Where are these mythical sweet-spot solutions? Concretely, half the websites I visit from the UK want me to either scan my face or upload ID documents to access their full featureset. Now that users have been conditioned to accept this, nobody seems very interested in figuring out how to collect less PII - only insulating themselves from liability by having the data processed by a third party.
They don't exist because the organizations who lobbied governments were YOTI, Persona, K-ID and others who have a vested interest in collecting data and rent seek by latching through regulations like diseased ticks.
But some of the easiest middle ground solutions that solve 90% of the problem are things like simple math problems. Get asked "3+7" and that will pretty quickly filter out almost anyone under the age of 6. If you can accept that there are some smart 4 or 5 year olds who can do simple math, congrats you recognize there's a 10%.
> half the websites I visit from the UK want me to either scan my face or upload ID documents to access their full featureset.
what kind of websites are you visiting to get age checked on half of the sites you visit? i've only been asked to verify for dating apps and "sexy stuff". and i definitely don't spend 50% of my total browsing time on those sites.
maybe this says more about the kind of content/sites you're accessing if it is really as high as 50%? UK age verification mostly only applies to sites which might end up hosting the content quoted below.
> pornographic images, and content that encourages, promotes, or provides instructions for eating disorders, self-harm, or suicide.
or you're just being hyperbolic? 79% of statistics are made up, after all.
reddit.com, discord.app, google.com with safe-search off (This one works sometimes, they are A/B testing force-enabling safe-search for unauth'd sessions)
I don't use that; it's worse for your brain than any regulated substance. Kick your reddit habit while you can.
Google safe search: I've only seen this from my PAYG mobile phone, because I've never bothered to lift the adult content lock on that after more than a decade, and Google is the only place I've seen ask, actually. Even so it rarely happens.
Discord: the mere idea of being in an adult-content-related discord group is enough to make my skin crawl.
Worth noting that of these three, only one of them is a UK-only decision, as far as I am aware: Google Safe Search respects UK phone companies' default adult content block on PAYG. They are about the only company that does. Reddit and Discord have made this decision globally, have they not? Because there are US state laws too.
I'd also caution that Reddit can and will destroy a 10+ year account (erasing all submissions and comments) for no discernible reason with a quite-literally-broken appeals process.
Government builds a website where you can log in using any government issued ID or using one of the many many many available services that hold your details already(at least in the UK nearly everyone will have a DLVA account, HMRC account, HMPO account, NHS account.....all of these are government services which we can only assume hold our data securely already).
On that website, you can click "give me a verification code", it gives you a code that is single use and only valid 24 hours. You type that into whatever 18+ website you need to, they use a public API provided by the government to just check "yes this is a valid code and the user is 18" - bang, done, verified. The website knows nothing about you at all, except for the fact that you're 18.
In fact, the UK government ALREADY HAS THIS. For the EU settlement scheme, you can give your employeer(or anyone else who needs it) a special magic code that they type in on the government website, and it just says "yet his person has the right to reside in the UK" without spilling any of your personal information at all. The code is single use and valid a limited amount of time. And you can do the same with your driving licence, where anyone can verify you hold a valid licence without actually seeing it or any details on it.
Like, am I being stupid here? It seems like an almost trivial solution to the problem, especially given that it already exists for at least 2 services named above.
And yes, I know people will say "oh but that requires the government having this data on you, and that's bad" or "but then the government will know you've authenticated with pornhub!".
And yes, both of these are true - but on point 1 - like, I'd love some ideal situation where the government can simultaniously give me a passport or a driving licence AND not have any information about me at the same time, but that ain't happening, and on point 2 - yes, but that's still infinitely preferable to the current implementation, and it can be easily solved with legislation saying that the code authentication service doesn't log who requested verification, it just answers with yes/no and that's it.
Every time I search something, I open a fresh private tab and google it. If I want to turn safe-search off, I'd have to go through this code verification flow for every single search. Aside from just being annoying, they'd have to implement strict rate limiting to prevent automated code sharing, so I'd soon end up waiting for a rate limit to expire before I can search anything.
And "the government will know you've authenticated with pornhub" is extremely harmful, in my opinion.
I have personally had to remove NCII for teens and young adults. Grooming is a thing, self harm communities are a thing, as is sextortion.All of it at internet scale.
And this ignores the parts where the platforms released features they knew from their own tests, were harmful to teens.
It is convenient to dismiss them, because it makes it easier to hold positions that depend on them being minor harms.
> I have personally had to remove NCII for teens and young adults. Grooming is a thing, self harm communities are a thing, as is sextortion.All of it at internet scale.
And even 100% effective age verification will not make a dent.
> And this ignores the parts where the platforms released features they knew from their own tests, were harmful to teens.
Those features are also harmful to adults.
> It is convenient to dismiss them, because it makes it easier to hold positions that depend on them being minor harms.
It's convenient to blow things out of proportion if it helps you implement other changes you want like mass-scale tracking.
This means giving the government complete insight into your internet browsing. All they need to do is store a database table of handed out keys to ids.
>>This means giving the government complete insight into your internet browsing.
...how? All they know is you've authenticated with service X. And like I said, we can make legislation to say they are not allowed to keep the record of who authenticated.
Besides, let's not let perfect be the enemy of the good - in the UK all ISPs are required to keep a full year of your browsing history, and 17 government agencies can access this data(including DEFRA - the agriculture agency lol). So like....the "the government will have a full history of your browsing" is a ship that sailed a few years ago. Obviously I don't agree with it, and I think we should be on the streets of London and protesting this, but here we are as a country.
So like yeah, I get your point. But UK is particularily fucked on this point, let's not make it even more fucked with the way things currently are, the authentication can and should be done better.
Asking adults for beer doesn't scale, code sharing can. If you want to crack down on code sharing, you'd have to start surveilling who is signing up to what.
> If you want to crack down on code sharing, you'd have to start surveilling who is signing up to what.
Not at all. If you want to find who shares codes at scale, you just track that person. If someone sells hundreds of thousands of codes online, you can just buy one from them and you have proven that they do it.
Again, if age verification is honestly about helping the kids, I don't think it has to be 100% efficient.
> If you want to crack down on code sharing, you'd have to start surveilling who is signing up to what.
Why? One code for one user account per site. If you're paranoid about privacy rotate codes and accounts weekly. As long as you can purchase the codes with cash in IRL stores the privacy impact is minimal.
So this solution is fine for proving your immigration status, getting employment or renting a house, but it's not good enough for browsing porn(to be a tiny bit flippant)?
>>If you want to crack down on code sharing
Right now, all the kid has to do is grab their parents passport while they are not home or asleep, scan it on their phone and they are in. It takes 30 seconds.
With the codes they would either need to convince their parents to generate a code for them, or find someone online who will - which of these solutions seems less prone to abuse to you?
Again, let's not let perfect be the enemy of the good.
> but then the government will know you've authenticated with pornhub!
If you do your cryptography right, the government will not know that you've authenticated with pornhub. That's the whole goddamn point of privacy-preserving age verification.
It's possible for the government (or any entity, but when it comes to ID it feels natural that the government owns it) to verify your age (by verifying your identity) and give you a token that proves that you are above age, in such a way that the government cannot track you with this token and the website cannot identify you from this token.
With my implementation, the government revokes the code after it's been verified once. If you want to verify elsewhere, you need to request a new code.
How does that work with your implementation? A token given to you can be verified as legit by anyone using a public key, but there is no way to revoke it after a single use(because you have no way of knowing it's been used, by design).
The service (e.g. the porn website) keeps a list of used tokens and refuses to reuse them.
You can use the same token on multiple websites, but then you leak metadata. As for the age verification "protection", I don't think it makes it worse, given that anyway someone could get a token and give it to a kid.
Again, I don't think that the goal is to make it absolutely certain that no kid will ever access social media or porn. When you go to such extreme, you need dystopian technology and I don't think the juice is worth the squeeze.
My opinion is that age verification may (maybe?) be a tool to make it slightly more inconvenient for kids to access some services. But I am not completely convinced that it is always desirable. Instead of accessing a mainstream porn website, they may end up downloading random stuff from the internet, including malware and possibly violent porn, which is probably worse.
Social media is a real problem, but again... if a kid goes home and tell their parents that they are excluded because everybody else has TikTok, won't the parent get a token and install TikTok? Right now no parent wants their kids to use social media (or even have a smartphone), but they do it because all the other kids do, and kids need to conform.
Why does the government need to know what pages you visit? It could just encode a string representing the date and 'above 18' and sign it with its private key. PH then just needs to verify it using the public key.
Well the idea with the date/timestamp was that it would only be valid for X minutes, but if you are afraid that in the 10 minutes window it can be used multiple places you can add some salt to the process. PH pops up a page showing "Your secret word is: hamburgers. Provide access code below:". Age-verifier webpage asks for the secret word, and will create a json with "secret: hamburgers, claims: over_a18, date:2026..." and sign it with its private key, and this will be the code (encoded as a number). PH will verify that the code contains the secret "hamburgers", the claim and that its fresh enough (although this step is maybe not needed since it had the valid one-time secret).
there are thousands of comments on these threads every time it comes up. there's tons of what i consider reasonable solutions proposed. there's examples below, too, which don't require face scans.
>Concretely, half the websites I visit from the UK want me to either scan my face or upload ID documents
Privacy-wise I think they're completely acceptable, but in terms of circumvention I don't think the politicians will be satisfied. It's barely a step up from the "I'm over 18" buttons on websites.
>It's barely a step up from the "I'm over 18" buttons on websites.
i think its a pretty decent step up from that, but i know what you mean.
>I don't think the politicians will be satisfied.
and that circles back to my original point. the politicians aren't satisfied with a "mostly effective" solution (e.g. OS-enforced age attestation) as they are with literally every other law, and instead are taking advantage of the issue to justify mass surveillance.
I believe kids will always find circumvention pathways.
There is a signaling function these laws serve: things are the products we consider acceptable in society. We have these rules for cigarettes, booze, and vapes.
That said, privacy being sacrificed for signals, is an unacceptable trade, especially when better solutions can be crafted.
I'd consider this a feature. I'd be proud if my kids find a way to circumvent the parental controls on the family computer or use their own money to build their own computer like I did growing up. At that point they've earned the right to the full internet.
(However, I would not be willing to use any solution that sacrifices my or my kid's privacy.)