This might only be marginally relevant, but California’s digital id has a way of verifying age without revealing anything else about your identity called “TruAge”
> California’s digital id has a way of verifying age without revealing anything else about your identity called “TruAge”
I'm not familiar with the system, but I assume it would necessarily have to reveal the sites you're verifying with to the State of California.
So it's less of a big deal, as long as you're okay with sending a record to the government about what site you're visiting every time you want to sign up somewhere or re-verify your age.
I'm sure someone in the comments will propose some cryptographic solution where neither party knows anything other than the fact that someone, somewhere, possesses a token associated with a person over the age of 18. If you think this is viable, you're not thinking like a kid trying to get around this system, nor a blackhat trying to take advantage of it: Many people would immediately set up a service that handed out age verification tokens in exchange for viewing some ads (the file sharing site model) if there were no limits and nobody could trace it back to the source. Any ID verification system must necessarily have some party able to verify the person to avoid abuse like this.
> TruAge encrypts your data points and then protects them even further by creating anonymous tokens. These anonymous tokens cannot be traced back to you without legal authorization from a court-issued subpoena
Yes, I think you are right. There is probably a way to make a fully anonymous scheme.
> There is probably a way to make a fully anonymous scheme.
A fully anonymous scheme would be ripe for abuse: People would immediately take their keys and set up websites that exchanged age verification tokens for watching ads. Kids would visit these websites, watch an ad for 60 seconds, and get a fully anonymous age verification token in exchange.
Identity verification systems only work if everyone involved has some incentive to protect their identity. If the identity means nothing and nothing can be traced back to you, the tokens will be generated for next to nothing and handed out freely.
I always figured it'd be implemented Stripe style where completing age verification just gives the site a token that they can use to validate the third party age check.
The problem is how to make the provider side anonymized so that they don't know what sites your visiting, but that could be probably solved with legislation. In California, at least. I wouldn't trust Congress with a bill like this.
Agree. The idea is to verify your age, not harvest all your PII data across every login and viewing session. Companies can easily implement this privacy-preserving step, they just won't until it is strictly enforced.
