Hacker News

microsoftedging, last Monday at 2:37 PM

In principle, not at all. But there is no way to do this properly at all. No matter how secure the companies that do this say it is, it's another possible vulnerability.

You can't play whack-a-mole with the internet. People will always find a way to move smut or whatever on the internet. It takes no time at all to spin up more and more sites, and there's a million ways around them (VPNs, etc).

All it does is just push people to more and more fringe sites, where moderation is likely to be lax and the content more extreme. Ideally it wouldn't be viewed at all, but it's just how the internet is.

It also sets a terrible precedent for censorship: in the UK, we've already seen, on Reddit for example, subreddits dedicated to quitting addictions being age gated, and it'll only get worse.


Replies

jsmith45, last Tuesday at 9:41 PM

The European Commission's proposed interim solution for age verification (ageverification.dev) is actually pretty good vs the shitshow of the US and UK.

It works like this:

1. You contact an age verification provider (e.g., national eID schemes, banks, or mobile operators) and provide proof of identity, which they will verify possibly against government databases or whatever, etc. Once they confirm your age, they will issue you with a bunch of age attestations. At this point you don't even know where you will use these, so that info literally cannot be sent to the provider. The attestations are a JWT-like envelope with a payload conceptually equivalent to `{"nonce": "LARGE_RANDOM_HEX_STRING", "age_over_18":true}`, signed with the provider's public key. (The actual implementation is more complex).

2. This is stored in a local app, which will guarantee each attestation only gets used once (to avoid linking users across relying sites). There is no special authentication of the app in the protocol with the relying site, so you can write your own. The Commission provides an open source reference app. There is a standard protocol for communicating with verification providers; however, it is not mandatory, so using the reference app might not support all verification providers, but should support a variety.

3. When you want to visit some site needing age verification, and you already have a verified account, you just sign in; otherwise, that site will use a standardized protocol to request proof from the app. The app will provide just the attestation token. The relying site does not get any info about your identity, other than the attestation token. Plus of course, the relying party must accept any age verification provider approved by the Commission, not just its preferred one. The EC's solution also supports the app providing the relying site a Zero-Knowledge Proof of having such a token, which makes it possible for the relying site to learn the user's identity even if colluding with the age verification provider.
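The three steps described in the comment above, as an added Go sketch that is not part of the comment and not the Commission's reference implementation. It assumes Ed25519 signatures made with the provider's signing key and checked against its published verification key, a bare JSON payload in place of the JWT-like envelope, and hypothetical names `Issue`, `Wallet` and `Verify`.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Attestation is the comment's conceptual payload plus the provider's signature.
type Attestation struct{ Payload, Sig []byte }

// Issue signs n attestations, each with a fresh nonce and no relying-site data.
func Issue(priv ed25519.PrivateKey, n int) (out []Attestation) {
	for ; n > 0; n-- {
		nonce := make([]byte, 32)
		rand.Read(nonce) // never fails since Go 1.24; check the error on older toolchains
		p := []byte(fmt.Sprintf(`{"nonce":"%x","age_over_18":true}`, nonce))
		out = append(out, Attestation{p, ed25519.Sign(priv, p)})
	}
	return out
}

// Wallet (hypothetical local app) releases each attestation once, so no two
// relying sites ever receive the same token and cannot link a user by it.
type Wallet struct{ Unused []Attestation }
func (w *Wallet) Present() (a Attestation, err error) {
	if len(w.Unused) == 0 {
		return a, fmt.Errorf("no unused attestations left")
	}
	a, w.Unused = w.Unused[0], w.Unused[1:]
	return a, nil
}

// Verify is the relying-site check: the signature must match the key of any
// approved provider, and the signed payload must assert age_over_18.
func Verify(approved []ed25519.PublicKey, a Attestation) error {
	var c struct{ AgeOver18 bool `json:"age_over_18"` }
	for _, pk := range approved {
		if ed25519.Verify(pk, a.Payload, a.Sig) && json.Unmarshal(a.Payload, &c) == nil && c.AgeOver18 {
			return nil
		}
	}
	return fmt.Errorf("no approved provider signed an age_over_18 claim")
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed sample provider key
	a, _ := (&Wallet{Issue(priv, 2)}).Present()
	fmt.Println(string(a.Payload), Verify([]ed25519.PublicKey{pub}, a))
}
```

The relying site only ever handles a random nonce, a boolean and a signature; issuance takes no relying-site input at all.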

notTooFarGone, last Monday at 2:44 PM

> But there is no way to do this properly at all

We have tried nothing and we are all out of ideas?
