That said, it's interesting to consider what a good idea would look like, if we imagine a world where age verification does become an inevitable strict requirement.
Is it practical to do this cryptographically on the web, with something technically similar to today's client certificates? Age verification certificate authorities who verify your age, and then issue a private key & certificate pair that says just "the holder is 18+" (and nothing else) such that you then provide this seamlessly to websites as you browse? Without exposing a consistent certificate id that can be used to track you?
That would allow the minimum verification but no more, without leaking personal data or creating any other UX impact.
Such systems are still vulnerable to children actively stealing such certificates from verified adults of course, but so is every other manual verification scheme I've seen proposed, and at least it requires a fair degree of technical acumen to steal.
Again, the UK plan here is a bad idea, but perhaps if this is a likely direction of future legislation then it would be good to get ahead of it with some kind of privacy-preserving alternative, instead of falling into easy but terrible fixes later.
> Is it practical to do this cryptographically on the web, with something technically similar to today's client certificates?
That one is easy to imagine (and is already deployed for some other use-cases in Brazil). People will be required by the government to have a client certificate, in order to interact with government services.
You just slowly increase the scope of both which people are required and for what. If you increase it slowly enough, most people won't even notice or status-quo-bias it into being "business as usual".
Client certificates? Oh no, those are on the way out. You'll get some form of third party signed attributes. You go to a site that needs age verification, and get redirected to one of the applicable trusted providers of attributes (attributes like 'I am 18+'). In practice, this means you get forwarded to a government portal to login with your government issued ID, and then you'll be asked if you're OK with providing site X with the 'I am 18+' attribute (which you only have when you are over 18). Site X then gets a time-limited token from your browser that allows it to verify those claims with the provider of it.
This is being worked on by various governments to my knowledge, and it will all be backed by ID-apps on your Google or Apple smartphone which won't be mandatory, but neither is there a clear answer to how people without (those) smartphones or no wish to install government apps are supposed to do certain things. The Dutch government is experimenting with one at the moment.
Such a system could (and perhaps should) be generalized to all boolean expressions involving personal details of users.
A website should be able to specify a list of access conditions, such as (is not from Iran, Syria, North Korea or Cuba) and ((comes from the US and is over 21) or (does not come from the US and is over 18)). Instead of requiring the user to give them enough personal data to verify those assertions, it could just ask their certificate authority and receive a true/false answer, without receiving a reason why this answer is true or false.
Such a system could also provide seamless CAPTCHAs and abuse prevention mechanisms. Let's say every website would receive a random (but cryptographically signed) string on each visit. The CA would log what user received what string. As long as the user behaved properly, they wouldn't be identifiable to the website owner. However, a court could force the CA to hand over the information of an abusive user for whom a certain string was generated. Website owners could also ask the CA to never let a user with a given string onto their website again, still without knowing a single thing about that user.
> Instead of requiring the user to give them enough personal data to verify those assertions, it could just ask their certificate authority and receive a true/false answer, without receiving a reason why this answer is true or false.
This doesn't preserve privacy though: now your verification authority necessarily hears about every website you visit that wants verification, and can trace your every move.
They could absolutely issue you with a wide selection of certificates you could use to independently verify yourself though, preserving privacy all round. A certificate for "comes from the US", a certificate for "is over 21". Come up with a big list of criteria, issue a true or false certificate for each, and then you can provide the combination required to satisfy whatever a website needs to confirm from you.
You need an expiry for some though. "You're over 18" is permanently true. "You're under 18" is clearly not, but it's easy enough to set an expiry date. Meanwhile "You're an American citizen" isn't necessarily permanent, but becomes invalid unpredictably. You could publish revocations or just require occasional revalidation though.
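An added illustration, not part of the thread, of the per-attribute certificates with expiry described in the comment above, checked offline against the compound access condition quoted earlier. It uses Node's built-in Ed25519 signing; the function names, attribute names and JSON credential format are assumptions made for the example.

```javascript
// Added example; issue/verify/admit and the attribute names are hypothetical.
const crypto = require('node:crypto');

// Constructed issuer key pair; a real issuer would publish only the public key.
const issuer = crypto.generateKeyPairSync('ed25519');

// Issuer side: sign one attribute with an expiry and no subject identifier.
function issue(attr, value, expires, key = issuer.privateKey) {
  const body = JSON.stringify({ attr, value, expires });
  return { body, sig: crypto.sign(null, Buffer.from(body), key).toString('base64') };
}

// Site side: check the signature against the issuer's public key, then expiry.
// No call to the issuer is made, so the issuer never learns which site asked.
function verify(cred, now, pub = issuer.publicKey) {
  const sig = Buffer.from(cred.sig, 'base64');
  if (!crypto.verify(null, Buffer.from(cred.body), pub, sig)) return null;
  const claim = JSON.parse(cred.body); // parsed only after the signature holds
  if (claim.expires !== null && Date.parse(claim.expires) <= now) return null;
  return claim;
}

// Keep only attributes whose credential verified and has not expired.
function verifiedAttrs(creds, now) {
  const attrs = new Map();
  for (const c of creds) {
    const claim = verify(c, now);
    if (claim) attrs.set(claim.attr, claim.value);
  }
  return attrs;
}

// Condition from the thread: (US and over 21) or (not US and over 18).
// "Not US" needs a verified from_us=false credential; absence proves nothing.
function sitePolicy(a) {
  return (a.get('from_us') === true && a.get('over_21') === true) ||
         (a.get('from_us') === false && a.get('over_18') === true);
}

function admit(creds, now) {
  return sitePolicy(verifiedAttrs(creds, now));
}

// Constructed sample: a non-US adult, evaluated at a fixed clock.
const demoNow = Date.parse('2024-06-01T00:00:00Z');
const demoCreds = [issue('over_18', true, null), issue('from_us', false, '2025-01-01T00:00:00Z')];
console.log(admit(demoCreds, demoNow));
```

Each credential's signature bytes are the same every time it is presented, so sites that compare them can link visits; this sketch does not address that or bind the credential to its holder.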
MS is following Apple's iPhone "it's not your device" model with Windows 11 needing the TPM chip, so soon we'll have less control of our hardware. I wonder if China would introduce a law which would monitor users through the camera e.g. "to ensure children (and adults) are not spending too much time on the computer".
Afaik they already force the presence of monitoring software on phones of Uyghurs...