You get a cert which is cryptographically signed by your government. They can prove its signed with the governments root cert, showing that its someone over 18, but not who.
That being said the key identifiers will probably still be attached to you in some government db, just not on the porn site.
Though the government could force the pornsite to hand over any logged ids. Some people would say that’s private, as they trust the government not to do stuff without a judges warrant.
As a trans woman relying on HIPPA to not be put on a list of those on HRT, lmao yeah fucking right. The christian taliban will connect the dots the first chance they get.
They can prove its signed with the governments root cert, showing that its someone over 18, but not who.
This is generally a pretty decent system in concept, but it has some unique flaws.
A similar system is even being developed by Cloudflare (“Privacy Pass”) to make CAPTCHAs more private by allowing you to anonymously redeem “tokens” proving you’ve solved a CAPTCHA recently, without the CAPTCHA provider having to track any data about you across sites.
They know someone who had solved a captcha recently is redeeming a token, but they don’t know who.
This type of system will always have one core problem that really can’t be fixed though, which is the sale and transfer of authenticated tokens/keys/whatever they get called in a given implementation.
Someone could simply take their signed cert, and allow anybody else to use it. If you allow the government to view whoever is using their keys, but not the porn sites, then you give the government a database of every porn user with easily timestamped logs. If you don’t give the government that ability, even one cert being shared defeats the whole system. If you add a rate limit to try and solve the previous problem, you can end up blocking access if a site, browser, or extension, is just slightly misconfigured in how it handles requesting the cert, or could break someone’s ability to use their cert the moment it gets leaked.
And even if someone isn’t voluntarily offering up their cert, it will simply get sold. I’ve investigated sites selling IDs and SSNs for less than a dollar a piece before, and I doubt something even less consequential like an ID just for accessing online adult content would even sell for that much.
I’ve seen other methods before, such as “anonymous” scans of your face where processing is done locally to prove you’re an adult, then the result of the cryptographic challenge is sent back proving you’re over 18, but that would fail anyone who looks younger but is still an adult, can be bypassed by the aforementioned sale of personal data to people wanting to verify, and is often easily fooled by videos and photos of people on YouTube, for example.
I don’t think I’ve ever seen a single suggestion of a way to implement age verification that isn’t a privacy nightmare. Oftentimes they literally just want a credit card number, the assumption being that a child would never be able to get hold of such a thing.
In some of the worst cases they actually want a passport or other government ID sending to some organisation that would verify you. With all the fun potential data breaches that that would ensue.
Most of the time these rules never get off the ground because privacy advocacy groups basically sue over it and win every time.
You go onto you state gov website and get a token that just says “this is an adult.” Nothing else. Token lasts 10 minutes.
Cut and paste into the site. They authenticate without saying who theu are, back to the gov site, “yo, this legit?” State says “looks like something we would do.” State keeps no records of WHO validated the token, just that it was a legit token.
Not at all, this is well established technology already in use all over the place.
When countries use digital IDs, they are able to carve out validating individual aspects of an identity. Just address, just over 18, just class of driver’s license, etc.
So the State has a website/wallet where the user pulls a token from the State, basically a fancy hashed OTP/Login code.
The website, which can’t derive your identity from the code, sends the code to the state API and can’t ask more than “is this hash legit” and the State API doesnt need to say more than “yup.”
Where can things go wrong? The State can ask to know who needs the token. Or even demand to know, and log what sites use it. The state can contract this out to a vendor that logs it all, making data theft far more risky.
It all depends on his the state builds requirements.
That’s more or less what I was implying/thinking, there’s not really any good way to implement it. Canada almost ended up implementing it and possibly even going as far as to ban porn, but thankfully Poilievre ended up losing the election including losing his own seat.
How would that work? I’m not well-researched on this particular topic, so I’m curious how that should work.
Key signing maybe?
You get a cert which is cryptographically signed by your government. They can prove its signed with the governments root cert, showing that its someone over 18, but not who.
That being said the key identifiers will probably still be attached to you in some government db, just not on the porn site.
Though the government could force the pornsite to hand over any logged ids. Some people would say that’s private, as they trust the government not to do stuff without a judges warrant.
As a trans woman relying on HIPPA to not be put on a list of those on HRT, lmao yeah fucking right. The christian taliban will connect the dots the first chance they get.
This is generally a pretty decent system in concept, but it has some unique flaws.
A similar system is even being developed by Cloudflare (“Privacy Pass”) to make CAPTCHAs more private by allowing you to anonymously redeem “tokens” proving you’ve solved a CAPTCHA recently, without the CAPTCHA provider having to track any data about you across sites.
They know someone who had solved a captcha recently is redeeming a token, but they don’t know who.
This type of system will always have one core problem that really can’t be fixed though, which is the sale and transfer of authenticated tokens/keys/whatever they get called in a given implementation.
Someone could simply take their signed cert, and allow anybody else to use it. If you allow the government to view whoever is using their keys, but not the porn sites, then you give the government a database of every porn user with easily timestamped logs. If you don’t give the government that ability, even one cert being shared defeats the whole system. If you add a rate limit to try and solve the previous problem, you can end up blocking access if a site, browser, or extension, is just slightly misconfigured in how it handles requesting the cert, or could break someone’s ability to use their cert the moment it gets leaked.
And even if someone isn’t voluntarily offering up their cert, it will simply get sold. I’ve investigated sites selling IDs and SSNs for less than a dollar a piece before, and I doubt something even less consequential like an ID just for accessing online adult content would even sell for that much.
I’ve seen other methods before, such as “anonymous” scans of your face where processing is done locally to prove you’re an adult, then the result of the cryptographic challenge is sent back proving you’re over 18, but that would fail anyone who looks younger but is still an adult, can be bypassed by the aforementioned sale of personal data to people wanting to verify, and is often easily fooled by videos and photos of people on YouTube, for example.
Who under the age of 18 will have money to buy these, and who would be willing to sell them for the pittance teenagers would be willing to spend?
Especially if these get rotated out regularly via a system wide program.
I don’t think I’ve ever seen a single suggestion of a way to implement age verification that isn’t a privacy nightmare. Oftentimes they literally just want a credit card number, the assumption being that a child would never be able to get hold of such a thing.
In some of the worst cases they actually want a passport or other government ID sending to some organisation that would verify you. With all the fun potential data breaches that that would ensue.
Most of the time these rules never get off the ground because privacy advocacy groups basically sue over it and win every time.
Tokenization is the easy solution.
You go onto you state gov website and get a token that just says “this is an adult.” Nothing else. Token lasts 10 minutes.
Cut and paste into the site. They authenticate without saying who theu are, back to the gov site, “yo, this legit?” State says “looks like something we would do.” State keeps no records of WHO validated the token, just that it was a legit token.
Same way that routers connect to VPN services.
How does the state verify that you’re an adult and therefore should have a token?
This solution simply seems to be kicking the can down the road
Not at all, this is well established technology already in use all over the place.
When countries use digital IDs, they are able to carve out validating individual aspects of an identity. Just address, just over 18, just class of driver’s license, etc.
So the State has a website/wallet where the user pulls a token from the State, basically a fancy hashed OTP/Login code.
The website, which can’t derive your identity from the code, sends the code to the state API and can’t ask more than “is this hash legit” and the State API doesnt need to say more than “yup.”
Where can things go wrong? The State can ask to know who needs the token. Or even demand to know, and log what sites use it. The state can contract this out to a vendor that logs it all, making data theft far more risky.
It all depends on his the state builds requirements.
That’s more or less what I was implying/thinking, there’s not really any good way to implement it. Canada almost ended up implementing it and possibly even going as far as to ban porn, but thankfully Poilievre ended up losing the election including losing his own seat.