> "Privacy preserving age verification" is bullshit
it is possible if you accept that it only needs to be good enough
- it's fully okay if it can be deceived in all kinds of ways
- verifying only once per account is okay, if an adult passes their verified account to a child that's their responsibility
- legally not just forbid but criminalize (with required prison sentence) the storing of any data except "is adult yes/no" from an age verification process
- allow OS accounts to just tell applications (including websites) that "is 18", if an age verification was done in the account, also no signing or anything cryptographic, because again it's good enough, no need to protect it against hacking, the main responsibility still lies with the parents
so then you can do a single age verification per OS account, once, and be done with it
furthermore this verification could e.g. go through a process which might identify your identity but a) isn't allowed to pass anything but adult yes/no to anyone else b) isn't allowed to store that info c) storing it is on a "criminal liability" level where a CTO ordering data collection would go to prison
though if you live in a country where everyone has a passport with NFC chips (e.g. all of EU) just adding an "adult yes/no" function(1) to it + a transparent (open source, non profit) app per country to bridge it to accounts which need verification would do the job without needing the extra strict criminalize abuse part.
Which brings us to the main problem:
- requiring politicians to accept a "good enough" solution, accept that the main responsibility still lies with the parent
- politicians not abusing it to spy on their population
- make laws to prevent companies from abusing "age verification" to collect private data
and that seems indeed impossible
---
(1): Technically I think it does exist, somewhat, in many passes already. But practically it's not viable as it (I think) discloses too much information and has too many issues wrt. integrating it (wrt. certificate nonsense)
No cryptographic verification is required for content blocking. Make it easy to set up a slightly locked down "child" account (e.g. one behind a MITM proxy that only lets through HTTP(S) and blocks some domains) by requiring it from every OS vendor. Label existing devices/software without it "18+".