Hacker News

jwr today at 11:07 AM

I am now waiting for Gruber (daringfireball.net) to post another rant about how terrible EU regulation is.

Zero-knowledge proofs are the way to go for this type of thing, I find it mind-boggling that the US lets itself be bamboozled into complete lack of privacy.


Replies

cosmos0072 today at 11:22 AM

I am from the EU, and contrary to age verification laws in general.

My stance is that if somebody is a minor, his/her/their parents/tutors/legal guardian are responsible for what they can/cannot do online, and that the mechanism to enforce that is parental control on devices.

Having said that, open-source zero-knowledge proofs are infinitely less evil (I refuse to say "better") than commercial cloud-based age monitoring baked into every OS.

choo-t today at 11:52 AM

Even with ZKP this is still highly problematic: it creates difficulty for undocumented people to access the web, creates a ton of phishing opportunities, reinforces censorship on most sites (as they will now all need to be minor compliant or need age verification), reinforces the chilling effect and makes the web even less crawlable/archivable (or you need to give a valid citizen ID to your crawler/archiver).

With no proof it will protect anyone from proven harm.

gzread today at 12:51 PM

No, the way to go is the California way. The device owner (root user) can enter the age of the user. Restrictions are applied based on that. Nothing is verified.

axegon_ today at 11:31 AM

Though the EU is at large keeping its composure with this. My only criticism towards the EU as an EU citizen is how slow and bureaucratic the EU is and that decisions that should be made on the fly are dragged on forever.

That said, government agencies have been doing a terrible job at keeping the private information of citizens safe. But it is nowhere nearly as bad as the US. My best childhood friend died in very questionable circumstances in 2009 in the US. He had a US citizenship and we never really found out what had happened (to the point where we never really got any definitive proof that he had died). But that didn't stop me from trying and I was blown away by the fact that I could log into a US government website, register with a burner mail, pay 2 bucks with an anonymous gift credit/debit card and get a scanned copy of his death certificate in my email. And I didn't even have to provide his passport/id/anything. Just his name.

Point is, the US has been terrible at privacy for as long as I can remember. It is probably worse now with Facebook and Ellison holding TikTok.

EmbarrassedHelp today at 5:38 PM

Zero-knowledge proofs are only anonymous in theory if you ignore the issue of requiring a third party, and the issue of implementations.

And according to the EU Identity Wallet's documentation, the EU's planned system requires highly invasive age verification to obtain 30 single-use, easily trackable tokens that expire after 3 months. It also bans jailbreaking/rooting your device, and requires Google Play Services/iOS equivalent be installed to "prevent tampering". You have to blindly trust that the tokens will not be tracked, which is a total no-go for privacy.

These massive privacy issues have all been raised on their GitHub, and the team behind the wallet have been ignoring them.

mrob today at 11:49 AM

Zero-knowledge proofs are unworkable for age verification because they can't prevent use of somebody else's credentials.

alecco today at 2:28 PM

You are missing the point. The real purpose is to control the Internet and free speech. They've been trying this for ages. Now the excuse is protecting children. Soon terrorism will be back. And don't forget antisemitism, too.

Not exactly a good moment for this particular caste of politicians/elites to pretend they care about children's well-being!

ori_b today at 2:11 PM

The way to go for this kind of thing is to not go for this kind of thing at all.

totetsu today at 1:01 PM

Seeing as this affects everyone .. Is there anything like an Open Collective .. grassroots consortium, to put together strong sensible zero-knowledge proof based policy examples that could be given to law-makers instead of this shadowy surveillance Trojan horse nonsense?

keybored today at 12:32 PM

Two billion in lobbying. And the conclusion is that regulation is the problem?

Aurornis today at 3:08 PM

> Zero-knowledge proofs are the way to go for this type of thing,

The benefit of zero-knowledge proofs is that they hide information about the ID and who it belongs to.

That’s also a limitation for how useful they are as an ID check mechanism. At the extreme, it reduces to “this user has access to an ID of someone 18+”. If there is truly a zero-knowledge construction using cryptographic primitives then the obvious next step is for someone to create an ad-supported web site where you click a button and they generate a zero-knowledge token from their ID for you to use. Zero knowledge means it can’t be traced back to them. The entire system is defeated.

This always attracts the rebuttal of “there will always be abuse, so what?” but when abuse becomes 1-click and accessible to every child who can Google, it’s not a little bit of abuse. It’s just security theater.

So the real cryptographic ID implementations make compromises to try to prevent this abuse. You might be limited to 3 tokens at a time and you have to request them from a central government mechanism which can log requests for rate limiting purposes. That’s better but the zero-knowledge part is starting to be weakened and now your interactions with private services require an interaction with a government server.

It’s just not a simple problem that can be solved with cryptographic primitives while also achieving the actual ID goals of these laws.

attila-lendvai today at 12:05 PM

it's not about protecting children. that's only the PR.

once you get this you stop asking why the tech details are the way they are.

zoobab today at 2:25 PM

"how terrible EU regulation is"

Judges in other countries (Texas) found out this kind of law was a violation of the Free Speech.

Since when does Free Speech not apply to -16y olds?

Made laws are made, then killed by courts later on.

jmyeet today at 1:55 PM

Not sure what the Gruber thing is about. I guess I lack context. But on ZKP, I will agree but add this:

The only authority that can be trusted to do age verification is the government.

You know, those people who give you birth certificates, passports, SSNs, driver's licenses, etc.

The idea that parental supervision here is sufficient has been shown to be wholly inadequate. I'm sorry but that train has sailed. Age verification is coming. It's just a question of who does it and what form it takes.

Take Youtube, for example. I think it should work like this:

1. If you're not of sufficient age, you simply don't see comments. At all;

2. Minors shouldn't see ads. At all;

3. Videos deemed to have age-restricted content should be visible;

4. If you're not logged in, you're treated as an age-restricted user; and

5. Viewing via a VPN means you need age verification regardless of your country of origin.

It's not perfect. It doesn't have to be.