It depends on the implementation. The EU's European Digital Identity Wallet will allow users to prove that they are over 18 without sharing any other personal information.
So, that's not anonymous then. Because it allows tracking across multiple accounts, some of which are associated with your name. An unchanging proof of age is pretty much just another name for a government ID number.
Not necessarily. In theory, the attestation that someone is of age can be provided by a central service. The central service does not need the website account information to provide a non-fungible certificate, that you show to your service that has no way of knowing who you are from the certificate. All it needs to ensure is the certificate is used only once per account.
You can then prevent certificate forging by forwarding a cryptographic hash of the requester identity (generated by the website client), which will be included in the cert body so the website can verify the attestation was generated for this specific request, and it cannot be randomly reused.
Of course this doesn't solve the problem of using your grandma's id to bypass age restrictions, but I think that problem is worth the cost of privacy gains from corporations not validating IDs directly and screwing up like Discord's vendor did here.
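The request-bound attestation described in the comment above, as an added example that is not part of the original thread. The names `issue` and `Website`, the field names and the 300-second lifetime are assumptions, and HMAC stands in for the issuer's signature so the code runs on the standard library (a real issuer would sign with a private key and the website would verify with the public key).

```python
import hashlib, hmac, json, secrets, time

ISSUER_KEY = secrets.token_bytes(32)  # stand-in for the issuer's signing key (assumption)

def issue(request_hash, over_18, ttl=300, now=None):
    """Issuer side: the body holds only the claim, the request hash and an expiry."""
    now = time.time() if now is None else now
    body = json.dumps({"over_18": over_18, "req": request_hash, "exp": now + ttl},
                      sort_keys=True)
    sig = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

class Website:
    """Relying party: binds each attestation to one pending signup."""
    def __init__(self, site):
        self.site = site
        self.pending = {}      # account -> request hash awaiting an attestation
        self.verified = set()

    def start_signup(self, account):
        # Hash of a fresh per-signup nonce: the issuer never sees the account name.
        nonce = secrets.token_hex(16)
        digest = hashlib.sha256(f"{self.site}|{nonce}".encode()).hexdigest()
        self.pending[account] = digest
        return digest

    def accept(self, account, cert, now=None):
        now = time.time() if now is None else now
        expected = self.pending.get(account)
        if expected is None:
            return "no pending request"      # already used, or never requested
        good = hmac.new(ISSUER_KEY, cert["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(good, cert["sig"]):
            return "bad signature"
        body = json.loads(cert["body"])
        if body["req"] != expected:
            return "wrong request"           # issued for some other signup
        if body["exp"] < now:
            return "expired"
        if not body["over_18"]:
            return "under age"
        del self.pending[account]            # single use per account
        self.verified.add(account)
        return "ok"
```

The certificate body carries no identifier for the person, so what the website can check is only the binding to its own request hash, the expiry and the issuer's signature.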
Either the certificate is the same every time and therefore it's an identifier.
Or the certificate isn't the same every time and therefore you can generate a whole bunch of them and give them out for $2 apiece.
Or the certificate isn't the same every time and also isn't anonymous so they can trace who's doing that.
You don't have to reuse the same certificate for several requests. You can get a new one for every request, for every person who is asked to verify their age and pays you $2, and if they're actually anonymous, there's no way to know you did this. Is a rate limit part of the proposal? Can I only sign up to one adult service per week?
Unless you meant the requester's real identity, in which case... we're back to not anonymous.
I did, except for this bit that you added in an edit:
> You don't have to reuse the same certificate for several requests. You can get a new one for every request, for every person who is asked to verify their age and pays you $2, and if they're actually anonymous, there's no way to know you did this. Is a rate limit part of the proposal? Can I only sign up to one adult service per week?
This is trivially easy to detect at the attestation service. If someone is trying to repeatedly (and programmatically) use the same personal ID to generate attestations for different request IDs in a short time frame, you can throttle them, flag them, revoke their cert, whatever.
Again, the service host and request id are part of the certification request, so you can easily separate a legitimate signup for multiple different websites from suspicious multi-signups to the same service for the same govt id.
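One way the issuer-side check described in the comment above could look, as an added example that is not part of the original thread. It assumes the issuer sees a hashed personal ID, the service host and the request ID for every request; the class name and all three thresholds are hypothetical policy values.

```python
from collections import defaultdict, deque

WINDOW = 3600       # seconds of history considered (assumed policy value)
MAX_PER_HOST = 2    # attestations per ID for one service host per window (assumed)
MAX_HOSTS = 10      # distinct service hosts per ID per window (assumed)

class AttestationThrottle:
    def __init__(self):
        # hashed personal ID -> deque of (timestamp, service host, request ID)
        self.events = defaultdict(deque)

    def check(self, id_hash, host, request_id, now):
        """Return 'issue', 'flag' or 'throttle' for one attestation request."""
        q = self.events[id_hash]
        while q and now - q[0][0] > WINDOW:
            q.popleft()                      # drop events older than the window
        same_host = sum(1 for _, h, _ in q if h == host)
        hosts = {h for _, h, _ in q} | {host}
        if same_host >= MAX_PER_HOST:
            return "flag"       # many request IDs for the same service: suspicious
        if len(hosts) > MAX_HOSTS:
            return "throttle"   # unusually wide fan-out across services
        q.append((now, host, request_id))    # only issued attestations are counted
        return "issue"

def demo():
    """Constructed sample traffic: one normal user, one reseller-like pattern."""
    t = AttestationThrottle()
    normal = [t.check("id-A", h, f"a{i}", 100 + i)
              for i, h in enumerate(["forum.test", "shop.test", "video.test"])]
    repeat = [t.check("id-B", "video.test", f"b{i}", 200 + i) for i in range(4)]
    return normal, repeat
```

Signups to several different services pass, while repeated request IDs for the same service under one personal ID are flagged once the per-host limit is reached.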
So the government can tell I'm signing up for pornhub i.e. not anonymous. Also pornhub would need a government approval to operate or they'd just block their requests (and possibly arrest me for using an illegal service). I'd think we'd want service providers to also be anonymous without requiring government approval.
Grandpa isn't interested in Discord, so you can open a second account using his Proof of Age. Maybe a third account, using Uncle Ned's. And a fourth account, using...
I think I'm fine with that tradeoff between effectiveness of age gating vs privacy gains of not having IDs sent over to corporations. To me, identity theft by targeting large stores of government IDs is orders of magnitude worse than a teenager accessing NSFW channels every now and then.
I'm not defending age verification's existence in the first place btw, I don't think it's a good idea without secure protocols of central attestation for such things. But of course, governments aren't interested in solving the harder more valuable problem, they're interested in shifting the responsibility to corporations while crying foul.
“Linkability is especially problematic because untrusted entities, such as attribute providers and relying parties acting together, can correlate and link auxiliary information to the same user, thereby breaching privacy and enabling tracking, profiling, or de-anonymisation.” [1]
That’s assuming EUDI never gets breached — but if Google and every major tech company has been, it’s only a matter of time, but this will have way more personal info ....
I've been using discord for 5 years and never uploaded my ID … And I don't want discord (or any other company) to know my age, or any other identification ...
For sure, but with the EU system you'd just give discord an expiring certificate that proves you're over 18. They can leak that all they want, it's worthless otherwise. Right now you have to upload your actual ID which is obviously extremely dangerous if leaked. So yes, even though there are obvious problems that you mentioned, the EU implementation is better.
Again, for sure and I agree with you - but we're talking about institutions that already have our IDs in some form or another, so just asking them to issue a certificate that says "yeah this user is actually over 18" seems like a no brainer functionality on top of an existing system. Like obviously our government office has a copy of my passport and ID card, but if those leak then we have a much bigger problem as a country.
> we're talking about institutions that already have our IDs in some form or another
The issue isn’t who already has our IDs, it’s that EUDI introduces new auxiliary information (public keys, signatures, revocation identifiers) that create globally unique, linkable identifiers.
Even if the same institutions issue the wallet, each transaction generates additional personal data that can be misused for tracking and profiling, far beyond the data already stored in government registries.
Right, and I'm firmly in the camp that everything on the internet should be both anonymous and accessible to anyone from anywhere.
But clearly this isn't the way the internet is going. As much as I hate it, it seems inevitable that globally every government is introducing at least a requirement for websites to check the age of their users.
So right now this can be done (here in the UK anyway) either by scanning your ID with a 3rd party provider who "promises" to delete it straight away, or by linking your bank account (yes, I'm definitely going to do that to go on pornhub, 100%). Both methods have the problems you mentioned + the additional risk of leaking my personal details because they are getting more info than they need to fulfil their legal obligations.
But if the government could just issue me an expiring cert that says "yep, this user is 18", without any of my other data on it... then that's vastly preferable to having to scan my passport or driving licence to browse reddit or discord or whatever? Like yeah, maybe someone could still track it somehow (don't see how if every certificate has a unique ID and doesn't contain any identifiable info other than "yep this is a valid certificate and yes the user is over 18", but let's just say they can), but at least my IDs are not at risk of being leaked anywhere.
That is not true, EUDI is a security problem instead of a solution. It is trivial to correlate the info and there is a critical path where a breach would expose even more.
Best security: Don't collect. Nothing comes close, not even the best ZK setup.
Also, as a European citizen I really don't want it. Ironically governments aren't mature enough for that.
You're describing a CBDC, not a coin. Why isn't it being done? Because commercial banks are vehemently against that. The current administration in particular will never go against the big banks.
Sodium-ion batteries have extremely good performance in low-temperature environments. CATL is working on sodium-LFP dual-power batteries to get the best of both worlds:
China was a big solar exporter before it was a big solar installer. China had a small solar manufacturing capacity in 2003. By 2008 it was number one in the world for solar manufacturing and it has remained there since:
Before that, solar power was too expensive for large scale use inside China. Chinese renewable energy growth was mostly hydropower and wind before 2013. Now of course China is by far #1 in yearly solar power installations as well as solar manufacturing, and that in combination with electric vehicle adoption is helping to curb oil demand:
"China’s electric car revolution hammers demand for oil"
Heating generally uses much more energy than cooling, and even more so if something is burned.
However, it's true that places with low heat pump adoption tend to have few ACs. For example, ACs are rarer in Germany than in Norway, despite Germany being warmer.