alt Hacker News> Any "verification" means unacceptable privacy violations.
So I'm not necessarily arguing for age controls here, but purely on a technical level what do you think of schemes like Verifiable Credentials, which delegate verification to third parties that have already established your identity?
In theory you can set up a system that works like this:
1. User goes to restricted site and sets up an account
2. Site forwards them on to a verification service with a request "IsOver18?"
3. User selects their bank from a dropdown on the broker site
4. Broker forwards them to the bank, with a request "IsOver18?"
5. User logs in and selects "Sure, prove I am over 18 to this request"
6. Bank sends a signed response to the broker "Yep"
7. Broker verifies and sends its own signed response to the site "Yep"
8. The site tags the account as "Over 18 Status verified"
In this situation, the restricted site doesn't get anything other than a boolean answer from the broker. The broker can link a request to a given bank but doesn't get anything that gives away your identity. The bank knows your identity and that it has approved a request, but not necessarily where the request came from.
Replies
User installs a browser extension which forwards the request to everyoneisover18.com, owner of that site has a script set up to log into their bank and pass the verification challenge
Verification broker tracks sites which make requests and records it attached to personal data. Site either sells or leaks personal data along with history of all sites visited which require age verification.
Also your solution requires a bank account, not something everyone has. Many do, but not all. Also the bank may not know "which" site you are visiting, but it does now know you are visiting sites which require age verification and how often.