From my understanding this age verification app seems to be based on the age verification blueprint they have been working on for a while now, which is supposed to be part of the European “digital wallet”
https://digital-strategy.ec.europa.eu/en/policies/eu-age-verification
From my understanding it works as follows:
- There will be a central “authority”, with which you can identify
- This authority will provide you with tokens indicating you are 18+ (or whatever age verfication you may need)
- These tokens are stored locally, and contain no identifying information other than a simple “is this guy 18+?”
- You can use these tokens to verify age with a website that requires age verification
This solution does seemingly address my two greatest concern with online age verficiation:
- You cannot trust the website, so they only get the information they need. They don’t get any identifiable information
- You cannot trust the authority, so they don’t get to know for which websites and for what reason you request 18+ tokens
Assuming that this blueprint is followed, it seems like a decent approach at online age verification.
I get why this sounds better than websites directly collecting IDs, but I think it still understates the problem. Even if the site only sees “18+”, the system still begins with strong identity proofing somewhere upstream. So this is not really anonymous access, it is identity-based access with a privacy layer on top.
The bigger issue is centralization. You still need trusted issuers, approved apps, approved standards, and authorities deciding who can participate. That means users are being asked to trust a centralized framework not to expand, not to abuse its power, and not to fail. History gives us no reason to be relaxed about that.
I am also skeptical of the privacy promises. These systems are always presented in their ideal form, but real-world implementations involve metadata, logging, renewal, compliance rules, vendors, and future policy changes. “The website does not know who you are” is only one small part of the privacy question.
So even in the best-case version, this is still dangerous because it normalizes the idea that access to lawful online content should depend on credentials issued inside a centrally governed identity ecosystem. Today it is age verification. Tomorrow it is broader permissioned access to the internet. That is why I do not see this as a decent compromise, but as infrastructure for future control.
Also once they get their foot in the door, they can remove the privacy next time they want to unmask someone online saying “I support Palestine action”
-“You want to crack down on dissent? We got a token for that.”
Apple or something.
I do see your concerns as valid. But at least in my country, we already have all of that.
I have an app I use to id myself to all sorts of stuff. Almost all of us has that. All the changes you mention are not changes, we have already had that for years. The new thing is that you don’t give your id to the website.
Just like during the pandemic, we had an app to prove our vaccination status, without revealing id. Before that we had to prove id, and then they looked up vaccination status.
Sweden or Estonia?
Probably Denmark, given the username. Denmark is also the only one of the Scandinavian countries to have the authentication provided by a national agency, while Sweden and Norway have it provided by the banks.
As far as I understand, there’s no need for “verified apps”. The third party just verifies your token with the emitter.
The skepticism is very understandable. It is important to scrutinise solutions like this to make sure that they indeed do as they say they do, and to make sure the government doesn’t overreach with their authority.
That said, it should also be possible for laws to be enforced, and there are laws on the books that are supposed to prevent children from accessing things that we as a society have agreed they have no business accessing (alcohol, tabacco, porn, and increasingly commonly social media)
Currently there is no good method to actually enforce those laws on the internet, so there needs to be a solution for that.
I think this form of age verification may be a decent compromise between privacy and the need to enforce these existing laws.Edit: Typo. I wrote “they” instead of “that”
I think the disagreement comes from treating “we have laws” as automatically meaning “we must enforce them everywhere at any cost.” The method matters. This approach flips the burden of proof by treating everyone as a minor unless they prove otherwise. That is a pretty extreme shift from how things normally work in the real world.
We also shouldn’t pretend this actually solves the problem. Kids got access to adult magazines before, and they will get access now through a parent’s phone, shared devices, or older friends. If that’s the target, this kind of system is mostly symbolic while adding friction and control for everyone else.
And more importantly, it normalizes something much bigger. Once you accept that accessing legal content requires proving attributes through some approved system, it becomes very easy to expand that logic. Today it’s age. Tomorrow it can be anything else.
So I don’t see this as a balanced compromise. It’s a disproportionate response to an enforcement gap, with long-term consequences that go way beyond the original problem.
I don’t think laws should be enforced at any cost, but if we can reasonably enforce laws I think there is a duty to do so.
Then there is also a different question of whether we agree with the laws on the books, but that is a different matter imo. Personally I don’t think we should limit access to pornography as strictly as the laws says we should, and I don’t think the ills of social media are solved with a simple age limit.
But that is a separate discussion from the implementation of a (in my eyes) reasonable approach to age verification
I don’t think it’s entirely a separate issue, because how a law is enforced is part of evaluating whether it makes sense in practice.
If a law can only be enforced by treating everyone as a minor until proven otherwise, that’s a strong signal that the law, or at least its scope, may be flawed.
Why are all 4 of those in one category, who.decided that all if a sudden?
This is the intelligent non-invasive way to implement this. Basically using a similar cryptographic signing scheme as SSL certificates. We’ve known how to do this for decades.
Hi. This system doesn’t have the cryptographic properties that you think it does. The authority could keep a map between tokens and real IDs. They just say they don’t.
The big problem is the trustworthiness of that central authority to maintain the confidentiality of your information, and to not use it for other purposes.
Which they of course will not.
The central authority is basically my government. They already know.
They already know how often you do all the things you have to be over a certain age to do?
This won’t tell them that.
A response I gave elsewhere in this thread.
This authority will provide you with tokens indicating you are 18+ (or whatever age verfication you may need) These tokens are stored locally, and contain no identifying information other than a simple “is this guy 18+?”
So they’re reusable? One token can be used for multiple age checks, right?
If not, then think about what that means.
- The token gets sent back to the authority for revocation.
- The token is authorised by the central authority as still valid.
- The token is uniquely identifiable
- The central authority knows who it issued each token for
- The central authority knows who has asked it the verify age.
Sure, the company you’re purchasing from may have no new information, but the central authority now has everything it needs to know:
- How often you buy tobacco, alcohol or medications
- What discussion boards you are a member of
- Have you purchased anything age restricted from any store (e.g. propane from a DIY store)
I don’t know how the system works, but that is definitely not how it’s supposed to work. I would not like to use a system like that.
See the problem is the central authority.
I don’t see a central authority (i.e. your government) issuing tokens, as much different from the government issuing you a ID card by which you can verify your age to buy alcohol in the supermarket.
As long as that central authority doesn’t get to know what I use the tokens for, it seems like an acceptable solution to me.
The difference is in the potential for creep.
The proposed implementation would actually be less invasive than a national ID card (assuming the implementation information provided is complete and accurate), but also usable in less scenarios.
AFAICT there is no provision for actually verifying the person using the app is the person who’s identity is verified in the app.
What’s to stop one person having a verified identity and just sharing it with the people around them once it’s been issued ?
As an example, with an ID card in a bar you need to match the photo, this digital system would be like turning up to a bar with an ID that had no picture or details on , but just said “over 18”, you could then hand this to a friend and they could also use it.
I personally think that if a system is mandatory then an easily circumventable verification system is the best choice , but such an easily circumventable system is exactly the kind of thing governments have used as an excuse to push for further encroachment.
Take the UK for example, the online safety act they have is easily circumvented with a VPN (which many people noted before it was implemented) the government basically stuck their head in the sand and claimed vpn’s weren’t widespread enough to be a problem.
Skip to now and they’ve got representatives looking to force vpn compliance with the online safety act without having the slightest clue about why that wouldn’t and can’t work the way they want.
A more suspicious person might suspect the attack on vpn usage was an expected part of the overall plan.
Even a less suspicious person could still see the direct line from one to the other.
I’m not saying they will, but if i were a betting person, I’d certainly put some money on it.
Too me one of the big issues is being able to trust a government or business to not trace a person’s identity back through the token. There are technical ways to prevent that as far as I’m aware, but there’s such a strong incentive against such protections that it’s really hard to trust unless you’re technologically skilled enough to verify the process yourself.
but whose the “central authority” that you have to provide your ID to? and what happens when that central authority inevitably gets hacked?
That central authority would, from my understanding, be your government. They already have your information, so if they get hacked you are already screwed ;)
But they could easily keep track of all the tokens they issued to you, and match them with services you use.
This has never been about protecting the kids. This is about mass surveillance.
This authority will provide you with tokens indicating you are 18+ (or whatever age verfication you may need) These tokens are stored locally, and contain no identifying information other than a simple “is this guy 18+?”
So they’re reusable? One token can be used for multiple age checks, right?
If not, then think about what that means.
- The token gets sent back to the authority for revocation.
- The token is authorised by the central authority as still valid.
- The token is uniquely identifiable
- The central authority knows who it issued each token for
- The central authority knows who has asked it the verify age.
Sure, the company you’re purchasing from may have no new information, but the central authority now has everything it needs to know:
- How often you buy tobacco, alcohol or medications
- What discussion boards you are a member of
- Have you purchased anything age restricted from any store (e.g. propane from a DIY store)
Not sure that’s necessarily true. I don’t see why it couldn’t work like this:
- request personal token from authority. it works similar to a certificate chain, your token is derived from a central certificate
- you store your token locally
- you visit an age-restricted website. you send your token (or a challenge encrypted with that token) back to the website
- the website verifies your token with the certificate from the authority, (like how literal Certificate Authorities work) . the CA doesn’t know when or why your token was used.
(fwiw I am sure governments will try their best to make this process less private)
Your step 4 will make the token reusable, or at least reusable within a time frame. If a token can only be used once there has to be some information flow back to a central approval authority.
This actually sounds pretty reasonable. Thanks for bringing it up.
On one hand this is an elegant solution that is already in use in Germany for years, if companies want to implement it that is. But I think only Sony’s Playstore uses it. Or so I have heard. No US company wants to use it and I am sure they will lobby to get more data from users than a token if this gets rolled out EU wide. I am skeptical about this.
We should not care about verifying age.
wdym? in general? on the internet?
bc that’s a hard disagree from my side as a blanket statement
Protection from media at the government level should not happen, that’s the slippery slope. Very few policies aside from educate children about topics, has ever actually helped a child. This shit is about data and overlord control. Devices should not have age verification.
Very little good comes from arbitrary control, particularly based on age, and always has been that way even on other topics that are age restricted. Education is a far more effective means, and doesn’t trample everyone.
Thanks for clarifying.
For the record, I think this mechanism is indeed far reaching, simply because the current criterion of “age” is arbitrary in the proposed mechanism.
Not sure if the “just education” part is realistic, though. The whole point is that children cannot make responsible decisions like adults can. We accept that for driving, sex, drugs and weapons.
Agreed they make irresponsible choices sometimes, and we can think that policy can protect them, but we have no control over most of those choices when it comes to seeking behavior. Driving starts at early teens a lot of places anyway, and cars can be stolen, and the cost barrier to entry is super high. There’re other separate regulations about weapons, and kids with weapons are already getting them from an adult or stealing them, barrier to entry is high for purchase. Sex you absolutely cannot control and thinking you can is absurd for germane topic of seeking behavior, barrier to entry is effectively zero. Drugs are illegal or stolen from the start so moot point.
The only way to really curb any of these seeking behaviors is to educate the child and give them some experience with it. Enforcing age barriers doesn’t really work much for these, why would digital age barriers do much for media or anything else? You make responsible people out of children by educating them and giving them responsibility experience to make better choices, and some will always have seeking behavior and age checks don’t really stop them… It just invades the privacy of the rest of us.
We definitely have some control over each of those points:
- We don’t let kids drive, the lowest driving age seems to be 15 and is usually 18: https://en.wikipedia.org/wiki/List_of_minimum_driving_ages. Kids obv would have access to their parents cars.
- Knives, Guns etc cannot be sold to children and I hope you would agree that this is a good thing.
- having sex shouldn’t be controlled but providing or paying for sex work, “adult” events, sex parties etc definitely should be restricted.
- Legal drugs (alcohol, tobacco, weed) should be restricted for children. Illegal drugs are indeed hard to specifically regulate but e. g. selling illegal substances to a minor should carry a higher sentence.
after typing all that out I wonder what we are even debating. those are obvious examples to me where actual restriction is necessary. and to cycle back to the start, why would media be fundamentally exempt from that?
Personally I have two problems with this :
- Can’t those tokens be used for cross-site tracking ?
But more importantly :
- I don’t care if the implementation is technically perfect. I refuse to verify my age on principle.
Could even have an OAuth flow that only provides a service unique key that the service can use to call the central authority to confirm the user is 18+ and nothing else, I always thought this would be the second best solution
Finally a sane approach to online age verification
or rather their foot at the door. they just need SOMETHING and once they get started they can just keep making things worse. its never about protecting kids.
There is no such thing
If they are so dead set on protecting children, I suggest starting with:
Gaza Strip and the West Bank (Palestine) Ukraine Sudan Myanmar Democratic Republic of the Congo (DRC) Syria Yemen Ethiopia Afghanistan Haiti Niger Mali Burkina Faso
Zuks wallet will do just fine in the mean time
Can we stop pretend they give a single fuck about kids?
Edit: poor choice of words. Thats the only thing they give kids.
What a relief that would be. “We are compromising your personal rights with protecting children as a cover, children safety has nothing to do with it, in fact we don’t give a single fuck about anything but revenue. It sounds better to save children than revenue”
bad title, this isnt about protecting kids online
this isnt about protecting kids online
It never is, but they always try to sell unpopular things as “protecting the kids”.
The motives are irrelevant. This will destroy the internet as we know it and disempower citizens. I can’t help but wonder if the empowerment LLMs may have to an individual is terrifying leaders into an authoritarian mindset, finally demanding to be able to know and track what we do online, everywhere we do it. This is about protecting their ability to rule, not children from harm.
I can’t help but wonder if the empowerment LLMs may have to an individual is terrifying leaders into an authoritarian mindset
LLMs are here to enrich the rich, not to “empower the individual”. They require ridiculously expensive computing power, which makes them impractical or even impossible to self-host (with data centers buying up the market, the required hardware becomes unaffordable to the individual). Now you’re at the mercy of renting out the compute from the oligarchs and their companies, and you’re also relying on their censored and biased models (see Grok and his “Mecha-Hitler” antics if you want a taste of the future). Please don’t expect that to empower you, or anyone else. It can’t, and even if it could, it wouldn’t be available to you.
Unless we democratise LLMs, they’ll just become yet another tool of enslavement in the clutches of the Epstein class.
It could greatly boost the use of decentralized apps. Which will ultimately give people more power than they have right now. So in the long run, it might have some positive side effects.
Cracking down on decetralized apps will be the next logical step
How would they do such a thing? Require every open port on every internet connected device to be registered? Disallow https and implement full scale layer 7 scanning?
No, they will expand the mandates for providers to filter traffic. Everything ultimately goes through a handful of big ISP companies, so they will just make them comply with the filtration. It will not work great, even simple DPI is resource intensive, but when an ISP is ultimately at fault, they will have to find a way. And ultimately it doesn’t have to work all the time forever, it just need to degrade services enough so most people find it inconvenient to use. As a tool of control, it needs to prevent unwanted communication to be easy, this will ensure only the nerds will do it, and nobody cares about handful of nerds.
They don’t have to invent anything, that’s exactly how it works already in every country that controls their population and the internet in their country. It took Russia 8 years to transition from completely free unobstructed internet to everything being unavailable and everyone being used to it. Europe is way more capable technically, it will take most of the countries less.It is possible but doesn’t sound all that realistic to me. A truly decentralized app cannot be blocked by dns or endpoints. Thus a country would have to DPI the entire internet which is very resource intensive. And even then the data will be encrypted so you would have to resort to fingerprinting and finding patterns. From an age verification app to automatic data blocking based on deep packet inspection with fingerprinting of the entire internet - that seems quite a leap. Personally I don’t think decentralized apps are next in line to be blocked.
You’d be surprised how easy it is to ban specific protocols or apps, if you put your mind to it. DPI is dead easy this days. Again, Russian example is right there, the only thing that managed to resist the block so far was Telegram, because they’re doing some very advanced block avoidance. Russia is poor, and losing brains very quickly, a country with better equipment and people will not have this problem.
Yeah, it’s resource intensive, but that’s ISP’s job, and they have equipment and motivation already. Small ISPs if they still exist will die, but that’s just added bonus. And you don’t even need the complete blockage, you need to make it annoying enough to use so it’s not very popular, so most of the communication will happen on platforms that are under control. You can’t fight all the nerds, and you don’t need to.
It’s not a leap, it’s the only next logical step. A government doesn’t start carding everyone on the internet because they’re bored. They do it because they don’t want uncontrolled communication for some reason or another. “For the children”, of course, why else. That’s why everyone needs to have an ID app on their phone, and all the websites should be tied to it. It’s for the children.
Unlike most other age verification system, this doesn’t reveal any other personal information but your age. No credit card number, no personal id.
So I’m curious how you get to your conclusion?
In order to make sure that the age a person provided is real, the system will gather all that information anyway. I don’t know what you mean by “reveal”, but it will gather it. And that’s the main building block of the problem.
That system is basically the government. They already know.
No, that’s an app on your phone. That accumulates a ton of data in a way that didn’t exist before. The government knows I exist. Now it knows every website I’m visiting, and my identity on those sites. Now the new politician in my country decides to be a little bit more corrupt, and asks the app maintainer “hey, can you gather IDs and home addresses of all the people who criticized genocide online last couple of years, I would like to execute them publicly”, and they can do it with basically one sql equerry. The only defense against that will be “but that’s illegal, there are laws against that!”, which is shit defense nowadays.
I’m sorry, but have you read the technical documentation? The design is intentional created this way to avoid tracking.
You are issued a set of ZKP tokens that you hand back to websites. They cannot correlate these tokens back to you, nor can the operator of the system.
Now they could lie, of course, and violate the design (but being open source that’s a little harder), but if the government wanted to secretly track you, much more precise tools exist for this already.
That’s the stupid part, it doesn’t matter what it will look like at the beginning. It might be the best written documentation now, they can even implement the app correctly. The thing is, the jump from “people can use the internet” to “in order to access the internet you need to provide your government ID to your smartphone” is a big jump, one that can cost a politician career. The jump from “you need to use version 1.4.412 of the govenment id checker” to “you need to use version 2.0 of the Government Id Checker Plus” is minuscule. That’s where you introduce a persistent database of the tokens, somewhere on page 5 of the changelog. And only nerds care about that and nobody listens to them.
It’s so fucking easy, Russia did this exact gambit in 2017, Kazakhstan couple of years before.Ok, so it’s the slippery slope fallacy.
But that slippery slope, which it sounds like you believe us to be on, also applies to phone location tracking, credit cards payments, mobile phone train tickets, smart homes, smart cars, home CCTV etc etc.
Do you leave your phone at home, always pay with cash, don’t use any apps? Most people do these things on the basis that the government doesn’t wantonly have access to what we’ve bought online. Why is age gating so different?
At last a piece of code free of any flaw, any exploit, invulnerable to any known or unknown attack method!
Of course things can break and something might be able to refer back to you, until it gets fixed.
But if your argument is that “the standard is fine, but something might not quite work”, then the same argument applies to your phone’s location tracking, your debit/credit payments etc. The vast majority of us happily use systems on the basis that they are secure, until they’re not, and then things get fixed.
Your argument has to apply evenly.
Yes, all of that happens. That is a valid worry. Which is why they tried to avoid it.
Did you see how much they did to avoid this? Do you see a flaw in their solution?
Yes, the flaw in their solution is that they require the government ID to access the internet now. That’s the flaw.
Extrapolating from US decisions, like I would have done
The internet as we know it is a playground for billionaires to get richer. Good riddance.
And the new internet that is on the horizon will be the definitive establishment of these same billionaires as feudal lords.
deleted by creator
Liberals. It’s systemic like it has always been. As cathartic as it is to remember the French Revolution, it’s not like it worked and ended stratification and imperialism. Liberalism will always seek as much control as possible, and the internet has proven to be a huge fucking problem exactly because it is so impossible to control.
Exactly. Centrism, and the very idea that there is “moderation” to be sought between progressive ideals and back-assward conservatism, is a fucking plague. We all suffer because people don’t want to seem “extreme” and I’m fucking tired of it. We have to commit to being progressive and admit that all centrism has ever done is seek validation for and to normalize right-wing viewpoints long enough that we stop paying attention.
Only siths deal in absolutes.
Ok?
I’m also not talking about absolutes, unless you’re participating in relativistic politics that only care about ideologies in reference to other ideologies and is a practice used by people too stupid to form their own opinions about platforms they’ve actually looked into.
It was a quote from the star wars prequels
We all know that, it just doesn’t really fit here.
Lies
OK lib.
Found the cave man
The victors of WW2.
Wrong. This is to violate everyone’s rights and target children. This is fucking abhorrent and needs to be stopped.
How about being a fucking parent instead of letting the government do it?
The government isn’t doing shit except censorship and mass data surveillance. This has less than nothing to do with kids.
What if the kid’s parents let them be pro Palestine? Can’t let parent’s risk defense contractor’s profits
I get my porn from illegal download sites that aren’t interested in age-verification.
Like all Prohibition Policies, this is only going to push people toward more illegal outlets, which demonstrate more morality than the legal ones.
Or, as is the case with a lot of sex work, push people into more dangerous situations.
Lotta internet users are going to suddenly be from outside the EU, just like the UK population suddenly all moved to the Netherlands after their own version of this.
What? We got this too? I guess I accidentally dodged it.
Try checking Imgur from a UK IP
just like the UK population suddenly all moved to the Netherlands after their own version of this
Personally I prefer Switzerland lol
The pedophile class is tightening the noose
I don’t use apps from official software installation sources. I will boycott any site or service that asks me for unnecessary information.
Until you can’t because they will deploy this absolutely everywhere to “protect the children” from whatever real or imaginary threat.
It will be banking that is used as the wedge for this. You’ll have to use an approved device / OS / App to get access to the banking system. To protect the children.
I can use a phone to do business with my bank, dumb phone -> call number -> do banking, then again, I can also send up to $3k with no fee
I use the bank web site, with a hardware TAN generator. If no bank offers that option you can use a dedicated device that is used just for that. My bank’s app works on Graphene OS though.
We can always self-host. We’re using such a resource right now. Of course they can start blocking and persecuting, like they’re doing in Russia right now. At which point you should start learning about fpv drones as a hobby, particularly the fiber-optic kind.
still 99% of ppl especially youngsters use this bullshit social media and will fall for this spy company
Democracies: Hey we have to stop the onslaught of right wing populism
Also Democracies: Let’s push moral policies that right wing populists thrive on.
Ewww gross. Fuck age verification
If this is not the most crooked EU Comission ever, it’s a pretty close second.
It will help the pedophile class and Israeli backed oligarchs mass surveil us more effectively
