I’m asking for public policy ideas here. A lot of countries are enacting age verification now. But of course this is a privacy nightmare and is ripe for abuse. At the same time though, I also understand why people are concerned with how kids are using social media. These products are designed to be addictive and are known to cause body image issues and so forth. So what’s the middle ground? How can we protect kids from the harms of social media in a way that respects everyone’s privacy?
The government already knows all our ages, right? They issue our IDs after all. Have the government provide a “yes, this person is over 18” service. There are ways of providing signed files/tokens which don’t contain personal information.
If the government wants to write a law, then I think it’s reasonable they’re also responsible to help with a solution.
In order to provide a “yes, this person is over 18” service for a vendor, the vendor has to know which real name (or other personally identifiable piece of information) to look up, don’t they?
So if you have to provide the vendor with a real name, phone number, ID card number or selfie that identifies the account “draco_aeneus@mander.xyz” with “John Doe/555-4556/X1234567” that eliminates your anonymity, they’ve accomplished surveillance over your personal opinions and whatever other content you share. The real problem isn’t age verification, the problem is they’re trying to eliminate anonymity.
There are https://en.wikipedia.org/wiki/Zero-knowledge_proof which can do exactly what you just proposed. I’m not sure it’s a foolproof answer, but it is designed to exactly deal with that identity conundrum as well as others.
The vendor/site does not need to know a name.
The idea is that people already trust the government with their identifying info. So what the government can do is issue, for example, an opaque “age ID” that is only to be used with an “over 18?” service hosted by the government. Then anyone visiting a website with age-restrictions would provide their age ID, which tells the site nothing about the user. The site checks the “over 18?” service. At no point do arbitrary websites need to collect identifying info.
Now obviously as I’ve described it, there are multiple problems:
One solution is to make the age ID into a “one time password” (OTP). Much like an authenticator app, you could have an app provided by the government which generates a new random OTP on request, and it would expire in a minute or so. Then users provide that instead of a constant age ID. Like before, the site checks the “over 18?” service using the OTP.
It’s still not perfect, but you’ll never solve the “adult buying beer for kids” trick without counterproductive measures. There are probably some additional tricks to make it better, but I don’t want to get too far into it.
As far as I know the german e-passport function does provide good way already. You basically use your passport to make a corresponding app only send the information “over ‘certain age’ or under”, technically no information needs to go to the government of when and where you try to vefify your age since it can all be done locally with your passport. The app is also open source if i recall correctly. It would definitely be a better option than any third party age verification but its not really used at all.
But i am not too familar with the actual working procedure of this function so it may not be entirely accurate.
The OTP solution seems like a really good idea actually
If something like this could work, that would be the best solution in my opinion