Programming

Who has age authority? A state agency or service. Like the state issues an ID with age.

Preferable, we want the user to interact with a website, that website request age authentication, but not the website to talk to the government, but through the user.

Thus, something/somewhat like

1. State agency issues a certificate to the user
2. User assigns a password to encrypt the user certificate
3. User connects to random website A
4. Random website A creates an age verification request signed to only be resolveable by state agency but sends it to the user
5. User sends the request to a state service with their user certificate for authentication
6. State agency confirms-signs the response
7. User passes the responds along to the random website A

There may be alternative, simpler, or less verbose/complicated alternatives. But I'm sure it would be possible, and I think it lays out how "double-blind"(?) could work.

The random website A does not know the identity or age of the user - only to the degree they requested to verify - and the state agency knows only of a request, not its origin or application - to the degree the request and user pass-along includes.

Sites are just going to ask people 'Are you over 16? (Y/N)'. Site is now legally covered, and that is all anyone cares about.

If the governments would get their shit together, we could have something like age assertion with the eid chips in our IDs. Imagine that. The important thing is that website.com just asks the government "is this user an adult?" And the government replies "yes". No information besides the relevant one is provided, and it's through a trusted authority.

Yeah, not gonna happen, just like using the keys in my Personalausweis to send encrypted mail.

It can't be. The entire concept is a Trojan horse to kill the anonymous internet.

Well Australia will probably so something privacy invading and fascist.

I guess if you want it to be somewhat private you could have some kind of hash or token generated from your identification information. I bet that would be fairly private

You can't.

Age verification is not compatible with any remotely acceptable version of the internet. It's an obscene privacy violation in all cases by definition.

Any implementation short of a webcam watching you while you use the site is less than trivial to bypass with someone else's ID while opening numerous massive tracking/security holes for no reason.

All I can think of are some variations of you trusting a service to validate your id and give you a token that just asserts your id has been validated.

But it's still not really privacy preserving because it relies on trusting both parties to not collaborate against your privacy. if at some point the id provider decides to start keeping records of what tokens were generated from your id, and the service provider tracking what was consumes with that token, then you can still put it all back together.

Not a cryptographic expert by any means but maybe something like this would work. This'd be implemented in common places people shop: supermarkets for instance. You'd go up to customer service and show your ID for visual confirmation only; no records can be created. In return the service rep would give you a list of randomised GUIDs against which the only permissible record can be "has been taken". Each time you need to prove your age you'd feed in one of those GUIDs.

Homomorphic encryption (zero knowledge cryptography) is a known solution to this problem.

https://crypto.stackexchange.com/questions/96232/zkp-prove-that-18-while-hiding-age

Frankly, the only sane option is an "Are you over the age of (whatever is necessary) and willing to view potentially disturbing adult content?" style confirmation.

Anything else is going to become problematic/abusive sooner or later.

Choose the classic "are you 18 or older" dialog. KISS.

My friend has worked with a government to create zero-knowledge proof from IDs. Turns out there's a lot of good software engineered to solve that problem.

The UX is still shit tho

It can't. It requires invasion of privacy to verify information about the individual they don't have the right to access.

Digital age verification goes against privacy. Let's not delude ourselves into thinking it can.

I seem to remember Leisure Suit Larry verified age using trivia questions that only older people would answer correctly. I know this because at 8 years old I guessed enough of them on my father's friends computer to play it.

A joke answer, but with the kernel of truth - IRL age verification often requires a trusted verifier (working under threat of substantial penalty) but often doesn't require that verifier to maintain any documentation on individual verification actions

https://chinwag.au/verification/

If I really had to, I would require everyone to whip out whatever assets of sexual maturity they happen to have, and let the computer analyze it and decide a maturity level.

I would also keep copies for blackmail purposes, because the world is a better place if we all mistrust this solution and anything remotely like it. It'll be in the legal fine print, which I'm confident no one will read.

Every answer (other than "trust the user to self identify") is at least remotely like mine, but I'm proposing we cut out the half-measures on the way.

To avoid personal consequences, the system I architect will probably wait on a dead-man-switch for me to die or be incarcerated.

Then it will publish everything it has ever seen, along with AI generated commentary. I'm confident that some of it will be hilarious, and I am hopeful that it will piss everyone off enough that we stop doing this kind of thing.

in blockchain tech, there's the concept of "zero knowledge proofs", where you can prove having certain information without revealing the info itself

Its possible to implement something that hides your actual age from a website, but the tricky part is hiding what website you're visiting from an identity provider.

Let's walk through a wrong solution to get some fundamentals. If you're familiar with SSO login, a website makes a request token to login the user and makes claims (these request pieces of user information.) One could simply request "is the user older than 18?" And that hides the actual age and user identity.

The problem is how do you hide what website you're going to from the identity provider? In most SSO style logins, you need to know the web page to redirect back to the original site. Thus leaking information about websites you probably don't want to share.

The problem with proposals that focus on the crypto is that they actually have to be implemented using today's browser and HTTP standards to get people to use them.