alt Hacker NewsWe are missing accessible cryptographic infrastructure for human identity verification.
For age verification specifically, the only information that services need proof of is that the users age is above a certain threshold. i.e. that the user is 14 years or older. But in order to make this determination, we see services asking for government ID (which many 14-year-olds do not have), or for invasive face scans. These methods provide far more data than necessary.
What the service needs to "prove" in this case is three things:
1. that the user meets the age predicate
2. that the identity used to meet the age predicate is validated by some authority
3. that the identity is not being reused across many accounts
All the technologies exist for this, we just haven't put them together usefully. Zero knowledge proofs, like Groth16 or STARKs allow for statements about data to be validated externally without revealing the data itself. These are difficult for engineers to use, let alone consumers. Big opportunity for someone to build an authority here.
Replies
A significant obstacle to adoption is that cryptographic research aims for a perfect system that overshadows simpler, less private approaches. For instance, it does not seem that one should really need unlinkability across sessions. If that's the case, a simple range proof for a commitment encoding the birth year is sufficient to prove eligibility for age, where the commitment is static and signed by a trusted third party to actually encode the correct year.
Your crypto nerd dream is vulnerable to the fact that someone under 18 can just ask someone over 18 to make an account for them. All age verification is broken in this way.
There is a similar problem for people using apps like Ubereats to work illegally by buying an account from someone else. However much verification you put in, you don't know who is pressing the buttons on the screen unless you make the process very invasive.
Even if the problem is perfectly solved to anonymize the ID linked to the age, you still have the issue that you need an ID to exercise your first amendment right. 1A applies to all people, not just citizens, and it's considered racist in a large part of the US to force someone to possess an ID to prove you are a citizen (to vote) let alone a person (who is >= 18y/o) w/ 1A rights.
You are missing the point.
They don't care whether you are 14 or not. They want your biometrics and identification. "Think of the children" is just a pretense.
>We are missing accessible cryptographic infrastructure for human identity verification.
like most proposed solutions, this just seems overcomplicated. we don't need "accessible cryptographic infrastructure for human identity". society has had age-restricted products forever. just piggy-back on that infrastructure.
1) government makes a database of valid "over 18" unique identifiers (UUIDs)
2) government provides tokens with a unique identifier on it to various stores that already sell age-restricted products (e.g. gas stations, liquor stores)
3) people buy a token from the store, only having to show their ID to the store clerk that they already show their ID to for smokes (no peter thiel required)
4) website accepts the token and queries the government database and sees "yep, over 18"
easy. all the laws are in place already. all the infrastructure is in place. no need for fancy zero-knowledge proofs or on-device whatevers.