So the schemes always start introducing features to reduce the anonymity of the tokens or make them more trackable in some way:
> The highest friction version of this is that the credential ties to a real world identity somehow; maybe locked behind legal barriers, etc., but if a minor is caught using someone's credential, then the person whose credential they are using can be investigated, and, if necessary, charged with a crime
Which requires that these identity tokens not be anonymous age-verification credentials. They become a traceable identity token tied to your government-issued ID.
Not if you use a challenge-response protocol where the client returns a zero-knowledge proof of age, where the proof incorporates a random string sent by the website.
The traceable stuff is private information that the website never sees. If a minor is caught with it, then law enforcement has local access to the minor's hardware and can probably view the private data.
At that point, the private key can be put on a public revocation list. The zero-knowledge proof can include a proof that you're not on the revocation list. Once you've been revoked, you have to go through the hassle of setting this all up again, which might be enough incentive to keep it reasonably secure.
If there's a simple piece of software that can be installed, it's not meaningfully increasing the barrier. Also, there are negative consequences to introducing "rules that you're expected to break" like this. It makes the law unserious.
And if it's a phone app, it's not going to be on app stores and you already know the person giving you the app is a criminal.
So you're installing an untrustworthy app to risk criminal charges, and the customers of this scheme are kids who mostly don't have a lot of money.
So the schemes inherently add some traceability, which makes the tokens no longer actually anonymous.
This is the back door used to make the tokens double as ID tokens.
1) You give a teenager your full credentials. Teenager is careless, as teenagers often are, and posts something revealing who he is. Cops have option to search teenager's phone, see who you are, and at least revoke the credentials.
2) You install a relay app on your phone, for money. Now you've installed an untrustworthy app from a criminal, who might hack you, or might be arrested and reveal details of your device and where they're sending your money.
Neither scenario happens because the age verification is traceable.
3) Your credentials get stolen, and used in a foreign country to implement a relay scheme.
This one, I admit, my scheme can't do anything about. But this means our teenager has to pay a foreign entity. Teenagers can also pay foreign porn sites directly, if porn is our concern.
On top of that, the age verification systems we've seen so far have their own security holes that teenagers are exploiting without having to pay anything.
My personal view is that the whole thing is ridiculous and we shouldn't bother with any of this. My point is just that we can implement reasonably good age verification without eliminating anonymity on the internet.
Just offer the user some money if he installs some "trusted" app for age verification token sharing.
And then what? You think the police are going to make a case out of getting a token blacklisted or start an investigation into the person who the token came from? Also confiscate their devices as part of the investigation? I guarantee that the token source will be someone in another state or another country or just a stolen ID being used to sell their tokens.
I can’t believe we’re getting to the point where we’re talking about sending the police to deal with cases where a minor is suspected of, what, accessing social media? To confiscate their device and do forensic analysis of the tokens on it?
Do you realize how insane this is getting? How does anyone think this is feasible, let alone a good idea?
It's still my preference to have no verification at all. On the internet, nobody should know you're a dog.
The problem with your hypothetical was that you casually introduced the police as an enforcement mechanism for cases of a minor accessing an over-18 website. The implication is that the physical police are now involved in our access of websites, and you’re saying the tokens involved in us accessing websites will have some evidence that they can use in the investigation of that access.
This is why we keep saying that the anonymous token schemes don’t preserve privacy. It always turns into a slippery slope of adding escape hatches to the anonymity to enforce violations. The very implication that the police are going to be tasked with going out and confiscating devices to investigate suspected age token violations is an indicator of how far the window has shifted on Internet privacy.
Obviously it does. These $1 per-day apps are 24/7 online and so challenges can simply be proxied just the same as tokens.
> ... law enforcement has local access to the minor's hardware ...
This is a large part of what people, in practice, want to prevent using this scheme.
> Once you've been revoked, you have to go through the hassle of setting this all up again, which might be enough incentive to keep it reasonably secure ...
States want to know who to punish when this happens. Which also details how this is defeated: you can't revoke the token, because that makes getting a conviction near-impossible and it exposes the states to counterclaims.
The people who install such forwarding apps don't have money for the court to charge, and they can't take away their identification apps (which these will be, obviously) because that's the cheapest way for states to communicate with them.
Unless you build this into the base layer of the internet (which European networks like minitel did, by the way, with France telecom graciously checking it for free. Free for the state, of course. YOU paid per packet)
> ... to keep it reasonably secure ...
Oh and "reasonably secure" won't cut it. Someone committed suicide after a message was posted, and they're "reasonably secure" who it came from? You see the problem, I hope.
Regarding my scheme:
The only way law enforcement should have access is if they show up and get the phone in their possession, with a warrant. Which could happen any time some teenager posts something without realizing it identifies them.
If the teenager has your full credentials, that's when law enforcement sees who you are, and can take whatever action we deem appropriate. I would think just revocation if you might have been hacked, more severe if it's clear you shared on purpose. Revoking credentials doesn't interfere with the person using the app for other purposes, or with any prosecution, and criminal prosecution doesn't rely on the perp having money; quite the opposite in fact.
If you install a proxying app for the challenge-response, you're installing an untrustworthy app from a criminal to take payment for a criminal scheme, with risk of prosecution if that criminal gets caught.
Nothing in society is perfectly secure. There are all sorts of ways that we allow some crimes and tragedies to happen because we know that preventing them would be even worse. There are good reasons that courts have long protected privacy and anonymous speech, even though we could solve more crimes without those protections.
It’s beyond crazy that we’re actually talking about police showing up at someone’s house because they suspect a social media post came from an under-18.
This is one step away from your local government unmasking their Internet critics and sending police to their house by “suspecting” that they might actually be a minor.
> If the teenager has your full credentials, that's when law enforcement sees who you are, and can take whatever action we deem appropriate. I would think just revocation if you might have been hacked, more severe if it's clear you shared on purpose.
Why would you assume the person giving out the token is in the same jurisdiction? The tokens would almost certainly be coming from another country.
The police aren’t going to be tracking down teens, confiscating their phones, running forensic analyses, and then doing the work of getting tokens revoked through a possibly international process. They barely have enough time to show up and take a report when someone does minor physical proper damage.
All this does is open up the process for targeted abuse when governments or police need an excuse to go after someone posting on social media.
If you can identify physical hardware from a request or post, obviously it's not anonymous. In fact, if you can identify the owner of credentials from the credentials, they're not anonymous. Obviously in an actual anonymous system it is utterly impossible to do this, whoever you are.
So you've just proven your own argument wrong. Anonymous age verification online is impossible. You don't agree?
The way this works is, there's a function with both public and private inputs, and an output. You can send me public inputs, and I can pass those plus my private inputs into the function, and give you the function output, along with a proof that the output is correct given your inputs.
So in this case, the government has a public key, which it uses to sign your credentials, consisting of your birthdate and a unique identifier.
The website sends you a large random number.
The public inputs are the government public key, the random number, today's date, and maybe a revocation list of identifiers.
The private data is my unique identifier and birth date.
The function returns true if my calculated age > 18, the government's signature of my data is valid, my private identifier is not on the public revocation list, and (to avoid replays) that the hash of your random number is not zero.
I send you back the generated proof, which is just a 256-bit number. You can check that the proof is correct without looking anything up. The proof does not give you any way to reconstruct my private data. It is only associated with the random number you gave me, and the public data everyone knows.
To keep the revocation list from growing forever, we could also make credentials expire after some period of time. Add an issue date to the private data, and we can add an expiration check to the function. Client software can automatically get a new credential if the old one is valid, expiration is just to allow us to delete old identifiers from the revocation list.
A hole in the above scheme is that government could try redoing proofs for a given random number, using all the current identifiers. To prevent this, the user passes in another random number as private data, and the function checks that that doesn't hash to zero either. User can change that random number every time, its only function is to change the generated proof to something the government can't replicate.
With integrity protection, tokens can only be minted with a government app, driven by both biometrics and physical human hands touching the physical screen. There's no way to do it in the background. Without it, you can indeed have a single activist mint 10 billion tokens and give them out for free, defeating the entire scheme.
There's a CAP-style triangle here. You can have age assurance and anonymity but lose the ability to run your own software, have age assurance and device control but lose anonymity (via traditional ID checks, which don't require IP in theory), or have anonymity and device control but lose age assurance.
As it stands today, doing business on ebay/craigslist/etc isn't that much different than doing it in a back alley in the bad part of town. Generally a bad idea but YMMV if you keep your wits about you. Of course it's your right to do business that way, but no one in their right mind thinks it's acceptable to do global commerce that way.
Commerce relies on legally enforceable contracts (both paper and EULAs), which ultimately rely on identity to be enforced. It's a bug, not a feature, that someone on the internet can steal my identity to purchase a product in my name and have it shipped wherever they want. It's a feature, not a bug, that my bank asks me for photo ID before I empty my account in person.
I'm not allowed to access banking computers, except occasionally and from within in a sandbox with proper credentials (ATM card for example). If, in the future my bank needs to do their compute inside my house on my phone, then it seems fair that there should be walls that keep me outside of their trusted compute.
That said, I am 100% behind keeping open purpose general computing free and available. Rooted devices, self built PCs etc all of it. I love it, saying this as a person who grew up building their own PCs and programming from a young age. I think that we all should be able to access the non-commercial side of the internet in any way we want, a true public square, warts, gutters and all. Hobbyists can do whatever they like as long as it doesn't touch commercial systems.
As I see it, the problem for most of us is that the social/fun side of the internet has largely been captured by commercial interests. Anything with a EULA should be considered a commercial site, since you're legally bound by a contract using it. As it stands today all the fun things on the internet would require enforced identity.
Maybe having a separate walled off "commercial internet with identity enforcement" will finally open the public's eyes as to the ramifications of the digital world we've built. And also allow us to individually take a stand and push back against the commercial interests through our daily choices of what sites we visit. Basically voting with your ID chip instead of your pocketbook. You can still do business in the gutter if you want to, but for the normies it will be easier for them to spot when they're in a back alley. And it gives parents options for keeping kids off of the anonymous side as as well.
I do think a Reddit with identity would be a much less toxic place. As long as the brave adventurers among us can still access the digital gutters like 4chan and other message boards.
Do you remember the days of "Real name" requirements on YouTube and "Google+"? The experiment was tried, it didn't change things. (Also, see Facebook for an ongoing version of the same experiment).
This is certainly something that can be solved technically if we want.
All of these solutions seem very complicated, for little benefit. So a anonymous age verification scheme, fine with me. But making it more complicatdd, because dark entities could capture and resell tokens .. seems a step in the direction of madness.
But these days I see a lot more talk about the developmental effects of parasocial media on kids. There’s a whole segment of buy-in there that didn’t exist before.
Example: schools banned phones, so kids switched to talking over Google docs:
https://www.theatlantic.com/technology/archive/2019/03/hotte...
If we give parents better tools to limit and monitor internet access, kids will just buy a used phone which is unregulated. If their parents even bother to use the tools in the first place (it is my impression most parents do not). There is also a lot of loopholes parents do not even think of (like a web browser on a game console).
They don't work even then.
Suppose you completely eliminate privacy on the internet and require every domestic site to collect the name and social security number of everyone who visits. Then a child uses an adult's ID, regardless of whether it's with or without their knowledge. Is the child going to inform on themselves? No. Is the adult, when they don't even know about it? No. Is the adult, when they provided it on purpose? No.
That constitutes the entire set of people who would typically know that the person using the device isn't the person on the ID.
On top of that, we can punch an even bigger hole in it. Search engines, among other things, index other sites. Google is obviously the biggest but there are many others -- Bing, Marginalia, Brave, Swisscows, Yandex, Perplexity, Baidu, etc. They're run by adults and most of their users are adults, who reasonably expect to be able to turn off "safe search" if they want to. So some adult at each search engine would have to provide their ID to the crawler so it can index things inappropriate for children and show them to adult users. It would therefore be a fairly unremarkable and recurring thing to see the same ID make a zillion gigatons of requests.
But then you can't use "why is this person downloading 100 things from 100 computers at once" as an indication of anything nefarious happening, and anyone can still set up a service hosted on a foreign server that will serve adult content to anyone without an ID by serving it out of a cache. (And in the case where you're invading everyone's privacy, that service would also be very popular with adults.)
In the context of social media, if they want to actively participate they have to given that it's the entire point. It's true that even with a government ID scheme people could borrow someone's ID to get passive access with their consent. But a kid couldn't share an account with a parent without that parent knowing because you see their activity, and they also couldn't post.
Put the burden of responsibility on the sites themselves and the number of people that will be able to successfully bypass such restrictions is going to be negligible and largely depend upon ongoing inorganic behavior or being an outlier in terms of behavior/interests.
This sounds a lot like what governance is supposed to be, but there is a critical difference. It's one thing for our society to agree generally on categories that are inappropriate for children, to encode those into law, and to enforce those laws. The difference is, enforce to whom?
Children are victims, not perpetrators. Age verification restates a child's role as perpetrator. This is the premise that I find unacceptable.
Unfortunately, the said-government doesn't seem to worry about the fact that their own systems have been breached over the years
Then why are they forbidding VPNs?
This is clearly NOT a use case that is solely referring to minors.
The whole cake is a lie and so is your assumption that age sniffing is "to protect children".
> Keep dreaming of a technological solution
We don't "dream" - we know what is possible and what is not.
Mass surveillance of everyone is simply not an option.
> Let individual parents decide on the level of harm that they are willing to accep
Nobody has an issue IF it were about individual parents, but it clearly is not. Governments try to criminalize and restrict everyone - and that is the true agenda.
The problem is, this is wrong. What these governments want to do is get a grip on online behavior, through actions against individuals, who can't/won't defend themselves, rather than through actions against gigantic corporations that may choose litigation and take years to change their behavior, if they do at all.
Governments want to declare something illegal, say downloading a movie, putting racist comments online, ... then catch everyone who engages in that behavior online through mandatory identification, and actually have an effect.
To do this, breaking privacy is, of course, a core requirement. This can be introduced into these systems afterwards ("judge X wants to know who authenticated with token <token>, please provide the information"). Without this, government rules will remain totally ineffective online like they have been in the last 40 years.
I personally much prefer government rules remaining totally ineffective online.
I feel strongly that this conspiratorial mind-reading approach to this sort of issue is just counterproductive.
What all the governments (and non-governments, frankly, there are many supporters of these things) are asking for is excluding minors from certain websites and services.
The problem is that this translates to age verification, which translates to identify verification, which incidentally gives states and other actors a variety of other tools they can use for anti-civil-liberties purposes.
In the end their motives are just irrelevant unless there is a clear way to exclude minors from certain services without going down the chain towards identity verification. Such a way does not exist, so we have to fight it here, at the point where the basic ask emerges.
Buying alcohol for a minor implies knowledge and intent.
Getting the tokens out of a phone doesn't require the user to do any of that, the user just has to be frugal and keep the phone longer than it's supported by the manufacturer, until some local exploit is found again, and that token will be extracted and available online for everyone to use.
Parents buy those phones, phones could easily have a "user is a minor" setting (and a flag sent to all the sites that want one) with a password for parents to unlock stuff if needed. This would be set during the phones first set up, and it's done. But nope, the plan is for everyone to install a form if a digital ID on their phones, and once it's there, requiring full-name identification when registering is just one step away.
In most countries it's perfectly legal to provide alcohol to your kids.