We all know “proof of age” or “age verification” is synonymous with mass surveillance, but the words “proof of age” were cleverly chosen so the average person considers it the same as showing another person a driver’s license. Unnecessary or otherwise, it’s only a minor inconvenience. And there is no harm to privacy.
So what should we call “proof of age” or “age verification” which is just as punchy, but communicates the real intent? How can we subvert this attack on our rights by turning these twisted words against themselves?
In the EU the legal framework requires a ZKP implementation. Laws would be broken if traceability was introduced.
what prevents you from leaking your token on the internet, so everyone can use it? it has to be revokable somehow. to be revokable it has to be correlatable, so you can tell where the same token is used across multiple sites. which leads to easy deanonymization.
ZKP is window-dressing. it’s still a major privacy intrusion. don’t fall for it.
(also, it paves the way for lgbt issues, sex ed, harm reduction and activism to be censored behind the 18+ barrier, but that’s a different matter.)
You have to trust someone.
And I can’t speak for all the implementations around the world. But I can speak for the Danish one. Or at least what the design is intended to be right now.
The Danish verification tokens are single use. Yes they get checked against a database, centrally, but that database doesn’t hold any information about who the token was issued to, just whether it’s a valid token that hasn’t been used before.
So your digital wallet holds a set of single use tokens. You have to log in using MitID (central government system for proving your identity online), then your wallet is issued age proofing tokens which you then hand over to the website to prove your age.
So there are a million ways that COULD be abused, just like there are a million ways your bank could abuse the information it holds about you. In both cases, laws require that neither abuse their privilege.
You have to trust someone. Or live as a hermit.
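Added example, not part of the thread and not the Danish system's code: a sketch of how single-use tokens like those described above can be checked against a central registry that stores no identity, assuming issuance uses RSA blind signatures (the thread does not say which mechanism the design uses). The class names and the toy key are hypothetical.

```python
import hashlib
import secrets

# Toy RSA key built from two Mersenne primes (constructed; far too small for real use).
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent

def h(token: bytes) -> int:
    """Hash a token to an integer below N."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N

class Issuer:
    """Knows who logged in, but only ever sees and signs blinded values."""
    def __init__(self):
        self.log = []  # (user, blinded value) pairs: all the issuer can record
    def sign_blinded(self, user, blinded):
        self.log.append((user, blinded))
        return pow(blinded, D, N)

class Wallet:
    """Creates tokens locally and has them signed without revealing them."""
    def __init__(self, user):
        self.user = user
    def get_token(self, issuer):
        token = secrets.token_bytes(16)
        r = secrets.randbelow(N - 2) + 2           # blinding factor, coprime to N
        blinded = h(token) * pow(r, E, N) % N      # hides h(token) from the issuer
        signed = issuer.sign_blinded(self.user, blinded)
        return token, signed * pow(r, -1, N) % N   # unblind: h(token)^D mod N

class SpentRegistry:
    """Central check: valid signature and never seen before. No identity stored."""
    def __init__(self):
        self.spent = set()
    def redeem(self, token, sig):
        if pow(sig, E, N) != h(token):
            return "invalid"
        if token in self.spent:
            return "already used"
        self.spent.add(token)
        return "ok"
```

The issuer's log ties a user only to blinded values and the registry sees only unblinded tokens, so the unlinkability rests on the blinding step; a design that issued tokens unblinded would let the issuer match a redeemed token to a login.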
this is sounding sketchier and sketchier. so every website that serves 18+ content in Denmark will need to check tokens against a central database upon login? forget censorship and surveillance, that sounds like it plain won’t scale well. also does Denmark really expect every website to implement this? what about Lemmy or other fediverse services?
why is this needed at all? why not just use parental controls on devices? why is this such a crisis now, for the first time in 20 years?
I feel like they could just, you know, not do this.
I wouldn’t call that an ideal implementation, but if they implemented it properly, there’s no way for the website to know who you are, and there’s no way for the website to tell the authority you visited their site. If there is, it’s not actually a ZKP and it’s a failure of the technology (and I assume at that point be against the law). The only abuse that should ever be possible is that the authority knows you are using tokens, not where.
The only required trust that should be needed, is that the authority proved your age in the first place, such as when you get your driver’s license, and that they actually implemented all the cryptography properly (which a 3rd party could verify).
Edit: And if there’s concern about token sharing somehow, it should be locked behind your biometrics in a way that again doesn’t leak any information, which they saw you encode when they verified your identity.
Well that’s awesome. I had heard Germany did a ZKP solution, I didn’t realize it was EU law.
I don’t really expect anywhere but the EU to do that though. ZKP are really the only way to do it if it’s going to be done.