this post was submitted on 21 Mar 2026
19 points (91.3% liked)

Ask Experienced Devs

1467 readers
11 users here now

Icon base by Delapouite under CC BY 3.0 with modifications to add a gradient

founded 2 years ago
MODERATORS
Ategon@programming.dev
19
Could online age verification be done in a way that protects privacy and autonomy? (lemmy.world)
submitted 2 days ago* (last edited 2 days ago) by 58008@lemmy.world to c/ask_experienced_devs@programming.dev
55 comments fedilink hide all child comments
 

Apologies if this isn't the right place to ask this, but I thought actual developers with a deep understanding of how technology actually works would be the people to ask!

If you were tasked with setting up a safe and secure way to do this, how would you do it differently than what the UK government is proposing? How could it be done such that I wouldn't have to worry about my privacy and the threat of government suppression? Is it even theoretically possible to accomplish such a task at such a scale?

Cheers!

EDIT: Just to be clear: I'm not in favour of age verification laws. But they're on their way regardless. My question is purely about the implementation and technology of the thing, rather than the ethics or efficacy of it. Can this seemingly-inevitable privacy hellscape be done in a non-hellscapish way?

you are viewing a single comment's thread
view the rest of the comments
[–] Kissaki@programming.dev 2 points 1 day ago* (last edited 1 day ago)

What do you mean by government suppression? The government suppressing entities, or you as the authorizing individual?

EU has eIDAS, and Germany has an existing working system. A certified publisher and you with your NFC phone can confirm your age above x without disclosing any other information about your identity. It runs with sophisticated cryptographic negotiation between the three parties. For you as an end user, obviously the government already knows of your existence beforehand and can serve as an authorative entity. The two other parties can then verify their validity to each other through the mutually trusted entity without revealing unnecessary information to any of the parties. Practically, the requesting entity must be certified by the state to confirm their validity and reasonable necessity of what kind of data they plan to request, and the user use their moile phone NFC and an app to read their identity document, and give explicit consent to specific data sharing.

I'm not too familiar with the specifics of what the state can see in this system. It seemed plausible to me that they may not even see that you're authenticating with a specific party or that and what you're sharing. Cryptography ftw.