"Age verification is an impossibility, and an impossibly terrible idea with impossibly vast consequences for privacy and the open web..." - @pluralistic
https://pluralistic.net/2025/08/14/bellovin/#wont-someone-think-of-the-cryptographers
I'm not entirely convinced by this. I think it is possible, but the government has to provide the age verification service. The argument assumes there will be several independent IDPs:
The most insurmountable of these obstacles is getting set up with an IDP in the first place – that is, proving who you are to some agency, but only one such agency
but what if there's only one, and it's the government's own e-ID system? They already know who you are, and there is inherently only one. So if a porn site wants to know if you're >18, they redirect you with that question to the e-ID site, where you log in, and the e-ID site sends back that you are or aren't over 18.
The privacy hole there is that the government will know which porn sites you visit, but I think that can be solved with an anonymising proxy. The porn site knows your porn, your age and the proxy, but not you. The proxy only knows the porn site and the government. The government knows who you are and that a site wanted to know your age, but not which site.
The one remaining privacy hole is if you somehow get access to transaction timestamps from all three to compare. If they store those, which I'm not sure they should, but even if, it should take a warrant for the government to get access to that, and it should be impossible for anyone else.
If someone can shoot holes in this, please do. But if this works, the only way anonymous age verification can work, is if the government provides it. No government has any business demanding age verification without providing the means to do so.
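An added example, not part of any post in this thread: a toy Python model of the site, proxy and e-ID flow proposed above, showing what each party could log and how stored timestamps from the proxy and the e-ID join back into a citizen-to-site link. The party names, sample events, latency value and the `coarsen` step are constructed assumptions, not something the thread specifies.

```python
"""Toy model of the site -> proxy -> e-ID flow; all names and data are constructed."""

BIRTH_YEAR = {"alice": 1990, "bob": 2012, "carol": 1985}  # e-ID registry (constructed)
NOW_YEAR = 2025

def run_checks(events, latency=2):
    """events: (timestamp, citizen, site). Returns what each party could log."""
    site_log, proxy_log, eid_log = [], [], []
    for ts, citizen, site in events:
        # Proxy sees which site asks and forwards the question without naming it.
        proxy_log.append({"ts": ts, "site": site})
        # e-ID sees who logs in and answers yes/no, but not for which site.
        over_18 = NOW_YEAR - BIRTH_YEAR[citizen] >= 18
        eid_log.append({"ts": ts + latency, "citizen": citizen})
        # Site sees only the answer coming back through the proxy.
        site_log.append({"ts": ts + 2 * latency, "site": site, "over_18": over_18})
    return site_log, proxy_log, eid_log

def link_by_time(proxy_log, eid_log, window):
    """Join proxy and e-ID logs on time; keep only unambiguous matches."""
    linked = {}
    for e in eid_log:
        sites = {p["site"] for p in proxy_log if 0 <= e["ts"] - p["ts"] <= window}
        if len(sites) == 1:
            linked.setdefault(e["citizen"], set()).update(sites)
    return linked

def coarsen(log, bucket):
    """Assumed mitigation: store timestamps rounded down to a coarse bucket."""
    return [{**row, "ts": row["ts"] - row["ts"] % bucket} for row in log]

# Constructed sample traffic: (unix-style timestamp, citizen, site)
EVENTS = [(1000, "alice", "site-a.example"),
          (1400, "carol", "site-b.example"),
          (1410, "bob", "site-a.example")]

if __name__ == "__main__":
    site_log, proxy_log, eid_log = run_checks(EVENTS)
    print("precise timestamps:", link_by_time(proxy_log, eid_log, window=5))
    print("hourly buckets:   ",
          link_by_time(coarsen(proxy_log, 3600), coarsen(eid_log, 3600), window=5))
```

With second-level timestamps every citizen is tied to exactly one site; with hourly buckets each e-ID login matches several proxy requests and no unambiguous link remains in this sample.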
-
@mcv @pluralistic @jwcph I don't think it's wise to build this type of system based on how it could operate if everyone involved is acting honorably or even within the confines of the law. The abuse potential is too great.
I believe that hardware tokens will be the only way to actually have privacy-preserving age verification, assuming something like a YubiKey could compute ZKPs. Get carded by a *person*, pick a random token from a basket, scan your fingerprint, and then you may leave.
-
@usernomnomnom @pluralistic @jwcph
That sounds a bit like the direction the EU seems to want to take with this: with an e-ID that lives on your smartphone. I don't know the details, but it feels less anonymous to me. I really want the system to only share the fact that the user is over a certain age limit. A hardware token sounds like it will be reused and therefore traceable.
-
@esoteric_programmer @jwcph Isn't that kind of the point though? Privacy is the enemy of surveillance, and that's the goal of pretty much every government. It was never about protecting anyone.
-
@esoteric_programmer @jwcph There's still time to fight against it, or at least I hope there is.
-
@dangero @jwcph yeah, sure there is. If it passes, a webserver is fundamentally something that speaks https over port 443, a webserver is fundamentally not something that verifies your age and then speaks https. Meaning, well, those of us who care about privacy will have to use more obscure things, like anyone in authoritarian regimes did before us. However, this means that many people who we can't reach and who don't know how this stuff is done will be at a big disadvantage, which is why we must fight as hard as we can.
-
@mcv @pluralistic Shooting - or rather, @pluralistic already did: The internet is global, so... which government? If your idea is something like a physical passport, which you get in your country but other nations also honor, then I would like to point out that there's a colossal difference between a singular document you can carry with you vs. a digital ID floating in cyberspace that you need to deploy dozens & dozens of times every day. Also, it's fairly easy to acquire multiple passports.
-
@jwcph @pluralistic
Applying the “purpose of a system is what it does” rule, one might wonder who benefits from hamstringing the best tool for genuine democracy that was ever invented.
It’s perhaps no coincidence that some of the biggest investors in rolling out these new directions are sovereign funds from Arab countries shocked and threatened by the Arab Spring, and mega-corps with strong anti-union stances, for example.
-
@mcv @pluralistic @jwcph From my pov, I'd rather use a separate thing that doesn't even have the hardware to connect to wifi, Bluetooth, no camera, no microphone, no access to my files etc over an app on my phone that could do a lot more damage if it's malicious. But as of today we haven't seen a good solution for anonymous age verification so your guess is as good as mine
-
@usernomnomnom @mcv @pluralistic You're basically talking about a physical authenticator & I agree, seems much more secure - the problem is it's utterly impractical to identify yourself with such a thing every time you load up a new website, or even sub-page...