| ▲ | antitoxic 6 hours ago |
| I work at a European identity wallet system that uses a zero knowledge proof age identification system. It derives an age attribute such as "over 18" from a passport or ID, without disclosing any other information such as the date of birth. As long as you trust the government that gave out the ID, you can trust the attribute, and anonymously verify somebodies age. I think there are many pros and cons to be said about age verification, but I think this method solves most problems this article supposes, if it is combined with other common practices in the EU such as deleting inactive accounts and such. These limitations are real, but tractable. IDs can be issued to younger teenagers, wallet infrastructure matures over time, and countries without strong identity systems primarily undermine their own age bans. Jurisdictions that accept facial estimation as sufficient verification are not taking enforcement seriously in the first place. The trap described in this article is a product of the current paradigm, not an inevitability. |
|
| ▲ | EmbarrassedHelp 5 hours ago | parent | next [-] |
| According to the EU Identity Wallet's documentation, the EU's planned system requires highly invasive age verification to obtain 30 single use, easily trackable tokens that expire after 3 months. It also bans jailbreaking/rooting your device, and requires GooglePlay Services/IOS equivalent be installed to "prevent tampering". You have to blindly trust that the tokens will not be tracked, which is a total no-go for privacy. These massive privacy issues have all been raised on their Github, and the team behind the wallet have been ignoring them. |
| |
| ▲ | hiciu 3 hours ago | parent | next [-] | | > EU's planned system requires highly invasive age verification EUDI wallets are connected to your government issued ID. There is no "highly invasive age verification". We are literally sending a request to our government's server to sign, with their private key, message "this john smith born on 1970-01-01 is aged over 18" + jwt iat. There are 3 claims in there. They are hashed with different salts. This all is signed by the government. You get it with the salts. When you want to prove you are 18+ you include salt for the "is aged over 18" claim, and the signed document with all the salts and the other side can validate if the document is signed and if your claim matches the document. No face scanning, no driver license uploading to god-knows-where, no anything. > to obtain 30 single use, easily trackable tokens that expire after 3 months This is the fallback mechanism. You are supposed to use bbs+ signatures that are zero knowledge, are computed on the device and so on. It is supposed to provide the "unlinkability". I don't feel competent enough to explain how those work. > jailbreaking / "prevent tampering" This is true. The eidas directive requires that secret material lives in a dedicated hardware / secure element. It's really not much different than what a banking app would require. > You have to blindly trust that the tokens will not be tracked This is not true, the law requires core apps to be opensource. Polish EUDI wallet has been even decompiled by a youtuber to compare it with sources and check if the rumors about spying are true. So you can check yourself if the app tracks you. Also we can't have a meaningful discussion without expanding on definition of "tracking". Can the site owner track you when you verify if you are 18+? Not really, each token is unique, there should be no correlation here. Can the government track you? No, not alone. Can the site owner and the government collude to track you? Yes they can! Government can track all salts for your tokens, site can collect all salts, they can compare notes. There are so called policy mitigations currently: audits and requirements for governments to remove salts from memory the moment stuff is issued. Can they lie? Sure. Can the site owner and the government collude to track you if you are using bbs+? No. Math says no. Can they lie if you are using bbs+? Math says no. | | |
| ▲ | EmbarrassedHelp 3 hours ago | parent | next [-] | | > This is not true, the law requires core apps to be opensource. Polish EUDI wallet has been even decompiled by a youtuber to compare it with sources and check if the rumors about spying are true. So you can check yourself if the app tracks you. The "open source" apps connect to proprietary backends run by a third party that you have to blindly trust. If EUDI wallets were truly open source and free from blindly trusting any authority, then you could simply remove that requirement and issue your own tokens without the use of potentially malicious third party. | | |
| ▲ | hiciu 3 hours ago | parent [-] | | > issue your own tokens I mean, you can. It's like with TLS certificates. The standard is there. The code is there. You can issue your own. The question is, who will trust you? | | |
| ▲ | summm an hour ago | parent [-] | | It is not at all like TLS. With TLS you at least can get your own certificate signed by an official CA, and use that private key on whatever system you want. | | |
| ▲ | hiciu 8 minutes ago | parent [-] | | It is literally TLS in a trench coat with some json sprinkled on top. Where I think we are not in agreement the question of "who to trust" and "for what purposes". Are you going to trust me when I tell you that I'm over 18 if I provide you with the document signed by my cousin, Honest Ahmed? Are you going to trust me when I show you the document signed by my government? (this is the trick question, you don't have a choice, law says you must; there's a list of who you need to trust and for what purposes; like a certificate root store in your browser) |
|
|
| |
| ▲ | summm an hour ago | parent | prev | next [-] | | > jailbreaking / "prevent tampering" Now your EU government requires you to have an unmodified Google or Apple device to use any age restricted services. Cementing the US mobile OS duopoly and locking out any free systems and desktop etc. forever. Any governmental service taking part in this is a violation of civil rights and even if you don't care about those, maybe you care about digital sovereignty. This is so lightly handwaved away, almost as if attention needs to be drawn away. By the looks of this I'd say the end of general computing might be the actual goal, and all the age verification is just yet another "think of the children" pretense? | |
| ▲ | donmcronald 25 minutes ago | parent | prev [-] | | > We are literally sending a request to our government's server to sign, with their private key, message "this john smith born on 1970-01-01 is aged over 18" + jwt iat. There are 3 claims in there. They are hashed with different salts. This all is signed by the government. If the "18+ claim" can't be linked to your identity and doesn't have any rate limits, someone can set up a token-as-a-service to sell tokens on the black market. > Government can track all salts for your tokens, site can collect all salts, they can compare notes. There are so called policy mitigations currently: audits and requirements for governments to remove salts from memory the moment stuff is issued. > Can the site owner and the government collude to track you if you are using bbs+? No. Math says no. How does the math say no? Big tech companies already log absolutely everything. What's going to stop the government from keeping all the salts they're issuing and then mandating that site operators add the salts to their existing logs? > Can they lie? Sure. Well, they've lied to us over and over when it comes to surveillance, so I think at this point it's reasonable to assume they're lying unless it's technically impossible. Where's the in-person key verification that used to be in Whatsapp? How do the authorities get notified when someone makes a poorly thought out joke using Snapchat private messages before getting on a plane? Why is there a war on end-to-end encryption? We're going to pay a fortune for these supposed zero knowledge systems and that's what it's about. Select companies are going to get paid to issue tokens and the scale is going to create a few new billionaires. The people in charge are going to gain a ton of power when they betray everyone and disenfranchise us. |
| |
| ▲ | Aurornis 4 hours ago | parent | prev | next [-] | | Thanks for posting this. The inherent problem with all zero knowledge identity solutions is that they also prevent any of the safeguards that governments want for ID checking. A true zero knowledge ID check with blind signatures wouldn't work because it would only take a single leaked ID for everyone to authenticate their accounts with the same leaked ID. So the providers start putting in restrictions and logging and other features that defeat the zero knowledge part that everyone thought they were getting. | | |
| ▲ | hiciu 3 hours ago | parent | next [-] | | > A true zero knowledge ID check with blind signatures That is not true and "true zero knowledge ID check" + "age verification" with blind signatures is what's being implemented by the EU ID project. So someone's id leaks. It happens. In EUDI there are things called "cryptographic accumulators of non-revocation proofs". If your ID leaks it goes into the accumulator. Similar to the certificate revocation lists. During check, you include claims "im over 18" and "my id is not in the accumulator". This is included in the standard. This is also (I can only assume) one of the reasons why EUDI wallets require play integrity / attestation / secure element on the device. So your private key won't be easily leaked and no one can steal your ID. | | |
| ▲ | Aurornis an hour ago | parent [-] | | You're assuming the leak was accidental, the person knows about it, and they didn't intend for others to use it. What happens when someone sets up a marketplace where people can sell those blind signatures using their ID for $2 each? And then kids just pay $2 to have someone else blindly use their ID to validate the account, because supposedly the system is structured so that nobody can tell which ID was used or tie it back to the account? | | |
| ▲ | hiciu an hour ago | parent [-] | | That's where the google play integrity / attestation comes into the effect. In theory you cannot export your private key from the device (from the secure element), so for each $2 someone would have to quickly unlock their phone, scan code via the app and so on. |
|
| |
| ▲ | dogcomplex 3 hours ago | parent | prev | next [-] | | This specific problem is solved by requiring that any anonymous ZK ID once used for an account be marked on an immutable ledger preventing multiple uses of the same ID. Sharing it would be pointless as multiple attempts to use it get burned. Yet none of those sites know who you are, only that you have a unique valid ID pass. They just have to check any login attempts against that ledger - easy enough. | | |
| ▲ | donmcronald 14 minutes ago | parent [-] | | > They just have to check any login attempts against that ledger - easy enough. So like CT logs, but several orders of magnitude bigger? I thought centralized TLS revocation lists failed due to scale. How will this differ? |
| |
| ▲ | jajuuka 3 hours ago | parent | prev [-] | | I mean that's kind of a problem with ANY solution. There will be workarounds and ways to break it. There is no perfect solution outside someone standing over you while on the internet. We need to look at this more like age checks on porn sites and gaming platforms where you just put in a birthdate. Obviously someone can lie, but that point isn't to be a perfect wall but a hurdle to clear to make sure users are aware of the content and that any sort of nanny software to block if set up. | | |
| ▲ | Aurornis 3 hours ago | parent [-] | | > I mean that's kind of a problem with ANY solution. There will be workarounds and ways to break it. That's unnecessarily reductive. Yes, every solution will have problems, but not all solutions have similar problems. If a solution has problems such that it can be immediately reduced to security theater and bypassed by any teenager who cares, it's just extra hassle and privacy degradation for the rest of us. These details matter. If a weak solution is regulated into law and the government discovers kids are easily bypassing it, they will immediately pivot into requiring more restrictions on it. | | |
| ▲ | jajuuka 2 hours ago | parent [-] | | Extra hassle is manageable. Sites or programs that want you to put in a birthday are extra hassle but objectively better than something like submitting an ID. Privacy degradation is also manageable as well. It just depends on the solution. We've had decades of age gating being "are you 18+ or not" yet it is only now that talks of something more enforceable are coming up. This discussion is largely about how one can create a sense of safety and protection. For the more extreme end it's face scans and submitting ID. Even though these are bypassed by any teenager who cares they are still being pushed seriously because it instills that sense of safety and protection for children. Security theater is just a part of managing the internet and not going away unfortunately. |
|
|
| |
| ▲ | chrishare 3 hours ago | parent | prev [-] | | Link? | | |
|
|
| ▲ | donmcronald 4 hours ago | parent | prev | next [-] |
| > It derives an age attribute such as "over 18" from a passport or ID, without disclosing any other information such as the date of birth. How? If it’s analyzes my ID 100% client side I can fake any info I want. If my ID goes to a server, it’s compromised IMO. I think the zero proof systems being touted are like ephemeral messaging in Snapchat. That is, we’re being sold something that’s impossible and it only “works” because most people don’t understand enough to know it’s an embellishment of capabilities. The bad actors will abuse it. Zero proof only works with some kind of attestation, maybe from the government, and there needs to be some amount of tracking or statistics or rate limiting to make sure everyone in a city isn’t sharing the same ID. Some tracking turns into tracking everything, probably with an opaque system, and the justification that the “bad guys” can’t know how it works. We’ve seen it over and over with big tech. Accounts get banned or something breaks and you can’t get any info because you might be a bad guy. Does your system work without sending my ID to a server and without relying on another party for attestation? |
| |
| ▲ | myrion 3 hours ago | parent | next [-] | | There's no dynamic analysis done, necessarily. In the Swiss design, fex, SD-JWTs are used for selective disclosure. For those, any information that you can disclose is pre-hashed and included in the signed credential. So `over_18: true` is provided as one of those hashes and I just show this to the verifier. The verifier gets no other information than the strictly necessary (issuer, expiry, that kind of thing) and the over 18 bit, but can trust that it's from a real credential. That's not strictly a zero knowledge proof based system, though, but it is prvacy-preserving. | |
| ▲ | bitmasher9 4 hours ago | parent | prev | next [-] | | Attestation from government sounds like the ideal solution. This could actually provide _more_ privacy because we can begin using attestation for things we currently use IDs for such as “Has the privilege of driving a car” or “Can purchase alcohol” | | |
| ▲ | Aurornis 3 hours ago | parent [-] | | Amazing how fast these systems go from "zero knowledge" to "route the request through the government system every time you use your ID" | | |
| ▲ | hiciu 2 hours ago | parent [-] | | there is no "route the request through the government system every time you use your ID". you get your sd-jwt document signed once and you reuse it for like 30 days or so. | | |
| ▲ | summm an hour ago | parent | next [-] | | Technically, if your phone needs to be remote attested, it can be considered a government system, not a user's system. | |
| ▲ | Aurornis 2 hours ago | parent | prev [-] | | I was responding to the comment above mine, which was calling for attestation from the government for specific privileges. > you get your sd-jwt document signed once and you reuse it for like 30 days or so So it still gets routed through the government once a month if you plan on using it. | | |
| ▲ | hiciu 2 hours ago | parent [-] | | Yes we are still talking about attestation from the government for the specific privilege part. You get your document with fields like "can drive", "is over 18" and so on. It's valid for some time; physical ID is valid for like 10 years and then you have to get a new document, this digital one is valid for lets say 30 days and if it expires you get a new one. Then you present only those fields you want, when you want, without anyone talking to the government at all. All the other party needs to check is "is the document valid" and "do presented fields match the document". Like checking a tls certificate for a given domain name or purpose. Strictly speaking there is no "routing through the government" of any information. The government just "issues a certificate" valid for X days without knowledge with whom, how or when you are using it. | | |
| ▲ | Aurornis an hour ago | parent [-] | | > Strictly speaking there is no "routing through the government" of any information. The government just "issues a certificate" valid for X days without knowledge with whom, how or when you are using it. I don't understand how you keep claiming there is no "routing through the government" right next to your explanations that the government is the one providing the documents every 30 days. Obviously something in the document is tied to your ID and the government has mechanisms to revoke it. No matter how many layers you put on top of that, this all has to come back to the government's control. I understand that the salts can be sent to 3rd party websites. However there's obviously a reason that those are only valid for 30 days instead of indefinitely. | | |
| ▲ | hiciu 39 minutes ago | parent [-] | | Yes, something in the document is tied to my ID. There's my name in there for example :). I don't have to share that information, because what government signed is a uniquely salted hash of my name and passed the salt to me. If I choose to share that salt, and provide my name, someone could hash all that information and compare it to the government-issued document to verify if my name really is john smith (or if my claim "I'm over 18" is valid). If I don't, they have no way of knowing. > no "routing through the government" > government is the one providing the documents I'm also lost. I mean, this is the government issued ID we are talking about, right? How are you expected to get it if not from the government? "Are you over 18" claim is part of that government issued ID. They don't have to know which sites or when you are visiting, but they do have to issue you the document. (To be clear, there are also other options, it doesn't have strictly to be government; for example banks around here can provide ID documents - for their clients. There's a list of who is trusted for what https://eidas.ec.europa.eu/efda/trust-services/browse/eidas/...). > However there's obviously a reason that those are only valid for 30 days instead of indefinitely. It's the same reason why we prefer tls certificates with short lifespans. |
|
|
|
|
|
| |
| ▲ | runako 4 hours ago | parent | prev [-] | | > If it’s analyzes my ID 100% client side I can fake any info I want. If my ID goes to a server, amplifying your point, there is effectively no way for the layperson to make this distinction. And because the app needs to send data over an encrypted channel, it would be difficult at best for a sophisticated person to determine whether their info is being sent over the wire. |
|
|
| ▲ | uniq7 5 hours ago | parent | prev | next [-] |
| In your system, can companies verify age offline, or do they need to send a token to the Government's authority to verify it (letting the Government identify and track users)? Switzerland is working on a system that does the former, but if Government really wants to identify users, they can still ask the company to provide the age verification tokens they collected, since the Government hosts a centralized database that associates people with their issued tokens. |
| |
| ▲ | tgsovlerkhgsel 4 hours ago | parent | next [-] | | Aren't the companies also expected to do revocation checking, essentially creating a record of who identified where, with a fig leaf of "pseudonymity" (that is one database join away from being worthless)? | | |
| ▲ | myrion 3 hours ago | parent [-] | | The revocation checking is implemented in a way where the government doesn't know who you checked and you can even cache the information (if that's good enough for you) so they won't notice at all. |
| |
| ▲ | myrion 3 hours ago | parent | prev [-] | | That assumes the companies store the individual tokens, as does the government. Neither of which are part of the design, but could be done if both sides desired it. The Swiss design actually doesn't store the issued tokens centrally. It only stores a trust root centrally and then a verifier only checks the signature comes from that trust root (slightly simplified). | | |
| ▲ | uniq7 5 minutes ago | parent [-] | | If companies are required to verify age, then it's in their interest to store all tokens, just in case they are ever accused of not verifying it. The Swiss E-ID system stores people identifiers and token status lists in their so-called "Base Registry". From https://swiyu-admin-ch.github.io/technology-stack/#credentia... > Decentralized Identifiers (DID) developed by the W3C represent an identifier standard that provides a subject-controlled method for identifying individuals, organizations, or objects online. In the swiyu Trust Infrastructure, DIDs are utilized as a standard identifier for issuers and verifiers. They are centrally hosted on the swiyu Base Registry. > In this protocol, the trusted authority issues certifications (“trust statements”) concerning the identity (i.e., who is the real-world identity controlling a DID) and legitimacy (i.e., who is allowed to issue or verify credentials of a specific VC schema) about an entity as SD-JWT VC and publishes these trust statements in the trust registry. > Token Status Lists are signed, maintained and published by the credential issuers but hosted on the Base Registry. |
|
|
|
| ▲ | agentifysh 4 hours ago | parent | prev | next [-] |
| this is slightly better but not the hero we want or need. zeero knowledge proofs are improvement over uploading raw documents, trust is still an issue here. why should users have to authenticate with a government-backed identity wallet to access platforms to play games or access a website in the first place. we didnt have any of these guards in the 90s and early 2000s and everybody turned out just fine . in fact the average gen z is in a lot worse place than we used to be despite that we had complete raw algorithm supervision free access to the internet with far more disturbing content (remember ogrish and KaZaA) The average person does not understand the math behind zero-knowledge proofs. They only see that state infrastructure is gatekeeping their web access. Furthermore, if the wallet relies on a centralized server for live revocation checks, the identity provider might still be able to log those authentication requests, effectively breaking anonymity at the state level. On a practical level, this method verifies the presence of an authorized device rather than the actual human looking at the screen. Unless the wallet demands a live biometric scan for every single age check, they will simply bypass the system using a shared family computer or a parent's unlocked phone. We used to find our way around any sort of nanny software (remember net nanny) what you are describing still remains a bubble and I really hope Americans aren't looking at EU for any sort of public policy directions here. |
| |
| ▲ | SiempreViernes 2 hours ago | parent [-] | | > we didnt have any of these guards in the 90s and early 2000s and everybody turned out just fine One of the most highly valued tech companies of today makes a software that sometimes talks its user's into killing themselves. Some guy put "uwu notices bulge" on a bullet casing and shot Charlie Kirk: things turned out fine indeed. | | |
| ▲ | ajsnigrutin an hour ago | parent [-] | | People killed both themselves and others way before the internet even existed. Requiring everyone to show their id on every website will not change that. It will limit free speech though. |
|
|
|
| ▲ | dogcomplex 3 hours ago | parent | prev | next [-] |
| Correct. A ZK Proof backed identity system is a significant bump up in both privacy and security to even what we have right now. Everyone does realize we're being constantly tracked by telemetry, right? A proper ZK economy would mitigate the vast majority of that tracking (by taking away any excuse for those in power to do so under the guise of "security") and create a market for truly-secure hardware devices, while still keeping the whole world at maximal security and about as close to theoretical optimum privacy as you're going to get. We could literally blanket the streets with cameras (as if they aren't already) and still have guarantees we're not being tracked or stored on any unless we violate explicit rules we pre-agree to and are enforceable by our lawyers. ZK makes explicit data custody rules the norm, rather than it all just flowing up to whatever behemoth silently owns us all. |
|
| ▲ | nemomarx 6 hours ago | parent | prev | next [-] |
| This is true, but I think it's more that those jurisdictions don't actually care about something solving this securely so much as they want face scans for other purposes? |
|
| ▲ | dom96 5 hours ago | parent | prev | next [-] |
| That's really awesome. I hope that soon we will also have humanity verification without sacrificing our anonymity. With LLMs and paid actors wreaking havoc on social media I do think that social media needs pivot towards allowing only human users on it. I wrote about this here: https://blog.picheta.me/post/the-future-of-social-media-is-h... |
|
| ▲ | viktorcode 4 hours ago | parent | prev | next [-] |
| I have a few questions. In that system does the age verification result come with some sort of ID linked to my government issued ID card? Say, if I delete my account on a platform after verifying and then create a new one, will the platform get the same ID in the second verification, allowing it to connect the two and track me? Or is this ID global, potentially allowing to track me through all platforms I verified my age on? What a verification process looks like from the user perspective? Do I have to, as it happens now, pull out my phone, use it as a card reader (because I don't have a dedicated NFC device on my computer), enter the pin, and then I'll be verified on my computer so I can start browsing social media feed? Or, perhaps, you guys have come up with a simpler mechanism? |
| |
| ▲ | myrion 3 hours ago | parent [-] | | In the Swiss system, it depends on what they verified. If they required your full ID, that has a document number like a passport and they could track that. If they did the right thing and only asked for the over 18 bit, then they wouldn't have a trackable identifier. |
|
|
| ▲ | Terretta 5 hours ago | parent | prev | next [-] |
| Not only EU -- Digital ID on iPhone does this today, and is accepted by many USA airports for travel, etc., with rollout for DLs. |
|
| ▲ | gigel82 5 hours ago | parent | prev | next [-] |
| Where can we learn more about your architecture? Someone brought up the need for device attestation for trust purposes (to avoid token smuggling for example). That would surely defeat the purpose (and make things much much worse for freedom overall). If you have a solution that doesn't require device attestation, how does that solve the smuggling issue (are tokens time-gated, is there a limit to token generation, other things)? |
| |
| ▲ | chrishare 4 hours ago | parent [-] | | It's this I believe: https://www.w3.org/TR/vc-data-model-2.0/ | | |
| ▲ | gigel82 3 hours ago | parent [-] | | A Verifiable Credential fundamentally doesn't solve the problem of "sharing", "smuggling". All it takes is one verified adult to "leak" their VC somewhere, and millions of underage people would be able to use it to "prove" they are over 18. This would only work with something like MS TPM 2 / Apple Secure Enclave (device attestation), which is anti-freedom by design. I was curious if they found a way around that (maybe with time/rate limits, or some actual useful use of blockchain tech). |
|
|
|
| ▲ | brunoborges 6 hours ago | parent | prev [-] |
| Yeah, but how to convince investors that trusting the government-issued ID is good enough? /s |
