Something that icks me regarding the online #ageverification discourse that we see today is that everyone seems to assume that giving privacy-intrusive or PII data is the only way to have age verification online. However, we already know how to make age verification where:

  • The government doesn't know on which sites you register or give third parties access to PII
  • The website to which you register doesn't need to interact with the government or any third party
  • The website doesn't know your age, just that you're over 18
  • No third party is required

The two things you need are a digital ID system and zero-knowledge proofs. That's it.

    @res260 in theory, yes, but I'm yet to see a solution that looks like something I'd use. Afaik, even the planned EUDI will give way too much information to the certification agency.

    @paranormal_distribution Regarding EIDAS 2, my understanding is that the framework allows this (gov doesn't know what u register on, website doesn't know anything else than 18+ about you), but if gov obtains a warrant for data about your account and website logged the hash of the proof, they can link it back to you.
    But this can be easily "fixed" by not logging any info about the proof.

    Also important to note that ZKP are not the only auth mechanism, so if websites use the more classic "ask the gov to give me this PII and then check the info myself", then this obviously doesn't apply.

    @res260 I believe the framework as it looks currently would let the government tie user activity to the same anonymous user id. I believe this would make revealing each irl identity quite easy, especially if age verification is used for just about everything you do online. Even without a warrant. (But then, who knows what might be illegal in 10 years?)

    @paranormal_distribution Can't you just regenerate a ZKP for every service you register? Cuz if not yes indeed that completely sucks