Can you send a link or explain how this can be done?

As a not super tech savvy parent I find it impossible to keep my son off screens. He always finds a workaround. So I'm a fan of age verification especially after reading The Anxious Generation, despite all the hate it gets from hacker news.


Actually it's not super easy to explain to the layman, since it uses cryptography. But if you'd like to learn more ChatGPT is very knowledgeable.

But it sounds like your wish is to keep your kid off screens in general, which I don't think age verification would accomplish.

> the hate [age verification] gets

Age verification actually gets almost no hate. Society-wide surveillance gets a lot; age verification just happens to be the "think of the children" excuse to shoe-horn in the society-wide surveillance. As OP described, if the age verification is implemented as a "zero-knowledge proof" then we have age verification without society-wide surveillance and nobody is complaining.

https://en.wikipedia.org/wiki/Zero-knowledge_proof

Not OP and I don't claim a cryptographically secure solution. However https://www.hackerneue.com/item?id=46223051 is as good as the controls around other age-restricted products IRL: alcohol, tobacco, and adult magazines. And it preserves anonymity.

He’s talking about zero knowledge proofs - it’s a neat use of graph coloring where you send an encrypted proof that a graph can be colored with three colors and no neighbors with the same color. The verifier makes a challenge to prove two nodes don’t have the same color, and the prover provides a key to decrypt just those two nodes. This process is repeated a number of times (with new colored graphs) until the verifier approaches certainty that the prover will always be able to show all nodes have neighbors with different colors.

This coloring problem is NP-complete and somehow the thing the prover is proving is encoded in the graph structure. At the end of the day, the only thing the verifier is sure of is that the prover can make the three colored graph, 1 bit that corresponds to the thing the verifier wants to know (e.g. - does the prover have a token that can show they are over 18).

For simple yes/no questions ("Is over 18?", "Is US resident?") then you should look back to David Chaum's blind signatures and the work that came out of that back in the 90s. The math is super-simple to understand and there are a ton of even easier metaphors with envelopes and carbon paper that you can use to explain to your grandmother. Once you get someone to grok blind signatures it is easy to lead them to zero-knowledge proofs.
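
The commit, challenge and open rounds of the graph-coloring proof described above, as an added example that is not part of the thread. The graph, the coloring, the function names and the use of salted SHA-256 commitments in place of the "encrypted" colors are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed sample: a 5-node graph and a valid 3-coloring known only to the prover.
const EDGES = [[0, 1], [1, 2], [2, 3], [3, 4], [4, 0], [0, 2]];
const SECRET_COLORING = [0, 1, 2, 0, 1];

// Hash commitment: hides the color until the nonce is revealed, and binds the prover to it.
const commit = (color, nonce) =>
  crypto.createHash('sha256').update(nonce).update(Buffer.from([color])).digest('hex');

// Prover: shuffle the three color names, then commit to every node's color.
function proverCommit(coloring) {
  const perm = [0, 1, 2];
  for (let i = 2; i > 0; i--) {
    const j = crypto.randomInt(i + 1);
    [perm[i], perm[j]] = [perm[j], perm[i]];
  }
  const openings = coloring.map((c) => ({ color: perm[c], nonce: crypto.randomBytes(16) }));
  return { openings, commitments: openings.map((o) => commit(o.color, o.nonce)) };
}

// Verifier: the two opened nodes must match their commitments and differ in color.
function verifierCheck(commitments, [u, v], openU, openV) {
  const valid = (o) => Number.isInteger(o.color) && o.color >= 0 && o.color <= 2;
  return valid(openU) && valid(openV) &&
    commit(openU.color, openU.nonce) === commitments[u] &&
    commit(openV.color, openV.nonce) === commitments[v] &&
    openU.color !== openV.color;
}

// Run independent rounds; each uses a fresh permutation and fresh nonces.
function runProtocol(coloring, edges, rounds) {
  for (let r = 0; r < rounds; r++) {
    const { openings, commitments } = proverCommit(coloring);
    const edge = edges[crypto.randomInt(edges.length)]; // verifier's random challenge
    const [u, v] = edge;
    if (!verifierCheck(commitments, edge, openings[u], openings[v])) return false;
  }
  return true;
}

// A prover without a valid coloring has at least one bad edge, so each round catches
// them with probability >= 1/|E|; surviving every round is at most (1 - 1/|E|)^rounds.
const cheatBound = (edgeCount, rounds) => Math.pow(1 - 1 / edgeCount, rounds);
```

Because the colors are re-permuted every round, the two colors the verifier sees in any round are just a random pair of distinct values and reveal nothing about the coloring itself.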

This is far from the best way to do it, but this is a much easier to understand example of how it could be done without having to read about math:

There's a type of token called a JWT that's really common nowadays, which is composed of 3 parts: Metadata describing encryption for the third part, the actual base64-encoded data, and the encrypted signature. The second part would include "is over 18" and "expiration date" to limit reuse/abuse, and is trivially decoded by anyone to confirm there's no personal information in there.

You'd get this token from your government site and copy/paste it into the site needing verification. The government site would provide a standard public key that can be used with the third part of the JWT to confirm it hasn't been tampered with (verification is built-in to JWT libraries). There would only be one public key that rarely changes, allowing the site to cache it, preventing the government site from correlating users based on timestamps - they never see the JWT from the other site (verification is done locally), and the other site would only need to pull the public key once for however many thousands of people use it.

...that said technical issues aside, I kinda feel like this would be the most acceptable version simply because it doesn't require the average user to trust the math - they could go to a JWT-decoding website and look at it themselves.
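
The issue-then-verify-locally flow from the comment above, as an added example that is not part of the thread. The claim names `over_18` and `exp`, the Ed25519 (`EdDSA`) signature algorithm, the function names and the demo key pair are assumptions.

```javascript
const crypto = require('node:crypto');

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Issuer side (the "government site"): sign claims that carry no identity.
function issueToken(privateKey, ttlSeconds, now = Math.floor(Date.now() / 1000)) {
  const header = { alg: 'EdDSA', typ: 'JWT' };
  const payload = { over_18: true, exp: now + ttlSeconds }; // claim names are assumptions
  const signingInput = `${b64url(header)}.${b64url(payload)}`;
  const sig = crypto.sign(null, Buffer.from(signingInput), privateKey);
  return `${signingInput}.${sig.toString('base64url')}`;
}

// Relying site: verify locally against the cached public key; no call to the issuer.
function verifyToken(token, publicKey, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [h, p, s] = parts;
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString());
    payload = JSON.parse(Buffer.from(p, 'base64url').toString());
  } catch { return { ok: false, reason: 'malformed' }; }
  if (!header || !payload) return { ok: false, reason: 'malformed' };
  // Pin the algorithm instead of trusting the header (rejects "none" and downgrades).
  if (header.alg !== 'EdDSA') return { ok: false, reason: 'bad alg' };
  const sigOk = crypto.verify(null, Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, 'base64url'));
  if (!sigOk) return { ok: false, reason: 'bad signature' };
  if (typeof payload.exp !== 'number' || payload.exp <= now) return { ok: false, reason: 'expired' };
  if (payload.over_18 !== true) return { ok: false, reason: 'claim missing' };
  return { ok: true, claims: payload };
}

// Constructed demo key pair standing in for the issuer's rarely-rotated key.
const DEMO_KEYS = crypto.generateKeyPairSync('ed25519');
```

Nothing in these claims binds the token to its holder, so anyone holding a copy can present it until `exp` passes.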

How would you prevent the token from being used by a different person than it was issued to? This is the online equivalent of getting your older cousin to buy you alcohol from the store using their own valid ID.

How do you prevent your house key being used by a different person, that it was not issued to?

I don’t get the analogy. I keep my house keys out of the hands of people I don’t want in. In this case, the age verification is being circumvented by someone simply asking another person to perform it on their behalf.

I guess the practical answer is that it’s impossible because there’s always the option to have an adult perform the verification and then hand over the device to the minor

Yes, the analogy is the burglar getting into the house by asking you to open your door for them. Adults are permitted to decide such a thing, because they know the risks and are expected to be able to reason about that. When an adult has decided, then there is no problem, as far as age verification is concerned. We have regulations when adults are in fact not able to decide such a thing "correctly".

We already have penalties for adults mistreating children by exposing them to dangerous things, but this is orthogonal to age verification.

Why do you want the online process to be more secure than the one using physical IDs?

Mostly because the online process can scale a lot further and faster. An older cousin can only walk into a store to buy so much alcohol but a stolen token can be reused a million times in a second.
> hate

You meant logical criticism?

I mean one sided criticism that doesn't account for the damage done to kids by having no online limits, and assuming everyone in the world is as tech savvy as they are.
