Why isn't online age verification just like showing your ID in person?

Posted by hn_acker 3 days ago

Comments

Comment by zug_zug 3 days ago

Cryptographically there are techniques that let you prove you're one of the several hundred million adults in the US that don't reveal anything about which adult you are. It's much less complicated than bitcoin.

I'm bringing this up because it's the perfect litmus test to show whether you really care about age verification, or if you want personal trackability for all internet behavior.

I'd be okay with this for certain situations (e.g. a forum that doesn't want to foreign agitators to pretend they are US voters), but the whole porn thing is a ridiculous farce because there are still going to always be millions of non-us porn sites that don't enforce US laws.

Comment by swid 3 days ago

Not really. There are ways to prove ownership of one of several hundred million tokens. If you give out this many tokens, the odds that some will be stolen or sold must be fairly close to 1.

Comment by Ajedi32 3 days ago

Agreed. But obtaining such a token/proof would still be an additional barrier kids would have to actively bypass, so while I don't think that's the best implementation I don't think it's correct to say there's no value there.

My bigger concern would be who gets to issue these tokens. If it's limited to a particular government, then that doesn't work very well on a global internet. And making the internet not global (blocking adults from accessing foreign websites that don't adhere to your scheme) is kinda authoritarian IMO.

If we're going to do age verification and blocking of adult sites, it needs to be local to the user's device (and thus under the control of parents, not governments).

E.g. Instead of mandating sites verify users, we mandate internet-capable devices sold to kids have certain content restrictions, the same way we mandate you can't sell alcohol to kids. To make this more effective than existing content filtering, implement some kind of legally-enforced content-labeling standards websites have to follow to be whitelisted on these devices. This way the rights, freedoms, and privacy of adults using adult devices is unaffected.

Comment by EarthMephit 3 days ago

Aren't these all solved problems that we've worked out decades ago with certificates?

Certificates prove that a website/server (and sometimes the client) are who they say they are.

We force the website to renew their certificate from an issuer every year so that stolen tokens/certificates are less of a problem.

The issuer can protect or hide the identity of the certificate owner, and doesn't get any information about which clients accessed a server.

Comment by swid 3 days ago

The real problem is just managing identities for millions of people. Some of those people will voluntarily use their credentials for someone under 18. Some will sell their identities. There is no technical solution to that.

Comment by zug_zug 3 days ago

Chat GPT would be happy to explain "Rate-limited anonymous credentials" to you. Just because you can't think of something doesn't mean brilliant mathematicians can't.

Comment by sotix 3 days ago

It would be much more valuable if you explained rate-limited anonymous credentials or provided an article (even wikipedia). ChatGPT is non-deterministic and telling someone to use it feels a bit cold for this website.

Comment by swid 3 days ago

This has no bearing on my comment

Comment by jraby3 3 days ago

Can you send a link or explain how this can be done?

As a not super tech savvy parent I find it impossible to keep my son off screens. He always finds a workaround. So I'm a fan of age verification especially after reading The Anxious Generation, despite all the hate it gets from hacker news.

Comment by zug_zug 3 days ago

Actually it's not super easy to explain to the layman, since it uses cryptography. But if you'd like to learn more ChatGPT is very knowledgeable.

But it sounds like your wish is to keep your kid off screens in general, which I don't think age verification would accomplish.

Comment by lcnPylGDnU4H9OF 3 days ago

> the hate [age verification] gets

Age verification actually gets almost no hate. Society-wide surveillance gets a lot; age verification just happens to be the "think of the children" excuse to shoe-horn in the society-wide surveillance. As OP described, if the age verification is implemented as a "zero-knowledge proof" then we have age verification without society-wide surveillance and nobody is complaining.

https://en.wikipedia.org/wiki/Zero-knowledge_proof

Comment by triceratops 3 days ago

Not OP and I don't claim a cryptographically secure solution. However https://news.ycombinator.com/item?id=46223051 is as good as the controls around other age-restricted products IRL: alcohol, tobacco, and adult magazines. And it preserves anonymity.

Comment by swid 3 days ago

He’s talking about zero knowledge proofs - it’s a neat use of graph coloring where you send an encrypted proof that a graph can be colored with three colors and no neighbors with the same color. The verifier makes a challenge to prove two nodes don’t have the same color, and the prover provides a key to decrypted just those two nodes. This process is repeated a number of times (with new colored graphs) until the verifier approaches certainty that the prover will always be able to show all nodes have neighbors with different colors.

This coloring problem is NP complete and somehow the thing the prover is proving is encoded in the graph structure. At the end of the day, the only thing the verifier is sure of is that the prover can make the three colored graph, 1 bit that corresponds to the thing the verifier wants to know (eg - does the prover have a token that can show they are over 18).

Comment by evgen 3 days ago

For simple yes/no questions ("Is over 18?", "Is US resident?") then you should look back to David Chaum's blind signatures and the work that came out of that back in the 90s. The math is super-simple to understand and there are a ton of even easier metaphors with envelopes and carbon paper that you can use to explain to your grandmother. Once you get someone to grok blind signatures it is easy to lead them to zero-knowledge proofs.

Comment by Izkata 3 days ago

This is far from the best way to do it, but this is a much easier to understand example of how it could be done without having to read about math:

There's a type of token called a JWT that's really common nowadays, which is composed of 3 parts: Metadata describing encryption for the third part, the actual base64-encoded data, and the encrypted signature. The second part would include "is over 18" and "expiration date" to limit reuse/abuse, and is trivially decoded by anyone to confirm there's no personal information in there.

You'd get this token from your government site and copy/paste it into the site needing verification. The government site would provide a standard public key that can be used with the third part of the JWT to confirm it hasn't been tampered with (verification is built-in to JWT libraries). There would only be one public key that rarely changes, allowing the site to cache it, preventing the government site from correlating users based on timestamps - they never see the JWT from the other site (verification is done locally), and the other site would only need to pull the public key once for however many thousands of people use it.

...that said technical issues aside, I kinda feel like this would be the most acceptable version simply because it doesn't require the average user to trust the math - they could go to a JWT-decoding website and look at it themselves.

Comment by takinola 3 days ago

How would you prevent the token from being used by a different person than it was issued to? This is the online equivalent of getting your older cousin to buy you alcohol from the store using their own valid ID

Comment by 1718627440 3 days ago

How do you prevent your house key being used by a different person, that it was not issued to?

Comment by takinola 3 days ago

I don’t get the analogy. I keep my house keys out of the hands of people I don’t want in. In this case, the age verification is being circumvented by someone simply asking another person to perform it on their behalf.

I guess the practical answer is that it’s impossible because there’s always the option to have an adult perform the verification and then hand over the device to the minor

Comment by 1718627440 2 days ago

Yes, the analogy is the burglar getting into the house by asking you to open your door for them. Adults are permitted to decide such a thing, because they know the risks and are expected to be able to reason about that. When an adult has decided, then there is no problem, as far as age verification is concerned. We have regulations when adults are in fact not able to decide such a thing "correctly".

We already have penalties for adults mistreating children by exposing them to dangerous things, but this is orthogonal to age verification.

Comment by bigbadfeline 3 days ago

Why do you want the online process to be more secure than the one using physical IDs?

Comment by takinola 3 days ago

Mostly because online process can scale a lot further and faster. An older cousin can only walk into a store to buy so much alcohol but a stolen token can be reused a million times in a second.

Comment by pseudalopex 3 days ago

> hate

You meant logical criticism?

Comment by jraby3 3 days ago

I mean one sided criticism that doesn't account for the damage done to kids by having no online limits, and assuming everyone in the world is as tech savvy as they are.

Comment by miguelbemartin 3 days ago

In my opinion, access to internet should always be behind a device controlled by an adult. And it should be this adult's responsibility to set appropriate restrictions for minors.

Comment by insane_dreamer 3 days ago

In theory that sounds right; but as a parent with two young teens I can tell you that in practice this is really really hard -- your teens can get around whatever restrictions you might set, bringing you down to either 1) taking away their phone altogether, 2) turning off the internet altogether (while at home), 3) trying some parental control app (none of which work that well or are inconvenient to use in practice). The only thing I've successfully managed to set up is a blocker on the router that shuts off access to their devices at night (so they go to sleep at a reasonable hour). During the day is just way too complicated.

So we talk about it and try to get them to manage it themselves. They're not unwilling, but the addiction of continuous scrolling is really hard to break. It's not even that the content is terrible, it's more just the mindless zombies -- like sitting all day on the couch watching TV. And they don't even have an IG or TT account (and won't be getting one for a long time) -- this is YouTube (which now has endless scrolling like TT) which I don't want to block altogether because there's other helpful resources on there.

I've always been an early adopter, and was on BBS and IRC and all that back in the day, love the fact that the Internet is a place you can easily set up your own blog and all that, but recently I've honestly come to f*ing hate the internet in general and social media in particular.

Comment by surgical_fire 3 days ago

This is something I am conflicted about as a parent.

My daughter is still a baby, so the problem is still a few years away. But I don't know how to best handle it.

In some ways, I see social media as more poisonous to the brain than alcohol or tobacco. So, forbidding - or heavily limiting - internet access sounds like a plan.

On the other hand, part of me being a parent is teaching her how to navigate the world. And part of that, wether I like or not, is using the internet. Having contact with the communication tools that exist.

The world is full of sons of bitches. If I don't teach her how to deal with that, I would be raising an idiot.

Still, a problem for the future me to ponder over.

Comment by 1718627440 3 days ago

You don't teach your child to deal with alcohol by telling it to try it out.

Comment by techjamie 3 days ago

My parents did exactly that, but not in a large quantity. Gave me a sip of a really crappy beer when I was young and basically told me it all tasted like that.

Did a pretty good job of not tempting me to try it very much.

Comment by bennyp101 3 days ago

Yea, I think anyone who grew up at the start of the internet in homes realises just how different it is now, and that teaching your kids about how to be safe online etc is an important part of parenting. But we are at the point where we have some parents who always had access to what it is now, and don't see it as a bad place.

"Stranger Danger" is no longer don't get into a van with someone who promises you sweets kinda thing.

Comment by everdrive 3 days ago

Agreed. My kids are young right now, but I'm wondering if we can just have a shared family room computer like in the 90s. (school-based laptops might thwart this, but maybe by the time they're school-aged people will realize that constantly putting kids in front a screen is a bad thing to do?)

Comment by bennyp101 3 days ago

Yep, I bought a separate all-in-one computer that is in the living room, in full view of everyone else, so we can keep an eye on what is going on when they are using it.

We also have pi-hole running that blocks a lot of things, and can turn on and off certain domains (so they can play roblox etc for a short while, then its blocked again) and their devices are pretty locked down

Comment by keernan 3 days ago

Just a heads up:

All four of my daughters prohibit my 7 grandchildren from going anywhere near roblox. My grandchildren are currently ages 2-11 but my daughters are so outraged by what happens there that they say their children will never be allowed on roblox until they move out of the house. Apparently it is extremely predatory, lots of bullying, and highly sexualized - and while children are the site's target audience, the site provides no effective oversight.

Comment by bennyp101 2 days ago

100% - They are only allowed on certain games, no chat, and I have a couple of private servers so they can do this steal a brain rot thing

Comment by bombcar 3 days ago

You can be pretty effective with not much - school laptops can be router-blocked to the needful, the main familyroom computer can be visible to all but also have rudimentary DNS blocking, etc.

The key is to be open about it and “more” than reasonable; allow things when requested that aren’t harmful.

If we’re too perfect at protecting them from the world they’ll have no tools to deal with the world, which they will have to do eventually.

Comment by froglets 3 days ago

Even if they don’t share a computer you can still set up their own computers in a shared space. We don’t put tvs in bedrooms either just to keep those rooms for reading/sleeping. Added bonus of keeping computers in common spaces is that your kids won’t disappear into their rooms one day and never come back out.

Comment by krupan 3 days ago

You can have a shared family room computer! It works really well. No screens in the bedroom is a great idea. iPhones with strict Screen Time settings are awesome when the kids get old enough to use a phone for communication but not old enough to handle a phone with games and the full Internet

Comment by wiredfool 3 days ago

My 16 yr old just had his phone update and apply his old screen time settings from 4 or 5 years ago. Sorry kiddo, don’t remember the screen time password.

Now why they came back, and weren’t working before? The restrictions were so full of holes that they didn’t really work as anything other than a speedbump.

Comment by hellojesus 3 days ago

I don't have an iPhone so haven't tried any of this, but can you not treat your kids devices like you would a business's?

It looks like normal user device enrollment with device management is optional, hence why I think business probably makes sense.

https://support.apple.com/en-sg/guide/apple-business-manager...

The you can force all traffic through a proxy.

https://support.apple.com/en-sg/guide/deployment/dep7ba46fcd...

And since you have root certs on the devices, you can decrypt traffic and uniquely identify devices and block internet from your central management, at any time, regardless if the phone is on your wifi vs a friend's vs mobile data.

I think it should work.

Comment by ipython 3 days ago

All I can think of when reading this is: https://news.ycombinator.com/item?id=9224

Comment by rawgabbit 3 days ago

With my family, I shut down and threw away my last PC; too many security head aches. I bought the cheapest large screen iPad(s) and promptly locked them down. One of my best decisions.

Comment by everdrive 3 days ago

I think that's the idea behind the family room PC -- you have parental observation rather that attempting to rely on (necessarily-imperfect) security software.

Comment by michaelmrose 3 days ago

Define controlled and define appropriate in a fashion that almost everyone can agree on which is in line with the constitution and enforceable.

You can't.

Comment by miguelbemartin 3 days ago

I think the parent should decide what the level of control is and what is appropriate for their child. I don't think we need to set up laws for everyone in the world.

Comment by dbbk 3 days ago

I'm not sure why we don't just make a law that parents must set parental controls on their kids' devices. We do this for most other things.

Comment by quentindanjou 3 days ago

Because the main purpose of these regulations isn't protecting the kids. It's surveillance control. An easy way to better kill online anonymity.

Comment by BizarroLand 3 days ago

Yep. Do it long enough and there won't be a single plebeian who has the slightest expectation of not being under surveillance.

Comment by keernan 3 days ago

For several years now, I have lived my life under the presumption that whatever I say on the telephone, email, or text has been downloaded and preserved somewhere.

Comment by jraby3 3 days ago

It's harder than you think to manage all the devices especially if you aren't especially tech savvy.

There are also a ton of tricks and workarounds it's super frustrating.

Comment by Tostino 3 days ago

What is the punishment you want to give to parents who don't?

That's the implication of making a law.

Comment by dbbk 3 days ago

Same punishment as not sending them to school

Comment by bennyp101 3 days ago

They get blacklisted from being able to have internet

Comment by michaelmrose 3 days ago

How do they work find and keep a job keep up with their kids school and keep government benefits.

It doesn't matter that you could do those things before the internet the normal and often only or only practical flow involves the net.

Counter offer we keep letting people manage their own kids' shit and they can control access to the degree they deem appropriate

Comment by bennyp101 3 days ago

Whilst I do kinda agree, I was just replying to the parent about what the punishment would probably be :)

But the problem is that people are NOT managing their own kids' shit, and now we have to have things put in place to try and counter that - and end up overreaching.

I'm more than happy to educate mine on how to be safe online, and to come and talk to us about stuff, other aren't, or are not aware they need to.

Perhaps buying internet means you have to sign a waiver saying that if anything happens because of the internet then that is on the parent(s)...

Comment by hellojesus 3 days ago

Consider a parent that uses mac address filtering to block access. Easy to implement on routers.

What happens when the parent goes to bed and the kid hard resets the router? Or the parent goes to bed and the kid spoofs the mac of the parent's device?

It's a good outcome! Let the cat and mouse games begin, and the youth will be more tech literate than ever. But I think punishing the parents is a bit much.

It'll probably eventually be like how modern folks treat play dates when they ask the counterparty if there are guns in their house and whether they're locked, etc. but with the internet: Do you have a central device management system with proper safeguards, logging, and ml running for anomaly detection on your network? Do you dpi? How do you prevent your kids from evil maiding you? Is your personal computer locked in a cage, and do you check all your paraphernalia for keyloggers, etc. before booting?

Comment by michaelmrose 3 days ago

Such a waiver would be equally insane given the fraud and malfeasance that goes on every day it would be like signing a waiver saying whatever happens in the world is your fault for a drivers licence.

Instead how about we simply continue to make reasonable laws regarding behaviour and holding individual people and companies responsible when they violate the law.

Whilst we are at it we can keep content filtering for pre teens and imposed by parents and accept that teens are going to figure out how to get to the real internet at some point.

Comment by Spivak 3 days ago

I'm really glad you're not in charge of making laws. The one thing you can do as a parent is override most age restrictions. You can give your child alcohol, you can take them to R rated movies, you can let them watch NC-17 movies at home, you can buy them M video games, you can just straight up buy them porn. But then parents have a legal requirement to restrict their child's internet access to whatever the government happens to approve of—utter nonsense.

Comment by dbbk 3 days ago

I mean there's a pretty simple comparison here - it's illegal to not send your children to school. Why do we send children to school? So they are educated and developed into functional young adult members of society. You could make the argument that access for kids to the Internet, which has all of the world's information and connectivity, should be regulated in a similar fashion.

Comment by mbg721 3 days ago

As a parent, I was shocked how little that's actually true, at least in some US states. Home-schooling can mean sending a copy of your curriculum to your school district and you're good to go.

Comment by ipython 3 days ago

how about we start with a law that requires tech companies to provide useful parental controls? Can we please stop blaming parents??

Comment by dbbk 3 days ago

The iOS controls at least are pretty robust.

Comment by nickthegreek 3 days ago

> Can we please stop blaming parents??

No? They are surely somewhere in the top 3 influences that can actually have a meaningful difference here.

Comment by ipython 3 days ago

Do you have kids? I'm not being glib.

Yes, I have set up technical guardrails.

But when your kid needs Internet access to do their homework, and you forget to turn off the WiFi to their device after they're done... then they sneak that Chromebook to their room and watch videos all night, you lose.

When you have a extra phone that was sitting on your desk that you were preparing to resell and your kid sneaks that to their room to watch a few hundred YouTube shorts before you catch him, you lose.

When you have parental controls set up on your wifi network, but it's trivial to shut the wifi off and use the cellular network instead, you lose.

When your friends all have personal cell phones but you don't, you lose.

Parents have their hands full enough. Make it easier for parents, don't poke at them with a pointy stick.

Comment by nickthegreek 3 days ago

> But when your kid needs Internet access to do their homework, and you forget to turn off the WiFi to their device after they're done... then they sneak that Chromebook to their room and watch videos all night, you lose.

You are at fault.

> When you have a extra phone that was sitting on your desk that you were preparing to resell and your kid sneaks that to their room to watch a few hundred YouTube shorts before you catch him, you lose.

You are at fault.

> When you have parental controls set up on your wifi network, but it's trivial to shut the wifi off and use the cellular network instead, you lose.

This can be controlled via Parental Controls on iOS via Screen Time. If you chose not to, you are at fault.

> When your friends all have personal cell phones but you don't, you lose.

Not sure what you want anyone to do about this. I recognize that life isnt fair.

> Parents have their hands full enough. Make it easier for parents, don't poke at them with a pointy stick.

No one is arguing against this. They are arguing how to implement this.

Comment by ipython 3 days ago

Glad to hear your life is so simple that you can track all this while working full time jobs, cooking healthy meals, driving the kids to the various activities and travel sports (because you could be arrested if you let your kids walk anywhere), making sure they complete their homework on time, monitoring their interactions with friends, tracking new tech trends to find new threats (is my kid interacting with character.io or ChatGPT in an unhealthy way?)... I'm sure I'm missing a few more.

And yes, you are arguing against "making it easier for parents" - my original post literally advocated for legislating tech companies to make controls available, effective, and easy to use. If you truly believe what you're saying, then you'd agree with me. Instead you're nitpicking my ability to parent my kids. Exactly the behavior that isn't working, so please continue - I'm sure it'll work now.

Comment by nickthegreek 3 days ago

> Instead you're nitpicking my ability to parent my kids.

You willingly invited that conversation. I obliged.

> If you truly believe what you're saying, then you'd agree with me.

Get over yourself. You have not made an attempt to ask for a solution from me to find common ground. You keep trying to remove yourself from the responsibilities of parenting in the modern world as shown in the examples you put forth and your initial post asking that parents not shoulder the blame for what is happening under their nose. Surely they have some level of culpability.

I believe that it would be good for Parental Controls on devices to have a toggle to say that the phone is being used by someone in under 13, or someone 14-18 (whatever bands you want). When enabled, this flag should be available to locally installed apps and remote connections. Laws can be passed that tell remote connections how they must act when receiving this flag. This keeps me, an free adult, from being subjected to more corpo/govt tracking.

Comment by ipython 3 days ago

> Get over yourself.... find common ground

Ad hominem attacks - great way to find common ground. I actually did try to find common ground, which is that we need to legislate. My argument is that the real entities that need legislation are the ones who can most afford to do so - in both time, resources, and ownership of the platforms that we are all beholden to. I will not advocate for even more punitive restrictions on parents (who already are subject to enough societal punitive pressures as it is - TBH your post is a great example. Instead of empathy, you reply with scorn and derision - as if I'm not good enough to parent my kids).

> I believe that it would be good for Parental Controls on devices to have a toggle to say that the phone is being used by someone in under 13, or someone 14-18 (whatever bands you want).

So you're admitting that parental controls are ineffective?

> Laws can be passed that tell remote connections how they must act when receiving this flag.

And those laws are enforced through what mechanism? What country enforces this law? Do ISPs now have to only accept connections from "legal" remote servers that have attested that they respect that flag? That sounds like an even more restrictive situation for you, as a free adult, than the current system.

But, I do have good news! What you described already exists! In fact, there are even W3C standards that have been around for 30 years to implement a machine readable content rating system! Just never got around to that whole passing a law thing to force all websites globally to adopt it...

https://en.wikipedia.org/wiki/Platform_for_Internet_Content_... and more recently https://www.w3.org/2007/powder/. You can read the ACM paper on this, aptly titled "Internet Access Controls Without Censorship" here: https://www.w3.org/PICS/iacwcv2.htm.

And the most popular web browser of the early 2000s even has this functionality built in - to filter out remote connections that advertise content unsuitable for minors! https://www.isumsoft.com/internet/enable-content-advisor-in-...

Comment by nickthegreek 3 days ago

> Ad hominem attacks

Grow some skin. I used that ad hominem in response to your false dilemma/no true support comment of "If you truly believe what you're saying, then you'd agree with me". This comment ignores the obvious 3rd option that we can share underlying values (parental controls are helpful) while disagreeing on details, tradeoffs and the responsibility that comes with parenting.

> So you're admitting that parental controls are ineffective?

I never stated anything of the sort. I specifically pointed how they could be effective for you in the examples you brought forth. I think they could be made more effective, not that they are ineffective.

> And those laws are enforced through what mechanism?

If this is how you feel, than no solution you put forth is valid either.

At this point, I've stated how current parental controls can solve some of your issues, parental controls can be strengthen, outlined an implementation that does not disrupt the lives of Adults on the internet while also pointing out that parents are not immune from blame and are bare the majority of control over their childs lives. Ive engaged with you in good faith.

You just keeping shitting on everything. All because I stated that parents are not immune from blame. I stand by the ad hominem.

Comment by 3 days ago

Comment by SunshineTheCat 3 days ago

We should then make laws that parents must tell their kids to clean their room. Next we can make laws that parents must tell their children to eat their veggies. What about chore laws? Teeth brushing laws? Stop arguing with your sister laws! More laws!

Comment by 1718627440 3 days ago

> What about chore laws?

I know that was snarky, but that already exists in Germany, since the introduction of the civil law book two centuries ago. Children are legally required to do chores. Actually this is quite important, as otherwise it would be an adult requiring minors to do unpaid work, which is illegal.

Comment by bennyp101 3 days ago

There's a giant difference between stopping kids having full reign on what is now essentially the whole world of information - and instant access to strangers, than there is making sure they eat healthy, help out, and don't have bad teeth .... but I'm sure you know that :)

Comment by SunshineTheCat 3 days ago

The only difference is in parents who raise and protect their kids without needing a law...and people who want government to be mom and do it for them and are willing to make everyone else suffer for it :)

Comment by dom96 3 days ago

Honestly, there should be more laws on how children should be brought up.

Comment by 3 days ago

Comment by rolph 3 days ago

we trained our kids to avoid bad words we taught them to be ashamed of bad pictures, we put porn mags in a hidden location, we put sextoys in hidden location, we locked the pay channels on the cable box, but this internet thing came along and all of that is on there, we didnt lock the computer, or put it somewhere hidden, or the router, or the modem, we didnt lock the box for the service dropline, or for the starlink terminal, we decided to complain until pushing the entire service for everyone into the lock up, not only the kids.

Comment by ipython 3 days ago

How does that work in practice? I've tried to do this at home. It doesn't work at all. It's not the 90s any more- there isn't one PC sitting on a desk with a modem attached to a phone line that you need to wait for 30 seconds to dial up and establish a connection before you're online...

Now you have ubiquitous WiFi and cellular connectivity across dozens of devices in a typical household. Even refrigerators have built in web browsers now. Parental controls are a joke, treated as an afterthought at best - nonexistent at worst. Oh, and the school system provides your kids with a Chromebook with Internet access starting in elementary school.

It's victim blaming at its finest IMO. Yeah, we can all point fingers at the parents who sit their kids down with an iPad. But there's many of us who struggle to limit screen time, working against the profit motive of trillions of dollars of corporations. It's a losing battle.

Edit: crazy. Instead of providing an answer to my question of "how do you do this in practice" I get downvoted. Goes to show that there are no real solutions, just a bunch of morality police and victim blaming. Yes, parents are the victims here. The tools are inadequate and trillions of dollars of incentives are lined up against them.

Comment by johnnienaked 3 days ago

You want parents to parent? God speed and good luck

Comment by saghm 3 days ago

No, I think what they want is not to have the rest of us have to jump through hoops (and sacrifice privacy) to achieve the same thing. Some of us don't have kids (or live in a household with any), so passing a law that potentially limits our internet access to solve a "problem" that already is dubious is ridiculous.

Comment by johnnienaked 3 days ago

I couldn't agree more

Comment by saghm 3 days ago

Fair enough! I misunderstood your previous comment as implying that measures like this were needed due to the unlikelihood of parents enforcing this. (There's probably a joke somewhere in here about "parent" comments as well, but I'm not clever enough to figure it out at the moment).

Comment by johnnienaked 2 days ago

Absolutely not im never verifying my ID ever on the internet and I think it's not only an extreme overreach but will end up being ineffective as well.

While I think children need to be protected online, this won't but neither will trying to get parents to parent better

Comment by rzerowan 3 days ago

Paradoxically this is one of those features/requirements that i feel should be on the end-user-device with zero knowledge proof.

It would make sense to have the enduser verification ondevice with a simple reply to any online property : Passed age verification/or not.

Otherwise the centralization and eventual leak of this data is a can of worms in waiting.

Comment by Bender 3 days ago

Here [1] is the zero knowledge solution. It has existed for ages but not adopted likely due to not providing a name, SSN, location and credit card. No third parties, no dependency on CDN's, no sharing or leaking ... anything.

Given that solution is unlikely to be legislated into action I would suggest people are just going to share adult content on Usenet, Tor, P2P, within G/PG rated video games by plonking down a virtual theater and streaming from a throw-away VM and fully automating syncing with LFTP+mirror+SFTP, sharing USB NVME drives, mobile ephemeral websites over WiFi and other methods when people get tired of this Top/Bottom relationship lobbyists want us to participate in. As a plus side, driving people underground means zero tracking, rules, taxes, obligations, leaking email addresses, etc...

[1] - https://news.ycombinator.com/item?id=46152074

Comment by danaris 3 days ago

Any on-device solution that simply sends back a yes/no result as you describe is guaranteed to have one of two problems:

1) It is vulnerable to modifications and hacks on the local device that get it to send back a "yes" result without actually verifying anything

2) It requires the device to use some kind of closed, proprietary system that allows the service to guarantee that #1 cannot happen

Now, in general, the tech world is pretty happy to accept #2, but many of the people around here would object to it on very reasonable grounds.

Comment by mariusor 3 days ago

I think that the improved version of age verification is to ask the yes/no question to a government third party based on a signed payload that your local device offers the service. The government already has your identifying data, they only need to certify on behalf of which person the question is asked.

Comment by danaris 3 days ago

So then you're just back to the even more basic problem of "is the person using this device the same person that the payload was signed on behalf of?"

Comment by mariusor 3 days ago

Yep. But in my mind that's being mitigated by the real measure for identity proof, which is some type of electronic ids.

Comment by danaris 2 days ago

Which a) has a whole host of other concerns associated with it, and b) still does not solve that problem, because it's not at all hard for a child (especially a teenager!) to sneak their parent's ID, use it to authenticate for a service, then put it back.

After all, are most services going to require the ID to be present for every session? Or are they going to require a one-time authentication for the account?

Comment by knollimar 3 days ago

I don't want it in my hardware but I'd buy an accessory that does this.

Comment by danaris 3 days ago

Would you be OK with everyone who wants to browse the web unhindered being required to buy an accessory that does this...?

Comment by baby_souffle 3 days ago

And if it’s such a high adoption rate for an “optional” accessory, may as well just build it right in…

Oh look, we’re back where we started. The only winning move is to not play.

Comment by rzerowan 3 days ago

I mean most mobile devices have already accepted closed ROMs in their baseband and all/most browsers that try to interact with streaming sits require Widevine . As longas its going to hapen one way or another better it be local , and not a gov thing or a monopoly.

At the end of the day the tool should be there enforcement down to the relevant local authorities or not.

Comment by danaris 2 days ago

OK, but what about your desktop computer?

Comment by vermon 3 days ago

EU implementation of age verification is actually base don zero knowledge proofs https://ageverification.dev/

Comment by popcornricecake 3 days ago

If I remember right, a problem with this is that you need to get those proofs by submitting your id or similar, you only get a limited amount of proofs at a time, they expire in maybe a few months, and you can only get them using a government specific app that is only for "secure" devices. Instead of being tracked by the site you're being tracked by the government, you now need a Google Android phone in order to browse adult sites on your PC, and depending on your habits you may need to re-show your id potentially multiple times a day unless you opt to being tracked by the sites instead.

It really should be just once that you need to show your id and then you should be able to generate as many proofs as you need whenever you need on any computer device, but they have an obsession on making very sure that it cannot be circumvented, as if it was insanely important.

Comment by sam_lowry_ 3 days ago

Isn't .dev a TLD operated by Google?

How European can it be?

This looks like a private consortium of usual suspects Tales and T-Systems squandering taxpayers money, not an official thing.

Comment by consp 3 days ago

Hasn't this been made "optional", aka not going to happen, in the digital wallet specification?

Comment by limagnolia 3 days ago

That page says ZKP are a "future roadmap" thing, to be maybe possible wink wink maybe implemented int he "future".

Currently, it does not implement ZKP, and further requires proprietary Google Play Integrity use, making it an absolute toxic cesspool.

Comment by 3 days ago

Comment by onetokeoverthe 3 days ago

[dead]

Comment by simion314 3 days ago

Exactly, on my Play Station I setup for my son I enter his real birthday, then Sony knows what can he do in the Store or chat etc. So we could have the big tech Apple, Google, Microsoft, Canonical ensure to make an idiot prof setup screen and the parent is responsible to set the age of the birthday of the child if they give a device to them . Then the store can be filtered and the browser can have a standard way of adding in the headers an age range or something.

Big tech did not want to cooperate to do this for some weird reason so now we get a much more complicated solution.

Yes I know that if your kid uses a live USB stick he could watch porn on his laptop but IMO is much easier for such a smart kid to find a website that does not respect the browser headers and torrent adult content.

Comment by 3rodents 3 days ago

I don’t like this article. Irrelevant technical nuance is comingled with a philosophical opposition. The technical issues are all solvable. The free speech argument is foolish too: if limiting who can jerk off to pornography is an issue of free speech, surely so is limiting who can enter a bar and converse with the patrons.

Opposition to ID checks because you believe the internet should be open and free is reasonable but this article twists itself into knots throwing everything at the wall. And it is reasonable to believe it is a free speech issue. But we can’t say, at the same time, that the same arguments don’t apply outside of the internet.

(Convenience stores scan ID, bars scan ID, hotels take copies of passports…)

Comment by pessimizer 3 days ago

> Convenience stores scan ID, bars scan ID

These are new things, not old things. The idea that stores and bars should be able to record for all eternity the identities of the people who have purchased things from them is just as much of a horror. They can sell that information to anyone.

> hotels take copies of passports…

This is not really a new thing, although it is a fairly new thing (i.e. within the last 40 years, since cheap enough photocopiers.) But it comes from laws about keeping track of who is staying in temporary accommodation, 100 years ago you would have had to sign the register.

Comment by cwmoore 3 days ago

I am not that fond of stores scanning my ID data either. I’m over 21, there’s no question about it. Per policy, they’ll have my name and address in some log too, and with my photos and gait on camera and probably my license plates. What does all of that do for me? Are you safer because I am being recorded?

I like the (disputed) comment elsewhere on this page, requiring parents to parent. They aren’t my kids.

Comment by morgan814 3 days ago

If you have the money definitely get yourself a passport card. Stores can’t scan them and they only contain a pointer to personal info in some government database.

Comment by Ajedi32 3 days ago

The free speech argument is that these ID checks aren't just being applied to porn sites; there's a push to make social media websites (probably the largest hubs of free speech in the modern world) do them too. That's a much bigger deal. It'd be like if you had to show your ID to a police officer in order to enter exit your front door.

Comment by Palmik 3 days ago

If age verification has to be a thing (which isn't necessarily clear), then it should be up to the client to provide age indication to the server.

It could be through a header, or something like this: https://developer.chrome.com/blog/digital-credentials-api-or...

However, I have the feeling that none of these solutions will get wide enough buy in and adoption to be a viable solution to website owners.

Comment by delusional 3 days ago

Are we to assume that the people at the EFF haven't heard of how European nations, like Denmark, are building government infrastructure to verify your age without disclosing sensitive information?

Are we also at assume that the EFF fail to see the similarity of age-gating porn websites and age-gating entrance to strip clubs?

That doesn't seem likely to me, and I find it way more likely that the EFF is purposefully excluding the best argument against their chosen position.

Comment by GlobalFrog 3 days ago

The core issue here, as often, is that it pits ethical and economic concerns against one another. There has been a systemic choice by web/tech companies to prioritize maximum profit, often at the expense of necessary user support and compliance. Because of that, user support/relations are deficient and there is little accountability for what they're doing, even if, as we often read here, a tech company cancels user accounts, projects, or monetary accounts, without anyone or anywhere to appeal. Age verification presents the same problem. If companies maintained a professional, human-centered user relations function, they could implement a non-intrusive, real-time validation process. If we were in the real world, with for example a barman needing an ID, that single person could confirm the age without copying or indefinitely keeping the ID card. The digital equivalent would be a decent support representative who could conduct a live brief video interaction to confirm a user's age, without even storing a copy of the ID, and who could even require the parents to be there with the minors signing in. That would address both the need for verification and the data minimization problem. Yes, that would cost the companies a lot of money, but that would solve both problems at the same time: verifying the user's age and ensuring privacy. And guess what, the same person could also serve as an entry point for other issues that no one can really appeal against now, like the frozen accounts and other horror stories mentioned above. Yes, parental control is necessary, but it is insufficient. Zero-Knowledge Proof thingies could allow a device to validate parts of the process, but the possibilities of circumventing this are so enormous and endless that they look to me as completely insecure (and using a third party validating this adds another layer of trouble). The most effective way would be to reintroduce a human element in the process, but we have already given up, because we are at the mercy of the web companies due to their free tools. The governments trying to introduce some ethics to those processes are not the problem at all, they should be commended for that. We are the problem because we accept that what should be the web companies' responsibilities is not being fulfilled because we don't want them to make less money as we would lose some freebies. That's on us, not on the laws. So the answer to "Why isn't online age verification just like showing your ID in person?" is : because we collectively accept it is not exactly showing our ID in person.

Comment by johnnienaked 3 days ago

I'm never verifying my ID to access anything on the internet. I'll just stop using it.

Comment by catapart 3 days ago

That's kind of the point of all this. They force websites to enact the verification because they have leverage over businesses that they don't have over citizens, and then they expect that the citizens will hate it so much that they don't go to the "bad" sites at all. "Thank you for your cooperation!"

ETA: (accidental submit; sorry) I'm in the same boat! Not entering my ID information into any website, much less ones they've got on the list. And so they've successfully boxed us in. At least for me, I intend to raise hell about it aside from just not sharing PIA, but I don't have any delusions of it's effect.

Comment by johnnienaked 3 days ago

The internet as well as Facebook and most AI all used to be DARPA/CIA/InQTel projects so this isn't surprising

Comment by magicalhippo 3 days ago

Discussion on the mentioned age verification hub here: https://news.ycombinator.com/item?id=46223389

Comment by Havoc 3 days ago

This tries to make a logical argument against an attack that isn’t that - it’s linked to age and „think of the children“ precisely because it isn’t really disprovable and anyone daring to take a stance against it can be hit with a „oh so you’re against protecting children“.

Scratch out the age in „online age verification“ and you get to real reason

Comment by jagoff 3 days ago

It's not about age verification and it never was, that is a distraction at best and a delusion at worst. This is about tying your real name to all of your online activities, and about getting the current generation of children used to it and accepting of it before they reach voting age.

Comment by minusLik 3 days ago

This. The German government issues electronic IDs which can provide proof of age in a privacy-saving way, but I've never seen that being used in the wild.

Comment by Simulacra 3 days ago

I would counter that they already have that. Would go so far to say that the government knows pretty much everything you do online by name. What they can't control, it's access. I think the reason for this is for an eventual license to get on the Internet. The same way you need a license to drive a car, you will need a license tied to your real identity, to use the Internet.

Comment by taylodl 3 days ago

BINGO!!!

Comment by earlyreturns 3 days ago

Just make the isp the gateway. Nobody under 18 needs the internet. If a parent lets their kid onto the internet, prosecute the parent. It’s pretty simple really. People just want to pretend it’s harder than it is because they have some conflict because removing under 18 from the net cuts into profits or makes it harder to parent. Boo hoo.