To be clear, I’m not advocating for online age verification. I’m very much against it in any form. I’m just curious from a technical standpoint if it’s possible somehow to construct an accurate age verification system that doesn’t compromise a user’s privacy? i.e., it doesn’t expose the person’s identity to anyone nor leaves behind a paper trail that can be traced to that person?
Even if it works, it’s a solution without a problem. If I can afford internet access, I am mature enough to see anything on the internet, and I am mature enough to decide which users can access my internet-connected network and whether they can have access to the whole internet. That’s all the age verification needed ever.
The request for age verification by each website is purely about unnecessary control and censorship.
The problem is not the system or the idea of age verification
The problem is that no one on earth can be trusted with that level of monitoring, control and power.
Nah you can totally trust me, I’m too lazy to do anything nefarious
Great! … the solution to our problems … let’s all trust edgemaster72
Oh, oh shit, this has backfired massively, I didn’t think anyone would go along with it, that’s way too much responsibility

This is precisely what the chosen one would say!
You definitely can do this with cryptography, it’s a really hard problem, but I worked in this space for a number of years, it’s possible.
Like I implied, the problem isn’t the HOW to do it.
The problem is in giving any one person, government, corporation or company this amount of power and control.
And because it’s so powerful, no one who had it would want to give up control by making it anonymous or in objectively protecting privacy for the user.
Right, I understand that perspective, but there is a way to do this with multi-party computation and some other cryptography where no one would have the actual power/be able to see the data/have control. The main issue is it’s expensive to run and no one would be incentivized to run it.
In my ideal world, it’s not an issue because parents don’t let kids under a certain age or demonstrated maturity level have computers in their room alone, and even better, they teach their kids how to not have problems with predators, porn, and the deluge of online weirdness and have open, honest talks about how some things are dangerous because they prey on you, some things are dangerous because they get you hooked on certain feelings, and some things are dangerous because they give you false impressions of the world and relationships.
We’re about as close to that world as interstellar exploration, I know. Imagine having parents who you don’t feel afraid to talk to about mature topics and personal matters.
And all that aside, why is it such a big deal that kids not see boobs but they can see violence and gore? Why is it magically okay for Timmy Neckbeard to watch strangle-fetish porn night and day as soon as he turns 18? Why do we scream about how porn is ruining kids’ minds but we’re not taking down the grifting “masculinity influencers” with as much zeal as we’re going after pornhub and other sites that are mostly just consenting adults doing fun biological acts together? Why do we say porn companies are evil and not do anything to make it less evil like better regulations and resources since we know people are going to find ways to make and view it anyway? (These aren’t questions for Lemmy but I would sure love to see communities start asking these questions to their elected representatives.)
Our species’ obsession with clear lines and labels is making us ignore where the actual problems are, we build fences around the outcomes not the sources. We create solutions to problems we don’t even want to look at directly. It’s like the government handing out umbrellas to combat the issue with the massive water main leak flooding the street.
Nope, you always need a middle man to do the verification. That middle man has too much information.
Also, if you could solve for the middle man, there is no way to know the user belongs to the ID. It can easily be stolen.
We could just make the middle man somebody who already needs that information, e.g. the IRS.
You could, but that wouldn’t address OP’s question. The IRS is known for giving info to other parts of the government to aid in prosecution. And the gov has shown they are terrible at cyber security, so you might as well just post your browser history on the web.
I figured you were wrong so I asked an AI and it confirmed what the people below you were saying, you really do seem to be talking straight out of your ass
Yes, it is technically possible to build an accurate, high-confidence age-verification system that does not compromise privacy in the traditional sense (i.e., no central database of IDs, no name/address/DOB stored by the site, no paper trail that can be subpoenaed or leaked). The core tool that makes this feasible is zero-knowledge proofs (ZKPs), specifically age-based ZK proofs.
How a privacy-preserving age check actually works in 2025
- User proves age to a trusted credential issuer once
  - Government digital ID (e.g., EU eIDAS wallet, some U.S. mobile driver’s licenses, Yoti, ID.me, etc.)
  - The issuer cryptographically signs a statement like “This private key belongs to someone born before 2007-11-27” without ever revealing the exact birthdate.
- User generates a zero-knowledge proof
  - Using their phone or browser, they create a proof that says: “I have a valid credential signed by [Trusted Issuer] that confirms I am 18+ (or 21+).”
  - Nothing else is revealed: no name, no exact age, no birthdate, no issuer identity if you want to go fully anonymous.
- Website verifies the proof in <1 second
  - The site checks the cryptographic signature and that the policy (“18+”) is satisfied.
  - It learns literally nothing else about the person.
Real-world implementations that already exist or are in late-stage pilots (November 2025):
- Worldcoin’s World ID “age 18+” orb-verified credential + ZK proof
- Polygon ID / zkBridge systems used by some adult sites
- SpruceID + Ethereum Attestation Service kits
- Gitcoin Passport + ZK age attestations
- Proof-of-Humanity + age minimum circuits
- Yoti + ZK prototype (demoed 2024–2025)
Remaining practical hurdles (why it’s not universal yet)
- User has to have a compatible digital credential in the first place (adoption still <30% in most countries)
- Friction: first-time setup takes 2–10 minutes instead of 3 seconds
- Most adult sites don’t want to pay the (tiny) gas/verification fee or integrate the SDKs
- Regulatory gray zone in some jurisdictions that still mandate “know your customer” records
Bottom line
Technically: Yes, 100% possible today with zero-knowledge age proofs.
Practically: It exists, works, and is slowly rolling out, but the porn industry and most social platforms still prefer cheap/frictionless (but privacy-invasive) methods or just do nothing.
So the top reply in your screenshot (“you always need a middle man with too much information”) is outdated — cryptography has already solved the “middle man” problem. The real blocker now is deployment inertia, not theory.
Just for your edification anything you say after “so I asked an AI” is going to be ignored by most people. It just tells me everything that comes next is not going to be worthwhile. Might as well tell me your palm reader told you something.
Ok
Read back what you wrote. Your first line was about a trusted credential provider. That’s a middle man. Then you talk about creating a proof. Guess what, that phone and browser are known to spy on you excessively. That’s another middle man. And odds are that same phone or browser is what you will use to access something that needs the verification. So the same phone or browser has all parts of the information.
And of course it’s pointless because anyone could steal an ID and get themselves a key. Or steal your phone… so it wouldn’t even prove anything.
you’re talking out of your ass so I asked an AI
Pot, you are black! Signed, kettle
The big flaw in this strategy is that once you have set up a signed anonymous key from the government and you can make zero knowledge proofs with it, there’s nothing stopping you from distributing that key to every kid who wants it. If it’s in the browser or an app, etc. you can publish that signed key for anyone who wants to be over 18.
PKI only works if the owner of the private key wants it to be private. It’s effective for things like voting or authenticating because the owner of the key doesn’t want anyone else to be able to impersonate them. But if it’s only for age…
At that point, it might as well just be a file that says “I pinky promise that I’m over 18” that the government has signed and given to you.
It’s possible.
Open source front-interfacing app + a secure element thing in the background.
You download an app. You verify your identity, then the app sets up an OTP thing with the shared secret seed lasting for 30 days. But every 30 seconds the OTP changes. Everyone doing a verification in these 30 days gets the same exact secret seed.
The seed hides in the secure element of your device. (it won’t be impossible to extract, but the average kid is not gonna be able to hack a secure element) Every 30 seconds, it releases the new OTP to the Open source app. The app doesn’t connect to the internet once the OTP has already been set up. So nobody knows if you actually view the OTP code.
So the government only knows you have the verification OTP set up not which websites you visited, the website only knows you have a valid OTP from the government, but you could be any of the people in the past 30 days (which the company doesn’t even have access to).
Even if the company and government cooperate, they could only pin down the time of website registration and that you are one of the millions of people that did the verification and requested an OTP seed.
(Idk the exact terminology for these things, but hopefully I make sense)
The seed hides in the secure element of your device. (it won’t be impossible to extract, but the average kid is not gonna be able to hack a secure element).
But only one person needs to “hack” it on their device to publish the key, allowing everyone to use it without “hacking” their own device.
You can’t store a key on a device and keep it safe from the owner.
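The shared-seed OTP idea and the objection to it, as an added sketch that is not part of any post in the thread. It assumes standard RFC 6238 TOTP and a hypothetical `CohortVerifier` that holds the single cohort seed; the thread does not say who performs the check.

```python
import hashlib
import hmac
import secrets
import struct

STEP = 30  # seconds each code lives, as in the comment


def totp(seed: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `now`."""
    mac = hmac.new(seed, struct.pack(">Q", now // STEP), hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # dynamic truncation offset (RFC 4226)
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)


class CohortVerifier:
    """Hypothetical checker that holds the one seed shared by a 30-day cohort."""

    def __init__(self) -> None:
        self.seed = secrets.token_bytes(20)
        self.enrolled = 0

    def enroll(self) -> bytes:
        # Every person verified in this cohort receives the same seed.
        self.enrolled += 1
        return self.seed

    def accepts(self, code: str, now: int) -> bool:
        # Allow the current and previous step to tolerate clock skew.
        return any(hmac.compare_digest(code, totp(self.seed, now - k * STEP))
                   for k in (0, 1))


def demo(now: int = 1_700_000_000) -> dict:
    v = CohortVerifier()
    alice, bob = v.enroll(), v.enroll()
    leaked = bytes(alice)  # a copy of the seed on a device that never enrolled
    return {
        "same_code": totp(alice, now) == totp(bob, now),  # users indistinguishable
        "enrolled_ok": v.accepts(totp(bob, now), now),
        "leaked_ok": v.accepts(totp(leaked, now), now),   # checker cannot tell
        "stale_ok": v.accepts(totp(alice, now - 10 * STEP), now),
    }


if __name__ == "__main__":
    print(demo())
```

The property that hides users inside the cohort (identical codes for everyone) is the same property that makes a single extracted seed valid for anyone until the cohort expires.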
It is possible, but the real goal is about removing anonymity altogether
- Sign up for age verification platform and upload your government ID on the platform (let’s call this platform Age Verifier).
- Age Verifier confirms you’re an adult, and lists you as an adult in their system.
- Age Verifier purges your government ID and any PII on you. The only thing they keep is your basic account details and the fact that they’ve confirmed you’re an adult.
- The next time you login to an adult site, you verify yourself by logging into Age Verifier’s platform. The adult site confirms with Age Verifier that you’re an adult, and you’re good to go.
This system probably works, but it’s not without its downsides. We’ll need a way to confirm that your government ID and PII is actually deleted on Age Verifier’s platform. A way to deal with this might be to make sure Age Verifier is never driven by profit so they’ll never need to look into selling people’s data. Maybe it could be run by a non-profit? Or perhaps it can be run by the government? But if you don’t trust the government, that could be an issue.
And I can also see an issue where one guy keeps creating different Age Verifier accounts, verifying that the account is an adult, and then selling that account to people.
It’s only possible as long as you trust the people you’re giving your information to. So…no.
Not true, there are ways to do this privately with cryptography
Zero-knowledge proof. Medium has a practical example, though unfortunately the article logs user data, so beware on that.
I’d say it’s impossible. Minors will ALWAYS find a way around it, even if it involves government IDs. The actual trick is finding if an “are you 18?” box is enough or not.
Depends on how reliable you need this system to be. For example, do you need to handle the scenario where an adult verifies their age to access a website, then lets a minor use that website in their place? That would be a much harder problem to solve than if you just need to verify that an adult was present on the other end at one point in time. For the latter, device-based age verification seems to be trivial to set up from a technical standpoint while fulfilling that criterion.
I’m inclined to say no. Reducing the problem down to its most basic parts: Alice is authorized to talk to Bob, but Bob doesn’t know that. How can Alice prove it?
Bob has to assume that anyone asking to talk to him could be Mallory, who isn’t authorized to talk to him but will always answer “yes” if asked whether she is. So the authorization he gets has to be from a trusted third party; it can’t come from Alice.
Grace is a trusted third party. If Alice doesn’t care about privacy, and is okay with Grace knowing that Alice talked to Bob and with Bob knowing Alice’s identity, Alice can just tell Bob, “here’s proof that I’m Alice. Show this to Grace and she’ll confirm that I can be here.” This is SSO, essentially.
If Alice doesn’t want Bob to know who she is, but is ok with Grace knowing that Alice talked to Bob, she can ask Grace to give her a secret code, and give that code to Bob, who can check with Grace to know whether or not that code corresponds to someone who is authorized.
If Alice doesn’t want Grace to know that she’s talking to Bob, though, she runs into a problem. Because there’s no way for Grace to send Bob a message without knowing who Bob is, he can’t ask anonymously, and because there’s no way for Grace to confirm that Alice is authorized without knowing who she is, Grace will always know that Alice has asked for authentication to talk to Bob.
Adding Dave in as a trusted fourth party could solve the problem—Alice asks Dave to check with Grace, and lock his answer in a bag with a unique key that only Dave has. Then Grace could give the bag to Bob, who doesn’t need to know who Grace is to pass the bag to Dave and ask him to unlock it. But Alice would be trusting that Dave won’t keep records on which bag corresponds to which person.
I don’t think that’s a surmountable problem. I’ll have to think about it some more.
Here’s my idea: Bob gives Alice a token, assigning her a unique random number n. Alice goes to Grace and tells her, “Somebody assigned me number n, can you verify that I’m allowed?” Grace then writes: “User n is allowed, signed Grace”. Alice then takes this letter and shows it to Bob. Bob now knows that Alice is allowed, but nothing else. Grace only knows that somebody wanted to know that Alice is allowed, not who that somebody is.
Of note here: This system does nothing to protect against an allowed user helping a not allowed user to gain access, but I don’t think it’s possible to protect against traitorous users.
That could very well work, yes; but I think that would require Bob verifying Grace’s signature, and that would require trusting that Grace didn’t make a unique signature that she only used for Alice, and making a note of who verified it.
There might be a way to verify those signatures with public keys in a way that didn’t require Bob to tell Grace that he was verifying the signature, which is still rattling around in my brain.
Bob would have to know and trust Grace beforehand. Grace could be the IRS, for example. The idea here being to have somebody who already knows your age vouch for your age.
That’s not about Bob trusting Grace specifically (that’s a premise of the entire operation), it’s about trusting that the letter Alice handed Bob was actually signed by Grace.
Well, if Grace is already well known, then her public key should be available.
That…seems so obvious, now that you say it.
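The nonce-and-letter exchange from this sub-thread, with Bob checking Grace's signature offline against her published key, as an added sketch that is not code from any commenter. The RSA key is a toy constructed here from two Mersenne primes so the example runs without third-party libraries, and `linked` is a hypothetical helper showing what Grace's and Bob's records reveal if compared.

```python
import hashlib
import secrets

# Toy RSA key for Grace, built from two Mersenne primes so the example needs no
# third-party library. Constructed for illustration; far too small to be secure.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q                          # public modulus; (N, E) is what Bob knows
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to Grace


def digest(nonce: str) -> int:
    """Hash of the statement Grace signs, reduced into the RSA group."""
    msg = f"User {nonce} is allowed".encode()
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


class Grace:
    def __init__(self, adults):
        self.adults, self.log = set(adults), []

    def vouch(self, person: str, nonce: str):
        if person not in self.adults:
            return None
        self.log.append((person, nonce))  # Grace sees who asked and the nonce
        return pow(digest(nonce), D, N)


class Bob:
    def __init__(self):
        self.pending, self.admitted = set(), []

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return nonce

    def admit(self, nonce: str, sig) -> bool:
        # Offline check against Grace's public key; Grace is never contacted.
        if nonce not in self.pending or sig is None:
            return False
        if pow(sig, E, N) != digest(nonce):
            return False
        self.pending.discard(nonce)       # single use, so a letter cannot be replayed
        self.admitted.append(nonce)
        return True


def linked(grace: Grace, bob: Bob):
    """People identifiable if Grace and Bob compare records by nonce."""
    return [who for who, nonce in grace.log if nonce in bob.admitted]
```

Grace never learns who Bob is from the exchange itself, but the nonce appears in both parties' records, so the privacy of the scheme holds only while those records are never joined.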
There are tonnes of ways but honestly, the easiest way is to do it at the ISP level. Have an internet connection you don’t want used for adult material? Have an opt in service at the ISP to block XXX rated sites and maybe social media. If you are old enough to pay for your own internet you should not be required to jump through hoops to access what you want, but kids should not be thrown onto the internet without guardrails. Some kids will get around it but it would be an active choice, so most kids would not. And to be clear, this would be done at the ISP level where you already have verification of age built in to billing, so no additional privacy concern. Honestly, the fact that this is not the solution is what tells me all of this filtering is not about protecting kids, it is about centralisation and control along with pork barrelling for age verification companies.
If anyone is doing actual work trying to solve this please DM me, I’m interested in helping.









