[Wowfunhappy]

Could you be more specific as to what you're imagining? I don't personally see a way to verify someone's age which doesn't involve either credit card verification, photo id verification, or some sort of facial recognition. If you know enough about someone to verify their age—even to a relatively low degree of accuracy—you probably know enough to pinpoint who they are in general.

Heck—in most cases, we can't even tell the difference between humans and bots anymore! And it's true that we basically accept that some bots will slip through the cracks—but identifying bots also strikes me as significantly easier than identifying children.

[Aaargh20318]

The way identity wallets work:

The government issues an eID to your wallet. The ID is signed by the government and linked to the device to prevent transferring the credential. A public/private key-pair is generated by the secure enclave in your phone, the public key along with proof of possession of the private key is included in the request for the government eID. The government signs individual attributes combined with the public key with the government private key. The government certificate containing the public key is, well, public.

One of the attributes is ‘over_18’ (In the EU eID scheme countries can add other over_XX attributes if they want, but over_18 is mandatory).

When a website wants to requests attributes, in this case the over_18 attribute, they send a request to the user’s wallet app, including a challenge. The wallet sends back a package including the government-signed attribute, which contains the device public key and the over_18 attribute plus a response to the challenge (proving the credential didn’t get transferred).

The website only sees the ‘over_18’ attribute, which is backed by the government signature. They don’t see any other attributes (the wallet app shows in advance which attributes you are sharing). The government never sees which website wants to know if you’re 18+.

Of course this is all a bit simplified, check OIDC4VCI and OIDC4VP for details.

The only real issue is the wallet app and device binding. Because a compromised device could allow credentials to be transferred some form of attestation of device and wallet app is required. In practice this means no rooted/jailbroken phones.

[Aurornis]

> The website only sees the ‘over_18’ attribute, which is backed by the government signature

Not true. The device's public key is also sent, which functions as a stable device identifier.

We've spent years trying to get away from stable tracking IDs and fingerprinting. Returning to a system where devices are sending a stable ID to a website to prove ownership is a step backward.

There are proposed mitigations like issuing multiple sets of credentials or rotating them, but we're not going to get an infinite number of keypairs for every website or session in the secure enclave in practice.

Another reason why these proposals aren't getting much uptake is that they aren't addressing what the lawmakers are pursuing: They don't want anonymous authorization tied to the device. They want IDs tied to accounts and a way to discourage people from sharing IDs. In the anonymous systems it only takes one person a few minutes to put an over-18 identity into a device and there's no way to determine if someone is abusing the system by stealing IDs or if someone's 18 year old brother is setting up all of their younger brothers' phones for $5 each.

The situation gets stickier when you acknowledge that it's not possible to limit all of these websites to only mobile phone devices with secure enclaves that are not jailbroken. Once you open a door to desktop devices and other OSes accessing these sites, you open the door to replaying and proxying attacks, where someone will produce those `over_18` attestations on-demand for you, possibly for a minimal price. This brings us back to the public stable identifier to discourage fraud, which means governments won't be happy to issue as many keypairs as we want, which means we're back to semi-stable fingerprints.

[Aaargh20318]

> Not true. The device's public key is also sent, which functions as a stable device identifier.

This is covered by allowing for single-use credentials. IIRC the EU personal IDs will use this. Basically, the wallet requests a batch of single-use eIDs that all use different device key-pairs. Each credential is only used for one request and then deleted. The wallet will automatically request new credentials in batches when they run out. The old key-pairs are deleted along with the credential so you don’t run out of space in the secure enclave.

> Another reason why these proposals aren't getting much uptake

I’m not sure what you mean by not much uptake, EU countries are required to issue and accept them for official business by the end of 2026

[horsawlarway]

> In practice this means no rooted/jailbroken phones.

Personally - this is less acceptable to me than just having the site collect my image/id.

I'd support just putting the id in a dedicated device (ex - gov issues smart key) or just accepting that sometimes people will share id info (just like... physical ids).

It doesn't even close all the doors to transferring ids - since I can still just hand someone a phone (just like... physical ids).

[echoangle]

If you use physical ids to verify your identity, they normally verify that your face matches the image on the id, no? That’s not possible for web id.

[Wowfunhappy]

> The only real issue is the wallet app and device binding. Because a compromised device could allow credentials to be transferred some form of attestation of device and wallet app is required. In practice this means no rooted/jailbroken phones.

Yeah, and no Linux PCs, no custom builds of web browsers (which would effectively become open source in theory only)—basically the end of any kind of open platform. I would much rather just scan my ID!

[chollida1]

How does this work without a phone? I do 99% of my computer work, like now, not on a phone.

Do regular desktop and laptop computers have the same secure enclave feature?

[irusensei]

>The government issues an eID to your wallet

So people in dubious legal circumstances are locked out the internet?

[skinfaxi]

Couldn't the public key be used as an identifier for tracking?

[inigyou]

> which contains the device public key

And there it is.

[ninalanyon]

So now I have to have a mobile phone?

[sonic45132]

I feel the idea of public key encryption could be done without a phone but the device locking makes it harder to transfer the token off device. Like the parent comment said, I think 90% is all we can aim for. Nothing is going to be perfect.

[maccard]

Secure Enclave on a mobile phone, or an NFC smart card both work fine. It could be your passport, drivers license, national ID, whatever.

[rustyminnow]

Could probably be implemented by a smartcard or yubikey-like device as well. Shoot, just build it into my state issued ID card.

[intrasight]

Identity wallets can be made to work anywhere.

[pluralmonad]

And one you don't fully own/control. Fully owned devices will be unsupported, obviously.

[petemill]

Sounds like what a government issued card should be used for, which seems fine

[izacus]

You can have an ID card. Just like for buying alcohol and cigarettes.

[john_strinlai]

>Could you be more specific as to what you're imagining?

sure, i'll put my favorite two. though you'll find much more detailed and thought-out versions of these (and others) in the dozens of other giant threads on the same topic.

- buy a card with a UUID from anywhere that sells alcohol/tobacco that is valid for some period of time. most people are comfortable with flashing their ID at the clerk. the UUID card is non-identifying.

- websites issue content tags, browsers consume them, you enter your age into the OS during setup.

[donmcronald]

> buy a card with a UUID from anywhere that sells alcohol/tobacco that is valid for some period of time

Why should I pay continuously to prove I'm an adult? And those cards will be getting sold to kids faster than you can blink. I bet a lot of parents would buy them for their kids.

[drdexebtjl]

> I bet a lot of parents would buy them for their kids.

Good. I should be able to make judgement calls about what my children can or can’t access outside of school.

It’s better if they do it under my supervision than against my back, aided by a predator whose only moat is lending their ID, or their face.

[sdeframond]

> I bet a lot of parents would buy them for their kids.

That changes the default from "anyone can do anything" to "gotta ask parents". Defaults matter at scale. It adds friction.

[john_strinlai]

>And those cards will be getting sold to kids faster than you can blink.

there's a reason i said 90% and not 100% effective. alcohol and tobacco get resold to kids, too.

[fl4regun]

What makes you think this will be close to 90%? Unless these cards are expensive I don't see that happening.

[john_strinlai]

>What makes you think this will be close to 90%? Unless these cards are expensive I don't see that happening.

its obviously just an illustrative guess. but if the penalty of possessing the card is similar to underage possession of alcohol/tobacco, and larger penalties if a store/person is found providing a card to someone underage, i see no reason why it wouldnt have a similar success rate as alcohol/tobacco.

[inigyou]

Why possess the card when you can just buy the UUID on the dark web

[CPLX]

Why should you pay for an internet connection, or a computing device with a screen? This isn't a serious counterargument.

[fluoridation]

Because those things cost money to make and to maintain, whereas there's no intrinsic cost to prove one is an adult.

[CPLX]

Yes there is.

You need to pay for a drivers license or a passport and so on. So there is an intrinsic cost to prove who you are where you are from and what your birthday is already.

You have to pay for all sorts of small things to participate in normal society. This isn't a serious criticism.

By definition this is not a life critical thing, it's something that is procured in order to access specific services on the internet, which is not free.

[cogman10]

And honestly, all these should ultimately just be done client side in the browser. After the browser has verified "User is x or user is over 21" there's no reason to then send that information to the website.

Let websites issue a "window.isUserOver(16)" call once and then move forward based on the response to that query.

[Wowfunhappy]

This would require browser attestation, wouldn't it? Otherwise kids are just going to download a custom build of Chromium where `window.isUserOver(16)` is always `True`.

[cogman10]

Some probably will. 99% of them don't even know what "Chromium" is.

This doesn't have to be perfect.

[Wowfunhappy]

Right now, they don't know. They're going to learn very quickly when they want to use some website and they can't.

We agree it doesn't need to be 100% perfect. But it needs to be at least, like, 60% perfect, right? And unless you make it at least a bit hard to bypass, it will stop virtually no one.

[mindslight]

No, it only "requires" browser attestation if we taken it as a given that the onus is on tech companies for verifying who they are talking to - ie identity verification that most of these schemes boil down to regardless of how cute they're dressed up.

To effectively keep adult content away from kids, it merely requires secure boot and closed app stores, which are already widespread. And they are only required on the devices actually given to kids, rather than every single computing device.

But this proposal has another problem: it's easy for a website to run isUserOver(n) in a loop to derive the exact age. And on a persistent account, it can be queried every day to derive an exact birthday! Which comes back to my main point that the only technical schemes we should be considering are ones where information strictly flows one way - the website/app supplies information to the browser/OS, which then [may] implement parental control policy. anything else fundamentally boils down to a mandate for identity verification.

[Wowfunhappy]

> To effectively keep adult content away from kids, it merely requires secure boot and closed app stores, which are already widespread. And they are only required on the devices actually given to kids, rather than every single computing device.

...I guess I don't really see the difference.

Closed app stores are widespread on some platforms but certainly not others, and I for one would really like them to not spread any further.

[mminer237]

This is how California is legislating it—requiring the OS to let an admin set the user's age, then let browsers and through them, websites, to query that setting.

[inigyou]

You can get their exact age by binary search.

[ekr____]

Typically these APIs are designed so you can't make arbitrary queries, but rather there are fixed age brackets.

[utopiah]

> UUID card is non-identifying.

Kids aren't going to trade Pokemon cards in the playground anymore...

[choo-t]

Well, they could trade identifying ones too or even stollen ID cards if you want to go this way.

They could also trade porn-filled thumb drive or old-school glossy paper magazine. There no way to prevent kid's exposure to stuff at a 100% success rate.

There no way to avoid exposure completely

[dana-s]

I'm just left wondering, how would that be different than buying a phone? Most kids also don't have money to spend on devices, that's all coming from adults, how would the UUID work any different? In my view it seems we'll just reach the current state as with phones.

[oliwarner]

That's because you're treating AV as a system that must be 100% correct immediately. This isn't banking or an election.

As soon as you loosen off the requirements to "reasonable effort", you can start looking at account age, facial features, social attestation, and include retrospective tools to revisit someone's verification if they get in and start acting like a child. Heuristically messy but far from impossible to demand a stronger form of verification if their original might have been borderline.

The goal is broad coverage, not complete. Screening doesn't have to get 100% to have an effect.

[Wowfunhappy]

I understand it doesn't need to be 100% correct. But I think what you're describing is either (A) going to be very privacy invasive, (B) going to create problems for lots of adults, or (C) going to be precisely as effective as a checkbox saying "I agree I am over 18 years old".

[zug_zug]

Sure here's one example of decentralizing it -- it's going to be overly simple just as a toy example to show how easy it could be:

Whenever you want to prove your adult you go to "am I an adult.gov" and you use your credit card or whatever to prove you are an adult. At which point you get a 1-time 5-digit code that is UNIVERSAL TO EVERY SINGLE HUMAN and good for 1 hour (everybody who uses the site gets the same code that hour).

Then when you want to look at porn or something, you use this code. Boom simple and done.

There are even much better much more private techniques that use cryptography, and AI is happy to explain these graduate-degree level topics to you at your own pace.

Of course there are situations where people steal things, and use deep-fakes, etc, but those exist in every model.

[akmiller]

Same code for all people for 1 hour and you don't think we'd immediately have rotating codes to pass the gate?

[dpoloncsak]

I'd setup the .onion in a heartbeat. Take crypto donations, cash out in Monero

[malwrar]

Headline news: children infiltrate the universal adult one time password scheme for porn, parents panic! Turns out the 18 year olds started selling access to their younger friends, who resold it to their younger friends.

[sowbug]

Hopefully it would be less of a criticism of the system, and more spurring people to ask questions like "Wait, why did you leave a hunting knife on the coffee table?"

Design a scheme that equips parents with better tools to be better parents, rather than one that reduces the scope of parenting responsibilities.

[john_strinlai]

this happens with alcohol and tobacco every day. i cant think of the last time it reached headline news.

[malwrar]

My point is that the entire check is bypassed easily and instantly, and in the meantime the government gets data that someone _will_ figure out how to make personally identifying for adults, or will argue for changes to make it so. Alcohol age limits are a simple physical check for a vice that everyone accepts those who want it can get at. I’d rather demand that device manufacturers give parents effective controls before we try solving this problem by identifying internet users wholesale.

[pwg]

It does not reach headline news because everyone just accepts that the "filter" is imperfect.

But, for some reason, little twelve year old Jimmy obtaining access to porn evokes some kind of far more visceral reaction in Jimmy's parents (or if not Jimmy's parents, some "busybody" who wants to "protect all the children") than Jimmy managing to get himself a pack of Salem's or a Pabst Blue Ribbon tallboy.

[john_strinlai]

right, that's exactly what i was getting at with my original comment. none of the laws we have are 100% effective. so i find it weird that this specific topic always devolves into "well some kid will be able to get access, so your proposal sucks".

[lotu]

Using existing parental controls parents could set their kids age and that could be used for the age controls. Could the parents let the kids around the age gate? Sure but they could do that even if a government ID and camera was required. This actually might be more effective than a lot of these systems because other adults could not let the kids use their IDs

[inigyou]

Existing parental controls don't work - new ones would have to be created.

[netrap]

Perfect is the enemy of the good, right? I mean a page header or some other simple means to identify "adult" vs not is good for most cases? Just thinking about it.. obviously it can be bypassed but is there a good enough?

[blahaj]

Cryptographically blinded age verification with a government signed digital ID

[armchairhacker]

Make unrestricted devices like alcohol: you need ID to buy (but the box containing the device you’re sold is indistinguishable from any other, so the device may have a UUID but it can’t be traced to your ID); kids caught with unrestricted devices in school have them confiscated; maybe fine parents, but I think discouragement and banning in schools is enough. Kids can have restricted devices, distinguished from unrestricted by appearance in a way that’s hard to fake.

[Wowfunhappy]

I don't know, treating general-purpose computers like alcohol seems a lot more dystopian to me. Does this extend to PC components? Can I build a machine and put Linux on it?

[intrasight]

> Can I build a machine and put Linux on it?

Maybe for the next few years you'll be able to do that. Analogy: back in the day you could just build your own airplane and fly it around. There were no regulations.

[armchairhacker]

Do most kids have the ability and motivation to build their own machines?

AFAIK you don’t need ID to buy juice, sugar, and yeast to make your own alcohol, so I think it should be the same for computer parts.

[impure-aqua]

> Do most kids have the ability and motivation to build their own machines?

I and pretty much everyone else in my childhood TeamSpeak server did at roughly 14 years of age.

[armchairhacker]

Did the people in your Teamspeak server have issues with concentration and socialization like most social media addicts today?

[michael1999]

Info-minimized oidc handshakes with certified identity providers could verify age-category of a user with no other information shared.

Consider "log in with apple" as it is today. Depending on what you share, a relying website might not even get your name or email.

[bbminner]

Yes, that was my thought as well when i was visiting UK and reddit kept asking me to verify my age. It might be even more private and non-trackable than that - if "age.id.gov" central authority effectively "provides a new random user id" (implementation may vary and does not need to have a "literal username") every time you try to use it / log into a website that needs to verify your age - this way websites can not even track you across platforms.

It seems like all the tech stack is there to implement a very simple and privacy-persevering solution.

It does not even smell of state censorship because a website does not have to check your age if it decides to be "non compliant".

Why isn't it implemented like that? Based on the comments it seems more like a "free-for-all implement-your-own-PPI-handling-thon".

This will ofc make life harder for a some groups of people - like people without / limited access to IDs etc. And i do not even argue that the whole thing is necessary.

But there seem to be vastly superior technical means to implement that, aren't there?

[inigyou]

The only way to know that is to trust Apple.

[dfxm12]

If you don't think a checkbox saying "I am 13 or older" is adequate, with all the behavioral tracking available to say Meta, they can tell well enough. OpenAI talks about this too: https://openai.com/index/our-approach-to-age-prediction/

Knowing who someone is in general is different from having a photo of their face or government ID confirmation.

[lo_zamoyski]

This is a classic case for one time ZKPs. Sure, you can't get around attestation, but the party that needs to verify that you meet age criteria doesn't need to know your age or other private information.

I presume you're concerned by the attesting party's knowledge of both the signature and identify information. Yes, in principle these can be linked, but in practice, it may be difficult or made very difficult, and today, very little of our online activity is really anonymous anyway. It is generally not too difficult to infer identity based on the content someone generates and the bread crumbs they leave behind.

Of course, if the intent is to use age verification as a wedge to monitor everyone, then it will be difficult politically to secure the protections needed to prevent that sort of data fusion.