> buy a card with a UUID from anywhere that sells alcohol/tobacco that is valid for some period of time

Exactly, prepaid phone cards with point of sales activation (to eliminate large scale theft incentive) is nothing new. Once activated, the validity of the token can be like 6 months or one year, and at-most-once-per-domain schema can be managed by the issuing authority if they want.

Instead of a 100 phone minutes, 300 phone minutes card you just buy "I'm over 16", "I'm over 18" cards. It's simple UX.

> buy a card with a UUID from anywhere that sells alcohol/tobacco that is valid for some period of time. most people are comfortable with flashing their ID at the clerk. the UUID card is non-identifying.

It can be implemented in a privacy-preserving way online: your government gives you tokens that prove that you are above age and that they provably cannot track. That's the exact equivalent.

I believe that the other measures (remote attestation and such, the ones we hate) come when we try to make absolutely sure that you don't give/sell that UUID to someone else. But IMO we should just forget about doing that. Just like an adult can, today, buy cigarettes and porn and give them to a kid.

> buy a card with a UUID from anywhere that sells alcohol/tobacco that is valid for some period of time. most people are comfortable with flashing their ID at the clerk. the UUID card is non-identifying.

This could be a good system if it's set up right. There's still some risk of being tracked if it isn't though. IDs could be linked to the cards at the time of purchase if retailers scan the drivers license, then scan the card creating a record that card #XXXXX was purchased using driver's license # XXXXX

Even if retailers aren't scanning the drivers licenses and collecting data that way, the cards and codes on those cards can be tracked and traceable to a retailer. That's how things like calling cards have been tracked. Say for example someone uses the code on a card to access a website, the police can match the code that was used to the serial number of the card, look up which retailer that card was sold at, and can then access security camera footage at that retailer to identify who bought the card from that location. This would also let them passively generate lists of IP addresses/device IDs matched to websites and specific retail locations over time.

> buy a card with a UUID from anywhere that sells alcohol/tobacco that is valid for some period of time

Why should I pay continuously to prove I'm an adult? And those cards will be getting sold to kids faster than you can blink. I bet a lot of parents would buy them for their kids.

> UUID card is non-identifying.

Kids aren't going to trade Pokemon cards in the playground anymore...

I'm just left wondering, how would that be different than buying a phone? Most kids also don't have money to spend on devices, that's all coming from adults, how would the UUID work any different? In my view it seems we'll just reach the current state as with phones.

And honestly, all these should ultimately just be done client side in the browser. After the browser has verified "User is x or user is over 21" there's no reason to then send that information to the website.

Let websites issue a "window.isUserOver(16)" call once and then move forward based on the response to that query.

> - websites issue content tags, browsers consume them, you enter your age into the OS during setup.

Why would that be acceptable though? What if a user does not trust the operating system? Even Linux may not be safe in the future, what with age sniffing coming by Red Hat integrating it into system already. And Red Hat plans more - xorg is abandoned on purpose, for instance.