Is it completely impossible to do age verification without compromising privacy?

Submitted ⁨⁨1⁩ ⁨hour⁩ ago⁩ by ⁨sheridan@lemmy.world⁩ to ⁨[deleted]⁩

To be clear, I’m not advocating for online age verification. I’m very much against it in any form. I’m just curious from a technical standpoint if it’s possible somehow to construct an accurate age verification system that doesn’t comprise a user’s privacy? i.e., it doesn’t expose the person’s identity to anyone and leave behind a paper trail that can be traced to that person?

source

Comments

Sort:hotnew top

pdqcp@lemmy.dbzer0.com ⁨15⁩ ⁨minutes⁩ ago
Yes, it is, see quark ID as an example of decentralized open source project by the city of Buenos Aires, in Argentina, which leverages zero knowledge proofs:

quarkid.org
github.com/ssi-quarkid

source
SorteKanin@feddit.dk ⁨55⁩ ⁨minutes⁩ ago
In principle it should be possible to do a zero-knowledge proof.

This means that the website asking for age verification asks a yes/no question like “Is this user 18+?” and the age verification service (like a digital ID provided by the government or whatever) answers “yes” or “no” accordingly, but without telling anything else about the user. Also, the verification service should ideally not know who asked for the age verification.

So the site you want to visit only knows the thing they need to know: Whether you are 18+ or not. Nothing else. And the age verification service only knows somebody asked for age verification and provided the answer, but do not know which site you visited.

This is all possible, but I don’t have high hopes this is the intended implementation of any government seeking age verification, so don’t get your hopes up.

source
- perviouslyiner@lemmy.world ⁨5⁩ ⁨minutes⁩ ago
  doesn’t this just raise the authentication requirements? like in the uk we got added checks for who was could work, and lots of deliveroo drivers shared the login + password of someone they knew who was verified.
  
  source
- birdwing@lemmy.blahaj.zone ⁨49⁩ ⁨minutes⁩ ago
  The one who asked the verification service also shouldn’t know who the verification service is, imho.
  
  source
  - SorteKanin@feddit.dk ⁨39⁩ ⁨minutes⁩ ago
    I’m not sure that is feasible, because in order to trust the answer, I feel the asker must know and trust the one providing the answer. It sounds like you’re imagining a system with many different ID providers? What prevents me from creating my own provider that just answers “Yes”, even for people under 18? If the site asking does not know it is my fake ID service providing the answer, I’m not sure they can trust any answer.
    
    But I won’t pretend to be an expert on this topic, so perhaps it is feasible somehow.
    
    source
ininewcrow@lemmy.ca ⁨41⁩ ⁨minutes⁩ ago
The problem is not the system or the idea of age verification

The problem is that no one on earth can be trusted with that level of monitoring, control and power.

source
DeathByBigSad@sh.itjust.works ⁨57⁩ ⁨minutes⁩ ago
Its possible.

Open source front app + a secure element thing in the backgound.

You download an app. You verify your identity, then the app sets up a OTP thing with the shared secret seed lasting for 30 days. But every 30 seconds the OTP changes. Everyone doing a verification in these 30 days gets the same exact secret seed.

The seed hides in the secure element of your device. Every 30 seconds, it releases the new OTP to the Open source app. The app doesn’t connect to the internet once the OTP has already been set up. So nobody knows if you actually view the OTP code.

So the government only knows you have the verification OTP set up not which websites you visited, the website only knows you have a valid OTP from the government, but you could be any of the people in the past 30 days (which the company don’t even have access to).

Even if the company and government cooperates, they could only pin down the time of website registration and that you are one of the millions of people that did the verification and requested a OTP Seed.

(Idk the exact terminology for these things, but hopefully I make sense)

source
- anton@lemmy.blahaj.zone ⁨6⁩ ⁨minutes⁩ ago
  
  The seed hides in the secure element of your device. (it won’t be impossible to extract, but the average kid is not gonna be able hack a secure element).
  
  But only one person needs to “hack” it on their device to publish the key, allowing everyone to use it without “hacking” their own device.
  
  You can’t store a key on a device and keep it safe from the owner.
  
  source
Nighed@feddit.uk ⁨32⁩ ⁨minutes⁩ ago
The government knows who you are. They know your age, your address and know you exist (probably).

You go to a site that requires ages verification. You say:please verify me with the government portal. You go to that portal to get a temporary id code to give to the site. The website says to the gov portal give me the name and age of the user with this temp ID. You approve that access. Portal sends age (or an issue over 16/18/21 etc flag) to the site.

Gov portal doesn’t need to know who the site is You don’t provide a unique ID to the website, just a temporary one. Site only gets the data you approve.

The process can do with some streamlining, busy should work in practice?

source
birdwing@lemmy.blahaj.zone ⁨50⁩ ⁨minutes⁩ ago
Zero-knowledge proof. Medium has an example, though unfortunately the article logs user data, so beware on that.

source
sharkfucker420@lemmy.ml ⁨51⁩ ⁨minutes⁩ ago
Its possible but it would defeat the point of age verification

source
UsedCumSock@sh.itjust.works ⁨42⁩ ⁨minutes⁩ ago
Sign up for age verification platform and upload your government ID on the platform (let’s call this platform Age Verifier).

Age Verifier confirms you’re an adult, and lists you as an adult in their system.

Age Verifier purges your government ID and any PII on you. The only thing they keep is your basic account details and the fact that they’ve confirmed you’re an adult.

The next time you login to an adult site, you verify yourself by logging into Age Verifier’s platform. The adult site confirms with Age Verifier that you’re an adult, and you’re good to go.

This system probably works, but it’s not without its downsides. We’ll need a way to confirm that your government ID and PII is actually deleted on Age Verifier’s platform. A way to deal with this might be to make sure Age Verifier is never driven by profit so they’ll never need to look into selling people’s data. Maybe it could be ran by a non-profit? Or perhaps it can be ran by the government? But if you don’t trust the government, that could be an issue.

And I can also see an issue where one guy who keeps creating different Age Verifier accounts, verifying that the account is an adult, and then selling that account to people.
source