EFF launches Age Verification Hub

This keeps coming up and we keep having the same debates about what Age Verification isn't.

For the folks in the back row:

Age Verification isn't about Kids or Censorship, It's about Surveillance

Age Verification isn't about Kids or Censorship, It's about Surveillance

Age Verification isn't about Kids or Censorship, It's about Surveillance

Without even reaching for my tinfoil hat, the strategy at work here is clear [0 1 2]. If we have to know that you're not a minor, then we also have to know who you are so we can make any techniques to obfuscate that illegal. By turning this from "keep an eye on your kids" to "prove you're not a kid" they've created the conditions to make privacy itself illegal.

VPNs are next. Then PGP. Then anything else that makes it hard for them to know who you are, what you say, and who you say it to.

Please, please don't fall into the trap and start discussing whether or not this is going to be effective to protect kids. It isn't, and that isn't the point.

0 https://www.eff.org/deeplinks/2025/11/lawmakers-want-ban-vpn...

1 https://www.techradar.com/vpn/vpn-privacy-security/vpn-usage...

2 https://hansard.parliament.uk/Lords/2025-09-15/debates/57714...

I am someone who is very privacy focused. I've literally never had a social media account on any platform and I'm 42. From day one of facebook, I never wanted my information online. Like many here, I'm deeply concerned about privacy and surveillance.

In real life, we think age verification is a good thing. Kids shouldn't buy porn. Teenagers shouldn't get into bars. etc... There has to be room somewhere for reasonable discussion about making sure children do not have access to things they shouldn't. I think it's important to note, that complete dismissal of this idea only turns away your allies and hurts our cause in the long run.

I'm not dismissing that idea. It is a perfectly reasonable thing to think about, part of why we have age verification techniques that already work well in critical places like online vape shops.

I'm even willing to talk about the possibility that we could use more robust systems deployed more broadly. A lot of folks here are talking about ZKPs in this regard, and that's not a bad idea at all.

The issue I'm trying to sound the horn on is that the current push for AF in the US and EU has nothing to do with kids. I think you could put together a working group on ZKPs and Age Verification, write up a paper and run experiments, and when you bring it to the lawmakers they're gonna say something to the tune of:

"yeah but that's not trustworthy enough and too technical for people to understand so we're just going to serve legal notices to VPN providers instead to tell them that they can't anymore"

...or something to that tune. I'm not a mind reader, I've just read the reports (by lawmakers) mentioning VPNs as an "area of concern".

This is a political gambit and not a new one. The more we treat the current issue as having anything to do with protecting kids the more we legitimize what is an obvious grift.

How does age verification work for online vape shops?

I think the equivocation of online and real life is a massive mistake. When you go into a grocery store you are constantly on CCTV. Does that mean when you shop on Amazon them recording you via webcam should be considered? Obviously not. The restrictions in real life are temporary. If you try to buy port, go into a bar, etc you are asked for ID and they look at it and hand it back. They don't take your ID, your picture and store it forever and then sell information about you to other people.

The concern about children is aimed at the wrong target. Instead of targeting everyone it would make far more sense to target the platforms. With Roblox having a pedo problem the company should face punishment. That will actually get them to change their ways. However all these massive platforms are major donors to politicians so the chance of that happening is low to none.

> They don't take your ID, your picture and store it forever and then sell information about you to other people.

It would not surprise me in the least if there are brick-and-mortar businesses doing this, especially larger companies in jurisdictions (such as the majority of the United States) with weak/nonexistent privacy protections.

> If we have to know that you're not a minor, then we also have to know who you are

That is untrue

Are you aware of any age verification systems that do not have this property?

(This includes being robust against law enforcement action, legal or otherwise.)

In real life the situation is different. When I buy alcohol, someone looks at my drivers licence, does not make a copy of it, forgets it quickly, and cannot tie it to other information about me. As soon as it's online and it's copies, I can't tell what happens on anyone else's servers. I don't want any company knowing my actual name and location, then that can be tied to more data, which is what Google etc have been trying to do for years but this would just completely fast track that. I would in theory be fine with something where it never leaves my computer, but that is obviously impossible.

> The issue I'm trying to sound the horn on is that the current push for AF in the US and EU has nothing to do with kids. I think you could put together a working group on ZKPs and Age Verification, write up a paper and run experiments, and when you bring it to the lawmakers they're gonna say something to the tune of:

The EU is currently doing large-scale field tries of the EU Digital Identity Wallet, which they have been working on for several years. It uses ZKPs for age verification. They expect to roll it out to the public near the end of 2026.

> Age Verification isn't about Kids or Censorship, It's about Surveillance

We know this because, instead of putting easy-to-use parental controls on new devices sold (and making it easy to install on old ones) with good defaults [1], they didn't even try that, and went directly for the most privacy-hostile solution.

[1] So lazy parents with whatever censorship the government thinks is appropriate for kids, while involved parents can alter the filtering, or remove the software entirely.

In the online world you can’t make sure of anything. Florida for instance requires age verification for porn sites. Guess how many mainstream sites not based in the US are completely ignoring the law and guess how many others are easily accessible via a VPN? If you guessed the sum total of both is less than 100%, you would be wrong - and even that is tilted toward sites that just ignored it.

The one thing you can control is your childs access through their device using parental controls.

I can absolutely guarantee you that any teenager can easily get access to weed, cigarettes and alcohol despite the laws and definitely can use a VPN. It only takes one smart kid to show them how.

> In real life, we think age verification is a good thing.

Ok. In real life, do we think having agents from the government and corporations following you everywhere, writing down your every move and word, is a good thing? Or rather, what kind of crime would one have to have committed, so that they would only be allowed out in public with surveillance agents trailing them everywhere?

How about:

https://blog.google/technology/safety-security/opening-up-ze...

Like many mention in other comments on this post, it's possible to implement using ZKPs. There are likely other methods that would be effective without compromising privacy. None of them are part of the Age Verification discussion because kids are not the actual point of Age Verification.

When I say "if we have to know you're not a kid, we have to know who you are" I'm not stating an actual truth, but the argument as it is playing out politically.

I appreciate the mention - i had not yet heard of this EU DIW thing. That said, I can't find any resources on it that mention the use of ZKPs. Could you share a link?

They don't need to. If you bought something with a card they just store that - let the data brokerage handle connecting it with actual ID cards and other elements of your identity.

But yeah, walmart is for sure logging their transactions and selling the data. It's practically free money.

> None of them are part of the Age Verification discussion because kids are not the actual point of Age Verification.

The EU age verification solution says implementations SHOULD implement[1] their ZKP protocol[2]. Not linking it to the user is stated as an explicit goal:

Unlinkability: The goal of the solution is to prevent user profiling and tracking by avoiding linkable transactions. Initially, the solution will rely on batch issuance to protect users from colluding RPs. Zero-Knowledge Proof (ZKP) mechanisms will be considered to offer protection. More details are provided in Section 7.

[1]: https://ageverification.dev/av-doc-technical-specification/d...

[2]: https://ageverification.dev/av-doc-technical-specification/d...

1) Large social media companies know you better than your friends. That has been known for 10 years and they're way better now: https://www.nytimes.com/2015/01/20/science/facebook-knows-yo...

2) Cigarette vending machines accept VISA cards and government IDs and they're offline.

3) A medium-sized social media network required photos (not scans) of GovIDs, where only year of birth and validity date need to visible. The rest could be blacked out physically.

4) You can guess users' age and only request solid proof only for those you are unsure about.

The problem is that we technical users think of a one-size-fits-all technical approach that works, without a single fail, for all global users. That is bound to fail.

It is only a law and you can break it big time or small time. Reddit's approach might proof way too weak, it'll be fined and given a year to improve. Others might leave the market. Others will be too strict and struggle to get users. Others might have weak enforcement and keep a low profile forever. Others will start small, below the radar and explode in popularity and then enforcement will have to improve.

You can also request identity and then delete it. (Yes, some will fail to delete and get hacked.)

Giving Facebook a free pass is stupid. They're selling your age cohort "10-11" within 0.0037ms for 0.$0003 to the highest bidder on their ad platform.

> the argument as it is playing out politically.

The law does not mandate identity, so your argument does not hold.

Cool trick to tie in the libertarian idea of protecting yourself from legally sanctioned government actions.

> I can absolutely guarantee you that any teenager can easily get access to weed, cigarettes and alcohol

Is you argument then that we shouldn't age gate those things in reality either? Would you suggest that teenagers smoke and drink just as much as they would have had it been legal to sell to minors?

Laws don't just exist to stop you, they also exist to shape society. They exist as signals for what we deem appropriate behavior.

A lot of the proposals don't involve you sending your drivers license or "other information" to anyone. The site in question asks you to verify with a trusted third party (usually a government entity), and that trusted third party only provides then with the end result of the validation.

> which is what Google etc have been trying to do for years but this would just completely fast track that.

Excuse me? They have done that for years. There's nothing to "fast track" here. Big Tech already implemented surveillance.

I don't, but society clearly does. We're already there.

If privacy is an explicit goal, why isn't it a MUST? Why even bother with the initial batch issuance phase? And what's stopping them from silently adopting a batch size of 1?

How many of those proposals do not have a government-mandated app as a spider in the middle of the web, which is aware of all the apps and websites you try to visit which ask for validation?

> Are you aware of any age verification systems that do not have this property?

As I understand it, it's the goal of OpenID4VP[1][2]. Using it a site can request to know if the user is over 18 say, and the user can return proof of just that one claim, I'm over 18, without sharing identifying information.

The new EU age verification solution[3] builds on this for example.

[1]: https://openid.net/specs/openid-4-verifiable-presentations-1...

[2]: https://docs.walt.id/concepts/data-exchange-protocols/openid...

[3]: https://ageverification.dev/

So we make meaningless laws that inconsistently enforced? What do you think happens when little Johnny is caught with weed in his car in a 95% White high income school district vs little Jerome in a 95% Black school district?

Also how much “shaping of society” do you expect to happen when you pass a law that no one respects?

How many kids do you think a law is going to stop from going to the porn sites that completely ignored the law?

How many kids say “I really want to smoke weed but it’s illegally so I won’t do it”?

Is there a good explanation of how ZKPs prevent attestation providers (which presumably know your identity) from linking an issued proof back to you if, for example, the website elects to store it? I can wrap my head around RSA and ECC and PKI, but I haven't managed to make sense of this yet.

Assuming that's even a goal, of course. The cited paragraph mentions RPs (the websites, from what I understand), but makes no mention of attestation providers.

Age verification is absolutely about kids. It’s also being used (or hijacked into) a vehicle for people who want increased surveillance.

There is a ton of evidence that there are harms to unrestricted online access for kids and teens (the book The Anxious Generation is cultural touchstone for this topic at this point). There is a real, well reasoned, and valid movement to do something about this problem.

The solutions proposed aren’t always well targeted and are often hijacked by the pro-surveillance movement, but it’s important to call out that these solutions aren’t well targeted instead of declaring the age verification push isn’t addressing a real problem and constituency.

> How many kids say “I really want to smoke weed but it’s illegally so I won’t do it”?

I think it's generally accepted that marijuana use increases after legalization. So yes.

Can't read the specs at the moment, but what prevents the age verification service and the age-gated website from coluding and de-anonymizing your porn use?

Politicians in Washington State is proposing not just age verification but also health warnings on adult websites. How is either constitutional?

https://www.xbiz.com/news/294260/washington-av-bill-jumps-on...

> In real life, we think age verification is a good thing. Kids shouldn't buy porn. Teenagers shouldn't get into bars. etc...

These are not equivalent, I don't have to scan my face, upload my ID and share my personal biometric data with various 3rd parties, who will sell and leak my data, every time I want to look at porn or sip a beer.

Also, there are countries where teenagers can drink and go to pubs, and society hasn't crumbled. We also have several generations of young adults with access to porn, and the sky didn't fall.

Maybe we shouldn't use the government to implement a "papers, please" process just to use and post on the internet, maybe we should instead legislate the root cause of the problem: algorithmic optimization and manipulation. That way everyone benefits, not just kids, and we won't have to scan our faces to look at memes on Reddit.

Laws that nobody respects lead to lack of respect for the law as a whole.

Hate to break it to you, you're on social media right now.

Not according to the CDC with kids

https://www.mpp.org/issues/legalization/adult-use-legalizati...

It's been illegal to sell porn to minors since approximately forever. If that is constitutional (not saying it is, but I'd be surprised if it wasn't since it's such an established practice), then I don't see how requiring age verification on porn sites wouldn't be. Requiring health warnings might be another matter, though. Not sure about that.

As many others have mentioned in this thread and others, there are ways - effective and straightforward ways - that we could be protecting our kids from the harms that come with the www.

The harms are real. The solution is a Surveillance Wolf wearing a dead Save The Kids Sheep(tm).

Solutions that might work - RTA headers [0]. More robust parental controls. Not this reimagining of the rules of the internet in service of a fairly vague and ineffective goal. It's like the whole AV concept was designed not to work in the current context at all - almost as if that was the point.

Perhaps I'm going a little out on a limb. I don't think I am - but quick, tell me you need to know where I'm dialing from without asking me where I'm dialing in from.

0 - https://www.rtalabel.org/index.php

If HN is social media, then so are PHPBB, NNTP, BBS, etc. and the term loses its semantic relevance.

My heuristic is that social media focuses on particular people, regardless of what they're talking about. In contrast, forums (like HN) focus on a particular topic, regardless of who's talking about it.

Unfortunately The Anxious Generation is a very well-written house of cards built on questionable studies [1] and its success is simply a reflection of the fact it capitalizes on the trendiest moral panic of our times.

Social media is akin to violent video games in the 2000s, tv addiction in the 90s, santanic heavy metal in 80s, and even 'bicycle face' in the 1890s bicycle craze.

Jonathan Haidt seems extremely earnest and thoughtful, but unfortunately being lovingly catapulted to fame for being the guy who affirms everyones gut reaction to change (moral panic)...makes it extremely difficult financially, emotionally and socially for him to steelman the opposite side of that thing.

Even if he hadn't compiled a bunch of suspect research from pre-2010 to make his claims, the field of Psychology is at the center of the replication crisis and is objectively its worst offender. Pyschology studies published in prestigious academic journals have been found to replicate only 36% of the time. [2]

1. https://reason.com/video/2024/04/02/the-bad-science-behind-j...

2. https://en.wikipedia.org/wiki/Reproducibility_Project

Okay but then if a ZKP solution is presented, that's calling their bluff. They now have one less excuse for surveillance.

EDIT: Actually do one better - tell them that for 16+ websites, you're actually protecting teenagers by keeping them anonymous.

You would think so, but DARE increased adolescent usage of some drugs while having little to no effect on others.

Turns out being illegal isn't as much of a disincentive as being uncool. If your parents are smoking it...

Doesn't matter what you want it to mean. What matters is what those in power want it to mean. It's very easy to stretch the definition to cover all sites where people can post content for strangers to see, or stretch it even wider to all digital media where people can interact with a social group.

Does the “sell” part matter - like is it simply that the sale to minors can be regulated? If it is free isn’t it just transmission of information?

> Doesn't matter what you want it to mean. What matters is what those in power want it to mean.

I was replying to a discussion between two HN users, who were using conflicting definitions of the term. AFAIK they are not "those in power".

Yeah, getting into the car with the guy holding the gun doesn't become okay because you have a great argument you're waiting to use down the road. He's already got the gun out.

We should have started arguing when he just said he had a gun, indoors, in the crowd. We shouldn't have quietly walked outside at his demand. But that all happened. Here we are now, at the car, and he's got the gun out, and he's saying "get in", and we're probably not going to win from here -- but pal, it's time to start arguing. Or better yet, fighting back hard.

Because that car isn't going anywhere we want to be. We absolutely can not get in the car right now, and just plan to argue the point later. It doesn't matter how right the argument is at all.

Parental control software has existed for decades. It hasn't worked.

Over 70% of teenagers <18 today have watched porn [1]. We all know (many from experience) that kids easily get around whatever restrictions adults put on their computers. We all know the memes about "click here if you're 18" being far less effective than "click here if you're not a robot."

Yes, there were other ways of trying to solve the problem. Governments could've mandated explicit websites (which includes a lot of mainstream social media these days) include the RTA rating tag instead of it being a voluntary thing, which social media companies still would've fought; and governments could've also mandated all devices come with parental control software to actually enforce that tag, which still would've been decried as overreach and possibly would've been easily circumventable for anyone who knows what they're doing (including kids).

But at the end of the day, there was a legitimate problem, and governments are trying to solve the problem, ulterior motives aside. It's not legal for people to have sex on the street in broad daylight (and even that would arguably be healthier for society than growing up on staged porn is). This argument is much more about whether it's healthy for generations to be raised on porn than many detractors want to admit.

[1] https://www.psychologytoday.com/us/blog/raising-kind-kids/20...

> AFAIK they are not "those in power".

AFAIK nobody here is. The point is that with relevance to the current discussion on potential future age-verification laws, only the widest definition matters, because that's what's at risk.

This is, of course, very technical, but here is how it works at a high level.

In the non-ZKP presentation, the "holder" (phone) sends the credential to the relying party (website), and the RP executes some verification algorithm. In the ZK presentation, the holder executes the verification algorithm and sends to the RP a proof that the algorithm was executed correctly.

The "proof" has this magical property that it reveals nothing other than the check passed. (You will have to take on faith that such proofs exist.) In particular, if the check was the predicate "I have a signature by ISSUER on HASH, and SHA256(DOCUMENT)==HASH, and DOCUMENT["age_gt_18"]=TRUE", anybody looking at the proof cannot infer ISSUER, HASH, DOCUMENT, or HASH, or nothing else really. "Cannot infer" means that the proof is some random object and all HASH, DOCUMENT, ISSUER, etc. that satisfy the predicate are equally likely, assuming that the randomness used in the proof is private to the holder. Moreover, a generating a proof uses fresh randomness each time, so given two proofs of the same statement, you still cannot tell whether they come from the same ISSUER, HASH, DOCUMENT, ...

Haven't either had time to fully wrap my head around the details.

At least in the EU solution they say there would be multiple attestation serivices the user could choose to use. So that would be technically better than nothing.

Nancy Reagan: Don’t sniff glue to get high.

Kids: You can sniff glue and get high!!!

I wonder how it relates to the health warnings on tobacco products?

Ya got me. Nevermind that the DSA (which I have read, in part) and the DIW (new to me) are different things, and that one does not mention the other [0]. Also the DSA is happening now while the Wallet thing isn't rolled out.

There are actual discussions about VPN regulation in relation to AV in the US [1]. The UK's OSA [2] is blatant about the need to violate encryption. Australia's OSA [3] has also come under criticism for precisely the things I'm talking about. Is it a stretch to extend this reasoning to the EU's incredibly similar legislation? Honk my nose if you must but I don't think so.

Here's the thing - I don't want you to listen to me, or anyone else on the internet, as an 'expert'. Verify your information personally, even when you trust it.

0 - https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32...

1 -https://www.eff.org/deeplinks/2025/11/lawmakers-want-ban-vpn...

2 - https://www.legislation.gov.uk/ukpga/2023/50/contents

3 - https://en.wikipedia.org/wiki/Online_Safety_Amendment

Is porn the biggest problem here? What I've seen points the finger at social media as the worst offender for youth mental health.

Also, access to porn isn't new with the internet. When we cleared out my grandpa's house we had to pry open a desk that was chock full of hustlers.

The thing is that as far as I can tell, a ZKP of age involves a state or similar attestor to issue an ID/waller that can be querried for age without revealing identity.

But attestor has to have certainty about the age of the person it issues IDs to. That raises obvious questions.

What states are going to accept private attestors? What states are going accept other states as attestors? What state won't start using its issues ID/Wallet for any purpose it sees fit?

This system seems likely to devolve national Internets only populated by those IDs. That can all happen with ZKPs not being broken.

That is how states work.

FWIW, not that it matters, the proper acronyms are EUDI (EU Digital Itentity) and EUDIW (EUDI Wallet). DIW is not used.

If it's not linked to an identity, why can't a kid use a parent's key?

the more I think about it, the more I feel like I need someone with deep knowledge to explain ZKPs to me.

So like, we've got this algorithm that gets sent our way and we run it and that provides kind of a cryptographic hash or whatever. But if we're running the algorithm ourselves what's to stop us from lying? Where does the 'proof' come from? What's the check that it's running and why do we inherently trust the source it's checking?

Excellent question. More generally, what prevents me from copying the credential and giving it to somebody else?

The currently favored approach works like this. The DOCUMENT contains a device public key DPK. The corresponding secret key is stored in some secure hardware on the phone, designed so that I (or malware or whatever) cannot extract the secret key from the secure hardware. Think of it as a yubikey or something, but embedded in the phone. Every presentation flow will demand that the secure element produce a signature of a random challenge from the RP under the secret key of the secure hardware. In the ZKP presentation, the ZKP prover produces a proof that this signature verifies correctly, without disclosing the secret key of the secure hardware.

In your example, the parent could give the phone to the kid. However, in current incarnations, the secure hardware refuses to generate a signature unless unlocked by some kind of biometric identification, e.g. fingerprint. The fingerprint never leaves the secure hardware.

How does the issuer (e.g. the republic of France) know that DOCUMENT is bound to a given fingerprint? This is still under discussion, but as a first bid, a French citizen goes to city hall with his phone and obtains DOCUMENT after producing a fingerprint on the citizen's phone (as opposed to a device belonging to the republic of France). You can imagine other mechanisms based on physical tokens (yubikeys or embedded chips in credit cards, or whatever). Other proposals involve taking pictures compared against a picture stored in DOCUMENT. As always, one needs to be clear about the threat model.

In all these proposals the biometric identification unlocks the secure hardware into signing a nonce. The biometrics themselves are not part of the proof and are not sent to the relying party or to the issuer.

So adults are required to own a phone to prove their age?

Can I log into an age gated service at a library without a phone?

I am someone with "deep knowledge", but HN is not the proper place for this discussion. See https://people.cs.georgetown.edu/jthaler/ProofsArgsAndZK.htm... for the gory details.

Here is a hopefully simple example of how this ZKP thing may even be possible. Imagine that you give me a Sudoku puzzle. I solve it, and then I want to prove to you that I have solved it without telling you the solution. It sounds impossible, but here is one way to do it. I compute the solution. I randomly scramble the digits 1-9 and I put the scrambled solution in a 9x9 array of lock boxes on a table. I have the keys to the 81 locks but I am not giving you the key yet. You randomly ask me to open either 1) one random row chosen by you; 2) one random column chosen by you; 3) one random 3x3 block chosen by you; or 4) the cells corresponding to the original puzzle you posed to me. In total you have 28 possibilities, and assume that you choose them with equal probability. You tell me what you want and I open the corresponding lockboxes. You verify that the opened lock boxes are consistent with me knowing a solution, e.g. all numbers in a row are distinct, the 3x3 block consists of distinct numbers, etc. If I am cheating, then at least one of your 28 choices will be inconsistent, and you catch me with probability 1/28, so if we repeat this game 1000 times, and I don't know the solution, you will catch me with probability at least 1-(1/28)^1000 which is effectively 1. However, every time we repeat the game, I pick a different random scrambling of the integers 1-9, so you don't learn anything about the solution.

All of ZKP is a fancy way to 1) encode arbitrary computations in this sort of protocol, and 2) amplify the probability of success via clever error-correction tricks.

The other thing you need to know is that the protocol I described requires interaction (I lock the boxes and you tell me which ones to open), but there is a way to remove the interaction. Observe that in the Sudoku game above, all you are doing is flipping random coins and sending them to me. Of course you cannot let me pick the random coins, but if we agree that the random coins are just the SHA256 hash of what I told you, or something else similarly unpredictable, then you will be convinced of the proof even if the "coins" are something that I compute myself by using SHA256. This is called the "Fiat-Shamir transformation".

How do we implement the lock boxes? I tell you SHA256(NONCE, VALUE) where the NONCE is chosen by me. Given the hash you cannot compute VALUE. To open the lock box, I tell you NONCE and VALUE, which you believe under the assumption that I cannot find a collision in SHA256.

Another excellent question. The current answer in the EU seems to be "you need a phone". My preferred answer (despite being one of the Google guys who designed the ZKP mechanism) would be that the government sends you some sort of plastic card with a chip that does not tie you to a phone. Still fighting that battle.

I think a parent should be able to give their kid access if they deem their kid mature enough. If the kid can handle social media without it becoming an addiction or a self-esteem issue or similar, then it would generally be a net positive. For example, social media may include YouTube which has a lot of educational content. Why hold the kid back?

GNU Taler has an age-verification extension.

But it's been illegal to peddle porn to minors for much longer than it's been illegal to peddle social media, so it's a good proxy for how effective our current efforts are.

> access to porn isn't new with the internet

“Ease of access” and “easy access to the most depraved shit you can think of that’s out there” is what changed. That is what is wrong and why many people feel we need to find some way to control that access.

The Internet didn’t come along until I was well into adulthood. Think about what porn access looked like in the late ‘70s and ‘80s. As a teen we were “lucky” if by some rare miracle a friend stole their dad’s Playboy, Penthouse, or Hustler and stashed it in the woods (couldn’t risk your parents finding it under your mattress) for us dudes to learn the finer points of female anatomy. In a week it would be washed out from the elements with nary a nipple to be seen. Those magazines (even hustler) was soft compared to what a few clicks can find today. Basically you got degrees of nudity back then, but we appreciated it.

Hardcore video was very rare to see as a horny teen kid in the ‘80s. Most porn movies was still pretty well confined to theaters, but advent of VHS meant (again by sheer luck) you had to have a friend whose parents happened to be in to it, who had rented or bought a video, it was in the house and accessible, all the adults had to be gone from the house so you could hurry up and watch a few minutes on the family’s one TV with a VCR. You needed to build in viewing time along with rewind time to hide your tracks.

Now…parents just leave the room for a few minutes and a willing kid with a couple of clicks could be watching something far beyond the most hardcore thing I saw as a teen.

The approximate substitute-good for porn is actual sex, which parents generally stop teens from doing. The substitute-good for social media is talking to people in person, which parents are generally happy with.

> Parental control software has existed for decades. It hasn't worked.

How would you know whether it has worked or not? Wouldn't the relevant criteria be up to parents themselves?

To make this more concrete: There are a lot of "legally sanctioned" government actions happening in the US right now that are pretty dubious. That includes digging up old laws and giving them spicy new interpretations that legal experts agree are an abuse of power and not in the intent of the original law.

Some of these are getting batted down by judges, so right now the category of "legal" is especially vague. That's why I phrased it like that.

But also, we see cops just straight up stalking people using government tools. So that's another reason to be concerned about "legal" government actions.

Nothing to do with libertarianism.

Sure it's possible, but are there implementations in use that meet this criterion?

Because if there aren't, then it matters substantially less whether they're possible.

I would much rather have laws that require that certain kinds of websites return machine-readable headers describing what kind of content is on them, and then browsers, web proxies, etc. could be configured by parents, schools, etc. to block undesirable sites.

People are complacent. Even me, even you. We're not going to get off our 21st-century comforts asses and actually do anything to disrupt anything.

At best I may avoid using products from certain companies until I really have to, like Google and Microsoft's AIs, or clear cookies after signing into YouTube so it doesn't sign you into everything else, or write a comment here and there about how some Apple APIs like the iCloud Keychain allow Facebook etc to track you across devices and reinstalls, but I'm not ever going bother doing anything more that would actually challenge all this dystopian fuckiness.

I have one: https://news.ycombinator.com/item?id=46223051

And really, a locally running AI could make that assessment pretty easily even if it isn't declared. No need to destroy the whole world's privacy. Unless that was the goal to begin with, obviously.

No, it's still illegal in most places to knowingly distribute pornography to minors - the law in my state starts;

> A person who sells, gives away or in any way furnishes to a person under the age of 18 years a book, pamphlet, or other printed paper or other thing, containing obscene language, or obscene prints, pictures, figures or descriptions tending to corrupt the morals of youth

> Over 70% of teenagers <18 today have watched porn [1]. We all know (many from experience) that kids easily get around whatever restrictions adults put on their computers. We all know the memes about "click here if you're 18" being far less effective than "click here if you're not a robot."

And we all turned out fine I might add. In fact there's a lot more attention to consent and respect for women than 20 years ago.

Of course not counting the toxic masculine far right but that doesn't have anything to do with porn but everything with hate.

Not sure if you've bought alcohol lately, but at most large grocers near me, they're scanning licenses now instead of just verifying the birth date - and I'm pretty confident those scans aren't just checking the birthdate and then deleting all record of the interaction..

> How does the issuer (e.g. the republic of France) know that DOCUMENT is bound to a given fingerprint? This is still under discussion, but as a first bid, a French citizen goes to city hall with his phone and obtains DOCUMENT after producing a fingerprint on the citizen's phone (as opposed to a device belonging to the republic of France).

Are you saying that someone goes to city hall, shows ID, and gets a DOCUMENT that certifies age, but doesn't link back to the person's identity? And it's married to a fingerprint in front of the person checking ID?

Is there a limit on how many times someone can get a DOCUMENT? If not, it'll become a new variation of fake id and eventually there's going to be an effort to crack down on misuse. If yes, what happens if I get unlucky and lose / break my phone limit + 1 times? Do I get locked out of the world? The only way I can imagine limiting abuse and collateral damage at the same time is to link an identity to a DOCUMENT somehow which makes the whole ZKP thing moot.

I'd be more worried about the politics though. There's no way any government on the planet is going to keep a system like that limited to simple age verification. Eventually there's going to be enough pretense to expand the system and block "non-compliant" sites. Why not use the same DOCUMENT to prove age to buy beer? Sanity for guns? Loyalty for food?

What happens if the proof gets flipped to run the other direction and a DOCUMENT is needed to prove you're a certified journalist? Any sources without certification can be blocked and the ZKP aspect doesn't matter at that point because getting the DOCUMENT will be risky if you're a dissenter. Maybe there's an interview. Maybe there's a background check. Has your phone ever shown up near a protest?

It's just like the Android announcement that developers need to identify themselves to distribute apps, even via side loading. The ultimate goal is to force anyone publishing content to identify themselves because then it's possible to use the government and legal system to crush dissenting views.

Big tech caused most of the problems and now they're going to provide the solution with more technology, more cost, and less freedom which is basically what they've been doing for the last 2 decades so it's not a surprise.

I’m not exactly sure about ZKPs but for age verification the “proof” can come from the government but in such a way that the web service doesn’t know anything more than whether an assertion is true, and the government doesn’t know anything more than you wanted to verify some assertion.

This is a simplified method for age verification:

I want to buy alcohol from my phone and need to prove I’m over 18. SickBooze.com asks me for proof by generating a request to assert “age >= 18”.

My phone signs this request with my own private key, and forwards it to the government server.

The government verifies my signature against a public key I previously submitted to them, checks my age data in their own register of residents, and finally signs the request with one of their private keys.

My phone receives the signed response and forwards it back to SickBooze.com, which can verify the government’s signature offline against a cached list of public keys. Now they can sell me alcohol.

- the “request” itself is anonymous and doesn’t contain any identifying information unless that is what you intended to verify

- the government doesn’t know what service I used, nor why I used it, they only know that I needed to verify an assertion about my age

- the web service I used doesn’t know my identity, they don’t even know my exact age, they just know that an assertion about being >= 18 is true.

The thing is that when it starts being about the kids it means the bottom 90% has entered the internet and you should be away because it is already lost.

I wonder if there's something like internet accelerationism - push things like having friends or watching movies online off the cliff as soon as possible.

As much as you (and I as well) don't want age verification to involve discussion about kids' access to content because we're more concerned about the surveillance push riding the popularity of that, repeating "it isn't about kids" loudly 3 times doesn't make the (extremely large) group of people pushing age verification for kids disappear.

Telling that larger group their interest just isn't part of the conversation at all excludes _you_ from the conversation rather than changing the focus of the conversation to the other downsides instead of the primary interest others might have.

There are also, concerningly IMO, an extremely large amount of people willing to accept severe surveillance or privacy downsides so long as it helps achieve the goal about kids. To them, the same would in reverse would be "why are you talking about surveillance, the real issue is the kids. Say it 3 times loud, for those in the back!" and the conversation gets nowhere because it's just people saying how they won't talk to anyone who disagrees what concerns should be considered.

Thanks for answering, I appreciate it.

> How do we implement the lock boxes? I tell you SHA256(NONCE, VALUE) where the NONCE is chosen by me. Given the hash you cannot compute VALUE. To open the lock box, I tell you NONCE and VALUE, which you believe under the assumption that I cannot find a collision in SHA256.

That's the bit I was missing! The prover pre-registers the scrambled solution, so they can't cheat by making up values that fit the constraints.

I doubt that the porn in the 70s was less bad than the porn today. Legal CSAM was being sold openly so what makes you think that it was more tame than modern stuff?

The fact is that as difficult as it was to get, you got a hold of it and watched it. Why would 'ease of access' make any difference if you didn't have easy access and got it anyway?

Excellent, clear example.

I would throw in Privacy Pass [1], just in case the government and SickBooze.com can exchange info.

Sadly, it‘s still hard to explain how exactly it works, but conceptually simpler than arbitrary ZKPs.

[1]: https://privacypass.github.io/

Are you implying that perhaps 15-25 mins worth of porn video total throughout all of someone’s teenage years due to such rare access of the material would have a similar emotional and mental impact as having the ability to see that much daily for years as is possible now?

There could have been years between the opportunities we had. I don’t think you conceptualize just how infrequent the opportunity would present itself.

I'm not making any claims about mental or emotional impacts, you are. What are they?

Yes all those things are great, but you'll notice that instead of explaining this to the non-technical crowd, technology focused privacy concerned individuals rarely attempt to educate about how these could work. Instead they simply seem to be against any sort of control on what children watch online.

Given that it's also coming from a bunch of tech males, it comes across as extraordinarily creepy. This is not hard to understand.

So then this is an easy problem. Issue liquor stores a terminal. Liquor guy checks licenses. If you're an adult, the clerk presses a button. A public key is generated and uploaded to a public list. You get a private key that shows you're an adult and is not tied to you. Regular laws that apply to liquor also apply to this private key QR code... You cannot give it to a minor or sell it without a license.

To view adult content, use the code to sign a thing. Content company sees the signed code, verifies against the public list and sends the content.

Privacy preserved, no adult content to kids... Easy.

It's also already illegal to send porn to a minor. Porn companies that transmit porn to minors are already committing a sex crime.

I'm sure those people exist, I just never happen to see anything they write online nor meet any of them in real life.

For the folks in the back row:

Age Verification is about Kids and Censorship: to track them and censor them

Age Verification is about Kids: giving it to companies who will keep it as safe as they've kept your identity, email, and other information.

Age Verification is about Kids and Censorship: taking control from you and giving it to corporations and government.

Age Verification is about Kids and Censorship: to keep them on their platforms so they can profit from them

Age Verification isn't just about Kids: it's also about tracking you

I don't know why we want to put children's data online. I don't want cameras in the kids rooms to verify their face, that camera will be used by others. That camera will be used to do the very thing they claim it is to protect against. I don't want the kids online, easily meeting with pedos, pretending to be kids or otherwise. I don't want kids data online for those people to use it to harm them. I don't want kid's data being leaked and exposed forever. To create lasting damage that will follow then the rest of their lives.

The road to hell is paved with good intentions. The devil uses this to fool you. Seriously, y'all gonna trust your kids' data with the people in the Epstein list? Why would you let a fox guard the chicken coop?

We're all in bubbles. But it's good to expand them when you recognize you're in one.

"group of people pushing age verification for kids disappear."

Parents need to parent then, but the amount that will are still larger than the people who want mass surveillance because they can't be arsed to raise their kids.

If they are too lazy to raise their kids, they don't have the energy to push the nanny state forward.

My guy, this is making the opposite argument from what you think:

"On the illegal market, no one is checking IDs before selling marijuana. When and where cannabis is illegal, high schoolers often sell cannabis to their peers. In contrast, licensed cannabis stores have overwhelming compliance with age-gating."

It has indeed not increased the cannabis use of kids, but that would also still be illegal. That study is an argument that age gating works.

We have newer and more relevant data than DARE.

And the Internet also consists in large part of bots talking to bots. This is not to say that some people won't always promulgate the "Won't somebody please think of the children?" argument every time an expansion of the surveillance state apparatus is in question, but rather to say that we should not take for granted that every bad opinion we see online is one deeply held by any real people.

> the government [...] only know[s] that I needed to verify an assertion about my age

This is problematic if a majority of things needing age verification are looked down upon; for example, insurance companies would love to know what people don't do things needing age and therefore don't buy alcohol (at least not online).

Pro tip: those scanners probably don't work with passports, so a human must still eyeball your passport to verify that you're old enough.

> Why even bother with the initial batch issuance phase?

This is a solution that requires non-trivial interaction between many paries.

It seems very reasonable to want to get the parties started on the implementation so they can iron out issues in the infrastructure they're building while they work on the details of the ZKP aspects.

One thing to keep in mind when reading about any "ZKP protocol" is that on its own the term has the same inherent vagueness as "end-to-end encrypted" - especially when like here there are more than two parties concerned to solve a single verification.

What information is not disclosed to whom? In what way is it ZK?

One example is Googles "zero-knowledge age verification" where AFAICT, Google still has full insight into all the sensitive data and metadata. It's not like they inherently need to be the designated middleman but that is how the scheme is designed. Therefore I find it ingeniously marketed. A bit like saying "Facebook Messenger protects all your messages with end-to-end encryption", which is arguably technically true but misleading and not an honest statement.

How do you know this?

I see this argument repeated over and over on HN, with 0 evidence for it. Any "evidence" people cite is usually of the "politicians are evil, so this should be obvious by definition" kind, sometimes of the "they tried x in the past, so surely some unrelated y they're trying to pass in the future is also about x" kind.

I haven't seen a single leak, a single admission from somebody trying to pass a law like this, that surveillance is actually the goal here. There are far too many politicians trying to pass laws like these, in very different countries across the world, for some kind of giant global conspiracy to stay undetected.

Plain ignorance seems far easier to believe.

The simplest possible such method? Single-use age verification codes, generated and validated by the government, sold on physical scratch cards with in-store verification of ID, piggybacking on the infrastructure we already use for selling alcohol and cigarettes.

This would be far easier to implement for websites too. You'd just have a single, unauthenticated API endpoint which, given a code, tells you if the code is valid (and marks it as used). Integrating with such an API is about 1 day of work for a competent dev. Even open, non-profit platforms like Mastodon could easily implement such a mechanism.

Scratch cards wouldn't have to be the only way of getting such codes. THe vast majority of people could just generate them in their banking app or whatever (which would still be far more privacy friendly than the current ID verification mechanisms).

The first question is how would the insurance find out that you are doing lots of things requiring age verification? The only body that could tell them is the government, while a distrust in the government can be healthy, I think this is the least thing to worry about, the government typically knows already much more damaging things than how often you ask for age verification.

Moreover, that would only work if there are relatively few things that require age verification and it needs more than just being looked down upon, i.e. while alcohol buying might be interesting information for insurances, watching porn is likely less interesting. Even worse, if the insurance can't distinguish between porn and alcohol (which they can't by design even if the government would give them the information about how often you ask for age verification).

I somewhat understand your argument about how to prevent misuse, but I'd say one could do that by embedding the key in an ID card and someone will have to connect the ID card to the phone/computer (e.g. via NFC). So obviously you can pretend you lost your ID card and get a new one, but I would say that you can only do that so often until someone will get suspicious, just as if you would ask for a new passport every couple of months someone would start asking you some serious questions.

Regarding using the document to buy beer, that's already done, you need to provide ID. I also hope you being asked to provide ID for buying guns, but then again I'm not from the US, so I have quite a different opinion on gun ownership.

All that said though, we are currently watching some of the most significant civil rights abuses by authorities, all without any ID system and people are worried about age verification? If the government wants to abuse their power they don't need an ID system, they just look at your social media profile at the border.

And now compare this comment with another comment (https://news.ycombinator.com/item?id=46228900) I got in yet another "let's save children from the Internet" thread:

> Your sci-fi distopia flash fiction is compelling, but not actually on topic in this discussion.

> "Think of the children" is weaponized for censorious purposes, but also the harms of social media are well documented (unlike many of the other moral panics fuelled by this phrase).

> I'm not sure a blanket under-16s ban on all social media is the right answer, but there are really good reasons why people support this that you need to engage with to have a useful discussion here.

So basically for everyone even with modest pattern recognition abilities the template used here should be crystal clear, which goes along the lines of

- I'm kinda with you (even though you are stupid and emotion-driven);

- But your point is totally invalid because you should be humiliated by the sheer number of your opponents, which renders you small and negligible;

- Your opponents have very good reasons to support any fascism that is able to address their reaction to prefabricated problems with prefabricated solutions, and you've got to support that too if you want to be heard.

I'm pretty sure these threads are chock full of shills, because one can't rob people of freedom without significant narraive steering efforts.

Yet another comment following the template described in https://news.ycombinator.com/item?id=46242184

> There are far too many politicians trying to pass laws like these, in very different countries across the world, for some kind of giant global conspiracy to stay undetected.

This is today's top agrument! "There are far too many gangsters each operating in their own district for some kind of notion of organized crime to be credible".

> There are also, concerningly IMO, an extremely large amount of people willing to accept severe surveillance or privacy downsides so long as it helps achieve the goal about kids.

I’m alive. Nice to meet you.

I “accept severe surveillance”, not in the sense that I agree with it, but because I know that it already exists and has existed and that people that are against it are screaming into the wind. Many large and small countries have long histories of surveillance.

It’s not that you shouldn’t try to enforce privacy, in fact, the law requires it if you in some cases, and it’s a good idea in others.

I’m certainly not against the EFF standing up for the rights of everyone not to be severely surveilled.

But, realistically, the public cannot easily anonymize our activity and data. And if you try to do so, you’re painting yourself as a target.

If you were trying to keep your country safe, wouldn’t you like the ability to infiltrate any major cloud, SaaS app, social media platform, bank, government, VPN/internal network, and OS?

Similarly, if you were a big data or security company wouldn’t you also do everything you could to know everything it is to know about a person if you had the means and time and it made sense for your business?

Following, if you were to have that power as a government, business, or other organization, wouldn’t it be critical to ensure that you restricted its use to ensure it wasn’t abused to the point that you’d lose it, even though the reality would be that you probably don’t have time to keep it as safe as you need to?

I “accept severe surveillance” not because I promote it or want it, but because I understand how the world works and what it does.

All these things will pass. If you have the focus and the mental capacity to do what is good, then do it. It likely helped the world in some way to learn about KGB wiretaps. But, in the U.S., as far as I can tell, the backlash against the CIA and NSA was just used for political gain and then to replace those that didn’t agree with the current administration. Was that helpful? And who are we really being manipulated by when we attack ourselves and install destabilizing leaders?

All chutzpah is built upon brazen assertion of desired outcome as already achieved.

Just because it's about surveillance doesn't mean it's a bad thing?

The fact that you need a driver's licence to drive a car, or a document to identify yourself to open a bank account is also surveillance. Yet it seems perfectly reasonable?

I guess owning some computer should be fine as a requirement? It just should not be tied to the US megacorps. A web app perhaps?

For instance [1]. I am speaking out of experience, as a GenZ person who has been first introduced to the entire world of sex and porn at EIGHT years old. I myself feel it has harmed my brain in ways which I'll likely never fully understand.

[1] https://eprints.qut.edu.au/217360/1/__qut.edu.au_Documents_S...

Not sure where you are but no one has ever done that to me. I usually would go through self checkouts so someone just comes over, takes a quick look at my drivers licence, and puts in their employee id into the machine to authorise it.

How about the majority of the recent thread about the Australian social media ban?

BTW the Australian law says it's illegal for a platform to require government ID for age verification.

Parenting is, and always has been, a collective responsibility. We made it illegal to sell alcohol to kids, instead of just complaining that parents weren't teaching them not to drink it.

You may be confusing the UKOSA (which is about surveillance) with the concept of age verification more generally.

Write to your legislators/representatives.

Honestly, it is the only thing that you can do, apart from voting and talking to people in your near environment.

Is it a good solution, and always likely to work? No, absolutely not.

But is a hell of a lot better than doing nothing or sharing social media posts, which is frankly as effective as screaming into your pillow at home.

> has existed

Sorry, but if you would actually read my post, you would notice that I am not proposing that it should merely "exist", but that it should come enabled by default on all new devices.

People are ignoring reality and thinking that kids and teenagers won't be smart enough to type "XXX" into piratebay and download a torrent client.

Recycling a post about reasons to do it that way:

> 1. Most of the dollar costs of making it all happen will be paid by the people who actually need/use the feature.

> 2. No toxic Orwellian panopticon.

> 3. Key enforcement falls into a realm non-technical parents can actually observe and act upon: What device is little Timmy holding?

> 4. Every site in the world will not need a monthly update to handle Elbonia's rite of manhood on the 17th lunar year to make it permitted to see bare ankles. Instead, parents of that region/religion can download their own damn plugin.

> same inherent vagueness as "end-to-end encrypted"

Recent HN discussion example: How Kohler Inc. has a toilet feces analysis camera with "end to end encrypted", except they're one of the ends so it is deceptive advertising.

https://news.ycombinator.com/item?id=46129476

If I believed that the efforts in question were in earnest, I would absolutely be talking through the finer points of how to do it right. I don't believe that, though. The veneer of legitimacy here is paper thin - we start with a very weatherbeaten conservative war drum (think of the children!) and immediately jump into "let's ruin privacy for everyone and I totally promise this isn't another Cambridge Analytica".

> Eventually there's going to be enough pretense to expand the system and block "non-compliant" sites. Why not use the same DOCUMENT to prove age to buy beer? Sanity for guns? Loyalty for food?

You're not wrong to be concerned about those impulses, but I think this is getting into "perfect is the enemy of good" territory.

A really authoritarian government isn't going to make an effort to misuse the system that way: They'll tear it down entirely and go back to worse-alternatives which we already use, where they do know all parties involved and exactly when and what was being checked.

This is a fairly defeatist approach to the issue (read that as a statement of fact, not an accusation or argument). The problem with taking this stance, for many people, is that you’re giving a mouse a cookie, except the cookie is marginally more and more control over your life in the form of the ability to control what you see, what communities you’re allowed to engage with, and what you’re allowed to do online.

This battle for online privacy and control is just that, a battle, and you are correct that it is not a fair fight. But engaging and pushing back, through advocacy, speaking out, and acts of noncompliance does three things:

First, it slows the progress of these measures and thus limits the amount of control over our lives we give up, hopefully until some more politically friendly people come to power.

Second, it provides a barometer (via its effectiveness) for assessing the state of that fight, and how dire it is becoming.

Finally, people voicing their concerns about these laws gives information that helps inform more powerful and potentially altruistic advocates with more resources (such as the EFF) in how those resources should be allocated.

Maybe those aren’t good reasons for you, and that’s okay. Lots of people just want to browse twitter and see sports scores and they don’t really care if they have to show ID to do that. For anybody else reading this though, there are lots of reasons why your involvement and engagement in this issue should not stop with “that’s just how the world works”.

You don't need conspiracy, you need the incentives.

The state always thinks of self-preservation. Any bureaucrat is aligned to this goal by getting the benefits from the state. So, the more power it has over its citizens, which is the first threat it, the more safe it is and the less opinions of citizens matter.

Understanding this, every citizen must think carefully about giving away more power to the state.

Google just shows porn pictures if you search porn in image search (logged out, private tab). You don't even have to confirm that you are older than 18

Dude, parents don't want their kids wading through porn and whatever social media throws at them before they are even teenagers.

Childless digital nomad privacy freaks are a minority, age gates are coming. I don't care that they will never be 100%, if it provides cover for parents to stop their kids consuming trash internet "culture" until they are more mature they are already a great benefit to socitey.

This take is really detached from reality, I get down voted for this whenever I ask, but do you have kids? If not sorry, but your opinion means nothing.

We all exist in a society and (as the other comment says) it take society to raise kids. I don't want a society where as a parent I have to fight against shitty parents and the potential immaturity of my kids (they are too young right now thank god) to stop them watching porn as a 11yo or other inappropriate gifts from internet "culture".

Setting some reasonable standards for what content kids should consume provides parents with cover when trying to raise their children well. Its the reason movies have age gates, and strip clubs and many other things not on the internet.