> But if they reveal nothing, isn't it wide open for abuse? Couldn't one over-18-person's proof become everyone's proof, because they can't tell it's the same proof, and the issuer can't tell where or how often the proof is being used?
Yep!
This is why the concept of zero knowledge age gating is such a trap for technically minded people. They imagine receiving a private cryptographic object that can be used to anonymously confirm that the government says it was issued to someone over 18.
That’s completely useless because a single leaked token could be used forever, so nobody actually considers this.
All of the real proposals have various compromises baked in. Some people want to require device attestation, so you could only do this handshake from a government approved device running a government approved operating system. Forget using Linux or maybe even a general purpose computer at all.
Other proposals involve online government handshakes in various ways, with a pinky promise that the government won’t keep logs or tap it for national security purposes. So we get back to anonymous by trust only.
> Some people want to require device attestation, so you could only do this handshake from a government approved device running a government approved operating system. Forget using Linux or maybe even a general purpose computer at all.
The reason this is a non-problem for the purpose being discussed (age verification on social media) is that you can simply allow anyone with a de-Googled phone or using Linux on a laptop (or even Mac or Windows) to bypass the age check. You don't need a 100.0% accuracy solution; anything above 90% is fine.
Essentially all teenagers are using social media on Android or iOS with apps from the official app store. If you make social media unavailable only on those devices, they are not going to be switching en masse to SailfishOS or start carrying around backpacks with laptops.
Maybe a few will. But then they're going to be very lonely on their social media and subsequently stop caring.
From my limited knowledge of ZKP I believe there are protocols that don't allow token reuse, i.e., once you consume a token for one round, you cannot reuse it for another attestation.
We might be overcomplicating things here.
The governments’ focus might be on protecting genuine users (adults or not), not fighting fraudsters.
In other words if ZKP works for the vast majority of technically illiterate people with their EU ewallet, the job is done.
> All of the real proposals have various compromises baked in. Some people want to require device attestation, so you could only do this handshake from a government approved device running a government approved operating system. Forget using Linux or maybe even a general purpose computer at all.
SPOT ON! This needs to be plastered across the top of every single thread on "age verification" (really: identity verification).
Talk of "zero knowledge proofs" or other technical schemes is essentially just nerd sniping on this topic. These sound like really cool solutions where we can have our cake and eat it too, but the reality is that the cool technical bits are just the tip of the iceberg. For them to actually be secure (i.e. prevent the trivial proxying of credentials), there has to be another, much more draconian, part to the system.
Even if that part is missing to begin with, then calls to add it down the line will be inevitable once the idea that websites are responsible for verifying users' "ages" (identities) has taken hold and those flaws become glaringly apparent.
I am a parent who will be staring down this issue in a few short years. The Internet is not the place we grew up. Faceboot and other engagement-farming companies are most certainly malevolent threats to the human psyche [0], and it's reasonable to assume that their effects are even stronger on developing minds.
The only approaches that are workable to protect kids as well as preserve Internet/computing freedom (which is actually an additional angle of protecting kids from continuing loss of freedom to roam) involve the client device being responsible for what to block/show, with information only ever flowing from the server to the client - for example tags that assert a site/app is suitable for people over a given age, and on-device parental control software that operates on those tags. If parental controls are enabled and a website has no tags, then the site does not display - failing closed and preserving compatibility with the open web.
Given that this is a dire problem that parents face that has reached a tipping point, it would be reasonable to create a legal mandate that mass market device manufacturers must include parental control software that can be enabled during the setup process, and that websites over a certain size have to include tags stating their age appropriateness. That would bootstrap the ecosystem and lead to the development of more vibrant tags and blocking software, enabling parents to set their own policies independent of corporate attorneys decreeing what is acceptable for their kids.
[0] It is also worth keeping in mind that it is exactly Faceboot and its ilk that are pushing these identity verification laws in the first place! They are simply trying to remove their legal liability for harming kids, so they can otherwise continue business as usual.
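The client-side, fail-closed design sketched in the comment above, written out as an added example (not code from the commenter or from any existing product). It assumes a constructed tag format carried in a hypothetical `X-Age-Suitability` response header with a `min-age=N` field; the page describes "tags" but specifies no format. The only information flow is from server to client, and with parental controls enabled a missing or malformed tag blocks the page.

```python
"""Fail-closed, on-device age-tag filter (added example).

The server only ever advertises the minimum age its content is suitable
for; parental-control software on the device decides what to show.  With
controls enabled, an absent or unparseable tag blocks the page (fail
closed).  With controls disabled everything is shown, so the open web is
untouched.  Header name and tag syntax are constructed for this example.
"""
from dataclasses import dataclass
from typing import Mapping, Optional

TAG_HEADER = "x-age-suitability"   # hypothetical header, e.g. "min-age=13"


@dataclass(frozen=True)
class ParentalPolicy:
    enabled: bool    # parental controls switched on during device setup
    child_age: int   # known only to the device, never sent anywhere


def parse_min_age(headers: Mapping[str, str]) -> Optional[int]:
    """Return the advertised minimum age, or None if the tag is absent or malformed."""
    raw = {k.lower(): v for k, v in headers.items()}.get(TAG_HEADER)
    if raw is None:
        return None
    for field in raw.split(";"):
        key, _, value = field.strip().partition("=")
        if key.strip().lower() == "min-age" and value.strip().isdigit():
            return int(value)
    return None   # present but malformed: treated exactly like missing


def decide(policy: ParentalPolicy, headers: Mapping[str, str]) -> tuple[bool, str]:
    """Return (show, reason). Only local state and the server's tag are consulted."""
    if not policy.enabled:
        return True, "parental controls off"
    min_age = parse_min_age(headers)
    if min_age is None:
        return False, "no usable age tag: fail closed"
    verdict = policy.child_age >= min_age
    return verdict, f"tagged min-age={min_age}, child is {policy.child_age}"


if __name__ == "__main__":
    child = ParentalPolicy(enabled=True, child_age=12)
    for hdrs in ({"X-Age-Suitability": "min-age=13"}, {"X-Age-Suitability": "min-age=0"}, {}):
        print(hdrs, "->", decide(child, hdrs))
```

Because the decision happens on the device, a site that wants to be reachable by children has an incentive to publish a tag, while untagged sites keep working for everyone whose controls are off.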
Why would a token a) last forever, and b) not be created as a response by your smart ID card to a challenge token?
You can use a Linux… if it’s an Android
:(
There are a variety of schemes possible that do not have these flaws.
There's an interesting post here which goes into some of this - https://blog.cryptographyengineering.com/2026/03/02/anonymou...
So -
> Yep!
Actually nope.
I agree with your analysis, but doesn't that make this blog post by Google a bit overoptimistic, or even disingenuous?
You can fix the leaked token problem if your prover also proves that (a) the private token id is not on the public revocation list, and (b) the token has not yet expired. Use short expirations and auto-renew; this is just to keep the revocation list from growing forever.
Attackers could still compromise the system with proxies, but you can fix that by (a) passing in a random session id from the server so proofs can't be replayed, (b) also passing in the server's public key, so a MITM attack will result in a proof the server can't verify, and (c) as you mention, using secure hardware on the client, and encrypting communications between that hardware and the server. The secure hardware doesn't have to preclude general-purpose computers; it can work like a YubiKey or hardware wallet, just plug into USB or Bluetooth.
Without proxies, a leaked key has a minor impact unless it's widely distributed online, in which case it's easy to notice and add to the revocation list.
Tracking clients can be prevented if the client generates a new public key for each session.
Requiring hardware is in one sense a downside, and strong protections for access would have to be part of the law. But giving everyone secure cryptographic hardware that can do key management and zero-knowledge proofs would be a huge improvement for everyone's privacy and security, so it might be a good trade.
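Points (a) and (b) of the comment above, binding the proof to the server's session id and public key and attaching an expiry, as an added example that is not the commenter's code or any deployed scheme. A plain Schnorr proof of knowledge of a discrete log stands in for the real anonymous-credential proof; the issuer side and the revocation non-membership proof are not modelled. The 256-bit safe-prime group is generated deterministically as a toy parameter, the server key is placeholder bytes, and the client draws a fresh key pair per session so two presentations share nothing. A captured transcript then fails against a different session id or a different server key.

```python
"""Session-bound proof of credential possession (added example, stdlib only)."""
import hashlib
import random
import secrets
import time

_BASES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def _probably_prime(n: int) -> bool:
    """Trial division plus Miller-Rabin with fixed bases (deterministic result)."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _safe_prime(bits: int, seed: int) -> int:
    """Deterministically find p = 2q + 1 with p and q prime (toy parameter generation)."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if _probably_prime(q) and _probably_prime(2 * q + 1):
            return 2 * q + 1


P = _safe_prime(256, seed=2026)  # constructed toy group; use a standard curve in practice
Q = (P - 1) // 2                 # prime order of the quadratic-residue subgroup
G = 4                            # a quadratic residue, hence a generator of that subgroup


def _ib(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def _challenge(y: int, t: int, session_id: bytes, server_pubkey: bytes, expires_at: int) -> int:
    """Fiat-Shamir challenge: everything the proof must be bound to goes into the hash."""
    h = hashlib.sha256(b"age-proof-v1")
    for part in (_ib(P), _ib(G), _ib(y), _ib(t), session_id, server_pubkey, _ib(expires_at)):
        h.update(len(part).to_bytes(4, "big") + part)  # length prefixes keep the encoding unambiguous
    return int.from_bytes(h.digest(), "big") % Q


def prove(x: int, session_id: bytes, server_pubkey: bytes, expires_at: int) -> dict:
    """Client side: prove knowledge of x for y = G^x, bound to this session and this server."""
    y = pow(G, x, P)
    r = secrets.randbelow(Q - 1) + 1
    t = pow(G, r, P)
    c = _challenge(y, t, session_id, server_pubkey, expires_at)
    return {"y": y, "t": t, "s": (r + c * x) % Q, "expires_at": expires_at}


def verify(proof: dict, session_id: bytes, server_pubkey: bytes, now: int) -> bool:
    """Server side: recompute the challenge from ITS OWN session id and key, then check."""
    y, t, s, exp = proof["y"], proof["t"], proof["s"], proof["expires_at"]
    if now >= exp:
        return False                                  # expired statement
    if not (1 < y < P and 1 < t < P and 0 <= s < Q) or pow(y, Q, P) != 1:
        return False                                  # malformed or outside the subgroup
    c = _challenge(y, t, session_id, server_pubkey, exp)
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def server_pubkey_for(name: str) -> bytes:
    """Placeholder for the server's real public key as the client sees it."""
    return hashlib.sha256(b"constructed key for " + name.encode()).digest()


def run_exchange(server_pubkey: bytes, lifetime: int = 300) -> tuple[bytes, dict]:
    """One presentation: server picks a session id, client answers with a fresh key pair."""
    session_id = secrets.token_bytes(32)              # server-chosen, single use
    x = secrets.randbelow(Q - 1) + 1                  # fresh per session: presentations are unlinkable
    proof = prove(x, session_id, server_pubkey, int(time.time()) + lifetime)
    return session_id, proof


if __name__ == "__main__":
    pk = server_pubkey_for("good.example")
    sid, proof = run_exchange(pk)
    now = int(time.time())
    print("honest:", verify(proof, sid, pk, now))
    print("replayed in another session:", verify(proof, secrets.token_bytes(32), pk, now))
    print("relayed to another server:", verify(proof, sid, server_pubkey_for("other.example"), now))
```

The verifier never trusts a session id or server key supplied in the proof; it folds in the values it issued and owns, which is what makes a relayed transcript fail. In a real deployment the same binding is applied to the credential proof itself, and the server key would be the one authenticated by the transport.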