Hacker News

mcv today at 5:10 PM

I completely agree. The only services for which I will verify my age (and the entire rest of my ID) are bank accounts and other services involving a real legal requirement for real ID.

The notion that you should upload a passport to random sites for age verification is unbelievably dangerous. That's a recipe for identity theft. And face scanning is also an invasion of privacy, not to mention very unreliable (my 16-year-old son has apparently been accepted as 20 years old).

I've pointed out in many places already that the only way to do online age verification right is for the government to provide an e-ID that the random site will direct you to with the question "is this person older than X?", then you log in to the e-ID site, which informs you exactly what the site wants to know (which should be as rough as possible; no birthdate), then the e-ID site directs you back to your original site (or possibly through a proxy, if you don't want the government to know what sites you visit), and calls their webhook (through a proxy) with the confirmation of your age.

That's also how my online payments work, and this should be the standard pattern for everything that needs to be secure. Not sharing sensitive or personal data with random sites.
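
The flow described in the comment above, sketched as an added example that is not part of the thread: the site asks only "is this person at least N?", the e-ID provider answers with a boolean, and the site checks the webhook's signature, nonce and freshness. The class names, message fields and the HMAC shared secret (in the style of payment webhooks) are assumptions, and the optional proxy hop is left out.

```python
import hashlib, hmac, json, secrets, time
from datetime import date

# Assumption: a shared secret agreed when the site registers with the e-ID provider.
WEBHOOK_SECRET = secrets.token_bytes(32)
MAX_AGE_SECONDS = 300  # assumption: answers older than this are rejected

def sign(body: bytes) -> str:
    return hmac.new(WEBHOOK_SECRET, body, hashlib.sha256).hexdigest()

class EIdProvider:
    """Hypothetical e-ID service: holds birthdates, releases only a yes/no."""
    def __init__(self, birthdates):
        self.birthdates = birthdates  # constructed sample data, never sent out

    def answer(self, user, request, today=None):
        # A real service would first show the user the question and ask consent.
        today = today or date.today()
        born = self.birthdates[user]
        age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
        body = json.dumps({
            "nonce": request["nonce"],
            "min_age": request["min_age"],
            "over_min_age": age >= request["min_age"],
            "issued_at": int(time.time()),
        }).encode()
        return body, sign(body)

class Site:
    """Hypothetical relying party: asks one question, stores no identity data."""
    def __init__(self):
        self.pending = {}  # nonce -> min_age for requests still open

    def start_check(self, min_age):
        nonce = secrets.token_urlsafe(16)
        self.pending[nonce] = min_age
        return {"nonce": nonce, "min_age": min_age}

    def webhook(self, body: bytes, signature: str) -> bool:
        if not hmac.compare_digest(sign(body), signature):
            return False  # forged or altered in transit
        msg = json.loads(body)
        min_age = self.pending.pop(msg["nonce"], None)  # single use blocks replay
        if min_age is None or msg["min_age"] != min_age:
            return False
        if time.time() - msg["issued_at"] > MAX_AGE_SECONDS:
            return False
        return msg["over_min_age"] is True
```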


Replies

EnderWT today at 7:12 PM

There's already a spec for this (ISO/IEC 18013-5) and it's been implemented in a variety of jurisdictions. https://en.wikipedia.org/wiki/Mobile_driver%27s_license

The person gets to see what information the service is asking for and can approve or deny. This'll likely end up being the future of how citizens access government services online.

1970-01-01 today at 6:07 PM

1000% this. Fake info for everything that isn't directly tied to money or government. HN doesn't have my info. Apple doesn't have it. Google doesn't have it. Amazon doesn't have it. Microsoft doesn't have it. They don't care who I really am, and that hasn't, ever never, been a problem for using their stuff. They want your real ID. They do not need it. At all.

shiandow today at 5:30 PM

That very much isn't the only right way, and it is far too close to government tracking activities online. For one it effectively allows governments to disallow someone from accessing the internet.

All this to let you do stuff you were allowed to do anyway.

The problem is handing kids admin level access on a device with full unfiltered access to several communication networks. You do not fix that by demoting everyone's access.

ticulatedspline today at 5:44 PM

Even better would be a solution that didn't require even proxy or direct government log in.

Like if you could be issued an E-id that could perform a local signature/challenge-response that allowed the site to confirm an age bracket (like 12 or below, 13-17, 18-20, 21+), assert the entity that issued the id but not assert a stable identifier (not even pairwise) and not pass any data between other parties.

Obviously not foolproof, credentials can be stolen (same in your scenario) but the site doesn't need to care, they should be legally in the clear. Basically it would let you anonymously assert your age.