I have recently been asked by @panoptykon if it was possible to create an online age verification system that would not be a privacy nightmare.
I replied that yes, under certain assumptions, this is possible. And provided a rough sketch of such a system.
But privacy is not the only issue with systems like that:
https://rys.io/en/178.html
By the way, this is a first in a long time blogpost of mine that is both in PL and EN.
I don't use any LLMs to translate my bloggo, so you know that this is all organic, hand-made, artisan translation – and any and all bullshit is mine and mine alone. 
@lightspill that hazard extends way beyond just people under 18, and reasons for such exclusion extend way beyond "people being careful".
I dive a bit into that in the blogpost.
That protocol is simplified to the point where it makes no sense and thus we cannot really evaluate its security, but yeah, I was glad to see that you do get around to semi-acknowledging that a scheme like that would need to rely on some kind of service like Tor to begin to provide any semblance of privacy. Even then the central authority would have a record of it every time each of us hit an age gate, which is valuable metadata to be giving away whether or not it's probably just pornography.
Lots of people seem eager to claim that it can feasibly be done in a privacy-safe way but I still have yet to be convinced of it.
And it's all just to set up a new system of oppression with the other problems you mention. It seems utterly ridiculous.
One particular way in which the story makes no sense to me: The website wants to ask a question about "the visitor." How does it identify the visitor in its message to the central authority? If nothing prevents it, said visitor could simply pass the question on to Charlie's Web Age Verifier Bypass Service down the road which is in posession of an age-appropriate keypair, and relay the response in an automated fashion. How does one prevent that?
I mean it's not as if people wouldn't do it. Borrowing an older kid's ID to buy beer was commonplace when I was younger. Imagine if it could be done automatically, instantly, on a large scale. Shutting down The Pirate Bay is already nigh-impossible for the powers of law and order, it seems. Imagine if every kid had to use it if they wanted to connect to Instagram.
@kbal @panoptykon the website does not identify the visitor to the e-ID service, that's what the trusted app on the visitor's device is for.
The website provides a question and an URL to the trusted app. The trusted app sends a request containing the question, signed with the visitor's key, to the e-ID service. The e-ID service responds with a signed response also containing the question, to the trusted app. The trusted app then forwards that response to the website, using the URL.
@kbal @panoptykon the website knows it's a response related to this particular visit thanks to the nonce. And then verifies the signature on the response against a well-known long-term public key of the e-ID service.
Obviously the e-ID service is not any e-ID service. Perhaps it's government-run. Perhaps it is run by institutions that are somehow "anointed" by the government.
Okay, there is a nonce. Presumably it is negotiated somehow to prevent the Website from hiding any info in it. But then the question for the ID server is simply "Does a user who knows this nonce have access to a keypair indicating the right age range?" The user (i.e. the "trusted app" that is in their control) can then simply send that question off to Charlie or whoever and get the desired answer to relay to the Website without revealing to anyone any secrets of their own. The ID server has no way to know it was proving the age of the wrong person, the Website doesn't know who it actually got an age for, and neither can identify the actual user.
I think the people implementing these age verification schemes do want to try and defend against that sort of thing, because both the ones I've seen so far in reality (the one from Spain and some other thing a couple years ago that was closer to your idea) seem to have willingly sacrificed any semblance of privacy in their efforts to prevent it.
> The ID server has no way to know it was proving the age of the wrong person
Did you actually read the post?
The e-ID server knows who it is providing a response about, as the request from the trusted app is signed with the key associated with that person.
That key is authenticated by logging into that application through the e-ID service.
Okay I can imagine it being similar to a yubikey, albeit one with a totally new protocol along the lines of what you described. But it occurs to me that people wanting to share their age credentials with friends or strangers wouldn't actually need to give up the keys to anyone. People could run rate-limited age verifier relay services using their legit keypairs without having to compromise their ownership of those keys, similar to the way some people are willing to run bittorrent clients today.
If we assume that anyone who puts in a little effort being able to bypass this elaborate system is not a problem because it's only meant to deter people who can't be bothered, I guess it only remains to design the Tor-like service over which this will run and make it resistant to traffic analysis.
Anyway, thank you for being patient with my questions.
> the Website doesn't know who it actually got an age for
The website knows it got a response related to a specific request based on the nonce in the response. And that the response was signed by the e-ID service.
Can an adult let a kid into an age-gated website by scanning the code themselves in their own trusted app, and getting response for themselves? Sure. But any other age verification system would allow an adult to just pass their physical device to a kid after age verification.
@rysiek @panoptykon I enjoyed reading that write up, it clearly laid out your system.
But, age is (and has been used) as a proxy. Should you be able to drive at 16? Certainly age isn't really the best measure for this, but it's easy to implement.
Maybe we should be trying to unravel what we're really after when we do age verification and try to implement that instead (more of a legal question enabled by technology than a technology question.)
@scerruti and if you click through to @panoptykon's piece on that (first link in the post; in Polish, but auto-translation should work well), you will find a discussion of exactly these deeper issues:
https://panoptykon.org/dzieci-weryfikacja-wieku
I was asked about a specific thing, I provided the response (quoted in their piece), and then I wrote a blog post to dive deeper into this particular side of things.
@rysiek @panoptykon if we can't decide these issues, what is pornographic content and does it have to be the purpose of the site?
Could we blacklist the entire Internet unless you were age verified. And then could we somehow allow parents to whitelist specific sites for their children but still do it anonymously?
@sirobsidian @panoptykon maybe? it's an app that runs on the user's device, so it *could* implement a protocol like this. Is it open-source? Has it been audited?
Anyway, the point of the post wasn't to list all possible existing apps like that – only to give an example of what shape such a system could take.
Switzerland has an interesting proposition for a privacy preserving e-ID implementation: https://www.eid.admin.ch/en/
I hope people will understand the benefits of such a system and support it when voting. Unfortunately, a referendum (lead by anti-vax, etc) successfully collected 50k signatures against it.
The digital identity (e-ID) allows Swiss citizens and people with a Swiss residence permit to prove their identity online. The federal government will start issuing the e-ID in the swiyu wallet app in the third quarter of 2026 at the earliest. The Trust Infrastructure also allows other authorities and private individuals to issue electronic credentials.
@Kroppeb no, my "solution" is a thought experiment for @panoptykon so that they can explain to non-techies that such a system can be made in a privacy-preserving way. I mention that better systems could be made using zero-knowledge proofs very early in my post.
Also, a more privacy-friendly link to the video:
https://media.ccc.de/v/38c3-eu-s-digital-identity-systems-reality-check-and-techniques-for-better-privacy
Digital identity solutions, such as proposed through the EU's eIDAS regulation, are reshaping the way users authenticate online. In this ...
@rysiek Bit surprised by your assumption later in the piece that there was only on e-Id provider. I'd think that in an international context there'd need to be multiple acceptable providers. Perhaps even multiple providers for one person: e.g., government and bank(s).
@rysiek @panoptykon I disagree that your protocol would not be a privacy nightmare. IMHO just the fact that your proposal leaks the fact that a verification was attempted to the government disqualifies it.
Additional problems that jump out to me on a very cursory reading are that it allows the requesting website to link the browser loading it to the verifying device, e.g. linking the device fingerprints of a laptop and a phone.
(1/n)
> I disagree that your protocol would not be a privacy nightmare.
We don't have to agree where "nightmare" begins and ends.
However, we are talking about public websites (porn or otherwise), used by regular non-techie users.
In that particular context, schemes like "scan your face to prove your age" – like the scheme being rolled out by Discord in the UK currently – are a privacy nightmare in ways that I hope we can agree my protocol sketch is not:
https://www.theverge.com/news/650493/discord-age-verification-face-id-scan-experiment
> IMHO just the fact that your proposal leaks the fact that a verification was attempted to the government disqualifies it.
In the blogpost I provide some examples of how this could be mitigated, at least partially.
For example, if more different services used that kind of a system, then the trusted app could add multiple irrelevant questions to the request to the e-ID service, such that it would be difficult for the e-ID service to know which question is the relevant one.
@jaseg and just to be very clear, I am not advocating for that, as I am not advocating for age verification in the first place!
But that discussion is happening, that kind of legislation is happening, and in most places the systems being deployed are horrendously bad.
I see this as harm reduction, not a solution. What I want to achieve is that if these systems become mandated, at least they are not Discord-face-scanning-level shit.
> it allows the requesting website to link the browser loading it to the verifying device, e.g. linking the device fingerprints of a laptop and a phone.
That's a fair concern. However, as I note in my blogpost, there is no reason why the trusted app could not run on the same device as the website is being visited, at which point there is no additional IP address exposure to the website. To improve the privacy of the system, this could even be mandated in the protocol.
> verifying device has no way of verifying that the verification request actually comes from the website in question.
I do mention that the person using the trusted app would get a confirmation dialog each time a confirmation is requested. That dialog would obviously have to contain the domain name of the website, taken from the URL where the response is to be sent.
This is not perfect – the malicious proxy service could still rely on people blindly clicking stuff.
But okay, say the porn site now has a non-repudiated token, issued via proxy, that could be linked to user identity.
Traffic does not match that, so the only thing linking it is the nonce, as long as the porn website or the proxy service, and the e-ID provider, kept it.
The e-ID provider can only link the user to this particular request if the porn site or the proxy provides them with the nonce. Correct?
I'm sure it could be mitigated in some way. I'll have a thunk.
> Finally, traffic analysis attacks undermine the whole secrecy idea of the system from the perspective of a network observer in any setting where verification is a rare occurrence
No doubt. But again, we are talking about publicly available websites, visited without the use of tools like Tor. If we are worried about a global network observer, than the mere fact of that IP address visiting that website at that time is already where the gig is up.
The protocol I sketched out does not add to that problem. Or am I missing your point here?
> Using something like tor provides nothing in this setting since the traffic will still stand out badly.
Which traffic, between the user device and the website, or between the user device and e-ID provider? Or both?
Observed from where, the ISP level or the home WiFi network level?
How is the sketched protocol adding to the global observer's ability to link a person to a visit?
> The reason people call schemes like this a privacy nightmare is that they are unavoidable once implemented while simultaneously having myriad possibly critical corner cases that each can have grave consequences up to the death of people
I am not a proponent of these systems. But I am absolutely terrified by the schemes – like the Discord one I mentioned – that are already being rolled out. So I wanted to show that it is possible to design a better scheme.
> I think in this setting analysis using any sort of straw man construction is largely meaningless since the whole difficulty of the setting lies exactly in the sort of detail one would leave out in a straw man construction.
This is a valid way of looking at this of course. And I appreciate your poking at it.
I did miss the malicious proxy issue. I'm also bothered by the nonce. And I kinda feel both of these could be solved in one fell swoop with some funky crypto. 👀
@uint8_t I would not mind that at all. I hope you're involved in pushing back against age verification online.
@AMS can you please offer a specific scenario of such an attack?
@AMS @panoptykon sure, but the user of the trusted app would still get a notification asking them if they want to confirm their age to a given website.
And to have that trusted app even be able to issue requests to e-ID provider, they would need to log in using this app to the e-ID provider and verify their long-term key held in that trusted app.
I'm sure there are ways to improve on that, but it's not like that kind of proxy service could operate in a clandestine manner.
@cm yeah, long-term-ish attestation is definitely one way to improve the privacy of the system.
Another way is for the trusted app to randomly ask for age verification at random intervals, to create noise such that the e-ID service cannot easily tell which requests were chaff and which were actually related to any actual visit.
There are many ways this could be improved. Again, the point was to show that a system like this is, technically, possible.
@rysiek I was thinking they could add a code to lottery scratch cards in ink that fades on exposure to light.
The ink will have faded on old used cards so if anyone under age gets hold of one it'll be of no use to them.
Jan Penfrat
Michał "rysiek" Woźniak · 🇺🇦
Fox/squirrel Superposition
Rigo Wenning
kbal
Panoptykon
Light
Stephen Cerruti
Daniel Thomas
DavyJones
j_bertolotti
Samuel Hautamäki
w00p
Kroppeb
Ed Davies
jaseg
Z̈oé ⛵
AMS
christian mock
InsertUser