this post was submitted on 05 Apr 2026
610 points (99.4% liked)

Technology

83502 readers
3503 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
610
Group Pushing Age Verification Requirements for AI Turns Out to Be Sneakily Backed by OpenAI (gizmodo.com)
submitted 1 day ago by themachinestops@lemmy.dbzer0.com to c/technology@lemmy.world
48 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] fluffykittycat@slrpnk.net 2 points 1 day ago (4 children)

Not really, no. Nor do we want that

[–] NateNate60@lemmy.world 24 points 1 day ago* (last edited 1 day ago) (1 children)

It is possible to construct a zero-knowledge proof using cryptography and adapting existing digital ID infrastructure. A user can prove that they have knowledge of a private key tied to an adult's identification card without having to reveal the key, or the associated public key.

But that being said, whether something is possible and whether it is a good idea are two different questions.

[–] fluffykittycat@slrpnk.net 11 points 1 day ago (1 children)

I've never heard anyone explain how you can devise a system that is both Anonymous and immune to somebody handing out their zero knowledge proof tokens by the handful

[–] pazuzuzu@lemmy.nz 15 points 1 day ago (1 children)

Matthew Green the CS/cryptography professor is actively writing about this in fairly broad language https://blog.cryptographyengineering.com/2026/03/02/anonymous-credentials-an-illustrated-primer/

[–] Tiresia@slrpnk.net 8 points 1 day ago (1 children)

tl;dr: The "zero knowledge" proof could have a finite number of uses per block of time for each verifier, each of which represented by a unique single-use key. This way anyone sharing keys would be limited by that finite number of uses, and if people sharing this aren't coordinated they could end up re-using a single-use key.

If the encryption was stolen without their consent, this could tip a user off prompting them to invalidate the current set and get a new one. And if the verification is used to support a pseudonym like an account for an online service then instances of re-use could get flagged for moderators.

[–] a_gee_dizzle@lemmy.ca 1 points 1 day ago

This is interesting, thanks for sharing

[–] CosmoNova@lemmy.world 10 points 1 day ago (2 children)

What do you mean? The system already exists in Germany and whatever website or app asking if you‘re an adult will only get exactly that information. Not your face, not your name, not even your age. They will simply receive a verified Y/N from a government service. Needless to say no US company implemented it because they would miss out on a lot of sweet sweet data.

[–] Infernal_pizza@lemmy.dbzer0.com 12 points 1 day ago (1 children)

Surely that's not zero knowledge since the government can see every site you visit, which is the whole point of these laws anyway

[–] sbv@sh.itjust.works 0 points 1 day ago (2 children)

I can't speak to Germany's system, but there's no need for a site to tell the verification service its identity. If it just asks "is the current session authenticated to someone over 16" and gets an answer back. Identity of both parties remains secret.

[–] baltakatei@sopuli.xyz 3 points 22 hours ago

Theoretically, it's possible for the user to authenticate their age without either the site or service knowing the user's identity. Quick and dirty example:

There's a thing called a ring signature that allows one to prove that one of a large number of people digitally signed something. Let's say a million people all have private keys whose corresponding public keys are registered to a database after they flashed their state ID at a post office or something to prove they are ≥18 years of age. So, John Smith uses his private key plus all 1 million public keys to sign a statement that he sends to a server saying he's ≥18. The server then takes all 1 million public keys plus the signed message John provided and verifies that his signature is among the 1 million but cannot calculate which exact public key belongs to John. The verification process requires all 1 million public keys as input; you cannot, for example, try an omit each public key one-by-one to see which causes the verification process to fail.

Currently, there is ongoing research on how to make compact ring signatures since they can be very large the more public keys are involved.

https://en.wikipedia.org/wiki/Ring_signature

That said, even if you had scalable compact ring signature technology, I'd be more worried about advertiser deänonymization efforts once a user has logged in that check browser canvas size, IP address, user agent, font availability, etc. See https://coveryourtracks.eff.org/

Also, ring signatures for age verification don't actually verify age, just that someone proved their age at some point in the past to the owner of the public key database; just like an adult can log into YouTube on behalf of their children and let the children go to town, John could give anyone access to his private key regardless of age.

[–] Infernal_pizza@lemmy.dbzer0.com 6 points 1 day ago (1 children)

No need to, but no need for it not to either. And no way to verify it isn't beyond "trust me bro" and I don't trust them

[–] sbv@sh.itjust.works 1 points 1 day ago

no way to verify it isn't beyond "trust me bro" and I don't trust them

If the verification service is structured like oauth, then the request could be passed through the browser as signed plaintext. You could verify that the requesting site is only passing a minimum age request to the service. That would be as straightforward as viewing the interaction in your browser's debug tooling.

If you say that you don't trust the signature, and that it could be used to smuggle identifying information across, there's a couple of ways to deal with that: open source and audited provider governed by legislation; information theory that would show personally identifying information wouldn't fit into a field of that size; and "personal auditing" where you can try throwing data at the service to see if you can trick it into accepting invalid input (that really goes with the previous point, because the only field you can usefully vary is the signature).

[–] baltakatei@sopuli.xyz 2 points 1 day ago (1 children)

“Hey, Uncle, can I use your age tokens to do my research homework? The rich kids all get to use the entire Internet because their uncles let them ride their age credentials. Thanks!”

[–] pycorax@sh.itjust.works 0 points 1 day ago

I don't see how other methods aren't immune to this issue without asking you to do verification every day.

[–] raicon@lemmy.world 6 points 1 day ago

Actually its possible, but we do not want that

[–] RidcullyTheBrown@lemmy.world 1 points 1 day ago

It already exists, lots of institutions people work with know way more than just their age. They could really provide an anonymous way of validating someone's age without divulging their identity. This can also be done in such a way that the verification provider doesn't know the requester either so they don't have a way of tracking user habits