Age verification doesn't need to be a privacy footgun

34 zdw 32 7/31/2025, 10:19:54 PM soatok.blog ↗

Comments (32)

kelseyfrog · 1h ago
Wild how out-of-bounds it apparently is to say, but even if age verification was empirically proven to protect kids, I’d still be against it.

It's taboo in our culture to say this, but what keeps me up isn't just what people are afraid of; it's how far they’ll go to feel safe. That’s how monsters get made.

We’ll trade away the last scraps of online anonymity and build a legally required censorship machine, all for a promise of safety that's always just out of reach. And that machine sticks around long after anyone remembers why it was built, ready to be turned on whoever’s out of favor next, like a gun hanging above the door in Act One.

But say this out loud and suddenly you're the extremist, the one who "doesn’t care about kids." We’re already past the point where the "solution" is up for debate. Now you just argue over how it'll get done. If you actually question the wisdom of hanging surveillance over the doorway of the internet, you get boxed out, or even labeled dangerous.

It's always like this. The tools of control are always built with the best intentions, then quietly used for whatever comes next. History is clear, but polite society refuses to learn. Maybe the only real out-of-the-box thinking left is not buying the story in the first place.

Tadpole9181 · 12m ago
> But even if age verification was empirically proven to protect kids, I’d still be against it.

Even with an effective implementation via something like zero knowledge proofs? It seems like it's entirely reasonable to say your position is (in this hypothetical) objectively wrong?

Like arguing that even if we know firefighters save lives, you'd still be against it, because "fear and the desire to feel safe are how monsters are made".

I disagree with these policies (because they aren't safe and I disagree that children are in a danger best prevented through this kind of measure), but I also disagree with you vehemently. If I'm wrong and we can genuinely prevent harm and the worst cost is an inconvenience (again, without the risk of data leak), then I'm wrong and we should do it.

coppsilgold · 1h ago
I don't see how a scheme where you allow the generation of multiple tokens will be practical when the token itself has value decoupled from the concerns of the generator - such as when the token doesn't give access to your personal account.

If the token signifies you are 18+ and nothing else and if the generation limits are such as to be reasonable then people will generate some fraction of their total tokens just to sell them, or use their elderly relative's tokens.

The kids will be trading these tokens to each other in no time. Token marketplaces will emerge. The 18+ function of the token will just become a money/value carrier.

If you limit it to one token per person, the privacy implications will be devastating. All online presence where being 18+ is required will be linked.

wkat4242 · 1h ago
I'm not on board with age verification at all. Even if it can be done in a private way. I'll just VPN or something, as I'm in the EU and they're dumping this crap on us now.

I'm more than old enough for anything and I have never been 'carded' in my life. In fact I rarely carry ID anyway (even though it's mandatory). Not going to start now.

boneitis · 38m ago
Right. There's still something I found unsettling about performing searches without restraint on Kagi (which, until recently, absolutely required being logged in) that I wouldn't have thought twice about on a common search engine.

Unfortunately, the VPN experience has been deteriorating quickly as BigCo and BigGov have been catching up in natural escalation.

BriggyDwiggs42 · 27m ago
The next thing is probably a vps hosted vpn right?
boneitis · 21m ago
well, given the pervasiveness of KYC requirements these days, i reckon that would still feel not unlike being required to log in in order to use a search engine.

moreover, it's already fairly common for web service operators to proactively block/shadowblock swaths of VPS ranges.

NitpickLawyer · 21m ago
Eh, it's still tricky. Visiting from a VPN gets you subpar experiences in around 30-50% of sites, I would say. From search engines that rate limit you to one or two searches per hour, to things like spotify simply not working. Forums, social media & co that aren't doing verification will also throttle you, shadow ban you and so on.

I get why some sites use these kinds of IP filtering, but the net result is sadly bad for anyone trying to do this.

general1726 · 10m ago
So future actually is self-hosted.
CobrastanJorji · 1h ago
I totally agree with the author's main point: if we must do "age verification," we should do it through third party identity providers and not directly give our information to everyone.

I have a semantic question, though. If I get tokens from an identity provider which I then pass to an adult website, is that really a "zero knowledge" proof? It's been a while, but I don't think that's a zero knowledge proof. Or maybe it is? I'm not sure what the formal definition is.

Tadpole9181 · 7m ago
Yes, it's zero knowledge as long as you don't consider knowledge of which provider you use to be knowledge. Which, if used at scale, shouldn't be.

The token isn't one that you receive and use as-is, so there's no way for the token's generator to tie it to your identity. And when redeemed, the generator can only confirm the token is valid, not that you made it (and therefore what service you're using). Kagi has some articles on the technical details for their "Privacy Pass" feature.

However, using a VPN and pre-generating tokens is still recommended to prevent side-channel attacks based on timing.

averysmallbird · 2h ago
The pro-age verification folks have been talking about ZKPs for years now. Here’s one of the legal proponents of the Texas law, and now General Counsel at the FCC, referencing ZKPs[1]. More sophisticated folks have been pitching actual implementations for a while.

Setting aside whether age verification is desirable or a net benefit, some of the discourse is colored by folks that want to make it as painful and controversial as possible so they don’t have to do it.

[1] https://americarenewing.com/issues/identity-on-the-internet-...

LegionMammal978 · 4h ago
Even with a "privacy-preserving" mechanism, I'd remain worried about censorship risk. Are you a government, and you want to punish one of your citizens without lifting a finger? Then deny them the ability to verify their ID with anything!

In principle, you could probably cook up some mechanism to prevent this. But then the information would also be irrevocable in case of error, which I doubt governments would accept. Not that ID verification is a foolproof proxy for the actual physical user in any case, short of invasive "please drink verification can"-style setups, which I worry might look tempting.

magicalhippo · 2h ago
My reading of the EU proposal has licensed third parties doing the age verification step.

The gov't could threaten to revoke the license, but doing so would inconvenience all their users, not just the target. So the third party has leverage to dismiss the gov't.

Of course lots of factors in play, but should be at least a bit better than the gov't doing the age checks.

LegionMammal978 · 1h ago
At least in the U.S., the experience is that businesses will do a lot of things if some level of government 'politely' asks them to. "This account is fraudulent, please delete it." (Or perhaps by waving the stick of "for reasons of national security".) The business doesn't really have any incentive to get in a fight over it, especially if the target wouldn't look sympathetic in the media. I haven't heard much suggesting that typical EU businesses are any different in this regard.
progval · 1h ago
> Then deny them the ability to verify their ID with anything!

Then it's up to legislators to make this illegal. Or at least restrict it to specific purposes, and with a judge's approval.

kelseydh · 1h ago
One of the most ridiculous things about age verification is the assumed ages for using things. For example, recommended Age Ratings for movies way overestimate the age somebody should be to watch things. I was watching NC-17 movies at the age of 7. Powerful experience, but I grew up a normal person. I still remember being 10 and thinking how ridiculous the PG-13 and R classifications were to the level of maturity I already had at that age. Thankfully I had parents who didn't care and I could watch whatever I wanted.
tshaddox · 8m ago
Those content ratings are mostly information for parents who feel strongly about what content they allow their children access to.
riffraff · 1h ago
Kids are generally way more resilient than they get credit for, but not all kids are the same.

I have two, one of them was fine watching people's faces melting in Raiders of the Lost Ark when he was 6, the other had nightmares for a couple days after seeing Gollum in LoTR.

The regulations on age are by necessity arbitrary, but I don't think they're completely stupid, even tho I agree parents should be the one responsible in the end.

jmogly · 4h ago
To get to the gist; you shouldn’t need to show pornhub your ID to verify your age. You should be able to verify your age with an identity provider that issues you a signed token for example.

The signed material does not contain any identifiable information about you, and sites like pornhub can verify the token with the identity provider to verify your age.

Lio · 29m ago
Will the identity provider be able to match my token with me?

How does it guarantee anonymity?

i.e. in this scenario will they know that my token was passed to PornHub?

Borealid · 1h ago
What stops an adult from creating these anonymous tokens and then letting others use them?
SkyeCA · 1h ago
What stops an adult from buying alcohol and letting an under-18 drink it?
guappa · 10m ago
Nothing, which is why these laws are useless (to protect children), but very useful to monitor everyone.
tshaddox · 5m ago
What answer are you even looking for? There’s no proactive law enforcement waiting to bust down your door if you give underage kids alcohol. (Note this is true of nearly all crimes.)

But if a kid dies of alcohol poisoning or drunk driving, you can certainly get in serious legal trouble. Those two things (not wanting kids to be harmed by alcohol, and not wanting legal trouble) stop a very large number of adults from giving minors alcohol.

dbetteridge · 1h ago
Make them extremely time limited like an OTP token?

Require a token to be provided by the requester that is used to sign the response token so it's limited to a single use

taneq · 1h ago
This is an improvement because only the identity provider(s) have your ID, but now you also have a central database of all the age-verification-requiring sites that many people use, along with those peoples’ ID.

You could argue that the sites requesting access tokens won’t be cached/s but in practice that’s not how it’ll work. You could also have a separate request-forwarder service that sits between the age-verifier and the site-that-you-don’t-want-logged, I guess, which would make it harder to get all the required info in one place.

renegat0x0 · 1h ago
The real question is if it will stop at this point, or is it only the first step.

The next question is if that will work at all. Those that want to find it - they will. If that is true, then why is this verification in place at all?

trhway · 59m ago
The end game is naturally to have all your online activity to be associated with your real ID. The government wants this, Big Tech wants this, thus there are no real barriers and, in a frog boiling way, it will be done at least for the majority of users.
_zoltan_ · 1h ago
in around 2013ish I've worked on a ZKP based SAML-like authentication scheme where almost nobody knows anything:

- you could use your corp ID to log in to pornhub, as the provider doesn't know to whom it verifies the request

- pornhub wouldn't know you used your corp ID

we got as far as a demo out of it but never commercialized as far as I know.

this was after there was a trial project with the UK about ZKP based age verification as kinda the next step where you could verify more than your age online.

4b6442477b1280b · 1h ago
it is designed to be a privacy footgun. this wave of age verification bullshit is their foot in the door for "login with your government-issued ID". anonymous rabble congregating on the internet, spreading malinformation and expressing illegal opinions are extremely dangerous to our democracy. the ETA is 5-20 years until another wave of "safety" laws that will require your real identity to be linked to every clearnet website you interact with.
verisimi · 1h ago
The problem with de-anonymising the internet is that I don't think the potential risk (my id becoming public if the id provider is hacked) is worth the potential good (preventing kids from adult experiences online). Is that position ok? Do I have an ability to avoid that risk? When was the case that 'we must do age verification' proven? If it wasn't, what exactly is going on?

So, I don't accept that this is even an acceptable idea. I hate that we are attempting to 'solutionize' on top of bad assumptions, as with this well-meaning article.

The real issue is that there is no proving that this is a 'good thing' to be done - there is no discussion of the loss of privacy rights. It is already decided that de-anonymising is a good thing for corporations and governments, so the rest is just excuses.

This is actually use of manipulation on the part of governments to trick and coerce individuals into an action they do not want to take. Therefore, thoughtful talking about how to 'mitigate the risk' is the equivalent of negotiating with kidnappers over the ransom, when the right answer is: no coercion. The answers to these questions should be that those who want them opt-in, not forcing risk on everyone.