Age Verification isn't a technical problem to solve.
-
Age Verification isn't a technical problem to solve. If you think that, you're missing the point.
It's a social problem used by authoritarian governments as an excuse for population control and censorship.
It's a fundamental attack on free speech and democracy.
It must not be accommodated.
It must be stopped.#MassSurveillance #AgeVerification #Privacy #Democracy #HumanRights
@Em0nM4stodon What happened to "never tell anyone your age on the Internet"?
-
@edwiebe@mstdn.ca @dalias@hachyderm.io @Em0nM4stodon@infosec.exchange From what I understand, active verification does necessarily invade privacy.
But active verification is not necessary.
A mere social media ban under age X, if necessary, could simply be passed as a law, making the parents responsible for ensuring their children follow it. There already are existing laws of this kind for other areas of life. And as parents are responsible for supervising their children, they definitively can also be responsible here.
The opposite is true as well - while the child is supervised by their parents, such restrictions should not apply.
To support the ban, I still think it'd be useful to have an (optional at parents' discretion) software solution. Sure one could go all allowlist using e.g. Google Family Link, but I'd prefer if sites specified their purpose (and also some other properties, e.g. the severity of various kinds of NSFW content, potentially even at multiple levels of which the client can then pick one and specify in a header) for such software to use. That's trivial to do, it's just one file to be placed in the web server's root and it'll work. Could store it in DNS instead, whatever, don't care.
Furthermore, while at it, we could combine this with a technical solution for COPPA and other regulations that ban tracking and surveilling children online. Namely, revive Do-Not-Track, and have aforementioned software automatically set the header for minors.
But, I hear Big Tech say, then what if adults set the header too?
Then you don't effing track them either.
But... what if everyone sets it?
Then the people have spoken.Age verification doesn't take away anyone's Rights.
Maybe we don't need it. Maybe we do. That's a different discussion.
-
@dalias @divVerent @Em0nM4stodon Knowing how old someone is does not limit their speech nor their ability to vote (we verify age for that already, and for many other reasons). Age verification isn’t state censorship. I suppose it could be a way to limit anonymous speech. That isn’t a Right where I am from (nor is ‘free’ speech). I doubt anonymous speech is a Right anywhere.
I have no doubt it’s absolutely technically feasible in a way that infringes on no one’s privacy. Ultimately though, yes, it could be abused by bad actors. Like everything else in civilisation we need some balance of enforcement to deal with those people.
@edwiebe @divVerent @Em0nM4stodon There is no way to know how old someone is without attestation by some authority who knows their identity. This precludes participation by anyone not known to such an authority (undocumented, outside of jurisdiction, etc.) or for whom it is not safe to let that authority know they are participating. And this is only the tip of the iceberg.
You are dangerously wrong, and you should stop advocating about things you're dangerously wrong about.
-
Age verification doesn't take away anyone's Rights.
Maybe we don't need it. Maybe we do. That's a different discussion.
@edwiebe @divVerent @Em0nM4stodon @dalias It takes away all kinds of rights that you don't even realize you depend on
Like the right to live an unmonitored life
Maybe you *think* you don't have anything to hide.
Maybe you *think* you don't have anything that somebody with power over you wants
If you value anything in your life, you absolutely are relying on a right to privacy to protect it
-
Age verification doesn't take away anyone's Rights.
Maybe we don't need it. Maybe we do. That's a different discussion.
@edwiebe@mstdn.ca @Em0nM4stodon@infosec.exchange @dalias@hachyderm.io So who do you trust enough to present your ID to online? -
@edwiebe @divVerent @Em0nM4stodon There is no way to know how old someone is without attestation by some authority who knows their identity. This precludes participation by anyone not known to such an authority (undocumented, outside of jurisdiction, etc.) or for whom it is not safe to let that authority know they are participating. And this is only the tip of the iceberg.
You are dangerously wrong, and you should stop advocating about things you're dangerously wrong about.
@dalias @divVerent @Em0nM4stodon
If you're suggesting every jurisdiction should allow unrestricted access to everything because some jurisdictions are authoritarian then I disagree.
-
@edwiebe @divVerent @Em0nM4stodon There is no way to know how old someone is without attestation by some authority who knows their identity. This precludes participation by anyone not known to such an authority (undocumented, outside of jurisdiction, etc.) or for whom it is not safe to let that authority know they are participating. And this is only the tip of the iceberg.
You are dangerously wrong, and you should stop advocating about things you're dangerously wrong about.
@dalias @edwiebe @divVerent @Em0nM4stodon
while that's true, it is possible to make such an attestation without destroying privacy (see https://soatok.blog/2025/07/31/age-verification-doesnt-need-to-be-a-privacy-footgun/).
however, even if you do that, it'll still be morally wrong in most cases.and also, corporations are deliberately not going for the private solution, and governments are shifting the blame to users. the Czech government recently admitted social media is already illegal for teens (due to privacy laws), but they want new laws anyway.
-
@edwiebe @divVerent @Em0nM4stodon There is no way to know how old someone is without attestation by some authority who knows their identity. This precludes participation by anyone not known to such an authority (undocumented, outside of jurisdiction, etc.) or for whom it is not safe to let that authority know they are participating. And this is only the tip of the iceberg.
You are dangerously wrong, and you should stop advocating about things you're dangerously wrong about.
@dalias@hachyderm.io @edwiebe@mstdn.ca @Em0nM4stodon@infosec.exchange In theory one could do this with a "trusted" third party and blind signatures.
Let every country on the world run a CA for age verification. CA generates a certificate for your age that reveals nothing about your identity.
Present these certificates. Extra cryptography to be used so the certificate cannot be used as an user ID (i.e. each time you present it, the data sent has to be different). E.g. a "zero knowledge protocol". Not even the government that ran the CA should be able to find out which person is presenting their certificate.
All this is solvable, but:
- Nothing stops you from copying someone else's certificate. Even if this were TPM-backed and it were actually secure, nothing stops you from using someone else's computer.
- Websites need to trust _every single country's_ CA. Even if this were feasible, it'd quickly run into issues like "which CA to use for people in Taiwan", and e.g. recognizing one could get you into trouble with the other.
- If only one country hands out certificates for people who haven't reached the proper age yet, the entire system breaks down. And some country sure will do that - at least for people paying enough.
- None of the major companies would ever implement a privacy protecting scheme anyway, if they can instead do mass surveillance.
At that point, it basically gains nothing vs my approach of the ban simply implemented client-side and voluntarily. Parents either block social media for their children, or they don't (and supervision necessarily ends once children can afford their own phone and internet connection). I have ideas to simplify that, but solutions for that already exist right now. -
@edwiebe @divVerent @Em0nM4stodon @dalias It takes away all kinds of rights that you don't even realize you depend on
Like the right to live an unmonitored life
Maybe you *think* you don't have anything to hide.
Maybe you *think* you don't have anything that somebody with power over you wants
If you value anything in your life, you absolutely are relying on a right to privacy to protect it
@RandomDamage @edwiebe @divVerent @Em0nM4stodon @dalias People think they have nothing to hide, until suddenly they do.
-
@dalias @divVerent @Em0nM4stodon
If you're suggesting every jurisdiction should allow unrestricted access to everything because some jurisdictions are authoritarian then I disagree.
@edwiebe @dalias @divVerent I recommend watching this short video to understand better how the data we collect now can have a great impact on a government that turns authoritarian later: https://infosec.exchange/@Em0nM4stodon/116031435192287968
-
@dalias @divVerent @Em0nM4stodon
If you're suggesting every jurisdiction should allow unrestricted access to everything because some jurisdictions are authoritarian then I disagree.
@edwiebe@mstdn.ca @dalias@hachyderm.io @Em0nM4stodon@infosec.exchange You don't need rights until you do. -
@edwiebe @divVerent @Em0nM4stodon @dalias It takes away all kinds of rights that you don't even realize you depend on
Like the right to live an unmonitored life
Maybe you *think* you don't have anything to hide.
Maybe you *think* you don't have anything that somebody with power over you wants
If you value anything in your life, you absolutely are relying on a right to privacy to protect it
Age verification doesn't take away anyone's Rights. That's nonsense. No one on Earth has a Right to Use the Internet Anonymously.
-
@edwiebe@mstdn.ca @Em0nM4stodon@infosec.exchange @dalias@hachyderm.io So who do you trust enough to present your ID to online?
@divVerent
My Government(s). -
@dalias @edwiebe @divVerent @Em0nM4stodon
while that's true, it is possible to make such an attestation without destroying privacy (see https://soatok.blog/2025/07/31/age-verification-doesnt-need-to-be-a-privacy-footgun/).
however, even if you do that, it'll still be morally wrong in most cases.and also, corporations are deliberately not going for the private solution, and governments are shifting the blame to users. the Czech government recently admitted social media is already illegal for teens (due to privacy laws), but they want new laws anyway.
@Yuvalne @edwiebe @divVerent @Em0nM4stodon No, it is not possible. The ZPK bs is privacy-washing designed to bamboozle policy makers and privacy activists who don't understand math. Either it doesn't actually verify age (I can setup a proxy to hand out age proof verification tokens to anyone who wants them using my identity; I would absolutely do that if it were cryptographically safe) or something exposes to the token providing authority that I'm doing this and allows detection that someone else used my identity (thereby violating my privacy).
-
Age verification doesn't take away anyone's Rights. That's nonsense. No one on Earth has a Right to Use the Internet Anonymously.
@edwiebe @RandomDamage @divVerent @Em0nM4stodon Um, yes we do.
-
@edwiebe @RandomDamage @divVerent @Em0nM4stodon Um, yes we do.
@dalias @RandomDamage @divVerent @Em0nM4stodon
You don't understand what a "Right" is.
-
@edwiebe @RandomDamage @divVerent @Em0nM4stodon Um, yes we do.
@edwiebe @RandomDamage @divVerent @Em0nM4stodon "No one on Earth has a Right to Use the Internet Anonymously" is a manipulative, pro-fascist way of saying "no one who can't safely identity themselves has the right to use the internet".
-
@edwiebe @RandomDamage @divVerent @Em0nM4stodon "No one on Earth has a Right to Use the Internet Anonymously" is a manipulative, pro-fascist way of saying "no one who can't safely identity themselves has the right to use the internet".
@dalias @RandomDamage @divVerent @Em0nM4stodon
There's no reasonable way to respond to that.
-
@Yuvalne @edwiebe @divVerent @Em0nM4stodon No, it is not possible. The ZPK bs is privacy-washing designed to bamboozle policy makers and privacy activists who don't understand math. Either it doesn't actually verify age (I can setup a proxy to hand out age proof verification tokens to anyone who wants them using my identity; I would absolutely do that if it were cryptographically safe) or something exposes to the token providing authority that I'm doing this and allows detection that someone else used my identity (thereby violating my privacy).
@dalias@hachyderm.io @Yuvalne@433.world @edwiebe@mstdn.ca @Em0nM4stodon@infosec.exchange Precisely - also as I described.
The one way around that would be storing the secret for the ZKP in a TPM.
Yeah, right, with that you can still run your own proxy and provide the ZKP for someone else.
But it is possible to then also use some forms of remote attestation so this doesn't work. Like, yeah, you can forward the ZKP, but then only you can decrypt the connection and not your "customer", as the decryption key is in your TPM and can't get out.
Despite all that, in worst case you can run a web browser in a VNC session for others to use, with your age claim. Nothing can prevent that - other than the ZKP not being actually ZK.
And that, indeed, is why ZKP aren't gonna happen for this. Even if they're cryptographically ZK, they'll end up signing more than just the age - at which point it's a privacy violation again and also no stronger than merely claiming your age in the first place. -
@dalias @RandomDamage @divVerent @Em0nM4stodon
There's no reasonable way to respond to that.
@edwiebe @RandomDamage @divVerent @Em0nM4stodon Sure there is. By apologizing and admitting you've been posed on the wrong side of this by people who don't have yours, my, or any vulnerable people's best wishes at heart.
