Rendered at 10:23:57 GMT+0000 (Coordinated Universal Time) with Cloudflare Workers.
dadoum 10 hours ago [-]
Still, I don't want to gate people based on age.
Parents should at least be able to overwrite the age of their child, maybe selectively allow bypasses. My experience with a computer would have been completely different if I was blocked from half of the internet. Especially when I see which kind of content gets blocked.
doginasuit 9 hours ago [-]
As a millennial-aged person I saw a fair amount of content I would not want the young people in my life to see, but it's probably not nearly as harmful as the non-age gated content that they will still have access to. There is a lot creepy youtube and tiktok content that isn't off limits but still unhealthy and my younger relatives are fascinated by it.
kentm 4 hours ago [-]
Not that I want my kids looking at porn or violent content, but I’m far more concerned about man-o-sphere influencers than that other stuff.
sciencejerk 4 hours ago [-]
I had to Google "man-o-sphere". Is it particularly more dangerous or toxic than other identity-based activist communities? Genuinely curious to know
grey-area 4 hours ago [-]
Yes, a lot of it involves denigrating women and an entitled and very rigid attitude towards the male place in society (alphas etc).
This is incredibly toxic for young men growing up and the women they interact with.
Some of the more prominent proponents are actual pimps (the Tate brothers).
z0ltan 44 minutes ago [-]
[dead]
pphysch 4 hours ago [-]
Manosphere content is toxic and harmful but the hyperviolence and desensitisation of the former should not be downplayed. That's where the mass shooters evidently come from.
Balinares 4 hours ago [-]
A hundred thousand furries consuming unfathomable amounts of porn without shooting up anyone kind of cast doubt about that point.
vharish 1 hours ago [-]
And 99 out of hundred get tired of porn at some point. We all have watched it and moved on. If only one can shoot and move on.
sciencejerk 4 hours ago [-]
Who is talking about furries? But Tyler James Robinson and Benjamin Jeffrey Smith. I guess that's only 2/100k to your point?
mschuster91 15 minutes ago [-]
> That's where the mass shooters evidently come from.
Bollocks. European teenagers watch just as much porn and play GTA at age 10 and yet we don't end up having 12 children a day die from gun violence [1].
Note, I'm not an anti-gun nut, I think German and British anti-gun laws are ridiculously strict. But the American way of dealing with guns is equally bad.
> That's where the mass shooters evidently come from.
I mean, quite a few have come from proto-manosphere circles, too. Elliot Rodger comes to mind.
Zababa 1 hours ago [-]
>That's where the mass shooters evidently come from.
Citation needed?
vasco 4 hours ago [-]
If you saw a bunch of it and presumably are fine what does it matter then? Sure it might have been uncomfortable for a few days and you may not have understood right away but so what? That's almost every week as a kid. Seeing some titties is probably the least confusing.
anonzzzies 3 hours ago [-]
Many uncles of friends (or fathers, who knows) had stacks of porn mags we knew where they were as 70s kids. When very young they were icky and after that we took them home. Who cares.
echelon 9 hours ago [-]
We need to stop this helicopter civilization bullshit.
We're building 1984 to protect from god knows what imaginary harms.
Stop putting plastic wrap around people's freedoms, liberty, and right to privacy.
Gigachad 7 hours ago [-]
The harms of smartphones and social media are about as far from imaginary as it could get. The data is screaming at us.
We will look back at handing kids phones with instagram like giving kids cigarettes and think wtf were we doing.
AngryData 7 hours ago [-]
And I find that harm to be far less than the harm caused by identifying everybody all the time and censoring topics to people based on government provided tokens.
kelseyfrog 2 hours ago [-]
Therapy and meditation is an effective remedy for this kind of suffering.
imjonse 4 hours ago [-]
It's no coincidence cigarettes were named 'torches of freedom' to get women to start paying up for the privilege of using them a hundred years ago.
echelon 7 hours ago [-]
Are you sure it's just kids?
In dealing with the ills of social media, you do what you do with every other negative externality - you tax it. At least the parts of it you don't like.
Designing privacy, freedom, and liberty destroying mechanisms is not the way.
Big social wants these regulations to pass so that they can get better identity tracking for ads targeting. To them it doesn't matter if the tech ushers in 1984. It makes them more money.
Gigachad 6 hours ago [-]
It's definitely not just kids. Social media is a lot like meth, we should at a bare minimum stop giving it to kids as soon as possible. And then come to realise it's bad for everyone and should be wound back.
Paracompact 3 hours ago [-]
Their argument would be, "If meth is a negative externality, we should just tax it instead of banning it in stores for kids to buy." Kids may die, but I'm sure with all that extra state revenue we'll get a nice park or museum or kickback to Tesla or something.
kelseyfrog 2 hours ago [-]
Be careful this is HN. There's a decent chance someone genuinely believes this.
bloqs 5 hours ago [-]
I'm not sure I get your arguement here
Are you saying that we should let children smoke and just tax it because its better for their liberty and freedoms?
Or are you saying we should just tax social media for adults but banning it for kids is ok
anonzzzies 3 hours ago [-]
We do that here; heavy tax sigarettes (and booze): both dropped like a lead balloon. So yes, tax it for everyone. Kids cannot pay for sigarettes and most adults don't want to (most vapers I know do it because it costs far less; that should be taxed more too imho). If browsing insta/tiktok costs an euro per hour, let's see how many still do it; I'd say they go bankrupt in a few months. Apparently it was never that interesting.
mike_hearn 2 hours ago [-]
The data isn't screaming at us. That's an illusion caused by the flood of bad academic papers on the topic.
A good example is the Jonathan Haidt/Aaron Brown fiasco from a few years ago. Brown has been methodically trying to stop the stampede off yet another pseudo-scientific cliff but not enough people are listening.
> In a recent article for Reason, I argued that the hundreds of studies that New York University professor Jonathan Haidt has assembled to support his claim that social media is causing the teen mental health crisis not only don't back up his claim; they undermine it.
Age verification campaigners like Haidt play a smooth game but consistently downplay how useless social science actually is for answering questions like this:
> I didn't express "concerns" about specific studies; I argued that the majority of the 301 papers cited in his document are garbage. I went through each category of studies on Haidt's list, chose the first one that studied social media and depression to get a random sampling, and then showed that they were so embarrassingly bad as to be completely useless. They were guilty of coding errors, fatal defects hidden in mid-paper jargon, inappropriate statistics, longitudinal studies that weren't longitudinal, experiments in name only, and red flags for hypothesis shopping and p-hacking (that is, misusing data analysis to yield results that can be presented as statistically significant).
It's possible that in the past few years a wealth of robust evidence has suddenly emerged but it seems doubtful.
This stuff does matter. If you misdiagnose the problem then congrats, you just let governments censor the internet - quite possibly creating a China style totalitarian system that pretends to be democratic along the way - and kids will still have the same problems. A bad outcome!
sajithdilshan 1 hours ago [-]
Why are we only focused on kids? the boomers are doing more harm to the society and democracy by spreading mis-information via social media. If we want to have an honest conversation let's talk about every age group and limit it to everyone rather than using kids as a scapegoat
PeterStuer 4 hours ago [-]
"We" are building 1984 to make sure "We" stay in power of our EU Animal Farm.
The legal guardian is responsible for gatekeeping what their minor sees or does not see.
echelon 8 hours ago [-]
I'd seen all the shock websites by age 12. Kids love to prank each other.
None of this is a real harm. The real harms are the government being able to put a muzzle on speech, track who says what, and begin to cordon off areas of thought and expression.
You might think it's a win that this is happening, but you won't be the one in charge and you won't have a say how it's used against you.
doginasuit 8 hours ago [-]
I don't think it is a win, I'm not sure how you got that from my comment. There should be enough room for nuance to acknowledge that the internet is uniquely unhealthy for young people. I don't find 'I saw all the bad stuff and look how great I turned out' very compelling.
If empirical research showed that some kind of intervention would be helpful, I'd be in favor of it even if it comes at a cost. But I don't think age-gating will prove effective as an intervention. If anyone needs to be reined in, it is tech companies that exploit attention and gather data, and the age-gating controversy is a costly distraction.
denkmoon 7 hours ago [-]
Shock sites are materially different to the harm kids do to one another on social media.
echelon 7 hours ago [-]
> Shock sites are materially different to the harm kids do to one another
This would be the "fixed" version of your comment. The social media bit is irrelevant.
Kids have always been assholes to other kids. I took the school bus a few times, and the older neighborhood kids tried to chase me down, beat me, and piss on me. That was before the internet.
You can't make up for other parents' bad parenting by trying to invent a system to bubble wrap all the kids. You teach your own kids to be strong in the face of adversity, to grow a thick skin, and to stand up for themselves.
fwipsy 6 hours ago [-]
Just because you survived it doesn't mean that it's "not real harm." I am sympathetic to privacy concerns, but the downsides also need to be taken seriously and mitigated where it's possible to do so without critically compromising privacy.
Balinares 4 hours ago [-]
I have a hunch that the Epstein class is getting increasingly upset about the kids encountering ideas about what ought to be done about the Epstein class, and mostly are keen to see the next generation molded back into good little subservient laborers. It really isn't about the well-being of the kids.
skybrian 3 hours ago [-]
Websites should have an easy way to check whether the connecting device has a child lock turned on. We don’t need to identify the person using the device at all. It should be up to parents to make sure their kids use device that are locked.
IshKebab 3 hours ago [-]
This is clearly the right way to do things. Just make devices have a forced choice for their age setting on initial setup, and expose that to apps and websites.
Insane that they didn't even try this simple solution first. Yeah people will get around it, but they'll get around any solution.
Nevermark 2 hours ago [-]
You are imagining that a solution for you will be deemed a solution for the political powers pushing for this. Or that being age-verified is the main danger of having age-verification.
That would be nice!
But if there isn't a safe market driven solution to age-verification, which provides anonymous, unsurveiled, age-attested site access, with no ability for the government to individual monitor, deny or revoke, then that is exactly what is going to get pushed on all of us.
You don't defeat an enemy by not needing the manacles they are very motivated to force on everyone..
Increasingly: We adopt zero knowledge proofs, and other decentralized open-sourced hard-security technologies, and resolve seemingly-small, but not-going-away practical issues like age & porn, or empower and "trust" every weak politician, interest group and stranger on the internet to not use our lack of awareness and defense against us.
Add AI to the mix, and the risk/damage of passivity becomes extreme.
nerdsniper 2 hours ago [-]
I hesitate to comment on these because hundreds of comments have already said it and I don't have anything new to add.
- The age-gate should just be a setting on the device: either over 18 or under 18. Websites/apps should at most only be legally required to respect the device's assertions.
- Devices should be controllable by parents: let the parents decide whether the child should be age-restricted or not.
- Devices should have profiles so that you can let your kids use your own phone/laptop without messing up your stuff or getting into things they shouldn't.
Historically parents have been allowed to rent R-rated movies for their kids with nudity and sex and violence even if the video store isn't supposed to rent it out to the kids directly. That was always considered okay. If I think my 16-year old is mature enough to watch some porn, that should be the parents' decision.
trashb 26 minutes ago [-]
I'm not a fan of age checks. There is a reason Google is offering this (for free).
As always with tracking, the value is in the metadata.
The knowledge if you are or are not above a certain age is already privacy invasive but not that relevant for tracking or ads.
But with ZKP at least you won't need to send your creditcard, copy of ID and address to the 3rd party to verify.
doginasuit 10 hours ago [-]
Zero-knowledge seems to be a bit of an oversell here. It is more like you break the knowledge up and only share the relevant parts with each party. And the facilitator (Google) arguably has access to the most information out of any of the parties involved.
slwvx 10 hours ago [-]
zero-knowledge proofs are a well-known tool in cryptography [1]. All Google is sharing is the library to implement it. Google would not have access to the information any more than they have access to the bank info of people who use Android or Gmail.
It's my understanding that they are sharing the library but they will also be involved as a facilitator, at least to the extent that people use their identity wallet service. It also seems like they will have access to who you are sharing information with, which seems like the most valuable information for a company in their position, with nothing but a pinky promise that it will not be tracked. Let me know if any of that is inaccurate.
_alternator_ 8 hours ago [-]
I don't know the technical details of this ZKP library, but there is no technical reason that I'm aware of that the ID provider would need to know who you are sharing with. Not to say Google didn't build it this way for business reasons.
xinayder 57 minutes ago [-]
You also can't know if Google has broken any of the ZKP promises, or in terms of the field, if Google is cheating and uncovered the secret bits you shared.
beepbooptheory 8 hours ago [-]
Here is a good explainer of an ideal implementation of this (maybe). If its this, you would be incorrect.
> any more than they have access to the bank info of people who use Android or Gmail.
...but they do? Google pay gives them your credit card and transaction details; any time your bank sends a statement to your gmail account, Google has that, too.
Am I missing your sarcasm?
dgrin91 10 hours ago [-]
There are true ZKP setups where no one learns anything but the absolute minimum (e.g. is this person over 16, not what is their dob). This is hard to prove though and I don't know if I trust Google to do it
wmf 9 hours ago [-]
Ideally the government would be the issuer and the facilitator but the US lacks the state capacity to do this. Maybe it will work that way in Estonia.
miki123211 4 hours ago [-]
The US is in the weird position of having a class of people (undocumented immigrants) who are often provisionally allowed to live there, known to their state in some capacity, and yet unable to receive some government documents that a permanent resident or citizen would be entitled to.
Europe doesn't really have that status. Either you're known to the government and can receive documents from it, or you're a criminal in hiding, avoiding any and all government offices.
vasco 4 hours ago [-]
No it's not like that in "europe". Plenty of people have been in the limbo state for years in portugal for example until the new government started expediting processes. I had several refugee friends which were in this situation and had local jobs and some forms of id but not others. Like having social security and a tax number but no official ID
EGreg 5 hours ago [-]
Google has pioneered a few technologies where they are the trusted dealer. For example, Private State Tokens.
I have written a paper on how to do age verification in a completely privacy-preserving way, and it doesn’t even need zero-knowledge proofs:
It is suspicious to me that "age assurance" is trending EXACTLY as AI agents become capable of autonomously operating a personal computer in the same way a human office worker would.
I'm afraid "age assurance" has nothing to do with "the children".
sigmoid10 3 hours ago [-]
>It is suspicious to me that "age assurance" is trending EXACTLY as AI agents become capable of autonomously operating
It is not, because your premise is false. This whole thing has been going on for as long as kids have been online. The early 2000s tried (and obviously failed) by using credit cards. The UK tried and failed last decade to ban porn for minors this way. AI tools are probably not even on the radar for the kind of politicians that keep pushing this.
M95D 1 hours ago [-]
> AI tools are probably not even on the radar for the kind of politicians that keep pushing this.
Forget about the politicians for a bit. There still are many regions on the globe where no age verification is mandatory, yet websites chose to implement it anyway. Why, if not for tracking and bots?
chii 3 hours ago [-]
> I'm afraid "age assurance" has nothing to do with "the children".
and you should be afraid, very afraid. Because none of these (and other measures to invade privacy) has ever had anything to do with children.
u1hcw9nx 2 hours ago [-]
The point of ZKP in EU wallet is that it separates checking age and privacy.
You can both give a proof your age and not lose privacy.
xinayder 59 minutes ago [-]
Except that ZKP for sensitive data is far from being a thing, and also, I don't want the fucking government to have anything to do with what sites I access. Period.
Why the hell do I need to login to my digital wallet to access a fucking website???
anon-3988 7 hours ago [-]
Age is just one metric. I don't want zero proof tech about information X. I don't want to have an identity. Full stop.
ambicapter 7 hours ago [-]
This can be used to have zero-proof knowledge of "over 18" or "not over 18". So they don't really get your age, except that you are in two broad ranges.
onion2k 6 hours ago [-]
If you get enough signals like that you can often narrow down a very large cohort of people to an individual.
First it's 'over 18?', then it's 'over 25?', and then 'biological sex?', 'employed?', 'enjoys posting on HN?', 'active in the early morning?' and after half a dozen questions, all with binary answers that are safe individually, you can zero in on a 23 year old woman who has a job and posts on HN in the morning.
Ask a few dozen questions like that and you'd be able to sieve an individual from a group of millions, especially if they're unlucky enough not to be absolutely typical.
0-_-0 40 minutes ago [-]
Browser fingerprinting can already pinpoint you exactly. We should focus on that.
alexghr 5 hours ago [-]
Proper ZK proofs don’t work that way. N different proofs will not be linked to each other unless the circuits are written to emit a stable identifier.
Obviously if you see a bunch of proofs for known circuits coming from the same IP address then yeah, you can infer a bunch of info from that metadata.
xinayder 54 minutes ago [-]
> Proper ZK proofs don’t work that way. N different proofs will not be linked to each other
in theory. How do you do that on paper? How do you "anonymize" this data, to make it so they aren't related to each other?
This is just like Facebook implementing the Signal protocol on WhatsApp. They technically can't access your messages, but they have all the metadata which most of the times will allow someone to infer the content of the conversation.
za_creature 3 hours ago [-]
> N different proofs will not be linked to each other
Please sign up to continue
hashmal 2 hours ago [-]
the visited site won't have the info. but someone in the chain will definitely know your identity. the government, private contractors.
flipbrad 4 hours ago [-]
The point perhaps is that these things enable discrimination based on extremely gross grained and defective criteria - in some ways the least relevant parts of your identity.
wmf 6 hours ago [-]
I think anon's point is that it could be used for other attributes in the future, like your nationality or... your social credit score (don't worry, it only proves that your score is over or under 500).
adrianN 5 hours ago [-]
You only need about 33 bits of information to uniquely identify every human.
Nevermark 3 hours ago [-]
If you need personalized government attestation to visit a site, then the government has the ability to dynamically deny and rescind your individual access to any site that adopts age verification, at any time.
Once adult sites adopt the system, it will creep over to any site wanting to limit their liability. Banks. Business services. Eventually almost everyone.
Liability the government will dramatize and escalate. You won't see the government pass any laws to create age-liability safe harbors.
Wikipedia is already being forced to fight to not implement age verification. Age verification managed by the government = No Wikipedia access without individually tracked, controlled and revokable government permission. [0]
Seldom has a slippery slope been so slippery.
The distance between government controlled per-citizen access to obviously adult sites, and government permissioned/controlled access to any site of substance, does not even involve a technical hurdle. It just becomes a site adoption curve. Every adoption increasing the scope of real-time government surveillance in our minute-to-minute lives, and its real-time at-will ability to deny access to whatever it chooses, whenever it chooses, and for whoever it chooses. In any combination.
Dystopia is here.
In my opinion, this is terrifying.
We need: Third party attestation, providable by anyone/entity meeting basic openly-defined criteria, limited to age attestation only, implemented with Zero Knowledge Proofs, to create a safe anonymous (unsurveiled/no personalized denials) alternative, to take the wind out of the sails of this constant governmental power grab. If it isn't solved by security minded technologists and the marketplace, the freedom destroying version will prevail - and it won't be undone.
We don't need age attestation or any kind of identity attestation, period.
kelseyfrog 2 hours ago [-]
If you're ok with slippery slopes, are you ok with ad hominems?
watersb 11 hours ago [-]
We need "How to talk to your legislators about zero-knowledge proofs".
protocolture 10 hours ago [-]
"Dont do age assurance, ever"
Done.
Avicebron 10 hours ago [-]
Ok, they have ignored that. I did my part and sent an email. Now what?
protocolture 9 hours ago [-]
Violent revolution I guess. Genuinely what are the other options?
I made a formal submission to the Australian Government in the very small consulting window they held for the Access and Assistance bill. Pleading with them to consider simply not introducing the law, as there was no justification for it at all. Google also made a submission against the bill, as did many large local and overseas corporations.
The government went ahead anyway.
What are the chances of me swinging any government when Google et al are on the other side, determined to provide privacy and anonymity destroying products to bolster their bottom line?
Probably worth mentioning that the Access and Assistance bill permits the Australian government to secretly (even just verbally) compel anyone building age assurance technology to secretly backdoor it to collect metadata, or any other information they choose. There's no level of safety from the government one can achieve with any app. If they resist they go straight to the Australian version of a secret national security court. The bill doesn't even make it clear whether briefing their solicitor about the request is legal. It doesn't matter how good the crypto is if the app is recording details outside of that. Its all just theatre at this point. There's no safe app, so we should completely resist all attempts to do things the government could restrict, leak or misuse.
I dont see how this is even slightly contentious in the year of our lord two thousand and twenty six, after decades of leaks affirming governments do this stuff, decades of governments and corporations dangerously failing their citizens privacy, when a particular government is hell bent on using all the personal data it can hoover up to persecute migrants and refugees. How are people blindly monofocusing on the crypto while trusting everything else?
IanCal 3 hours ago [-]
There are steps in between “send an email saying don’t do the thing you want” and “murder lawmakers”.
> I dont see how this is even slightly contentious in the year of our lord two thousand and twenty six
Violent revolution in response to data privacy issues?
ForHackernews 2 hours ago [-]
Tech people really will do absolutely anything to avoid talking to their neighbors and engaging in electoral politics, won't they?
Gigachad 7 hours ago [-]
The vast majority of the population supports banning social media for kids so revolution isn't happening. Of course the social media companies object to their product being banned. It's like cigarette companies objecting to plain packaging.
protocolture 7 hours ago [-]
>The vast majority of the population supports banning social media for kids so revolution isn't happening
Age assurance is being used in more than a single scope. I dont disagree that the revolution isnt happening, but theres no need to be so reductive.
>Of course the social media companies object to their product being banned. It's like cigarette companies objecting to plain packaging.
They aren't objecting to age assurance tools. They are objecting to the current ham fisted model, but when they can organise something less nebulous than the current regime they will be fighting to implement it first.
Gigachad 7 hours ago [-]
Sure, the implementation details are blunt. But Facebook, Google, and Reddit have had decades to sort this out on their own and yet they have only poured fuel on the problem and watched the ad dollars rain in.
So I have little sympathy that the resulting laws are not optimal for them.
protocolture 6 hours ago [-]
>But Facebook, Google, and Reddit have had decades to sort this out on their own
It was solved. Dont collect information.
The problem is making shitty psychotic apps, not determining who can use them.
I would much rather they cut meta into pieces and sold them off as scraps, than just scarfing up the PID of the users to make arbitrary determinations about who can have what brainrot.
intended 4 hours ago [-]
It was solved for you.
There are more people than just you (and other tech literate folk) online.
I would also rather meta be cut an sold of as scraps. This is sadly not the question being framed.
I’ve dedicated a portion of my life volunteering to moderate content in communities. It is an unmitigated shit show. The status quo is great for firms and corrosive for society.
If theres a takeaway from this sub thread, is why “meta being broken up and sold for scraps” not being raised as a question in the first place.
Is it another case of too big to fail?
vlian2088 6 hours ago [-]
>The vast majority of the population supports banning social media for kids so revolution isn't happening.
reddit isn't the vast majority of the population, fren. it's 1% of 4%.
unless you've got polls you could show to back up your claim? polls, not opinion pieces. polls asking unambiguous questions like "are you in favor of banning social media?" or "are you in favor of age verification laws?", not vague ones like "are you concerned about the content your kids might see on the internet?". got any of those?
Gigachad 5 hours ago [-]
77% of the Australian population were in support of "Proposed ban on social media for children under 16"
This was in 2024, since then the attitude is still very much that kids should be taken off social media, but that the current restrictions aren't yet working as the face scanning verification is easily bypassed.
vlian2088 5 hours ago [-]
well, shit. Australians absolutely deserve having to scan their faces/fingers/eyeballs/assholes every time they touch their phones, then.
intended 4 hours ago [-]
> 6 in 10 parents worldwide support social media ban for under 16s - but children are divided
> Support among parents for a social media ban for under-16s is highest in Malaysia (77%) and India (75%), Argentina (55%) and lowest in Japan (38%) and Nigeria (39%)
> Globally, the majority of Gen Z (51%) – the first true digital natives – support a social media ban for under-16s. Support for the ban is highest in India (73%) and UAE (67%), Argentina (54%) and lowest in Japan (28%), UK, and Canada (both 40%
increasingly few people are parents, so these numbers are don't reflect 'the vast majority' of the population.
intended 3 hours ago [-]
A majority of Gen Z dont want it for kids, so that isn't true either. Plus, thats a moving of goal posts.
vlian2088 3 hours ago [-]
I responded to "the vast majority of the population supports banning social media", not "the vast majority of parents supports banning social media".
the latter wouldn't surprise me at all, I've seen all kinds of degenerates suddenly begin to act like boomers after they've had a kid.
matheusmoreira 9 hours ago [-]
"Do the opposite of what Meta is lobbying for"
Done.
miki123211 4 hours ago [-]
It's much easier to convince somebody to achieve their goals your way than to not achieve their goals at all.
Politicians don't want to be seen as going soft on child predators and harms to children. That is a career-ending move. Whether the bills they introduce even protect children at all has no bearing on it. PR is PR.
If you're essentially telling somebody that children don't need to be protected, you might feel smug and superior, but you're achieving nothing. You'll be ignored as a conspiracy-theory-loving nutjob.
If, on the other hand, you tell politicians that there are multiple approaches to protecting children, all as effective, with one of them having fewer side-effects to the rest of society, now that's a much easier sell. You sound like somebody who knows their stuff and has a nuanced take.
dboreham 10 hours ago [-]
Not really any point since US legislators aren't motivated by the interests of regular people.
consumer451 10 hours ago [-]
Yes, they are not.
> Today, we open sourced our Zero-Knowledge Proof (ZKP) libraries, fulfilling a promise and building on our partnership with Sparkasse to support EU age assurance.
PeterStuer 3 hours ago [-]
Will they not just argue that you could share the assertion, and hence we need a 'trusted' verfication point to establish it is actually you in posession of the zkp token, right now. So turn on that smartphone camera right now and obediently follow our biometric verfication instructions ...
sigbottle 3 hours ago [-]
Or even simpler - they can just claim to implement it but still store your data just because.
Doesn't seem like government is taking any steps here to try and regulate anything anymore. Possibly not ever again.
xinayder 51 minutes ago [-]
There is literally no way of us knowing if Google hasn't chosen to cheat during the ZKP protocol or not. Zero chance.
Seattle3503 3 hours ago [-]
Maybe, but we should force them to make that argument after we demonstrate age verification doesn't require identifying ourselves to every website. It would reveal they aren't seeking pragmatic solutions.
ggm 3 hours ago [-]
CSIRO and the Australian privacy commissioner suggested this path to the Australian Government a few years ago.
I'm not a fan of technology fixes for social problems but i do think this may be in the sweet spot.
I see a lot of people here don't agree. I think they may not appreciate quite how concerned a lot of the community is about the effects of networked communication on minors. I'm not here to change people's minds, but this isn't a US problem it's a global one, and US constitutional rights views do not predominate worldwide.
Google has more customers outside the US than inside, and has more business with entities subject to non US laws than solely US domiciled entities.
7 hours ago [-]
RedComet 3 hours ago [-]
It is painfully obvious that the "age assurance" push is to limit anti-zionist propaganda.
I wonder who or what will abuse this infrustructure when they fail.
quietthrow 8 hours ago [-]
This seems great - one question (ideally for Alan stapleberg) why is this not available for everyone? Seems like this is only applicable to the EU? Genuine question - Why would other governments not want this for their people ? I am sure there is a flip side that EU thinks is not worth more than thier people getting this kind of privacy. But what’s has to be true for some govts to think that the flip side is more beneficial than the privacy aspect. Appreciate if someone can break down how incentive structures are different and hence the resultant choices/positions
Groxx 10 hours ago [-]
I've been trying to figure out how zero-knowledge stuff would work in practice for age verification, where "when issued" (or extremely coarse, like what year), "to whom", and "where it's used" are hidden from everyone except the individual holding the proof (since that's the gold standard, and the only one worth accepting).
I get that ZK techniques work, and reveal "nothing". That's useful.
But if they reveal nothing, isn't it wide open for abuse? Couldn't one over-18-person's proof become everyone's proof, because they can't tell it's the same proof, and the issuer can't tell where or how often the proof is being used? Or are there ways to construct data leaks that are not user-identifying but are abuse-identifying (and what would that even mean)?
Aurornis 9 hours ago [-]
> But if they reveal nothing, isn't it wide open for abuse? Couldn't one over-18-person's proof become everyone's proof, because they can't tell it's the same proof, and the issuer can't tell where or how often the proof is being used?
Yep!
This is why the concept of zero knowledge age gating is such a trap for technically minded people. They imagine receiving a private cryptographic object that can be used to anonymously confirm that the government says it was issued to someone over 18.
That’s completely useless because a single leaked token could be used forever, so nobody actually considers this.
All of the real proposals have various compromises baked in. Some people want to require device attestation, so you could only do this handshake from a government approved device running a government approved operating system. Forget using Linux or maybe even a general purpose computer at all.
Other proposals involve online government handshakes in various ways, with a pinky promise that the government won’t keep logs or tap it for national security purposes. So we get back to anonymous by trust only.
xinayder 49 minutes ago [-]
From my limited knowledge of ZKP I believe there are protocols that don't allow token reuse, i.e., once you consume a token for one round, you cannot reuse it for another attestation.
semi-extrinsic 5 hours ago [-]
> Some people want to require device attestation, so you could only do this handshake from a government approved device running a government approved operating system. Forget using Linux or maybe even a general purpose computer at all.
The reason this is a non-problem for the purpose being discussed (age verification on social media) is that you can simply allow anyone with a de-Googled phone or using Linux on a laptop (or even Mac or Windows) to bypass the age check. You don't need a 100.0% accuracy solution, anything above 90% is fine.
Essentially all teenagers are using social media on Android or iOS with apps from the official app store. If you make social media unavailable only on those devices, they are not going to be switching en masse to SailfishOS or start to carry around backpacks with laptops.
Maybe a few will. But then they're going to be very lonely on their social media and subsequently stop caring.
miki123211 4 hours ago [-]
Oh you'd be surprised.
Social media is something people want. A large part of why people buy smartphones in the first place (especially at that age) is to be on social media. If you need to buy some weird kind of smartphone to do it, or ask your tech-savvy friend to do some voodoo on it for ten bucks, people absolutely will do that.
See the story of console modchips in eastern Europe for an example. Legal games were so expensive at that time that most kids / families weren't able to afford them. Console modchips existed, but they were difficult to install, and most people just didn't have the expertise. What ended up happening was that everybody "knew a guy", and that guy would do their modchip for a fee. They didn't need to know anything about rooting, ROMs, flashing or soldering, they gave a legal console to somebody and got a console that could play pirated games back.
hexasquid 4 hours ago [-]
This is interesting in light of the discussion on hacker news yesterday, where folk were talking about how they had to learn how to make games work on early PCs, given limitations that aren't present to the young today.
Motivated kids can find a way! Perhaps evading age gates will produce the next generation of hackers.
whiplash451 8 hours ago [-]
We might be over complicating things here.
The governments’ focus might be on protecting genuine users (adults or not), not fighting fraudsters.
In other words if ZKP works for the vast majority of technically illiterate people with their EU ewallet, the job is done.
denkmoon 7 hours ago [-]
Absolutely. We don't look at the use of false identity documents as a failure of age gating tobacco and alcohol, it's just an accepted consequence that we try to mitigate knowing that we cannot stop all instances.
7 hours ago [-]
mavhc 2 hours ago [-]
why would a token a) last forever, and b) not be created as a response by your smart ID card to a challenge token?
Nursie 5 hours ago [-]
There are a variety of schemes possible that do not have these flaws.
I agree with your analysis, but doesn't that make this blogpost by google a bit overoptimistic, or even disingenuous?
rstuart4133 3 hours ago [-]
> But if they reveal nothing, isn't it wide open for abuse?
Good point, they do contain more information than "They are over 18". The primary (usually only) thing is who is attesting they are over 18. That might be the government, or a bank.
That's inevitable, because the usual flow is rather like Google's OAuth - the site needing you to prove your age rediects to the provider (Google, or whoever), who asks questions to verify your identity, and then replies with "over 18" or "not over 18".
This can leak other information aside from the site knowing who is verifying your age. For example, done the wrong way, the Google / the government could know what porn sites you like. OAuth, for example leaks that sort of information. But there is no technical reason it has to be that way.
The major barrier to all this isn't whether it's possible to design a protocol that proves your age, having a driver's licence or even an amount in a bank account. It is absolutely possible. It's that to be useful, everyone has to agree on the same protocol. That has so far proved to be near insurmountable.
tzs 6 hours ago [-]
Briefly, your government issues you a digital signed copy of a document, such as a driver's license or passport, that gets bound to a hardware security element that you own. In current implementations these are the secure elements of smart phones, but there is no reason that standalone hardware security elements could not be supported.
When you want to provide information from that document to a third party a protocol is used which allows you to demonstrate to the third party that (1) you have a document from the government bound to your hardware security device, (2) you have unlocked the hardware security device, (3) and the document says what you say it says (e.g., "the birthdate field in this document contains a value that is more than 18 years in the past").
This third party gets no additional information about the contents of your document. The protocol takes place entirely between your device and the third party, so the government that issued you the bound document has no idea when or if you use it.
Someone over 18 person could indeed decide to help others prove age, but they would either have to do it in person or be willing to loan their unlocked security element to those others.
miki123211 4 hours ago [-]
That's where trusted computing comes in.
Your proof proves two claims. That the person proving their age is over 18, and that they're using a device and software that hasn't been tampered with. That software requires human presence at every age check.
ZKPs for age assurance are trading off privacy at the expense of software malleability.
Note that this has nothing to do with open source; it's perfectly fine to release the source code for the relevant software. You can even allow for reproducible builds and full auditability if that's what you want.
vasco 4 hours ago [-]
> Note that this has nothing to do with open source; it's perfectly fine to release the source code for the relevant software. You can even allow for reproducible builds and full auditability if that's what you want
The released code can do all of that, and then nothing still assures me that they didn't implement just a POST <my whole information> to their partner and called it ZKP and pointed at google's repo.
1. Imagine what the protocol would look like without privacy (zk allows you to “sign” a computation, so just do the computation in the clear)
2. Imagine what the protocol would look like by revealing a hash of the passport only (the idea of a “nullifier”, a unique identifier that hides the data and and can be revealed to prevent replays)
The first one should already answer your question: the way you would prevent replays or portability (I use your proof) is to attach some sort of session context to your proof
doginasuit 10 hours ago [-]
My understanding as someone who is just learning about the tech is that zero-knowledge isn't a great description of what is happening. The issuer (some party with the proof, like the government) shares the knowledge and that is only valid for a single verifier. So knowledge is held and is shared, just the minimum amount possible to be credible.
Epa095 9 hours ago [-]
Idk if this scheme is zero knowledge, but what's wrong with it? :
- you enter ph and must age-verify. It says 'your secret: "capable peanut", enter age proof below'.
- you go to age-knower (e.g bank or government page). You provide the secret phrase, and you get back a cryptographically signed json with the secret phrase, a claim 'above18', and a field stating who attested for the age (e.g government or bank or whoever).
- you paste this signed json (maybe encoded as base64 or something) into ph. It will verify that the attestee is good, then use it's public key to verify the signature, before checking that the secret is the correct one, and that it contains the age-claim.
Is the problem that if ph and the attestee colludes they can compare the secret string and figure out who you are?
Groxx 9 hours ago [-]
Yes, that allows collusion. Which has historically happened quite regularly any time money or politics are involved, which means we should not accept that strategy.
For some isolated scenarios, that collusion risk may be completely fine. But not for something that is poised to control access to the internet as a whole, or in any way relates to maintaining safe free speech on the dominant public platform for doing so (the internet). People need protection from their government (present and future), or it's not a "right", it's just temporary retroactively-revokable permission.
ekr____ 6 hours ago [-]
The proof is bound to a cryptographic key stored in a tamper-resistant module (as in a phone).
Even if you had to submit a picture of your driver's license, you can send someone else's
wmf 9 hours ago [-]
This is basically the double spending problem which has been solved in various ways.
wmf 6 hours ago [-]
For example, Chaum's blind signatures https://en.wikipedia.org/wiki/Blind_signature let you create a credential that can be anonymously used once but it gets de-anonymized and invalidated if used a second time. This could be applied to age verification so that each credential could only be used once.
Groxx 2 hours ago [-]
I should really look into blinding strategies some time - there are some very interesting possibilities in there.
Groxx 9 hours ago [-]
It has? I've been under the impression that the "solutions" are "trust us, we don't allow that" (relying on an authority with full knowledge, as partial knowledge isn't sufficient) and "use more resources than anyone can feasibly contest" (bitcoin).
You could build a merkle tree to say "we exist after X" but not "there is no other X". And publishing that tree for verification would seemingly violate "zero knowledge", unless you know of some way to scrub that, and also hide timing information, because timing information can identify visitors to observers.
rho138 11 hours ago [-]
[2025]
consumer451 11 hours ago [-]
Yes, but it's never been more important than now. Also, I did not have enough chars for an HN title.
stephen_g 10 hours ago [-]
Funny though how whenever these laws are pushed though, the legislators are more interested in strongly identifying people to gate services despite the fact that they should have plenty of advice that things like zero-knowledge proofs exist.
I hate to be cynical but I worry that this isn't going to matter, because it really seems that a lot of the pressure behind age verification isn't actually very interested in the age verification part...
rho138 1 hours ago [-]
It’s like they’re searching for a gap to fill with a product… where have I seen this go terribly wrong before?
semi-extrinsic 4 hours ago [-]
It seems to me that the technical people who get invited to public debates are simply not competent or knowledgable enough. We definitely need to step up!
But a part of me wonders if this may be by design from the debate moderators - if a technical expert opens up by saying "we have a cryptographically secured solution that is backed by experts and privacy advocates alike", what's the next 45 minutes of the TV show going to be about?
consumer451 9 hours ago [-]
Agreed. Now is our chance to very publicly inform our legislators. Not all is lost, yet.
rimworld 2 hours ago [-]
how would you get everyone to accept a economy 2.0 pre-req technology?
mahirsaid 3 hours ago [-]
more like walled off garden where they only, have access to children and what they watch. so now they will feed them the junk and ads curated only for children so they can get them hooked on products early on.
Way to go Google yo uhave succeeded in your goal.
emsign 11 hours ago [-]
What's the point of giving a single point of information about yourself to a single website, when all the websites you visit use the same trackers (from Google for example) only to merge these data points together and sell them as a package.
All current age verification measures open up a torrent of attack vectors on user PII and privacy. Limiting the number of entities that are able to access data is one of the best ways to prevent it's leak or abuse. Don't let perfection be the enemy of good.
But therein lies the fundamental problem with surveillance capitalism. Until the sale of personal data/metadata is outlawed, the practice of targeting content based on an individuals personal data/metadata is outlawed, there is a highly punitive cost for violations and leaks that make storage outside core business functionality a major criminal and financial risk, and the compilation of this data by "intelligence" agencies it treated as a critical attack vector to national security – the attack on each citizens civil rights that it truly is – most privacy laws and regulations are just virtue signals designed specifically avoid the root causes, and further entrench the power of monopolies and incumbents.
FYI I don't believe Google sells user data. They sell products which leverage user data to give them a critical advantage over every competitor who does not have trackers in everyones pockets/computers, does not store their entire web search/browsing history, etc. It's in the interest of big tech to protect their market advantage (like ZKP, which would prevent competitors from having a new gov-mandated vector to compile user data).
10 hours ago [-]
sroussey 9 hours ago [-]
Google never sold user data until the DoubleClick acquisition, from what I understand
coppsilgold 9 hours ago [-]
Unfortunately ZKP's aren't magic.
When not doing privacy oriented cryptocurrency (cough money laundering cough) with ZKP's, if you really want private verification you are in a position where a single actor can authenticate the entire world and no one will know it happened. And to prevent it you assemble the pieces necessary to deanonymize anyone.
Make no mistake. ZKP age verification, as proposed, will just require multiple parties to collude to figure out your identity.
They can't even implement ZKP for remote attestation due to the auth-the-world problem.
Assuming that perfect is the enemy of good, this is still better than all the proposed alternatives, isn't it?
coppsilgold 9 hours ago [-]
With ZKP age verification, services will not be able to track you without help from the CA. The CA will not be able to track you without help from the services. Both will contain the necessary information in their databases that when combined deanonymize you. The CA is the central authority/certificate authority.
So you should assume the government can track you, because you should assume both will be streaming those identifiers to it.
ekr____ 6 hours ago [-]
This isn't correct. With ZKP-based systems even the CA can't track you. That's the "zero-knowledge" part.
nubg 4 hours ago [-]
but how is that possible? that even the CA cannot track you?
consumer451 8 hours ago [-]
Yes, there is one party that can track you, which in some countries is still slightly trusted.
Ideally, no age verification would be required or proposed. However, if it is, this implementation should be the base minimum, should it not?
This is a gazillion percent better than a foreign corporation being in charge, isn't it?
krupan 8 hours ago [-]
Better than no age verification (and therefore, privacy) coupled with parents doing their job?
consumer451 8 hours ago [-]
That would be ideal. However, this is tech proposal which takes so much of the slop out of the entire thing. With this implementation, there is no profit in it, unless your government is directly cooperating, aka a scandal in many countries.
userbinator 4 hours ago [-]
Another attempt at a technological solution to a sociopolitical problem. No thanks.
metalman 2 hours ago [-]
lying bastards
fuck off
nobody will trust ANYTHING if this shit keeps going on
mv_d5339e31 1 hours ago [-]
[dead]
spacington 4 hours ago [-]
It's not zero proof
It's moving the goal post from one entity to another.
You can also fake it by letting someone else solve it for you.
salviati 4 hours ago [-]
> You can also fake it by letting someone else solve it for you.
Fair enough, that's true. But there is no solution that could ever prevent this, right?
spacington 14 minutes ago [-]
Yeah exactly.
I find the naming and the way it gets sold wrong because of it.
Parents should at least be able to overwrite the age of their child, maybe selectively allow bypasses. My experience with a computer would have been completely different if I was blocked from half of the internet. Especially when I see which kind of content gets blocked.
This is incredibly toxic for young men growing up and the women they interact with.
Some of the more prominent proponents are actual pimps (the Tate brothers).
Bollocks. European teenagers watch just as much porn and play GTA at age 10 and yet we don't end up having 12 children a day die from gun violence [1].
Note, I'm not an anti-gun nut, I think German and British anti-gun laws are ridiculously strict. But the American way of dealing with guns is equally bad.
[1] https://www.sandyhookpromise.org/resources/gun-violence-fact...
I mean, quite a few have come from proto-manosphere circles, too. Elliot Rodger comes to mind.
Citation needed?
We're building 1984 to protect from god knows what imaginary harms.
Stop putting plastic wrap around people's freedoms, liberty, and right to privacy.
We will look back at handing kids phones with instagram like giving kids cigarettes and think wtf were we doing.
In dealing with the ills of social media, you do what you do with every other negative externality - you tax it. At least the parts of it you don't like.
Designing privacy, freedom, and liberty destroying mechanisms is not the way.
Big social wants these regulations to pass so that they can get better identity tracking for ads targeting. To them it doesn't matter if the tech ushers in 1984. It makes them more money.
Are you saying that we should let children smoke and just tax it because its better for their liberty and freedoms?
Or are you saying we should just tax social media for adults but banning it for kids is ok
A good example is the Jonathan Haidt/Aaron Brown fiasco from a few years ago. Brown has been methodically trying to stop the stampede off yet another pseudo-scientific cliff but not enough people are listening.
https://reason.com/2023/03/29/the-statistically-flawed-evide...
https://reason.com/video/2024/04/02/the-bad-science-behind-j...
https://reason.com/2023/05/30/not-every-study-on-teen-depres...
> In a recent article for Reason, I argued that the hundreds of studies that New York University professor Jonathan Haidt has assembled to support his claim that social media is causing the teen mental health crisis not only don't back up his claim; they undermine it.
Age verification campaigners like Haidt play a smooth game but consistently downplay how useless social science actually is for answering questions like this:
> I didn't express "concerns" about specific studies; I argued that the majority of the 301 papers cited in his document are garbage. I went through each category of studies on Haidt's list, chose the first one that studied social media and depression to get a random sampling, and then showed that they were so embarrassingly bad as to be completely useless. They were guilty of coding errors, fatal defects hidden in mid-paper jargon, inappropriate statistics, longitudinal studies that weren't longitudinal, experiments in name only, and red flags for hypothesis shopping and p-hacking (that is, misusing data analysis to yield results that can be presented as statistically significant).
It's possible that in the past few years a wealth of robust evidence has suddenly emerged but it seems doubtful.
This stuff does matter. If you misdiagnose the problem then congrats, you just let governments censor the internet - quite possibly creating a China style totalitarian system that pretends to be democratic along the way - and kids will still have the same problems. A bad outcome!
Sounds like denial or tunnel vision.
None of this is a real harm. The real harms are the government being able to put a muzzle on speech, track who says what, and begin to cordon off areas of thought and expression.
You might think it's a win that this is happening, but you won't be the one in charge and you won't have a say how it's used against you.
If empirical research showed that some kind of intervention would be helpful, I'd be in favor of it even if it comes at a cost. But I don't think age-gating will prove effective as an intervention. If anyone needs to be reined in, it is tech companies that exploit attention and gather data, and the age-gating controversy is a costly distraction.
This would be the "fixed" version of your comment. The social media bit is irrelevant.
Kids have always been assholes to other kids. I took the school bus a few times, and the older neighborhood kids tried to chase me down, beat me, and piss on me. That was before the internet.
You can't make up for other parents' bad parenting by trying to invent a system to bubble wrap all the kids. You teach your own kids to be strong in the face of adversity, to grow a thick skin, and to stand up for themselves.
Insane that they didn't even try this simple solution first. Yeah people will get around it, but they'll get around any solution.
That would be nice!
But if there isn't a safe market driven solution to age-verification, which provides anonymous, unsurveiled, age-attested site access, with no ability for the government to individual monitor, deny or revoke, then that is exactly what is going to get pushed on all of us.
You don't defeat an enemy by not needing the manacles they are very motivated to force on everyone..
Increasingly: We adopt zero knowledge proofs, and other decentralized open-sourced hard-security technologies, and resolve seemingly-small, but not-going-away practical issues like age & porn, or empower and "trust" every weak politician, interest group and stranger on the internet to not use our lack of awareness and defense against us.
Add AI to the mix, and the risk/damage of passivity becomes extreme.
- The age-gate should just be a setting on the device: either over 18 or under 18. Websites/apps should at most only be legally required to respect the device's assertions.
- Devices should be controllable by parents: let the parents decide whether the child should be age-restricted or not.
- Devices should have profiles so that you can let your kids use your own phone/laptop without messing up your stuff or getting into things they shouldn't.
Historically parents have been allowed to rent R-rated movies for their kids with nudity and sex and violence even if the video store isn't supposed to rent it out to the kids directly. That was always considered okay. If I think my 16-year old is mature enough to watch some porn, that should be the parents' decision.
As always with tracking, the value is in the metadata.
The knowledge if you are or are not above a certain age is already privacy invasive but not that relevant for tracking or ads.
But with ZKP at least you won't need to send your creditcard, copy of ID and address to the 3rd party to verify.
[1] https://en.wikipedia.org/wiki/Zero-knowledge_proof
https://blog.vrypan.net/2026/06/29/260629-whats-wrong-with-e...
...but they do? Google pay gives them your credit card and transaction details; any time your bank sends a statement to your gmail account, Google has that, too.
Am I missing your sarcasm?
Europe doesn't really have that status. Either you're known to the government and can receive documents from it, or you're a criminal in hiding, avoiding any and all government offices.
I have written a paper on how to do age verification in a completely privacy-preserving way, and it doesn’t even need zero-knowledge proofs:
https://magarshak.com/papers/Personal.pdf
I'm afraid "age assurance" has nothing to do with "the children".
It is not, because your premise is false. This whole thing has been going on for as long as kids have been online. The early 2000s tried (and obviously failed) by using credit cards. The UK tried and failed last decade to ban porn for minors this way. AI tools are probably not even on the radar for the kind of politicians that keep pushing this.
Forget about the politicians for a bit. There still are many regions on the globe where no age verification is mandatory, yet websites chose to implement it anyway. Why, if not for tracking and bots?
and you should be afraid, very afraid. Because none of these (and other measures to invade privacy) has ever had anything to do with children.
You can both give a proof your age and not lose privacy.
Why the hell do I need to login to my digital wallet to access a fucking website???
First it's 'over 18?', then it's 'over 25?', and then 'biological sex?', 'employed?', 'enjoys posting on HN?', 'active in the early morning?' and after half a dozen questions, all with binary answers that are safe individually, you can zero in on a 23 year old woman who has a job and posts on HN in the morning.
Ask a few dozen questions like that and you'd be able to sieve an individual from a group of millions, especially if they're unlucky enough not to be absolutely typical.
Obviously if you see a bunch of proofs for known circuits coming from the same IP address then yeah, you can infer a bunch of info from that metadata.
in theory. How do you do that on paper? How do you "anonymize" this data, to make it so they aren't related to each other?
This is just like Facebook implementing the Signal protocol on WhatsApp. They technically can't access your messages, but they have all the metadata which most of the times will allow someone to infer the content of the conversation.
Please sign up to continue
Once adult sites adopt the system, it will creep over to any site wanting to limit their liability. Banks. Business services. Eventually almost everyone.
Liability the government will dramatize and escalate. You won't see the government pass any laws to create age-liability safe harbors.
Wikipedia is already being forced to fight to not implement age verification. Age verification managed by the government = No Wikipedia access without individually tracked, controlled and revokable government permission. [0]
Seldom has a slippery slope been so slippery.
The distance between government controlled per-citizen access to obviously adult sites, and government permissioned/controlled access to any site of substance, does not even involve a technical hurdle. It just becomes a site adoption curve. Every adoption increasing the scope of real-time government surveillance in our minute-to-minute lives, and its real-time at-will ability to deny access to whatever it chooses, whenever it chooses, and for whoever it chooses. In any combination.
Dystopia is here.
In my opinion, this is terrifying.
We need: Third party attestation, providable by anyone/entity meeting basic openly-defined criteria, limited to age attestation only, implemented with Zero Knowledge Proofs, to create a safe anonymous (unsurveiled/no personalized denials) alternative, to take the wind out of the sails of this constant governmental power grab. If it isn't solved by security minded technologists and the marketplace, the freedom destroying version will prevail - and it won't be undone.
[0] https://www.eff.org/deeplinks/2025/07/we-support-wikimedia-f...
Done.
I made a formal submission to the Australian Government in the very small consulting window they held for the Access and Assistance bill. Pleading with them to consider simply not introducing the law, as there was no justification for it at all. Google also made a submission against the bill, as did many large local and overseas corporations.
The government went ahead anyway.
What are the chances of me swinging any government when Google et al are on the other side, determined to provide privacy and anonymity destroying products to bolster their bottom line?
Probably worth mentioning that the Access and Assistance bill permits the Australian government to secretly (even just verbally) compel anyone building age assurance technology to secretly backdoor it to collect metadata, or any other information they choose. There's no level of safety from the government one can achieve with any app. If they resist they go straight to the Australian version of a secret national security court. The bill doesn't even make it clear whether briefing their solicitor about the request is legal. It doesn't matter how good the crypto is if the app is recording details outside of that. Its all just theatre at this point. There's no safe app, so we should completely resist all attempts to do things the government could restrict, leak or misuse.
I dont see how this is even slightly contentious in the year of our lord two thousand and twenty six, after decades of leaks affirming governments do this stuff, decades of governments and corporations dangerously failing their citizens privacy, when a particular government is hell bent on using all the personal data it can hoover up to persecute migrants and refugees. How are people blindly monofocusing on the crypto while trusting everything else?
> I dont see how this is even slightly contentious in the year of our lord two thousand and twenty six
Violent revolution in response to data privacy issues?
Age assurance is being used in more than a single scope. I dont disagree that the revolution isnt happening, but theres no need to be so reductive.
>Of course the social media companies object to their product being banned. It's like cigarette companies objecting to plain packaging.
They aren't objecting to age assurance tools. They are objecting to the current ham fisted model, but when they can organise something less nebulous than the current regime they will be fighting to implement it first.
So I have little sympathy that the resulting laws are not optimal for them.
It was solved. Dont collect information.
The problem is making shitty psychotic apps, not determining who can use them.
I would much rather they cut meta into pieces and sold them off as scraps, than just scarfing up the PID of the users to make arbitrary determinations about who can have what brainrot.
There are more people than just you (and other tech literate folk) online.
I would also rather meta be cut an sold of as scraps. This is sadly not the question being framed.
I’ve dedicated a portion of my life volunteering to moderate content in communities. It is an unmitigated shit show. The status quo is great for firms and corrosive for society.
If theres a takeaway from this sub thread, is why “meta being broken up and sold for scraps” not being raised as a question in the first place.
Is it another case of too big to fail?
reddit isn't the vast majority of the population, fren. it's 1% of 4%.
unless you've got polls you could show to back up your claim? polls, not opinion pieces. polls asking unambiguous questions like "are you in favor of banning social media?" or "are you in favor of age verification laws?", not vague ones like "are you concerned about the content your kids might see on the internet?". got any of those?
https://yougov.com/articles/51000-support-for-under-16-socia...
This was in 2024, since then the attitude is still very much that kids should be taken off social media, but that the current restrictions aren't yet working as the face scanning verification is easily bypassed.
> Support among parents for a social media ban for under-16s is highest in Malaysia (77%) and India (75%), Argentina (55%) and lowest in Japan (38%) and Nigeria (39%)
> Globally, the majority of Gen Z (51%) – the first true digital natives – support a social media ban for under-16s. Support for the ban is highest in India (73%) and UAE (67%), Argentina (54%) and lowest in Japan (28%), UK, and Canada (both 40%
https://www.varkeyfoundation.org/post/6-in-10-parents-worldw... Support among parents for a social media ban for under-16s is highest in Malaysia (77%) and India (75%), Argentina (55%) and lowest in Japan (38%) and Nigeria (39%)
increasingly few people are parents, so these numbers are don't reflect 'the vast majority' of the population.
the latter wouldn't surprise me at all, I've seen all kinds of degenerates suddenly begin to act like boomers after they've had a kid.
Done.
Politicians don't want to be seen as going soft on child predators and harms to children. That is a career-ending move. Whether the bills they introduce even protect children at all has no bearing on it. PR is PR.
If you're essentially telling somebody that children don't need to be protected, you might feel smug and superior, but you're achieving nothing. You'll be ignored as a conspiracy-theory-loving nutjob.
If, on the other hand, you tell politicians that there are multiple approaches to protecting children, all as effective, with one of them having fewer side-effects to the rest of society, now that's a much easier sell. You sound like somebody who knows their stuff and has a nuanced take.
> Today, we open sourced our Zero-Knowledge Proof (ZKP) libraries, fulfilling a promise and building on our partnership with Sparkasse to support EU age assurance.
Doesn't seem like government is taking any steps here to try and regulate anything anymore. Possibly not ever again.
I'm not a fan of technology fixes for social problems but i do think this may be in the sweet spot.
I see a lot of people here don't agree. I think they may not appreciate quite how concerned a lot of the community is about the effects of networked communication on minors. I'm not here to change people's minds, but this isn't a US problem it's a global one, and US constitutional rights views do not predominate worldwide.
Google has more customers outside the US than inside, and has more business with entities subject to non US laws than solely US domiciled entities.
I wonder who or what will abuse this infrustructure when they fail.
I get that ZK techniques work, and reveal "nothing". That's useful.
But if they reveal nothing, isn't it wide open for abuse? Couldn't one over-18-person's proof become everyone's proof, because they can't tell it's the same proof, and the issuer can't tell where or how often the proof is being used? Or are there ways to construct data leaks that are not user-identifying but are abuse-identifying (and what would that even mean)?
Yep!
This is why the concept of zero knowledge age gating is such a trap for technically minded people. They imagine receiving a private cryptographic object that can be used to anonymously confirm that the government says it was issued to someone over 18.
That’s completely useless because a single leaked token could be used forever, so nobody actually considers this.
All of the real proposals have various compromises baked in. Some people want to require device attestation, so you could only do this handshake from a government approved device running a government approved operating system. Forget using Linux or maybe even a general purpose computer at all.
Other proposals involve online government handshakes in various ways, with a pinky promise that the government won’t keep logs or tap it for national security purposes. So we get back to anonymous by trust only.
The reason this is a non-problem for the purpose being discussed (age verification on social media) is that you can simply allow anyone with a de-Googled phone or using Linux on a laptop (or even Mac or Windows) to bypass the age check. You don't need a 100.0% accuracy solution, anything above 90% is fine.
Essentially all teenagers are using social media on Android or iOS with apps from the official app store. If you make social media unavailable only on those devices, they are not going to be switching en masse to SailfishOS or start to carry around backpacks with laptops.
Maybe a few will. But then they're going to be very lonely on their social media and subsequently stop caring.
Social media is something people want. A large part of why people buy smartphones in the first place (especially at that age) is to be on social media. If you need to buy some weird kind of smartphone to do it, or ask your tech-savvy friend to do some voodoo on it for ten bucks, people absolutely will do that.
See the story of console modchips in eastern Europe for an example. Legal games were so expensive at that time that most kids / families weren't able to afford them. Console modchips existed, but they were difficult to install, and most people just didn't have the expertise. What ended up happening was that everybody "knew a guy", and that guy would do their modchip for a fee. They didn't need to know anything about rooting, ROMs, flashing or soldering, they gave a legal console to somebody and got a console that could play pirated games back.
Motivated kids can find a way! Perhaps evading age gates will produce the next generation of hackers.
The governments’ focus might be on protecting genuine users (adults or not), not fighting fraudsters.
In other words if ZKP works for the vast majority of technically illiterate people with their EU ewallet, the job is done.
There's an interesting post here which goes into some of this - https://blog.cryptographyengineering.com/2026/03/02/anonymou...
So -
> Yep!
Actually nope.
:(
Good point, they do contain more information than "They are over 18". The primary (usually only) thing is who is attesting they are over 18. That might be the government, or a bank.
That's inevitable, because the usual flow is rather like Google's OAuth - the site needing you to prove your age rediects to the provider (Google, or whoever), who asks questions to verify your identity, and then replies with "over 18" or "not over 18".
This can leak other information aside from the site knowing who is verifying your age. For example, done the wrong way, the Google / the government could know what porn sites you like. OAuth, for example leaks that sort of information. But there is no technical reason it has to be that way.
The major barrier to all this isn't whether it's possible to design a protocol that proves your age, having a driver's licence or even an amount in a bank account. It is absolutely possible. It's that to be useful, everyone has to agree on the same protocol. That has so far proved to be near insurmountable.
When you want to provide information from that document to a third party a protocol is used which allows you to demonstrate to the third party that (1) you have a document from the government bound to your hardware security device, (2) you have unlocked the hardware security device, (3) and the document says what you say it says (e.g., "the birthdate field in this document contains a value that is more than 18 years in the past").
This third party gets no additional information about the contents of your document. The protocol takes place entirely between your device and the third party, so the government that issued you the bound document has no idea when or if you use it.
Someone over 18 person could indeed decide to help others prove age, but they would either have to do it in person or be willing to loan their unlocked security element to those others.
Your proof proves two claims. That the person proving their age is over 18, and that they're using a device and software that hasn't been tampered with. That software requires human presence at every age check.
ZKPs for age assurance are trading off privacy at the expense of software malleability.
Note that this has nothing to do with open source; it's perfectly fine to release the source code for the relevant software. You can even allow for reproducible builds and full auditability if that's what you want.
The released code can do all of that, and then nothing still assures me that they didn't implement just a POST <my whole information> to their partner and called it ZKP and pointed at google's repo.
1. Imagine what the protocol would look like without privacy (zk allows you to “sign” a computation, so just do the computation in the clear)
2. Imagine what the protocol would look like by revealing a hash of the passport only (the idea of a “nullifier”, a unique identifier that hides the data and and can be revealed to prevent replays)
The first one should already answer your question: the way you would prevent replays or portability (I use your proof) is to attach some sort of session context to your proof
- you enter ph and must age-verify. It says 'your secret: "capable peanut", enter age proof below'.
- you go to age-knower (e.g bank or government page). You provide the secret phrase, and you get back a cryptographically signed json with the secret phrase, a claim 'above18', and a field stating who attested for the age (e.g government or bank or whoever).
- you paste this signed json (maybe encoded as base64 or something) into ph. It will verify that the attestee is good, then use it's public key to verify the signature, before checking that the secret is the correct one, and that it contains the age-claim.
Is the problem that if ph and the attestee colludes they can compare the secret string and figure out who you are?
For some isolated scenarios, that collusion risk may be completely fine. But not for something that is poised to control access to the internet as a whole, or in any way relates to maintaining safe free speech on the dominant public platform for doing so (the internet). People need protection from their government (present and future), or it's not a "right", it's just temporary retroactively-revokable permission.
See https://educatedguesswork.org/posts/age-verification-id/#dev... for some more detail.
You could build a merkle tree to say "we exist after X" but not "there is no other X". And publishing that tree for verification would seemingly violate "zero knowledge", unless you know of some way to scrub that, and also hide timing information, because timing information can identify visitors to observers.
I hate to be cynical but I worry that this isn't going to matter, because it really seems that a lot of the pressure behind age verification isn't actually very interested in the age verification part...
But a part of me wonders if this may be by design from the debate moderators - if a technical expert opens up by saying "we have a cryptographically secured solution that is backed by experts and privacy advocates alike", what's the next 45 minutes of the TV show going to be about?
All current age verification measures open up a torrent of attack vectors on user PII and privacy. Limiting the number of entities that are able to access data is one of the best ways to prevent it's leak or abuse. Don't let perfection be the enemy of good.
But therein lies the fundamental problem with surveillance capitalism. Until the sale of personal data/metadata is outlawed, the practice of targeting content based on an individuals personal data/metadata is outlawed, there is a highly punitive cost for violations and leaks that make storage outside core business functionality a major criminal and financial risk, and the compilation of this data by "intelligence" agencies it treated as a critical attack vector to national security – the attack on each citizens civil rights that it truly is – most privacy laws and regulations are just virtue signals designed specifically avoid the root causes, and further entrench the power of monopolies and incumbents.
FYI I don't believe Google sells user data. They sell products which leverage user data to give them a critical advantage over every competitor who does not have trackers in everyones pockets/computers, does not store their entire web search/browsing history, etc. It's in the interest of big tech to protect their market advantage (like ZKP, which would prevent competitors from having a new gov-mandated vector to compile user data).
When not doing privacy oriented cryptocurrency (cough money laundering cough) with ZKP's, if you really want private verification you are in a position where a single actor can authenticate the entire world and no one will know it happened. And to prevent it you assemble the pieces necessary to deanonymize anyone.
Make no mistake. ZKP age verification, as proposed, will just require multiple parties to collude to figure out your identity.
They can't even implement ZKP for remote attestation due to the auth-the-world problem.
So you should assume the government can track you, because you should assume both will be streaming those identifiers to it.
Ideally, no age verification would be required or proposed. However, if it is, this implementation should be the base minimum, should it not?
This is a gazillion percent better than a foreign corporation being in charge, isn't it?
It's moving the goal post from one entity to another.
You can also fake it by letting someone else solve it for you.
Fair enough, that's true. But there is no solution that could ever prevent this, right?
I find the naming and the way it gets sold wrong because of it.