But let's assume the majority of parents can actually do this. The problem with social media is not an individual one! We've fallen into a Nash Equilibrium, a game theory trap where we all defect and use our phones. If you don't have a phone or social media nowadays you will have much more trouble socializing than those who do, even though everyone would be better off if nobody used phones. As a teenager, you don't want to be the only one without a phone or social media. And so I truly do think the only solution is with higher level coordination.

Now, it's possible that the government isn't the right organization to enforce this coordination. Unfortunately, we don't really have any other forms of community that work for this. People already get mad at HOA's for making them trim their lawn; imagine an HOA for blocking social media! I do think the idea of a community doing this would be great though, assuming (obviously) that it was easy to move on and out of, as well as local. This would also help adults!

So to be honest, I don't think parents have the individual power to fix this, even with their kids.

There is almost literally documented examples of Facebook executives twirling their mustaches wondering how they can get kids more addicted. This isn't a few bands with swear words, and in fact, I think that the damage these social media companies are doing is in fact, reducing the independence teens and kids that have that were the fears parents originally had.

I dunno, are you uncertain about your case at all or just like. I just like, can't help but start with fuck these companies. All other arguments are downstream of that. Better the nanny state than Nanny Zuck.

The problem is that it's bloody hard to actually do this. I'm in a war with my 7yo about youtube; the terms of engagement are, I can block it however I want from the network side, and if he can get around it, he can watch.

Well, after many successful months of DNS block, he discovered proxies. After blocking enough of those to dissuade him, he discovered Firefox DNS-over-HTTPS, making it basically impossible to block him without blocking every Cloudflare IP or something. Would love to be wrong about that, but it seems like even just blocking a site is basically impossible without putting nanny-ware right on his machine; and that's only a bootable Linux USB stick away from being removed unless I lock down the BIOS and all that, and at that point it's not his computer and the rules of engagement have been voided.

For now I'm just using "policy" to stop him, but IMO the tools that parents have are weak unless you just want your kid to be an iPad user and never learn how a computer works at all.

All parental moderation mechanisms can and should be implemented as opt-in on-device settings. What governments need to do is pressure companies to implement those on-device settings. And what we can do as open-source developers is beat them to the punch. Each parent will decide whether or not to use them. Some people will, some won't. It's not Bob's responsibility to parent Charlie's children. Bob and Charlie must parent their own children.

To the people arguing that parents are too dumb to control their children's tech usage because they themselves are tech-illiterate: millennia ago, we invented this new thing called fire. Most people were also "too dumb" to keep their children away from the shiny flames. People didn't know what it was or how dangerous it could be. So the tribe leader (who, by the way, gropes your children) proposed a solution: centralize control of all the fire. Only the tribe leader gets to use it to cook. Everyone else just needs to listen to him. Remember, it's all for you and your children's safety.

It would allow someone with an mDL on their device to present only their age instead of other identifying information.

May the best legal person win!

Someone brought up the need for device attestation for trust purposes (to avoid token smuggling for example). That would surely defeat the purpose (and make things much much worse for freedom overall). If you have a solution that doesn't require device attestation, how does that solve the smuggling issue (are tokens time-gated, is there a limit to token generation, other things)?

The only reasonable way to deal with children on the Internet is to treat Internet access like access to alcohol/drugs. There is no need for children to access the Internet full stop.

Internet is a network in which everything can connect to everything, and every connected machine can run clients, servers, p2p nodes and what not. Controlling every possible endpoint your child might connect to is not feasible. Shutting the entire network down because "won't somebody please think of the children" is not acceptable.

And, don't let them trick you. This is the endgoal. An unprecedented level of control over the flow of information.

I think a lot of the younger generation supports it, actually. They didn't really grow up with a culture of internet anonymity and some degree of privacy.

For me this is a crux, at least in principle. Once online media is so centralized... the from argument freedom is diminished.

There are differences between national government power and international oligopoly but... even that is starting to get complicated.

That said... This still leaves the problem in practice. We get decrees that age-restriction is mandatory. There will be bad compliance implementations. Privacy implications.

Meanwhile a while... how much will we actually gain when it comes to child protection.

You can come up will all sorts of examples proving "Facebook bad" but that doesn't mean these things are fixed when/if regulation actually comes into play.

Still, there's an awful lot of excellent educational content on YouTube. It seems unfortunate to block access to that. Have you considered self hosting an alternative frontend for it?

The Internet is basically the final frontier where this harmful law doesn't reach, though the Karens are really trying to expand their power there.

The legal doctrine is also not specific to the US, of course.

Of all the things, a "save-the-children prolegomena to the Prometheus myth" certainly wasn't on my bingo card today. So thank you for that, but I'm not aware of any reports of fire-keeping in the way you've described. Societies and religions do have sacred traditions related to fire (like Zoroastrians) but that doesn't come with restrictions on practical use AFAIK.

Everyone does realize we're being constantly tracked by telemetry, right?

A proper ZK economy would mitigate the vast majority of that tracking (by taking away any excuse for those in power to do so under the guise of "security") and create a market for truly-secure hardware devices, while still keeping the whole world at maximal security and about as close to theoretical optimum privacy as you're going to get. We could literally blanket the streets with cameras (as if they aren't already) and still have guarantees we're not being tracked or stored on any unless we violate explicit rules we pre-agree to and are enforceable by our lawyers. ZK makes explicit data custody rules the norm, rather than it all just flowing up to whatever behemoth silently owns us all.

With LLMs and paid actors wreaking havoc on social media I do think that social media needs pivot towards allowing only human users on it. I wrote about this here: https://blog.picheta.me/post/the-future-of-social-media-is-h...

My kid logs out of this account so he can watch restricted content. I wonder - what is PG rating for logged out experience?

We could start to ban many of the mechanisms social media companies have deployed over the last 10 years. Infinite scrolling, algorithmic feeds of "creator" content, AI generated ragebait from bot accounts, etc. I'd love to see social media reverted back to when it was just holiday photos from your friends.

I'm not sure how those two positions connect.

Execs bad, so laws requiring giving those execs everyone's IDs, instead of laws against twirled mustaches?

The solution would then be to break them up or do things like require adversarial interoperability, rather than ineffective non-sequiturs like requiring them to ID everyone.

The perverse incentive comes from a single company sitting on a network effect. You have to use Facebook because other people use Facebook, so if the algorithm shows you trash and rage bait you can't unilaterally decide to leave without abandoning everyone still there, and the Facebook company gets to show ads to everyone who uses it and therefore wants to maximize everyone's time wasted on Facebook, so the algorithm shows you trash and rage bait.

Now suppose they're not allowed to restrict third party user agents. You get a messaging app and it can send messages to people on Facebook, Twitter, SMS, etc. all in the same interface. It can download the things in "your feed" and then put it in a different order, or filter things out, and again show content from multiple services in the same interface, including RSS. And then that user agent can do things like filter out adult content, if you want it to.

We need to fix the actual problem, which is that the hosting service shouldn't be in control of the user interface to the service.

Wild times when we're seeing highest voted Hacker News commenters call for the nanny state.

If you're thinking these regulations will be limited to singular companies or platforms you don't use, there is no reason to believe that's true.

There was already outrage on Hacker News when Discord voluntarily introduced limited ID checks for certain features. The invitations to bring on the nanny state reverse course very quickly when people realize those regulations might impact the sites they use, too.

A lot of the comments I'm seeing assume that only Facebook or other platforms will be impacted, but there's now way that would be the case.

Meta is the bozo in a panel van with no windows. All The legit porn sites put up Big Blinking Neon Signs.

Who would be responsible if a child developed alcohol addiction? A nicotine problem? Any other addiction?

Exactly. The same people that should be responsible for giving them unfettered access to an internet that is no longer safe. Even adults have to be wary of getting hooked on scrolling, and while I agree that the onus is on the companies, it has been demonstrated over and over again that they will not be held to account for their behavior.

So the only logical choice left that actually preserves freedom is for parents to get off their ass and keep their child safe. Parent's that don't use filtering and monitoring software with their children should be charged with neglect. They are for sending a kid into the cold without a coat, or letting them go hungry, why is it different sending them onto the internet?

And to your last point: You are dead wrong. No government anywhere in the world has demonstrated that they have the resources, expertise, or technical knowledge to solve this problem. The most famously successful attempt is the Chinese Great Firewall, which is breached routinely by folks. As soon as a government controls what speech you are allowed to consume, the next logical step for them is to restrict what speech you can say, because waging war on what people access will always fail. I mean, Facebook alone already contains tons of content that's against its terms of service, and they have more money than God, so either they actually want that content there, or they are too understaffed to deal with the volume, and the volume problem only ever increases.

So in my view, you are the one against freedom by advocating for the government to control the speech adults can access for the sake of "protecting the children" when the actual people that are socially, morally, and legally culpable for that protection are derelict in their duties.

How about we reject all institutional nannies?

It is much easier to implement user-controlled on-device settings than any sort of over-the-Internet verification scheme. Parents purchase their children's devices and can adjust those settings before giving it to their kids. This is the crux of the problem, and all other arguments are downstream of this.

Then close their business. Age verification just makes their crimes even more annoying.

> the terms of engagement are, I can block it however I want from the network side, and if he can get around it, he can watch.

You're treating this as a technical problem, not a parental rules problem. Your own rules say he's allowed to watch!

You have to set the expectations and enforce it as a parent.

Is it impractical to keep an eye on what he's doing on his computer, i.e. physically checking in on him from time to time?

How about holding him responsible for his own behavior, to develop respect for the rules you impose? Is it just hopeless, and if so how come? Is it impossible for him to understand why you don't want him watching certain content or why he should care about being worthy of your trust?

I'm not judging here, I'm genuinely curious.

Its unfortunate that the application of this rule is being performed at the software level via ad-hoc age verification as opposed to the device level (e.g. smartphones themselves). However that might require the rigimirole of the state forcibly confiscating smartphones from minors or worrying nepalise outcomes.

The difference though is that parents are generally the ones to give their kids their phones and devices. These devices could send headers to websites saying "I'm a kid" -- but this system doesn't exist, and parents apparently don't use existing parental controls properly or at all.

Parents are legally and socially expected to keep their kids away from tobacco and alcohol. You're breaking legal and social convention if you allow your kids to access dangerous drugs.

Capitalist social media is exactly as dangerous as alcohol and tobacco. Somebody should be held responsible for that, and the legal and social framework we already have for dealing with people who want to get kids addicted to shit works fairly well.

That's not exactly accurate. The two key parts of the attractive nuisance law are a failure to secure something combined with the victim being too young to understand the risks.

So if you put a trampoline in your front yard, that's an easy attractive nuisance case.

If you put a pool in your back yard with a fence and a locked gate, it would be much harder to argue that it was an attractive nuisance.

If a 17 year old kid comes along and breaks into your back yard by hopping a 6-foot tall fence, you'd also have a hard time knowing they didn't understand that their activities came with some risk. Most cases are about very young children, though there are exceptions

We've literally watched things unfold in real time out in the open in the last year I don't know how much more obvious it could be that child-protections are the bad-faith excuse the powers that be are using here. Combined with their control of broadcasting/social media, it's the very thing they're pushing narratives in lockstep over. All this to effectively tie online identities to real people. Quick and easy digital profiles/analytics on anyone, full reads on chat history assessments of idealogies/political affiliations/online activities at scale, that's all this ever was and I _know_ hackernews is smart enough to see that writing on the wall. Ofc porn sites were targeted first with legislation like this, pornography has always been a low-hanging fruit to run a smear campaign on political/idealogical dissidents. It wasn't enough, they want all platform activity in the datasets.

I can't help but feel like the longer we debate the merits of good parenting, the faster we're just going to speedrun losing the plot entirely. I think it goes without saying that no shit good parenting should be at play, but this is hardly even about that and I don't know why people take the time of day. It's become reddit-caliber discussion and everyone's just chasing the high of talking about how _they_ would parent in any given scenario, and such discussion does literally nothing to assess/respond to the realities in front of us. In case I'm not being clear, talking about how correct-parenting should be used in lieu of online verification laws is going to do literally nothing to stop this type of legislation from continually taking over. It's not like these discussions and ideas are going to get distilled into the dissent on the congressional floors that vote on these laws. It is in it's own way a slice of culture war that has permeated into the nerd-sphere.

These massive privacy issues have all been raised on their Github, and the team behind the wallet have been ignoring them.

How? If it’s analyzes my ID 100% client side I can fake any info I want. If my ID goes to a server, it’s compromised IMO.

I think the zero proof systems being touted are like ephemeral messaging in Snapchat. That is, we’re being sold something that’s impossible and it only “works” because most people don’t understand enough to know it’s an embellishment of capabilities. The bad actors will abuse it.

Zero proof only works with some kind of attestation, maybe from the government, and there needs to be some amount of tracking or statistics or rate limiting to make sure everyone in a city isn’t sharing the same ID.

Some tracking turns into tracking everything, probably with an opaque system, and the justification that the “bad guys” can’t know how it works. We’ve seen it over and over with big tech. Accounts get banned or something breaks and you can’t get any info because you might be a bad guy.

Does your system work without sending my ID to a server and without relying on another party for attestation?

The average person does not understand the math behind zero-knowledge proofs. They only see that state infrastructure is gatekeeping their web access. Furthermore, if the wallet relies on a centralized server for live revocation checks, the identity provider might still be able to log those authentication requests, effectively breaking anonymity at the state level.

On a practical level, this method verifies the presence of an authorized device rather than the actual human looking at the screen. Unless the wallet demands a live biometric scan for every single age check, they will simply bypass the system using a shared family computer or a parent's unlocked phone. We used to find our way around any sort of nanny software (remember net nanny)

what you are describing still remains a bubble and I really hope Americans aren't looking at EU for any sort of public policy directions here.

Switzerland is working on a system that does the former, but if Government really wants to identify users, they can still ask the company to provide the age verification tokens they collected, since the Government hosts a centralized database that associates people with their issued tokens.

In that system does the age verification result come with some sort of ID linked to my government issued ID card? Say, if I delete my account on a platform after verifying and then create a new one, will the platform get the same ID in the second verification, allowing it to connect the two and track me? Or is this ID global, potentially allowing to track me through all platforms I verified my age on?

What a verification process looks like from the user perspective? Do I have to, as it happens now, pull out my phone, use it as a card reader (because I don't have a dedicated NFC device on my computer), enter the pin, and then I'll be verified on my computer so I can start browsing social media feed? Or, perhaps, you guys have come up with a simpler mechanism?

It's my job as a parent (and I have several kids...) to monitor the things they consume and talk with them about it.

I don't want some blanket ban on content unless it's "age appropriate", because I don't approve that content being banned. (honestly - the idea of "age appropriate" is insulting in the first place)

Fuck man, I can even legally give my kids alcohol - I don't see why it's appropriate to enforce what content I allow them to see.

And I have absolutely all of the same tools you just discussed today. I can lock devices down just fine.

Age verification is a scam to increase corporate/governmental control. Period.

More simply: If ID checks are fully anonymous (as many here propose when the topic comes up) then every kid will just have their friends’ older sibling ID verify their account one afternoon. Or they’ll steal their parents’ ID when they’re not looking.

Discussions about kids and technology on HN are very weird to me these days because so many commenters have seemingly forgotten what it’s like to be a kid with technology. Before this current wave of ID check discussions it was common to proudly share stories of evading content controls or restrictions as a kid. Yet once the ID check topic comes up we’re supposed to imagine kids will just give up and go with the law? Yeah right.

You mean this culture shift is needed for the masses but I don't think that's the case. In my widest social circle I am not aware of anyone giving alcohol to young kids (yes by the time they are 16ish yes but even that's rare). Most guardians would willingly do similar with locked devices.

The real problem is that the governments/companies won't get to spy on you if locked devices are given to children only. They want to spy on us all. That's the missing cultural shift.

Any parent can be reckless and give their children all kinds of things - poison, weapons, pornographic magazines ... at some point the device has enough protective features and it is the parents responsibility.

Of course no personal details should be provided to the site that requests age confirmation. Just "barer of this token" is an adult.

Better than muddying the waters trying to make it less addictive but then letting them on there when their brains aren't ready.

This is what I find most insane about the UK's age verification law. It's literally so easy to find adult content without proving your age... You can literally just type in "naked women" into a search engine and get porn...

To call it ineffective would be an understatement. Finding adult content on the web almost just as easy as it's always been. The only thing it's made harder is accessing adult content from the normie-web – you can't access porn on places like Reddit anymore, but you can access porn on 4chan and other dodgy adult sites.

If the argument is "think about the kids" there are more effective ways to do it... Requiring device-level filtering for example would likely be more effective because it could just blacklist domains with hosting adult content unless unrestricted. It would also put more power in the parents hands about what is and what isn't restrict.

Children shouldn't be associating with other children, except in small groups. Even the typical classroom count is far too large. They become the nastiest, most horrible versions of themselves when they congregate. A good 90% of the pathology of public schools can be blamed on the fact that, by definition, public schools require large numbers of children to congregate.

If that happened in the US, Republicans would then:

1. Insist that non-white children carry ID at all times

2. Operationalize DHS and ICE to deport non-white children to foreign concentration camps.

Is that really a non-sequitur though? Cigarettes are harmful and addictive so their sale is age gated. So too for alcohol. Gambling? Also yes. So wouldn't age gating social media be entirely consistent in that case?

Not that I'm necessarily in favor of it. I agree that various other regulations, particularly interoperability, would likely address at least some of the underlying concerns. But then I think it might not be such a bad idea to have all of the above rather than one or the other.

How about taking all these websites that require PII onto their own members-only domain?

This actually should have been in place and well fleshed-out before Google & Microsoft started pushing their "account" nonsense.

I might suggest explaining this to him, providing a uBlock filter to sanitize the page, and requiring use of said filter.

It's not as easy as you may believe to prevent that type of access.

It doesn't have to be perfect and there will of course be easy workarounds to hid the warnings for people that want. The goal is to improve the situation though, not solve it perfectly. Like putting information about the dangers of smoking on packages of smokes; it doesn't stop people from smoking but it does make the danger very easy to learn.

like most proposed solutions, this just seems overcomplicated. we don't need "accessible cryptographic infrastructure for human identity". society has had age-restricted products forever. just piggy-back on that infrastructure.

1) government makes a database of valid "over 18" unique identifiers (UUIDs)

2) government provides tokens with a unique identifier on it to various stores that already sell age-restricted products (e.g. gas stations, liquor stores)

3) people buy a token from the store, only having to show their ID to the store clerk that they already show their ID to for smokes (no peter thiel required)

4) website accepts the token and queries the government database and sees "yep, over 18"

easy. all the laws are in place already. all the infrastructure is in place. no need for fancy zero-knowledge proofs or on-device whatevers.

Your crypto nerd dream is vulnerable to the fact that someone under 18 can just ask someone over 18 to make an account for them. All age verification is broken in this way.

There is a similar problem for people using apps like Ubereats to work illegally by buying an account from someone else. However much verification you put in, you don't know who is pressing the buttons on the screen unless you make the process very invasive.

They don't care whether you are 14 or not. They want your biometrics and identification. "Think of the children" is just a pretense.

In china there are places to scan you device and get coupons. usually at elevators in residential buildings so they can track also if you're arriving or leaving easily.

In the US every store tracks and report to ad networks your Bluetooth ids. and we know what happens to ad networks.

US now requires cars to report data, which was optional before (e.g. onstar) and china joined on this since the ev boom.

the public id space is booming.

Another example where this plays a role are voter registration and ID requirements for voting in the US. It is entirely bizarre to me how these discussions just accept it as a law of nature that it's expensive and a lot of effort to get an ID. This is something that could be changed.

(This is a genuine question) please could you describe the underlying problem that age verification is attempting to solve?

You could buy 19 gallons of milk for that money (80 liters).

There are options that don't involve any ID uploads whatsoever.

The government literally actively prevents people selling all these things to children, rather than permit a free for all and then expect parents to take responsibility for steering their kids away from them.

I mean, historically speaking, we blamed the tobacco companies.

Don't punish the rest of the web for crappy parenting and crappy incentives by companies/govts.

And there would be ways to work around it. If people find that privacy-preserving age verification is not good enough because "some kids will work around it", then nothing is good enough, period. Some will always work around anything.

There is no digital equivalent of "flash an ID card and be done with it" in the surveillance state era of the internet. Using a CC is the closest we have and even then you're giving data away.

A child with an iPhone, Xbox, and a Windows Laptop won't be able to install discord unless the parent explicitly lets them, or opts out of all the parental controls those platforms have to offer.

The tech is here already, this is not about keeping children safe.

and there is nothing I or the few (in terms of power) well-meaning government and corporate actors can do to change that.

How far does it go? Are all bugs features? Shall we assume that Boeing (via MCAS) and Ford (via the Pinto) were trying to kill their passengers? There's a difference between ulterior motive and incompetent execution of expressed intention.

The verifier gets no other information than the strictly necessary (issuer, expiry, that kind of thing) and the over 18 bit, but can trust that it's from a real credential.

That's not strictly a zero knowledge proof based system, though, but it is prvacy-preserving.

amplifying your point, there is effectively no way for the layperson to make this distinction. And because the app needs to send data over an encrypted channel, it would be difficult at best for a sophisticated person to determine whether their info is being sent over the wire.

If they did the right thing and only asked for the over 18 bit, then they wouldn't have a trackable identifier.

yup we should all be able, to talk to our kids instead of screaming at them.

Exactly the same way that kids used in former days to get cigarettes or alcohol: simply ask a friend or a sibling.

By the way: the owners of the "well-known" beverage shops made their own rules, which were in some sense more strict, but in other ways less strict than the laws:

For example some small shop in Germany sold beverages with little alcohol to basically everybody who did not look suspicious, but was insanely strict on selling cigarettes: even if the buyer was sufficiently old (which was in doubt strictly checked), the owner made serious attempts to refuse selling cigarettes if he had the slightest suspicion that the cigarettes were actually bought for some younger person. In other words: if you attempted to buy cigarettes, you were treated like a suspect if the owner knew that you had younger friends (and the owner knew this very well).

Digital ID with binary assertion in the device is an API call that Apple's app store curation can ensure is called on app launch or switch. Just checking on launch or focus resolves that problem. It's no longer the account being verified per se, it's the account and the use.

(So you need to keep all your stuff into one device to be fully tracked easily. And have no control over your device, share your location… )

If we must have controls, I hope the process of circumventing them continues to teach skills that are useful for other things.

Considering the echo chamber in which I was at school, my friends would have simply used some Raspberry Pi (or a similar device) to circumvent any restriction the parents imposed on the "normal" devices.

Oh yes: in my generation pupils

- were very knowledgeable in technology (much more than their parents and teachers) - at least the nerds who were actually interested in computers (if they hadn't been knowledgeable, they wouldn't have been capable of running DOS games),

- had a lot of time (no internet means lots of time and being very bored),

- were willing to invest this time into finding ways to circumvent technological restrictions imposed upon them (e.g. in the school network).

As it is we're seeing companies capture IDs and face scans and it's incredibly invasive relative to the need - "prove your birth year is in range". Getting hung up on unlinkable sessions is missing the forest for the trees.

At this point I think the challenge has less to do with the crypto primitives and more to do with building infrastructure that hides 100% of the complexity of identity validation from users. My state already has a gov't ID that can be added to an apple wallet. Extending that to support proofs about identity without requiring users to unmask huge amounts of personal information would be valuable in its own right.

The problem with social media isn't the inherent mixing of children and technology, as if web browsers and phones have some action-at-a-distance force that undermines society; it's the 20 years or so they spent weaponizing their products into an infinite Skinner box. Duck walk Zuckerburg.

This is all assuming good faith interest in "the children," which we cannot assume when what government will gain from this is a total, global surveillance state.

Stronger punishment creates more of an incentive to age verify. Which is basically why it's happening now.

Gee, I wonder if the executives who are suspected of doing such things haven't spent the last 100 years building the infrastructure necessary to avoid charges, let alone jail time? Large corporate legal departments, wink-wink-nudge-nudge command and control hierarchies where nothing incriminating is ever put into writing, voluminous intra-office communications that bury even the circumstantial evidence so deeply no jury could understand it even if the plaintiffs/state could uncover it, etc.

Anyone over the age of 12 that thinks corporate entities can be made to be accountable in a meaningful way is more than naive. They are cognitively defective. Or is it that you realize they can't be held accountable but you'd rather maintain the status quo than contemplate a country which abolished them and enforced that all business was the conducted by sole proprietorships and (small-n) partnerships?

You think the idea of parents, not governments, being responsible for parenting doesn't translate well to voters? In the country founded on the idea of freedom from overreaching governance and personal responsibility?

EUDI wallets are connected to your government issued ID. There is no "highly invasive age verification".

We are literally sending a request to our government's server to sign, with their private key, message "this john smith born on 1970-01-01 is aged over 18" + jwt iat. There are 3 claims in there. They are hashed with different salts. This all is signed by the government.

You get it with the salts. When you want to prove you are 18+ you include salt for the "is aged over 18" claim, and the signed document with all the salts and the other side can validate if the document is signed and if your claim matches the document.

No face scanning, no driver license uploading to god-knows-where, no anything.

> to obtain 30 single use, easily trackable tokens that expire after 3 months

This is the fallback mechanism. You are supposed to use bbs+ signatures that are zero knowledge, are computed on the device and so on. It is supposed to provide the "unlinkability". I don't feel competent enough to explain how those work.

> jailbreaking / "prevent tampering"

This is true. The eidas directive requires that secret material lives in a dedicated hardware / secure element. It's really not much different than what a banking app would require.

> You have to blindly trust that the tokens will not be tracked

This is not true, the law requires core apps to be opensource. Polish EUDI wallet has been even decompiled by a youtuber to compare it with sources and check if the rumors about spying are true. So you can check yourself if the app tracks you.

Also we can't have a meaningful discussion without expanding on definition of "tracking".

Can the site owner track you when you verify if you are 18+? Not really, each token is unique, there should be no correlation here.

Can the government track you? No, not alone.

Can the site owner and the government collude to track you? Yes they can! Government can track all salts for your tokens, site can collect all salts, they can compare notes. There are so called policy mitigations currently: audits and requirements for governments to remove salts from memory the moment stuff is issued.

Can they lie? Sure.

Can the site owner and the government collude to track you if you are using bbs+? No. Math says no.

Can they lie if you are using bbs+? Math says no.

The inherent problem with all zero knowledge identity solutions is that they also prevent any of the safeguards that governments want for ID checking.

A true zero knowledge ID check with blind signatures wouldn't work because it would only take a single leaked ID for everyone to authenticate their accounts with the same leaked ID. So the providers start putting in restrictions and logging and other features that defeat the zero knowledge part that everyone thought they were getting.

One of the most highly valued tech companies of today makes a software that sometimes talks its user's into killing themselves. Some guy put "uwu notices bulge" on a bullet casing and shot Charlie Kirk: things turned out fine indeed.

The Swiss design actually doesn't store the issued tokens centrally. It only stores a trust root centrally and then a verifier only checks the signature comes from that trust root (slightly simplified).

- Many parents don't think about restricting their kids' online exposure at all. And I think a larger issue than NSFW is the amount of time kids are spending: 5 hours according to this survey from 2 years ago https://www.apa.org/monitor/2024/04/teen-social-use-mental-h.... Educating parents may be all that is needed to fix this, since most parents care about their kids and restrict them in other ways like junk food

- Parents that want to restrict their kids struggle with ineffective parental controls: https://beasthacker.com/til/parental-controls-arent-for-pare.... Optional parental controls would fix this

In the USA it depends on the state. Federal guidelines for alcohol law does suggest exemptions for children drinking under the supervision of their parents, but that's not uniformly adopted. 19 states have no such exceptions, and in many of the remaining 31, restaurants may be banned from allowing alcohol consumption by minors even when their parents are there.

This problem probably can't be solved entirely technologically, but technology can definitely be a part of solving it. I'm sure it's possible to make parental controls that most kids can't bypass, because companies can make DRM that most adults can't bypass.

A government could implement the equivalent of China's great firewall. Even if it doesn't stop everyone, it would stop most people. The main problem I suspect is that it would be widely unpopular in the US or Europe, because (especially younger) people have become addicted to porn and brainrot, and these governments are still democracies.

He is currently prepping to overthrow his local Pizzeria while the rest of us argue as if social media even exists anymore (it doesn't, it's just algorithmic TV now).

No matter what the actual mechanism is, I guarantee they will insist on something like that.

An 18-year-old creating an account for a 12-year-old is a legal issue, not a service provider issue. How does a gas station keep a 21-year-old from buying beer for a bunch of high school students? Generally they don't, because that's the cops' job. But if they have knowledge that the 21-yo is buying booze for children, they deny custom to the 21-yo. This is simple.

This isn't true, there is no federal requirement for a cellular modem in cars. Most modern cars have one, but nothing prevents you from disabling or removing it. I certainly would not tolerate such a "bug" in by car.

> In the US every store tracks and report to ad networks your Bluetooth ids.

This also isn't true, modern phones randomize Bluetooth identifiers. I personally disable Bluetooth completely.

If we fight every and any solution, we may end up with their solution, becauase they build it. We end up in the position of saying "don't use the thing they built" without offering alternatives. I'd rather be saying "use whatbwe built, ita is better."

We should be able to verify facts about people on the internet without compromising personal data. Giving platforms the ability to select specific demographics will, in my view, make the web a better place. It doesn’t just let us age restrict certain platforms, but can also make them more authentic. I think it’s really important to be able to know some things to be true about users, simply to avoid foreign election interference via trolling, preventing scams and so much more.

With this, enforcement would also be increasingly easy: Platforms just have to prove that they’re using this method, e.g. via audit.

"People of the same trade seldom meet together, even for merriment and diversion, but the conversation ends in a conspiracy against the public." - Adam Smith

LOL.

Of course these technologies keep existing, and you end up with the worst, most wretched people implementing them, and we're all worse off. Concretely, few people are working on ZKPs for age verification because the hive mind of "good people" who know what ZKPs are make working on age verification social anathema.

From what I’ve seen, most of the pro-ID commenters are coming from positions where they assume ID checks will only apply to other people, not them. They want services they don’t use like TikTok and Facebook to become strict, but they have their own definitions of social media that exclude platforms they use like Discord and Hacker News. When the ID checks arrive and impact them they’re outraged.

Regulation for thee, not for me.

A service provider of adult content now cannot serve a child, regardless of the involvement or lack thereof of a parent.

They are bothered that you were taught such things and have made sure that your children will never be exposed to such information.

To regulate access to addicting material. This is done in the physical world - why should digital be lawless when it applies to the same human behaviors?

I've been addicted to a lot of digital media parts in harmful ways and I had the luck and support to grow out of most of it. A lot of people are not that lucky.

If governments want to require private companies to verify ages, those same governments need to provide accessible ways for their citizens to get verification documents, starting from the same age that is required.

Because one could argue that the government could keep track of the keys they give away.

That is where blind signing is interesting. The government can sign _your_ key without knowing it.

Maybe it's about time that the proven predatory companies be restricted to something like their own adults-only internet cafes where age can be checked at the door.

They had their chance with the open internet and they blew it.

You're saying the status quo and I think its fair to state you wouldn't intentionally design the status quo. Unless we have some wizard wheeze where we can easily arrest and detain or otherwise effectively punish parents without further reducing the quality of life for their children.

Hypothetically, if every kid in your social circle had their device "locked", the adults would probably have a very hard time the kids away from their devices, or just relent, because the kids would be very unhappy. Although maybe with today's knowledge, most people will naturally restrict new kids who've never had unrestricted access, causing a slow culture shift.

The whitelist would be decided by the market: the parents have the unlocked device, there are multiple solutions to lock it and they choose one. Which means that in theory, the dominant whitelist would be one that most parents agree is effective and reasonable; but seeing today's dominant products and vendor lock-in...

I could not control how my parents were going to raise me, I was only able to play with the hand I was dealt. I hate the idea that parents are sacrosanct and do not share blame in these situations. At the same time, if this is just the family situation you're given and you're handed a device unaware of the implications, who is going to protect you from yourself and others online if your parents won't? Should anyone?

They work hand in hand with governments around the world, that's why they get the tax breaks. In return they hand over details about your opinions, social networks and whereabouts, not to mention facial recognition data via Facebook. They aren't remotely capitalist in any real sense since they have a bad business model.

This is exactly what one of our neighbors did when I was growing up.

All the kids loved it.

There just weren't very many lawsuits back then like there are now after the number of attorneys proliferated so much.

To be as safe as they could, the parents put the trampoline in a pit where the bouncing surface was at ground level.

If you drove by, you wouldn't even be able to see it, or have any idea that it was there.

Unless there was somebody bouncing at the time.

You should have seen the look on peoples' faces when they drove down our street and saw that for the first time :)

There is a difference between identifying specific children, and running programs that target children more generally; and / or having research that shows how your product harms children, and failing to do anything to stop it. We can tackle both of those issues without requiring age verification. We're headed down the path of age verification because we know now that not only is social media harmful, it's especially harmful to kids, and has been specifically targeted to them. Those are things that can be fixed, regardless of how you feel about age verification. Its not different than tobacco being not allowed to create advertisements for kids; its the same type of people doing the same types of things in the end.

what i'm saying is these discussions around parenting have had zero impacts on preventing the passage/implementation of such legislation/policies to date despite many smart people in here understanding what's actually at stake. and it's very likely that these parenting discussions will again go on to have absolutely zero impact on preventing the continued impelmentation of id verification on platforms. these policies/legislations aren't simply being implemented because people have failed to fully thought-exercise out good/bad parenting styles enough yet in the marketplace of ideas, it's becoming a reality because we aren't collectively raising awareness of the downstream ways this legislation will be harnessed for shitty outcomes. we aren't talking about it for what it is, but instead talking about it in the way they want us to talk about it. these parenting discussion points have been beaten to death and nothing new or novel is being shared, and rather than looking straight at the wolves right here in the room with us (data brokerage & who benefits from this type of data brokerage & figuring out how to stop it) people just look at each other and get butthurt about idealogical parenting differences. it's literally a slice of the now-ever-so-common 2d culture war we're all acutely aware exists, right here on hackernews, and we're all actively participating.

Now your EU government requires you to have an unmodified Google or Apple device to use any age restricted services. Cementing the US mobile OS duopoly and locking out any free systems and desktop etc. forever.

Any governmental service taking part in this is a violation of civil rights and even if you don't care about those, maybe you care about digital sovereignty.

This is so lightly handwaved away, almost as if attention needs to be drawn away. By the looks of this I'd say the end of general computing might be the actual goal, and all the age verification is just yet another "think of the children" pretense?

https://www.forbes.com/sites/federicoguerrini/2025/08/10/who...

If the "18+ claim" can't be linked to your identity and doesn't have any rate limits, someone can set up a token-as-a-service to sell tokens on the black market.

> Government can track all salts for your tokens, site can collect all salts, they can compare notes. There are so called policy mitigations currently: audits and requirements for governments to remove salts from memory the moment stuff is issued.

> Can the site owner and the government collude to track you if you are using bbs+? No. Math says no.

How does the math say no? Big tech companies already log absolutely everything. What's going to stop the government from keeping all the salts they're issuing and then mandating that site operators add the salts to their existing logs?

> Can they lie? Sure.

Well, they've lied to us over and over when it comes to surveillance, so I think at this point it's reasonable to assume they're lying unless it's technically impossible. Where's the in-person key verification that used to be in Whatsapp? How do the authorities get notified when someone makes a poorly thought out joke using Snapchat private messages before getting on a plane? Why is there a war on end-to-end encryption?

We're going to pay a fortune for these supposed zero knowledge systems and that's what it's about. Select companies are going to get paid to issue tokens and the scale is going to create a few new billionaires.

The people in charge are going to gain a ton of power when they betray everyone and disenfranchise us.

The Swiss E-ID system stores people identifiers and token status lists in their so-called "Base Registry". From https://swiyu-admin-ch.github.io/technology-stack/#credentia...

> Decentralized Identifiers (DID) developed by the W3C represent an identifier standard that provides a subject-controlled method for identifying individuals, organizations, or objects online. In the swiyu Trust Infrastructure, DIDs are utilized as a standard identifier for issuers and verifiers. They are centrally hosted on the swiyu Base Registry.

> In this protocol, the trusted authority issues certifications (“trust statements”) concerning the identity (i.e., who is the real-world identity controlling a DID) and legitimacy (i.e., who is allowed to issue or verify credentials of a specific VC schema) about an entity as SD-JWT VC and publishes these trust statements in the trust registry.

> Token Status Lists are signed, maintained and published by the credential issuers but hosted on the Base Registry.

Requiring everyone to show their id on every website will not change that. It will limit free speech though.

Did you mean "mandatory" parental controls? All current systems are optional and as you describe they are frequently ineffective, so not clear why keeping things like they are would be different.

Porn is not just political information about human right abuses, government overreach or heavily censored overview of concentration camps for "group X". People can live just fine with government censorship buying into any kind of propaganda.

Kids would find a way to access porn though. Whatever it VPNs, tor or USB stick black market. Government cant even win war on drugs and you expect them to successfully ban porn. What a joke.

People do hide their intentions but that doesn’t give us a license to reduce complex system dynamics to absurdities.

Governments (and a few companies) really want this.

Is it more important to prevent your son from being weaponized and turned into a little ball of hate and anger, and your daughter from spending her teen years depressed and encouraged to develop eating disorders, or to make sure they can binge the same influencers as their "friends"?

because their parents didn’t read the research or don’t care about the opportunity cost because it can’t be that big of a deal or it would not be allowed or legal right? at least not until their kid gets into a jam or shows behavioral issues, but even then they don’t evaluate, they often just fall prey to the next monthly subscription to cancel out the effects of the first: medication

This is a huge self own. I can't believe I'm reading this on a website called "hacker news".

- Governments benefit from easier monitoring and enforcement.

- The advertising industry prefers verified identities for better targeting.

- Social media companies gain more reliable data and engagement.

- Online shopping companies can reduce fraud and increase tracking.

- Many SaaS companies would also welcome stronger identity verification.

In short, anonymity is not very profitable, and governments often favor identification because it increases oversight and control.

Of course, this leads to political debate. Some point out that voting often does not require ID, while accessing online services does. The usual argument is that voting is a constitutional right. However, one could argue that access to the internet has become a fundamental part of modern life as well. It may not be explicitly written into the Constitution, but in practice it functions as an essential right in today’s society.

I would start with banning cellphones.

So we should probably get ahead of this debate and push for good ways to do part-of-identity-checks. Because I don't see any good way to avoid them.

We could potentially do ID checks that only show exactly what the receiver needs to know and nothing else.

The reason you don’t see it in policy discussion from the officials pushing these laws is because removal of anonymity is the point. It’s nit about protecting kids, it never was. It’s about surveillance and a chilling effect on speech.

That being said, this is a 1 bit information, adult in current legislation yes/no.

If the identity check was blind it wouldn't actually be an identity check. It would be "this person has access to an adult identity".

If there is truly no logging or centralization, there is no limit on how many times a single ID could be used.

So all it takes is one of those adult blind signatures to be leaked online and all the kids use it to verify their accounts. It's a blind process, so there's no way to see if it's happening.

Even if there was a block list, you would get older siblings doing it for all of their younger siblings' friends because there is no consequence. Or kids stealing their parents' signature and using it for all of their friends.

Realizing that much of the internet is totally toxic to children now and should have a means of keeping them out is distinct from agreeing to upload ID to everything.

A better implementation would be to have a device/login level parental control setting that passed age restriction signals via browsers and App Stores. This is both a simpler design and privacy friendly.

The hardware providers already have the information. You only need to make them reveal it to 3rd parties.

For example, with a German ID you can provide proof that you are older than 18 without giving up any identifying information. I mean, nobody uses this system at the moment, but it does exist and it works.

Gambling isn’t introducing substance into user system it is making use of existing brain chemicals.

Social media companies engineered every piece of addictive mechanisms from gambling to alter brain chemistry or reactions of users.

On the flip side, I do think we should also hold companies more accountable for this. We collectively prevented companies from advertising tobacco to minors through regulation with a pretty massive success rate. These companies know how harmful social media can be on youth, and there is little to no effective regulation around how children learn about these platforms and get enticed into them.

Also, if they were genuinely responsible, why can a child's parents be held accountable for them developing an addiction? The company was responsible, not the parent... do you see how ignorant that sounds?

Additionally, the laws I've read mandate that no data be retained, so you have stronger legal protections than typical credit card use, or even giving your ID to a store clerk for age restricted purchases (many stores will scan it without asking, and in some states scanning is required).

I'm against these age-verification laws, but to say it's impossible to comply with open-source software isn't really true.

Most actual studies done on this topic find very little evidence this is true.

It's a run-of-the-mill moral panic. People breathlessly repeating memes about whatever "kids these days" are up to and how horrible it is, as adults have done for thousands of years.

I expect some emotional attacks in response for questioning the big panic of the day, but before you do so please explore:

[1] Effects of reducing social media use are small and inconsistent: https://www.sciencedirect.com/science/article/pii/S266656032...

[2] Belief in "Social media addiction" is wholly explained by media framing and not an actual addiction: https://www.nature.com/articles/s41598-025-27053-2

[3] No causal link between time spent on social media and mental health harm: https://www.theguardian.com/media/2026/jan/14/social-media-t...

[4] The Flawed Evidence Behind Jonathan Haidt's Panic Farming: https://reason.com/2023/03/29/the-statistically-flawed-evide...

Sure, there's a lot of corruption right now. Doesn't have to stay that way.

The "open source" apps connect to proprietary backends run by a third party that you have to blindly trust. If EUDI wallets were truly open source and free from blindly trusting any authority, then you could simply remove that requirement and issue your own tokens without the use of potentially malicious third party.

That is not true and "true zero knowledge ID check" + "age verification" with blind signatures is what's being implemented by the EU ID project.

So someone's id leaks. It happens. In EUDI there are things called "cryptographic accumulators of non-revocation proofs". If your ID leaks it goes into the accumulator. Similar to the certificate revocation lists. During check, you include claims "im over 18" and "my id is not in the accumulator".

This is included in the standard.

This is also (I can only assume) one of the reasons why EUDI wallets require play integrity / attestation / secure element on the device. So your private key won't be easily leaked and no one can steal your ID.

Another thing: I fundamentally disagree with certain age rarings for kids content. Some explicit violence is rated OK for young audiences, but insert a swear word or a some skin and the age rating is bumped up? This rating system is nonhelp at all. I have to review each bit of content anyway before I can be certain.

This is exactly what I meant by my above comment: It’s like the pro-ID check commenters have become completely disconnected from how young people work.

Someone’s 18 year old sibling isn’t going to be stopped by “should know better”. They probably disagree with the law on principal and think it’s dumb, so they’re just helping out.

Since people are already talking about using the law instead of parenting this needs clarification. Are the parents the one that would revoke their privileges or the government?

They don't? Teenagers can easily get their hands on alcohol... you just need to know the right person at school who has a cool older brother. If their older brother is really cool they can get weed too!

The police absolutely do not have the time to investigate the crime of making a discord account for someone.

if the goal is "surveil everyone using the internet", yes, very obviously my proposal would not be selected, and you will have to upload your id to various 3rd-party id verifiers.

to go on tiktok, you enter a UUID once onto your account, and thats it. the only person that sees your id card is the store clerk that glances at the birth date and says "yep, over 18" when you are buying the "age token" or whatever you want to call it. no copies of your id are made, it cant be hacked, theres no electronics involved at all. its just like buying smokes. theres no tie between your id and the "age token" UUID you received.

theres no fanciness to it, either. itd be dead simple, low-tech, cheap to implement, quick to roll out. all of the enforcement laws already exist.

>Why should I have to share more than required?

you shouldnt. having to prove age to use the internet is super dumb. but thats the way the winds are blowing apparently. if im gonna have to prove my age to use the internet, id much rather show my id to the same guy i buy smokes from (and already show my id to) than upload my id to a bunch of random services.

and yeah, your phone gives all the deniability and randon ids, etc. but if you allow apps to access location it's game over. also, just go see that google sells one option where you pay by people who saw you ad physically entered a store. (ps: sadly, I implemented the DSP side of this)

Absolutely.

This is much better than destroying "the greatest source of knowledge in the history" to make it safe for kids.

This is true of basically any issue discussed on the internet. Saying it must be astroturfing is reductive

First of all, you cannot know that, since plenty of people before you learnt that stuff from libraries.

>So you would deny children the greatest source of knowledge in the history?

Yes, because other sources of knowledge exist and are much more appropriate for children. It is also the greatest source of despicable stuff in history. When you turn 18, have fun exploring the world wide web.

So many questions. Are you campaigning against billboards in your city? Do you avoid taking your kids to any business that has digital signage? I assume you completely abstain from all types of movies and TV? What about radio or books?

What are you, personally, doing on HN?

Fascinating.

"Real" user verification is a wet dream to googlr, meta, etc. Its both a ad inflation and a competive roadblock.

The benefits are real: teens are being preyed upon and socially maligned. State actors and businesses alike are responsible.

The technology is not there nor are governments coordinating appropiate digital concerns. Unsurprising because no one trusts gov, but then implicitly trust business?

Yeah, so obviously, its implementation that will just move around harms.

In Poland we have the same setup.

Its not unreasonable to assume that he would seek to automate his bullshit.

See here for some examples:

https://www.techdirt.com/2022/08/26/who-would-benefit-from-c...

https://www.michaelgeist.ca/2025/10/senate-bill-would-grant-...

Groups of people who wake up at the same time of the day often have a tendency to be from a similar place, hold similar values and consume similar media.

Just because a bunch of people came to the same conclusion and have had their opinions coalesce around some common ideas, doesn't mean it's astroturfing. There's a noticeable difference between the opinions of HN USA and HN EU as the timezones shift.

"use a token from the device so the ID never leaves, this is way better right!"

This is the true objective. They actually want DEVICE based ID.

I want LESS things that are tied to me financially and legally to be stolen when(not if) these services and my device are compromised.

All these services have accounts, and the only time you need to do an age check is when the account is created.

Ah. I see, you believe that the godzilla monsters are useful and that you know how to make leashes for them that will definitely work this time.

But imagine if a locked device was treated like alcohol. Most kids get access to alcohol at some point despite it being illegal, often from older siblings, and rarely with legal consequences for the adult. But it's much less of an issue, because most kids don't get it consistently. Furthermore, "good" kids understand that it's bad, and even some "bad" kids understand that they must limit themselves.

So like CT logs, but several orders of magnitude bigger? I thought centralized TLS revocation lists failed due to scale. How will this differ?

I am not sure I understand this.

I am aware that manufacturers benefit from spying on people through car telemetry, or else they would not shoulder the cost of providing a cell plan. But, I, the owner of the vehicle, have every right to literally cut the cord (or simply unplug and remove the cellular modem).

> and yeah, your phone gives all the deniability and randon ids, etc. but if you allow apps to access location it's game over.

I don't. I run GrapheneOS (fully degoogled), and the only apps allowed to access location services are OSMand and a self-hosted Home Assistant instance. Of course that does not change the fact that millions of other people are being spied on.

I consider it a huge success of the Internet architects that we were able to create a protocol and online culture resilient for over 3 decades to this legacy meatspace nonsense.

> That being said, this is a 1 bit information, adult in current legislation yes/no.

If that's all it would take to satisfy legislatures forever, and the implementation was left up to the browser (`return 1`) I'd be all for it. Unfortunately the political interests here want way more than that.

At least here in US: Google/Apple device controls allow app to request whether user meets age requirements. Not the actual age, just that the age is within the acceptable range. If so, let through, if not, can't proceed through door.

I know I am oversimplifying.

But I like this approach vs. uploading an ID to TikTok. Lesser of many evils?

This would only work with something like MS TPM 2 / Apple Secure Enclave (device attestation), which is anti-freedom by design. I was curious if they found a way around that (maybe with time/rate limits, or some actual useful use of blockchain tech).

Obvious flaws are OK. I absolutely hate the Nirvana fallacy that you people think is acceptable here, while hundreds of millions of kids suffer from serious developmental issues, as reported left and right by all kinds of organizations and governments themselves.

This is still the case. The difference now is that the astroturfed bot accounts are pushing for fascism (I.E., the second problem).

The clearest example is LGBTQ kids who want to talk to other LGBTQ kids, or enjoy LGBTQ content, without fundamentalist or just homophobic/transphobic parents finding out. Children of fundamentalist or cult members who want an escape from the cult are another common category.

Design features tend to persist.

The phrase/idiom "the purpose of a system is what it does" maps best to situations where a multiple decisions within a system make little sense when viewed through the lens of the stated purpose, but make perfect sense if the actual outcome is the desired one.

It is an invitation to analyze a system while suspending the assumption of good faith on the part of the implementors.

Is that really evidence of astroturfing? If we're in the middle of an ongoing political debate, it doesn't seem that far fetched for me that people reach similar conclusions. What you're hearing then isn't "astro-turfing" but one coalition, of potentially many.

I often hear people terrified that the government will have a say on what they view online, while being just fine with google doing the same. You can agree or disagree with my assesment, but the point is that hearing that point a bunch doesn't mean it's google astroturfing. It just means there's an ideology out there that thinks it's different (and more opressive seemingly) when governments do it. It means all those people have a similar opinion, probably from reading the same blogs.

So even if their own child has no phone at all, they have access to the internet through other children's unlimited mobile access.

Interesting. Are you saying all the concerns raised by the proponents of ID verification are invalid and meritless? For example,

1. Foreign influence campaigns

2. Domestic influence campaigns

3. Filtering age-appropriate content

I’m sure there are many other points with various degree of validity.

If everyone was banned from facebook we would have organised them via text messages or email. That's the main point of social media age restrictions, individually banning kids is too punishing on those kids so parents and teachers don't try. Doing it across the whole population is much better.

The site guidelines ask users to send those to us at hn@ycombinator.com rather than post about it in the threads, but we always look into such cases when people send them.

It almost invariably turns out to simply be that the community is divided on a topic, and this is usually demonstrable even from the public data (such as comment histories). However, we're not welded to that position—if the data change, we can too.

The cynic in me fears they don't want a privacy-preserving solution, which blinds them to 'who'. Because that would satisfy parents worried about their kids and many privacy conscious folks.

Rather, they want a blank check to blackmail or imprison only their opponents.

That's unnecessarily reductive.

Yes, every solution will have problems, but not all solutions have similar problems.

If a solution has problems such that it can be immediately reduced to security theater and bypassed by any teenager who cares, it's just extra hassle and privacy degradation for the rest of us.

These details matter. If a weak solution is regulated into law and the government discovers kids are easily bypassing it, they will immediately pivot into requiring more restrictions on it.

you get your sd-jwt document signed once and you reuse it for like 30 days or so.

Do you have an A+++++ oven with three panes of glass? It's [relatively] safe to touch and instead of monitoring if a child is somewhere near the oven you have to monitor if the child does not actively open the oven. That's much easier.

I mean, you can. It's like with TLS certificates. The standard is there. The code is there. You can issue your own.

The question is, who will trust you?

What happens when someone sets up a marketplace where people can sell those blind signatures using their ID for $2 each? And then kids just pay $2 to have someone else blindly use their ID to validate the account, because supposedly the system is structured so that nobody can tell which ID was used or tie it back to the account?

How do you know what is "shared talking points" vs "humans learning arguments from others" and simply echoing those? Unless you work at one of the social media platforms, isn't it short of impossible to know what exactly you're looking at?

A signed key is still unique.

- You can still check that user 1 and user 2 don't use the same key.

- You can still issue a challenge to the user every 10 days to make sure he has indeed access to his key and not just borrowed it.

- You can still enforce TPM use of said keys, so that they cannot be extracted or distributed online, but require a physical ID card.

- You can still do whatever revocation system you want for the cases when a key is stolen or lost.

Really the "blind" nature of the signature changes nothing to what you would normally do with a PKI.

Having said that, I think having an "I'm of legal age" tickbox goes quite far enough.

For the ultra-controlling, setting up a "kid's account" using the tools already provided in mainstream OS's [0][1] is a fine option.

[0] <https://www.microsoft.com/en-us/microsoft-365/family-safety>

[1] <https://support.apple.com/guide/mac-help/set-up-content-and-...>

A stronger statement: we know how to build zero-knowledge proofs over government-issued identification, cf. https://zkpassport.id/

The services that use these proofs then need to implement that only one device can be logged in with a given identity at a time, plus some basic rate limiting on logins, and the problem is solved.

The problem with comparing social media use to tobacco is that they are completely different. It's like saying weed is just like heroin because they both make you feel good. It's reductive and not productive.

The completely anti-social media stance ignores the good parts of social media. People can connect from across the planet and found others who shares the same views or experiences. People who are marginalized can find community where none may exist in their local area. So we should approach this more carefully and grounded.

The latter may not be great, but eating potato chips all day also probably isn't, and I don't think the government should outlaw minors eating potato chips. Plus it's variable: some get positive, educational, pro-social, productive outcomes from social media and some don't. Gambling is always bad in the limit.

A simple rule could probably be that if a website can make you lose over $200 of real money, it should probably require age verification. I don't see why other things should.

It’s not that simple. Especially not in politics but even in the domain you’re referencing, have you ever seen Mozilla’s bug tracker? Once your project is so big and involves so many people you move beyond fixing everything you want.

There may be central planning at play, in this case I assume there is, but to claim it necessarily is relies on an oversimplification that doesn’t exist in human political machines that are a giant ship of theseus essentially. There’s no identity -> management capacity proven anywhere enough to make that kind of claim. Institutions inherit and have emergent behavior driven by the dynamics of their constituents/individuals. That includes the inability to create imagined outcomes reliably. The platonic intent and physical regimes cannot be integrated.

Instead it would be more appropriate to let sites pass headers, such as "we have adult content", thst you could filter on the network or client side. It's still voluntary, of course. Anyone will just visit sites that don't have the checks if necessary.

I do think that HN does a better job than most at containing this (thanks for your hard work).

With that being said, i think explaining _in detail_ why you’re laying down certain rules can go a LONG way toward building some trust and productive dialogue with your child. Maybe you’ll find out they are more mature than you give them credit, can loosen up a bit. Or maybe a reasonable compromise can be found. Or maybe they’ll be bitter for a few months, but they’ll at least understand “why”.

1. Automatic shaping of online community discussions (social media, bots, etc)

2. Automatic datamining, manipulating and reacting to all digitally communicated conversations (think dropping calls or MITM manipulation of conversations between organizers of a rival poltical party in swing districts proir to an election, etc. CointelPro as a service)

3. Giving users a new UI (speech) with which they can communicate with computer applications

We've had decades of age gating being "are you 18+ or not" yet it is only now that talks of something more enforceable are coming up. This discussion is largely about how one can create a sense of safety and protection. For the more extreme end it's face scans and submitting ID. Even though these are bypassed by any teenager who cares they are still being pushed seriously because it instills that sense of safety and protection for children. Security theater is just a part of managing the internet and not going away unfortunately.

In theory you cannot export your private key from the device (from the secure element), so for each $2 someone would have to quickly unlock their phone, scan code via the app and so on.

I'm not sure that's the right answer here, but I think it ticks a lot boxes for the state.

If the site you send your information to gets a uniquely identifying piece of information, that's not blind to your identity.

> - You can still check that user 1 and user 2 don't use the same key.

The systems described elsewhere in the thread give people a set of signatures that can't be traced back to their source.

The challenge here though is to prove to the user, especially without forcing the user to go into technical details, that it is indeed private and isn't giving away details.

The user needs to be able to sandbox an app like that and have full control of its communications.

But I don't think we need 99.99% confidence -- isn't even acknowledged that 30% of twitter is bots or something? I think it's safe to conclude there's astroturfing on any significant political issue.

Also as far as documented cases, there were documented cases of astroturfing around fracking [1], or pesticides [2]

1. https://journals.sagepub.com/doi/10.1177/2057047320969435 2. https://www.corywatson.com/blog/monsanto-downplay-roundup-ri...

How do you suppose it is that millions of people, separated by vast geographic distances, somehow all reach similar conclusions all at once?

Related: How do you suppose it is that out of 350-700+ million people (depending on whose numbers you believe), there's always only two "choices" and both of them suck?

In the US, #1 and #2 are invalid and meritless. Wholly and without reservation. One of the huge reasons for the First Amendment is to ensure that people are able to counter lies uttered in the public sphere with truth.

#3 is handled by parental controls that have existed in mainstream OSs for quite some time now. [0][1][2] However, those preexisting parental controls don't justify additional expansion of the power and influence of authoritarians, so here we are.

[0] <https://www.microsoft.com/en-us/microsoft-365/family-safety>

[1] <https://support.apple.com/guide/mac-help/set-up-content-and-...>

[2] <https://support.google.com/android/answer/16766047?hl=en-rw>

I don't think that there is any definitive way to prevent or detect this anymore. The number of personnel dedicated to online manipulation has grown too much, and the technology has advanced too far.

These are now discussions that states and oligarchs have interests in, not Juicero or smart skillet astroturfing. And this remains a forum that people use to indicate elite support for their arguments.

"Citizens will be on their best behavior, because we’re constantly recording and reporting everything that is going on" - Larry Ellison

(I seem to recall from the context of the quote, he isn't saying this is the future he wants, but it's a future he's not particularly opposed to)

But the real threat is "accidental" database leaks from private websites. Let's say you live in a state where abortion isn't legal, and you sign up for a web forum where people discuss getting out-of-state abortions. As soon as that website is required to collect real names (which it will be), it becomes unusable, because nobody can risk getting doxxed.

> you get your sd-jwt document signed once and you reuse it for like 30 days or so

So it still gets routed through the government once a month if you plan on using it.

We've had pediatricians shame us for feeding our kids what they're willing to eat and not magically forcing "a more varied diet" down their throats at every meal, despite them being perfectly healthy by every objective metric. There are laws making it technically illegal for us to leave our kids unsupervised at home for any period of time in any condition, even a few minutes if one of us is running slightly late from work/appointments.

Your not-quite-2-year-old is too tall for a rear-facing car-seat? You're a bad parent, possibly a criminal and putting them at risk by flipping the seat to face forward, a responsible parent spends hundreds of dollars they don't have on several different seats to maybe find one that fits better or have their kid ride uncomfortably and arguably unsafely with their legs hyper-extended up the seatback.

Miss a flu shot because you were busy? Careful you don't come off as an antivaxxer.

And all of this and more on top of changing diapers, doctors' appointments, daycare, preschool, school, family activities and full time jobs?

Yeah, when my kids are old enough to engage with social media I will teach them how to use it responsibly, warn them about the dangers, make myself available to them if they have any problems, enforce putting the phones down at dinner and and keep a loose eye on their usage. Fortunately/unfortunately for them they have a technically sophisticated father who knows how to log web activity on the family router without their knowledge. So if anything goes sideways I'll have some hard information to look at. Most families don't have that level of technical skill.

It worked really well up until she got a school managed chromebook for homework with no access controls.

no, it is exactly as protective as the protections for purchasing alcohol or buying smokes or other controlled substances/products.

buying smokes/alcohol when underage is obviously harder than "click this box". (did you ever try to buy smokes/alcohol when underage? you cant just go up to the clerk at the store when you are 14 and say "trust me bro, im 18/19/21".)

>Anyone who is of legal age can buy UUIDs and pass them around to folks who are not.

same for smoking and alcohol. i could go to the store right now and buy smokes, then hand them to my 10 year old.

we have laws already in place to punish selling smokes/alcohol to underagers, and laws for consuming smokes/alcohol when underage. we can apply those laws to your internet-age-token.

most people seem fine with the current trade-off for smokes/alcohol. i see no reason why tiktok needs to be treated as more dangerous than either.

>Having said that, I think having an "I'm of legal age" tickbox goes quite far enough.

i agree with this and everything you said afterwards. id rather not have any of it.

parents need to start parenting by taking responsibility on what their kids are doing, and government should start governing with regulations on ad tech, addictive social media platforms, instead of using easily hackable platforms for de anonymization, which in turn enable mass identity theft.

The cynic in me says that's not why governments want identity confirmation for gambling websites. It's so you can't dodge the taxman

All is not lost, though: https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...

I also think the FUD they've succeeded in creating around the use of LLMs for code generation (there's a portion of the management class that seems to genuinely believe that Claude Code is AGI) is the greatest marketing operation of our lifetimes.

Thank you for that.

Where I think we are not in agreement the question of "who to trust" and "for what purposes".

Are you going to trust me when I tell you that I'm over 18 if I provide you with the document signed by my cousin, Honest Ahmed?

Are you going to trust me when I show you the document signed by my government?

(this is the trick question, you don't have a choice, law says you must; there's a list of who you need to trust and for what purposes; like a certificate root store in your browser)

No, I think both ideas are bad.

How does digital ID prevents you from speaking out? For example, 2nd amendment requires a lot of hoops in some jurisdictions, which were deemed constitutional, and not violating 2nd amendment. Same with the 1st amendment. You can argue that with digital IDs there will be less privacy and anonymity than before, but it’s a different story.

Moreover, influence campaigns are not about truth or lies, but about making the public loose face on the institutions. A good example of it today is Russia, where the public does not believe that democratic elections are possible at all, in principle.

> #3 is handled by parental controls that have existed in mainstream OSs for quite some time now.

It is not handled perfectly at all, and easily bypassed. To pretend that information access on the internet can be regulated through parental controls is ridiculous.

This was before the heyday of influencer culture, so I can only imagine how sophisticated things are nowadays. It’s not always bots.

I recommend the book Trust Me, I’m Lying for a deep but somewhat dated look at the online influence industry.

In the same way that patriarchy rose amongst them all.

In the same way that a shared currency was deemed necessary.

Escpecially in matters of governance, there is something to be said about how humans like to organise themselves. No country has truly escaped capitalism so far.

When I challenged him on his rhetoric, my comment INSTANTLY disappeared. I thought maybe it was a fluke, so I tried again, and the next comment insta-disappeared also.

Soon thereafter I was locked out of the account and asked to provide a "selfie" to confirm my identity. (I declined.)

You get your document with fields like "can drive", "is over 18" and so on. It's valid for some time; physical ID is valid for like 10 years and then you have to get a new document, this digital one is valid for lets say 30 days and if it expires you get a new one.

Then you present only those fields you want, when you want, without anyone talking to the government at all. All the other party needs to check is "is the document valid" and "do presented fields match the document". Like checking a tls certificate for a given domain name or purpose.

Strictly speaking there is no "routing through the government" of any information. The government just "issues a certificate" valid for X days without knowledge with whom, how or when you are using it.

Right. That's exactly as protective as that tickbox. [0] As I mentioned, any of-age person can distribute those UUIDs to people who are not of-age. Unlike with the proposed ID-collection-and-retention schemes (that are authoritarian's wet dreams) the vendor of the UUID is not responsible for ensuring that that UUID is not later used by someone who is not of-age.

If you were to -say- make alcohol vendors liable for the actions of of-age people who pass on alcohol to not-of-age people, then you'd see serious attempts to control distribution.

[0] Don't forget the existence of preexisting parental controls in every major OS. IME, this is a hurdle that's at least as difficult to surmount as the ID check done in non-chain convenience stores.

> In the same way that they came up with the idea of divine being(s) in the image of man that rule nature.

Thanks to the diligent efforts of the Priesthood, of course, who never cease in their 'education' of humanity as to the 'truth.'

Before the world came under centralized control of the Priesthood, there were many tribes of 'Nephelim'--or no-faith-God-people. (ne-phe-el-im.)

(Nope, it has nothing to do with aliens. Guess who is telling that lie also?)

> In the same way that patriarchy rose amongst them all.

Not among my ancestors the Cherokee. They were a matriarchy. They were wiped out (genocided) by foreigners who were controlled by a paternal Priesthood.

In our own history, we were once ruled by such a priesthood. They were called the Nicotani, or Ani-Kutani. They grew insolent and arrogant and eventually crossed the line when one of them raped a man's wife. They were subsequently exterminated, to the last man.

> In the same way that a shared currency was deemed necessary.

By whom? Who made that decision for you? Is it you who is deciding to get rid of cash and make everything digital too, so that you can be even more easily tracked, controlled, monitored...enslaved?

> Escpecially in matters of governance, there is something to be said about how humans like to organise themselves.

That's just the thing. It's not you organizing yourself.

What? In the US, arguments #1 and #2 are entirely invalid and meritless. As I mentioned:

  One of the huge reasons for the First Amendment is to ensure that people are able to counter lies uttered in the public sphere with truth.

> A good example of it today is Russia, where...

We're talking about the US. Many other governments (and governed people) do not agree that freedom of speech is important or even desirable.

> It is not handled perfectly at all, and easily bypassed.

For quite some time now it has been handled at least as well as these new schemes that authoritarians (and those that profit from their actions) are strong-arming companies into preemptively complying with.

> Moreover, influence campaigns are not about truth or lies, but about making the public loose face on the institutions.

If the institution that's being actually damaged by losing face [0] is (or is intimately associated with) one that has spent the last many decades normalizing the replacement of cogent political discussion with Twitter-grade zingers and ragebait, and is now finding it difficult to engage in cogent discussion then, well, they've made the bed they're now forced to lie in. The way out of that bed is sustained, good faith, cogent discussion, rather than building dossiers and the automated infrastructure for information restriction.

But, in truth, most of the folks pushing these systems aren't interested in cogent discussion and are arguing for them in some combination of ignorance and bad faith.

[0] As is often the case in matters like this, I expect the claimed damage is far, far greater than the actual damage.

... and honest:

- they will honestly tell you that they'd be very happy to see you dead when you impose restrictions upon them (people who are older will of course possibly get into legal trouble for such a statement)

- they will tell they they wish you'd never have given birth to them (or aborted them)

- they will tell you that since they never wanted to be born, they owe you nothing

- ...

Drugs, alcohol, cigarettes, pornography were all illegal for me to access as a kid but I wouldn’t have had any trouble getting any of it.

I don't understand how you keep claiming there is no "routing through the government" right next to your explanations that the government is the one providing the documents every 30 days.

Obviously something in the document is tied to your ID and the government has mechanisms to revoke it. No matter how many layers you put on top of that, this all has to come back to the government's control.

I understand that the salts can be sent to 3rd party websites. However there's obviously a reason that those are only valid for 30 days instead of indefinitely.

no, it isn't, for reasons already mentioned but i will say it again for clarity:

- a 14 year old can click "im of age" on a checkbox.

- a 14 year old cannot go into a gas station and buy smokes. they will be declined.

>As I mentioned, any of-age person can distribute those UUIDs to people who are not of-age.

again... same with smokes and alcohol! but we are okay with how smokes and alcohol are regulated right now.

tiktok is not worse than a bottle of vodka. we are okay with how vodka is regulated. tiktok does not need even more strict age-verification than vodka.

it is not perfect, but it is absolutely more stringent than a checkbox. if you still doubt me, please send one of your 12-14 year old family members to buy a pack of smokes or a bottle of vodka at the nearest store. i will wait for your report.

If I choose to share that salt, and provide my name, someone could hash all that information and compare it to the government-issued document to verify if my name really is john smith (or if my claim "I'm over 18" is valid).

If I don't, they have no way of knowing.

> no "routing through the government"

> government is the one providing the documents

I'm also lost. I mean, this is the government issued ID we are talking about, right? How are you expected to get it if not from the government? "Are you over 18" claim is part of that government issued ID.

They don't have to know which sites or when you are visiting, but they do have to issue you the document.

(To be clear, there are also other options, it doesn't have strictly to be government; for example banks around here can provide ID documents - for their clients. There's a list of who is trusted for what https://eidas.ec.europa.eu/efda/trust-services/browse/eidas/...).

> However there's obviously a reason that those are only valid for 30 days instead of indefinitely.

It's the same reason why we prefer tls certificates with short lifespans.

(Also, like, did you ever go to college? Live in a dorm or apartment with underage students? It was super common for of-age people to buy and distribute booze to substantially underage students. Everyone knew it was happening all the damn time.)

> they are obviously not liable if i buy something legitimately, go home, and feed it to my kid. in that case, i am liable...

And if you changed up the rules to make them liable, you'd see serious attempts at controlling distribution.

What has been the state of the art in parental controls for quite some time is like the current regulatory regime for booze and tobacco. The single thing that needs to change to make it exactly the same would be to make it substantially illegal for US-based publishers to not tag the porn/violence/etc that they publish with age-restriction tags. [0]

What's being proposed and is currently implemented by several big-name sites is even more invasive.

> we are okay with how smokes and alcohol works right now.

I'm not. Either booze and tobacco need to be made into Schedule I substances, or their regulation needs to become much more lax. But I recognize that my opinion on the topic is considered to be somewhat out-of-the-ordinary.

[0] This might already be the law of the land right now. I haven't bothered to check.

At 16 it was easier, but at 8 it wasn’t hard.

PS This post is partly satire, I will leave it to you as to which part is serious.

And this entire thing is about bad parenting. Its always easier to just give the kid a tablet and go back to whatever you were doing. Its always better to actually interact with the kid. That trade-off of time is important because if you mess up when they are young, you spend a lot more time handling issues later on. That time you gained by giving them a tablet will get payed back someday, usually with interest. That's what is happening here.

because they dont matter. parental controls exist today but have been deemed ineffective for the age verification conversation, for whatever stupid reason. so we are stuck trying to figure something else out. do i wish we could just use the existing basic parental controls instead of whatever the hell we are going to end up with? obviously!

the easiest "something else" is to piggy-back on existing age-restriction regulations (i.e. smokes, alcohol, gambling) because they have broad (obviously not ubiquitous, but broad) support. we have decades of experience with them.

and, to that end, you create a little token and you show your id to the store clerk to buy it. the "protect the children" people are satisfied (its the same process everything else age-restricted!), and i dont need to send my id to a peter thiel company. it preserves privacy, it re-uses existing laws, it re-uses existing infrastructure, etc.

or make them good for 1 month, but sold in 12-packs.

Consider that such arguments (just like the arguments of Prohibitionists that resulted in the rise to power of Organized Crime) are made in a varied combination of ignorance and bad faith, and that we should loudly reject them in the strongest possible terms.

To be clear, I'm asserting that the claim that preexisting parental controls are insufficient is an argument made in ignorance and bad faith, not your assertion that the argument is being made.

...if these tokens are as protective as you claim they are, why would it be important for them to expire?

Would you also advocate for the token issued by authoritarians' preferred "send a video of yourself [0] and/or your government-issued photo ID [1] to some random third-party for-profit company" check to frequently expire? If not, what's up with the discrepancy?

[0] Or of someone physically near you who is of-age

[1] See [0]