Bingo, more or less
Zero-Knowledge Proofs exist, but age verification using it is not battle-tested nor standardized. More critically, age verification using ZKPs is not mandatory, and users lack control over which age verification company a website chooses for age verification. Currently, many UK sites rely on centralized companies for this purpose (Yoti seems to be the most popular), and these companies do not implement ZKPs. And even if they do, it doesn’t mean much: Google is using ZKP. Is that anonymous or even private? Having to log into Google to use ZKP, that is like asking a well-known gossip to keep a confidential secret. Even if they can’t spill the entire secret at once, the bits of information they might share here and there could still piece together to compromise the overall confidentiality.
For ZKP age verification, the EU Age Verification App is currently the white label solution under development. But the ZKP feature is not yet implemented nor mandatory, and the project has several unresolved issues that could indirectly compromise privacy.
If a FOSS solution were implemented to perform ZKP in a way that prevents linking the attestation output to a real identity and avoids producing side-channel metadata for tracking or correlating different identities, then privacy concerns would be significantly reduced. However, even with such a solution, I would still have reservations about age verification laws due to them making a geolocked web even more of a thing.
Geolocking harms anonymity and privacy in indirect ways, such as requiring users to turn off their VPN to complete the age verification process, thereby revealing their country of residence. While this might not be a significant issue for users from larger countries like the United States or India, it could make users from smaller countries, for example Luxembourg, more easily identifiable, especially if they share additional information.
Because the scenarios I outlined can happen if trust is compromised, it makes sense to look for genuinely private solutions that can be proven to be secure. How is that fear-mongering? It’s just as reasonable as wondering if your no-logs VPN might start logging your traffic at any point. In the context of my VPN analogy, Tor offers a private solution; however, a verifiably anonymous age verification option is not available.
That phrasing suggests that online age verification is effective. Just as you can highlight the limitations of parental controls, I can point out the numerous ways online age verification fails.
You can force big companies like PornHub to implement them, but “You have to be very naive or childless” to assume that children won’t find ways to share information about accessing pornographic content. Whether it’s through free VPNs, free SOCKS proxies, free web proxies, visiting pirate sites hosted offshore, using P2P sharing, torrenting, direct download file hosts, encrypted files on direct messages, Telegram groups, the methods are numerous. It only takes one TikTok video to make a new bypass go viral. How can online age verification method be effectively implemented, without resorting to extreme measures of internet control?
Good parental controls and good whitelist-based filters are indeed the solution.
5 Likes
Do you even live in the US? I noticed a lot of people have opinions on things like this when they don’t even live there.
Do people who post in this thread need to have a connection to the US? OP covers the US context, but age verification is a current issue in many countries, not just the US, and US tech policy has significant ramifications on the internet.
The biggest and most annoying thing for me is when people who don’t live in that country complain about their laws. These are the internal matters that will be decided by their citizens. Sure, we can talk about the topic in general.