like most proposed solutions, this just seems overcomplicated. we don't need "accessible cryptographic infrastructure for human identity". society has had age-restricted products forever. just piggy-back on that infrastructure.
1) government makes a database of valid "over 18" unique identifiers (UUIDs)
2) government provides tokens with a unique identifier on it to various stores that already sell age-restricted products (e.g. gas stations, liquor stores)
3) people buy a token from the store, only having to show their ID to the store clerk that they already show their ID to for smokes (no peter thiel required)
4) website accepts the token and queries the government database and sees "yep, over 18"
easy. all the laws are in place already. all the infrastructure is in place. no need for fancy zero-knowledge proofs or on-device whatevers.
to go on tiktok, you enter a UUID once onto your account, and thats it. the only person that sees your id card is the store clerk that glances at the birth date and says "yep, over 18" when you are buying the "age token" or whatever you want to call it. no copies of your id are made, it cant be hacked, theres no electronics involved at all. its just like buying smokes. theres no tie between your id and the "age token" UUID you received.
theres no fanciness to it, either. itd be dead simple, low-tech, cheap to implement, quick to roll out. all of the enforcement laws already exist.
>Why should I have to share more than required?
you shouldnt. having to prove age to use the internet is super dumb. but thats the way the winds are blowing apparently. if im gonna have to prove my age to use the internet, id much rather show my id to the same guy i buy smokes from (and already show my id to) than upload my id to a bunch of random services.
Having said that, I think having an "I'm of legal age" tickbox goes quite far enough.
For the ultra-controlling, setting up a "kid's account" using the tools already provided in mainstream OS's [0][1] is a fine option.
[0] <https://www.microsoft.com/en-us/microsoft-365/family-safety>
[1] <https://support.apple.com/guide/mac-help/set-up-content-and-...>
no, it is exactly as protective as the protections for purchasing alcohol or buying smokes or other controlled substances/products.
buying smokes/alcohol when underage is obviously harder than "click this box". (did you ever try to buy smokes/alcohol when underage? you cant just go up to the clerk at the store when you are 14 and say "trust me bro, im 18/19/21".)
>Anyone who is of legal age can buy UUIDs and pass them around to folks who are not.
same for smoking and alcohol. i could go to the store right now and buy smokes, then hand them to my 10 year old.
we have laws already in place to punish selling smokes/alcohol to underagers, and laws for consuming smokes/alcohol when underage. we can apply those laws to your internet-age-token.
most people seem fine with the current trade-off for smokes/alcohol. i see no reason why tiktok needs to be treated as more dangerous than either.
>Having said that, I think having an "I'm of legal age" tickbox goes quite far enough.
i agree with this and everything you said afterwards. id rather not have any of it.
Right. That's exactly as protective as that tickbox. [0] As I mentioned, any of-age person can distribute those UUIDs to people who are not of-age. Unlike with the proposed ID-collection-and-retention schemes (that are authoritarian's wet dreams) the vendor of the UUID is not responsible for ensuring that that UUID is not later used by someone who is not of-age.
If you were to -say- make alcohol vendors liable for the actions of of-age people who pass on alcohol to not-of-age people, then you'd see serious attempts to control distribution.
[0] Don't forget the existence of preexisting parental controls in every major OS. IME, this is a hurdle that's at least as difficult to surmount as the ID check done in non-chain convenience stores.
no, it isn't, for reasons already mentioned but i will say it again for clarity:
- a 14 year old can click "im of age" on a checkbox.
- a 14 year old cannot go into a gas station and buy smokes. they will be declined.
>As I mentioned, any of-age person can distribute those UUIDs to people who are not of-age.
again... same with smokes and alcohol! but we are okay with how smokes and alcohol are regulated right now.
tiktok is not worse than a bottle of vodka. we are okay with how vodka is regulated. tiktok does not need even more strict age-verification than vodka.
it is not perfect, but it is absolutely more stringent than a checkbox. if you still doubt me, please send one of your 12-14 year old family members to buy a pack of smokes or a bottle of vodka at the nearest store. i will wait for your report.
or make them good for 1 month, but sold in 12-packs.
...if these tokens are as protective as you claim they are, why would it be important for them to expire?
Would you also advocate for the token issued by authoritarians' preferred "send a video of yourself [0] and/or your government-issued photo ID [1] to some random third-party for-profit company" check to frequently expire? If not, what's up with the discrepancy?
[0] Or of someone physically near you who is of-age
[1] See [0]
age verification is already being rolled out. so we can either suck it up and try advocate for less shitty versions, or we can bicker amongst ourselves while id/video-based age verification continues to be implemented everywhere.
>...if these tokens are as protective as you claim they are, why would it be important for them to expire?
read above for the conversation that occurred.
>Would you also advocate for the token issued by authoritarians' preferred "send a video of yourself [0] and/or your government-issued photo ID [1] to some random third-party for-profit company" check to frequently expire? If not, what's up with the discrepancy?
a) no, obviously not, because i dont advocate for video or id-based age verification.
b) i know that you know this, and are just pretending to be ignorant for some weird ass reason: various age verification implementations have different risks and benefits.
for some implementations, users are forced to give up significant amounts of privacy in favor of increased accuracy. other implementations give up less privacy, at the risk of reduced accuracy. look at discords implementation for a recent example (it was easier to spoof the client-side verification than the server-side id-based one. more privacy, less accuracy). this type of balancing act is not new. we do the same balancing act with alcohol, smoking, gambling, healthcare, security, development, etc.
so, when looking at potential mitigations for less-accurate methods, while maintaining the same level of privacy, a sensible option is to make the UUIDs time-bound which will limit the time an illicit token is valid. this makes much less sense for id/video-based verification, because they have higher accuracy than my version (paid for by giving up your privacy).
---------
something you said earlier: "Your time and energy are better spent resisting the expansion,".
so, go do that. find the people that are really pushing for age verification, and argue with them. instead of replying to me, use that time to call your state representative or something. im not your opponent here. if it were up to me, we wouldnt have age verification in the first place. you already know that my stance is anti-age verification!
my proposal is not perfect. i dont like age verification. you can have the karma from this argument, its cool, you can "win". what more do you want me to say?
(Also, like, did you ever go to college? Live in a dorm or apartment with underage students? It was super common for of-age people to buy and distribute booze to substantially underage students. Everyone knew it was happening all the damn time.)
> they are obviously not liable if i buy something legitimately, go home, and feed it to my kid. in that case, i am liable...
And if you changed up the rules to make them liable, you'd see serious attempts at controlling distribution.
What has been the state of the art in parental controls for quite some time is like the current regulatory regime for booze and tobacco. The single thing that needs to change to make it exactly the same would be to make it substantially illegal for US-based publishers to not tag the porn/violence/etc that they publish with age-restriction tags. [0]
What's being proposed and is currently implemented by several big-name sites is even more invasive.
> we are okay with how smokes and alcohol works right now.
I'm not. Either booze and tobacco need to be made into Schedule I substances, or their regulation needs to become much more lax. But I recognize that my opinion on the topic is considered to be somewhat out-of-the-ordinary.
[0] This might already be the law of the land right now. I haven't bothered to check.
because they dont matter. parental controls exist today but have been deemed ineffective for the age verification conversation, for whatever stupid reason. so we are stuck trying to figure something else out. do i wish we could just use the existing basic parental controls instead of whatever the hell we are going to end up with? obviously!
the easiest "something else" is to piggy-back on existing age-restriction regulations (i.e. smokes, alcohol, gambling) because they have broad (obviously not ubiquitous, but broad) support. we have decades of experience with them.
and, to that end, you create a little token and you show your id to the store clerk to buy it. the "protect the children" people are satisfied (its the same process everything else age-restricted!), and i dont need to send my id to a peter thiel company. it preserves privacy, it re-uses existing laws, it re-uses existing infrastructure, etc.
Consider that such arguments (just like the arguments of Prohibitionists that resulted in the rise to power of Organized Crime) are made in a varied combination of ignorance and bad faith, and that we should loudly reject them in the strongest possible terms.
To be clear, I'm asserting that the claim that preexisting parental controls are insufficient is an argument made in ignorance and bad faith, not your assertion that the argument is being made.
me and you can yell into the void all we want. and i will continue to do so!
but, age verification is already here. so while i continue to yell about how stupid it is, i am also going to propose options that i feel like are less bad than what is being actively rolled out right now.
As I mentioned, what you propose is exactly as useful and protective as what we have now. What we have now has been roundly rejected by the authoritarians pushing this expansion of power and influence. Your time and energy are better spent resisting the expansion, rather than suggesting alternatives that those authoritarians will never accept (and tacitly accepting their premise in the process).
i disagree, for reasons i have already said and for other reasons i havent yet.
but it is clear that we wont end up agreeing, so no need for us to keep going.
No matter what the actual mechanism is, I guarantee they will insist on something like that.
if the goal is "surveil everyone using the internet", yes, very obviously my proposal would not be selected, and you will have to upload your id to various 3rd-party id verifiers.
I'm not sure that's the right answer here, but I think it ticks a lot boxes for the state.
As it is we're seeing companies capture IDs and face scans and it's incredibly invasive relative to the need - "prove your birth year is in range". Getting hung up on unlinkable sessions is missing the forest for the trees.
At this point I think the challenge has less to do with the crypto primitives and more to do with building infrastructure that hides 100% of the complexity of identity validation from users. My state already has a gov't ID that can be added to an apple wallet. Extending that to support proofs about identity without requiring users to unmask huge amounts of personal information would be valuable in its own right.
Your crypto nerd dream is vulnerable to the fact that someone under 18 can just ask someone over 18 to make an account for them. All age verification is broken in this way.
There is a similar problem for people using apps like Ubereats to work illegally by buying an account from someone else. However much verification you put in, you don't know who is pressing the buttons on the screen unless you make the process very invasive.
An 18-year-old creating an account for a 12-year-old is a legal issue, not a service provider issue. How does a gas station keep a 21-year-old from buying beer for a bunch of high school students? Generally they don't, because that's the cops' job. But if they have knowledge that the 21-yo is buying booze for children, they deny custom to the 21-yo. This is simple.
They don't? Teenagers can easily get their hands on alcohol... you just need to know the right person at school who has a cool older brother. If their older brother is really cool they can get weed too!
The police absolutely do not have the time to investigate the crime of making a discord account for someone.
They don't care whether you are 14 or not. They want your biometrics and identification. "Think of the children" is just a pretense.