The 'papers, please' era of the internet will decimate your privacy

(expression.fire.org)

176 points | by bilsbie 1 hour ago

19 comments

  • j2kun 28 minutes ago
    There are at least some technological solutions here, such as anonymous credentials. [1] Modern versions of this technique allow one to associate metadata (like a proof of age exceeding a threshold) in such a way that the verifier can't even correlate repeated requests across users.

    Governments that are serious about age verification and individual privacy (which, doubtful they truly are) should agree on a protocol and set up certificate issuers that are associated with a digital ID. Then age verification will not be an invasive procedure or risk data leaks or insider threats.

    [1]: https://blog.cryptographyengineering.com/2026/03/02/anonymou...

    • nemomarx 19 minutes ago
      As you say, it's doubtful governments want it to be private. So we should expect them to not use these kinds of elegant solutions, and the public is generally not sophisticated enough to distinguish between the options already.
    • JohnFen 4 minutes ago
      The problem is that you still have to trust something you don't control and can't verify that the technological solutions are correctly implemented and applied.
    • rockskon 4 minutes ago
      Zero Knowledge Proofs are worthless for this.

      Either they validate so little information that a single homeless person can authenticate the entire country or they validate so much information as to not have a significant privacy guarantee.

      There is no in-between for ZKP validating someone's age.

    • gruez 26 minutes ago
      >Modern versions of this technique allow one to associate metadata (like a proof of age exceeding a threshold) in such a way that the verifier can't even correlate repeated requests across users.

      If it's unlinkable, what's preventing someone from setting up a site that hands out anonymous tokens for anyone to use?

      • discodachshund 25 minutes ago
        Using cryptographic signatures from approved signers, like a government
        • gruez 18 minutes ago
          No, I meant me, using my 18+ ID to generate a bunch of tokens that can't be linked back to me, and then giving it to random < 18 year olds for the lulz.
          • paulddraper 0 minutes ago
            The verification service would tie the token to the IP address/geolocation. It would also throttle the number of identifications, or expire old ones.

            Yes, that can eventually be worked around, but not really that different than doing the verification on someone else's device.

          • quotemstr 5 minutes ago
            There are multiple approaches. One, which the Europeans use, hardware-locks the token. Each age attestation is unlinkable, but the cryptographic credentials you need to make the attestation aren't portable. Of course, this model requires a big statist apparatus that does implementation certification, but it does achieve the narrow goal of unlinkable, privacy-preserving age attestation that doesn't instantly decay to mass copying.

            Other approaches are possible. I'm particularly keen on ones that treat attestations as anonymous digital currency and use cryptographic penalties like slashing to discourage copying post-hoc instead of relying on EU-style implementation certification.

            There's a huge literature on the subject I don't want to reproduce here. The point is that yes, we do have the technology to do attestation without sacrificing privacy, which makes all the calls for non-privacy-preserving attestation awfully curious.

    • andy99 25 minutes ago
      This seems to come up in every discussion, in practice it’s irrelevant both because it’s too complicated for normal people to understand, and because the point of all this nonsense really is identification so anything that defeats that will be a non starter.
      • bluefirebrand 7 minutes ago
        It doesn't have to be too complicated for normal people to understand.

        Majority of people understand their SIN or SSN number or whatever, they understand they have a driver's license number. This could be built in such a way that it's basically just another government issued "thing" that they have to know about and be able to produce when requested

  • tqi 2 minutes ago
    > You’re not happy about it, but you hand over a photo of your passport and hope it doesn’t come back to haunt you.

    I think for this argument to carry weight with voters, privacy advocates need to be much more specific about what "coming back to haunt you" looks like. They do a little bit of it later on[1], but I think most people do a rough cost benefit in their head and decide that the small benefit outweighs the small risk (to them).

    [1] "And that creates a lot of risks for data breaches, overly broad data collection and retention, censorial legal demands for collected data, corporate and governmental malfeasance, pressure to self-censor, and perhaps blatant First Amendment violations. Every new layer and every new mandate brings more potential for risk. As we’ve unfortunately seen many times over the years, people including high-level government officials will maliciously seek to root out the identities of their critics, so the more layers of anonymity we can preserve in online speech, the better."

  • zaptheimpaler 1 minute ago
    This seems more like a technical problem that we could actually solve well if we wanted to and had competent people advising the governments. You go to DMV and they generate a keypair and an entry in a DB. App looks up your age with your public key + signed private key authorization from you. Apps can ask for specific checks like is_over_21, is_citizen or whatever without any more data. The whole infrastructure could be open source. Something like that..
  • AJRF 3 minutes ago
    The path ahead in the next few years (at least for the UK)

    1. Age gating + VPN ban under the guise of protecting children from social media

    2. Few years pass, Identity Passport gets ushered in under guise of convenience of not having to repeat those pesky age verification checks.

    3. Utilities start to require ID Passport. Including signing up with an ISP.

    4. Renting starts to require ID Passport.

    5. Work requires ID Passport.

    6. Well done, you built the torment nexus!

  • miiiiiike 36 minutes ago
    I’m glad this is finally becoming the cause célèbre du jour. This feels like THE FIGHT or at least one of the TOP 3 THE FIGHTS and it hasn’t had even a fraction of the public’s attention until now.
    • andy99 28 minutes ago
      Unfortunately I don’t think it has the public’s attention, it’s still very niche. Nowhere near enough to change anything yet.
      • miiiiiike 15 minutes ago
        At least it's a start.
    • krapp 28 minutes ago
      >I’m glad this is finally becoming the cause célèbre du jour.

      It really isn't, though. Don't mistake the internet for reality. The majority of people in the US and Europe support laws like these, and most of the rest don't care.

      Even on Hacker News the consensus is mostly in favor of anything from age restriction to making all social media illegal.

      • miiiiiike 13 minutes ago
        > Even on Hacker News the consensus is mostly in favor of anything from age restriction to making all social media illegal.

        That doesn't sound right. Put up a poll. I'd put money on 90%+ choosing some flavor of privacy/anonymity on the internet.

        • ricree 3 minutes ago
          The main issue is that they are very careful not to frame it like that. In broader contexts, it's always framed as something like "do you favor limiting children's access to social media" without a word on what it would cost to actually institute such a ban.
  • DrammBA 48 minutes ago
  • HoldOnAMinute 11 minutes ago
    Assuming no revolutionary changes are coming to the USA, I am planning to opt out of the digital world when I retire. Physical media only. No subscriptions. Spend lots of time in the library. Find like-minded people and meet in person. Will only keep the bare minimum for survival, like banking.
    • echohack5 5 minutes ago
      Which is precisely why powers will try to make all these illegal
  • gchamonlive 49 minutes ago
    Who'd have guessed hitting the library would become an act of rebellious defiance
    • OnionBlender 36 minutes ago
      How is hitting the library an act of rebellious defiance? Getting a library card requires an ID and proof of address. The library then tracks which books you've signed out. Unless you're reading the books inside the library without signing them out.
      • EvanAnderson 27 minutes ago
        My library, at least, is fanatical about their patrons' privacy.

        I don't know what their retention time is on circulation records, but beyond aggregate statistics for culling materials that aren't circulating I bet it isn't too long. Now I want to go check.

        My library also only keeps 24 hours of video surveillance because they didn't want to be able to fulfill requests from the cops for footage of patrons. I really liked that.

        Edit: In the patron portal it permits me to disable "borrowing history" and says it permanently deletes my records. I do contract IT work for them so next time I'm engaged I'll ask about the details. They're moving to Koha later this year (free / open-source ILS) so I could go look at the code to see what it does (which is nice).

      • HoldOnAMinute 9 minutes ago
        Start your own library.

        Write your own books.

        Make your own music.

      • nathan_compton 29 minutes ago
        I'm pretty sure I didn't provide an address or an id when I got my library card.
        • Ifkaluva 27 minutes ago
          In the US? I think you most likely need to provide proof of an address
          • ghaff 22 minutes ago
            I'm pretty sure I had to provide some proof of residency for a library card from my town or state in the US.
          • gchamonlive 14 minutes ago
            What if you are homeless? Can you at least sit and read there?
    • __MatrixMan__ 32 minutes ago
      Do you know any librarians? Public libraries have always been a bit punk rock.
      • TheRoque 28 minutes ago
        In your country maybe.. In mine it's super boring and intellectual
  • sscaryterry 36 minutes ago
    This just legitimises the existing practices. They already know who you are.
  • clickety_clack 10 minutes ago
    This was in part caused by the general public’s comfort with federated identity for OAuth. If everyone already has one anyway (the thinking may go), why not mandate it?
  • madrox 14 minutes ago
    I'm pretty sure this is a "pick your poison" problem. We as a society are damned no matter what we do or do not do. For my part, we need to do something, because things are not fine the way they are, including the half ass Australian solution. We can't keep putting the onus on private enterprise to address social issues.

    I may sound crazy for saying so, but I think the answer is more government run infrastructure for enabling identity-based operations, like payments and authentication, with rules about standards, open source, contractor selection, and audit that make operation transparent. It can work if technical operations are legislated instead of "left for the engineers to figure out."

    Then at least the evolution of systems can become real political issues that map to election cycles.

    The greatest argument against this I can imagine is that we cannot trust government with this, at which point I just have to laugh given all the other more serious real world things we do trust government with.

  • trumpdong 39 minutes ago
    Age verification is identity verification... except when it's in California or Illinois?
  • dools 20 minutes ago
    How is it any different from being required to identify yourself to get a phone or electricity account? Identifying yourself on the internet is long overdue.
    • HoldOnAMinute 8 minutes ago
      Thought experiment: How do you get a phone or electricity in the most impoverished, backwards parts of the USA?
    • stackghost 15 minutes ago
      You need to identify yourself to the phone and electricity utilities so they know where to send your monthly bill. My ISP knows my name because I pay them for connectivity. I am okay with this.

      If I misbehave here, dang can just ban me. There's no reason HN needs to know my real name. The only reason to mandate blanket age and identity verification is to control online speech.

    • stevenjgarner 9 minutes ago
      [dead]
  • g023 6 minutes ago
    Anything to close Pandora's box. "They" liked the eras they could control the communications, and therefore the narrative. Boomers on their last legs, question is, will the future undo the unjustness that was forced upon them? Restore the rungs of the ladders that were removed, so they could have a chance too? Or are they going to stay in the fear narrative, and make this tragedy worse?
  • kulahan 26 minutes ago
    I can’t think of a better solution to the issue of children being so aggressively harmed by the internet. That doesn’t remove any of the problems associated with this.
    • 999900000999 19 minutes ago
      Parents taking responsibility for their kids.

      I grew up in a neighborhood full of drug dealers. Street sellers, not the classy Walter White kind.

      Ironically being on a computer all day kept me out of trouble.

      But with these laws in place I guess you might as well start doing stupid ish in real life.

      • kelseyfrog 8 minutes ago
        So what happens when parents don't?

        Too bad?

    • Gigachad 17 minutes ago
      It’s not just kids. Adults are having their brains fried on AI generated political videos online right now. The state of the internet is an absolute disaster.
      • HoldOnAMinute 7 minutes ago
        An enormous portion of the world is effectively addicted to a drug.

        Solution: Maximize the distance between yourself and the people

        • Gigachad 1 minute ago
          Rather than becoming a social outcast I’d rather support any proposed laws that take down the social media companies.
  • andrewlin247 30 minutes ago
    privacy online is already largely gone
  • motohagiography 4 minutes ago
    The discussion is not about whether it's a good or bad idea, but whether we will yield the power to these people to ratchet in further oppressive laws onto formerly free countries.

    Tech companies should ignore it and just publicly name whoever attempts to prosecute them and see how the population responds. I think people today are orders of magnitude more informed about their privacy and the consequences of digital ID laws. A few countries are on the edge of revolt at the moment anyway, and this would be a good way to get young people into the streets.

    20 years ago, people would have had no defense against it or understanding of what was being imposed on them. Today, normal people use Signal and encrypted messengers, faraday bags, and leave their phones at home. Where we were nerdy security guys back then, non-technologist women and girls use spy tradecraft level electronic opsec for their own safety and security from middle school. People are much more sophisticated about their privacy now. They're ready to take this on.

    The laws coming into force are on people who are not in favour of them, and I'm so optimistic that I will not interrupt the enemies of privacy and human dignity while they are making a mistake.

  • sublinear 43 minutes ago
    I'm not sure "social media" is the best example. You've never had complete freedom of speech on there.

    It's been true for decades in the USA that if they want to arrest you, they will. The age verification doesn't make this situation better, but at this point it's almost just a formality.

    • ggm 28 minutes ago
      Freedom of speech is contextually misunderstood. It's about political speech and the commons. Social Media is overwhelmingly private space, subject to contract terms and conditions. It may be a de-facto commons to some people but I do not believe this axiomatically, or legally makes it so, for the purposes of law and constitution. Law and constitutional bounds on speech online hit the international nature of the media very quickly.

      Extra-territorial issues are huge here. What is the limit of the boundary on a given nation's constitution and law? How much does the economy of the user, the hosting company, the owning company, the receiving parties matter?

      Social Media has advertising and publishers. It has people who can effect editorial control over what is seen and by who and to who it is "said" - And that imposes obligations on them, and on people lodging content. Differentially depending on their economy, the reach of law, registration of legally incorporated entities.

      All of this is being implemented somewhat haphazardly internationally, enforced differently, subject to legal and financial and social pressures differently depending on the times and the context.

      If you want to ask questions about America, about Americans, using American companies, speaking to Americans, believe me you don't necessarily have a simpler task here. It may well be clearer to some of you, but to me, it's just as fraught.

      It's just not clear to me "free speech" is the bastion rule which applies here. The EFF may think so, I don't think they have actually demonstrated it all the way to the end.

  • lovich 41 minutes ago
    My privacy is already decimated. For 2 decades we’ve already known about the NSA slurping up everything[1] on top of the Snowden leaks.

    Then you have the mega corps like Facebook who can figure out every detail about you even from merely _not_ using their system because of the hole you leave in your social network that does use them.

    The only privacy left is from anonymous troll farms claiming to be an American while talking about how the Texas oblast is valuable for its warm water ports.

    I am fine for privacy on consumption of content, but you should be forced to identify yourself for posting so the common man at least has a chance to evaluate your statements instead of being misled, all while, as stated above, our governments and corporations don’t have that limitation.

    [1] https://en.wikipedia.org/wiki/Room_641A

    • derf_ 28 minutes ago
      > ...you should be forced to identify yourself for posting...

      The Supreme Court has repeatedly held that the right to anonymous speech is inherent in the first amendment [1] [2]. See also The Federalist Papers or Common Sense, without which the US might not exist at all.

      [1] https://www.law.cornell.edu/supremecourt/text/362/60

      [2] https://www.law.cornell.edu/supct/html/93-986.ZO.html

      • lovich 23 minutes ago
        That’s pre the ability for foreign actors to engage in our public square en masse. I think technology has changed the situation.

        Free speech absolutism that ends up in creating an environment where real speech is drowned out by lies is not valuable to me. It’s like the paradox of tolerance.

    • pclowes 38 minutes ago
      I disagree because the people who have the most important things to say have the most to lose by saying it.

      Also anonymity can actually improve social media polarization (see Chris Bail’s research)

      • lovich 27 minutes ago
        Can you link said research? I have never seen anything but division pushed by anonymity.

        Also again, the corporations and governments (for certain levels of government like the members of the Five Eyes) can pierce this veil of anonymity, the people who have a lot to lose already are risking it by speaking.

        Edit: this also isn’t a newly diagnosed phenomenon, I remember seeing this satirical description of the behavior as a kid back when Web 2.0 and social media was starting to change the internet[1]

        [1] https://www.penny-arcade.com/comic/2004/03/19/green-blackboa...

    • quantummagic 26 minutes ago
      > My privacy is already decimated. For 2 decades we’ve already known about the NSA slurping up everything[1] on top of the Snowden leaks.

      If you were correct, there would be no need for them to push these new laws. The fact is, you will have less privacy after these identification requirements are fully enforced.