Age Verification isn't a technical problem to solve.
-
@dalias @edwiebe @divVerent @Em0nM4stodon
while that's true, it is possible to make such an attestation without destroying privacy (see https://soatok.blog/2025/07/31/age-verification-doesnt-need-to-be-a-privacy-footgun/).
however, even if you do that, it'll still be morally wrong in most cases.and also, corporations are deliberately not going for the private solution, and governments are shifting the blame to users. the Czech government recently admitted social media is already illegal for teens (due to privacy laws), but they want new laws anyway.
@Yuvalne @edwiebe @divVerent @Em0nM4stodon No, it is not possible. The ZPK bs is privacy-washing designed to bamboozle policy makers and privacy activists who don't understand math. Either it doesn't actually verify age (I can setup a proxy to hand out age proof verification tokens to anyone who wants them using my identity; I would absolutely do that if it were cryptographically safe) or something exposes to the token providing authority that I'm doing this and allows detection that someone else used my identity (thereby violating my privacy).
-
Age verification doesn't take away anyone's Rights. That's nonsense. No one on Earth has a Right to Use the Internet Anonymously.
@edwiebe @RandomDamage @divVerent @Em0nM4stodon Um, yes we do.
-
@edwiebe @RandomDamage @divVerent @Em0nM4stodon Um, yes we do.
@dalias @RandomDamage @divVerent @Em0nM4stodon
You don't understand what a "Right" is.
-
@edwiebe @RandomDamage @divVerent @Em0nM4stodon Um, yes we do.
@edwiebe @RandomDamage @divVerent @Em0nM4stodon "No one on Earth has a Right to Use the Internet Anonymously" is a manipulative, pro-fascist way of saying "no one who can't safely identity themselves has the right to use the internet".
-
@edwiebe @RandomDamage @divVerent @Em0nM4stodon "No one on Earth has a Right to Use the Internet Anonymously" is a manipulative, pro-fascist way of saying "no one who can't safely identity themselves has the right to use the internet".
@dalias @RandomDamage @divVerent @Em0nM4stodon
There's no reasonable way to respond to that.
-
@Yuvalne @edwiebe @divVerent @Em0nM4stodon No, it is not possible. The ZPK bs is privacy-washing designed to bamboozle policy makers and privacy activists who don't understand math. Either it doesn't actually verify age (I can setup a proxy to hand out age proof verification tokens to anyone who wants them using my identity; I would absolutely do that if it were cryptographically safe) or something exposes to the token providing authority that I'm doing this and allows detection that someone else used my identity (thereby violating my privacy).
@dalias@hachyderm.io @Yuvalne@433.world @edwiebe@mstdn.ca @Em0nM4stodon@infosec.exchange Precisely - also as I described.
The one way around that would be storing the secret for the ZKP in a TPM.
Yeah, right, with that you can still run your own proxy and provide the ZKP for someone else.
But it is possible to then also use some forms of remote attestation so this doesn't work. Like, yeah, you can forward the ZKP, but then only you can decrypt the connection and not your "customer", as the decryption key is in your TPM and can't get out.
Despite all that, in worst case you can run a web browser in a VNC session for others to use, with your age claim. Nothing can prevent that - other than the ZKP not being actually ZK.
And that, indeed, is why ZKP aren't gonna happen for this. Even if they're cryptographically ZK, they'll end up signing more than just the age - at which point it's a privacy violation again and also no stronger than merely claiming your age in the first place. -
@dalias @RandomDamage @divVerent @Em0nM4stodon
There's no reasonable way to respond to that.
@edwiebe @RandomDamage @divVerent @Em0nM4stodon Sure there is. By apologizing and admitting you've been posed on the wrong side of this by people who don't have yours, my, or any vulnerable people's best wishes at heart.
-
@dalias @RandomDamage @divVerent @Em0nM4stodon
You don't understand what a "Right" is.
@edwiebe@mstdn.ca @dalias@hachyderm.io @RandomDamage@infosec.exchange @Em0nM4stodon@infosec.exchange There is no right to use the internet at all, and as such there is no right to use it in any specific way either, sure.
However there is a right to participate in political discourse. It is the right to free speech. And this right must be ensured.
The safest way to ensure this right actually can be enjoyed by the people is to permit anonymity. -
@edwiebe@mstdn.ca @dalias@hachyderm.io @RandomDamage@infosec.exchange @Em0nM4stodon@infosec.exchange There is no right to use the internet at all, and as such there is no right to use it in any specific way either, sure.
However there is a right to participate in political discourse. It is the right to free speech. And this right must be ensured.
The safest way to ensure this right actually can be enjoyed by the people is to permit anonymity.@divVerent @RandomDamage @Em0nM4stodon @edwiebe There is a right to participate in public life and discourse, to speech and assembly in the venues that exist in the society you live in. To movement within the spaces that life happens in.
-
@dalias@hachyderm.io @Yuvalne@433.world @edwiebe@mstdn.ca @Em0nM4stodon@infosec.exchange Precisely - also as I described.
The one way around that would be storing the secret for the ZKP in a TPM.
Yeah, right, with that you can still run your own proxy and provide the ZKP for someone else.
But it is possible to then also use some forms of remote attestation so this doesn't work. Like, yeah, you can forward the ZKP, but then only you can decrypt the connection and not your "customer", as the decryption key is in your TPM and can't get out.
Despite all that, in worst case you can run a web browser in a VNC session for others to use, with your age claim. Nothing can prevent that - other than the ZKP not being actually ZK.
And that, indeed, is why ZKP aren't gonna happen for this. Even if they're cryptographically ZK, they'll end up signing more than just the age - at which point it's a privacy violation again and also no stronger than merely claiming your age in the first place.@divVerent @Em0nM4stodon @dalias @edwiebe the crypto discussion misses the point.
no corporation has went down this way, and that's a deliberate choice of them. countries introduce ID requirements for social media instead of going after corpos for collecting kids' data, and that's a deliberate choice of them.
and they all treat a flat age limit as a solution, as if when someone's 16 and a day it's suddenly okay to hook them up on this digital drug, and that's a deliberate choice of them.
-
@edwiebe @RandomDamage @divVerent @Em0nM4stodon Sure there is. By apologizing and admitting you've been posed on the wrong side of this by people who don't have yours, my, or any vulnerable people's best wishes at heart.
@dalias We're not talking about my best wishes. We're talking about Rights.
-
@edwiebe @divVerent @Em0nM4stodon @dalias It takes away all kinds of rights that you don't even realize you depend on
Like the right to live an unmonitored life
Maybe you *think* you don't have anything to hide.
Maybe you *think* you don't have anything that somebody with power over you wants
If you value anything in your life, you absolutely are relying on a right to privacy to protect it
@RandomDamage @edwiebe @divVerent @Em0nM4stodon @dalias People think they have nothing to hide
Till they realize who they're hiding it from.
-
@divVerent @Em0nM4stodon @dalias @edwiebe the crypto discussion misses the point.
no corporation has went down this way, and that's a deliberate choice of them. countries introduce ID requirements for social media instead of going after corpos for collecting kids' data, and that's a deliberate choice of them.
and they all treat a flat age limit as a solution, as if when someone's 16 and a day it's suddenly okay to hook them up on this digital drug, and that's a deliberate choice of them.
@Yuvalne @divVerent @Em0nM4stodon @edwiebe There are multiple points here, all important.
Abstinence-only approach to addictive shit.
Privacy and anonymity.
Right of people without identity (including children!) to participate in society & access information.
Capitalist platforms being abusive.
Etc.
None of these point to the awful "solutions" industry & government & normie simps for those two are pushing.
-
@divVerent @RandomDamage @Em0nM4stodon @edwiebe There is a right to participate in public life and discourse, to speech and assembly in the venues that exist in the society you live in. To movement within the spaces that life happens in.
-
Age verification doesn't take away anyone's Rights. That's nonsense. No one on Earth has a Right to Use the Internet Anonymously.
@edwiebe @divVerent @Em0nM4stodon @dalias
The right to privacy precedes the Internet and is not superceded by technology
Do you *really* want to die on this hill?
-
@divVerent @Em0nM4stodon @dalias @edwiebe the crypto discussion misses the point.
no corporation has went down this way, and that's a deliberate choice of them. countries introduce ID requirements for social media instead of going after corpos for collecting kids' data, and that's a deliberate choice of them.
and they all treat a flat age limit as a solution, as if when someone's 16 and a day it's suddenly okay to hook them up on this digital drug, and that's a deliberate choice of them.
@Yuvalne@433.world @Em0nM4stodon@infosec.exchange @dalias@hachyderm.io @edwiebe@mstdn.ca Well, Google does provide a "ZKP" solution.
But one that verifies that you are holding an ID document. While revealing its content.
Which isn't ZK in the sense that we would need here.
As said, I want a solution that works twofold:
- Legal requirement for parents to not let their children use certain social media platforms except while supervised. Think of this as comparable to movie ratings. If a platform doesn't like its age rating, it can change its feature set (e.g. remove ML-"curated" feeds).
- Voluntary supervision software for use by parents that can block inappropriate social media sites. Minor mandatory support by sites for such software (like a small file indicating what type of service this is, kinda like the old age-de.xml we once had). If parents want to supervise by other means, they can do that as well instead.
- Mandatory support by social media sites to disable tracking when requested by the clients. Said supervision software then shall set that flag, but users can also do that without such software. Sites must never be allowed to pressure users into removing this disablement request and to opt into tracking, which means, they must keep providing service even to users who opt out.
Of course, this solution allows anyone, regardless of age, to opt out of tracking. So it's already totally against anything Big Tech wants. And it's quite possible this solution will lead to the vast majority turning off tracking, which, you know, they really won't like.
And even with my solution care has to be taken to not accidentally reveal the entire birth date, e.g. by a user moving from one age bracket to another on a given day. I thus propose merely using the birth year and to live with some amount of inaccuracy (interpreting it in favor of allowing access, but also in favor of not tracking). -
@dalias These rights and freedoms (where I live) depend on verification of my identity. They don't apply, for example, to non-citizens.
@edwiebe Um, that's a fucked up taked and probably wrong. Even in the US, none of those rights are tied to citizenship or identity, but guaranteed to all persons. Even moreso in a UN sense of rights. But in any case we live in a world where the rule of law has broken down and trying to appeal to "rights" rather than what's right is just going to be surrendering to fascists who think they get to redefine those rights and who has them.
-
@Yuvalne@433.world @Em0nM4stodon@infosec.exchange @dalias@hachyderm.io @edwiebe@mstdn.ca Well, Google does provide a "ZKP" solution.
But one that verifies that you are holding an ID document. While revealing its content.
Which isn't ZK in the sense that we would need here.
As said, I want a solution that works twofold:
- Legal requirement for parents to not let their children use certain social media platforms except while supervised. Think of this as comparable to movie ratings. If a platform doesn't like its age rating, it can change its feature set (e.g. remove ML-"curated" feeds).
- Voluntary supervision software for use by parents that can block inappropriate social media sites. Minor mandatory support by sites for such software (like a small file indicating what type of service this is, kinda like the old age-de.xml we once had). If parents want to supervise by other means, they can do that as well instead.
- Mandatory support by social media sites to disable tracking when requested by the clients. Said supervision software then shall set that flag, but users can also do that without such software. Sites must never be allowed to pressure users into removing this disablement request and to opt into tracking, which means, they must keep providing service even to users who opt out.
Of course, this solution allows anyone, regardless of age, to opt out of tracking. So it's already totally against anything Big Tech wants. And it's quite possible this solution will lead to the vast majority turning off tracking, which, you know, they really won't like.
And even with my solution care has to be taken to not accidentally reveal the entire birth date, e.g. by a user moving from one age bracket to another on a given day. I thus propose merely using the birth year and to live with some amount of inaccuracy (interpreting it in favor of allowing access, but also in favor of not tracking).@divVerent @Yuvalne @Em0nM4stodon @edwiebe "Legal requirement for parents to not let their children use certain social media platforms except while supervised"
This is absolutely evil and immensely harmful to LGBTQ and NNT kids and you should feel bad for even suggesting it. I can't imagine what you'd want done to enforce such a law.
-
@divVerent @Yuvalne @Em0nM4stodon @edwiebe "Legal requirement for parents to not let their children use certain social media platforms except while supervised"
This is absolutely evil and immensely harmful to LGBTQ and NNT kids and you should feel bad for even suggesting it. I can't imagine what you'd want done to enforce such a law.
@dalias@hachyderm.io @Yuvalne@433.world @Em0nM4stodon@infosec.exchange @edwiebe@mstdn.ca And yet this requirement is already law in many countries.
E.g. in Germany, see § 832 BGB and § 171 StGB.
Parents are literally not allowed to let children do anything unsupervised. Just what supervision means is up to them, and can definitely also include methods such as "talking after the fact". -
@Yuvalne @edwiebe @divVerent @Em0nM4stodon No, it is not possible. The ZPK bs is privacy-washing designed to bamboozle policy makers and privacy activists who don't understand math. Either it doesn't actually verify age (I can setup a proxy to hand out age proof verification tokens to anyone who wants them using my identity; I would absolutely do that if it were cryptographically safe) or something exposes to the token providing authority that I'm doing this and allows detection that someone else used my identity (thereby violating my privacy).
@dalias @Yuvalne @edwiebe @divVerent @Em0nM4stodon I think the idea would be to only trust some 3rd parties to respond with ZKP on users' behalfs
