351 points iamnothere | 1 comments

Also: We built a resource hub to fight back against age verification https://www.eff.org/deeplinks/2025/12/age-verification-comin...
Nevermark ◴[] No.46240963[source]
Why don't we have zero-knowledge age verification?

One actor verifies ages - and they only need to do so once. Sites give users a key tied to their user account to run by their verifier, who returns another key that attests to their verified age encoded for that specific site, to give back to the site.

The site doesn't know anything about the user, but their user login info. The verifier doesn't know anything about what sites are being visited.

This would seem to address the issues, without creating the pervasive privacy and security problems of every age verifying site creating a database of people's government IDs, faces, and other personal information.

It also seems like a way out of the legal/legislatorial battle. Which, otherwise, is going to be an immortal hydra.

I would trust the EFF to run something like this. Open source. With only one-way encrypted/hashed personal info stored at their end.

(I am not a cryptographic expert. But I believe mechanisms like this are straightforward stuff at this point.)

replies(2): >>46241087 #>>46241346 #
vbs_redlof ◴[] No.46241087[source]
Because it's not about age verification, it's about setting up infrastructure to enable incremental encroachment on privacy.

Fun fact: many ZK identity solutions run centralized provers and can be subpoenaed. Need to use something that generates proofs client-side.

replies(1): >>46241476 #
1. Nevermark ◴[] No.46241476[source]
> Because it's not about age verification, it's about setting up infrastructure to enable incremental encroachment on privacy.

Yes. You are emphasizing a reason it would be a good idea.

Sideline the ulterior/hidden motive. Or at a minimum, force it into the open, where it has less of a chance. (Ulterior motives are kept quiet for a reason.)

> Fun fact: many ZK identity solutions run centralized provers and can be subpoenaed. Need to use something that generates proofs client-side.

Subpoenas are one of the many privacy problems solved by this.

If there is no log of your real identity tied to visiting a site, there is nothing to hack or subpoena.

A verifier can report you got keys validated. But they don't know what sites they were for.

Sites can ensure users are vetted for age. Without knowing who they are.

This is such a classic cryptography scenario, I don't know how it isn't being pushed to the center of this debate. Anything that reduces the practical tension between divisive goal posts is going to have practical benefit, and make worst case legislation much less likely.
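
One way to get the property discussed in this thread (the verifier never sees which site a key is for, and the site never learns who the user is) is a Chaum-style RSA blind signature; the sketch below is an added example, not code from any commenter or from an existing age-verification system. The function names, the `example-site` identifier and the toy key built from two Mersenne primes are assumptions made for illustration, and unpadded RSA at this size is not safe for deployment.

```python
import hashlib
import secrets
from math import gcd

# Toy verifier key from two Mersenne primes (constructed; far too small for real use).
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # verifier's private exponent


def digest(site_id: str, nonce: bytes) -> int:
    """Hash the site-issued challenge into the RSA group."""
    h = hashlib.sha256(site_id.encode() + b"|" + nonce).digest()
    return int.from_bytes(h, "big") % N


def user_blind(site_id: str, nonce: bytes):
    """User hides the site challenge before sending it to the verifier."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    blinded = (digest(site_id, nonce) * pow(r, E, N)) % N
    return blinded, r


def verifier_sign(blinded: int, user_is_adult: bool) -> int:
    """Verifier signs only for users whose age it has already checked."""
    if not user_is_adult:
        raise PermissionError("age not verified")
    return pow(blinded, D, N)  # the verifier sees only the blinded value


def user_unblind(blind_sig: int, r: int) -> int:
    """Strip the blinding factor, leaving a plain signature on the challenge."""
    return (blind_sig * pow(r, -1, N)) % N


def site_accepts(site_id: str, nonce: bytes, sig: int) -> bool:
    """Site checks the signature against the challenge it issued."""
    return pow(sig, E, N) == digest(site_id, nonce)


def run_exchange(site_id: str = "example-site", adult: bool = True):
    nonce = secrets.token_bytes(16)          # site -> user, tied to the account
    blinded, r = user_blind(site_id, nonce)  # user -> verifier
    sig = user_unblind(verifier_sign(blinded, adult), r)
    return nonce, blinded, sig               # (nonce, sig) goes back to the site
```

The site should accept each nonce only once, so a signed key cannot be replayed or handed to another account. The verifier still learns that a user requested a signature and when, which matches the thread's point that it can report a validation happened but not which site it was for.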