It was just announced that the targeted solution is a Zero Knowledge approach, where the website just receives a simple “not underage” without any additional information from a mini-wallet. This would be a solution that I could stand behind as it doesn’t use any 3rd party services for age verification. It’s akin to the COVID certificate.
Edit: https://www.eff.org/deeplinks/2025/04/age-verification-european-union-mini-id-wallet
I don’t stand behind any of it. We shouldn’t even give them an inch IMO.
Then they will break you and industry that wants data will win. You vs bourgeois governments, you will lose.
This is a serious push and though children are the cover they’re after surveillance. Take away their talking points, give them what they claim to want but in a privacy-preserving way and this goes away for another 10 years before they can make another push.
If we win this fight by doing a zero knowledge form they have no scaffolding to use on which to build anything further. If we lose and they build something that isn’t zero knowledge it will 100% be used in a few years to iterate on to build more surveillance and control.
Basically if we don’t push for this privacy alternative and instead fight like hell against it entirely they’ll listen to the only voices putting forward a solution which is Meta and the other privacy-invasive actors who want an invasive approach. If it’s made heard that people will accept this we can shunt them onto this path.
Ideally we’d push onto this path but make demands that it doesn’t require verification. That parents can set it up at phone/computer setup and it cannot be changed without reinstalling the OS or erasing the phone and that on phones it gets tied to a Google/Apple account. That way there’s not even any identity aspect involved but tools given to parents who want to do this. Shove it back to parental responsibility. But this would be a compromise we could live with and still have some privacy with.
Systems that are put into place will get misused or its initial usage will get softened, loosened and then for some safety stuff re-purposed (protection of children, protection against terrorism). If it’s there already why not use it for more than just some age verification.
It’s so cruel that we debate this mainly so that network traffic can get attributed to natural persons and this is gold++ for marketing.
the main problem isn’t really what data is used for verification, but what data is made unavailable without it. if some conservative asshole decides that resources on sexual health (or alternate sexualities) are pornographic, then that information is effectively gone for everyone under 18 or without an account.
Well, good luck to the conservatives, because if that happens little (or not so little) Timmy will bike to their nearest friend and ask them. That’s how urban legends used to be propagated.
i’m looking forward to the cuba-style internet cafe culture where there’s a new hard drive of stuff every week
That is true. Sadly this is the direction society is going and it’s depressing.
They’ve already decided so. It is all in Project 2025: queerness and sex-ed are considered pornographic. And platforms have been preemptively demonetizing and censoring info for similar topics (abortion and sex-workers resources also) for years.
this is about the eu
Implying that US companies are not the ones behind this?
The only system I’ll accept. Not necessarily for pornography and a lot of “save the children” claims are just pretext for privacy violations, but there are services that legitimately need to check some info and a zero knowledge approach is the most privacy preserving way to do that.
Even with the Zero Knowledge approach, you will still run an app on a phone (what if I don’t have one) that will make some call to the government’s servers, which will most likely know what website you’re trying to access. We’re moving the data mining from some third party to the government, which can be wrongly used later if some idiot comes into power. If it’s not making a call to a government’s servers, I would be surprised, since you could imagine someone just bypassing this to always return “Over 18”.
Even funnier (read “sad”), this initiative will probably rely on Google and Apple to keep it robust, and will likely have no availability on rooted phones or non-Google Play Services ones. It’s premature at best to deploy this in a meaningfully safe way.
This doesn’t make a call to government servers.
The app (or desktop application BTW, incl. Linux) reads your national ID’s NFC tag, once. When you need to prove your age, the app locally computes a zkp that only tells the site “at least 18yo yes/no”.
Note that every EU country has a form of national ID, and the digital capabilities of these IDs are already used for a bunch of stuff (e.g. taxes, bank account creation,…). This doesn’t worsen the privacy situation for EU citizens, but instead ensures that no privacy-unfriendly solutions emerge.
There must be something that ensures the response is legitimate. Otherwise, if it’s client-side and fully offline, I can just spoof the app to return the response “Yes, over 18”. If it’s not the government doing the verification, it’s Google or Apple, which will give them access to all the “adult” websites you visit. Also, another reason for the EU to push for strict device attestation, without any DIY stuff (i.e., no more GrapheneOS, LineageOS, etc).
I couldn’t find a desktop app on the EU’s GitHub (another red flag, btw, using GitHub for this). All that seems to be available is code for the Android or iOS apps. Could you share it, if you can?
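The point argued in the two comments above, whether a proof computed fully offline can be trusted without a call to the issuer, shown as an added example that is not part of the thread and not the EU wallet's code or protocol. It assumes a hash-chain age commitment signed with Ed25519 as a simple stand-in for a real zero-knowledge proof; `Credential`, `Proof`, `Issue`, `Prove` and `Verify` are hypothetical names, and unlike a real ZKP the reused `Commit` value is linkable across sites.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Hypothetical model, not the EU wallet's format. Commit = H^age(Seed), signed by the issuer.
type Credential struct{ Seed, Commit, Sig []byte } // Seed never leaves the wallet
type Proof struct{ Link, Commit, Sig []byte }      // all the website ever sees

func hashN(b []byte, n int) []byte {
	for i := 0; i < n; i++ {
		s := sha256.Sum256(b)
		b = s[:]
	}
	return b
}

// Issue runs once at the issuer, which knows the real age.
func Issue(priv ed25519.PrivateKey, seed []byte, age int) Credential {
	c := hashN(seed, age)
	return Credential{seed, c, ed25519.Sign(priv, c)}
}

// Prove runs locally in the wallet, with no network call.
func Prove(c Credential, age, threshold int) (Proof, bool) {
	if age < threshold {
		return Proof{}, false // SHA-256 cannot be walked backwards
	}
	return Proof{hashN(c.Seed, age-threshold), c.Commit, c.Sig}, true
}

// Verify runs at the website and needs only the issuer's public key.
func Verify(pub ed25519.PublicKey, p Proof, threshold int) bool {
	return ed25519.Verify(pub, p.Commit, p.Sig) && bytes.Equal(hashN(p.Link, threshold), p.Commit)
}

func demo() (adult, patched, selfSigned bool) {
	issuer := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, 32)) // constructed keys and seeds
	rogue := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, 32))
	pub := issuer.Public().(ed25519.PublicKey)
	honest, _ := Prove(Issue(issuer, []byte("seed-A"), 34), 34, 18)
	minor := Issue(issuer, []byte("seed-B"), 16) // patched wallet sends Seed as Link
	fake, _ := Prove(Issue(rogue, []byte("seed-C"), 40), 40, 18)
	return Verify(pub, honest, 18), Verify(pub, Proof{minor.Seed, minor.Commit, minor.Sig}, 18), Verify(pub, fake, 18)
}
func main() { fmt.Println(demo()) } // true false false
```

The site accepts only the honest proof: a wallet patched to answer "yes" for a 16-year-old credential and a credential signed by a key other than the issuer's both fail `Verify`, and neither check contacts the issuer.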
What I understood is that the code of the app would be open so it can be independently checked. It sucks that it comes to this and there will be a choice between plague and cholera, but I would rather have this approach than use 3rd party age verification services.
It’s better than nothing, but there’s also the issue of certifying that the code that’s open is actually the code in the app. Also the vast majority of people do not possess the knowledge to actually read and understand the code to be able to verify it. So to most people, it being open is of little benefit.