It's clear these "age verification" bills will just keep coming and it's a losing battle to try and oppose each individually.
Instead (or rather in addition to) activism we should go at it from the other end and request the introduction of a verifiably independent authority and zero knowledge protocol that will deliver a cryptographically secure boolean bit (isOver18) with no way to correlate from either end the ID or which website the bit is used for.
The alternative is IDs get collected by all these horrendous privacy fiends and sold / leaked / monetized across the board, which sounds like a dystopian nightmare.
Solutions based on zero-knowledge-proofs would solve the privacy aspect at the massive cost of killing general purpose computing as we know it today, by mandating the use of remote device attestation (as that is the only way to guarantee an otherwise fully anonymous token is not being sniffed and passed onto someone else). That would be in my opinion significantly more dystopian than every service having a copy of my ID, as it would lay the groundwork for corporations and governments to be able to dictate what you can and cannot do exactly with any internet-connected device.
It's not hard for instance to imagine that once every computing device available to the general public is locked down and cannot be jailbroken without also losing the ability to log into any online service, a law would be introduced requiring client-side scanning of all files to check for CSAM, evidence of political dissent or even just plain old movie piracy. The technology to implement this exists (see what Apple tried to do a few years ago) and the exact same legislation is currently being pushed in the 3D printing space, so these fears are not unfounded.
In the farthest along systems, such as the one the EU has been working on for a few years and is now field testing, you only need to have one secure device to store your digital ID, which in the first version will be a smart phone. If you want to use a site that requires proof of age from some other device like a desktop computer or a public computer in a library you can do the age verification on your phone.
I'm not an expert in this area, but I thought blockchain and things like zk-SNARKs solved this.
I agree that if remote device attestation comes bundled in, it's worse overall.
But are we just SOL then? How long before Cloudflare integrates, and then ISPs? What is left of the internet? Are we all going to run pirate LoRa nodes and other such things to get some free (as in freedom) internet?
> Are we all going to run pirate LoRa nodes and other such things to get some free (as in freedom) internet?
I will, if it comes down to it. I wouldn’t love to return to the 1980s with pirate BBSes and floppynet, but I already lived through it and survived. There would be a certain romance to it, like old hacker movies, maybe it would even make cyberpunk cool again.
(To be clear, it would still suck and we should fight this. But even if we lose a battle, the war is eternal.)
I would propose a variant of RFC 3514, where adult-related packets have a specified bit in the IP header. Simpler and you can filter it at the firewall.
Instead (or rather in addition to) activism we should go at it from the other end and request the introduction of a verifiably independent authority and zero knowledge protocol that will deliver a cryptographically secure boolean bit (isOver18) with no way to correlate from either end the ID or which website the bit is used for.
The alternative is IDs get collected by all these horrendous privacy fiends and sold / leaked / monetized across the board, which sounds like a dystopian nightmare.