Again, this discussion is about the EU proposal, which explicitly does not connect your ID to everything you do. In facts it’s designed exactly to ensure that sites can verify you being over a threshold age without having any other knowledge about you. Have you read the EU implementation or are you conflating it with the US proposal?

I’ll talk to my researcher.

No that isn’t why.

There is no correlation between population density and broadband speed in the west.

I think we are veering off topic. I agree that pornography can degrade all genders, not just women, and that much of what appears degrading to an observer is actually just someone’s kink (and power to them).

That said, this is a slightly different discussion to age gating.

No definitely not. Smoking at 13 is obviously worse than watching a picture of a naked person. FWIW I grew up in the Nordics which very much has a culture of nakedness (children and old and young all shower in a shared space, all naked, for example). I don’t have a concern at all about nakedness and I agree finding a bag of damp porno mags in a shed is part and parcel of growing up in your teens. No concerns from me.

Having said that, I hope you also will agree that “a couple of titties” is not what most pornography online, today, actually displays. The vast amount of pornography degrades women, and a lot of it glosses over the very real power imbalances and subsequent abuses of a lot of vulnerable people. I haven’t got a single concern with what consenting adults choose to do together - if you’d like to dress in a plastic outfit and be spanked red, go for it! And seeing naked people in communal spaces (beaches, dressing rooms) is super helpful for your development and understanding of what “normal” is (beautiful, flabby, wrinkled, brown, pink, curly and all the wonderful sizes and shapes we all are). Count me in on nakedness!!

But I do have a concern with the adult industry as a whole and I seriously doubt that a 12 year old having unfettered access to what porn today actually portrays is helpful for that person’s development.

All that said, age gating and access to pornography is clearly not the same discussion.

Age gating is a discussion that fundamentally asks “ok, if we age gate products in the real world, like alcohol and tobacco and pornography, why don’t we also age gate it online?”.

If we decided not to age gate pornography - at least “soft pornography”(hard to define, but let’s pretend that we could), I’d be all up for not also age gating this online.

But if we, as a democratic society, decide that some things should be age gated, I’m all for also attempting - indeed ensuring - that these are age gated online.

Of course there a enormous risks of age gating online - I get that showing an ID to a shop keeper is a transaction that’s very hard to log and therefore track at large - that has to be adequately handled. Here, I believe the US proposal is atrocious and an enormous violation of privacy. But, genuinely, when you read the EU implementation, I do not have the same privacy concerns. Don’t forget the EU proposal is authored by the same bodies that forced GDPR onto the world (with ALL the good that this brought for ensuring our PII was protected). The EU isn’t perfect, but largely the EU is of, by and for the people, still, and our collective democracy, with all the faults that it has, is trying to balance all these concerns appropriately. I think the current implementation achieves the right balance and I am frustrated that many who are against the EU proposal haven’t actually read it, then equate it with the US proposal, which is fundamentally different, and equate the democratic EU with the plutocratic US. Like always in the US, almost everything degrades into “how can this make the rich richer”. That is, luckily, not yet the case in the EU.

Ok, but for what it’s worth, I’m only trying to defend the EU proposal. This discussion was about the EU proposal, from the very first OP. The US proposal, such as I understand it (I haven’t looked into it that much, since I don’t live there), seems a huge privacy risk that plays into the hands of corporations. No thanks.

In the EU system, you start with a verifiable online identity system. These differ from country to country but all perform the same task: They allow you to prove who you are.

So you go to an online portal and you log in, as you. This system issues you a set of tokens, which does not hold your PII. They solely say “This person is over 18”. If you want a token to say “this person is over 13”, you need a different token. A token is a number that has been signed by the issuing authority in a way that can only be done by the issuing authority. You store these tokens, encrypted, in your age verification app.

Now IF the issuing authority stored “I issued token X to person Y” we would have a huge problem. They don’t. All they do is store “this token was issued”. If they chose to store that a specific token was issued to a specific person, they could track what sites you used the tokens at. So you have to trust your state here, just like you have to trust them not to access your phone records, or your credit card transactions or which mobile mast your phone logs on to.

You proceed to a site that requires an age gate. You are presented with QR code, which you scan with your age verification app (the one that stores the age verification tokens). This QR code contains a URL that holds the verification attempt ID (created by the gater) and your app now connects to this URL (be advised this URL is not the URL of the gater, but of a third party gating service) and sends one of your verification tokens. The third party verification service checks this with the issuing authority and confirms it is a valid token, then retires it if it is. The third party service now calls to the gater and says “this verification attempt has indeed proven their age”.

The gater then lets you proceed.

Throughout this attempt the only place that can be hacked to reveal your PII would be the issuing authority - no other services knows anything about you. What a hacker would have to do is insert code that captures the issuing of tokens and somehow grabs your PII at tha time. But what’s important to understand is that the issuing service also doesn’t know who you are, because they don’t store all your PII when they issue your tokens - they just have the required information about you from the identity service you used to log in (chiefly your age). So even if a hacker got in here, they couldn’t grab who you were, merely when you were born).

Many security experts have analysed this flow and supported it. I myself cannot see what a hacker could really do here. So, in this case, specifically for the EU system, which this post was about, I am willing to accept that the advantages of not having minors access tobacco, alcohol or age gated media far outweighs the privacy risks.

I’d love to engage in this. Before we do that, please can we be clear if we are talking about the EU system, or the USA-proposed OS-based system? Given they are not the same, the reactions to these two systems have also not been the same.

The EU age verification system, of which I’m talking and of which the OP was about, is not baked into the OS. That might be the case in the US. I’m lucky I don’t live there. And this discussion here is about the EU system, not the US one.

Your ISP has a record over every single website you’ve visited and your payment provider knows 99% of all purchases you’ve made and your phone knows where you’ve been at all times. Your threshold for having to trust that laws prevent wanton use of all this information doesn’t shift with anonymous age gating.

Frankly the concerns you display in the post reveal to me that you’ve not spent a great detail looking into what’s actually being proposed.

I don’t have to give up any rights for age gating to work anonymously and properly. Neither do you.

So you’re not sure what Google can and can’t track and you have no evidence, and the specification for the system is available online, which you seemingly haven’t read, but you’re just generally “worried” without citing specific evidence.

Where have you read that this is about checking everyone’s ID?

They are specifically building an anonymous system for verifying age required to buy to products and access media that we already check ID for (not anonymously, but distributed) in physical stores.

Most countries don’t have age gates for accessing social media and, under the EU system proposed for the EU, if they did, this system is exactly providing a method of verifying a user’s age without knowing who the user is. So it’s literally the opposite of what you claim it to be.

Most of what you’ve said is blatantly not true. Google (let’s use them instead of Apple here) can of course track your app use if the app uses Firebase or the Adds SDK - which clearly a verification should never do.

But Google doesn’t have the ability to see what you do inside of an app that aren’t voluntarily sending telemetry to Google. If you have proof that they do, please present it.

Which goal posts have I moved?

The architecture for Zero Knowledge Proofs is not novel and well understood.

You prove your identity to the issuer of tokens. They issue you a set of signed tokens that only they could have signed. You issue one of these tokens and a nullifier to a location that needs to verify your age. The verifying location checks the signature and lets you in. They return the nullifier to the token issuer.

The issuer can OF COURSE verify that you’ve used your tokens if they store the tokens they issue. You do have to trust your government for this system to work. But you already trust your government not to mass-surveil you through your ISP, mobile phone provider and credit card spend. This doesn’t increase your defend surface.

A cinema screening is not a physical good. Yet we still age gate it.

Ok, so it’s about Google and Apple accounts.

When you say “Google butting in” can you be more specific about what it is you believe Google tracks in an app they haven’t made themselves but only ingested in their store? Is it your belief that Google tracks all app interactions even in apps without firebase or Google Ads SDK?

Ok, so it’s the slippery slope fallacy.

But that slippery slope, which it sounds like you believe us to be on, also applies to phone location tracking, credit cards payments, mobile phone train tickets, smart homes, smart cars, home CCTV etc etc.

Do you leave your phone at home, always pay with cash, don’t use any apps? Most people do these things on the basis that the government doesn’t wantonly have access to what we’ve bought online. Why is age gating so different?

Of course things can break and something might be able to refer back to you, until it gets fixed.

But if your argument is that “the standard is fine, but something might not quite work”, then the same argument applies to your phone’s location tracking, your debit/credit payments etc. The vast majority of us happily use systems on the basis that they are secure, until they’re not, and then things get fixed.

Your argument has to apply evenly.

But have you read the EU standard? Anonymity is a requirement. There is no tracking. The age check does not refer back to you. Indeed, it cannot.

You can of course believe that the legal requirements aren’t adhered to and that the state is actually lying, but if you believe that the state already has a million ways to track you, including 99.9999% of us who carry our phones around with us and pay with credit cards in physical stores.

But let’s separate the technical/privacy discussion of age gating from the discussion about age gating social media platforms.

If I go to a Scottish distillery website and buys chocolate, they are not going to age gate me. If I buy whisky they will. That’s not age gating at the door, that’s age gating for a specific product that we, our democratic society, have decided, through democratic means, should not be available to minors.

Regulating social media age gating is a different discussion altogether. The discussion is about whether we want to be able to anonymously check (again, the EU standard requires anonymity) someone’s age online.

I’m sorry, but have you read the technical documentation? The design is intentional created this way to avoid tracking.

You are issued a set of ZKP tokens that you hand back to websites. They cannot correlate these tokens back to you, nor can the operator of the system.

Now they could lie, of course, and violate the design (but being open source that’s a little harder), but if the government wanted to secretly track you, much more precise tools exist for this already.