
With many jurisdictions introducing age verification laws for various things on the internet, a lot of questions have come up about implementation and privacy. I haven't seen anyone come up with a real working example of how to implement it technically/cryptographically that doesn't have any major flaws.

Setting aside the ethics of age verification and whether or not it's a good idea - is it technically possible to accurately verify someone's age while respecting their privacy and if so how?

For an implementation to work, it should:

  • Let the service know that the user is an adult by providing a verifiable proof of adulthood (e.g. a proof that's signed by a trusted authority/government)
  • Not let the service know any other information about the user besides what they already learn through HTTP or TCP/IP
  • Not let a government or age verification authority know whenever a user is accessing 18+ content
  • Make it difficult or impossible for a child to fake a proof of adulthood, e.g. by downloading an already verified anonymous signing key shared by an adult, etc.
  • Be simple enough to implement that non-technical people can do it without difficulty and without purchasing bespoke hardware
  • Ideally not requiring any long term storage of personal information by a government or verification authority that could be compromised in a data breach

I think the first two points are fairly simple (lots of possible implementations with zero-knowledge proofs and anonymous signing keys, credentials with partial disclosure, authenticating with a trusted age verification system, etc. etc.)

The rest of the points are the difficult ones. Some children will circumvent any system (e.g. by getting an adult to log in for them) but a working system should deter most children and require more than a quick download or a web search for instructions on how to circumvent.

The last point might already be a lost cause depending on your government, so unfortunately it's probably not as important.

[-] Godnroc@lemmy.world 3 points 2 weeks ago

You know how there are stores that sell restricted substances and verify your age by checking a provided ID? Have those same stores sell a cheap, sealed card with a confirmation code on it. You can enter that code online to verify any service. The code expires after a set period of time after its first use to prevent sharing and misuse.

This system would be as secure as the restrictions on the restricted substance, such as alcohol, so it should be fine for "protecting the children"

[-] FinjaminPoach@lemmy.world 1 points 2 weeks ago

Interesting idea. Could also give it out free with packs of beer like a golden ticket from Charlie And The Chocolate Factory.

And all across the whole world, 18 year old men will jump for joy when picking up birthday booze - "I can finally look at boobs on the internet!"

[-] bamboo@lemmy.blahaj.zone 0 points 2 weeks ago

Were you ever a teenager? This would be abused immediately, unless the codes were single use, and in that case it's a non-starter.

[-] Godnroc@lemmy.world 3 points 2 weeks ago

Yes, and one with unrestricted internet access. Can you elaborate on how someone underage would abuse this system? They can't buy one at the store, can't reuse one that has expired so finding one won't help, and if theft is a concern they would just need to be secured like any other restricted good. I would say it's at least as secure as alcohol, tobacco, or firearms.

[-] bamboo@lemmy.blahaj.zone 0 points 2 weeks ago

Alcohol / tobacco / firearms can't be digitally shared or reproduced. Imagine a high school with a mix of 14 - 18 year olds. If an 18 year old can get a valid code without hassle, they can share it with their friends who are in the same class, but are still 17. Or maybe they'll share it with a sibling who is 16. What's to stop it spreading from there? It will probably take just an hour for half of the school to get access to the one code. If the system assumes that kids won't directly or indirectly share their codes with one another, then the system doesn't understand teenage behavior and is flawed.

[-] PosiePoser@feddit.org 3 points 2 weeks ago* (last edited 2 weeks ago)

So... the same flaw we abused to have our older friends buy us booze and cigarettes when we were underage lol I'll still take it. You're not going to get a perfect solution that works all the time. Point is HARM REDUCTION.

REDUCTION.

Not a perfect, flawless, impossible to abuse system. Just a system that helps to make it a bit more difficult and then hope that parents take care of the rest. Some will always still slip through, thems the breaks.

Yeesh I thought I was a nerd but reading some of the replies in this thread it's like some people never even thought how to get access to alcohol and smokes when they were underage. Never even mind porn. We had older friends buy us those magazines too.

[-] mech@feddit.org 2 points 2 weeks ago* (last edited 2 weeks ago)

The German government ID card has an age verification function:
It only sends one bit to the requesting service: Yes, over 18 or No, not over 18.
And it doesn't transmit back any data, so the state doesn't know what services you access.
Since you are required to have an ID card and the state knows your age, this would be a pretty good option (in Germany).

[-] PosiePoser@feddit.org 2 points 2 weeks ago

Yeah this. I don't know why people are trying to make this into some incredibly complicated multi step process.

[-] GreenKnight23@lemmy.world 4 points 2 weeks ago

because it's the first step in a multi step attack on our privacy.

[-] TechLich@lemmy.world 1 points 2 weeks ago* (last edited 2 weeks ago)

How does this work to protect privacy though? Wouldn't the site need to know who you are to be able to look you up with the government?

Or is it more like an SSO/OAuth callback style thing where you sign into the government and they send the "age bit" digitally signed and your browser gives it back to the service? Either way the government would know when you're accessing 18+ material and possibly what specific site you're accessing? Or is there more to it?

[-] mech@feddit.org 2 points 2 weeks ago* (last edited 2 weeks ago)

The site doesn't need to identify me, it only needs to know that a "Yes" bit was sent with a valid certificate from the government. And no data needs to be sent back to the government for that. The info is stored locally on a chip in the card.
If a child has access to my ID card, that's on me.

[-] TechLich@lemmy.world 1 points 2 weeks ago* (last edited 2 weeks ago)

Ah, misread that it was a card, not a service. That mostly works and is the same kind of thing as the other crypto solutions.

Though a bad actor could still set up a service with a legit card that provides government signed anonymous "yes" responses on demand.

I worry that the response will be to require an account and a full ID from it. Social media sites saying "we need to verify your identity to ensure you're an adult human and to combat bots. Scan your id card..."

Still one of the better technical solutions here though.

[-] XeroxCool@lemmy.world 1 points 2 weeks ago

Can phones read this chip? What if you're on a standard computer?

[-] mech@feddit.org 1 points 2 weeks ago

Yes, phones can read it.
For a standard computer, you'll need a USB RFID chip reader.

[-] GreenKnight23@lemmy.world 1 points 2 weeks ago

for a moment, let's ignore all of the conspiratorial conjecture (not that it isn't warranted).

by exposing an API for web services to identify the user's age/birthday, how does that solve the issue of "protecting children online"?

what's stopping a bad actor from identifying, tracking, and grooming children directly based on this same mechanism?

right now the majority of kids online are protected through anonymity, but once they are identified they can be targeted directly and the adults responsible for their well being are blissfully unaware because "the government is tracking their age".

also. what comes next is worse than the date. online content ratings. because there's no point in tracking age if you can't apply a ratings system.

Imagine entire swaths of the internet banned because the content rating doesn't meet the government requirements.

this is less about tracking users and more about censoring dissent.

[-] TechLich@lemmy.world 1 points 2 weeks ago

I agree, although in this thread I'm mostly interested in the technical puzzle.

[-] psycotica0@lemmy.ca 1 points 2 weeks ago* (last edited 2 weeks ago)

I'm not sure if this is part of the "setting aside" stuff, but I'd ask why age needs to be verified and not simply stated.

I'm the admin on this device, I say I'm 50, why does the website need to check some ID to prove I'm 50? They trust what I reported, and if I lied to them that's on me. It shouldn't be the websites' job to validate.

[-] roofuskit@lemmy.world 1 points 2 weeks ago

Exactly, it should be a parent's job to limit a child's access not a website.

[-] lcmpbll@lemmy.world 0 points 2 weeks ago

I agree, but also parents need better tools to be able to effectively limit their child’s access. App and device level parental controls are not sufficient as they currently work.

[-] roofuskit@lemmy.world 1 points 2 weeks ago

Also, more and more local router parental controls come with a monthly fee. Legislation should be attacking those subscriptions for software that runs on hardware you own, not privacy.

[-] one_old_coder@piefed.social 0 points 2 weeks ago* (last edited 2 weeks ago)

I'm pretty sure there is already a cryptographic protocol that can do this, but that's not the point. We do NOT need age verification in software, it makes no sense. We need parents to take care of their own children because why would open-source software do the job of failed parenting? It's a social issue, not something that can be solved with technology. Or we would have put shock-collars on every kid when they don't behave.

[-] SMillerNL@piefed.social 0 points 2 weeks ago

For an implementation to work, it should:

  • Let the service know that the user is an adult by providing a verifiable proof of adulthood (eg. A proof that’s signed by a trusted authority/government)
  • Not let the service know any other information about the user besides what they already learn through http or TCP/IP

Seems like that's exactly what https://yivi.app/en/ can do.

[-] TechLich@lemmy.world 0 points 2 weeks ago

How do they deal with the other requirements though? What's stopping someone from setting up a service that uses their yivi account to sign "I'm over 18" for anyone who wants to be over 18?

[-] SMillerNL@piefed.social 0 points 2 weeks ago

What’s to stop people from providing that service to buy people alcohol?

[-] TechLich@lemmy.world 1 points 2 weeks ago

The difference is one is physical and requires interaction with a human: "Hey uncle Bob, buy me beer?" vs. the other one is technical and just requires them to do a Google search and click a button without interacting with anyone.

The first one has a higher barrier for entry and at least involves some form of adult supervision. The second one makes it not much different to the classic "what is your birthday?" thing.

[-] Zagorath@aussie.zone 0 points 2 weeks ago

Here's one good answer: https://crypto.stackexchange.com/a/96283

It has the downside of requiring a physical device like a passport or some specific trusted long-running locally-kept identity store held by the user. But it's otherwise very good.

Another option does not require anything extra be kept by the user, but does slightly compromise privacy. The Government will not be able to track each time the user tries to access age-gated content, or even know what sources of age-gated content are being accessed, but they will know how many different sites the user has requested access to. It works like this:

  1. The user creates or logs in to an account on the age-gated site.
  2. The site creates a token T that can uniquely identify that user.
  3. That token is then blinded B(T). Nobody who receives B(T) can learn anything about the user.
  4. The user takes the token to the government age verification service (AVS).
  5. The user presents the AVS with B(T) and whatever evidence is needed to verify age.
  6. The AVS checks if the person should be verified. If not, we can end the flow here. If so, move on.
  7. The AVS signs the blinded token using a trusted AVS certificate, S(B(T)) and returns it to the user.
  8. The user returns the token to the site.
  9. The site unblinds the token and obtains S(T). This allows them to see that it is the same token T representing the user, and to know that it was signed by the AVS, indicating that the user is of age.
  10. The site marks in their database that the user has been age verified. On future visits to that site, the user can just log in as normal, no need to re-verify.

All of the moving around of the token can be automated by the browser/app, if it's designed to be able to do that. Unfortunately a typical OAuth-style redirect system probably would not work (someone with more knowledge please correct me), because it would expose to the AVS what site the token is being generated for. So the behaviour would need to be created bespoke. Or a user could have a file downloaded and be asked to share it manually.

There's also a potential exposure of information due to timing. If site X has a user begin the age verification flow at 8:01, and the AVS receives a request at 8:02, and the site receives a return response with a signed token at 8:05, then the government can, with a subpoena (or the consent of site X) work out that the user who started it at 8:01 and returned at 8:05 is probably the same person who started verifying themselves at 8:02. Or at least narrow it down considerably. Making the redirect process manual would give the user the option to delay that, if they wanted even more privacy.

The site would probably want to store the unblinded, signed token, as long-term proof that they have indeed verified the user's age with the AVS. A subsequent subpoena would not give the Government any information they could not have obtained from a subpoena in an un-age-verified system, assuming the token does not include a timestamp.
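
The ten-step flow in the comment above, worked through with textbook RSA blinding. This is an added example, not code from the thread or from any real AVS: the function names are hypothetical, the key is a constructed demo key built from two publicly known Mersenne primes, and the hashing is simplified (a deployed scheme would follow a vetted construction such as RFC 9474).

```python
import hashlib
import secrets
from math import gcd

# Constructed demo key: publicly known factors, so NOT usable as a real key.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # AVS public key, known to every site
D = pow(E, -1, (P - 1) * (Q - 1))      # AVS private exponent


def h(token: bytes) -> int:
    """Hash token T to an integer mod N (simplified full-domain hash)."""
    wide = hashlib.shake_256(token).digest(N.bit_length() // 8 + 16)
    return int.from_bytes(wide, "big") % N


def site_blind(token: bytes):
    """Steps 2-3: pick a secret factor r and compute B(T) = H(T) * r^E mod N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (h(token) * pow(r, E, N)) % N, r


def avs_sign(blinded: int) -> int:
    """Step 7: the AVS signs the value it is handed; it never sees T or H(T)."""
    return pow(blinded, D, N)


def site_unblind(signed_blinded: int, r: int) -> int:
    """Step 9: S(B(T)) * r^-1 mod N equals H(T)^D mod N, i.e. S(T)."""
    return (signed_blinded * pow(r, -1, N)) % N


def site_verify(token: bytes, sig: int) -> bool:
    """Step 9: check S(T) against the AVS public key (N, E)."""
    return pow(sig, E, N) == h(token)


def run_flow(token: bytes):
    """Steps 2-9 end to end; returns what the AVS saw and what the site keeps."""
    blinded, r = site_blind(token)
    return blinded, site_unblind(avs_sign(blinded), r)


if __name__ == "__main__":
    t = secrets.token_bytes(32)        # constructed sample token T
    blinded, sig = run_flow(t)
    print("AVS saw H(T) directly:", blinded == h(t))
    print("site accepts S(T):", site_verify(t, sig))
```

The signature the site stores is identical to one made directly over H(T), so it cannot be linked back to the blinded value the AVS logged. Nothing in S(T) binds it to the person who presented B(T) to the AVS.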

[-] TechLich@lemmy.world 0 points 2 weeks ago

It would also reveal to the government that the user was accessing 18+ content (though not what that content is if the token is blinded).

It also doesn't stop the easy circumvention of someone who is an adult providing a service for children or others who don't want to auth with the government.

  1. The 18+ site provides Child c with a token T and it's blinded to b(T)
  2. The child sends b(T) to a malicious service run by a real adult (Mal)
  3. Mal sends the token to the AVS to create s(b(T))
  4. Mal provides s(b(T)) to the child who gives it to the 18+ site as a legit S(T)

[-] Zagorath@aussie.zone 0 points 2 weeks ago

It would also reveal to the government that the user was accessing 18+ content

Yes, I did mention that. Although ironically, Australia's social media minimum age law, and other similar laws being considered around the world, would actually increase privacy in this respect. The government could have separate keys for each age of legal significance (16 and 18, in Australia) and sign with the appropriate one (either the highest the user meets, or all the user meets—the latter would give the site less information about the user's age).

I don't believe it is technically possible to get around the example you shared there. Even in the real world, it's not dissimilar to a child asking an adult to buy alcohol for them.

this post was submitted on 09 Mar 2026
3 points (80.0% liked)

Ask Lemmy
