[notepad0x90]

Have they never heard of "the boy who cried wolf"?

First of all, age verification is not mass surveillance, it is possible to verify your age without disclosing who you are to the site you're visiting, and without disclosing what site you visited to the government. There are even age verification services (and I do despise them fully, this should be a government provided service!) that use only facial features to determine your age (you can call it surveillance, but not "mass").

See, the thing is, no matter how good your intent is, no matter how noble your cause, if you use lies and half-truths to further your argument or resist change, it only serves to undermine it all. For example "They do not deserve surveillance," is so disingenuous, if a site is required to verify age, the only children whose age might be verified are those who might have been exposed to that harmful content otherwise anyways, they're not being selected for surveillance, no one is trying to spy on children (or could possibly benefit from doing so using this method, since it is so unreliable), but they're framing it as it is so.

This isn't like "DRM" or "the nsa is spying on everyone", and there is a big difference between Signal (how are they involved in all this? is this just opportunistic politicking?) being required to verify peer-to-peer messaging from a porn site or or a live-cam site for sex workers requiring both parties to be age verified (where children do get trafficked!!).

Don't get me wrong, I don't like the idea, i really hate it but the prevailing positions in areas of the internet like here is so irrational and unreasonable.

You can't flash your private parts at children, you can't take children to a strip club, they're required by law to check IDs (even night clubs are!!). if that same interaction happens on the internet, suddenly no age verification is needed?

Is it because this problem has been left unaddressed for so long that so many are just too used to "the old way of doing things" despite the ever increasing human suffering caused by lack of regulations and laws like this?

I hope legislators grow a pair and stand up to these tech-crusaders who will burn down the world so long as they feel their corner is safe and secure.

Shame on everyone who refuses to have a nuanced discussion on this and instead takes an all-or-nothing position against any sort of legislature that would reduce (not eliminate) the harm being done. To mean, such people are no different than catholics, teachers, administrators, and anyone else in a position to do something about harm against children but turned the other way because their little world would be too shaken otherwise. Hiding behind "mah privacy!!" doesn't absolve you of the responsibility to at least attempt to be nuanced about it, at least propose an actual solution instead of just "I don't what the solution is, but not this" or "parents are at fault, I don't care" or something lazy like that. I wish I didn't know that when it comes to their own interests, wannabe technocrats like these are ingenious in developing tech like homomorphic encryption, differential privacy and zero-knowledge-proofs; this isn't about anyone's privacy or mass surveillance, it's about preservation of the status quo, apathy and faulty slippery-slope fallacy thinking.

[big85]

> it is possible to verify your age without disclosing who you are to the site you're visiting, and without disclosing what site you visited to the government.

I can't believe people are really okay with a system where you have to show your real face to access websites. Cameras on phones went from a novelty to a government mandate so you can be observed.

There are various other potential methods to verify one's age, all of which are forbidden by OFCOM. Account age, zero-knowledge proofs, key signing, some kind of OAuth thing, physical tokens that require proof of age to buy, etc. The only permitted ones require your to link your real-life identity. This is a huge boon to the intelligence services and law enforcement.

Even among the few permitted verification methods, there are obstacles. Each site usually provides only one verification method at one verification provider. You may have to trust a company you never heard of before. Sometimes the photo fails (maybe their system thinks you don't look old enough) and they ask for ID too, or the photo fails and you are locked out of verification. Some services only allow credit card verification (e.g. Steam), so if you have poor credit you aren't able to even view the store page despite being of age.

What I say is, we don't need any of this. For thirty or so years we had client-side optional Parental Controls, and it worked fine. Many adult sites voluntarily use a <meta name="rating"> tag to ensure sites are correctly identified. The ability of adults to access adult content was not impeded. Parental Controls work better than verification because 1) many sites will not deploy age verification, and 2) it's trivial to overcome photo-based ID by holding your device up to a picture of an adult on a television set.

[dgroshev]

> There are various other potential methods to verify one's age, all of which are forbidden by OFCOM. Account age, zero-knowledge proofs, key signing, some kind of OAuth thing, physical tokens that require proof of age to buy, etc. The only permitted ones require your to link your real-life identity.

This is just not true. See 4.17 here, for example [1]

[1] https://www.ofcom.org.uk/siteassets/resources/documents/cons...

[notepad0x90]

> The only permitted ones require your to link your real-life identity. This is a huge boon to the intelligence services and law enforcement.

Then let's talk about THAT!! why is that not the discussion instead of "nah, we'll find a solution some other day, for now, let's not solve anything"??

> Even among the few permitted verification methods,

These laws are still being debated, what's permitted has not been decided, why is Signal not advocating for a privacy friendly alternative. Why are our options lose all privacy to the most horrible people ever who will do us harm versus let the children suffer!

> You may have to trust a company you never heard of before.

Why do I have to? Why can't the government itself issue something as simple as a timestamp CA certificate signature for a secret that expires every few weeks, requiring facial/ID verification directly with the government to generate a new secret? the site only needs to verify that the signature is correct. a signed token you show random sites. and this is the most naive idea i brought up for discussion without things like zkp even considered. Lawmakers aren't being told by the likes of Signal "there is a better way to do this, let's discuss" they're being told "ignore what all the scientists, research, law enforcement, social workers are telling you so we can watch porn in secret".

> For thirty or so years we had client-side optional Parental Controls, and it worked fine.

It absolutley did not work fine! the toll of human suffering is inexcusably abominable! I shudder in confusion between whose head i should rip off or why this damn planet hasn't been burned down to ashes already at the very thought of all that has been perpetrated using this technology. The internet multiplied and empowered many things, chief amongst them is human cruelty and apathy.

> For thirty or so years we had client-side optional Parental Controls, and it worked fine....

Save your breath, even amongst those who genuinely wish to do well, they have employees and user generated content they can't keep up with. There is no excuse for this. Forget about the tiny span in human history that is the past 30 years. How many people died of industrial accident at the begining of the industrial revolution, how many people died because of car accidents before all the car safety and traffic laws were in place. Take that and multiply that by like a billion and that might come close to painting a fair picture of the internet. Just because you don't see it, doesn't mean it doesn't happen. The internet isn't special, it's just a tool, a technology that connects people. Except billions are connected, and now they can abuse and harm each other across national borders , timezones and continents and maximize their profit from it.

HN and tech-world in general is like any other industry that caused massive suffering until it was regulated. I keep making the same simple comparison of a stripper IRL vs live cam porn over the internet, and no one in this thread even wants to attack that simple example that I picked because it isn't overly sensationalized and universally accepted that laws should force strip clubs to check IDs in any country on the planet. I didn't bring up pedos, human trafficking, revenge porn and so much more in between. and that's just the sexual dramatic stuff, not the seemingly harmless stuff that is easier to brush away and dismiss.

People can see your face and make decisions when they interact with you IRL, they can't over the internet. The problem is huge and the fact that the internet has been young and unregulated does not excuse looking the other way.

I can't believe I'm defending politicians' (however ill intended) agendas against HN/tech-world. but here we are. If things progress this route, I would even cheer as everyone (self included) loses any semblance of privacy or democracy because the alternative was these masses keeping looking the other way at human suffering instead of finding sensible middle grounds, especially when the tech is there. This is insane to me! things crypto-bros (both kind!) have been trying to make main stream like zkp and homomorphic encryption and so much more can actually solve a critical fault of the internet, and the choice is to just let people suffer instead of risking a potential slipper slope.

[bcjdjsndon]

> The internet multiplied and empowered many things, chief amongst them is human cruelty and apathy.

Bare in mind we aren't banning the internet, just kids on social media.

> Take that and multiply that by like a billion and that might come close to painting a fair picture of the internet

A billion people have died from.... the internet? Youve GOT to explain this one lol how exactly?

[notepad0x90]

> Bare in mind we aren't banning the internet, just kids on social media.

It's neither. it isn't social media only, there will be various sites that are age restricted, similar to IRL businesses.

> A billion people have died from.... the internet? Youve GOT to explain this one lol how exactly?

I didn't claim 'died', you assumed. I meant sum total of suffering and pain facilitated by it. The internet is just a "road", except it connected everyone. sex, violence, extortion, slavery, you name it. a decent argument could be made that in the past one or two decades alone more slaves were trafficked and traded than in the entire history of the transatlantic trade, except smartphones, wifi and 5G were used to facilitate trade and allow real-time live HD monitoring of the "merchandize" and advertisement to buyers thereof. think of it in terms of graph theory perhaps, edges and nodes and all. just in the past 30 or so years the planet's population doubled and all those "nodes" have the capability to form edges with all other nodes on demand, interact with and in engage in unregulated commerce (cryptocurrency doesn't help either).

[bcjdjsndon]

> think of it in terms of graph theory perhaps, edges and nodes and all.

So we should ban letters as well because of all the badness they facilitated? Lots of crime has used telephones, we should also ban telephones yes? Because graph theory's etc?

[notepad0x90]

again, bad faith argument.

as you said, the internet isn't being banned, so why would you stretch what i said to mean "ban letters"? sending letters to minors might require age verification if it were a real problem, you already need to verify your age to open a cell service, children can't sign up for mobile plans. you're trying to make this about something it's not so you can win an argument, I don't care who wins the argument, let's solve the problem. Your whataboutism doesn't have solutions attached to it, only winning of internet points.

[bcjdjsndon]

>People can see your face and make decisions when they interact with you IRL, they can't over the internet

Man you're just reaching at this point... Should we ban telephones, and written correspondence also? You're hysterical

[notepad0x90]

phone sex is already banned without credit card verification or if you sound like a minor for example. and you're being disingenuous as well, clearly this entire thread is not about "correspondence", i clearly said "interact", simply talking to kids IRL doesn't require ID verification either. But when you enter a bar, a night club, a sex store, buy alcohol at a convenience store, etc... or hang out at the play ground people can see your face and judge your age. You can't pretend to be another child at a playground as a grown person and fool everyone. If the actuality of people calling or mailing children to groom them like that was a reality, and tech existed to verify age over phone/mail, then absolutely, can you articulate a reason why that shouldn't be done other than you not wanting to be a tad bit inconvenienced?

Speaking of, do you know how common it was by all sorts of middle parties to listen in on POTS phone calls? or paper mail being intercepted by law enforcement? (not that I support either - just putting into context the history of surveillance and societal acceptance of it).

[bcjdjsndon]

> phone sex is already banned without credit card verification

And so is inciting a minor for sex, internet or not.

[EmbarrassedHelp]

There's no such thing as private or anonymous age verification. It doesn't exist.

[notepad0x90]

zero knowledge proofs exist, don't they? also it matters "private from whom, and what". You can make what sites you visit private from the government, and your identity a secret from the site, but the inverse isn't true, the government would know the identity, and the site would obviously know someone visited it.

The problem with this whole thing is the expectation of privacy online for interactions where their IRL equivalents don't have such an expectation. Even if there was no harm being done to anyone, it isn't a rational argument if you subscribe to the ideal of equal treatment under the law.

[Magnusmaster]

Zero knowledge proofs exist in theory, but none of these age verification laws that are introduced use them, probably on purpose. I'm certain that every government will want to know what sites everyone visits.

[notepad0x90]

but why does it have to be that way. why not have zkp age verification processes anyways, inconvenience aside, what's the harm. If they refuse to let us use them, they need to explain why. I don't disagree with the malicious intent you're talking about but we can have it so that they have no legitimate excuse to require collection of site visit data. all the emotion and fervor aside, why can't we talk about having this as a standardized process that excludes third parties.

Governments are banking on being able to purchase that site visit data anyways, bypassing their own laws that prohibit them to do surveil, we can require them by means of technology to comply with laws and for the last time resolve the "but the children" argument.

[trumpdong]

ZKP age verification doesn't verify because you can just copy someone else's token.

[notepad0x90]

it works if it is time-scoped and full age/id verification is done directly with the government. if you're malicious that way, you can likewise verify your id/face and just give a minor access after verifying anyways. you can get a zkp token that can prevent the site owner and the government from colluding and revealing your activity. zkp is one of many ways to solve this as well.

[lII1lIlI11ll]

You can also... ask someone else to pass selfie-age-verification during an account registration, no?

[trumpdong]

When it's not zero-knowledge they can see who registered the account and that it's not the same person who seems to be using the account.

[lII1lIlI11ll]

How would they know a minor is using an adult-verified Signal or, say, Youtube account?

[mysterium]

Thank you for writing this.

Of all the topics I’ve had to work with in my career, this one has caused me by far the most frustration. I like to think the hacker community is generally scientifically-minded and open to rational debate, but online discussion of this subject uniquely tends to cause people to hunker down, refuse to engage productively, and resort to name-calling. This might feel righteous, but ultimately leads to own-goals from us.

Firstly, to make one thing clear, it’s _absolutely_ possible to do age verification in a privacy-preserving manner. A technology called Privacy Pass exists that separates the roles in the age-verification question. This would make it possible to have a solution where the government can attest to your age without knowing what website you’re trying to visit (e.g. pornography, or an online casino, or just purchasing alcohol online). This is just a matter of fact. I’d recommend reading RFC 9576 for more details on the separation of roles here, it’s a really nice protocol.

There seems to be some misconception that privacy-preserving solutions for age verification aren’t permitted under various legislations. I don’t know where this comes from, but certainly Ofcom _mandates_ the minimisation of unnecessary data collection. This doesn’t mean that suboptimal technologies aren’t in use, but there’s certainly nothing precluding the use of fully privacy-preserving solutions.

We should be pushing for privacy-preserving age verification. It’s easy and convenient to say it’s the job of parents, and label anyone who doesn’t use parental controls as a bad parent, but at the end of the day, a government’s job is to look after its citizens regardless of whether they have good parents. If instead of engaging productively we stonewall the topic based on a vaguely-directed-but-intense distrust of Government, then governments will implement it anyway, and the solutions will be bad. We know this is the case, because it already happens.

I participated in a very productive workshop last year with representatives from government as well as various privacy-conscious companies, including Mozilla. I was pleasantly surprised at how productive we could be when we all worked together on this. We all walked away with a much better understanding of some of the problems, some of the nuances involved, and some possible paths forward.