this post was submitted on 24 May 2025
671 points (96.8% liked)
Technology
70300 readers
3885 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
How would that work? I'm not well-researched on this particular topic, so I'm curious how that should work.
Key signing maybe?
You get a cert which is cryptographically signed by your government. They can prove its signed with the governments root cert, showing that its someone over 18, but not who.
That being said the key identifiers will probably still be attached to you in some government db, just not on the porn site.
Though the government could force the pornsite to hand over any logged ids. Some people would say that's private, as they trust the government not to do stuff without a judges warrant.
As a trans woman relying on HIPPA to not be put on a list of those on HRT, lmao yeah fucking right. The christian taliban will connect the dots the first chance they get.
This is generally a pretty decent system in concept, but it has some unique flaws.
A similar system is even being developed by Cloudflare ("Privacy Pass") to make CAPTCHAs more private by allowing you to anonymously redeem "tokens" proving you've solved a CAPTCHA recently, without the CAPTCHA provider having to track any data about you across sites.
They know someone who had solved a captcha recently is redeeming a token, but they don't know who.
This type of system will always have one core problem that really can't be fixed though, which is the sale and transfer of authenticated tokens/keys/whatever they get called in a given implementation.
Someone could simply take their signed cert, and allow anybody else to use it. If you allow the government to view whoever is using their keys, but not the porn sites, then you give the government a database of every porn user with easily timestamped logs. If you don't give the government that ability, even one cert being shared defeats the whole system. If you add a rate limit to try and solve the previous problem, you can end up blocking access if a site, browser, or extension, is just slightly misconfigured in how it handles requesting the cert, or could break someone's ability to use their cert the moment it gets leaked.
And even if someone isn't voluntarily offering up their cert, it will simply get sold. I've investigated sites selling IDs and SSNs for less than a dollar a piece before, and I doubt something even less consequential like an ID just for accessing online adult content would even sell for that much.
I've seen other methods before, such as "anonymous" scans of your face where processing is done locally to prove you're an adult, then the result of the cryptographic challenge is sent back proving you're over 18, but that would fail anyone who looks younger but is still an adult, can be bypassed by the aforementioned sale of personal data to people wanting to verify, and is often easily fooled by videos and photos of people on YouTube, for example.
Who under the age of 18 will have money to buy these, and who would be willing to sell them for the pittance teenagers would be willing to spend?
Especially if these get rotated out regularly via a system wide program.
Anyone with at least $0.25-$1, and access to any method of digital payments. (Gift Cards for most retailers, PayPal, Cash App, Zelle, prepaid or non-prepaid debit cards, any cryptocurrency, etc)
Primarily bad actors that obtain the credentials any number of ways, then either directly sell them, or sell them indirectly through third-party storefronts that buy from the bad actors in bulk. Believe me, I've watched hundreds of kids in Discord servers publicly sharing and using sites on the clearweb where they cashapp in a dollar then buy a stolen set of bank credentials and try withdrawing money back to their Cash App account.
I've monitored so many of these sites, and seen how easy it is for anybody, even teens with limited financial payment options, to buy stolen credentials with infinitely more importance and personal security measures taken to keep them safe than something specifically for accessing an NSFW site.
Some of these site owners operate for months before eventually shutting down and re-opening separate storefronts for anonymity, and I know of one who was selling stolen SSNs, IDs, Gift Cards, and assorted accounts, and made, by my estimates, at least a million dollars in revenue every month off items that were almost all within the price range of any child or teenager.
Rotation can help, but doesn't cut off these services from operating. They just sell stuff in smaller, more quickly refilled batches instead of buying large batches and reselling them over longer time periods. It can make prices slightly higher, but in the end it doesn't prevent kids from accessing this content.
But what it does end up doing is creating perverse incentives.
It drives people to even less regulated, more harmful porn sites. It leads to the further stealing of credentials and personal information. It creates databases and online footprints that can be used to blackmail people, and it normalizes giving sensitive personal information to random websites online.
The last thing you want when you're trying to prevent people from getting scammed is to monetarily encourage scamming people out of their credentials and biometric data, while simultaneously making it easier for people to unknowingly hand over credentials and biometrics by normalizing the process.
This is something practically every digital rights organization argues against, and for good reason. It's a generally unsafe system that creates bad incentives and drives people to even more unsafe options.
The best mechanisms by far to prevent kids from being exposed to harmful material, or at the very least prevent them from experiencing much harm from such material is often proper parental controls and general internet monitoring by those parents, good sex education, and parents actually talking with their kids instead of fostering the us vs them mentality that drives many kids to rebel against these restrictions, even when they are to benefit the kid.
That's why news like this is always so upsetting to me. It's a mom who is understandably upset, but instead of taking accountability for leaving a unsecured laptop with access to the internet easily accessible to her kid while not monitoring it at all, she simply puts the blame on the platforms her child decided to access, even though we know she could have done many things herself to prevent this from happening without risking anybody's privacy or safety, unlike what age-gating regulations do in practice.
Oh no I wholeheartedly agree age verification isn't the wrong answer, I was just playing devils advocate on the technological side.
Parents should be parents, it governments shouldn't be getting I. the way of you being just another ghost in the machine.
I don't think I've ever seen a single suggestion of a way to implement age verification that isn't a privacy nightmare. Oftentimes they literally just want a credit card number, the assumption being that a child would never be able to get hold of such a thing.
In some of the worst cases they actually want a passport or other government ID sending to some organisation that would verify you. With all the fun potential data breaches that that would ensue.
Most of the time these rules never get off the ground because privacy advocacy groups basically sue over it and win every time.
That's more or less what I was implying/thinking, there's not really any good way to implement it. Canada almost ended up implementing it and possibly even going as far as to ban porn, but thankfully Poilievre ended up losing the election including losing his own seat.
Tokenization is the easy solution.
You go onto you state gov website and get a token that just says "this is an adult." Nothing else. Token lasts 10 minutes.
Cut and paste into the site. They authenticate without saying who theu are, back to the gov site, "yo, this legit?" State says "looks like something we would do." State keeps no records of WHO validated the token, just that it was a legit token.
Same way that routers connect to VPN services.
How does the state verify that you're an adult and therefore should have a token?
This solution simply seems to be kicking the can down the road
Not at all, this is well established technology already in use all over the place.
When countries use digital IDs, they are able to carve out validating individual aspects of an identity. Just address, just over 18, just class of driver's license, etc.
So the State has a website/wallet where the user pulls a token from the State, basically a fancy hashed OTP/Login code.
The website, which can't derive your identity from the code, sends the code to the state API and can't ask more than "is this hash legit" and the State API doesnt need to say more than "yup."
Where can things go wrong? The State can ask to know who needs the token. Or even demand to know, and log what sites use it. The state can contract this out to a vendor that logs it all, making data theft far more risky.
It all depends on his the state builds requirements.