet with the gateways onto it controlled by a few big tech firms.

But I don't think just yelling "just use ZK" is helpful. It's much harder than that - ZK is only part of the puzzle. Passkeys are currently caught up in the same attestation trap, and there is no workable solution in the offing. Banks and other high trust applications need some assurance your FIDO private key is being handled securely. The solutions on the table are Apple not doing attestation, or Google who does at the low low price of selling your true name to Google. Both "solutions" suck, horribly.

ZK proofs of things like licences and age have to solve the attestation problem, and solve extra stuff as well. I'm not holding my breath.

> But I don't think just yelling "just use ZK" is helpful.

Agreed. I am just very frustrated, because I feel it is an important topic. And I wish I saw adult discussions about it. And instead, people who claim to be "tech-savvy" keep whining about the fact that it will fundamentally leak their ID everywhere. Like they somehow understood the point for E2EE, and repeat it here confidently. If tech-savvy people can't be bothered to understand how this works, why should politicians?

I have the same frustration with the anti-5G crowd yelling that it will boil your blood. There are many valid reasons to criticise 5G and have a constructive debate, but they choose to be wrong anyway.

> If tech-savvy people can't be bothered to understand how this works

You underestimate your own abilities. Tech savvy doesn't mean they think much about crypto.

To get a feel for this I asked Gemini "If you were to survey a group of people who would be called "Tech Savvy", what percentage of them would be aware you could construct a zero knowledge proof for a person's age that revealed nothing beyond they were older than a given threshold?". The answer was 5%..10%. That rises to a surprisingly low 20%..30% for Software Engineers. It's only once you get to Software Engineers who write security systems that you get above 50%.

Gemini didn't give any references so those figures could be complete rubbish, but in my experience they seem on the high side. Many very experienced engineers I interact with clearly have not thought very deeply about how crypto systems interact with human trust. Granted understanding the implications of crypto is yet another step beyond understanding the maths, but I'm amazed at how many technology curious people haven't bothered to take that step.

The good pollies on the other hand probably have a very good intuitive feel for human trust systems and how to navigate them. They rely on engineers to tell them what is possible of course, and they won't care about the details. But what they will care about is whether the engineers can deliver the system they promised, and there I have to admit our track record is appalling. How many government IT initiatives have you seen deliver what was promised on time and on budget? So when you tell them you can build a ZK system that delivers in all these privacy promises, expect a very sceptical reception.

You can prove your signature is from a key which is a member of an acceptable set without revealing which one. These schemes can also prevent excessive reuse, e.g. by you also proving that some linked value is a hashlike function of your private key, the date, and the domain, so if you sign multiple times for the same site in the same day your uses are linked, so someone can't just toss up an oracle that gives endless authentications.

Such systems are deployed in production by privacy preserving cryptocurrencies as it's the same problem: Prove you're spending a coin that exists without revealing information about which one, and prove that you're not spending it multiple times.

Less private but easier to implement is just simple blind signing. Site asks you to give them a signature of their domain name, your account name, and date. You blind the data using a random number, go to google and identify yourself (e.g. solve a CAPTCHA, check your mobile device, age verify, whatever) and ask them to sign the blinded value-- they rate limit you and give you a signature. You unblind and provide to the site. Now the site knows you passed the google rate limit but nothing else, but google never learns what site you authenticated to.

The blindsigning approach is kinda lame because it requires active communication with a third party that learns you're online and authenticating to stuff. So I think it's generally less preferred but the cryptography is hardly any more complicated than an ordinary digital signature.
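
The blind-signing flow described in the comment above, as an added example that is not part of the original thread: textbook RSA blinding with a constructed toy key (two publicly known Mersenne primes, not secure) and a hypothetical `Signer` class standing in for the identity provider. Production designs use a padded scheme such as RFC 9474 rather than raw RSA.

```python
import hashlib
import math
import secrets

# Constructed toy key built from two public Mersenne primes: NOT secure.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # signer's private exponent


def digest(domain, account, date):
    """What the site asks to have signed: its domain, the account name, the date."""
    data = f"{domain}|{account}|{date}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def blind(m):
    """User side: hide m behind a random factor r before contacting the signer."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return m * pow(r, E, N) % N, r


class Signer:
    """Hypothetical identity provider: knows who asks, never sees what is signed."""

    def __init__(self, daily_limit=3):
        self.daily_limit = daily_limit
        self.issued = {}   # (user, date) -> signatures handed out
        self.seen = []     # every value the signer observed (for inspection)

    def sign_blinded(self, user, date, blinded):
        key = (user, date)
        if self.issued.get(key, 0) >= self.daily_limit:
            raise PermissionError("rate limit exceeded")
        self.issued[key] = self.issued.get(key, 0) + 1
        self.seen.append(blinded)
        return pow(blinded, D, N)


def unblind(blinded_sig, r):
    """User side: strip r to obtain an ordinary signature on m."""
    return blinded_sig * pow(r, -1, N) % N


def verify(m, sig):
    """Site side: checks the signer's public key only; learns nothing about the user."""
    return pow(sig, E, N) == m
```

The signer's log (`seen`) holds only blinded values, so it cannot tell which site or account a signature was for, while the per-user counter still enforces the rate limit.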

Ring cryptography does this - given a public key and a set of private keys you can attest that one of the keys signed it but not which one. This lets both Google and you generate a signature and say “this is attested”, without the person verifying it knowing _who_ signed it.

You likely need one other step beyond a plain ring signature, often called a linkable ring signature. If you use only a plain ring signature I could get one authenticated key and set up a site that gives away an unlimited number of access tokens with it, and you can't identify which key is doing so in order to kick it out.

A linkable ring signature lets you correlate multiple usage but only if they share a common 'context value'. Intelligent selection of the context value results in abusive use inevitably sharing a context so you can exclude or rate limit it, but honest use tends to not share a context so the privacy is preserved.
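
A linkable ring signature with a context-bound tag, as discussed in the comments above, sketched as an added example (not code from the thread or from any deployed system). It is an LSAG-style construction over a toy 64-bit group generated at import; the names `context_base` and `admit` and the `domain|date` context format are assumptions.

```python
import hashlib, secrets

def _is_prime(n):
    """Miller-Rabin; these 13 bases are deterministic far beyond 2**65."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _toy_group():
    # First safe prime P = 2Q + 1 with Q > 2**63: toy size, not secure.
    q = 2**63 + 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = _toy_group()
G = 4  # a square mod P, so it generates the subgroup of prime order Q

def _h(*parts):
    data = "|".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def context_base(context):
    """Hash the context (e.g. 'domain|date') to a subgroup element."""
    return pow(2 + _h("base", context) % (P - 3), 2, P)

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def sign(msg, context, ring, s, x):
    """Sign as ring[s] with secret x; tag = base(context)**x links reuse."""
    n, h = len(ring), context_base(context)
    tag, u = pow(h, x, P), secrets.randbelow(Q)
    c, r = [0] * n, [0] * n
    i = (s + 1) % n
    c[i] = _h(ring, tag, msg, pow(G, u, P), pow(h, u, P)) % Q
    while i != s:  # simulate every other ring member
        r[i] = secrets.randbelow(Q)
        z1 = pow(G, r[i], P) * pow(ring[i], c[i], P) % P
        z2 = pow(h, r[i], P) * pow(tag, c[i], P) % P
        i = (i + 1) % n
        c[i] = _h(ring, tag, msg, z1, z2) % Q
    r[s] = (u - x * c[s]) % Q  # close the ring with the real key
    return c[0], r, tag

def verify(msg, context, ring, sig):
    c0, r, tag = sig
    h = context_base(context)
    if len(r) != len(ring) or pow(tag, Q, P) != 1:
        return False
    c = c0
    for y, ri in zip(ring, r):
        z1 = pow(G, ri, P) * pow(y, c, P) % P
        z2 = pow(h, ri, P) * pow(tag, c, P) % P
        c = _h(ring, tag, msg, z1, z2) % Q
    return c == c0

def admit(seen, msg, context, ring, sig, limit=1):
    """Site side: accept a valid signature unless its tag exceeds `limit`."""
    if not verify(msg, context, ring, sig):
        return False
    key = (context, sig[2])
    seen[key] = seen.get(key, 0) + 1
    return seen[key] <= limit
```

Two signatures by the same key under the same context carry the same tag and can be rate-limited; under a different domain or date the tags differ, so the site cannot link them.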

All states/governments have basic records on their citizens and residents, including at least a name, dob, address, etc, at least for a passport, driver's license, if not an actual id card. Let's assume this is acceptable.

Then it's technically possible (and really not that difficult) for states to provide a service that issues zero-knowledge proofs of facts like "age > X".

> Let's assume this is acceptable.

(partly off-topic rant) One can argue this is a false premise fallacy. For most of the time states did not have this information about their citizens and the world progressed quite nicely. The only argument to know stuff about citizens that don't drive (increasing numbers) nor travel abroad (different problem altogether) is to tax them?

One of the foundational differences between humans and cattle was you cannot brand (https://en.wikipedia.org/wiki/Livestock_branding) humans. Not physically, because we do it digitally and I see a slippery slope.

The discussion was about age verification, not about the (rather more extreme) position that it's illegitimate for the state to hold information about its citizens.

> For most of the time states did not have this information about their citizens and the world progressed quite nicely.

This is quite untrue. State bureaucracies far predate the modern era.

https://ageverification.dev/

> Unlinkability is achieved by design through Zero-Knowledge Proof cryptography see the "Privacy by design" section below.

With cryptography. Look at e.g. Privacy Pass, there is an RFC about it.

It should be possible with zero knowledge proofs.

The problem is that while you might be able to trust the crypto, the government won't trust you to do the crypto entirely by yourself. And this introduces avenues for deanonymisation. Moreover, collusion between the government and the entity making the age check can also theoretically deanonymise.

It's a complicated problem.

We continue to seek a technological solution to a parenting problem.

> Moreover, collusion between the government and the entity making the age check can also theoretically deanonymise.

Hmmm... no? That's not how zero knowledge works.

Not via breaking the ZKP, but via other methods of fingerprinting, which governments are very well positioned to enable.

I feel like it becomes bad faith at some point. With a sufficiently advanced attack, you can be personally identified today. ZKP for age verification does not make this worse, does it?

It's a bit like saying "no but Signal is not really encrypted, because the government can extract some metadata by looking at the network around the server".

Look at Apple’s PAT: the website knows the service that did the attestation, but not the user. The service knows the user, but not the website. If you controlled both you can link the user, but otherwise you can’t.

Yes, but they can still collude. It's possible to do age verification in a way that prevents that. Look e.g. at Privacy Pass.

PAT is Privacy Pass.

Oh right, my bad. And how can they collude there?

Blind signatures would work, with a bit of effort.