this post was submitted on 21 Mar 2026
19 points (91.3% liked)

Ask Experienced Devs


Apologies if this isn't the right place to ask this, but I thought actual developers with a deep understanding of how technology actually works would be the people to ask!

If you were tasked with setting up a safe and secure way to do this, how would you do it differently than what the UK government is proposing? How could it be done such that I wouldn't have to worry about my privacy and the threat of government suppression? Is it even theoretically possible to accomplish such a task at such a scale?

Cheers!

EDIT: Just to be clear: I'm not in favour of age verification laws. But they're on their way regardless. My question is purely about the implementation and technology of the thing, rather than the ethics or efficacy of it. Can this seemingly-inevitable privacy hellscape be done in a non-hellscapish way?

[–] Kissaki@programming.dev 2 points 1 day ago* (last edited 1 day ago)

What do you mean by government suppression? The government suppressing entities, or you as the authorizing individual?

EU has eIDAS, and Germany has an existing working system. A certified publisher and you with your NFC phone can confirm your age above x without disclosing any other information about your identity. It runs with sophisticated cryptographic negotiation between the three parties. For you as an end user, obviously the government already knows of your existence beforehand and can serve as an authoritative entity. The two other parties can then verify their validity to each other through the mutually trusted entity without revealing unnecessary information to any of the parties. Practically, the requesting entity must be certified by the state to confirm their validity and reasonable necessity of what kind of data they plan to request, and the user uses their mobile phone NFC and an app to read their identity document, and gives explicit consent to specific data sharing.

I'm not too familiar with the specifics of what the state can see in this system. It seemed plausible to me that they may not even see that you're authenticating with a specific party or that and what you're sharing. Cryptography ftw.

[–] Rivalarrival@lemmy.today 5 points 1 day ago (1 children)

No.

Basically, as soon as a web service knows your age, they can tailor their content specifically for you. That's great when the service is Netflix and doesn't want to suggest R-rated movies to pre-teens.

That's not quite so great when the "service" is KidGroomer dot com.

Turns out that having machines automatically report the ages of their users is not such a good idea. Turns out that enabling groomers to identify children from adults is a fair bit worse than kids finding naked people on the internet.

[–] oatscoop@midwest.social 3 points 1 day ago* (last edited 1 day ago)

We used to have a privacy-friendly solution that allowed parents to monitor their kid's internet use.

You just had to put it in a shared area.

[–] blitzen@lemmy.ca 13 points 2 days ago (2 children)

I agree with others here when they say that age-verification laws aren't about children at all, and identification isn't a side effect, it's the raison d'être.

But if I were to earnestly try to solve the problem, I might look to the physical (non-online) world. In every part of the world I've been to, buying alcohol requires one thing; to be of age. So if you very clearly look of age, you are allowed to buy it. If you look younger, you may be asked to provide ID proving you are old enough. While some vendors may take additional precautions such as scanning your ID, it is not a requirement and most do not. They simply look at your ID to verify, then allow the purchase.

One could buy a physical verification token, like one might buy a gift card currently, and the purchase requires the same verification as buying alcohol. Imagine you buy a plastic gift-card-like item branded Roblox and they verify you are of age, when you sign up for Roblox you enter in the details of the gift-card-like item. You are verified to be of age, and no-one has any other details.

[–] bearboiblake@pawb.social 6 points 2 days ago* (last edited 2 days ago) (2 children)

I think this is the best possible solution, great write up and explanation. A minor improvement would be to make the card some kind of OATH device to generate TOTP tokens rather than a single ID number, so that you can reuse the same identifying token in multiple places with no way to connect the token.

Edit: On second thought, I can't think of a way to make that work, without compromising privacy, and I can think of a few possible ways that the original idea could potentially go wrong, too. Still, I think this is the closest possible solution.

[–] blitzen@lemmy.ca 3 points 2 days ago

Oh, mine is a terrible idea, but maybe one of the least bad. I like your idea of making it reusable somehow.

[–] Zagorath@quokk.au 1 points 2 days ago (1 children)

> On second thought, I can't think of a way to make that work, without compromising privacy

I'd say check out my top-level comment, and the link to the crypto Stack Exchange within it.

[–] Zagorath@quokk.au 3 points 2 days ago* (last edited 1 day ago)

> identification isn't a side effect, it's the raison d'être.

In Australia, the law quite specifically says sites aren't allowed to require ID as the method of age verification. It can be one option they provide, but it cannot be the only. Even a sort of sentiment analysis is permitted, and from everything I've heard that seems to be the method most have defaulted to. Social media sites don't want to risk losing users by putting up barriers to them making accounts. People talking about politics and taxes are probably adults. People looking at Bluey videos are much more likely to be children. And it's all based on information they already had used in ways a lot of them probably already did.

So at least here, I think the idea that it's anything other than what they say it is is just an unfounded conspiracy theory. It may not be well-implemented, but it is genuinely well-intentioned. Or if not well-intentioned, the real intent is bad, but not in the same way you suggest—it's just about being seen to do something good and win some good PR for the government, without actually having to go to any effort to implement good policy.

[–] bold_omi@lemmy.today 1 points 1 day ago
[–] PiraHxCx@lemmy.dbzer0.com 5 points 2 days ago

Very easy: create a law that if minors are caught where they shouldn't be, the parents and the minors are going to be held responsible, because raising kids is the parents' responsibility.

However, absolutely ZERO percent of the age verification laws are being put in place to protect kids. They are pushing that with the sole reason to invade your privacy and monitor your activity, so any means that doesn't accomplish it missed the point.

[–] PokerChips@programming.dev 3 points 1 day ago

How about we just don't.

[–] smegger@aussie.zone 3 points 2 days ago

Honestly I can't think of any way you could verify age accurately without something identifying being provided.

You could try age based trivia, but anyone could Google an answer.

[–] IceFoxX@lemmy.world 1 points 1 day ago* (last edited 1 day ago)

By the way, people who create accounts without age verification will then have access to the planned children’s versions of social media... A pedophile’s dream come true 🤢🤢🤮🤮🤮

Age verification = digital epstein pedo playground

[–] litchralee@sh.itjust.works 2 points 2 days ago

This is the precise question that Soatok discussed here: https://soatok.blog/2025/07/31/age-verification-doesnt-need-to-be-a-privacy-footgun/

Google recently published an open source library that proves a user’s age in a way that preserves privacy. This library is undergoing two independent security reviews, but should be production-ready in the near future.

If we’re going to force websites to implement some kind of age verification for adult content, we should demand the governments that pass these laws provide the zero-knowledge proof technologies to satisfy the law.

[–] hperrin@lemmy.ca 2 points 2 days ago (1 children)

Yes, kind of. In a similar way that we can currently authenticate with OpenID. Basically something like a passkey could be issued by your government that would let you prove your (pseudonymous) identity (and thus age range) through their API to a website.

This wouldn’t allow for anonymous browsing, since the website would have to identify you, but it could allow for pseudonymous browsing, since the website’s identification of you could be just an ID number that is specific to them. They already track you with cookies, so it wouldn’t be any worse than we have now, except that it’s more unnecessary bureaucracy.

[–] KairuByte@lemmy.dbzer0.com 1 points 22 hours ago (1 children)

This just seems like a great way for your government to know every single thing you do online.

[–] hperrin@lemmy.ca 1 points 21 hours ago

You could make it so that the government doesn’t know who’s requesting it.

[–] TootSweet@lemmy.world 2 points 2 days ago