frontpage.
newsnewestaskshowjobs

Open Source @Github

fp.

Open in hackernews

What's wrong with EU age verification? (Nothing)

https://blog.vrypan.net/2026/06/29/260629-whats-wrong-with-eu-age-verification/
21•birdculture•1h ago

Comments

ulrikrasmussen•45m ago
The article claims this is what the ZKP scheme reveals:

> Here is cryptographic proof that I hold a valid credential proving I am over 18. You can verify the proof, but you learn nothing about who I am.

Is this true though? I am genuinely interested as I haven't looked into the details, but must the user not at least also disclose who the issuer of the credential is so the verifier can verify it against a public key? This also reveals at least the nationality of the user and could be misused to block access to foreigners using VPN.

readthenotes1•41m ago
We have people checking IDs at the doors of bars and strip clubs.

And just like in those cases, what is to prevent someone who is of age giving their ID to someone underage?

efitz•35m ago
A human glancing at an ID is not creating a log or transmitting every unique identity to the government.

If you handed over your id, and the person checking it made a photocopy and handed it to a police officer who put it in a file in a briefcase they carried, you might feel differently.

varispeed•30m ago
I remember last time I was in the club (decade or so ago), the bouncers were taking IDs and photocopying them and of course there was CCTV as well and police were visible outside of the club.
dgellow•25m ago
What country is that? Sounds insane to me
fmobus•29m ago
aren't a lot of bars in the US scanning the id card with some purpose-made id scanner? Seem to remember reading about that, and it being the US I would guess that data gets very much stored/shared/molested.
technothrasher•15m ago
The scanner manufacturers proudly advertise that their systems dump the scanned IDs to a back-end database for storage and later use.
sejje•14m ago
Yes, they are. The systems aren't even expensive, and they have some features like they track people who have been trespassed, etc.

However, you can buy fake IDs online, and the IDs are reportedly beating those machines. So if you trust the machine for age-verification, you might let in underage people.

ibejoeb•40m ago
> When children are very young, parents can set strict boundaries. But as kids move into their teens, parents also have an obligation to loosen them. Teenagers need spaces where they can act independently

Parent have an obligation to loosen the restrictions, and, what, the government has obligations to tighten them and deprive them of the spaces where they can act independently?

I don't care to talk about the premise itself. This reasoning is absurd.

croes•34m ago
Do you show your ID when you buy alcohol?

We have many place in real life where we already have to prove our age or identity but somehow the internet should be excluded

dgellow•29m ago
Those places don’t track you and keep a registry and copy of your information
dpark•27m ago
Depending on where you live this may be untrue. In Washington state I hand them my id and they scan the code on the back. There is every possibility that they store it and notify the state that I bought a bottle of rum.
ndr•27m ago
Use that logic to sell phones. Don't limit civil liberties to compensate for failures of parental supervision.
rpdillon•25m ago
coda_cantabile•38m ago
But by what mechanism would one prove, when using such selective disclosures and zero-knowledge proofs to access an online service, that they are, in fact, the owner of said attestation?
varispeed•32m ago
This is probably the wedge and the rest will follow once people are accustomed and desensitised to age checks.
satansdeer•35m ago
Overall "more verification" goes in the direction of "more surveillance".

The author described a narrow path that provides "kid safety in the internet" without sacrificing the general population privacy.

Is it technically possible to implement the way he suggests? Yes. Will it be implemented that way? No.

There are people who can affect the way this verification will be implemented who are genuinely interested in more surveillance, heck, remember chat control that is an ongoing fight in a very similar vein, there is a global desire in politicians to get more control over the communications.

To me the author seems either naive or straight up malicious.

dpark•19m ago
> Is it technically possible to implement the way he suggests? Yes.

I actually don’t think it is. Fundamentally this kind of certificate is going to be revocable. It’s untenable politically to hand out irrevocable attestations that can be handed off to minors. If you allow that, the system has failed to prevent minors from accessing adult materials, and if you don’t then the system has failed to preserve privacy.

> To me the author seems either naive or straight up malicious.

I think just naive.

NotPractical•33m ago
Except that within days of this service going live there's going to be a freeageverification.com that instantly generates an attestation for anyone for free. I fail to see how this is not untenable. You can compare it to geoblocks that can be circumvented using VPNs, but at least VPNs are costly to run and are usually paid services. With the implementation of verification described in the article, there is no cost to generate attestations nor any limit on the number of attestations nor any way to stop a known-but-anonymous abuser from generating new attestations.

Maybe the EU knows it's untenable and is still moving forward because they will be able to demonstrate to the public that privacy enables abuse, creating pretext to make the system not private anymore after it's already been implemented.

dpark•28m ago
The offline version proposed doesn’t even work. If the government issues untraceable “I’m an adult” cards there’s nothing stopping someone from acquiring one and immediately selling it to a minor. There’s also realistically nothing stopping someone from acquiring multiple and selling them to minors. “Oops, I lost my adult card again. I need a new one.” The solution is of course to make them revocable which means traceable.

The same applies online/digitally except that you can very likely distribute the same ID to many minors without getting a new one allocated.

I’m in the “we should protect kids online” camp, but I am not sure there’s a real way to do it without compromising privacy for everyone.

rootlocus•26m ago
Protecting kids online requires attention from their parents, not from the government.
dpark•17m ago
Protecting kids is well within the scope of the government.

This “it’s the parents job” is also reductionist. It is, but somehow we still have made it illegal for minors to buy hard liquor and pornography from physical stores in the United States and few argue that restriction is wrong.

rpdillon•14m ago
This is my take, but I am a bit frustrated by OS manufacturers. The obvious move is have a screen after factory reset the puts the device in kid mode permanently. It then will send a "I'm underage" flag to sites, and sites return no content (or safe content) when they see that header. This is a system that makes it easier for parents to do their parenting job. All the pieces of this system already exist, but the UX for managing a device during setup to be a "kids device" isn't there.

This system is good for a bunch of reasons:

* It gives parents control such that they can tailor the experience to their kids. This is a problem with current proposals.

* It doesn't bring identity into the mix at all, completely defusing the risk of mass surveillance.

* It's easy to verify if adult sites are complying: hit them with a curl request containing the header, check the response. This is much easier that verifying that Discord is checking user ages properly using their face-scanning technology.

lokar•28m ago
I agree with the broad point. But it ignores another key requirement: it can’t be easy to “loan” your proof of age to someone else.
dom96•19m ago
If the EU actually mandates each member country implements a ZKP for this then I am all for it.

Can they also provide other ZKPs? Specifically to attest that someone is a unique human being? Humanity verification is incredibly important to fight against propaganda online[1]

1 - https://blog.picheta.me/post/the-future-of-social-media-is-h...

GuestFAUniverse•19m ago
A friend and I were the first to have modems at age 12. And we had access to all kind of stuff on BBS and later in newsgroups. That wasn't meant for our age group and yet there wasn't any harm done. Others in our classes didn't roam there. (They were more into drinking, smoking and stealing in real life instead)

Guess who is heavily using social media today and unreflectively repeats fake news.

granra•7m ago
But now kids grow up with social media and fake news. I too grew up seeing stuff I shouldn't have online and I turned out fine but I see the online landscape today as much scarier place and as a recent father I'm scared of what it can do to my child and will need to police it.
jubilee33•10m ago
Free access to information is non negotiable. You can dress it up in whatever argument you like; safety, intellectual property rights, moral imperatives. Take your pick. Information will not be held back, it wasn't held back by any tyrannical regime of the past with much more asymmetrical access to control, not the banning of the printing press, the efforts of the Stasi to ban western music in East Germany, nor China's more recently attempted "Great Firewall", have worked. This also will not work.

I am not worried for myself and for others who are technically inclined, we will just silently find and implement solutions for ourselves and any others who have the energy and inclination to use them. This is worst, as usual, for the most vulnerable among us. Those most in need of the information which they will not be able to access. Every freedom comes with risks and responsibilities, freedom of information maybe more than any, but the harms of limiting information are much more unacceptable than any caused by its unhindered natural flow. You can propagandize and scheme to your hearts content. You can lobby your governments to implement your halfbaked schemes. But in the end it won't work... Because people like me and millions of other will just not comply. We will build our own networks if need be, but we will do just about anything rather than accept your terms.

jonhohle•5m ago
> Free access to information is non negotiable.

For adults.

There is information and images that are developmentally harmful to children. As the author says, this is no different from drugs, alcohol, tobacco, or gambling.

If you can’t understand that, you either don’t have children, have a screw loose, or are a child predator.

Offline and online are not equivalent spaces. They're not symmetric, they don't fail in the same way, and they don't have the same hazards or risks. I say this because I don't think the argument that we should do it online because we do it offline is coherent.

I actually don't have to show my ID when I buy alcohol because I'm old. There's a material difference between an electronic record being submitted, passed through and stored on several different servers, and somebody seeing you and seeing a grey beard and saying, yeah, you can buy that beer. The worst case scenario in real life is that the bouncer at the bar looks at your ID, seems real enough, checks the date, matches the picture, and that's it. There is no record being stored, there is no log. It's not equivalent to the vast majority of online age verification mechanisms in use today.

ibejoeb•24m ago
Not for the past 20 years. I also don't participate in Patronscan and other similar surveillance operations.

That is beside the point. I'm talking about the incoherent argument about a parent's supposed obligation to stop parenting and the government taking over. There are three premises here asserted by the author: 1) the child's need for independence, 2) a parent's duty to stop parenting, and 3) the government stepping in. Number 1 is contrary to 3, and I don't agree with either 2 or 3. What do you think?

thomastjeffery•19m ago
And none of them are in my living room, nor do they belong there.

The government does not get to put child locks on my liquor cabinet, or even keep me from leaving booze out on the counter. They get to restrict businesses from selling to people without identification. Note that this has already always been the case on the internet, too.

trewnews•15m ago
No I don't. Your reasoning is absurd.

Today I can walk into a shop and buy alcohol without showing my ID.

I can also walk into my local library and read any book I wish to, some with adult themes. I could do this as a teenage too. I also did this in my own school library.

Demanding to see ID to access online content is a terrible idea and it is the parent's responsibility to look after children. It should be an understanding between the parent and child on what they should be accessing online. If that breaks down then the parent should do their job of being a parent. Take the device away and punish the child.

muro•11m ago
buying alcohol without showing an ID might be possible in many places, but it's not a universal right.
Jtarii•6m ago
This approach has clearly failed and something different should therefore be attempted.
grey-area•6m ago
Untraceable is your invention and obviously absurd and unworkable.

No scheme is going to issue cards/tokens that can be traded between people, that's obviously unworkable.

Untraceable is for the consumers of the cards obviously, but in order to have trust they need to be traceable for somebody to verify them. The government can already determine who you are and already requires you to prove that at certain points, this is not a new invention of government it is required for governments to function.