The article talks about the possibilities of malicious cloning of these tokens by third parties, but fails to identify the much more common use case, and one that makes this scheme useless for age verification.

It's one thing to be concerned about someone stealing my credential, but another to prevent the transfer of these credentials, especially if they are limited use credentials.

The entire point of age verification systems is to prevent minors from accessing certain resources. I think we all know that this is basically impossible; but what these various governments and social media companies want to do is to make it high friction to do so.

The highest friction version of this is that the credential ties to a real world identity somehow; maybe locked behind legal barriers, etc., but if a minor is caught using someone's credential, then the person whose credential they are using can be investigated, and, if necessary, charged with a crime roughly equivalent to providing alcohol to a minor. Without the possibility of real world enforcement, none of these identity solutions can possibly work.

Keep dreaming of a technological solution -- there is none that does not lead to the world that FIRE is warning about, except to accept that we can only make a solution "good enough" and leave it at that, without expanding into full on identity verification. The solution here is likely to just try to provide better abilities for parents to monitor and limit their children's use of the internet. Let individual parents decide on the level of harm that they are willing to accept, and accept that there will be ways to work around this even if parents are vigilant, but just try to reduce it on the margins.

There is a much easier solution that already exists - parental controls on children's devices. I honestly don't understand why is it not solving the problem?

Yes, parents are responsible to set this up. But parents are also responsible to lock their alcohol, drugs or guns, condoms, etc., and many other things.

Perhaps parental controls are not good enough? That's where the regulation could genuinely help - require child-certified devices to implement minimum set of parental controls, and make them easy to use.

I wouldn't trust governments, today or in the future, to keep such a system private and I don't see a foolproof way of building some kind of audit mechanism into it to make sure the data is always truely private.

I've also always been curious how a truely anonymous identity verification could possibly work. At best for age verification, I could be given some kind of token that would still have to verify my age and be verifiable with a central authority to ensure my token is valid. The central authority could always keeper records of my token, revoke it whenever they please, and every entity that can verify the age associated with, or embedded into, the token knows at least some of my PII.

By some stroke of luck, the NZ government recently put into place a robust privacy-preserving framework for digital identity [1].

They just launched the GOVT.NZ [2] app, and it contains a wallet that can store digital credentials. It's built by a local company called MATTR [3], who specialise in trust technology and exotic cryptography like zero-knowledge proofs. The first credential available this year will be a mobile drivers license, and we'll then be able to prove things about ourselves like whether or not we're over 18 (according to an accredited institution), completely privately over the internet and without sharing any other information.

I'm cautiously optimistic about the direction our digital ecosystem is heading in NZ :')

[1] https://www.publicservice.govt.nz/about-the-commission/gover...

[2] https://www.digital.govt.nz/digital-government/key-areas-of-...

[3] https://mattr.global/

>Modern versions of this technique allow one to associate metadata (like a proof of age exceeding a threshold) in such a way that the verifier can't even correlate repeated requests across users.

If it's unlinkable, what's preventing someone from setting up a site that hands out anonymous tokens for anyone to use?

I don't think they are serious about privacy and even if they were I don't even want to distinguish between "children" and "adults" on the internet. Things seem to have worked fine up to this point, there doesn't appear to be a public demand for age verification, rather some murky corporations/NGOs/agencies pushing for this. I think it's pretty clear there is some other intention besides protecting children that is the goal here.

As you say, it's doubtful governments want it to be private. So we should expect them to not use these kind of elegant solutions, and the public is generally not sophisticated enough to distinguish between the options already.

Zero Knowledge Proofs are worthless for this.

Either they validate so little information that a single homeless person can authenticate the entire country or they validate so much information as to not have a significant privacy guarantee.

There is no in-between for ZKP validating someone's age.

The problem is that you still have to trust something you don't control and can't verify that the technological solutions are correctly implemented and applied.

This seems to come up in every discussion, in practice it’s irrelevant both because it’s too complicated for normal people to understand, and because the point of all this nonsense really is identification so anything that defeats that will be a non starter.