this post was submitted on 29 Aug 2025
762 points (99.9% liked)
Technology
74646 readers
2356 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Government sets up page to verify age. You head to it, no referrer. Age check happens by trusted entity (your government, not some sketchy big tech ass), they create a signed cert with a short lifespan to prevent your kid using the one you created yesterday and without the knowledge which service it is for. It does not contain a reference to your identity. You share that cert with the service you want to use, they verify the signature, your age, save the passing and everyone is happy. Your government doesn't know that you're into ladies with big booties, the big booty service doesn't know your identity and you wank along in private.
But oh no, that wouldn't work because think of the... I have no clue.
Funnily enough that is roughly the implementation the EU seems to be working on.
https://digital-strategy.ec.europa.eu/en/policies/eu-age-verification
On a side-note. I do not consider the government to be a trusted party. Whatever solution gets implemented needs to not provide the government any information that they can use for mass surveillance.
The two main requirements in my view are:
Edit: You mention the certificate being short-lived, but one of the concerns mentioned in the proposed implementation for the EU age verification states that if that window is too short it can be used to determine identity.
I think I have to specify what I mean by trusted. I do not trust them with my browser history, but I do trust them handling my government-issued identity. I do however not trust a company with that identity because I know they will definitely use it for their own good. What I want is the complete and absolute separation of information. Everyone knows exactly what they need to know, not a byte more. I'm still not convinced we desperately need the possibility to identify us for every fucking service though. Keeping kids from accessing porn should be the task of the parent. Keeping kids out of porn, yes indeed, we all need to tackle that problem.
So basically, yes, I think we have the same solution in mind, but with different wording.
You sell that cert to a local kid for $50
You generate another cert to sell to a local kid tomorrow
???
Profit
And your solution is...?
There's no problem, so we don't need one. We got by just fine without age verification on the internet for decades
I'm not sure if we are doing that fine. The thing about the decades is there wasn't really a web for kids to browse. Nowadays it's different. But still, I agree with you. We should keep responsibility to the parents as long as possible. But I really don't think my friend's daughter should be browsing TikTok at her age.
(Which is my friend's task, not mine or that of some pedo in government)
The problem is that meat-space logic is applied to the cyberspace (as it might have been said in the 90ies).
You go into a store and the clerk sees you and knows your age. If it's borderline, then they ask for ID. They are applying that thinking to internet services. And so are you. You are just trying to figure out a better way to ask for ID.
The UK doesn't have a system of mandatory national ID. Brits feel that that is totalitarian. So obviously, they do not use the scheme you propose. It's not their meat-space logic.
Where this falls down is that no ordinary Mastodon instance can comply with the regulations of the close to 200 hundred countries in the world. Of course, just like 4chan, many wouldn't want to out of principle.
The only way to make this work is to introduce another meat-space thing: Border posts. You need a Great Firewall of the [Local Nation]. At physical border posts, guards check if goods comply with local regulations. We need virtual border posts to check if data is imported and exported in compliance with local regulations.
Such a thing, a virtual Schengen border, was briefly considered in the EU about 15 years ago. It went nowhere at the time. But if you look at EU regulations, you can see that the foundations are already laid, most obviously with the GDPR but also the DSM, DMA, DSA, CRA, ...
Eventually, the border will be closed to protect our values; to enforce our laws. We will lock out those American and Chinese Big Tech companies that steal our data. We will only allow their European branches and strictly monitor their communications abroad. We will be taking back control, as the Brexiteers sloganized it. Freedom is just another word for having to ask the government for permission when you enter a country. And increasingly, it is another word for having to ask permission for how you use your own computer.
It won't be some shady backroom deal. Look here. People in this community love these regulations. Europeans here are happy to tell US companies to "FO if they don't want to follow our laws". Well, the Great Firewall of Europe is how you do that.
That sounds like a very functional and rational solution to the problem of age verification. But age verification isn't the ultimate goal, it's mass surveillance, which your solution doesn't work for.
what exactly is the problem, though?
The fact that they haven't gone for this approach that delivers age verification without disclosing ID, when it's a common and well known pattern in IT services, very strongly suggests that age verification was never the goal. The goal is to associate your real identity with all the information data brokers have on you, and make that available to state security services and law enforcement. And to do this they will gradually make it impossible to use the internet until they have your ID.
We really need to move community-run sites behind Tor or into i2p or something similar. We need networks where these laws just can't practically be enforced and information can continue to circulate openly.
The other day my kid wanted me to tweak the parental settings on their Roblox account. I tried to do so and was confronted by a demand for my government-issued ID and a selfie to prove my age. So I went to look at the privacy policy of the company behind it, Persona. Here's the policy, and it's without a doubt the worst I've ever seen. It basically says they'll take every last bit of information about you and sell it to everyone, including governments.
https://withpersona.com/legal/privacy-policy
So I explained to my kid that I wasn't willing to do this. This is a taste of how everything will be soon.
I don't agree. It certainly makes it possible that it isn't the goal. But I genuinely believe that, at least here in Australia (where our recent age-gating law is not about porn, but about social media platforms, with an age limit of 16), the reason behind the laws being designed as they are is (1) optics: despite what those of us here say, keeping young children off of harmful social media algorithms is very politically popular and they wanted to pass a bill that banned it as quickly as they could. No time for serious discussion about methods. And (2) a complete lack of knowledge. Because they wanted the optics, they passed the bill extremely quickly and without a serious amount of consultation. And I don't trust that even if they had done consultation, they would have known who is more reliable to listen to, the actual experts and privacy advocates, or the big AI companies with big money promising facial recognition will somehow solve this. Because politicians are, by and large, really fucking stupid at technology.
What is it they say? Never attribute to malice that which can be adequately explained by stupidity?
First, Mastodon is talking about Mississippi in the US.
Second, why can't people parent their own kids? What if I don't agree with the government and want my kid to see stuff the government has decided to block? The government isn't the parent of your child and you shouldn't be treating them as such. If you child is doing something you don't want, it's your job as their parent to stop it.
Don't forget censorship.
How about people parent their children?
I believe the issue is that parents themselves are overworked from their job and have no energy to be a parent, because in our society, it is more successful to be a worker than to be a parent.
(Sorry for turning it into a critique of capitalism, I just can't help it these days)
I'm with you on this one, but that's easy to say for me. I'm in IT anyway. I just have a hard time imagining how my sister for example would set this up for her kids. That doesn't mean I am for all of this bullshit, though.
It was never about the kids.
https://en.wikipedia.org/wiki/2010s_global_surveillance_disclosures
Because it's not actually about age verification, it's about totalizing surveillance of everyone.
Bold of you to assume a government entity is trusted. In the UK we have a large misrepresentative error due to our voting system.
Depends in what part you trust. I trust them with my ID, I wouldn't trust a random website. They know it anyway as they made it.
If we're talking about a hard copy ID (passport, drivers license) that's one thing. A digital ID, and over the internet, is asking for trouble.
That's the reason I wrote what I wrote. everyone only knows what they need to know. How do you think a third entity would identify you?
Easy:
I don't trust the government and private interests to come to an agreement that somehow benefits citizens more than their combined interests.
I'm not saying I'm for age verification. I'm just saying if it were for it, there'd be solutions.
What I wrote I did while being barely awake in five minutes. Sure it needs work. But there'd be ways to do it without a camera up your butt.
My point is that any solution here will be used for tracking, because that's in the interests of both regulators and regulated entities. It's not going to solve the original problem because kids are great at finding workarounds, and it will cause harm to those who follow the rules.
I also could devise a technical solution here that respects users' privacy and is effective, but once it's implemented, it will be changed to violate privacy. That's how these things work.
Sadly, I agree with everything you wrote.
I doubt the concept of anonymised data. Companies and governments have bad incentives to know who you are, and collect data from brokers to make correlations and educated guesses.
You should avoid everything then. Besides that, what has that got to do with the issue?
You may want to join us reading along in the privacy communities of the fediverse.
But long story shortened - third parties are very much identifying each of us in staggeringly novel and effective ways.
For example, depending on circumstances, third parties may not be sure which room in my home I am sitting in, right now, while being aware that I'm writing this. This shit has gotten deeply weird and invasive.
I'm not talking about fingerprinting.
ActivityPub is a major threat to the commercial social networks.
These laws are purely a way to regulate communication, but they are effectively a way to prevent new social networks from becoming established.
This is why the really big social networks are welcoming them with open arms. Even the criminal social networks are secretly pleased with them.
Laws only affect people too poor to manipulate them and too honest to disobey them.
I am sorry but much as I enjoy lemmy, activitypub is absolutely not a threat to anything. Mastodon and co had stagnant to declining user numbers ever since the last twitter exodus. And as things are, that just isn’t going to change and no amount of telling each other so in the mastodon and lemmy echo-chambers is going to change that.
Worse, the open platforms could absolutely not handle massive growth. Moderation would be a nightmare. How many people are going to volunteer to look over the additional thousands of thousands of posts with gore, csam etc. And you would need a lot of them.
Who’s going to pay for the legal advice that inevitably will be needed for the various situations that’d crop up if the network ever got enough users to be an actual threat? Donations? How well is that going to scale? How many volunteer hosters and admins would still be willing to do it in the face of all that?
ActivityPub is a niche, and if you enjoy it, you should hope it stays that way, because it certainly wouldn’t survive mainstream.
These are all very good questions, which will all need to be answered eventually, and need to be considered at the platforms move forward.
A lot of these problems could be solved if Governments and business entities started running their own Mastodon servers, and other platforms (as appropriate).
Unfortunately government and businesses are increasingly outsourcing their IT infrastructure to commercial cloud services, rather than keeping them in-house.
Reddit was profitable off of just minimal advertising and Reddit Gold. I'm concerned about video hosting, but I think mastodon and Lemmy can scale just fine.
but they know who they issued it to, and can secretly subpoena your data from your instance.
no thank you.
I think this starts to not work when you start to include other states that want to do this, other countries, cities, counties, etc.. How many trusted authorities should there be and how do you prevent them from being compromised and exploited to falsely verify people? How do you prevent valid certs from being sold?
Some examples of the type of service you mentioned:
This can be improved even further to lock a single age verification to a single account. Instead of issuing you a generic signed cert, they use blinded signatures to sign a cert that you generate and encrypt, containing the domain name and your username. The govt never sees the site or your username, because it's encrypted, and the site never sees the document you provided the govt with to prove your age. But you have a cert that can only be used by you to verify your account is of age.
There's an alternative solution that would enable a person's browser or device to verify their age based on a govt-signed cert with repeated hashes. This would have the benefit of the government not even knowing how many verifications you had done, because they only provide one cert per person (with longer renewals. The downside of this is that it requires some form of unique multiple-use identifier. In the sample question that's fine because it's a passport. IRL it could be something like an email address, or even just your own unique UUID.
meh just do what Amazon does "Hey if you're student you can get Amazon Prime for $5! how old are you?"
me: "I'm 20."
Amazon: "Ok here's your cheap prime!"
/me groans getting out of the chair cause I'm in my 40s
Point being just slap up an unverified age gate and be done with it. Really, truthfully, whose going to actually check? who even cares to check? it's all just a dog and pony show to please the conservative and "think of the children" religious nut jobs who have no idea how any of this shit works anyways. Just spend 2 minutes whipping up a site with a centered div that has a drop down menu asking "how old are you?" less than 18 send it to a "no internet for you page" greater than 18 "go look at porn" page.
Doesn't take a rocket scientist to know what's REALLY happening that they're requiring scanned IDs or faces or what have you. and no company in their right mind is going to fight this as it's free and easy data collection. Bluesky doesn't give a flying fuck as they're just going to end up selling the data they collect.
Because think of the shareholders, I’m waiting to see which politicians spouses own controlling shares in the verification companies…
Ideally, it would be handled directly on the hardware. Allow people to verify their logged in profile, using a government-run site. Then that user is now verified. Any time an age gate needs to happen, the site initiates a secure handshake directly with the device via TLS, and asks the device if the current user is old enough. The device responds with a simple yes/no using that secure protocol. Parents can verify their accounts/devices, while child accounts/devices are left unverified and fail the test.
Government doesn’t know what you’re watching, because they simply verified the user. People don’t need to spam an underfunded government site with requests every day, because the individual user is verified. And age gates are able to happen entirely in the background without any additional effort on the user’s side. The result is that adults get to watch porn without needing to verify every time, while kids automatically get a “you’re not age-verified” wall. And kids can’t MITM the age check, due to the secure handshake. And if it becomes common enough, even a VPN would be meaningless as adult sites will just start requiring it by default.
For instance, on a Windows machine, each individual user would be independently verified. So if the kid is logged into their account, they’d get an age wall. But if the parent is logged into their verified account, they can watch all the porn they want. Then keeping kids away from porn is simply a matter of protecting your adults’ computer password.
But it won’t happen, because protecting kids isn’t the actual goal. The actual goal is surveillance. Google (and other big tech firms like them) is pushing to enact these laws, because they have the infrastructure set up to verify users. And requiring verification via those big tech firms allows them to track you more.
It bothers me so much that a ZKP system is entirely possible, and no one will just do the first step of setting that up.
Eh, Denmark is. They are building exactly a ZKP system.
Britain has chosen to not make this a legal requirement so it is possible to tie back age verification with who verified. That makes it a lot more suspect.
Sorry, I mean just for the UK, US, and apparently China also.
Fortunately, the EU isn't going down the same path, and has Estonia, Finland, Denmark and the Netherlands as guides. And to just do this in the right order and do step 1: sensible digital ID system.