We all know “proof of age” or “age verification” is synonymous with mass surveilance, but the words “proof of age” were cleverly choosen so the average person considers it the same as showíng another person a driver’s license. Unecessary or otherwise it’s only a minor inconvenience. And there is no harm to privacy.
So what should we call “proof of age” or “age verification” which is just as punchy, but communicatee the real intent? How can we subvert this attack on our rights by turning these twisted words against themselves?
You have to trust someone.
And I can’t speak for all the implementations around the world. But I can speak for the Danish one. Or at least what the design is intended to be right now.
The Danish verification tokens are single use. Yes they get checked against a database, centrally, but that database doesn’t hold any information about who the token was issued to, just whether it’s a valid token that hasn’t been used before.
So your digital wallet holds a set of single use tokens. You have to log in using MitID (central government system for proving your identify online), then your wallet is issued age proofing tokens which you then hand over to the website to prove your age.
So there are a million ways that COULD be abused, just like there are a million ways your bank could abuse the information it holds about you. In both cases, laws require that neither abuse their privilege.
You have to trust someone. Or live a hermit.
this is sounding sketchier and sketchier. so every website that serves 18+ content in Denmark will need to check tokens against a central database upon login? forget censorship and surveillance, that sounds like it plain won’t scale well. also does Denmark really expect every website to implement this? what about Lemmy or other fediverse services?
why is this needed at all? why not just use parental controls on devices? why is this such a crisis now, for the first time in 20 years?
I feel like they could just, you know, not do this.
I wouldn’t call that an ideal implementation, but if they implemented it properly, there’s no way for the website to know who you are, and there’s no way for the website to tell the authority you visited their site. If there is, it’s not actually a ZKP and it’s a failure of the technology (and I assume at that point be against the law). The only abuse that should ever be possible is that the authority knows you are using tokens, not where.
The only required trust that should be needed, is that the authority proved your age in the first place, such as when you get your drivers license, and that they actually implemented all the cryptography properly (which a 3rd party could verify)