Age verification and privacy

Age verification on the Internet: what about privacy?

in

Currently, 18+ content is often shielded with a pop-up where the user must certify that they are 18+, something best described as a wash. The European Union is working on a system to improve age verification on the Internet as a temporary precursor to the digital identity card (EUDI wallet). Behind that seemingly simple question “Are you 18 or older?” lies a tricky problem: How do you verify someone’s age without compromising privacy?

What might that look like?

Worldwide, more countries are thinking about this idea or have even introduced it already. In some countries, for example, citizens are expected to upload their passport or driver’s license or have a facial scan performed, something that obviously has huge privacy implications. The system envisioned by the EU is better. It is a derivative, or rather precursor to the EUDI wallet. This is the digital proof of identity that will allow us to identify ourselves online in the future. The age verification system is essentially similar to the wristband system used at festivals: the bartender can tell by the color of your wristband that you are old enough to order a beer, but otherwise does not know who you are.

The system works roughly as follows:

  • You log in to the age verification app through an official entity (for example, a government, your bank or an approved identity provider).
  • That authority gives you a cryptographic proof: for example, “This person is 18 years of age or older.”
  • This proof is separate from the website you want to log into, so the identity provider does not know where you will use this proof.
  • When you go to a website (for example, examplesite.co.uk), you show that proof.
  • The website checks the proof and sees: this person is 18+, but otherwise does not see who you are.

So where is the problem?

That wristband at a festival works fine as long as it is a color-coded number given to every visitor 18+. But imagine it has a unique number. And imagine every bartender writing down that number. In the hospitality industry this would be weird, but digitally everything is logged. At the end of the, the catering manager could ask all the bartenders for the numbers, and know exactly what you ordered where. Combine that with camera footage and you’re suddenly a lot less anonymous.

In the “age proof” system now under development, a proof has a unique characteristic per person. Suppose the owner of examplesite.co.uk also runs viezeplaatjes.co.uk and gokpaleis123.co.uk. By logging the unique attribute, he can see exactly that you came to all those sites. Does he also run a webshop where you buy something? Then he has your name and address information and can link your entire surfing behavior to your real identity.

It would be even worse if a company like Google built a handy plug-in for website owners where they could support this tricky protocol just by clicking “install.” Never mind those cookies: this would be the most robust way of online tracking.

Zero knowledge proof

One promising technique to solve this privacy problem is called zero-knowledge proof. In short, this is a cryptographic way to prove something without revealing the underlying information. Specifically, it works like this: your identity provider generates a digital proof based on your data, but encrypted in such a way that a website can only verify that the proof is valid for “18+,” without learning anything else about you. Each time you create such a proof, it can be constructed differently, so websites cannot link it to previous proofs.

However, the fact that evidence can no longer be traced back to an individual also creates new problems, because how do you prevent someone from lending their wristband to someone else? One solution could be to store the evidence in a secure piece in hardware, but this requires that the majority of EU citizens have a device that supports this, something that is not currently the case. Still, zero knowledge proof seems to be the only way to keep the Internet privacy-friendly. All in all, privacy and online age verification seem to be and especially complicated duo.

Magecart attack claims 8.8 million victims worldwidenpm logoLarge-scale attack on popular npm packages: millions of websites and apps potentially...