Governments already have everyone's ID, including DOB. They say that the problem is non-adults accessing adult sites and services. So therefore, the sites need to know that users are over 18 (or the selected government age).
There should be a standardized government ID service/API that allows a person to let it disclose their age (or other user selected information) to a requesting site/service. That's all that is needed if the government ID service has appropriate 2FA and security.
Both the request and the response can be appropriately anonymized so that the government doesn't know the site, and the site doesn't know the person's identity.
Why isn't this a thing yet? As far as I know, no one has proposed it.
The german gov id supports that. They have a PKI and the id is a smart card with a cert and private key on it [0]. It lets you answer the question "are you over 18" with a zero knowledge proof. I guess it only proves you have in your possession a valid id AND know the PIN to it, but that should be fine. France apparently has this, too, according to the article.
[0] https://www.personalausweisportal.de/Webs/PA/EN/government/t..., https://www.bsi.bund.de/EN/Themen/Oeffentliche-Verwaltung/El...
This has been widely discussed, and initial implementations exist: the EU digital wallets are doing exactly this. https://ec.europa.eu/digital-building-blocks/sites/spaces/EU....
In theory, every EU state will have to support this soon so users can use it to verify age privately online. Still work to do to roll this out for real, but the technological part is very much already happening and I think the rollout plan is committed.
No. You seem to not understand how government works. It will never be anonymized so it's an awful idea, you basically suggest to link accounts to a passport.
Exactly. Governments that really care about age verification should provide the tools to do so. They have the means to do so without violating privacy. Something like the Dutch DigiD service (the one they're about to sell to the US despite literally everybody opposing that) would be a great basis for this; just add an age verification service to it. They already know who you are in the most legal sense possible.
> Both the request and the response can be appropriately anonymized so that the government doesn't know the site, and the site doesn't know the person's identity.
Yes that's how it's done in France for instance, and generally how it's being discussed in the EU.
> There should be a standardized government ID service/API
Most European country already have one, some are still testing theirs. They're required by the EU to make one accessible to their citizens by the end of this year, in the context of the eID project [0].
[0] https://commission.europa.eu/topics/digital-economy-and-soci...
> if the government ID service has appropriate 2FA and security.
You're kidding right?
Why?
In Russia we have gosuslugi.ru (state services), which nowadays requires 2FA and hasn't been compromised in any major way so far.
Among other things they provide a way for a third party to use it as identification service and a user chooses which data about himself he wants to share. No anonymity, though, and I don't see how it can be implemented so that the verification provider doesn't know which service is requiring age verification.
You seriously think Russia's state services are not compromised by intelligence?
Also, yea, no anonymity is the problem. Why would you want your government to be able to track every single website you've ever visited -- especially considering we're talking about an autocratic regime?
I'm astonished at the naivety on display on a community called "Hacker news."
>You seriously think Russia's state services are not compromised by intelligence?
The state services are required to assist intelligence and law enforcement in lawful investigations, the intelligence don't need to compromise anything.
>Why would you want your government to be able to track every single website you've ever visited
I don't want anyone to track every single website I visited.
>considering we're talking about an autocratic regime
Glad you see the EU for what it is.
The problem is that verifying age requires disclosing your identity and the fact that you use a certain service. Whoever is the provider of such verification, it learns too much about you.
Is the state a worse choice for that than a commercial entity that has fewer resources to secure itself against hacking and might even sell the data itself?
I would rather not have age verification at all and glad there is no such thing in Russia (yet?).
These already exist in several eu countries. Imagine that there are governments that is not America and that actually work.
Just this year, France government ID system hacked: https://www.biometricupdate.com/202604/french-govt-confirms-...
"hacked", such a shame what happened in the background; it was a teenager who saw some url like "view_my_id_documents?id=1234" and just incremented the number, and could download the documents of other people (did on dozens of millions).
.