this post was submitted on 09 Mar 2026
43 points (95.7% liked)

Ask Lemmy

38431 readers
1414 users here now

A Fediverse community for open-ended, thought provoking questions

Rules: (interactive)

1) Be nice and; have funDoxxing, trolling, sealioning, racism, toxicity and dog-whistling are not welcomed in AskLemmy. Remember what your mother said: if you can't say something nice, don't say anything at all. In addition, the site-wide Lemmy.world terms of service also apply here. Please familiarize yourself with them

2) All posts must end with a '?'This is sort of like Jeopardy. Please phrase all post titles in the form of a proper question ending with ?

3) No spamPlease do not flood the community with nonsense. Actual suspected spammers will be banned on site. No astroturfing.

4) NSFW is okay, within reasonJust remember to tag posts with either a content warning or a [NSFW] tag. Overtly sexual posts are not allowed, please direct them to either !asklemmyafterdark@lemmy.world or !asklemmynsfw@lemmynsfw.com. NSFW comments should be restricted to posts tagged [NSFW].

5) This is not a support community.
It is not a place for 'how do I?', type questions. If you have any questions regarding the site itself or would like to report a community, please direct them to Lemmy.world Support or email info@lemmy.world. For other questions check our partnered communities list, or use the search function.

6) No US Politics.
Please don't post about current US Politics. If you need to do this, try !politicaldiscussion@lemmy.world or !askusa@discuss.online

Reminder: The terms of service apply here too.

Partnered Communities:

Tech Support

No Stupid Questions

You Should Know

Reddit

Jokes

Ask Ouija

Logo design credit goes to: tubbadu

founded 2 years ago
MODERATORS
Bluetreefrog@lemmy.world
TheSaneWriter@lemm.ee
TheSaneWriter@lemmy.thesanewriter.com
Asudox@lemmy.world
lemmy_bot@lemmy.world
beefbaby182@lemmy.world
ModeratorCan@lemmy.world
neidu3@sh.itjust.works
asudox@lemmy.asudox.dev
candyman337@lemmy.world
candyman337@sh.itjust.works
43
Is private age verification technically possible and if so how? (lemmy.world)
submitted 1 day ago by TechLich@lemmy.world to c/asklemmy@lemmy.world
68 comments fedilink hide all child comments
 

With many jurisdictions introducing age verification laws for various things on the internet, a lot of questions have come up about implementation and privacy. I haven't seen anyone come up with a real working example of how to implement it technically/cryptographically that don't have any major flaws.

Setting aside the ethics of age verification and whether or not it's a good idea - is it technically possible to accurately verify someone's age while respecting their privacy and if so how?

For an implementation to work, it should:

  • Let the service know that the user is an adult by providing a verifiable proof of adulthood (eg. A proof that's signed by a trusted authority/government)
  • Not let the service know any other information about the user besides what they already learn through http or TCP/IP
  • Not let a government or age verification authority know whenever a user is accessing 18+ content
  • Make it difficult or impossible for a child to fake a proof of adulthood, eg. By downloading an already verified anonymous signing key shared by an adult, etc.
  • Be simple enough to implement that non-technical people can do it without difficulty and without purchasing bespoke hardware
  • Ideally not requiring any long term storage of personal information by a government or verification authority that could be compromised in a data breach

I think the first two points are fairly simple (lots of possible implementations with zero-knowledge proofs and anonymous signing keys, credentials with partial disclosure, authenticating with a trusted age verification system, etc. etc.)

The rest of the points are the difficult ones. Some children will circumvent any system (eg. By getting an adult to log in for them) but a working system should deter most children and require more than a quick download or a web search for instructions on how to circumvent.

The last point might already be a lost cause depending on your government, so unfortunately it's probably not as important.

top 50 comments
sorted by: hot top controversial new old
[–] Mesa@programming.dev 4 points 9 hours ago (1 children)

Wrote a comment recently. Age verification? Unnecessary. OS-level parental controls? Possibly meriting.

https://programming.dev/comment/22589550

I am still against where all this age verification crap is coming from, and I'm against what specifically "age verification" entails; but here's the thing: We keep saying, "It should be the parent's responsibility to secure their kids"—and while that's true, you can do all the talking and educating you want, but the fact is that the internet is now nigh-fully integrated with our lives, and unless you are surveilling your kid at every moment they are on the internet (don't recommend), not every parent has the time, resources, or know-how to keep their children safe on the internet without help.

There are some states pushing for "OS-level age verification," and I'm not convinced the proponents for this idea know what this combination of words means—but the idea isn't all bad. An interface for apps to query the device for a simple "can access adult content" value would be helpful for parents to better manage what their kids can access without having to hover 24/7. There is zero need for any sort of identification at any point in the process. The fact that legislation is promoting cumbersome identification collection and not the already existing idea of parental controls is evidence enough that this is designed to surveil.

This may address the privacy concern, but the issue still remains of a centralized power deciding what is and what isn't "safe for kids."

I don't think we're gonna get around the child internet safety conversation, and for good reason; but the conversation should be around how we can do it without jeopardizing individuals' safety and privacy, including children.

[–] dogs0n@sh.itjust.works 3 points 9 hours ago (1 children)

That's what the router setting to block adult websites is for... you don't have to monitor 24/7, have some idea that bad sites are blocked, and you can just be doing regular checkups on your child then.

There is and was never a need to involve IDs, other than more control over us as a whole and being able to extract more data.

[–] Mesa@programming.dev 1 points 7 hours ago

I think maybe the barrier could be a little higher than just disconnecting from your home's network.

If we were to accept the premise that there is currently an issue with child internet safety, then clearly this still an issue despite the existence of router controls. But now the question of if this premise is valid. What do you look at to determine whether "internet safety for children" is adequate? I don't really know, and so I guess I have more reading to do.

I was gonna say something about PSAs, but no time.

[–] parlaptie@feddit.org 8 points 12 hours ago

The problem with this question is assuming that violating privacy isn't the entire point of age verification laws.

[–] sturmblast@lemmy.world 2 points 9 hours ago

I have never seen a company do this in a manner that I would trust

[–] mech@feddit.org 22 points 1 day ago (2 children)

The German government ID card has an age verification function:
It only sends one bit to the requesting service: Yes, over 18 or No, not over 18.
And it doesn't transmit back or store any data, so the state doesn't know what services you access.
Since you are required to have an ID card and the state knows your age, this would be a pretty good option (in Germany).

[–] PosiePoser@feddit.org 8 points 1 day ago (2 children)

Yeah this. I don't know why people are trying to make this into some incredibly complicated multi step process.

[–] Skankhunt420@sh.itjust.works 1 points 7 hours ago

I can't speak for every government in the world, but as far as the major ones go, USA, Russia, China - I have less than zero percent trust in any of their companies to handle my data in a private and safe way.

It just isn't happening. They will dissect it, sell the data points they can, surveil you with the other data points, train AI with it and all kinds of other shenanigans. And most people know this.

That's why you can't just go right in to doing that, gotta help me adults think they're helping children and society at large first. Start with something small, just a small inconsequential right they lose ("Oh, I have to input my age to access this site") and then raise the stakes a little ("Oh, now I have to input my picture ID, ok")

Until it escalates into full inescapable 24/7 surveillance against you. And far from before that moment in time its already too late.

Once they implement this, its already too late.

[–] GreenKnight23@lemmy.world 9 points 23 hours ago

because it's the first step in a multi step attack on our privacy.

[–] TechLich@lemmy.world 3 points 1 day ago* (last edited 1 day ago) (1 children)

How does this work to protect privacy though? Wouldn't the site need to know who you are to be able to look you up with the government?

Or is it more like an SSO/Oauth callback style thing where you sign into the government and they send the "age bit" digitally signed and your browser gives it back the service? Either way the government would know when you're accessing 18+ material and possibly what specific site you're accessing? Or is there more to it?

[–] mech@feddit.org 10 points 1 day ago* (last edited 1 day ago) (2 children)

The site doesn't need to identify me, it only needs to know that a "Yes" bit was sent with a valid certificate from the government. And no data needs to be sent back to the government for that. The info is stored locally on a chip in the card.
If a child has access to my ID card, that's on me.

[–] TechLich@lemmy.world 1 points 15 hours ago* (last edited 14 hours ago)

Ah misread that it was card, not a service. That mostly works and is the same kind of thing as the other crypto solutions.

Though a bad actor could still set up a service with a legit card that provides government signed anonymous "yes" responses on demand.

I worry that the response will be to require an account and a full ID from it. Social media sites saying "we need to verify your identity to ensure you're an adult human and to combat bots. Scan your id card..."

Still one of the better technical solutions here though.

[–] XeroxCool@lemmy.world 2 points 1 day ago (1 children)

Can phones read this chip? What if you're on a standard computer?

[–] mech@feddit.org 3 points 1 day ago (1 children)

Yes, phones can read it.
For a standard computer, you'll need a USB RFID chip reader.

[–] Sv443@sh.itjust.works 3 points 10 hours ago

You can use your phone as the reader, I've had to do so many times to log into govt websites.

[–] Godnroc@lemmy.world 27 points 1 day ago (3 children)

You know how there are stores that sell restricted substances and verify your age by checking a provided ID? Have those same stores sell a cheap, sealed card with a confirmation code on it. You can enter that code online to verify any service. The code expires after a set period of time after it's first use to prevent sharing and misuse.

This system would be as secure as the restrictions on the restricted substance, such as alcohol, so it should be fine for "protecting the children"

[–] prex@aussie.zone 7 points 1 day ago

+1 At least in WA there are restrictions on licenced premises recording your ID, they are meant to just check it.

[–] FinjaminPoach@lemmy.world 7 points 1 day ago

Interesting idea. Could also give it out free with packs of beer like a golden ticket from Charlie And The Chocolate Factory.

And all across the whole world, 18 year old men will jump for joy when picking up birthday booze - "I can finally look at boobs on the internet!"

[–] bamboo@lemmy.blahaj.zone 2 points 1 day ago (1 children)

Were you ever a teenager? This would be abused immediately, unless the codes were single use, and in that case it's a non-starter.

[–] Godnroc@lemmy.world 8 points 1 day ago (1 children)

Yes, and one with unrestricted internet access. Can you elaborate on how someone underage would abuse this system? They can't buy one at the store, can't reuse one that has expired so finding one won't help, and if theft is a concern they would just need to be secured like any other restricted good. I would say it's at least as secure alcohol, tobacco, or firearms.

[–] bamboo@lemmy.blahaj.zone 1 points 1 day ago (1 children)

Alcohol / tobacco / firearms can't be digitally shared or reproduced. Imagine a high school with a mix of 14 - 18 year olds. If an 18 year old can get a valid code without hassle, they can share it with their friends who are in the same class, but are still 17. Or maybe they'll share it with a sibling who is 16. What's to stop it spreading from there? It will probably take just an hour for half of the school to get access to the one code. If the system assumes that kids won't directly or indirectly share their codes with one another, then the system doesn't understand teenage behavior and is flawed.

[–] PosiePoser@feddit.org 6 points 1 day ago* (last edited 1 day ago) (1 children)

So... the same flaw we abused to have our older friends buy us booze and cigarettes when we were underage lol I'll still take it. You're not going to get a perfect solution that works all the time. Point is HARM REDUCTION.

REDUCTION.

Not a perfect, flawless, impossible to abuse system. Just a system that helps to make it a bit more difficult and then hope that parents take care of the rest. Some will always still slip through, thems the breaks.

Yeesh I thought I was a nerd but reading some of the replies in this thread it's like some people never even thought how to get access to alcohol and smokes when they were underage. Never even mind porn. We had older friends buy us those magazines too.

[–] bamboo@lemmy.blahaj.zone 1 points 1 day ago (1 children)

But why create a system which inconveniences everyone, introduces privacy leakage, and which would be inadequate to curb the problem? Sure the comparison with booze and cigarettes at point of sale sounds like it accomplishes the same thing to restrict access to adults, but one kid buying a six pack with a fake ID can only share it with a few friends, and if they try to buy multiple kegs for a party with the whole school, there's is probably some more scrutiny, and of course the cost, which makes it unlikely. Compare this to a code which could be texted to an entire class the moment someone gets their hand on one.

And from an implementation side, if platforms and services exist which don't comply with the law, for example 4chan [https://www.ofcom.org.uk/online-safety/illegal-and-harmful-content/investigation-into-4chan-and-its-compliance-with-duties-to-protect-its-users-from-illegal-content], then implementing these restrictions will just push kids to the unregulated platforms. It'll have the unintended outcomes, and take away the controls from the parents, which will do more harm than good.

[–] PosiePoser@feddit.org 1 points 10 hours ago

I'd do what we're already doing: https://feddit.org/post/26849555/11924777 though this card idea might work too for the sake of data privacy. Not so much for face-to-face privacy, same problem when we got porn on magazines. Let's remember that buying adults goods with the intent to distribute to kids is punishable too. If some 18 year old goes to the store and buys 30 "I'm an adult" cards, there's a good chance the clerk's gonna put a stop to that. After that it becomes effort vs. benefit. Does one really want to go to several different stores to buy multiple cards to sell them for a slight markup? With the threat of getting caught and being charged? There's always the slight embarrassment factor too. Of course adult access could mean a lot of others things than porn too but let's face it: that's what people are going to think, and that's what people are going to think people are going to think.

Again, the magic word is reduction.

There will always be sites that won't comply with any solution, there are p2p sharing methods, TOR and all that. There are always going to be nerdy kids who find their way to forbidden content. But that then becomes easier for parents to keep an eye on. Maybe get the kid off the device more so they simply won't have the opportunity to figure it out. Make sure they only access sites that are in compliance etc. Still not a 100% fool proof solution but again, the point is reduction.

[–] one_old_coder@piefed.social 28 points 1 day ago (6 children)

I'm pretty sure there is already a cryptographic protocol that can do this, but that's not the point. We do NOT need age verification in software, it makes no sense. We need parents to take care of their own children because why would open-source software do the job of failed parenting? It's a social issue, not something that can be solved with technology. Or we would have put shock-collars in every kids when they don't behave.

[–] Voidian@lemmy.dbzer0.com 15 points 1 day ago* (last edited 1 day ago) (6 children)

Great idea, let's get parents to raise their kids.

Now, how do we suddenly make them actually do that? Last I checked this idea has been around about as long as people have been around but it's still not happening.

Parenting matters, but it’s not the only layer of protection. We don’t rely solely on parents to keep kids from walking into bars or buying cigarettes, we have laws and systems to back them up. Why should the internet be different?

[–] dogs0n@sh.itjust.works 1 points 9 hours ago* (last edited 9 hours ago)

Let's not pretend that these laws actually do protect children..

There is always a way around something and if there's any population to figure it out, it's the ones with the most free time.

The difference between going to a bar and using the internet: Showing your ID at a bar doesn't mean it's stored on some server possibly ready to be stolen by hackers. It also doesn't automatically link all of your user data to your id (like it does right now) and make it easier to track your movements everywhere you go.

These laws help no one except the elite. They restrict us, limit access to information and eventually cause our data to be comprimised.

Bad parents exist, but does that mean we lockdown the most expansive knowledge base for everyone? I don't believe this will stop any children of bad parents from being exposed to horrible things online. Age gates don't stop that (because they either get bypassed or another site exposes even worse stuff without the age gate).

[–] Waveform@multiverse.soulism.net 11 points 1 day ago

You see, if we tell parents that it's actually super important that they raise their kids, I'm sure they will do it. Just like if we tell everyone that a vaccine for a dangerous disease is a really good idea, everyone will just settle down and go get it.

load more comments (4 replies)
load more comments (5 replies)
[–] psycotica0@lemmy.ca 10 points 1 day ago (1 children)

I'm not sure if this is part of the "setting aside" stuff, but I'd ask why age needs to be verified and not simply stated.

I'm the admin on this device, I say I'm 50, why does the website need to check some ID to prove I'm 50? They trust what I reported, and if I lied to them that's on me. It shouldn't be the websites job to validate.

[–] roofuskit@lemmy.world 4 points 1 day ago (3 children)

Exactly, it should be a parent's job to limit a child's access not a website.

[–] porcoesphino@mander.xyz 2 points 1 day ago (1 children)

Yes... liquor, guns, driving, and physical punishment should solely be parents choice. Wait... those caused issues and the government decided to mitigate some of the negative consequences?

[–] Omgpwnies@lemmy.world 4 points 1 day ago (1 children)

when you go to a website, do you drive to the website store and ask the salesperson for a copy? All of your examples are solved because there is real, in-person interaction as part of the process.

[–] porcoesphino@mander.xyz -1 points 18 hours ago

I wasn't replying to a comment about if this is solved or not, or the complexities of getting an outcome that most people are happy with. I replied to a comment that simplified the issue all the way to "it's the parent's choice".

Your comment is opening up new issues, that I agree make enforcement while respecting privacy more difficult (but that I personally don't think are insurmountable)

load more comments (2 replies)
[–] GreenKnight23@lemmy.world 2 points 22 hours ago (1 children)

for a moment, let's ignore all of the conspiratorial conjecture (not that it isn't warranted).

by exposing an API for web services to identify the users age/birthday, how does that solve the issue of "protecting children online".

what's stopping a bad actor from identifying, tracking, and grooming children directly based on this same mechanism?

right now the majority of kids online are protected through anonymity, but once they are identified they can be targeted directly and the adults responsible for their well being are blissfully unaware because "the government is tracking their age".

also. what comes next is worse than the date. online content ratings. because there's no point in tracking age if you can't apply a ratings system.

Imagine entire swaths of the internet banned because the content rating doesn't meet the government requirements.

this is less about tracking users and more about censoring dissent.

[–] TechLich@lemmy.world 1 points 15 hours ago

I agree, although in this thread I'm mostly interested in the technical puzzle.

[–] Voidian@lemmy.dbzer0.com 11 points 1 day ago* (last edited 1 day ago)

Despite our current parliament sucking ass, I still have some general trust in my country's government (and culture). So with that in mind:

Our government bodies already have my basic data. Healthcare, census etc. and we use our online banking services to verify identity when accessing the data. It's simple, and extremely widely used. I really don't see why it would be so hard to make a relatively simple service that just gives sites that need to know a yes or no answer on if I'm over 18. They don't need to know my birth date or any other information.

Not let a government or age verification authority know whenever a user is accessing 18+ content

This should be possible but of course the question is if one trusts the government to actually uphold this. Again, with my background, it's a bit easier for me to speak.

Make it difficult or impossible for a child to fake a proof of adulthood, eg. By downloading an already verified anonymous signing key shared by an adult, etc.

You'll never patch all the holes. In a perfect world, we wouldn't be having this conversation. In a perfect world, parents would actually parent their kids and monitor their internet use. Access to adult content doesn't even come close to being the biggest problem in many cases where some kids parents are fucking up their duties. Drugs, gangs, petty (and not so petty) crime comes to mind. Collective responsibility would be great but since we don't live in a perfect world where everyone can just agree to a good idea like "take responsibility of your kids", I'll settle for trusting a democratic government to have some capacity to pick up those that fall.

I happen to agree with age verification laws. This is a tangent but I would also go a step further in saying that MAINSTREAM internet should not be possible to use without verifying that the user is a real individual person. This would be another yes/no question via a service. Outwardly they don't have to reveal their identity but even JizzMcCumsocks needs to have a backend verification as a real person. Basically, if any government member uses some service with their own name and has a verification about that, that service must also have a way of verifying that any user is a real person. We have given Xitter way too much power and at the same time, allowed anonymity. Meta services too of course but I think Xitter is one of the worst due to easy and straight forward use. Humanity has shown, that we are not equipped to handle the kind of (mis)information flow there is in these spaces. Spaces such as Lemmy can and should operate in full anonymity, as there are natural barriers to entry here, plus it's less appealing when it's not even really intended for the kind of use mainstream social media sites are. Here we have a collective and individual responsibility to account for the anonymity and the challenges it brings.

[–] Passerby6497@lemmy.world 3 points 1 day ago (1 children)

Why prove it at all?? An assertion from the OS should be good enough Just have the OS ask once, and send that info when it has to as a general age range. A few different age ranges for kids/teens, an 18-21 group, and 21+ is all the info they really need at most.

If age verification has to be a thing, let the user supply it at install/profile creation time, and just leave it at that.

[–] bamboo@lemmy.blahaj.zone 4 points 1 day ago

This is the way. I think this is what Apple is finally implementing, but since they took too long to do so, governments have been passing laws which require privacy invasive measures that fill the void. Hard to say if that will reverse itself now that there's a whole age-verification industry that popped up. Actually it's unclear to me if the age-verification industry manufactured a problem to push their solution?

Had Apple implemented this in their Parental Controls setting, it would have avoided the government intervention and shady age-verification companies from popping up.

[–] crwth@piefed.zip 3 points 1 day ago (1 children)
  1. Apply for access to age-gated content.
  2. Ignore application for 18 years.
  3. Your account has been approved.
[–] TechLich@lemmy.world 2 points 1 day ago

This is the first perfect solution I've heard!

Granted it's a little slow but it meets all the requirements xD

[–] rowinxavier@lemmy.world 2 points 1 day ago

There are a few options for age verification, but the one I like best is at the ISP/device level. You make the account at the ISP level have a flag for being a kid friendly service. You could also have the government establish simple tools for parents to install on their kids devices which would limit other apps and services, for example by blocking porn or violent age inappropriate content. You could even have it tie in with the age advice for film classification, though the current classification guidelines are pretty horrible. All of that could be handled by a very small government team and could be deliverable in 6 months.

These are active steps a parent can take to limit their child's exposure to the internet and do not come with added cost to the parent. They would be just as available for someone who is poor as for someone who is rich. It would be possible to protect kids from many of the more dangerous aspects of the internet while also leaving unmanaged devices free and clear, preserving the good things about the open internet.

[–] Naryaskant@lemmy.today 3 points 1 day ago

This thread is going to be great for learning to spot https://en.wikipedia.org/wiki/Nirvana_fallacy

load more comments
view more: next ›