Zero-knowledge proofs are the way to go for this type of thing; I find it mind-boggling that the US lets itself be bamboozled into complete lack of privacy.
My stance is that if somebody is a minor, his/her/their parents/tutors/legal guardian are responsible for what they can/cannot do online, and that the mechanism to enforce that is parental control on devices.
Having said that, open-source zero-knowledge proofs are infinitely less evil (I refuse to say "better") than commercial cloud-based age monitoring baked into every OS.
With no proof it will protect anyone from proven harm.
That said, government agencies have been doing a terrible job at keeping the private information of citizens safe. But it is nowhere near as bad as the US. My best childhood friend died in very questionable circumstances in 2009 in the US. He had US citizenship and we never really found out what had happened (to the point where we never really got any definitive proof that he had died). But that didn't stop me from trying and I was blown away by the fact that I could log into a US government website, register with a burner mail, pay 2 bucks with an anonymous gift credit/debit card and get a scanned copy of his death certificate in my email. And I didn't even have to provide his passport/id/anything. Just his name.
Point is, the US has been terrible at privacy for as long as I can remember. It is probably worse now with Facebook and Ellison holding TikTok.
When we hear about “zero knowledge” ID checks in real proposals they’re not actually zero knowledge altogether. They have built-in limits or authorities to prevent these obvious attacks, like requiring them to interact with government servers and then pinky promising that those government servers won’t log your requests.
It's billions of lobbying for state surveillance under a smokescreen you bypass with basic human interaction.
And according to the EU Identity Wallet's documentation, the EU's planned system requires highly invasive age verification to obtain 30 single-use, easily trackable tokens that expire after 3 months. It also bans jailbreaking/rooting your device, and requires Google Play Services/iOS equivalent be installed to "prevent tampering". You have to blindly trust that the tokens will not be tracked, which is a total no-go for privacy.
These massive privacy issues have all been raised on their GitHub, and the team behind the wallet have been ignoring them.
Not exactly a good moment for this particular caste of politicians/elites to pretend they care about children's well-being!
The benefit of zero-knowledge proofs is that they hide information about the ID and who it belongs to.
That’s also a limitation for how useful they are as an ID check mechanism. At the extreme, it reduces to “this user has access to an ID of someone 18+”. If there is truly a zero-knowledge construction using cryptographic primitives then the obvious next step is for someone to create an ad-supported web site where you click a button and they generate a zero-knowledge token from their ID for you to use. Zero knowledge means it can’t be traced back to them. The entire system is defeated.
This always attracts the rebuttal of “there will always be abuse, so what?” but when abuse becomes 1-click and accessible to every child who can Google, it’s not a little bit of abuse. It’s just security theater.
So the real cryptographic ID implementations make compromises to try to prevent this abuse. You might be limited to 3 tokens at a time and you have to request them from a central government mechanism which can log requests for rate limiting purposes. That’s better but the zero-knowledge part is starting to be weakened and now your interactions with private services require an interaction with a government server.
It’s just not a simple problem that can be solved with cryptographic primitives while also achieving the actual ID goals of these laws.
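The trade-off described in the comment above, as an added example that is not part of the original thread: a toy RSA blind-signature issuer with a per-holder quota. The key size, the names and the quota handling are assumptions for illustration; it shows what the issuer must log to rate-limit and what a verifying website actually receives.

```python
import hashlib
import math
import secrets

# Toy RSA key built from two Mersenne primes: illustration only, far too small for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
QUOTA = 3  # "3 tokens at a time", the figure used in the comment above

def h(nonce: bytes) -> int:
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big") % N

class Issuer:
    """Hypothetical central issuer that has already checked the holder's age."""
    def __init__(self):
        self.log = {}  # holder_id -> tokens issued: the record the rate limit requires

    def sign_blinded(self, holder_id: str, blinded: int) -> int:
        if self.log.get(holder_id, 0) >= QUOTA:
            raise PermissionError("quota exhausted")
        self.log[holder_id] = self.log.get(holder_id, 0) + 1
        return pow(blinded, D, N)  # the issuer only ever sees the blinded value

def request_token(issuer: Issuer, holder_id: str):
    """Holder side: blind a fresh nonce, have it signed, unblind the signature."""
    nonce = secrets.token_bytes(16)
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    blinded = h(nonce) * pow(r, E, N) % N
    sig = issuer.sign_blinded(holder_id, blinded) * pow(r, -1, N) % N
    return nonce, sig, blinded

def verify(nonce: bytes, sig: int) -> bool:
    """Website side: checks the issuer's signature; nothing in the token names the holder."""
    return pow(sig, E, N) == h(nonce)
```

The issuer's log ties each request to an identity and a count, while `verify` accepts the token from whoever presents it: the rate limit and the unlinkability pull in opposite directions, as the comment argues.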
Once you get this you stop asking why the tech details are the way they are.
Judges in other countries (Texas) found out this kind of law was a violation of Free Speech.
Since when does Free Speech not apply to under-16-year-olds?
Made laws are made, then killed by courts later on.
The only authority that can be trusted to do age verification is the government.
You know, those people who give you birth certificates, passports, SSNs, driver's licenses, etc.
The idea that parental supervision here is sufficient has been shown to be wholly inadequate. I'm sorry but that train has sailed. Age verification is coming. It's just a question of who does it and what form it takes.
Take YouTube, for example. I think it should work like this:
1. If you're not of sufficient age, you simply don't see comments. At all;
2. Minors shouldn't see ads. At all;
3. Videos deemed to have age-restricted content should be visible;
4. If you're not logged in, you're treated as an age-restricted user; and
5. Viewing via a VPN means you need age verification regardless of your country of origin.
It's not perfect. It doesn't have to be.