Remix.run Logo
Aurornis a day ago

This comes up on every single HN thread about the topic, but I don’t understand how people aren’t seeing the obvious abuse angle:

Create a market for anonymous age verification tokens. People pay $5 to someone to create an age authorization for them. 17 year old kid (who is old enough under this law) spends all day creating anonymous age auth tokens to sell to people who want them.

Entire system subverted with profit motive.

The next phase of the argument is to argue for rate limiting or extra logging, but the more you force that the more you degrade privacy or introduce unreasonable restrictions. “Sorry, I can’t sign up for the wiki today because I already used my quota of 2 government age checks today”. Still leaves plenty of room for 17 year old kids to earn $10 a day farming out their age checks.

The entire argument that anonymous crypto primitive will solve this problem is tiresome.

pimterry a day ago | parent | next [-]

The same applies to effectively all possible solutions for age verification, no?

Even if you have a perfect mechanism, 17 years old can create real age-verified accounts and then sell the username and password afterwards. Selling age-verification tokens directly would likely be harder than just swapping those login details, since it's very easy to make the tokens time-limited (in practice normal use would probably be some kind of oauth-style redirect flow, so they'd really only have to be valid for a few seconds).

This same argument applies to adults buying alcohol for teenagers too. The determined teenager with money can definitely find a way to get alcohol, but it doesn't mean the age restrictions on purchases are pointless.

Imo it's a bit pointless to worry about high-speed black markets trading in signed tokens when the current most common alternative is a popup with an "I promise I am over 18" button. If society agrees some things should be difficult to access if you're underage, then we can definitely do better than that as a solution.

raxxorraxor 13 hours ago | parent [-]

I can buy booze without an ID or token. You have to match that. And yes, I look perfectly youthful...

illiac786 15 hours ago | parent | prev | next [-]

Germany has a system in their ID cards that allows anonymous age verification. No one uses it but it’s a technical marvel in my opinion.

The site asks for specific read permissions and the user can decide if he wants to grant them.

One of these permissions is age verification.

You put the phone on the ID card and there is a cryptographic proof that the user connecting to the site is in possession of an ID of a person above 16 (which he of course could have stolen).

So it is technically totally feasible to have good data privacy AND age verification.

raxxorraxor 13 hours ago | parent | next [-]

It isn't a technical marvel, it is technical bureaucracy. There is a reason people don't want to use it.

Also once implemented and widely adopted, the state would obviously increase demands on usage. This isn't rocket science.

I understand the cryptographic principle. That isn't the problem here.

illiac786 13 hours ago | parent [-]

yeah, “technical” is not the right adjective, rather the marvel (to me) is the fact that a government managed to deploy a privacy friendly electronic ID system based on sound cryptographic principles.

it’s a marvel because, well, as you put it, there’s all this bureaucracy and when I first discovered it was implemented and every single new electronic ID has this capability since a couple of years, my jaw dropped.

But fully agree the process and the backend itself are not very usable at the moment.

Maybe my expectations around government digitization are too loo though.

biztos 9 hours ago | parent | prev [-]

It's hardly an age verification if it just requires the bearer to have an adult's ID card.

You borrow your friend's card, or you "borrow" your parent's card, or you pay someone who sees this market opportunity.

I think it's ridiculous how the lawgivers are telling the companies to just nerd harder, but they're definitely going to have to nerd harder than that.

illiac786 5 hours ago | parent [-]

I think it’s better than transmitting everything including the biometric picture and requiring the camera to be on.

How would you implement age verification?

interactivecode a day ago | parent | prev [-]

this is the same argument as "why have government id cards, someone could just use a fake beard and use their older classmates id". Any system allows for some gaps, similar to how creditcard transactions make transactions safer but on either side of that transaction there some "insurance" and some leeway if someone really wanted to.

dghlsakjg a day ago | parent | next [-]

The difference is that I can’t mint infinite ID cards, and it is much harder to get a skeptical person to accept a photo ID of the wrong person.

pas a day ago | parent [-]

in person? sure, that's harder, but we're talking about online services, right?

many times verification is simply uploading a photo, GenAI can make a nice fake ID.

are these id verification sites linked to government databases? for usual KYC it's enough to save the photo and do the minimal sanity check, no need to phone home an ask Big Brother.

raxxorraxor 13 hours ago | parent | prev [-]

> why have government id cards...

...for the internet is a perfectly sane question. There are good reason we don't have those as well and these reason vastly outclass ineffective user protections.