Why isn't online age verification just like showing your ID in person?
64 comments
·December 12, 2025zug_zug
jraby3
Can you send a link or explain how this can be done?
As a not super tech savvy parent I find it impossible to keep my son off screens. He always finds a workaround. So I'm a fan of age verification especially after reading The Anxious Generation, despite all the hate it gets from hacker news.
swid
He’s talking about zero knowledge proofs - it’s a neat use of graph coloring where you send an encrypted proof that a graph can be colored with three colors and no neighbors with the same color. The verifier makes a challenge to prove two nodes don’t have the same color, and the prover provides a key to decrypted just those two nodes. This process is repeated a number of times (with new colored graphs) until the verifier approaches certainty that the prover will always be able to show all nodes have neighbors with different colors.
This coloring problem is NP complete and somehow the thing the prover is proving is encoded in the graph structure. At the end of the day, the only thing the verifier is sure of is that the prover can make the three colored graph, 1 bit that corresponds to the thing the verifier wants to know (eg - does the prover have a token that can show they are over 18).
swid
Not really. There are ways to prove ownership of one of several hundred million tokens. If you give out this many tokens, the odds that some will be stolen or sold must be fairly close to 1.
Ajedi32
Agreed. But obtaining such a token/proof would still be an additional barrier kids would have to actively bypass, so while I don't think that's the best implementation I don't think it's correct to say there's no value there.
My bigger concern would be who gets to issue these tokens. If it's limited to a particular government, then that doesn't work very well on a global internet. And making the internet not global (blocking adults from accessing foreign websites that don't adhere to your scheme) is kinda authoritarian IMO.
If we're going to do age verification and blocking of adult sites, it needs to be local to the user's device (and thus under the control of parents, not governments).
E.g. Instead of mandating sites verify users, we mandate internet-capable devices sold to kids have certain content restrictions, the same way we mandate you can't sell alcohol to kids. To make this more effective than existing content filtering, implement some kind of legally-enforced content-labeling standards websites have to follow to be whitelisted on these devices. This way the rights, freedoms, and privacy of adults using adult devices is unaffected.
miguelbemartin
In my opinion, access to internet should always be behind a device controlled by an adult. And it should be this adult's responsibility to set appropriate restrictions for minors.
bennyp101
Yea, I think anyone who grew up at the start of the internet in homes realises just how different it is now, and that teaching your kids about how to be safe online etc is an important part of parenting. But we are at the point where we have some parents who always had access to what it is now, and don't see it as a bad place.
"Stranger Danger" is no longer don't get into a van with someone who promises you sweets kinda thing.
everdrive
Agreed. My kids are young right now, but I'm wondering if we can just have a shared family room computer like in the 90s. (school-based laptops might thwart this, but maybe by the time they're school-aged people will realize that constantly putting kids in front a screen is a bad thing to do?)
bennyp101
Yep, I bought a separate all-in-one computer that is in the living room, in full view of everyone else, so we can keep an eye on what is going on when they are using it.
We also have pi-hole running that blocks a lot of things, and can turn on and off certain domains (so they can play roblox etc for a short while, then its blocked again) and their devices are pretty locked down
froglets
Even if they don’t share a computer you can still set up their own computers in a shared space. We don’t put tvs in bedrooms either just to keep those rooms for reading/sleeping. Added bonus of keeping computers in common spaces is that your kids won’t disappear into their rooms one day and never come back out.
bombcar
You can be pretty effective with not much - school laptops can be router-blocked to the needful, the main familyroom computer can be visible to all but also have rudimentary DNS blocking, etc.
The key is to be open about it and “more” than reasonable; allow things when requested that aren’t harmful.
If we’re too perfect at protecting them from the world they’ll have no tools to deal with the world, which they will have to do eventually.
krupan
You can have a shared family room computer! It works really well. No screens in the bedroom is a great idea. iPhones with strict Screen Time settings are awesome when the kids get old enough to use a phone for communication but not old enough to handle a phone with games and the full Internet
wiredfool
My 16 yr old just had his phone update and apply his old screen time settings from 4 or 5 years ago. Sorry kiddo, don’t remember the screen time password.
Now why they came back, and weren’t working before? The restrictions were so full of holes that they didn’t really work as anything other than a speedbump.
rawgabbit
With my family, I shut down and threw away my last PC; too many security head aches. I bought the cheapest large screen iPad(s) and promptly locked them down. One of my best decisions.
everdrive
I think that's the idea behind the family room PC -- you have parental observation rather that attempting to rely on (necessarily-imperfect) security software.
dbbk
I'm not sure why we don't just make a law that parents must set parental controls on their kids' devices. We do this for most other things.
jraby3
It's harder than you think to manage all the devices especially if you aren't especially tech savvy.
There are also a ton of tricks and workarounds it's super frustrating.
quentindanjou
Because the main purpose of these regulations isn't protecting the kids. It's surveillance control. An easy way to better kill online anonymity.
SunshineTheCat
We should then make laws that parents must tell their kids to clean their room. Next we can make laws that parents must tell their children to eat their veggies. What about chore laws? Teeth brushing laws? Stop arguing with your sister laws! More laws!
bennyp101
There's a giant difference between stopping kids having full reign on what is now essentially the whole world of information - and instant access to strangers, than there is making sure they eat healthy, help out, and don't have bad teeth .... but I'm sure you know that :)
null
dom96
Honestly, there should be more laws on how children should be brought up.
Tostino
What is the punishment you want to give to parents who don't?
That's the implication of making a law.
dbbk
Same punishment as not sending them to school
bennyp101
They get blacklisted from being able to have internet
ipython
how about we start with a law that requires tech companies to provide useful parental controls? Can we please stop blaming parents??
Spivak
I'm really glad you're not in charge of making laws. The one thing you can do as a parent is override most age restrictions. You can give your child alcohol, you can take them to R rated movies, you can let them watch NC-17 movies at home, you can buy them M video games, you can just straight up buy them porn. But then parents have a legal requirement to restrict their child's internet access to whatever the government happens to approve of—utter nonsense.
michaelmrose
Define controlled and define appropriate in a fashion that almost everyone can agree on which is in line with the constitution and enforceable.
You can't.
insane_dreamer
In theory that sounds right; but as a parent with two young teens I can tell you that in practice this is really really hard -- your teens can get around whatever restrictions you might set, bringing you down to either 1) taking away their phone altogether, 2) turning off the internet altogether (while at home), 3) trying some parental control app (none of which work that well or are inconvenient to use in practice). The only thing I've successfully managed to set up is a blocker on the router that shuts off access to their devices at night (so they go to sleep at a reasonable hour). During the day is just way too complicated.
So we talk about it and try to get them to manage it themselves. They're not unwilling, but the addiction of continuous scrolling is really hard to break. It's not even that the content is terrible, it's more just the mindless zombies -- like sitting all day on the couch watching TV. And they don't even have an IG or TT account (and won't be getting one for a long time) -- this is YouTube (which now has endless scrolling like TT) which I don't want to block altogether because there's other helpful resources on there.
I've always been an early adopter, and was on BBS and IRC and all that back in the day, love the fact that the Internet is a place you can easily set up your own blog and all that, but recently I've honestly come to f*ing hate the internet in general and social media in particular.
ipython
How does that work in practice? I've tried to do this at home. It doesn't work at all. It's not the 90s any more- there isn't one PC sitting on a desk with a modem attached to a phone line that you need to wait for 30 seconds to dial up and establish a connection before you're online...
Now you have ubiquitous WiFi and cellular connectivity across dozens of devices in a typical household. Even refrigerators have built in web browsers now. Parental controls are a joke, treated as an afterthought at best - nonexistent at worst. Oh, and the school system provides your kids with a Chromebook with Internet access starting in elementary school.
It's victim blaming at its finest IMO. Yeah, we can all point fingers at the parents who sit their kids down with an iPad. But there's many of us who struggle to limit screen time, working against the profit motive of trillions of dollars of corporations. It's a losing battle.
johnnienaked
You want parents to parent? God speed and good luck
saghm
No, I think what they want is not to have the rest of us have to jump through hoops (and sacrifice privacy) to achieve the same thing. Some of us don't have kids (or live in a household with any), so passing a law that potentially limits our internet access to solve a "problem" that already is dubious is ridiculous.
rzerowan
Paradoxically this is one of those features/requirements that i feel should be on the end-user-device with zero knowledge proof.
It would make sense to have the enduser verification ondevice with a simple reply to any online property : Passed age verification/or not.
Otherwise the centralization and eventual leak of this data is a can of worms in waiting.
Bender
Here [1] is the zero knowledge solution. It has existed for ages but not adopted likely due to not providing a name, SSN, location and credit card. No third parties, no dependency on CDN's, no sharing or leaking ... anything.
Given that solution is unlikely to be legislated into action I would suggest people are just going to share adult content on Usenet, Tor, P2P, within G/PG rated video games by plonking down a virtual theater and streaming from a throw-away VM and fully automating syncing with LFTP+mirror+SFTP, sharing USB NVME drives, mobile ephemeral websites over WiFi and other methods when people get tired of this Top/Bottom relationship lobbyists want us to participate in. As a plus side, driving people underground means zero tracking, rules, taxes, obligations, leaking email addresses, etc...
vermon
EU implementation of age verification is actually base don zero knowledge proofs https://ageverification.dev/
consp
Hasn't this been made "optional", aka not going to happen, in the digital wallet specification?
danaris
Any on-device solution that simply sends back a yes/no result as you describe is guaranteed to have one of two problems:
1) It is vulnerable to modifications and hacks on the local device that get it to send back a "yes" result without actually verifying anything
OR
2) It requires the device to use some kind of closed, proprietary system that allows the service to guarantee that #1 cannot happen
Now, in general, the tech world is pretty happy to accept #2, but many of the people around here would object to it on very reasonable grounds.
rzerowan
I mean most mobile devices have already accepted closed ROMs in their baseband and all/most browsers that try to interact with streaming sits require Widevine . As longas its going to hapen one way or another better it be local , and not a gov thing or a monopoly.
At the end of the day the tool should be there enforcement down to the relevant local authorities or not.
simion314
Exactly, on my Play Station I setup for my son I enter his real birthday, then Sony knows what can he do in the Store or chat etc. So we could have the big tech Apple, Google, Microsoft, Canonical ensure to make an idiot prof setup screen and the parent is responsible to set the age of the birthday of the child if they give a device to them . Then the store can be filtered and the browser can have a standard way of adding in the headers an age range or something.
Big tech did not want to cooperate to do this for some weird reason so now we get a much more complicated solution.
Yes I know that if your kid uses a live USB stick he could watch porn on his laptop but IMO is much easier for such a smart kid to find a website that does not respect the browser headers and torrent adult content.
3rodents
I don’t like this article. Irrelevant technical nuance is comingled with a philosophical opposition. The technical issues are all solvable. The free speech argument is foolish too: if limiting who can jerk off to pornography is an issue of free speech, surely so is limiting who can enter a bar and converse with the patrons.
Opposition to ID checks because you believe the internet should be open and free is reasonable but this article twists itself into knots throwing everything at the wall. And it is reasonable to believe it is a free speech issue. But we can’t say, at the same time, that the same arguments don’t apply outside of the internet.
(Convenience stores scan ID, bars scan ID, hotels take copies of passports…)
cwmoore
I am not that fond of stores scanning my ID data either. I’m over 21, there’s no question about it. Per policy, they’ll have my name and address in some log too, and with my photos and gait on camera and probably my license plates. What does all of that do for me? Are you safer because I am being recorded?
I like the (disputed) comment elsewhere on this page, requiring parents to parent. They aren’t my kids.
Ajedi32
The free speech argument is that these ID checks aren't just being applied to porn sites; there's a push to make social media websites (probably the largest hubs of free speech in the modern world) do them too. That's a much bigger deal. It'd be like if you had to show your ID to a police officer in order to enter exit your front door.
pessimizer
> Convenience stores scan ID, bars scan ID
These are new things, not old things. The idea that stores and bars should be able to record for all eternity the identities of the people who have purchased things from them is just as much of a horror. They can sell that information to anyone.
> hotels take copies of passports…
This is not really a new thing, although it is a fairly new thing (i.e. within the last 40 years, since cheap enough photocopiers.) But it comes from laws about keeping track of who is staying in temporary accommodation, 100 years ago you would have had to sign the register.
Havoc
This tries to make a logical argument against an attack that isn’t that - it’s linked to age and „think of the children“ precisely because it isn’t really disprovable and anyone daring to take a stance against it can be hit with a „oh so you’re against protecting children“.
Scratch out the age in „online age verification“ and you get to real reason
magicalhippo
Discussion on the mentioned age verification hub here: https://news.ycombinator.com/item?id=46223389
brewcejener
cp is currency for a lot of people, this will destroy the programming world
brewcejener
cp is like currency for some people, a lifeblood so to speak
delusional
Are we to assume that the people at the EFF haven't heard of how European nations, like Denmark, are building government infrastructure to verify your age without disclosing sensitive information?
Are we also at assume that the EFF fail to see the similarity of age-gating porn websites and age-gating entrance to strip clubs?
That doesn't seem likely to me, and I find it way more likely that the EFF is purposefully excluding the best argument against their chosen position.
jagoff
It's not about age verification and it never was, that is a distraction at best and a delusion at worst. This is about tying your real name to all of your online activities, and about getting the current generation of children used to it and accepting of it before they reach voting age.
minusLik
This. The German government issues electronic IDs which can provide proof of age in a privacy-saving way, but I've never seen that being used in the wild.
taylodl
BINGO!!!
Simulacra
I would counter that they already have that. Would go so far to say that the government knows pretty much everything you do online by name. What they can't control, it's access. I think the reason for this is for an eventual license to get on the Internet. The same way you need a license to drive a car, you will need a license tied to your real identity, to use the Internet.
johnnienaked
I'm never verifying my ID to access anything on the internet. I'll just stop using it.
catapart
That's kind of the point of all this. They force websites to enact the verification because they have leverage over businesses that they don't have over citizens, and then they expect that the citizens will hate it so much that they don't go to the "bad" sites at all. "Thank you for your cooperation!"
ETA: (accidental submit; sorry) I'm in the same boat! Not entering my ID information into any website, much less ones they've got on the list. And so they've successfully boxed us in. At least for me, I intend to raise hell about it aside from just not sharing PIA, but I don't have any delusions of it's effect.
hexbin010
Look at the Overton window rapidly shrinking. Thanks EFF!
Cryptographically there are techniques that let you prove you're one of the several hundred million adults in the US that don't reveal anything about which adult you are. It's much less complicated than bitcoin.
I'm bringing this up because it's the perfect litmus test to show whether you really care about age verification, or if you want personal trackability for all internet behavior.
I'd be okay with this for certain situations (e.g. a forum that doesn't want to foreign agitators to pretend they are US voters), but the whole porn thing is a ridiculous farce because there are still going to always be millions of non-us porn sites that don't enforce US laws.