
Thank you. This helps my understanding, and I would find this solution the proper one if we determine that this road must be walked.

But I still have reservations that this would be the "foot in the door", because people like me will generate and publish tokens publicly, and then lobbyists will use this as the reason why we can't allow the use of private keys unless the website receiving them can certify they belong to the user presenting them, thus forcing a rework of the implementation.



I think there is a sane debate to have around whether or not we want privacy-preserving age verification, indeed. And how much of a "foot in the door" it is (is it building more surveillance technology, or is it actually building privacy-preserving technology that will counter it?).

My concern is that "society" may want to control social media for kids, and if we say "either you don't do it or you leak the IDs", it may end up on "ok then let's leak the IDs" without even considering the better way.

I am just very frustrated because right now, even in a place like here where it's supposed to be around tech-savvy people, the discussion feels like kids repeating what they heard: "it's like ChatControl, it's fundamentally stupid and impossible".


Makes sense and apologies if I came off that way. I just skip to the logical conclusion, which is that there is no way this is going to happen without a race to the bottom, ending by forcing privacy violations. But maybe I'm wrong. I'll be a bit more cautious with my posts.


How would it race to the bottom? Let's say you have deployed privacy-preserving age verification. How do you force privacy violations? I guess I see two directions:

1. "We have this system that works, but now we will throw it away and mandate that private companies check your ID and do whatever they please with it". That doesn't seem realistic.

2. "We have this private system where the government issues tokens that it cannot track, and now we will change it for no other reason than to identify you when you use those tokens, purely for the sake of surveillance". That is not subtle either.

A realistic "race to the bottom", to me, would mean that the technology slowly erodes to the point where it facilitates privacy violations. But that is not how the cryptography works. It would be like thinking that E2EE may lose its essence of E2EE if the untrusted party stops caring about it: it cannot be, the whole point being that with E2EE you don't have to trust the untrusted party!


Sorry if I was unclear. My "race to the bottom" occurs because a privacy-preserving pass allows actors to hand out free passes to those the system is seeking to deny entry. E.g., an adult can generate valid keys and then publish them online for anyone to consume (or charge for them even).

My hypothesis is that this would lead to demands for policy changes to prevent that, which can realistically only be done via actual identification or hardware-based attestation (which is identification).

Does that seem wrong? If we didn't care if people could bypass the system, there is no reason to force even privacy-preserving barriers, since parents literally have all the tools necessary to deal with this now, from router guards, to parental controls on computers, to device enrollment for iPhone and Android systems.



