To be clear, I’m not advocating for online age verification. I’m very much against it in any form. I’m just curious from a technical standpoint if it’s possible somehow to construct an accurate age verification system that doesn’t compromise a user’s privacy? i.e., it doesn’t expose the person’s identity to anyone nor leaves behind a paper trail that can be traced to that person?

  • Zachariah@lemmy.world
    49 upvotes · 1 month ago (edited)

    Even if it works, it’s a solution without a problem. If I can afford internet access, I am mature enough to see anything on the internet, and I am mature enough to decide which users can access my internet-connected network and whether they can have access to the whole internet. That’s all the age verification needed ever.

    The request for age verification by each website is purely about unnecessary control and censorship.

    • quick_snail@feddit.nl
      2 upvotes · 1 month ago (edited)

      Internet access is like $1 in most countries (Sim card data).

      I don’t know about you, but the tooth fairy gave me enough money to pay for internet access before my skull was old enough to finish growing adult teeth…

  • IninewCrow@lemmy.ca
    33 upvotes · 1 month ago

    The problem is not the system or the idea of age verification.

    The problem is that no one on earth can be trusted with that level of monitoring, control and power.

    • AtHeartEngineer@lemmy.world
      4 upvotes · 1 month ago

      You definitely can do this with cryptography, it’s a really hard problem, but I worked in this space for a number of years, it’s possible.

      • IninewCrow@lemmy.ca
        2 upvotes · 1 month ago

        Like I implied, the problem isn’t the HOW to do it.

        The problem is in giving any one person, government, corporation or company this amount of power and control.

        And because it’s so powerful, no one who had it would want to give up control by making it anonymous or in objectively protecting privacy for the user.

        • AtHeartEngineer@lemmy.world
          4 upvotes · 1 month ago

          Right, I understand that perspective, but there is a way to do this with multi-party computation and some other cryptography where no one would have the actual power/be able to see the data/have control. The main issue is it’s expensive to run and no one would be incentivized to run it.

  • groet@feddit.org
    25 upvotes · 1 month ago

    Super easy. Technology has existed for quite some time and was already used in the encryption of web traffic.

    Basically: you sign up with your “age verification institution” (ideally a service of your government because they have your ID anyway and no profit motive). This involves creating a private key (reaaaaaaaaaaly long password that is saved in a file on your device) and saving the public key with that institution. They also check your ID to ensure your identity and your age.

    When you want to visit an 18+ website, the website sends you a nonce (loooooong random number). You take that nonce and send it to the verifier, along with a signature of your private key (and the age they want you verified against). The verifier verifies your signature using your public key. They then sign the nonce with their own private key, thereby verifying that you, the owner of your private key (whose identity and age they have verified), are above the asked age threshold. You then send the signed nonce back to the 18+ website and they can verify the signature to confirm that a trusted age verifier has verified your age.

    The site never has access to your identity and the verifier never knows which site you visited, only that you wanted to visit a website that wants to know if you are of a certain age.

    (The corresponding technology was used for OCSP Stapling in TLS verification … and has been discontinued last year because nobody was using it …)
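
The nonce exchange described in the comment above, as an added Go example that is not part of the original thread. Ed25519, the `statement` encoding and every type and function name are assumptions made for the illustration; the site also accepts each nonce only once, a detail the comment does not spell out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Verifier is the age verification institution: enrolled keys mapped to ID-checked ages.
type Verifier struct {
	Priv ed25519.PrivateKey
	Ages map[string]int
}

// Site trusts one verifier key and accepts each nonce it issued exactly once.
type Site struct {
	Trusted ed25519.PublicKey
	Pending map[string]bool
}

func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

// statement binds the site's 32-byte nonce to the threshold being attested.
func statement(nonce []byte, minAge uint16) []byte {
	return binary.BigEndian.AppendUint16(append([]byte("age>="), nonce...), minAge)
}

// Attest sees a user key, a nonce and a threshold; nothing in them names the site.
func (v *Verifier) Attest(pub ed25519.PublicKey, nonce []byte, minAge uint16, sig []byte) []byte {
	if age, ok := v.Ages[string(pub)]; ok && age >= int(minAge) && ed25519.Verify(pub, statement(nonce, minAge), sig) {
		return ed25519.Sign(v.Priv, statement(nonce, minAge))
	}
	return nil // unknown key, too young, or bad signature
}

func (s *Site) Challenge() []byte {
	n := make([]byte, 32)
	rand.Read(n)
	s.Pending[string(n)] = true
	return n
}

// Admit sees its own nonce and the verifier's signature; nothing in them names the user.
func (s *Site) Admit(nonce []byte, minAge uint16, token []byte) bool {
	fresh := s.Pending[string(nonce)]
	delete(s.Pending, string(nonce)) // single use: a replayed token is refused
	return fresh && ed25519.Verify(s.Trusted, statement(nonce, minAge), token)
}

// Prove is the user's step: sign the nonce and relay it to the verifier.
func Prove(v *Verifier, pub ed25519.PublicKey, priv ed25519.PrivateKey, nonce []byte, minAge uint16) []byte {
	return v.Attest(pub, nonce, minAge, ed25519.Sign(priv, statement(nonce, minAge)))
}

func main() {
	vpub, vpriv := NewKey()
	pub, priv := NewKey() // constructed user, enrolled below at age 19
	v, s := &Verifier{vpriv, map[string]int{string(pub): 19}}, &Site{vpub, map[string]bool{}}
	n := s.Challenge()
	fmt.Println(s.Admit(n, 18, Prove(v, pub, priv, n, 18))) // true
}
```

The verifier still learns when each enrolled key asks for an attestation and at which threshold, which is the residual trust the replies below argue about.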

    • billwashere@lemmy.world
      3 upvotes · 1 month ago

      Technically this works EXCEPT the required third party. Either it’s the government and you have to trust them with information of knowing everything that required age verification or it’s a separate company that can and would sell your data to data brokers. Being free and NOT the government seems mutually exclusive.

      • groet@feddit.org
        9 upvotes · 1 month ago

        The verifier does not have the information which sites you use. That’s the point of the setup. All communication goes through you, never the site to the verifier directly. You only pass cryptographic values between them that do not include identifiable information (neither about you to the website, nor about the website to the verifier). The verifier knows who you are, the website knows that you are old enough. Nothing else.

  • ameancow@lemmy.world
    13 upvotes · 1 month ago (edited)

    In my ideal world, it’s not an issue because parents don’t let kids under a certain age or demonstrated maturity level have computers in their room alone, and even better, they teach their kids how to not have problems with predators, porn, and the deluge of online weirdness and have open, honest talks about how some things are dangerous because they prey on you, some things are dangerous because they get you hooked on certain feelings, and some things are dangerous because they give you false impressions of the world and relationships.

    We’re about as close to that world as interstellar exploration, I know. Imagine having parents who you don’t feel afraid to talk to about mature topics and personal matters.

    And all that aside, why is it such a big deal that kids not see boobs but they can see violence and gore? Why is it magically okay for Timmy Neckbeard to watch strangle-fetish porn night and day as soon as he turns 18? Why do we scream about how porn is ruining kids’ minds but we’re not taking down the grifting “masculinity influencers” with as much zeal as we’re going after pornhub and other sites that are mostly just consenting adults doing fun biological acts together? Why do we say porn companies are evil and not do anything to make it less evil like better regulations and resources since we know people are going to find ways to make and view it anyway? (These aren’t questions for Lemmy but I would sure love to see communities start asking these questions to their elected representatives.)

    Our species’ obsession with clear lines and labels is making us ignore where the actual problems are, we build fences around the outcomes not the sources. We create solutions to problems we don’t even want to look at directly. It’s like the government handing out umbrellas to combat the issue with the massive water main leak flooding the street.

  • It’s possible.

    Open source front-interfacing app + a secure element thing in the background.

    You download an app. You verify your identity, then the app sets up an OTP thing with the shared secret seed lasting for 30 days. But every 30 seconds the OTP changes. Everyone doing a verification in these 30 days gets the same exact secret seed.

    The seed hides in the secure element of your device. (it won’t be impossible to extract, but the average kid is not gonna be able to hack a secure element) Every 30 seconds, it releases the new OTP to the Open source app. The app doesn’t connect to the internet once the OTP has already been set up. So nobody knows if you actually view the OTP code.

    So the government only knows you have the verification OTP set up not which websites you visited, the website only knows you have a valid OTP from the government, but you could be any of the people in the past 30 days (which the company doesn’t even have access to).

    Even if the company and government cooperate, they could only pin down the time of website registration and that you are one of the millions of people that did the verification and requested an OTP seed.

    (Idk the exact terminology for these things, but hopefully I make sense)

    • anton@lemmy.blahaj.zone
      4 upvotes · 1 month ago

      The seed hides in the secure element of your device. (it won’t be impossible to extract, but the average kid is not gonna be able hack a secure element).

      But only one person needs to “hack” it on their device to publish the key, allowing everyone to use it without “hacking” their own device.

      You can’t store a key on a device and keep it safe from the owner.
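
The shared-seed OTP idea and the objection to it, as an added Go example that is not part of the thread; it assumes the OTP is standard RFC 6238 TOTP, and the `Issuer` type and the seed value are constructed. Every device holding the period's seed emits the same code, a copy of the seed passes until rotation, and because HMAC is symmetric whoever checks a code must hold the seed too.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

const seedLifetime = 30 * 24 * 3600 // the comment's 30-day shared seed, in seconds

// TOTP computes an RFC 6238 code (HMAC-SHA-1, 30-second step, 6 digits).
func TOTP(seed []byte, now int64) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(now/30))
	mac := hmac.New(sha1.New, seed)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation, RFC 4226
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// Issuer models the side that hands one seed to everyone enrolled in a period.
type Issuer struct {
	Seed     []byte
	IssuedAt int64
}

// Check validates a code. It needs the seed itself, so any party able to run
// Check can also mint codes, and it cannot tell one seed holder from another.
func (i Issuer) Check(code string, now int64) bool {
	if now < i.IssuedAt || now >= i.IssuedAt+seedLifetime {
		return false // seed has been rotated
	}
	return hmac.Equal([]byte(TOTP(i.Seed, now)), []byte(code))
}

func main() {
	iss := Issuer{[]byte("constructed-shared-seed"), 1_700_000_000}
	now := iss.IssuedAt + 86400
	alice, bob := TOTP(iss.Seed, now), TOTP(iss.Seed, now) // two enrolled devices
	copied := TOTP(append([]byte(nil), iss.Seed...), now)  // a copy of the seed off-device
	fmt.Println(alice == bob, iss.Check(copied, now), iss.Check(copied, now+seedLifetime))
	// true true false
}
```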

  • Blackmist@feddit.uk
    12 upvotes · 1 month ago

    It can. Zero knowledge proofs have been around a while and are ideal for this.

    They’ll try not to have that because data gathering is what they’re after, not keeping little Timmy from seeing some tits.

  • Modern_medicine_isnt@lemmy.world
    12 upvotes · 1 month ago

    Nope, you always need a middle man to do the verification. That middle man has too much information.

    Also, if you could solve for the middle man, there is no way to know the user belongs to the ID. It can easily be stolen.

      • Modern_medicine_isnt@lemmy.world
        2 upvotes · 1 month ago

        You could, but that wouldn’t address OP’s question. The IRS is known for giving info to other parts of the government to aid in prosecution. And the gov has shown they are terrible at cyber security, so you might as well just post your browser history on the web.

    • dickalan@lemmy.world
      2 upvotes · 1 month ago

      I figured you were wrong so I asked an AI and it confirmed what the people below you were saying, you really do seem to be talking straight out of your ass

      Yes, it is technically possible to build an accurate, high-confidence age-verification system that does not compromise privacy in the traditional sense (i.e., no central database of IDs, no name/address/DOB stored by the site, no paper trail that can be subpoenaed or leaked). The core tool that makes this feasible is zero-knowledge proofs (ZKPs), specifically age-based ZK proofs.

      How a privacy-preserving age check actually works in 2025

      1. User proves age to a trusted credential issuer once
        • Government digital ID (e.g., EU eIDAS wallet, some U.S. mobile driver’s licenses, Yoti, ID.me, etc.)
        • The issuer cryptographically signs a statement like “This private key belongs to someone born before 2007-11-27” without ever revealing the exact birthdate.
      2. User generates a zero-knowledge proof
        • Using their phone or browser, they create a proof that says:
          “I have a valid credential signed by [Trusted Issuer] that confirms I am 18+ (or 21+).”
        • Nothing else is revealed: no name, no exact age, no birthdate, no issuer identity if you want to go fully anonymous.
      3. Website verifies the proof in <1 second
        • The site checks the cryptographic signature and that the policy (“18+”) is satisfied.
        • It learns literally nothing else about the person.

      Real-world implementations that already exist or are in late-stage pilots (November 2025):

      • Worldcoin’s World ID “age 18+” orb-verified credential + ZK proof
      • Polygon ID / zkBridge systems used by some adult sites
      • SpruceID + Ethereum Attestation Service kits
      • Gitcoin Passport + ZK age attestations
      • Proof-of-Humanity + age minimum circuits
      • Yoti + ZK prototype (demoed 2024–2025)

      Remaining practical hurdles (why it’s not universal yet)

      • User has to have a compatible digital credential in the first place (adoption still <30% in most countries)
      • Friction: first-time setup takes 2–10 minutes instead of 3 seconds
      • Most adult sites don’t want to pay the (tiny) gas/verification fee or integrate the SDKs
      • Regulatory gray zone in some jurisdictions that still mandate “know your customer” records

      Bottom line
      Technically: Yes, 100% possible today with zero-knowledge age proofs.
      Practically: It exists, works, and is slowly rolling out, but the porn industry and most social platforms still prefer cheap/frictionless (but privacy-invasive) methods or just do nothing.

      So the top reply in your screenshot (“you always need a middle man with too much information”) is outdated — cryptography has already solved the “middle man” problem. The real blocker now is deployment inertia, not theory.

      • njm1314@lemmy.world
        10 upvotes · 1 month ago

        Just for your edification anything you say after “so I asked an AI” is going to be ignored by most people. It just tells me everything that comes next is not going to be worthwhile. Might as well tell me your palm reader told you something.

      • Modern_medicine_isnt@lemmy.world
        9 upvotes · 1 month ago

        Read back what you wrote. Your first line was about a trusted credential provider. That’s a middle man. Then you talk about creating a proof. Guess what, that phone and browser are known to spy on you excessively. That’s another middle man. And odds are that same phone or browser is what you will use to access something that needs the verification. So the same phone or browser has all parts of the information.
        And of course it’s pointless because anyone could steal an ID and get themselves a key. Or steal your phone… so it wouldn’t even prove anything.

        • jabberwock@lemmy.dbzer0.com
          2 upvotes · 1 month ago

          I’ll address the second objection first regarding the phone or browser. You’re always going to rely on some technology for the solutions that use cryptography, you just can’t do those calculations long-hand realistically. That said, look up frameworks like CTAP that allow a potentially untrusted user terminal, like a browser, to interact with a trusted hardware token. Those hardware tokens can be made fairly tamper-proof, see FIPS authorized Yubikeys, such that the phone is pretty much removed from the attestation process. Yes these can still be stolen, but they make hardware keys that are fingerprint authenticated and the biometric stays on the device. Doesn’t get much more self-sovereign than that.

          The existence of a trusted credential provider is a challenge. Fully self-sovereign credentials need to either be trust on first use or validated against a larger system everyone participates in. Even if we had some system of birth certificates tied to a distributed ledger, we would have to trust the third party recording that certificate in the first place, be it a hospital, doctor, or state entity. These trust and proof systems don’t create the trust, they just allow us to extend that trust from one claimant to a verifier. Whether you place that trust in the state, an individual, or an independent third party is up to you.

          • Modern_medicine_isnt@lemmy.world
            2 upvotes · 1 month ago

            So, you have fully backed my response. OP didn’t ask if it was possible with some caveats. I understand (at a high level) the technical options that can get close to what OP asked for, but it fundamentally just isn’t possible without caveats.

      • Phoenixz@lemmy.ca
        7 upvotes · 1 month ago

        you’re talking out of your ass so I asked an AI

        Pot, you are black! Signed, kettle

      • TechLich@lemmy.world
        3 upvotes · 1 month ago

        The big flaw in this strategy is that once you have set up a signed anonymous key from the government and you can make zero knowledge proofs with it, there’s nothing stopping you from distributing that key to every kid who wants it. If it’s in the browser or an app, etc. you can publish that signed key for anyone who wants to be over 18.

        PKI only works if the owner of the private key wants it to be private. It’s effective for things like voting or authenticating because the owner of the key doesn’t want anyone else to be able to impersonate them. But if it’s only for age…

        At that point, it might as well just be a file that says “I pinky promise that I’m over 18” that the government has signed and given to you.

        • jabberwock@lemmy.dbzer0.com
          2 upvotes · 1 month ago

          Could tie it to something like a biometric. That and storing it on a write-only device would keep it from being shared too wide. The trick is to tie it to a true multi-factor and not just something you have (if unencrypted) or something you know (if ASCII armored).

          • Coriza@lemmy.world
            2 upvotes · 1 month ago

            Then it adds barrier to entry. If it costs money it will be a problem for the more vulnerable population. If it is free and you can have as many as you want it is gonna be abused, if there is a limit it again starts to be a problem.

  • grandel@lemmy.ml
    10 upvotes · 1 month ago (edited)

    No, it should be a browser setting. If parental controls are enabled, access should be denied to the site.

  • ComradePenguin@lemmy.ml
    8 upvotes · 1 month ago

    Yes. There are many solutions.

    Maybe the absolutely easiest to implement is just a signed message from an authority (gov.). You click a button on the website that requires verification, get a new tab to a gov. site with no identifiers from the site redirecting you and get a message you copy. The copied message is then pasted into the site requiring verification. The site can then verify the message at their servers.

    • Scirocco@lemmy.world
      13 upvotes · 1 month ago (edited)

      Hey benign and honorable govt!

      Please tell the website “kill-your-govt .net” that I am old enough to join the revolution!!!

      Kthxbai

      edit: if this was pasted in both directions AND we trust that there is no identifying information in either ‘secret’ message, might work. Normies will not like the ctrl-c/ctrl-v workflow though.

    • ameancow@lemmy.world
      6 upvotes · 1 month ago

      That still creates a chain that can be followed. If the site you’re trying to enter is ever compromised, there will be record of your government code and whatever tracking is used to verify that you have entered your code.

      I would be happy if the government was not involved in my online activities at all but I guess that ship is about to sail.

  • daniskarma@lemmy.dbzer0.com
    8 upvotes · 1 month ago (edited)

    It’s possible with certificates and 2fa issued by a government, which already has all your data, that would only verify that you are over 18.

    We already have that in Spain, sort of. We have a government app where you have a digital id stored and you can make it create a verify qr that only shows if the user is over 18 or under 18, no more data. The qr only lasts 5 minutes active.

    Is it necessary? Not for internet access. That’s a duty of the one paying for internet in the household, not the government. If they have underage kids under their responsibility it’s their duty to make sure that they get good education about what to see and what not and restrict access if needed. Having the government universally interfere with everyone is just plain bad.

  • Nighed@feddit.uk
    5 upvotes · 1 month ago (edited)

    The government knows who you are. They know your age, your address and know you exist (probably).

    You go to a site that requires age verification. You say: please verify me with the government portal. You go to that portal to get a temporary id code to give to the site. The website says to the gov portal give me the name and age of the user with this temp ID. You approve that access. Portal sends age (or an is over 16/18/21 etc flag) to the site.

    • Gov portal doesn’t need to know who the site is.
    • You don’t provide a unique ID to the website, just a temporary one.
    • As the codes are temporary, you must have access to the id/login now, not just at some point
    • Site only gets the data you approve/it requested, not everything.

    The process can do with some streamlining, but should work in practice?

    • AtHeartEngineer@lemmy.world
      2 upvotes · 1 month ago

      Ya you could definitely do this way too. There is a standard that Google came up with called private state tokens that would allow you to do this in a pretty clean way, if you were cool with using your government’s portal.

      Essentially you would login to the govt portal, they would issue you some limited set of tokens (let’s say 5) that would expire after 30 days. You would go to an age restricted website and sign up and that would “burn” a token.

      You could use ZK on top of this to make sure that the same email address or some other “nullifier” piece of information was used, to prevent an 18 yo kid from selling their tokens to 17 yos.
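
The issue-then-burn token flow from the comment above, as an added Go example that is not part of the thread. Chaum-style RSA blind signatures stand in for token issuance here (this is not the Private State Tokens protocol itself), the bare SHA-256 digest is a simplification, and all names and the token value are constructed; the anti-resale "nullifier" idea is not modelled.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"math/big"
)

func NewIssuer() *rsa.PrivateKey { // the portal's token-signing key
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	return key
}

// digest maps a token to an integer below N (bare SHA-256: a simplification).
func digest(token []byte) *big.Int {
	h := sha256.Sum256(token)
	return new(big.Int).SetBytes(h[:])
}

// Blind hides the token from the portal as digest * r^e mod N, with r random and invertible.
func Blind(pub *rsa.PublicKey, token []byte) (blinded, r *big.Int) {
	for r = new(big.Int); new(big.Int).GCD(nil, nil, r, pub.N).Cmp(big.NewInt(1)) != 0; {
		r, _ = rand.Int(rand.Reader, pub.N)
	}
	blinded = new(big.Int).Exp(r, big.NewInt(int64(pub.E)), pub.N)
	return blinded.Mod(blinded.Mul(blinded, digest(token)), pub.N), r
}

// SignBlinded is the portal's step after its age check: it signs a value it cannot read.
func SignBlinded(key *rsa.PrivateKey, blinded *big.Int) *big.Int {
	return new(big.Int).Exp(blinded, key.D, key.N)
}

// Unblind divides out r, leaving an ordinary RSA signature on the token.
func Unblind(pub *rsa.PublicKey, blindSig, r *big.Int) *big.Int {
	s := new(big.Int).ModInverse(r, pub.N)
	return s.Mod(s.Mul(s, blindSig), pub.N)
}

// Site checks the portal's signature and burns each token on first use.
type Site struct {
	Issuer *rsa.PublicKey
	Spent  map[string]bool
}

func (s *Site) Redeem(token []byte, sig *big.Int) bool {
	m := new(big.Int).Exp(sig, big.NewInt(int64(s.Issuer.E)), s.Issuer.N)
	if m.Cmp(digest(token)) != 0 || s.Spent[string(token)] {
		return false
	}
	s.Spent[string(token)] = true
	return true
}

func main() {
	key := NewIssuer()
	token := []byte("constructed-random-token") // chosen by the user, never sent to the portal
	blinded, r := Blind(&key.PublicKey, token)
	sig := Unblind(&key.PublicKey, SignBlinded(key, blinded), r)
	site := &Site{&key.PublicKey, map[string]bool{}}
	fmt.Println(site.Redeem(token, sig), site.Redeem(token, sig)) // true false
}
```

The portal only ever sees `blinded`, so it cannot match a redeemed token to the login session that requested it, even if it compares records with the site.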