1. 64
    What's wrong with EU age verification? (Nothing) blog.vrypan.net
  1.  

    1. 105

      There is a point in this article that I agree with completely and utterly: if you are against age verification in principle, no solution can possibly be good for you. I can confirm it.

      1. 11

        What do you think is the strongest argument in opposition to verifying ages assuming they're done in a completely privacy-preserving way?

        1. 79
          1. slippery slope: today it's age, tomorrow it's citizenship or real name
          2. you need to guarantee that the attestation process is accessible to everyone
          1. 55

            Regarding #1, even before the EU wallet is available, the commission already tried to enable any Relying Party to request any available information from your ID, while also weakening your ability to use pseudonyms (because unlike what the article claims, ZKPs are not "the" EU's approach, they're just a (tacked-on) part).

            And #2 is fundamentally not possible, there are hundreds of thousands of people in Europe (not even counting tourists) who do not have legal documents and who will be denied access to online resources, expression and community as soon as age-based social media bans come in force, placing them in an even more precarious position.

            As an aside, the EU ID wallet also excludes people with a phone OS not sanctioned by Google or Apple. There are of course very few of those, but this is a great way of ensuring it stays this way :)

            1. 32

              And let's not forget people with no phone or not willing to own one. Online access should be human right (in my book) and this means it must be accessibly for even the smallest minority. Also agree with you it must not enforce any specific corporate hardware on anybody. (I think this also holds for the software part -- it can only be a protocol but not a software from your "friendly" government.)

              1. 12

                And technical skill. Who's going to help grandpa access his porn?

                1. 4

                  Or his chats

                2. 3

                  I don't think it's impossible to make it work on OS not sanctioned by Google or Apple, the process fundamentally only collects a signed identity statement from you. This would normally be in your EU ID Wallet, but doesn't have to be. In theory you could also obtain a zip archive with a bunch of the signatures by showing your ID at a post office (this is already an established process in Germany that accepts passports and ID cards of tourists) or possibly even customs and immigraiton endpoints, so you could get them loaded up when you land with your airplane (since all three are usually at airports).

              2. 29

                Echoing chinmay's slippery slope concern: this could be a way to take away more and more freedom from minors. We have a duty of care towards children but this can be very easily confused with a right to control them

                1. 26

                  I think the whole idea that there's certain content no people under 18 should be allowed to access is silly. I don't really care if a 16 year old is watching porn, or a 12 year old is watching some violent movie.

                  If a specific thing is not appropriate for a specific child, then either the child or their guardians should be able to spot that and look for something else instead. I think it's better to focus on giving people (including children) the tools they need to make that decision instead. This is already how movie ratings work (at least in the UK).

                  This also avoids (or at least lessens) the obvious power of governments to use this for censorship. The existence of trans people like me is often considered an inherently 'adult' topic - If laws like this were in place when I was growing up, I would've spent even longer without any community or understanding of myself.

                  1. 24

                    In my opinion, all people who are entitled to verifying my age can do it by other, more physical means. Same applies to every other person on the planet. I simply don't accept that random nobody out there is entitled to know my personal data. I prefer others not being completely sure that I am not a dog.

                    1. 10

                      A structure described as zero knowledge seems to prevent anybody from knowing anything except "this dog is reliably over 18"

                      1. 32

                        Which is exactly one piece of information more then they ought to have.

                        There is a common trope in fantasy: knowing demon's name allows one to command that demon. While demons don't really exist, this trope is so popular because it reflects one of fundamental principles of our society: infotmation translates into control. The more information about yourself you provide, the more control over yourself you allow, and the less control over yourself you retain. While knowledge of your age doesn't really provide a lot of leverage over you, the general approach should be the same as with all other information: before sharing it you need to decide whether you really need to provide it, whether the recipient really needs it and whether they can really be trusted with keeping it private.

                        1. 2

                          By the tortured logic of 'information translates into control', marketing agencies control all of society lol. This just doesn't hold up to even basic scrutiny

                          1. 15

                            Given this proposal seems to have been the result of $2 bn worth of Meta lobbying, Meta being one of the big players in online advertisement and marketing (along with Google), is it really so far fetched?

                            1. -4

                              lobbying is done with money, not with information, hope this helps.

                              1. 8

                                And what would you say the value of that information is, given that it justifies $2bn in lobbying spend?

                                1. -3

                                  The plumbing industry in the US generates nearly $200b in revenue annually. The amount of Control they have over Society is just despicable. They even have Information about what kinds of pipes people have in their house so it's like a double whammy

                                  1. 5

                                    Sorry, I missed something. How much is the plumbing industry spending on lobbying for the ability to catalogue the pipes in my house?

                                    1. 0

                                      They have the information, they have the control.

                        2. 29

                          Zero-knowledge architectures do not work in the presence of collusion between the parties providing and verifying the zero-knowledge attestations. And that’s a huge problem because there’s an enormous financial incentive to try to link this information to other things.

                          As people have pointed out elsewhere, that one-bit signal is also enough to get someone’s date of birth if you get multiple attempts. Were you over 18 yesterday? No? What about today? Yes? Okay, now I know your date of birth.

                          If I know your date of birth and electoral roll (public) for the area with your GeoIP, I can probably get your legal name. If I can’t, one or more other pieces of data should be enough.

                          1. 4

                            Isn't it possible in theory (and done in practice too?) to have zero-knowledge age verification that's also not linked with an identity, so that "you were not 18 yesterday", and "you are 18 today" is not something that you can actually make use of?

                            1. 4

                              Only if you're accessing a site that doesn't create accounts, and those are largely out of scope.

                              1. 3

                                If you mean that a site where you created an account at 16, knows that today you are over 18, yes, this is a problem. Tbf, a site that you have been using for years can probably know a lot more: how you moved from city A to city B, how during the summer you access it from location C, not to mention your interactions with the site itself.

                                I don't deny that "you were not 18 yesterday, you are today", is an additional signal (but it may also mean, only today you decided to provide proof of age), but I consider it a minor one for any service you use with an account.

                                1. 4

                                  Even without an account, any site that leaves a tracking cookie can get this signal. And any site that ties the attestations to residential households can get a signal that someone in the house has become 18. If you're in a single-child house, being the person who is under 18 on that IP is unique information.

                      2. 21

                        Twofold (nb, I'm in the US, not the EU):

                        1. There is no "completely privacy-preserving way". I don't care about this slippery slope, I care about the privacy problems that are introduced immediately.
                        2. Age-gating porn is one thing. But that is the slippery slope, because bad faith actors can say "porn == sex == anything sexual == anything mentioning non-heteronormative relationships". And this is one of those slippery slopes that has already, repeatedly, in so many ways, slipped. Speaking as somebody who is not a libertarian, this is a severe liberty hazard.
                        1. 3

                          I honestly hear this. One of the few concerns shared here that I actually relate to.

                          That said, let's see the maximum harm done, in case of abuse of power:

                          • people < 18 may be deprived of getting access to material that many of us agree it should not be out of their reach, like art including nude, or non-heteronormative relationships.
                          • no impact on anyone > 18.

                          Not great, but not disastrous, either (compared to "the government knows every site everyone visits" for example, or even "my 13-year old has been exposed to things that have given him a twisted view of what sex is, before he even had it", or "my kid does not dare to go out because she thinks she is ugly", etc)

                          Eventually however, you have to take into consideration the social and cultural context. Many EU laws would not work in the US, many US laws would not work in EU. Not to mention other parts of the world. Different sites would be age-restricted if the same framework was applied in Iran, EU, or US.

                          1. 12

                            Eventually however, you have to take into consideration the social and cultural context.

                            Once the mechanism is available, it will be available everywhere, so it can be abused somewhere. And I think people are really not so different across countries. (To answer what you said in a reply to one of my other posts, this is why I care about this, even though I'm in the US.) Abuse of power, from national governments to parents, exists everywhere. There are children everywhere who need resources that aren't available locally, including resources that their parents and local authorities don't want them to have. The Internet has been great for providing access to such things regardless of age or location. If some level of harm has to come with that, maybe that's just the way it has to be. I think the worst of the harms -- addiction loops, gambling mechanics, and algorithmic radicalization -- should be regulated independently of age.

                            1. 10

                              Not great, but not disastrous, either

                              I disagree. Children are people. If we created a mechanism to gatekeep elderly people or disabled people from participating in some part of society, citing that "this is good for them", people would be rightfully outraged

                              1. 7

                                What technical measures are you imagining that would restrict this technology from blocking access to those under 18? Why not 27, or 98?

                                1. 6

                                  Not great, but not disastrous, either (compared to "the government knows every site everyone visits" for example, or even "my 13-year old has been exposed to things that have given him a twisted view of what sex is, before he even had it", or "my kid does not dare to go out because she thinks she is ugly", etc)

                                  To me it seems exactly the same as your last two examples. All three are about giving children a distorted view of society that in turn distorts their view of themselves. I would argue queer children are in fact more vulnerable in this case due to their already being a marginalised group.

                              2. 17

                                It's very simple. Age verification introduces centralized control gates everywhere on the internet. These gates control who can talk to whom, and when. Even if they are perfectly privacy-preserving, they turn the right to communicate into the privilege of having a centrally issued access token to communicate. In other words, they turn citizens who enjoy constitutional rights into serfs who are conditionally granted privileges. By whom, you might ask? By whoever is in power. That could be a person or party that wants you dead because you have the wrong gender, sexuality, religion, or political views. There is plenty of prior art in authoritarian and fascist regimes that illustrates how dangerous such information control is. Nothing more needs to be said about this because the problem is so clear-cut.

                                1. 10

                                  Personally I collaborated with a lot of people that I met on forums when I was a teenager, and it made a massive impact on me and I learnt a ton.

                                  Many teenagers who are bullied or suppressed go to social media to find refuge, and in a lot of cases they find it there and it may help them feel less lonely and find the support they need.

                                  1. 9

                                    What do you think is the strongest argument in opposition to verifying ages assuming they're done in a completely privacy-preserving way?

                                    We already have age verification for these websites. There's a banner asking you if you're an adult. Isn't that enough?

                                    Pushing the identification at the device level doesn't solve the problem of a kid lying. They'll find ways to circumvent all that, what then?

                                    1. 13

                                      Kids find ways. That's part of growing up. We all did as kids things that our parents did not allows to do. We stayed up when we were supposed to be asleep. We watched an adult movie at a friend's house. We sneaked out when we were supposed to be at home.

                                      But friction is important. It's different when a teenager mages to seek out once, vs not having any curfew.

                                      So, yes, kids find ways to bypass parental controls, and screen time, and they will find ways to bypass age verification, but drawing the line and adding considerable friction is important and makes a difference.

                                    2. 9
                                      1. Turnkey totalitarianism risk increases with the lowering number of players one has to capture. Age verification requirements open the slippery slope.
                                      2. This is fundamentally something parents have to sort out with locked down devices. If you really want a nanny state make it illegal to give a non-locked down device (not yet in the market, but could come with demand!) to your kid instead of mandating an internet lockdown. Shifting the burden onto the entire population imposes unacceptable costs and constraints on adults to compensate for failures of parental supervision.
                                      1. 9

                                        Why do you think ages are the only thing you'd want to verify? Now that we're building the technical infrastructure, can you think of any attributes that a government may want to use to control what sites you are allowed to visit?

                                        1. 1

                                          Citizenship for online voting?

                                          1. 8

                                            Gender, if you happen to be a repressive theocracy? Or maybe there are simply sites that contradict the desired government narrative, and then your existence is a sufficient attribute.

                                        2. 2

                                          Regulating social networks instead.

                                          1. 2

                                            If you regulate the social network requiring it to have age verification then it'll implement something really stupid like "upload your government ID to us don't worry it's safe"

                                            1. 2

                                              You regulate the content on the social network, and penalize the social network on failures to police itself or the algorithms. Like it has been done with other mediums in the past.

                                          2. [Comment removed by author]

                                          3. 5

                                            I'm against not having age verification in principle, but I still don't think that all solutions are good.

                                            This EU thing seems to be good, though. I kinda hope it becomes mandatory ASAP but also recognize that for practical reasons that might not happen.

                                          4. 80

                                            The blog post justifies all of this with online spaces that harm people via manipulation, addiction loops, gambling mechanics, grooming, harassment, algorithmic radicalization, which the blog post itself admits are harmful to adults.

                                            I do not understand how trying to exclude teenagers from the subset of spaces that you can control via legislation among the spaces potentially exhibiting some of these characteristics, using age as a proxy for their likelihood of being harmed there, denying them community and resources (particularly important to already vulnerable groups, such as queer adolescents) and/or pushing them towards spaces that evade your control is any better than… legislating against these harmful behaviors and thereby helping everybody?

                                            It's great when a blog starts with a false dichotomy after calling any criticism "uninformed or deliberately misleading"…

                                            1. 27

                                              pushing them towards spaces that evade your control is any better than…

                                              I think such spaces will largely cease to exist with ISP-level blocks, age verification for VPNs, etc.

                                              My annoyance with the whole age verification discussion/introduction is that almost nobody talks of the root cause: companies run by tech feudalists that make kids (and adults) addicted by continuous dopamine shots. IMO, rather than introducing age verifications, algorithmic-driven feeds that are optimized for addiction (Youtube Shorts, Tiktok, Facebook, etc.) should be outlawed. They are harmful to both kids and adults and rip apart the fabric of democracy by mainstreaming lies, fakes, inciting polarization, etc.

                                              We should stop allowing people to make billions by destroying society.

                                              1. 6

                                                This! It looks like the problem is now to big to ignore for politics and now they must do something. And this means signaling action towards the problem. But as always in this game to really change the established root cause is to "radical" (or seems impossible, unthinkable, etc.). Whom ever actually try to change this will commit political suicide and they know it. So to enforce new rules is much easier then forbid the status quo. Signaling action by imposing sanctions to a small minority group (which also cannot vote) is a good move if you play politics..

                                                1. 2

                                                  I think the EU doesn't want to do that out of fear of how the US will react. They're already angry about this entire "digital sovereignty" thing.

                                                2. 8

                                                  We can't ban everything that might be harmful. As a society, we accept that adults should be able to able to make their own choices, most of the time.

                                                  Let's take gambling or alcohol as an example. In my country (Norway), the government may try to dissuade you from harmful activities by taxing it more, and making it more inconvenient. But the government also funds services aimed at helping those who struggle. If they had instead banned it entirely, it would have caused outrage and shifted it to illegal markets.

                                                  So, we generally allow adults to choose for themselves, even though some of them may be subjected to harm. Kids on the other hand: the society generally accepts that children isn't fully developed and must be protected from their own harmful choices (they're allowed to decide more, and thus get some minor harm, the older they get). That's why children can't buy alcohol or even scratch lottery tickets in the physical world.

                                                  I recognize that some of the online world should probably be better regulated for everyone, including adults. But I also think that some parts should be off limits to children, while at the same time would be outrageous to ban for adults.

                                                  1. 25

                                                    Kids on the other hand: the society generally accepts that children isn't fully developed and must be protected from their own harmful choices

                                                    Sure, but who decides what is harmful? Parents? The government? What happens if the two disagree?

                                                    The example of queer content / support groups online is a good one to illustrate the point, I think -- lots of parents in the UK are unsupportive (or worse) if their children come out as transgender. With pervasive age verification, the online spaces those children would use to access resources on transition and community would be blocked off, and those children would probably die instead. (and the sorts of people pushing age verification, at least in our country, would probably rejoice at it...)

                                                    Most of the examples of serious online harm that are pushed as an example for why age verification should be a thing are either already illegal, or are hosted in jurisdictions that don't care about your laws anyway. And more mundane shit like "the kids are spending too long doomscrolling on tiktok" is a combination of a parenting problem and a failure of governments to effectively regulate social media platforms. But age verification looks on the surface of it to be easier than fixing both of those things, and it'll also do a bunch of harm to marginalised communities, so...

                                                    1. 2

                                                      Age verification would allow adults to use the Internet, not prohibit them from using it.

                                                    2. 2

                                                      "uninformed or deliberately misleading" refers to saying or implying that age verification will be done by presenting some kind of identity document, the same way KYC-requirements are satisfied today. Very few articles describe the technology used in each case, and the technical solutions between EU, UK, and various US states are quite different.

                                                    3. 46

                                                      Just a thought: What if we made online platforms liable for harm to the people? What if they were responsible for all the hate, misogyny, and radicalization?

                                                      If the platforms stopped hosting all of the content, if they stopped optimizing for engagement/rate bait to maximize clicks and ad engagement - maybe the internet wouldn’t be so fucking harmful for people out there (not just kids. Everyone.)

                                                      1. 12

                                                        If we made online platforms liable for users' harms, all small, non-profit social spaces, including this one, would disappear in a year or two. The US's Section 230 protects independent communities because it "creat[es] broad immunity that allows the early dismissal of many legal claims" rather than being a defense subject to ruinous, draining litigation. If every coffeshop was liable for harm done on its premises, dumped lovers would bankrupt everything smaller than Starbucks. You would see less harm in the same way that paving over a playlot results in fewer injured children.

                                                        1. 2

                                                          If we made online platforms liable for users' harms

                                                          I think there is a difference between:

                                                          • "liable for [any] users' harms"
                                                          • "liable for [consistent, massive] users' harms"

                                                          I am consistently disappointed to hear/read people concluding that "f(x)" is an inconceivable solution to a problem because when x is very large bad things happen. Just put boundaries on x then and see things get better. Obviously this is a simple metaphor, but I think it gets the point across.

                                                          I think more broadly, people should start accepting that imperfect solutions are valid when not doing anything is clearly worse.

                                                          1. 1

                                                            Yeah, it’s true that I wouldn’t want this to happen. My thinking was mostly derived from a European perspective, where people don’t sue "all the time" and there’s more onus on the accusing side.

                                                            I don’t think it would immediately have to result in this kind of situation you’re describing (and we both don’t want). I don’t want to debug legal ideas in lobste.rs threads, but I could envision different rules depending om platform size and media types (text forum vs images vs videos…).

                                                            1. 2

                                                              I don't think it matters whether the liability would be enforced by private action or regulators, the destruction would be the same.

                                                          2. 6

                                                            What if we made online platforms liable for harm to the people?

                                                            Online platforms have carve-outs for liability, e.g. Section 230 of the Communications Decency Act of 1996 in the US (and similar elsewhere, but that one is the blue print many of the others are based on.)

                                                            It might be useful to reconsider what constitutes such a platform: The idea is that because they're merely providing user generated content, they're not responsible - as long as they delete harmful stuff once they're told about it.

                                                            Is that still the case when their feed algorithms decide what is shown? I'd say that an editorial decision like that (no matter if made by a person or an algorithm) should come with editorial responsibilities, too.

                                                            1. 39

                                                              Section 230 was based on common carrier laws. These made sense: the postal service is not liable for the contents of parcels it carries. If you send illegal drugs via the post, you are 100% liable, not the post office. The same applies to the telephone network. If you plan a terrorist act over the phone, the phone company cannot be charged as a conspirator.

                                                              Common carrier liability exemption comes with a legal requirement that you must be neutral. You must carry any parcel / message / whatever without reference to its content. You may not prioritise messages based on content (you can charge more for heavier parcels or for faster delivery, but you must make those charges uniform).

                                                              I am completely happy with the common carrier rules.

                                                              But the ad platforms like Facebook and X are not common carriers. They are publishers. They choose what to amplify. They block people who have not violated any law. They should be liable for any illegal or harmful content that they distribute.

                                                              1. 10

                                                                But the ad platforms like Facebook and X are not common carriers. They are publishers. They choose what to amplify. They block people who have not violated any law. They should be liable for any illegal or harmful content that they distribute.

                                                                That's what I'm saying. The feed is on them, but they hide behind "that counter-point to the anti-democratic deluge we're putting in front of everybody is just as accessible - if you know and bother to access it directly" to pretend that they're still common carriers. Hitchhiker's Guide, basement, leopard, something something.

                                                                1. 9

                                                                  I don't think it's correct that Section 320 was based on common carrier laws. I haven't seen it in what I've read of the contemporary debates or records like Kosoff's. The Telecommunications Act of 1996 that included Section 230 classified the internet as a Title I "information services" rather than a Title II "common carrier services". The reclassification didn't start until the FCC's Open Internet Order in 2015.

                                                                  The explicit goal of 230 was to avoid the consequences of Stratton Oakmont that held Prodigy liable for user content because they had moderated. You can read it in the Congressional Record at the introduction of the Cox-Wyden amendment that became Section 320. It is very specific and prescient:

                                                                  The court said, ``No, no, no, no, you are different; you are different than CompuServe because you are a family-friendly network. You advertise yourself as such. You employ screening and blocking software that keeps obscenity off of your network. You have people who are hired to exercise an emergency delete function to keep that kind of material away from your subscribers. You don't permit nudity on your system. You have content guidelines. You, therefore, are going to face higher, stricker liability because you tried to exercise some control over offensive material.

                                                                  This description is the exact same argument @freddyb posted (and I replied to). If liability is imposed on internet communities as advocated, expect any surviving American internet communities to be bleached of any topic or opinion considered too complex or inappropriate for a preschooler in the most socially restrictive social group of the country.

                                                                  1. 5

                                                                    But the solution there is not to repeal Section 230, but to improve it. Yes, repealing Section 230 would allow us to hold Meta, Twitter, YouTube, etc. liable, but it would harm everything else - including the sites we're discussing this on!

                                                                    1. 2

                                                                      It only needs to be applied: Just reconsider if Facebook, Instagram, X, YouTube, ... are platforms or, simply by virtue of their editorial decisions, publishers.

                                                                      The platform part can remain protected as platform as usual. The algorithm doing the "publishing" (i.e. front page, personalized feed, ads etc) and its output? Editorial control → editorial responsibility.

                                                                    2. 3

                                                                      I don't even really know where to start with how much is wrong in this post.

                                                                      No, Section 230 is not based on common carrier laws. Section 230 is based on an extremely broad conception of the 1st Amendment to the US Constitution, and on a strain of legal thinking that is repulsed by the idea that people might be punished for speech.

                                                                      No, Section 230 does not care about "platform" versus "publisher" distinctions. Section 230 does not require that a site or service be neutral. Section 230 does not require that it be unbiased. Section 230 does not require that it be fair. Section 230 does not require that it be consistent. Section 230 does not even require that they try to do any of these things.

                                                                      If I wanted to set up a forum and openly arbitrarily ban anyone or remove any post I don't like, at any time, for any reason including my inconsistent personal whim and mood at the moment, I would absolutely not be acting like a common carrier, but I absolutely would be protected by Section 230.

                                                                      And that ultimately is the backbone of much of what we now take for granted about the internet. Without it, sites like this one simply would not exist, because the existence of moderation rules on this site would, under the prior Prodigy precedent, make the site be potentially legally liable for the contents of any posts the moderators choose to leave up, and the only safe way to play that game is not to leave up any posts at all.

                                                                  2. 3

                                                                    This is a debate that has been going on for a long time over section 230 in the US. In short, the has US opted to treat online platforms as neutral carriers, like a phone company, rather than as publishers like a newspaper. If a newspaper publishes a libelous article, they are legally responsible for it because they have exercised editorial control. On the other hand, if a person says something slanderous over a phone line, we don't hold the phone company legally responsible because they are a neutral carrier, they just get your sound waves from here to there, they don't have editorial control. Treating the internet and online discussion boards as neutral carriers rather than publishers was one of the key factors that enabled forums and social networking sites to exist in the first place without the fear of being sued into oblivion for something a random member did before a mod got around to banning them.

                                                                    Particularly for large platforms like YouTube, Facebook, Instagram, etc, it is logistically impossible to have a human vet every comment or private message or video. So the only feasible path forward if you held them liable for users' content on the platform would be to move away from an open internet with user content and towards a smaller number of vetted content producers and mass automated censorship, which would still not be adequate to prevent people from circumventing it or drawing people off-platform to be further radicalized.

                                                                    The one area where I think the legal framework of "neutral carrier" is a bit less plausible is algorithmic content promotion. We know that companies with recommendation algorithms are doing a lot of subjective judgement calls about which content they want to promote and which content they want to bury. A Facebook feed that displays your friends' posts in chronological order is acting as a neutral carrier. A feed that uses a carefully designed algorithm that selectively promotes one political viewpoint over another or even one emotional vibe over another is starting to look a lot more like a publisher with editorial control than a neutral carrier.

                                                                    1. 3

                                                                      They should be. I think that you only have social media platforms in mind.

                                                                      There are online services and platforms that are not illegal, they just aren't suitable for kids. Betting sites for example. Or content that is just not appropriate for a 9 years old. There are many cases where as a parent you have to say, "no, this is not for you yet", and more and more of these cases are online in the last decade.

                                                                      1. 20

                                                                        content that is just not appropriate for a 9 years old

                                                                        And who's going to decide what that is? The parents, who might be against the child's sexual orientation for completely invalid reasons? The politicians, who represent the parents more than they represent the kids? A 9-year-old LGBTQ kid should be able to find relevant content regardless of what their parents think. The Internet is possibly the best tool we've yet invented for liberating kids from their parents and other local authorities (self-appointed religious authorities for example). Let's not take that away from future generations.

                                                                        1. 2

                                                                          While I agree with your goals, I don't think I agree with your points. You are asking the question but it needs an answer! Who will decide what is good for the kids when they cannot do that for themselves yet? You seem to suggest that the answer is "nobody" but while I have no references, I am pretty sure that is scientifically wrong.

                                                                          1. 17

                                                                            Since no authority can be reliably trusted to decide what's good for kids, I think I'm willing to accept some harm in order to ensure that marginalized kids find what they need. But let's kill the worst of the harms, for everyone: the addiction loops, gambling mechanics, and algorithmic radicalization.

                                                                            1. 3

                                                                              In EU countries, we generally agree that there are authorities that decide if our kids are fed properly, if they go to school as the law demands, if they are neglected, at what age they can drive, and buy tobacco, if they are allowed to carry guns, and many other things.

                                                                              Maybe where you live is different, but remember, this is an EU directive, and it only applies to EU, so it probably doesn't affect you.

                                                                              1. 4

                                                                                The EU "cookie law" affected my experience of basically every commercial website I go to. That is a minor annoyance; restricting traffic has much graver consequences and therefore demands much higher (IMO, insurmountable) standards.

                                                                            2. 3

                                                                              "scientifically" wrong? This is a question of ethics not science.

                                                                              1. 0

                                                                                I meant the question of what is better for the child, which should have a scientific answer.

                                                                                1. 3

                                                                                  Same difference. Science cannot answer questions about what is "better" for anyone.

                                                                                  1. 0

                                                                                    True, like smoking, not everybody dies of cancer and some people really enjoy it. So clearly, for some people smoking is a net positive and science cannot answer the question for whom.

                                                                                    1. 4

                                                                                      And this is why we should ban harmful things like smoking and pastries.

                                                                            3. -3

                                                                              A 9-year-old LGBTQ kid should be able to find relevant content regardless of what their parents think.

                                                                              No, they definitely should not.

                                                                              1. 12

                                                                                Different scenario then: A child suffering from physical abuse at home should be able to find resources on how to safely get out of that situation.

                                                                                1. 2

                                                                                  That's the type of service that requires no age verification by definition, isn't it?

                                                                                  1. 10

                                                                                    One would think so. But then, giving kids such ideas could deprive "authorities" (such as parents) their God™ Given Right to exert discipline (behind closed doors), so who knows what happens when the 39% (to pick a number from a 2020 US study) "who had positive attitudes toward physical punishment" get in charge…

                                                                                    1. 2

                                                                                      Good thing that it's not up to their parents in this case. Any decent country (and I would argue EU countries, with all their faults are decent) would make ensure that these types of online services and resources are not age limited.

                                                                                      I would bet that ALL EU countries already have phone lines where a kid can call and get help from experts, no questions asked.

                                                                                      1. 7

                                                                                        Decent countries do not always stay that way. Germany's unfortunately up and coming fascist Afd party is explicitly against children's rights.

                                                                                        One should consider what bad future governments can do with a given technology.

                                                                                    2. 1

                                                                                      By who's definition?

                                                                                      Keep in mind that this infrastructure is usable by anyone, not just people who think like you. Do you trust the definitions that Afghanistan would come up with? China? Pakistan? North Korea? America? Pick any other actor you want here.

                                                                                      1. 1

                                                                                        It's an EU directive, applied to EU. Neither Iran, nor Afghanistan would like to implement something that gives so many protections to users, anyway.

                                                                                        1. 6

                                                                                          Never mind Iran or Afghanistan, how comfortable do you feel about Poland and Hungary?

                                                                                          1. 3

                                                                                            Can you explain what technical measures prevent these countries from demanding that the infrastructure built here is not used in their context?

                                                                                            Realize that it's a lot easier to get someone to flip a switch than it is to get them to spend months to years building infrastructure.

                                                                                2. 8

                                                                                  Well, a betting site requires you to pay money or connect a payment system upfront using a working bank account. I would guess that's a great age verification tool right there.

                                                                                  1. 3

                                                                                    Gambling also takes the form of in-game purchases like loot boxes.

                                                                                  2. 2

                                                                                    There's a difference between the parents saying it and some random enforcement mechanism that sends data to whomever.

                                                                                    Compliant sites can already provide guidance via https://rtalabel.org/ and have "parental control" enabled devices enforce it. Non-compliant sites¹ wouldn't bother collecting age information anyway.

                                                                                    There used to be more fine-grained schemas for age / audience appropriateness, but they languished. Could still be brought up again: have the data tell who is supposed to read it, then make the client make the decision.

                                                                                    ¹ since you brought up betting sites: gambling is huge on the "ignore the rules" side of business

                                                                                    1. 4
                                                                                      1. Most parents if not all, are even less aware. If you have teenage kids, you know that (if you're lucky, and if you're capable, and if you do have a good relationship with your kids) you have to learn about a lot of online "dangers" that never crossed your mind before.

                                                                                      2. This is the equivalent to saying that in the physical world, just label it ALCOHOL, ADDICTIVE, TOBACCO, and leave it up to the parents to decide if their kid is allowed to buy it. Parents have a huge responsibility, but they also need help.

                                                                                      3. If you check the EU blueprint, thy mention other, more fine grained attestations, but this out of the focus of my post.

                                                                                      4. Yes, betting sites have huge incentives to ignore legislation. This doesn't mean we don't have to add friction. The usual argument (which I also support) is that adding some friction by introducing huge privacy risks is not worth it. But it seems that in this case, privacy risks are very low to zero.

                                                                                      1. 6

                                                                                        This is the equivalent to saying that in the physical world, just label it ALCOHOL, ADDICTIVE, TOBACCO, and leave it up to the parents to decide if their kid is allowed to buy it. Parents have a huge responsibility, but they also need help.

                                                                                        There are a few crucial differences between "physical" and "digital". The biggest for this question: in the physical world, "move" is free and "copy" is not while in the digital world, it's exactly the other way around ("move" is typically "copy + delete"). This means that when I present data in the physical world, the inspector (e.g. the cashier in the store that checks if I'm old enough to buy alcohol) would have to go through extra trouble to note down the information they received, while on a website, they have to go through extra trouble to "forget" the same information.

                                                                                        Yes, betting sites have huge incentives to ignore legislation. This doesn't mean we don't have to add friction. The usual argument (which I also support) is that adding some friction by introducing huge privacy risks is not worth it. But it seems that in this case, privacy risks are very low to zero.

                                                                                        The accessibility risk remains rather high, though. Your "digital" example starts out with "An authorized issuer verifies your age once and issues a signed credential:"

                                                                                        Well… What happens if they don't?

                                                                                        1. 2

                                                                                          Well… What happens if they don't?

                                                                                          If your local government refuses to give you a certificate you are entitled to get, then there are laws, and at least you know who to shout at.

                                                                                          What you describe is not much different than saying "and what happens if they refuse to give me a driver's license" in order to argue that anyone should be allowed to drive without a license. I respect if you believe there should be no government at all. That's practically what the intro says "If you think age verification should not exist at all", the rest of the discussion is pointless.

                                                                                          1. 10

                                                                                            If your local government refuses to give you a certificate you are entitled to get, then there are laws, and at least you know who to shout at.

                                                                                            The German government recently proudly announced some driver's license app. It only works on "verified" devices, and they see no reason to change it.

                                                                                            Now, that's not a problem for driver's licenses, as long as the default is the plastic card thingy. But a friend of mine has an unlocked smartphone. I don't have a smartphone at all.

                                                                                            At 90% (or 95%, or 99%, doesn't matter) market penetration, they might well decide that having the app on your phone, talking to the car via NFC ought to be mandatory to track that only authorized folks can drive a car. For safety.

                                                                                            But what they really enforce is that you have a contract with Apple or Google.

                                                                                            A big problem in all that is that the politicians who drive such initiatives aren't exactly digitally literate. And as long as digitally illiterate busybodies like v.d.Leyen have a chance to perculate up the political food chain (she's big on the "think of the children" arguments and infamous for making a mess with her insistence that things go her way), I'm not interested in them having any say on how computing is supposed to work.

                                                                                        2. 2

                                                                                          Separate reply for separate tangent: Websites can set up labels that aid parental control systems, and your claim is that this doesn't work because "most parents are not aware."

                                                                                          So you're assuming that kids will get devices that are, in some way, running an adult account, and not using Apple's Parental Controls, Google's Family Link, Microsoft's Family Safety or any other such mechanism.

                                                                                          What makes you think that these "unaware parents" won't just add their "I'm an adult" credentials to the account to make any complaints go away, either (or reuse their personal adult account on the kid's device. Or share the device, with no account separation - both of which amount to the exact same outcome)?

                                                                                          But as soon as they set up a "kids account" (and some systems are really pointing in that direction, e.g. ChromeOS: https://i.dell.com/sites/csimages/App-Merchandizing_esupport_flatcontent_Images/all/choose-chromeos-setup.png) , the system can do enforcement locally, no fancy data transfer required.

                                                                                          Basically you're arguing that parents are both too naïve to set up protections for their kids and savvy enough to set things up correctly for the age verification to verify their kids and not themselves.

                                                                                          1. 2

                                                                                            Sure, you can do this. Every approach has its pros and cons.

                                                                                            I would love to see a comparison table between an attestation-based solution and a device-based solution.

                                                                                            One thing that I consider important is that a device-based solution depends on any OS working according to some guidelines, which favors the big established ones, both on mobile and desktop. An attestation-based solution places little to no burden on the OS and apps, which I prefer for various reasons.

                                                                                            1. 4

                                                                                              One thing that I consider important is that a device-based solution depends on any OS working according to some guidelines, which favors the big established ones, both on mobile and desktop. An attestation-based solution places little to no burden on the OS and apps, which I prefer for various reasons.

                                                                                              Attestation-based solutions depend on the attester trusting your OS and app, and they will be content supporting a "some-9s" amount of platforms and ignore the rest.

                                                                                              Device based solutions depend on the parent making a choice that suits their parenting style, with the default options (that tech-illiterate parents would gravitate to) offering robust configurations out of the box.

                                                                                              For that reason I kinda suspect (with anecdotes supporting my suspicion) that building client-side restrictions places fewer burdens than having to appease some semi-central authority that has no interest in talking with you.

                                                                                    2. 3

                                                                                      You'd still have to get the US on board, which seems unlikely. Or if you try blocking the harm that comes from the US, you get threatened with tariffs or abducted or something. Not to say it's not worth trying, but such a complex problem needs to be attacked from multiple directions.

                                                                                    3. 32

                                                                                      If you think age verification should not exist at all, the technical details won't matter to you. No implementation will be acceptable, because the objection is to age gates themselves, not to any particular mechanism.

                                                                                      Ah, see, but I reject it on principle because I don't believe there can be an appropriate technical solution. It also pushes the onus of content regulation even further onto the consumer when many of the harms of the internet are targeting everyone, not just children. Attestation is great, provided everyone is documented, always with access to those documents, with devices considered "sufficiently secure" to process that attestation, accessing websites deemed acceptable to use that attestation, and sufficient education to understand when a request for that document is legitimate. Any technical solution that we normalise will be abused by tech companies and scammers simply because they have done so in the past without real consequences for them doing so, and will be abused by lobbyists to narrow the range of "acceptable" services and devices.

                                                                                      1. 7

                                                                                        I run my own operating systems with custom patches. Will these be "sufficiently secure" for me to participate in society?

                                                                                        1. 4

                                                                                          See: GrapheneOS troubles with Play Store attestation (in short: "no chance")

                                                                                      2. 29

                                                                                        A 9-, 10-, or 14-year-old is not ready to wander the open internet without limits.

                                                                                        We should not withhold from future generations the best parts of the childhood and adolescence that many of us had, that brought many of us to where we are now. I wandered a local BBS (that was connected to other BBSes via FIDOnet-like networks) without limits starting at age 12 (in 1993), and the 1995 open Internet without limits starting at age 14. And I might have started the former sooner if my mother had bought a PC with a modem sooner. So let's kill the addiction loops, gambling mechanics, and algorithmic radicalization, for everyone, and make the good parts of the Internet available to everyone without restriction, so future generations can have better than what we had.

                                                                                        1. 2

                                                                                          Are you saying we should have an internet for kids? Because I am here for it.

                                                                                          1. 23

                                                                                            Not a separate Internet for kids. Instead, we should get back to when the Internet was safe for kids, before the addiction loops, gambling mechanics, and algorithmic radicalization, and then move forward from there to give future generations something better than most of us had: access to the full, global Internet, with content that some people only think is safe for adults but without the harmful things I listed above, on fully unlocked general-purpose personal computers, much earlier than most of us had these things.

                                                                                        2. 41

                                                                                          You can’t slap cryptography over it and make it safe. Every single “think of the children” proposal knows “even kids who steal their parent’s id”, and so requires websites to record photos. Note, the wording may be something like “do image recognition to verify the owner”, and there’s nothing about recording anything in that. Until you get sued with a claim that you aren’t verifying or your verification was bad, in which case you have records.

                                                                                          There are things that you can do, but that isn’t the point. Censorship works in two ways: sites having to ID you so that you can be tracked is one, but the other is “make it too expensive/risky to have the site at all”.

                                                                                          See homophobes with the “protect the children” garbage.

                                                                                          • The ID requirement makes it hard/impossible for children to access content that says anything other than they are diseased criminals
                                                                                          • Running a site now means you need to be able to afford the security to recorded the information to defend yourself, also to afford the lawsuits saying you’re not adequately censoring

                                                                                          An argument based on maths that fails to handle “a user must prove that the id being presented is there’s”. Is skipping the single most important step in the entire process.

                                                                                          1. 19

                                                                                            I am over 18. Can I get one of these ids and then sign whatever requests I feel like? If so, the scheme is privacy-preserving but ineffectual.

                                                                                            1. 9

                                                                                              On a macro scale I think the necessary activation energy of "I need to bother my older sibling to set up a tiktok account" would still meaningfully reduce usage. Enough to warrant all the other negatives that come with this? Well, probably not.

                                                                                              1. 6

                                                                                                They don't need an older sibling. Just someone or some service online who is willing to anonymously sign whatever they receive automatically.

                                                                                                1. 6

                                                                                                  My point isn't that you need an older sibling, but that any kind of speed bump would still have an effect on usage. Needing to use some service like that is still such a speed bump, and if the goal is to get fewer kids using social media (or gambling, or whatever "vice" you want to pick) it's still doing something.

                                                                                                  1. 16

                                                                                                    While I am not accusing you of this tactic, it is definitely the case that proposals to do /something ineffectual/ are used by authoritarians as wedges so that next year they can say "that was ineffectual, we must do something more".

                                                                                                    1. 1

                                                                                                      Fair. I do think all the complicated infrastructure, privacy issues, access issues, etc. make this bad policy. And potential expansion for even worse use seems bad too.

                                                                                                      If they were serious they could start with something way easier like requiring the most addictive parts of these things (infinite scroll, algorithmic feeds) to be disabled by default and opt in only. Still a speed bump, but without building a continental verification apparatus.

                                                                                                    2. 6

                                                                                                      When I was a teen everyone in public schools learned how to modify the DNS settings on their devices to access websites on the school block list.

                                                                                                      In USA getting some dude in a van to make you a hokey fake ID so you can drink due to their Draconian prohibition laws is common.

                                                                                                      I don't think "ask Joe he'll hook you up" is the speed bump you think it is.

                                                                                                2. 5

                                                                                                  Yes, but they will reach for remote attestation and other drm tech to make it harder. It will not be possible for alternate wallet implementations, or even running it on a non-mainstream platform.

                                                                                                  Effectively creating a legal mandate to agree with google and apple terms of services, having to have a smart phone from this douopoly to use social media, and in the future whatever other services we figure the system is good for. Pornography, online video games, renting movies.

                                                                                                  If you get banned by google tough luck! If you use linux, tough luck!

                                                                                                  1. 4

                                                                                                    Yeah, posts like this seem determine to forget the difficult part is not connecting a number to a person, it’s the step in which you initially provide the number is the person the id represents.

                                                                                                    1. 1

                                                                                                      Last I checked into the European Proposal, you would obtain a block of signatures at a time from a trusted party (ie, citizen's office or similar, and IIRC the idea is that this can be done without needing a trusted wallet in a sanctioned OS, you could do something like PostIdent and show your ID at the post office in exchange for the signatures stored in an encrypted file, in theory). Something like 1000 signatures, each valid once. If you need more you can get another block. And each signature would be privacy preserving.

                                                                                                      1. 5

                                                                                                        That's not what the article proposes. And it's not privacy-preserving.

                                                                                                    2. 16

                                                                                                      I think that the article makes a core, yet unstated assumption: that EU member states will use zero knowledge proofs to implement the age verification in a privacy-preserving way.

                                                                                                      As far as I can tell, nothing stops each member state to implement the age verification mechanism as it sees fit. Even the Digital Identity Wallet reference app is just a reference, where ZKPs are just one strategy of proving possession of a valid credential. Technically, nothing stops a member state to just.. not use ZKPs and force everyone to login through the state's government portal at all times (á la OpenID Connect) every time an attestation is required.

                                                                                                      This is not without precedent; in my country digital signatures are implemented not cryptographically as in most EU countries, but literally as a gigantic government server storing each and every document, stamped with a PNG and a link to the government server to prove authenticity.

                                                                                                      Expecting states to bother doing this correctly is a big ask, IMHO, and this is what makes me wary about any and all such measures.

                                                                                                      1. 7

                                                                                                        Even the Digital Identity Wallet reference app is just a reference, where ZKPs are just one strategy of proving possession of a valid credential.

                                                                                                        And not even a priority because it was added recently to the reference Android app, and not yet supported on iOS: https://github.com/eu-digital-identity-wallet/av-app-ios-wallet-ui/issues/18

                                                                                                        1. 3

                                                                                                          These, and other concerns are mentioned.

                                                                                                          On the bright side, your country will have to comply to a better, more secure framework. If you don't mind, which country is it?

                                                                                                          1. 9

                                                                                                            Greece. And trust me, they won't.

                                                                                                            They even killed 57 kids on 2023 (https://en.wikipedia.org/wiki/Tempi_train_crash), and no one was punished. The governing party is currently under EPPO investigation for farming subsidy scandals (https://www.dw.com/en/greek-government-in-crisis-after-eu-subsidy-scandal/a-73095982) and they are doing everything underhanded to stop it. If they were innocent they wouldn't try so hard, it's not even funny.

                                                                                                            The same government (literally the same people, under different party banners) acts completely unpunished for the last 40 years. And even after the train crash, the minister of transportation ostensibly resigned, only to be a candidate again (and get voted back!) with the same party ~6 months later.

                                                                                                            I honestly don't believe they will bother.

                                                                                                            EDIT: I forgot, there is also a wiretapping scandal going on, like a mini-Watergate. Of course, the same ruling party. With this, I have no reason to trust that they wish to preserve privacy rights.

                                                                                                            Furthermore, government officials are officially in favor of dissolving any kind of user privacy rights: https://wired.com.gr/article/i-ellada-thelei-na-katargisei-tin-anonymia-sto-diadiktyo-einai-kali-idea/ (in Greek)

                                                                                                            1. 2

                                                                                                              [...] in my country digital signatures are implemented not cryptographically as in most EU countries, but literally as a gigantic government server storing each and every document, stamped with a PNG and a link to the government server to prove authenticity.

                                                                                                              Hm, that's not the case... is it? Greece follows the eIDAS framework. The system uses pretty standard PKI signatures and web interface is very helpful. Authentication is also reasonably well implemented IMO. The QR code allows non-technical parties to check the document's authentication easily. It's by all accounts a feature, not a bug.

                                                                                                              ps. I share your anxieties about Greece.

                                                                                                              1. 2

                                                                                                                Well, technically Greece follows eIDAS, but almost no public-facing gov service accepts eIDAS signatures. Most public servants have no idea what to do with them, so in practice they reject them.

                                                                                                                The gov server upload is better UX, yes, but the fact that signatures are not cryptographic means that:

                                                                                                                • documents can be easily tampered with in case of a security breach (which has happened before)
                                                                                                                • signatures are centrally managed and not independently verifiable; the government (or a malicious actor in case of a breach, or even yourself if phished) can technically sign things on your behalf that you didn't consent to
                                                                                                                1. 3

                                                                                                                  Well, technically Greece follows eIDAS, but almost no public-facing gov service accepts eIDAS signatures.

                                                                                                                  Maybe they will in the future, maybe not. I'm not sure what kind of services do you have in mind here.

                                                                                                                  Most public servants have no idea what to do with them, so in practice they reject them.

                                                                                                                  IMO all the public servants need is an interface.

                                                                                                                  [...] signatures are not cryptographic [...]

                                                                                                                  Isn't it? Here is an example of a document that I signed today:

                                                                                                                  $ pdfsig allagi-parochou-signed.pdf
                                                                                                                  
                                                                                                                  Digital Signature Info of: allagi-parochou-signed.pdf
                                                                                                                  Signature #1:
                                                                                                                    - Signature Field Name: Signature20260630131843
                                                                                                                    - Signer Certificate Common Name: Ministry of Digital Governance
                                                                                                                    - Signer full Distinguished Name: CN=Ministry of Digital Governance,OID.2.5.4.97=VATEL-997001671,O=Ministry of Digital Governance,L=Athens,ST=Attica,C=GR
                                                                                                                    - Signing Time: Jun 30 2026 13:18:43
                                                                                                                    - Signing Hash Algorithm: SHA-256
                                                                                                                    - Signature Type: ETSI.CAdES.detached
                                                                                                                    - Signed Ranges: [0 - 1037212], [1072554 - 1073215]
                                                                                                                    - Total document signed
                                                                                                                    - Signature Validation: Signature is Valid.
                                                                                                                    - Certificate Validation: Unknown issue with Certificate or corrupted data.
                                                                                                                  

                                                                                                                  Seems like a signed PDF file. Your problem is validation failure? My guess that importing these certs will take care of local cert validation.

                                                                                                                  documents can be easily tampered with in case of a security breach (which has happened before)

                                                                                                                  Interesting, can you share more info?

                                                                                                                  signatures are centrally managed and not independently verifiable

                                                                                                                  That's true but expecting from average to generate and manage his own signature is a bit like expecting from a patient to understand how the oxidation of salicylic acid work.

                                                                                                                  1. 2

                                                                                                                    Maybe they will in the future, maybe not. I'm not sure what kind of services do you have in mind here.

                                                                                                                    Say e.g. you need to sign a sworn statement and email it to a public service as part of an application process for benefits. The application gets rejected because the public servant on the other side doesn't know what an eIDAS signature is and can't see the gov.gr PNG, so they redirect you to gov.gr.

                                                                                                                    Seems like a signed PDF file. Your problem is validation failure?

                                                                                                                    Oh interesting, I didn't think to check the files generated by gov.gr themselves, I stand corrected. When the service launched I think they didn't embed a signature in this way. Looks like they fixed it. Progress.

                                                                                                                    Interesting, can you share more info? Many examples (Greek):

                                                                                                                    https://www.kathimerini.gr/society/reportaz/564067006/i-skiodis-ekstrateia-kyvernokataskopeias-kai-i-ellada/ The SYZEFXIS government intranet (where a ton of sensitive info is located) was breached.

                                                                                                                    https://www.secnews.gr/220390/panellinio-sxoliko-diktio-sch-gr-hacking-epithesi/. Not the best source but I remember the SQLi and data leak.

                                                                                                                    https://www.kathimerini.gr/society/561442918/kyvernoepithesi-ston-dimo-thessalonikis-kleidosan-archeia-toy-esoterikoy-diktyoy-zitontas-lytra/, ransomware on the municipality of Thessaloniki (second largest city in Greece).

                                                                                                                    That's true but expecting from average to generate and manage his own signature is a bit like expecting from a patient to understand how the oxidation of salicylic acid work.

                                                                                                                    I agree but that's fixable, no? IIRC other countries use cryptographic keys where the private key is embedded in the ID card. Signature gets authorized by matching fingerprint on a scanner (e.g. cell phone) with stored fingerprint data on the ID card. No central juicy target to hack, works offline, and no way for someone to track you unless they somehow gather every document you ever signed. No management too as the key can be rotated/revoked when the ID is lost or expires.

                                                                                                        2. 14

                                                                                                          Eh. I don’t really disagree in principle with the blog post, and I agree it would be nice to have a privacy-preserving age verification system. I’m just really, really skeptical that it will be implemented correctly in the real world!

                                                                                                          The author even helpfully includes a list of implementation problems that would compromise privacy at the end of the post. If age verification becomes legislatively mandated, I am very worried that some or all of those problems would be accepted in the name of expediency and protecting young people.

                                                                                                          If you think that a bad age verification system is worse than no age verification (and I do), then IMHO pushing back against the concept at the start is more politically feasible than trying to thread that needle.

                                                                                                          1. 13

                                                                                                            A 9-, 10-, or 14-year-old is not ready to wander the open internet without limits.

                                                                                                            Lots of kids are being abused *by their parents and access to the Internet in some cases their only lifeline. Normalising this restriction makes it easier for those bad parents to abuse their kids.

                                                                                                            Children can't drive, drink, gamble, or enter certain venues before a certain age.

                                                                                                            I don't agree that talking to other human beings is like drinking and driving, and I think you should be ashamed of yourself if you have ever given a child the impression that talking to human beings should be regulated if that's the best you've got.

                                                                                                            1. 1

                                                                                                              Lots of kids are being abused *by their parents and access to the Internet in some cases their only lifeline. Normalising this restriction makes it easier for those bad parents to abuse their kids.

                                                                                                              How is not allowing a 12-year old to enter a betting site make it easier for their abusive parent to abuse them?

                                                                                                              I don't agree that talking to other human beings is like drinking and driving, and I think you should be ashamed of yourself if you have ever given a child the impression that talking to human beings should be regulated if that's the best you've got.

                                                                                                              I rarely talk to the human beings that appear on pornhub, but your mileage may vary.

                                                                                                              1. 8

                                                                                                                A lot of this discussion is coming from the perspective of the US, where any LGBTQ informational content (in text! Not even talking about sex acts!) can be considered pornography, if not by law then by public policy. You can say that's just because the US is uniquely bad, but it's certainly not beyond the pale for European far-right parties.

                                                                                                            2. 13

                                                                                                              Kids are good at getting what they want, if they ask enough times someone will do it

                                                                                                              1. 17

                                                                                                                Perhaps some are, but does that mean we should, for example, sell alcohol directly to all kids? Personally I do not think all kids are equally motivated, have the same goals, or are equally capable of working toward long term goals.

                                                                                                                1. 13

                                                                                                                  Someone is more likely to make a Roblox account for a kid than sell them alcohol as well

                                                                                                              2. 13

                                                                                                                ZKP leaves no reason I couldn't attest that everyone in the EU is 39 years old, and you basically need to have identity and device attestation to even begin to mitigate this. The slippery slope is built into the technology itself.

                                                                                                                The shape of the architecture works for something like verifying payments or signing legal documents, since I have a strong interest in not allowing random 3rd parties to make payments with my money or sign contracts in my name, but for age attestation, I lose nothing if I attest on behalf of someone else.

                                                                                                                1. 12

                                                                                                                  If the verification is truly ZKP and there's no UUID attached, what prevents someone from just selling verifications? If there's a UUID you can build a profile and it's no longer anonymous..

                                                                                                                  Most likely this will require TPM, which requires Google / Apple to approve your identity, what happens if you live outside of that? I intentionally live like that, so that means I can't access some pages anymore?

                                                                                                                  1. 4

                                                                                                                    This exactly, and it's even happening right now... And when Roblox added age grouping they are also selling accounts for each age group https://lzt.market/roblox/?age_verified=yes https://lzt.market/roblox/?age_group[]=%3C13&age_verified=no

                                                                                                                  2. 11

                                                                                                                    What's wrong with censorship? If you can enforce censorship for a part of the population, you can enforce it for the rest when you decide you want to.

                                                                                                                    1. 9

                                                                                                                      I wish adults would stop trying to police and control minors. Y'all stripe and chip away agency from people who can't say no to you because apparently you're the grown-ups here around and you know better what they should and should not access, both software and hardware.

                                                                                                                      My god, the kids are fine. They are fine. There is so many more ways to build a better future for the next generations of people than to help paving the way to even more control and surveillance in everyone's life.

                                                                                                                      1. 9

                                                                                                                        If I'm a parent, my child and I get to decide what they should and should not be able to access. Not a content provider, certainly not a centralized authority somewhere who is defining what is "age-appropriate."

                                                                                                                        There is no biological switch that suddenly turns on at 18 (or whatever the age limit is) in someone's brain that says, "OK, now I am ready to watch porn and gamble and chat with strangers." And if there were, it definitely wouldn't turn on at the same age for everyone. In most people, the frontal cortex isn't fully developed until they're 26 or so. Can you imagine telling a 25yo they can't watch porn?

                                                                                                                        Age verification itself is a heuristic, and not a very good one. It should not be used as a stand-in for the important, nuanced, private conversations that must happen between children and their guardians. And it definitely should not be used to centralize control over access.

                                                                                                                        1. 2

                                                                                                                          How old are your children?

                                                                                                                          1. 10

                                                                                                                            None of your business.

                                                                                                                            1. 2

                                                                                                                              Fair, but depending on their age, you have probably seen more than one times when there was actually as if a switch turned. And you have also done various things about them because the state requires you to do.

                                                                                                                              1. 8

                                                                                                                                You're right, I have seen that happen. Sometimes it seems like some switch or other turns on every day! :)

                                                                                                                                I think your point is that parents are legally required to take developmentally appropriate steps for their children, such as enroll them in school. And while I agree that parents should generally follow this outline, I actually don't agree with the implication that any one body, i.e. the state, should be able to compel me to do it. The social benefit of public education is very high, but the social costs of the current implementation or any implementation I can imagine are high as well, and that's the core problem.

                                                                                                                                I live in the US, where there is a lot of racist and eugenicist baggage in the design of the education system. While I am happy for the (decreasing) benefits we get from public education, I do not trust the Dept. of Education to make decisions for my family. I would similarly not trust any governing body with the power to decide what my children can or cannot access online.

                                                                                                                                The question of whether it's developmentally appropriate is besides the point, because again, age is a heuristic, and there are different criteria for different levels of responsibility, and where and how to draw those lines should be up to parents and their children. There is quite literally no way to legislate such rules in a way that is humane and culturally sensitive.

                                                                                                                                The very existence of a central authority making these decisions strips children and parents of agency, and opens up the possibility of abuse of that authority.

                                                                                                                        2. 7

                                                                                                                          I have yet to see a solution that either isn't anonymous or is vulnerable to one bloke helping hundreds of kids be verified as adults.

                                                                                                                          And by anonymous I of course mean that even if the government and age-checker collude, they can't find out who is behind which user/session.

                                                                                                                          1. 4

                                                                                                                            This is anonymous, even if the government and the age-checker collude, there is no way to correlate the identity and the session. It's how a zero-knowledge proof like zkSNARK works.

                                                                                                                            Now, if you mean the government is giving a backdoored wallet that does not do what it says it does, yes, it can. But you don't have to use the govt-provided wallet either, they have published the source code on GitHub.

                                                                                                                            1. 4

                                                                                                                              So it fulfills requirement A, but does it stop people from letting a bunch of children use their ID to verify themselves as adults?

                                                                                                                              1. 3

                                                                                                                                But you don't have to use the govt-provided wallet either, they have published the source code on GitHub

                                                                                                                                As we've discussed in many other threads, this is probably absolutely not the case

                                                                                                                                1. 2

                                                                                                                                  Do you have a citation for this claim, because absolutely nothing that I’ve read about this algorithm class suggests that it is secure in the presence of collusion and communication via out-of-band channels. In particular, each token that the age checker generates is unique and it’s trivial for them to share a mapping between that token and identity with a third party.

                                                                                                                                  In fact, I don’t believe it is possible to design a ZK scheme that has the desired property. Either each attestation is unique (or is a member of a small set), in which case deanonymisation in the presence of collusion is trivial, or attestations are not unique, in which case they are trivially forgeable.

                                                                                                                                  1. 1

                                                                                                                                    The wallet can create a new zkSnark proof every time, based on the attestation it already holds.

                                                                                                                                    1. 4

                                                                                                                                      I see, so that includes a random factor that means that you can't tie new proof to the original attestation, but you can still check the property. But if the attestation leaks (e.g. security vulnerabilities in the wallet), you can regenerate every proof that the wallet has generated?

                                                                                                                                      That's somewhat less bad, though I still strongly disapprove of moving parental decisions to someone else's control. We set the correct precedents when home movie rental came along, we don't need to do the opposite now.

                                                                                                                                    2. 1

                                                                                                                                      You don't need snarks and all that, I think you just need a bunch of one time use blind signatures.

                                                                                                                                      And afaik those should provide complete unlinkability, since the unlinking step happens in the client wallet.

                                                                                                                                2. 7

                                                                                                                                  Why are all these solutions always starting with the stance that we all have to walk around with our IDs everywhere?

                                                                                                                                  You could enforce adult websites to publish X-Parental-Guidance: headers, and then have browsers / OSes respect it.

                                                                                                                                  Same effect, without putting the whole society under a privacy-leaking blanket.

                                                                                                                                  1. 2

                                                                                                                                    But in this case, the government will have to approve the OSes and browsers that are legal, right? Because if I can just download an other browser on my computer and visit any site, it doesn't help much. I find the much more dangerous.

                                                                                                                                    1. 4

                                                                                                                                      It's reasonable to expect a social norm that parents should not give their children administrative permission over their devices in order to install another browser. On mobile devices, which are overwhelmingly the most popular platform for youngsters by my understanding, that's probably actually good enough. On desktop, portable browsers easily get around this and we can expect kids to start learning what those even are quickly enough, but they come with their own inconveniences and that kind of intentional rulebreaking behavior is a perfectly normal part of growing up that we shouldn't be expecting to defeat through technical means. Just make it a crime to market a browser for this purpose and you defeat the economic incentives that would otherwise lead corporations to drive kids toward that behavior for reasons other than natural curiosity or rebelliousness.

                                                                                                                                      1. 4

                                                                                                                                        On Linux, you can prevent portable apps by mounting /home and e.g. /tmp noexec. On Windows, group policy, I believe.

                                                                                                                                      2. 4

                                                                                                                                        No, not at all, any more than a DVD player must be government authorised and will refuse to play DVDs with a certain rating without a government-issued token.

                                                                                                                                        We put age recommendations on DVDs (and VHS tapes before that) so that parents have the ability to make informed choices about what their children watch.

                                                                                                                                        If web sites that provide adult content are required to provide headers that specify the kind of content, browsers are entirely free to ignore them, but parents are also able to set up their children’s systems to use only browsers that reject pages with certain things in the headers.

                                                                                                                                        If Facebook has to send X-Parental-Guidance: AddictiveAlgorithm FarRightRadicalisation, it’s up to parents to decide whether to allow their children to install arbitrary software on their device and, if not, to define whether this is something that their browser must respect.

                                                                                                                                        1. 1

                                                                                                                                          There's a lot of things the government can do. They can sponsor and mandate proper protection on children's devices. Create a free parental control software. Create awareness programs so that it becomes the default among children. Ban devices in schools. Fine parents if children are caught with unblocked devices.

                                                                                                                                          Notice how none of this takes the adult's freedoms away.

                                                                                                                                          Anyways, I'm pretty sure with the current trend and modes of thinking, we will end up with both the government-approved devices, and the digital passports that will be required for everything, from filling taxes to buying toilet paper.

                                                                                                                                          1. 1

                                                                                                                                            Well, fining parents if children are caught with unblocked devices does take away a parent's freedom to trust their child. Broadly speaking, though, yeah - trying to centralize identity management like this is so completely unnecessary to achieve the stated policy goal of empowering parents to protect their children that that can't be the real motivation.

                                                                                                                                            EDIT: Realizing that may have come off as more of a vague accusation than I intended, I'll be clear - I think the real motivation is to implement the control over what all children can view that the concerned parents want exerted on what their own children can view. I don't think most reasonable people supporting this sort of thing actually want the surveillance state it creates, they're just willing to accept that as a cost of protecting their children, though I think it will fail to do that and still create the surveillance state.

                                                                                                                                      3. 6

                                                                                                                                        Other threads have gone into the issues better than I can, but I wanted to mention that if it's going to be done sensibly, an unattested operating system level API that browsers can use is far better. It avoids building centralized systems of control, while still giving parents a tool they can use to influence what their children can see because the parent controls this step during device setup. Obviously, there will be tools out there or clever children who can bypass it by manipulating the traffic their browser sends, but for most this kind of solution adds plenty of friction to accomplish the social goal of signalling that something is inappropriate, especially if the relevant law makes it illegal to distribute software marketed as forging the request header or whatever.

                                                                                                                                        1. 4

                                                                                                                                          As an occasional admin of small 18+ spaces, I would absolutely love to have a service where I can feed in an IP address and efficiently get the legal domain of the address and an API to verify user age that satisfies legal standards for this address, for free.

                                                                                                                                          Any commercial service is unviable. Any regional solution is unviable. Anything that requires me to sign up and provide identifying information as to why I want to check this is unviable. Anything that requires me to deduce the country of origin for a user, instead of an IP, is unviable.

                                                                                                                                          If the EU provides this service, or even just a service that lets me validate that an IP is in the legal domain of an EU age verification scheme, I will happily use it. It'd take a huge load off my back.

                                                                                                                                          1. 6

                                                                                                                                            It will not be based on IP, but yes, you will get an API that let's you validate that "this session id is verified to be associated with an adult".

                                                                                                                                            1. 2

                                                                                                                                              I mean, IP is what I have, lol. The first step is I need to actually decide if an incoming request is in the jurisdiction of the age verification API. Use geocoding and pray?

                                                                                                                                              Like, if the scheme wants to be viable for small operators it needs to release something like an 18+ age gate proxy on Github that actually works for worldwide requests while age-gating EU requests. Optimally with other validation schemes where those have jurisdiction.

                                                                                                                                              1. 10

                                                                                                                                                There are two problems with IP (actually more):

                                                                                                                                                1. Any household with kids, also have adults, so one IP is shared between them.
                                                                                                                                                2. When you ask a "EU API" if my IP is allowed to visit your site, you actual tell them I'm visiting your site, Now, this is a huge privacy concern.
                                                                                                                                                1. 2

                                                                                                                                                  Sure if there are kids there are also adults, but those adults should not be allowed to access anything that isn't safe for kids. Otherwise the adult may hand the device to a child and give them access.

                                                                                                                                                  1. 1

                                                                                                                                                    Again, IP is what physically arrives at my network port.

                                                                                                                                                    I mean, I agree with the problems. But that's why I specifically want a universal age gate proxy, not a "digital wallet" that assumes away the hardest step.

                                                                                                                                                  2. 3

                                                                                                                                                    The design is Open Sourced, so I would expect a 18+ age gate to be available either officially, or by independent devs: https://github.com/eu-digital-identity-wallet

                                                                                                                                              2. 4

                                                                                                                                                My primary solution to most of this is to legislate that all algorithmic feed offerings must be bought and paid for by the end user: and that "free-trials" of the "For-You" pages et al. are strictly not allowed; and bundles for multiple app that go below the legal minimum are also not allowed.

                                                                                                                                                Content can only be recommended to non-paying users ONLY after they have clicked into a piece of content that they already follow in a "more like this" manner.

                                                                                                                                                Imagine if you had to pay £0.50 per month for every single algorithmic feed for every app. And yes, big tech will probably just use bot accounts to astroturf platforms and attempt to force recommendation that way but at least 1) it will cost them, 2) it will be easier to go after them to prove; 3) they will damage their own trust even further.

                                                                                                                                                In my opinion, the only way to heal the internet is to drive people back towards curating their own feeds and people pointing each other organically to content in trusted environments.

                                                                                                                                                1. 4

                                                                                                                                                  A much better solution would be to require something like an ESRB rating in a DNS TXT record, and provide easy ways to filter them at the browser, OS, and network level. Sure, you can circumvent that, but it’d still be much better than what we have now.

                                                                                                                                                  Services could have sub domains with different ratings.

                                                                                                                                                  It seems to work well enough for movies and video games.

                                                                                                                                                  1. 4

                                                                                                                                                    I agree with most of the points but the ZK proofs need to be specified at law-level, not just in the appendix.

                                                                                                                                                    1. 4

                                                                                                                                                      The fundamental issue with these age verification laws is that they are trying to enact technical solutions to solve social problems.

                                                                                                                                                      And I'm not at all sure that the problems are as large as they are portrayed. This has the feel of a moral panic, and it feels like one that's being pushed by organizations to deflect from other kinds of more meaningful legislation that would tackle deeper associated issues.

                                                                                                                                                      1. 1

                                                                                                                                                        Why does everyone think that it's all about "the platforms" (i.e. instagram, tiktok, etc)? They are an issue, but not the only one. You have porn (nothing against it, but not everything, at any age), you have ai chat that replaces their actual human interactions, you have betting, and so many other types of sites... I often feel that the people engaging in the discussion don't have teenagers.

                                                                                                                                                        1. 3

                                                                                                                                                          Because we largely all agree that current social media have huge problems, not only for children but society at large, in a way we don't all agree on pornography, AI chat bots, and betting (which usually require KYC processes anyways, and the ones who don't won't be opting into an EU age checking tool), being similarly sized problems.

                                                                                                                                                          Most of the laws and the EU angle for this age verification system is currently focused and constrained to "dangerous social media". So of course the discussion is focused on how to actually tackle the problems on social media. Not just taper over it temporarily for a subset of kids for a few years and then having the same problem when they turn 16 or 18 or whatever.

                                                                                                                                                          You're right that once we have this system it will inevitably be expanded to be used for more and more types of services. But that's not currently up for debate, and is frankly a negative aspect of the system.

                                                                                                                                                      2. 4

                                                                                                                                                        Many possible issues with an implementation, but with zero-proofs it indeed could be done right, maximally preserving privacy - not solution to all of our current privacy problems, but definitely a step in the right direction :)

                                                                                                                                                        1. 6

                                                                                                                                                          Except without locking down the device on which that ZKP resides, nothing stops someone who wants to rebel against this from exposing an API for anyone to attest their age. Which is why these ZKP approaches insist on a blessed Google Android or Apple phone.

                                                                                                                                                          1. 1

                                                                                                                                                            How anyone? Aren't ZKP in this context bind to a particular account/identity and piece of data? Can you elaborate on the mechanics you have in mind?

                                                                                                                                                            1. 5

                                                                                                                                                              Its impossible to have anonymity, untrusted devices, and making the tokens unsharable.

                                                                                                                                                              It's a pick two kind of situation.

                                                                                                                                                              Anyone who can get valid credentials can give them to anyone else. Because the services cant know who it belongs to

                                                                                                                                                              1. 1

                                                                                                                                                                I guess it might be partially solved by time-restricted proofs like we do with JWTs (access and refresh), but it minimizes the risk, not eliminating it. Still, it might be a good tradeoff - probably there are some other interesting and pragmatic workarounds with acceptable tradeoffs as well

                                                                                                                                                                1. 5

                                                                                                                                                                  No, it is actually impossible. The time delay is fundamental to ensuring anonymity, and even if you were to do it synchronously, nothing stops a third party "cracked" wallet from serving those requests similarily live.

                                                                                                                                                                  The pragmatic workaround is to not care, and let people share these tokens. Because no matter what technical solution you try to implement you cant stop someone from just handing a minor an unlocked account or device.

                                                                                                                                                                  Just like alcohol, in the end you rely on everyone refusing to buy it for children, not just the shops you directly regulate

                                                                                                                                                                  1. 1

                                                                                                                                                                    Indeed, it seems that trusting the device (or the wallet on the device) is critical.

                                                                                                                                                                    This does not block third party wallets, but it will require the wallets to be notarized by an authority (for example, getting certificate the wallet will use when connecting to the attestation service, in order to get the attestation).

                                                                                                                                                                    This is a good point to open a public discussion, on the pros and cons, and possible solutions. (This is actually the only concern raised here that has given me second thoughts, not on privacy, but reliance on established players.)

                                                                                                                                                                    1. 3

                                                                                                                                                                      Could you elaborate on how you theorize one would get a third party app notarized in practice, and how that would help?

                                                                                                                                                                      Are you just talking about it being possible for a second actor to make a wallet app, as long as they have a relationship with the government (as token issuer), and that they only let their app run on locked down operating systems?

                                                                                                                                                                      In my model for this there's no reason to require permission for this unless you use that system to enforce unsharability, which requires total control over the entire stack. Completely ruling out any open ecosystem from using it. But maybe you have some idea I haven't thought of.

                                                                                                                                                                      There being multiple first party applications is a given, different nations will have different apps and systems. When I said third party I meant an independent solution not related to the issuer nor the sanctioned national wallet developers.

                                                                                                                                                                      If I was forced to design something like this I would make it a protocol that I would hope each operating system vendor integrated natively, akin to passkeys.

                                                                                                                                                                      With a flourishing wallet ecosystem that isn't controlled centrally by an authority you also weaken the slippery slope argument, since adding more types of attestations and changing the system would have higher costs, and you might not even be able to convince everyone to go through with such changes. A website cant opt into a less private option if half their users use wallets which only support the secure ones.

                                                                                                                                                                      1. 1

                                                                                                                                                                        Thanks for the constructive discussion.

                                                                                                                                                                        Now, the problem is age verification isn't an authentication problem, it's a collusion-resistance problem. What we are describing is a scenario where the users themselves are the attackers (I give my adult attestation/credentials/certificate/whatever to a minor). This is not the case with other types of authentication, for example my mail or my bank credentials, because the user there is trusted they will not do it voluntarily.

                                                                                                                                                                        So, the problem is: how can I create an attestation that the holder can not transfer to an other, even if they want? I can either bind it to them (biometric for example) which opens the door to privacy issues, or I trust the chain of custody (wallet, device, etc).

                                                                                                                                                                        1. 2

                                                                                                                                                                          Don't. It's not a productive direction of engineering. Build social systems that don't try to take tools away from parents just because you, personally, don't see a need to ever have that tool.

                                                                                                                                                                    2. 1

                                                                                                                                                                      Forgive my ignorance, but why zero knowledge proofs can't be time-restricted and expire after certain time?

                                                                                                                                                                      1. 3

                                                                                                                                                                        They can absolutely expire after a time period, but you want this period to be as large as possible.

                                                                                                                                                                        Creating the blind signatures, or the secret involved in the ZKP involves communicating with the authority.

                                                                                                                                                                        In this situation that means connecting over the internet with your ip address, logging in with your government ID somewhere.

                                                                                                                                                                        Then you do some magic on the device that unlinks or otherwise does not share the information with the social media you're authenticating to.

                                                                                                                                                                        If you then immediately turn around and use the token, they can't know its you cryptographically, but if you were one of, or maybe the only one who grabbed an authentication token in the validity period, you can do a timing or correlation attack and still figure out who did it.

                                                                                                                                                                        You want the set of people who it could be to be as large as possible. So you need to let people download (or maybe generate) many unlinkable proofs in bulk, which are valid for preferably months or years, so that the set of possible people would be very large

                                                                                                                                                          2. 3

                                                                                                                                                            It is maybe useful to talk about this issue from another angle: digital attestations capable of replacing a wet signature in the eyes of the law. This is a more useful project for the government to attempt as there's lots of ecommerce and people entering into contracts online every day and it sidesteps all the "think of the children" rhetoric with age verification.

                                                                                                                                                            The challenging part of the issue here is not technology but UX. Suppose this takes the form of a government-issued security token. You now have to get this in the hands of people, it has to be useful for the elderly and you have to deal with rotation and revocation when someone inevitably loses their token. It's hard stuff, I'm not going to claim to know the answers, but I think the debates about how to do it will be much more interesting than the ones about age verification.

                                                                                                                                                            But the digital attestation approach has its own, similar slippery slope. You'll get huge demand from it at the beginning from ecommerce firms looking to reduce fraud or at least provide a more reliable identity that they can sue should their counterparty be in breach of contract. But once there's critical mass you'll see $SOCIAL_MEDIA_WEBSITE require it for ordinary use as a way to cut down on spam and ad fraud. It's a one-time technology implementation that ends their game of cat and mouse with spammers, it can't be beat as a cost-cutting measure. Now you're fully down the slope of attesting your government ID just to do anything on the internet.

                                                                                                                                                            I think this better gets at the heart of what actually drives demand for both age verification and ecommerce digital attestations: they're ways for companies to reduce their costs, with age verification avoiding legal liability for serving minors and digital attestation reducing spam and fraud. The question to us as individuals is where should the balance of these costs lay: is it on us, requiring us to attest ourselves to reduce fraud rates for third parties, or do we keep it on the businesses' side of the equation by requiring them to eat a potentially unavoidable loss when someone gets through their fraud or spam defenses?

                                                                                                                                                            1. 2

                                                                                                                                                              Putting aside if it's necessary, proportional, or well intentioned.

                                                                                                                                                              There's really a super simple solution which doesn't require any (additional) cryptography, and would be just a robust (or not) as the one proposed by the EU:

                                                                                                                                                              1. Require websites or apps that allow access to resources you wish to block for children to expose the risk level using some standardised mechanism, and block access if the client/OS doesn't advertise support for the mechanism. For websites this could be a pair of request and response headers. The client would advertise support for a jurisdiction's flavour of content restriction policies, and the server would reply with the list of policies that must be applied. For applications this could be an API. Clearly given the mess of cookie prompts now visible on the internet, this is firmly within the realm of possibilities. Although, given the mess of cookie prompts, it's obvious why nobody came up with it.
                                                                                                                                                              2. Require web browsers and app stores to respect these tags and block access to that content when configured to do so. And require that configuration to be simple for adults to set up.
                                                                                                                                                              3. Make sale of any device capable of out-of-the box internet access illegal to sell to children, just like we already do with the sale of knives, alcohol, etc.
                                                                                                                                                              4. Make it a legal obligation of parents to not give their children access to devices which are unrestricted, just like it's their legal obligation not to give their children unrestricted access to alcohol.

                                                                                                                                                              This does not require any new infrastructure, only some minor changes to software. It does not require anyone's day-to-day privacy to be even at risk of being infringed. It does not require owning a stock Apple or Google Android phone. It does not require getting ZKP right. It does not require a blog post defending the approach.

                                                                                                                                                              The weird California law, that everyone mocked and cried about, was literally almost doing it right.

                                                                                                                                                              1. 3

                                                                                                                                                                #2 is the tricky part imo.

                                                                                                                                                                a. You practically make it a legal requirement that software (or at least, browsers) has to be downloaded from an App Store. b. You add one more compliance requirement to app stores.

                                                                                                                                                                Where does this leave any new browser? Can I download it from GitHub? Where does this leave OSes that don't have an App Store? Should I go to jail for giving my daughter a linux laptop?

                                                                                                                                                                And #4:

                                                                                                                                                                Sounds fine on paper, but how do you enforce it at the very basic level? Allow police to check your kid's phone? Allow your neighbors to accuse you of giving your kid an unlocked phone or an linux PC?

                                                                                                                                                                Otoh, the EU proposal makes it very easy: Anyone can verify if a site requests and respects the age-verification protocol.

                                                                                                                                                                We are humans, and there will always be loopholes. A parent that allows his kid to drink alcohol, does not lock his gun (not so much an EU problem), gives them his credit card, or caves in and approves with his wallet the attestation. Sure. All these things happen, and they will happen. But overall, I think the EU framework is doing the best that can be done, without causing collateral damage in privacy, competition, or innovation.

                                                                                                                                                                1. 3

                                                                                                                                                                  a. You practically make it a legal requirement that software (or at least, browsers) has to be downloaded from an App Store.

                                                                                                                                                                  You don't. The onus for compliance currently is on websites and applications. It can stay that way.

                                                                                                                                                                  Adults would be unaffected, and so would all software which only intends to be used by adults. The only people affected would be people who host software downloads.

                                                                                                                                                                  There's even an idea here where you could even require devices in child-safe mode to prevent running software which doesn't advertise itself as API aware. And likewise, browsers could prevent access to any website which doesn't advertise itself as such. This alternative would not even require any changes to anyone's website if they simply wanted to be adult-only.

                                                                                                                                                                  Yes, this means that children would be unable to download arbitrary software, unable to download and install a Linux distribution, and unable to see most of the web. But assuming you agree that this is a worthwhile pursuit, that it's well intentioned, and proportional (I don't) then this seems fair game, and with the above alteration might work even better.

                                                                                                                                                                  The open source world isn't stopped from implementing this stuff, and would be able to implement this entirely with open source libraries, it would still be on the parents to decide if the Linux distribution they chose for their kid is safe enough for their kid. As fundamentally it would still be the responsibility of the parents.

                                                                                                                                                                  Also, the current EU solution proposes (at least it did when I last looked at it) tying you to an iPhone or a Google blessed Android phone because they want to use hardware attestation to verify an untampered OS before letting you use your TPM for your component of the ZKP. And would require you to run a signed build of their App, which while Open Source, doesn't give you any software freedoms.

                                                                                                                                                                  b. You add one more compliance requirement to app stores.

                                                                                                                                                                  They already have this as a compliance requirement, self imposed to some extent. It would be a minor variation on it to extend it to software which lets you access the web. In fact, this proposal would drop the requirement for the app store to have this as a broader compliance requirement in a sense, they would only need to vet apps that claim to support the API. The OS would just need to implement a child safe mode, which would require any software that runs to advertise its use of the API.


                                                                                                                                                                  Really you only need to legally obligate the parents, and people selling computer hardware pre-installed with software that can communicate with the unrestricted internet. The rest of the problem could maybe solve itself if you are unreasonably optimistic about the functioning of our markets.

                                                                                                                                                                  If parents wanted to give their children access to a computing device, they would be obliged by the law to supervise them or give them unsupervised access to an appropriately locked down device. This would bring demand for devices that can be easily appropriately locked down. It's likely that this would lead to some system by which websites and applications can advertise their safety.

                                                                                                                                                                  The whole point of adding the header protocol and some "laws" surrounding applications is to avoid the situation where we end up with 100 different disparate protocols, or privately managed lists you need to pay your way into. Websites hosting porn that misrepresent themselves as being child safe, or (alternatively, if you use the approach I originally proposed) don't advertise themselves as child unsafe would get in legal trouble, just like they currently would need to do for the current approaches to work.

                                                                                                                                                                  I think with a little bit of care, a law like this could be set up to work as intended, while having almost no unintended impact on individuals, open source, hardware freedom, etc.

                                                                                                                                                                  And #4:

                                                                                                                                                                  Sounds fine on paper, but how do you enforce it at the very basic level? Allow police to check your kid's phone? Allow your neighbors to accuse you of giving your kid an unlocked phone or an linux PC?

                                                                                                                                                                  Do Police currently go about brethalysing people's kids? Not that I know of, but maybe. Do they go around interrogating them on whether they own a knife? Presumably on rare occasions. Do neighbours currently sit there watching to see if you're leaving your kids unattended? If they're petty, yes.

                                                                                                                                                                  I don't see the problem.

                                                                                                                                                                  And, again, there's nothing stopping a Linux distribution from complying with the law, thereby making it safe for an adult to let their child use a computer with such a Linux distribution on it.

                                                                                                                                                                  The premise is, in effect, that access to certain parts of the internet is as bad as unrestricted access to alcohol, tobacco, narcotics, medication.

                                                                                                                                                                  And it's really important to point out that the EU approach doesn't really solve the core problem anyway. Children have been stealing their parents' bank cards, getting other people to buy them alcohol and porn magazines, creating fake IDs. If you don't lock down your phone, your kid can just borrow it and attest their age.

                                                                                                                                                                  I think you're falling for the nirvana fallacy, and so are all the legislators involved.

                                                                                                                                                                  But overall, I think the EU framework is doing the best that can be done, without causing collateral damage in privacy, competition, or innovation.

                                                                                                                                                                  But it literally requires a hardware with a TPM, and an attested software stack on top of that, or else the components of the ZKP can be extracted and just published on the internet, or exposed as an API, for anyone to attest anything, with the Government having no idea (at least in the API variant) of whose age proof is being abused.

                                                                                                                                                                  So it requires a locked down computing environment.

                                                                                                                                                                  Yeah, you have privacy. But good luck with your privacy when you have no freedom...?

                                                                                                                                                                  1. [Comment removed by author]

                                                                                                                                                                    1. 2

                                                                                                                                                                      Also, the current EU solution proposes (at least it did when I last looked at it) tying you to an iPhone or a Google blessed Android phone because they want to use hardware attestation to verify an untampered OS before letting you use your TPM for your component of the ZKP. And would require you to run a signed build of their App, which while Open Source, doesn't give you any software freedoms.

                                                                                                                                                                      Valid concern. It's currently more design-intent than hard enforcement and https://ageverification.dev says support for additional platforms is considered in future iterations, aiming for the widest possible range of devices to keep the solution digitally inclusive. BUT if that ever includes attestation-free paths for open OSes is not mentioned.

                                                                                                                                                                      But this is exactly what the last section of my post focuses on: There are many small details, and decisions that can make a huge difference. I'd rather focus on these, instead of shouting "no to age controls", when I see my kids friends dealing with serious issues due to lack of controls.

                                                                                                                                                                      1. 2

                                                                                                                                                                        My point is that there is a simpler solution, which doesn't require trusting the government to sanction "additional platforms ... in future iterations ..."

                                                                                                                                                                        The solution I propose for the most part also has about the same flaws/advantages in terms of its ability to "help" the "problem", while being simpler and not relying on trusting the government to let you use a non google/apple blessed phone.

                                                                                                                                                                2. [Comment removed by author]

                                                                                                                                                                  1. 1

                                                                                                                                                                    I am not against the idea of age verification, but I have more concerns about the safety of this enforcement. A smart kid will easily figure out a solution to bypass the controls (tor, proxy, etc.) that are exposing them to more problematic contents.

                                                                                                                                                                    1. 1

                                                                                                                                                                      I don't want to share this as a separate link, but if anyone is interested, I posted a follow up, largely based on the feedback in this thread.

                                                                                                                                                                      https://blog.vrypan.net/2026/07/01/260702-whats-wrong-with-eu-age-verification/

                                                                                                                                                                      1. 2

                                                                                                                                                                        But if the government adds all those controls to my device, wouldn't that make it rather easy for the government to collude with web services to identify me?

                                                                                                                                                                        1. 1

                                                                                                                                                                          Which control is the government adding to the device?

                                                                                                                                                                          1. 2

                                                                                                                                                                            You listed these:

                                                                                                                                                                            • In practice, let’s admit it, you'll have to use iOS or Android.
                                                                                                                                                                            • Probably the official government wallet.
                                                                                                                                                                            • Experimental mobile OSes are locked out of any site requiring age verification.
                                                                                                                                                                            • Alternative OSes could qualify, but only by getting EU-certified — which often defeats the point of running one.

                                                                                                                                                                            If you're limited to running the official governemnt version on only government approved OSes, that makes it easy for the governent to keep track.

                                                                                                                                                                            1. 1

                                                                                                                                                                              I you consider using iOS or Android gives the government control over your device, a) yes, b) 99.999% of the global population has already done it.

                                                                                                                                                                              Using the official wallet to hold government documents is what most people would expect. In my country we have a digital version of the national ID (you can show it and use it on your phone instead of carrying the plastic), and of course it's a government-issued app. In an ideal world we would have something like crypto wallets, where anyone can build one, but again it sounds like a reasonable compromise. You could have third party wallets, from a developer or a company you trust, but they will need to embed a government-issued certificate in them to prove they actually are what was approved.

                                                                                                                                                                              Can a malicious govt build a wallet that leaks information it was not supposed to leak? Yes. This is what I bring up reproducible builds, and signed source/metadata, that allows everyone to review the exact source code that was used to build the binary you run.

                                                                                                                                                                      2. 1

                                                                                                                                                                        I heard from someone that the EU ID wallet is actually not privacy-preserving, because the age-gated website has to make some call back to the 'government' to check the document has not been revoked, or something like that. I have forgotten what exactly they said to me. Does anyone know with certainty or is able to agree/disagree?

                                                                                                                                                                        1. 0

                                                                                                                                                                          Did you read the article? 😃