Please stop saying "Brussels" to mean the EU. It's a nasty trick to give the idea that it's some kind of external entity forcing your country to do something. It's not. It's an assembly. And it's insulting to people from Brussels. I don't want this any more than you do.
It’s very common throughout English. The Russian government is refered to as Moscow, US as Washington. It’s the same and doesn’t refer to residents. It’s known as synecdoche.
No, it is not quite the same as Moscow and Washington are capitals of centralised states who give orders to the whole nation.
The EU on the other hand does not have a common constitution, army etc. so is not a real state (yet). It is made up of soveraign nations who come together debate and decide there, but then it is still up to the members to implement that.
So the transition to the EU as one state is happening, but might never complete.
The European Commission is in fact empowered to boss member states around, it's one of the things that give EU law teeth rather than it being like "international law" (unenforceable anarchy). It also acts much like a government (in the sense of executive, not in the sense of state) when it comes to EU lawmaking, and has various government-like powers in fields like competition law for example. And the European Commission is based in Brussels. Saying "Brussels" to refer to Commission activity is as natural as saying "London", "Downing Street", "the Cabinet Office", "Whitehall" etc to refer to British government functions. And that's without getting into all the other EU institutions that are based there!
It is true that the EU institutions are ultimately subordinate to the member states in a way that, say, the US federal institutions are not, but the EU is still very much is its own thing. It even has legal personality these days: you can sue the EU and the EU can sue you.
It doesn't imply that the EU is one state. It's just the place where the decisions are made. If Brussels didn't like anyone knowing that, I'm sure other cities in the EU would happily take the gobs of free money showered on wherever the EU is headquartered.
Spoiler, the parliamanet moves once a month between Brussel and there. That's how centralized the EU is, we cannot even decide on one fixed place to meet and decide.
I’m not sure you realise that this is a far more generic rhetorical phenomenon that encompasses all kinds of situations. Like referring to the FBI as Quantico.
It's usually used in place of a person/active participant in something.
So ‘Brussels suffered a deadly fire’ will always refer to the city. ‘Brussels decides on new aircraft regulations’ will almost always refer to either the city government, the Belgian government, or the EU Parliament headquartered there. Brussels is just an exceptional case because there is so much based there, as opposed to the Hague or the Vatican.
Being belgian I thought that the city of Brussels did something. Using the term EU is more precise I guess in this case. For us, Brussels is just a town in our country, not the EU or representing the EU.
It's also very common inside the EU. Brussels is not an internal entity either, it's seen as distant eurocrats by most EU citizens. Only those interested in EU funds know about them really. It's not seen as a representative assembly
It definitely forces countries to do things they want to do, generally via compliant leadership of those countries. See the last 15 years of UK voters being worried about immigration levels, vs immigration levels.
The assembly seats in Brussels, so the decision comes from Brussels (geographically).
It doesn't imply that people from Brussels are the ones to decide, not everyone has the same idea anyways. Though, as citizens of a EU member state, they have some responsibility, at least indirectly.
| "The saga is turning into a PR disaster for Brussels. "
imo: mostly because the Author wants it be a disaster.
The App has not launched, they published the source code in order to invite external review. I dont have time to every claim, but e.g. this [see quote below] seems to be blown out of proportions to me - the app fails to delete a temp. image, which results in a selfie being stored indefinitely(?) on the internal disk of your device - if an adversary has access to the internal disk of my phone, they can also just access the photo roll.
"For selfie pictures:
Different scenario. These images are written to external storage in lossless PNG format, but they're never deleted. Not a cache... long-term storage. These are protected with DE keys at the Android level, but again, the app makes no attempt to encrypt/protect them.
This is akin to taking a picture of your passport/government ID using the camera app and keeping it just in case. You can encrypt data taken from it until you're blue in the face... leaving the original image on disk is crazy & unnecessary."
Not immediately deleting the selfie is a pretty fundamental and egregious mistake to make. People are particularly sensitive to selfies not being handled correctly after Discord lost thousands of them, despite promising to delete them after age verification occurred (and then not doing so) https://www.bbc.com/news/articles/c8jmzd972leo
The damage is limited because the selfie is only retained on device, but it still does not signal competency from the EU to fail at the most basic hurdle of disposing of the selfie once verification is complete.
>Discord lost thousands of them, despite promising to delete them after age verification occurred (and then not doing so)
This is misleading, yet everyone seems to repeat it. Discord's implementation of ID verification did not retain IDs. Reporting on this was so poor, but what appears to have happened was that people that failed age estimation / ID checks had to raise a support ticket and get manually reviewed. That support platform was pwned and the active support tickets were leaked. Who knows how long these support tickets were set to live for, but up to 70,000 active tickets getting leaked feels like a drop in the bucket. It's also not immediately clear to me what the alternative is (other than not getting hacked), when you require human intervention to review problematic IDs. Even if the ID only lived on their server for 24 hours during manual review, across a userbase of >200 million users, that's a lot of IDs at risk at any given moment, especially during these initial roll outs of age verification.
This is a distinction without a difference. Users were assured their selfies would not be retained and they were. Discord then proceeded to lose those selfies to bad actors, after promising not to retain them. The incident has caused enormous distrust of all age verification systems, which were already starting in the mind of the community from a base level of skepticism. It's already highly invasive to take a photo of yourself, but then the user must trust that the organization on the other end will handle it appropriately. To have that trust so conspicuously broken poisons the well for all other age verification systems and websites that are legally compelled to use it, or face penalties from aggressive organizations like OFCOM. Website operators are placed in an impossible position, where they must use these deeply unpopular technologies or face severe fines.
Welp, this ship has sailed, corporations and governments have data hoarding addiction. They might not yet ask where your grandpa lived 57 years ago, but they seriously ponder this idea how to extort it from you of where else to get this data.
Oh God not this stupid tweet again. He's "hacking" it from a rooted phone. You can't just willy nilly edit those files like that on a normal phone. Fml I would've written a CN under that.
The point of this is that you can use the credentials on your phone to prove that you are an adult to a website using zero-knowledge proofs to avoid disclosing your identity to anybody.
If somebody who has access to your unlocked phone can access the data in the app, then this is something that should be tightened up but it’s a substantial privacy improvement over the far more commonplace option of uploading your ID to every website that wants to know if you are an adult.
> The point of this is that you can use the credentials on your phone to prove that you are an adult to a website using zero-knowledge proofs to avoid disclosing your identity to anybody.
It is my understanding that this is not possible. I would be happy to be shown to be wrong, but to me it seems like you can either prevent people from lending out their credentials, or you can preserve the anonymity of the user, but not both.
You can use 0KP to prove you have a signed certificate issued by your government that says you are an adult, but then anyone with such a certificate can use it to masquerade as however many sock puppets they like and act as a proxy for people who aren't adults. You can have the issuing government in the loop signing one-time tokens to stop Adults-Georg from creating 10k 18+ attestations per day, but then the issuing government and the service providers have a timing side-channel they can use to correlate identities to service users. Is there some other scheme I'm missing that solves this dilemma?
> It is my understanding that this is not possible. I would be happy to be shown to be wrong, but to me it seems like you can either prevent people from lending out their credentials, or you can preserve the anonymity of the user, but not both.
This is not designed to prevent adults from coöperating with minors; that makes no sense as a design goal because any technical measure can always be bypassed with “download this for me and give me the file”. This is designed to prevent minors from being able to access systems without an adult.
Nothing prevents an adult from buying alcohol on behalf of minors; that doesn’t mean laws that prevent minors from directly buying alcohol are useless.
But laws against selling/giving alcohol to minors are moderately successful at curbing teen alcohol use because they carry with them a risk of punishment that grows with the scale of the operation. If all it took was one adult who thought "kids should be allowed to drink if they want" to provide all the kids in the country with free booze and that adult had no meaningful fear of repercussions, the laws would be nothing but sternly worded advice.
If the proof of adulthood scheme is truly anonymous, one adult with some technical chops who thinks "kids should be allowed to watch porn if they want" would be able to, say, run an adult-o-matic-9000 TOR hidden service that anyone can use to pinky promise that they are an adult without fear of repercussions. If such a service comes with a meaningful risk of being identified and punished, it is by definition not anonymous.
I suppose I'm just not convinced giving up some basic liberties for a law that converts into sternly worded advice if just one adult chooses to break it is a great idea.
> You can use 0KP to prove you have a signed certificate issued by your government that says you are an adult, but then anyone with such a certificate can use it to masquerade as however many sock puppets they like and act as a proxy for people who aren't adults
The certificates in question can use a few mitigations: short lived, hardware stored (in a TPM, making distribution harder), be single use, have a random id which the service being accessed can check how many times has been used.
> but then the issuing government and the service providers have a timing side-channel they can use to correlate identities
That's not reallya concern, IMO. That would always exist as a risk - most people would probably have a flow of trying to do something, having to prove ID/age, doing that step, continuing with the something, which means you'd probably be able to time correlate the two sides quite often. The solution here is legal with strong barriers, not technical.
Precisely. To rate-limit attestations you either need government somewhere in the loop so that they get notified and can revoke certificates when they detect abuse (but then they can correlate requests to prove adulthood with the service provider), or you need the proof of adulthood to be tied to the certificate in some way that the service provider can tell if a certificate is being re-used. But then anyone with a copy of all the certificates (read: the government) can re-run the proof on their end and figure out who is who.
The app would be restricted to environments certified by Apple or Google. Then the app can apply features like trusted time to implement client-side rate limiting.
Can you give a brief explanation of how this is done with a zero-knowledge proof? That site is low information and painful to navigate, and it seems quite surprising to me that this is possible. ID verification, in the government sense, is ostensibly going to require matching an ID against a some other resource. If done locally then you can trivially spoof the result, akin to hacking a game, but if done remotely then it's not zero-knowledge.
I think a zero-knowledge system here would be quite desirable. But a centralized repository that is e.g. maintaining tabs on every single adult-authorization for every single person with verifiable details of them is, by contrast, a dystopic disaster waiting to happen because it will be hacked, leaked, and abused, sooner or later.
A nitpick I have about contemporary descriptions of tech is that it tends to be heavily polarized. It's either 'here is how it works' in a way that is dumbed down to the point of meaningless, or 'here is the source code and white paper' in a way that is so esoteric that it again is largely meaningless if you don't intend on spending an afternoon deep diving the topic.
For some contrast this [1] is an infographic from NASA about the Apollo program in the 60s. Enough details to inform one from a technical perspective, but also organized well enough that even if you know nothing about space or space flights, you could walk away with a pretty good idea of what's going on, and it might even spark your interest enough to research some things you didn't follow.
Most countries in the EU already have widely accepted identity proof apps mostly verified by the banks or the government itself. Once verified the identity app gets a certificate which is signed by the authority which issues the identity. We all know how that works as that’s how TLS works as well. The zero proof age check is based on verifiable credentials and the related verifiable presentation. Once you have a wallet with your identity it’s not hard to issue cryptographic proofs of some properties of your credentials, and age is a property of your identity credentials basically. To learn more about the technical details, search for the specifications I mentioned above: verifiable credentials, verifiable presentations.
Ah, and the sites (or whatever else) can then verify the key is valid locally? Assuming that is the case, that'd make for a surprisingly nice system, further assuming that the produced credential is not reversible. I'm highly cynical and so I expected it to be a backdoor for surveillance as it feels like most things under the pretext of 'won't anybody think about the children' are.
> The solution leverages the existing eIDAS infrastructure, including eIDAS nodes and the trust framework for trusted services, to ensure a high level of security and reliability. By aligning with the technical architecture of the EU Digital Identity Wallet ARF, the solution delivers secure, reusable, and interoperable proofs of age.
> The solution enables users to present their Proof of Age attestation to Relying Parties, primarily for online use cases. The system is optimised for secure and privacy-preserving online presentation, allowing users to prove their eligibility without disclosing unnecessary personal information.
> AVI SHOULD support the generation of Zero-Knowledge Proofs using the solution detailed in: "Matteo Frigo and abhi shelat, Anonymous credentials from ECDSA, Cryptology ePrint Archive, Paper 2024/2010, 2024, available at https://eprint.iacr.org/2024/2010".
> Anonymous digital credentials allow a user to prove possession of an attribute that has been asserted by an identity issuer without revealing any extra information about themselves. For example, a user who has received a digital passport credential can prove their “age is ” without revealing any other attributes such as their name or date of birth.
Without exposing my citizenship, I was able to use by EU-nation issued ID to confirm only my year of birth.
The website supported this country's national ID login method, in the login challenge asked the server to provide my age, before I signed in to confirm (scanning qr code with my mobile app) I was informed what data was requested, then I consented to them confirming my data.
Not very sensitive things work without my physical ID present, sensitive have additional step with me providing my physical ID (to the NFC reader) and unlocking my key (stored on the ID) with a pin.
All in all it's really very sensible and fast.
Not necessarily the EU ID apps we're talking about but some of the existing implementations.
Even better would be if the website provided the age rating in a HTTP header, and the browser could locally check if the account is allowed to see it. That way you avoid exposing the age of the user.
And yes, even sending an age bracket exposes the age over time as you can observe a repeat visitor changing brackets and compute the actual age from that. With the server sending the info instead you can't really tell if the browser blocked it, or if the user just didn't navigate further on the page. (The browser still need to fetch all the CSS and other resources though, otherwise that would be possible to tell apart.)
> The point of this is that you can use the credentials on your phone to prove that you are an adult to a website using zero-knowledge proofs to avoid disclosing your identity to anybody.
That's the theory. How is it in practice?
In my opinion, it just means there is a single government database to hack to get copies of all IDs...
By the way have the "security experts" checking this app evaluated that part? Or they're just worried about the app users cheating?
Do you care about it when running a smartphone full of NSA backdoors, CIA backdoors, Google backdoors, Apple backdoors, Baidu backdoors, Chrome backdoors and official reCAPTCHA backdoors and google analytics backdoors?
> In my opinion, it just means there is a single government database to hack to get copies of all IDs...
That doesn't make sense, all IDs are already in a single government database. Kind of by definition in fact, for IDs to be useful they need to be emitted by a central authority with associated security and revokability guarantees.
The implementations I've seen rely on an app reading your physical ID and its NFC chip, comparing that with a selfie to ensure it's the same person, and being able to provide anonymous proof you are of age based on that, or proof that you are indeed who you say you are.
> That doesn't make sense, all IDs are already in a single government database. Kind of by definition in fact, for IDs to be useful they need to be emitted by a central authority with associated security and revokability guarantees.
Yes and those databases are decently protected. However for an "app" someone will do a web 4.0 or 6.0 bridge to access these databases. Maybe even vibe code it. That's what I'm worried about.
Hmm how is it zero knowledge when you can be tracked to a single installation of an app? I thought zero knowledge means they ask a "trusted" 3rd party, i.e. the government. And that says yes/no, without passing any ID details on.
Zero knowledge as in the state provides a certificate without directly interacting with the third party website, and the third party does not get personal information beyond "this access is by a certified adult", with no explicit or implicit information about which adult.
Yep, that's a good idea, but it also means the app on your phone has to talk to the state. Probably through a web 7.0 RESTLESS api. And even though the 3rd party web site doesn't get your identity, the state's database does.
The app checks your physical ID you have, and provides a certificate that you give the third party you're proving yourself to. The app knows you requested proof, but not what for. The third party knows you're proven to be 18+, but knows nothing else.
The alternative would be to just not do anything and to remove liability from Meta et al. In the world we live in, where competing interests already spent tens of billions to bribe/lobby the EU, we have to be realistic about it.
This open source and transparent ZKP-based approach is extremely surprising to see, publishing a draft in advance and inviting the public to break it so it can be improved? Are you kidding me? What about the billions of private investment in all the companies that offer centralized ID checks like Persona, Socure, ID.me and more? Thats a growing billion dollar industry. They all counted on this as a future market opportunity that the EU just seem to have destroyed at least in the EU?
People fighting against this age id app might be paradoxically useful idiots for billion dollar investments and lobbying efforts. The demos is once again dragged into the trenches to fight a war they don't understand.
The main issue appears to be that as per the blueprint user MUST use one of the mandated handsets (iPhone or Android with pre-installed and privileged Google Services) and:
- MUST use either Google or Apple account
- must not be banned by the provider or sanctioned in the USA
These issues have been flagged to the devs working on the blueprint since the inception, only to be handwaved away.
Getting banned can happen randomly even if you're not doing anything illegal or wrong (it's enough for a robot to decide you're within the blast radius), getting sanctioned can happen if you're an UN lawyer investigating human rights abuses USA actually likes.
> The point of this is that you can use the credentials on your phone to prove that you are an adult to a website using zero-knowledge proofs to avoid disclosing your identity to anybody.
No it isn't.
Literally that is not the scope document, and such a solution would not be permitted by the EU as compliant with the legislation.
The app isn't zero knowledge. A prototype workflow has been designed for a one way transfer to sites that is zero knowledge, but it doesn't actually deliver zero knowledge because it you have to verify your age with an external provider to get the credential (which is not zero knowledge), the app has to be secured with either Apple or Google's attestation services (which are not zero knowledge), and the site has to be able to check with the original external provider that the credential hasn't been revoked (which is in no way zero knowledge).
Zero knowledge proofs are when the prover can prove the statement is true to the verifier without disclosing more information beyond the statement. It doesn’t mean the prover cannot talk to other systems to produce the statement.
That only works in the context of when the sender isn't the adversary, which isn't the case in an age verification system - it very much does treat the sender as the enemy and untrusted. And again, the revocation chain on the backend is not zero proof.
It is "funny" to read every single time "to protect minors online" like there are no adult around them, while technically those technologies are by design to control every single human for online access. It is not because the words are well chosen to sound unpolitical, just for "security", that it make those law/technology not political. It is political.
Why does this app even exist? Why is everyone in this thread so okay with more surveillance? It’s ironic that people are arguing over technicalities instead of tackling the moral and societal impact of age verification.
The online version has been extended quite a bit beyond what we broadly agree. If we translated back to checking ID in shops, it might look more like this:
1) Obviously you can't be trusted to handle your own ID card, because you could lend it to someone else or manipulate it in some way, so there should be a trusted guard with you at all times to manage your ID card for you and hand it to the shopkeeper.
2) Obviously you can't be trusted not to try to influence or attack your guard, so you must be kept in handcuffs for your own safety.
3) Obviously you can't be trusted with acquiring unapproved tools or meeting unapproved people who might enable you to break out of your handcuffs, so the guard must only allow you to communicate with approved people and buy approved products.
Conveniently and profitably, this also puts the company supplying the guard in a position where they can sell access to their control over you (as a consumer and as a source of experimental data) to their trusted partners.
This is not the problem the title makes it out to be.. It's still in development.
> "Now, when we say it's a final version, it's ... still a demo version." He added the final product is not yet available for citizens and "the code will be constantly updated and improved … I cannot today exclude or prejudge if further updates will be required or not."
The whole idea of this age requirement is ridiculous in the first place, changing the focus to how good or bad the unnecessary tools are is nothing but a nice distraction.
The metaphor still works, minors in pubs are, presumably, under the supervision of their parents, otherwise they have not business being there in the first place.
1. Devs forgot to delete images in some failed scenarios. Images that do not get sent anywhere and remain locally. In an open source app that anyone can point calmly to the bug and it will get fixed easily.
2. "an attacker can simply remove the PinEnc/PinIV values from the shared_prefs file"... Any android developer knows that to access the shared prefs file you need ROOT access on the phone, which is impossible on the stock os. Rooting the phone requires advanced knowledge. It means deliberately nuking your phone security, which most likely will require factory resetting the phone in the process. Or a hacker would need to use a sophisticated exploit, maybe even 0day, to access an app that would allow him to log in on some adult sites. Sounds reasonable (no).
So, the guy found two very superficial problems in a early demo app. Does not even look at the important code with the actual implementation of the zero knowledge proof cryptography, as it is way above his skill level. Throws malicious allegations mixed with blatant lies. Cries for attention to the whole internet and it gets augmented by news and people who understand security and technology even less than him. He dares calling it "hacking" in under 2 minutes. That's just disgusting.
He even calls himself "Security Consultant". Lord have mercy on whoever is going to work with him.
It would be possible to implement age verification in a way that would somewhat work and that would be to use the correct crypto on an government issued ID card. Crypto where the OS (or a website) can ask the card: "Is the holder of that card over X years old y/n?" and the card would just answer with a binary yes no question without exposing any other data while still checking the government signature.
Obviously that won't stop motivated teens from taking their parents ID cards or similar mechanisms. Thst means any system that likes to prevent that needs to additionally ensure the identity of the card holder. And then you create a privacy nightmare.
So my proposal would be to accept that nothing is ever perfect and just use the card and ensure that system works as well as it could.
Of course "card " is a standin for all manner of hardware that can do it, including phones.
The “hack” in question is pointing out that the app forgets to delete images of the user's face and ID (stored). A lot of people have pictures of their face already on the phone, and often their ID as well so this is hardly a security flaw in any real sense.
But it's not “lots of people,” it's everyone. Everyone has a picture of their face on their phone. And the information is encrypted because phones use disk encryption by default. “Someone can get a photo of your face and passport if they have full unencrypted access to your phone's hard drive” is like saying “someone could turn off your alarm and make you late for work if they break into your house.” There are simply bigger concerns in that situation.
"Let’s say I downloaded the app, proved that I am over 18, then my nephew can take my phone, unlock my app and use it to prove he is over 18." - and how is that something that could, or should, be addressed by the app? Are we even serious??
well of course because the whole reason you're making free men and women verify their identity with government-issued documents... was supposed to be to prevent that. If its not going to prevent such an easy work-around ITS NOT WORTH IT (not that it was in the first place)
Because people share phones with their kids. It's not rare or even mildly unusual. The problem isn't that the app needs to solve this. The problem is the app is useless, along with this whole bizarre "need for age verification" plot that poofed out of existence simultaneously around the whole globe mysteriously a few months ago.
Well, reality called and says: Like ID, drivers license, credit cards and guns: Phones are sth. you dont just "share" with your kids. Also there is an option to guard the ID App with an additional PIN/Biometric.
That's not reality for many of us. I don't consider my phone a secure device by any means. It has nothing on it that I'd regard as something I'd need to guard against my family.
I know a fair number of especially elderly people who want to disable PIN and bio-metrics from their phone, because they view it as a pain to deal with.
PINs can also be guessed or someone might look you over the shoulder and steal it that way. Many phones still doesn't have biometrics, or people don't want to use it.
Our realities might be different, but in my reality a cell phone, which you almost by definition brings with you out in the world, should never be considered a secure device.
Oh man, if the kid gets hold of both of their parents phones with login, they could divorce them. I don't have kids yet, so this might change, but I would not give them login and / or unsupervised access.
I don't think you can guess pins, as the phones locks after a few failed attempts.
You keep using the term “secure” that it sounds like you think education is like a prison sentence. You’re not doing this for security but for safety. A stair gate or drawer child-proofing lock are by no means secure but you use them anyway for the child’s safety.
You can’t just leave every dangerous thing out in the open because you “view it as a pain to deal with” storing them safely and then blame everyone else for the situation that follows.
Our realities might be different but in my reality if you put 0 (zero) effort to keep some critical things safely away from your child because it’s too much of a hassle to do it, or they’ll get around that anyway, etc. then you’re failing your children.
You make it sound like you put no effort in understanding my comment and just followed up with whatever supported your view.
If you have anything on your phone that should be off limits to your child but make no effort to ensure that (give them the phone, no passwords, no supervision) because it’s too inconvenient you are failing the child. Can I put it in simpler words?
> What do you have on your phone that's dangerous?
I hope you were asking hypothetically.
For one, the phone itself since staring into a small screen at god knows what because supervising them is a chore is bad for anything you can imagine, from eyes, to posture, to brain development. But also a browser that can access anything on the internet (modern Goatse, Rotten, Ogrish, other wholesome sites like that). My credit card numbers. All my passwords. Hardcore porn. Facebook and TikTok. The app that delivers booze to my doorstep. 50 shades of grey (the book and the movie). X (Twitter), I left the worst for last. If you really think a completely open internet connected phone is perfectly safe for a kid at the very least you’re in the wrong conversation.
It doesn’t matter, the discussion is about age verification for things that a child should be kept away from, whatever that is. If you’re trying to protect the kids from anything, especially legitimate concerns, then you can’t expect some mechanism to magically do all that parenting for you. It can help but not be the parent when the parent thinks it’s too inconvenient to actually do some parenting.
I don't like the idea of a central authority determining what "my child should be kept away from" and then implementing Orwellian surveillance laws to enforce it. "For the sake of the children".
Seeing something scary, disturbing, or sexual on the internet as a child does not result in a maladjusted adult. These laws are about one thing and one thing only - furthering the global surveillance network.
Everything else is a smokescreen. Pretending that a phone or any Internet-connected terminal is something that should be kept secured and away from children is a parenting decision, not a policy one, and any attempt to justify it as a policy decision is toxic nonsense at best and astroturfing for the surveillance state at worst.
| 'I don't like the idea of a central authority determining what "my child should be kept away from" and then implementing Orwellian surveillance laws to enforce it.'
Well thank God this about a double-blind way to verify your age and not that.
The surrounding context is that. Why else would you participate with a government in an age verification system?
Maybe your argument is that it's not a surveillance state because it is implemented with a 0 knowledge proof. Sure, the age verification is, but that is only part of the system we are talking about. The rest of the system is the demand that every adult play keep-away with their verification, and every host on the internet (that can be adequately threatened) play, too.
The only way for this to be anything else is if every participant can individually decide what should and should not be kept away from children. Such a premise is fundamentally incompatible.
A phone isn't going to run off the road and kill 7 people. This is nonsense and you know it.
And yes, phones are something parents do "just" share with their kids because nobody is bizarre enough to look at a phone the same way as a gun or a car. It's the YouTube device that can talk to grandma. All you have to do to see proof that it's something people "just" share is to walk into a grocery store and look at parents pushing kids in carts while those kids watch videos. 25 years ago those phones were Game Boys. Nobody is seeing them as a gun. That's the most disconnected from reality take I've seen in my life.
Whats the diff between today giving you phone to your 8-year and making sure /having trust that they do not use it to e.g. order a new toy from Amazon and tomorrow that he is not using to verify they are an adult?
I mean, most things today (like accessing porn, buying alcohol) do not require any extra age verification. They can just do it using your phone/accounts.
Not everyone views their child as an enemy that just happens to be in close quarters with them. Most people trust their kids to generally not do bad things. People keep knives in their kitchen and kids, explain the danger, and kids are generally responsible enough to not play with them.
If this is a concept that you can't grasp, then words will never convey it. It's simply a detachment from reality to think people are viewing their phones as a loaded gun and their child as someone hellbent on betraying them and causing massive societal damage.
The phone is the YouTube device. If they get a notification that their kid ordered from Amazon, they'll cancel the order and tell their kid not to do it again. It's seriously that simple. Just go and talk to a parent. They'll think viewing their phones as a WMD is insane.
The problem comes in when they feel their opinions should carry weight about other people's kids. There are very limited ways in which we should allow that, and to an oversimplified approximation, they boil down to "don't do kids harm that prevents them from becoming an intact person society treats as a human allowed to make their own decisions". And then the problem is that some people think some websites do such damage, and other people think some websites provide help to survive such damage.
Okay, so those parents can just not give their kids their phones, and everyone else can continue living life as usual without needing a fancy new way of telling websites how old they are
Giving your kid a gateway to every bad thing on the internet is not life as usual. It's incredibly recent, and I don't have shares in SSRI manufacturers, so I don't like it.
You're the one who said kids would be accessing age gated sites with their parents' credentials. You're the one who made the case that it's useless. Don't go back and forth on it lol
Exactly. "Age verification" is the "think of the children" marketing campaign for "identity verification". Governments don't like anonymity; it makes it harder to find those they consider enemies. But it's hard to market something people don't want and get no benefit from. So, you dress it up in fear and make it easy to villify people who argue against it.
This is a reference app implementation that uses a detailed framework which explicitly has as a core tenet double blindness. The place you prove your age to has no idea about anything other than you being of age, and the thing you use to prove your age has no idea about where you're using that proof.
If you trust mega corps and the government when they say they're not accessing and monitoring your personal info, then I think that's very interesting.
On top of the pretty bad article, HN finds the “can’t win” scenario again. There’s no age verification scheme that will survive “collusion”, that’s when the adult allows the minor to use validated credentials, devices, etc. And whatever more intrusive age verification schemes we come up with will also fail this but add the intrusiveness to ruffle even more HN feathers. We can have the constant face, fingerprint and DNA scan for as long as the sensitive apps is used. Everything gets stored on a central server for safety so your kid can’t hack the device and replace the reference sample. /s
> "Let’s say I downloaded the app, proved that I am over 18, then my nephew can take my phone, unlock my app and use it to prove he is over 18."
Love the magic step in the middle, unlock my app. Ask for passcode or faceid to “unlock your app”. That’s a lot of legwork the adult has to do so the child can “trick” the system.
Some people will forever be shocked that if they leave on the table an open booze or medicine bottle, loaded gun, etc. a child can just take them and misuse them. The blame is unmistakably with bottle and gun manufacturers, right?
Put a modicum of effort to protect the sensitive apps or supervise the child when you share your device. They can do a lot of damage even with age appropriate apps. Wanna see how quickly your kid will tell everyone on the net how much money you have (via proxies), where you live, and when you go on vacation? Or tell someone the credit card number they swiped from your pocket if the other person makes it sound like a game?
I replied to the content of the article and HN comments, not what you think I should have replied to. If anything you even failed to notice that I expect parents to do some of the parenting and not expect an app to magically do it all for them.
The government already defines what misuse is both for children and adults, defines responsibility for a lot of things even in your cupboard, and has been doing so for as governments have been a thing. And I don’t think you understand what “thought crime” is.
You won’t hear me say this too often but next time use an LLM to write your comments, any LLM will do, can only get better.
> "Let’s say I downloaded the app, proved that I am over 18, then my nephew can take my phone, unlock my app and use it to prove he is over 18."
While I appreciate the zero-knowledge proofs is considered, how the hell did no one in charge of the app design think of this? It's is literally the first question I asked when I first heard about this app. You go to the app in a store to buy alcohol, you're asked to verify your age, but that's not what you're doing. Your simply showing the store that you have a phone, with and app, which was configured by some over 18 (maybe).
Honestly I don't think it's possible to verify that you're over 18 without also providing something like a photo ID (and even that is error prone).
You can probably do something online, where the website or app does some back channel communication to a server that verifies a token. Even that is going to have issues. You could add a "List of sites that has verified your age" option where you can revoke the verification, in case your nephew borrows your phone.
They are going to implement this and it will be "good enough", but I don't see this being 100% secure or correct.
That's not what you're competing with. Your competing with a drivers license with a photo (not a great photo) and some countries have pretty easily faked drivers licenses, but others have drivers licenses in hard plastic with holographic features.
You're competing with that for "I want to make sure the person standing in front of me is of legal drinking age" use-case, but for the remote KYC/age-verification usecases, you're competing with a photo of the document and/or a selfie.
Maybe bundling these under the same system is a mistake and they should be separate systems with different considerations; it would certainly help with arguments about it online ;P
I don't know about other countries, but here it requires your passport or actual drivers license, and a 12 or 24 hour wait, to actually activate the drivers license app.
We're talking about the EU here, where the standard form of ID is an ID card with very strict requirements, including multiple secure features and an NFC chip with the photo and some other information.
If it's just a PIN, and the PIN is his aunts birthday, it might not be much of a challenge. We also have to consider the cases where the adult is complicit, in these cases the app is even less secure than photo ID (for store purchases, not necessarily online).
142 comments:
Please stop saying "Brussels" to mean the EU. It's a nasty trick to give the idea that it's some kind of external entity forcing your country to do something. It's not. It's an assembly. And it's insulting to people from Brussels. I don't want this any more than you do.
It’s very common throughout English. The Russian government is refered to as Moscow, US as Washington. It’s the same and doesn’t refer to residents. It’s known as synecdoche.
In other words, sorry but it’s here to stay.
No, it is not quite the same as Moscow and Washington are capitals of centralised states who give orders to the whole nation.
The EU on the other hand does not have a common constitution, army etc. so is not a real state (yet). It is made up of soveraign nations who come together debate and decide there, but then it is still up to the members to implement that.
So the transition to the EU as one state is happening, but might never complete.
The European Commission is in fact empowered to boss member states around, it's one of the things that give EU law teeth rather than it being like "international law" (unenforceable anarchy). It also acts much like a government (in the sense of executive, not in the sense of state) when it comes to EU lawmaking, and has various government-like powers in fields like competition law for example. And the European Commission is based in Brussels. Saying "Brussels" to refer to Commission activity is as natural as saying "London", "Downing Street", "the Cabinet Office", "Whitehall" etc to refer to British government functions. And that's without getting into all the other EU institutions that are based there!
It is true that the EU institutions are ultimately subordinate to the member states in a way that, say, the US federal institutions are not, but the EU is still very much is its own thing. It even has legal personality these days: you can sue the EU and the EU can sue you.
It doesn't imply that the EU is one state. It's just the place where the decisions are made. If Brussels didn't like anyone knowing that, I'm sure other cities in the EU would happily take the gobs of free money showered on wherever the EU is headquartered.
You mean like Strasbourg?
https://en.wikipedia.org/wiki/Seat_of_the_European_Parliamen...
Spoiler, the parliamanet moves once a month between Brussel and there. That's how centralized the EU is, we cannot even decide on one fixed place to meet and decide.
Yes indeed - the gobs of money know no bounds.
I’m not sure you realise that this is a far more generic rhetorical phenomenon that encompasses all kinds of situations. Like referring to the FBI as Quantico.
Or Scotland Yard for the metropolitan police in london. They were commonly known by that name almost immediately after their founding in 1829.
Perhaps the earliest example is Pharaoh. It originally referred to the royal residence.
Oh, or using building names like White House and Kremlin?
Yes, I heard of the concept. My point was just that many have a misconception about the nature of the EU.
It's more a metonymy than a synecdoche
If there was a major event in Belgium, which city would the news outlets refer to in order to avoid ambiguity?
It's usually used in place of a person/active participant in something.
So ‘Brussels suffered a deadly fire’ will always refer to the city. ‘Brussels decides on new aircraft regulations’ will almost always refer to either the city government, the Belgian government, or the EU Parliament headquartered there. Brussels is just an exceptional case because there is so much based there, as opposed to the Hague or the Vatican.
They might say "The city of Brussels".
Being belgian I thought that the city of Brussels did something. Using the term EU is more precise I guess in this case. For us, Brussels is just a town in our country, not the EU or representing the EU.
It's also very common inside the EU. Brussels is not an internal entity either, it's seen as distant eurocrats by most EU citizens. Only those interested in EU funds know about them really. It's not seen as a representative assembly
It definitely forces countries to do things they want to do, generally via compliant leadership of those countries. See the last 15 years of UK voters being worried about immigration levels, vs immigration levels.
> It's a nasty trick to give the idea that it's some kind of external entity forcing your country to do something
Which it is. How nasty to engage in wrongthink.
The assembly seats in Brussels, so the decision comes from Brussels (geographically).
It doesn't imply that people from Brussels are the ones to decide, not everyone has the same idea anyways. Though, as citizens of a EU member state, they have some responsibility, at least indirectly.
These are the sources cited by the article:
[1] https://xcancel.com/Paul_Reviews/status/2044502938563825820
[2] https://xcancel.com/paul_reviews/status/2044723123287666921
[3] https://csa-scientist-open-letter.org/ageverif-Feb2026
| "The saga is turning into a PR disaster for Brussels. "
imo: mostly because the Author wants it be a disaster.
The App has not launched, they published the source code in order to invite external review. I dont have time to every claim, but e.g. this [see quote below] seems to be blown out of proportions to me - the app fails to delete a temp. image, which results in a selfie being stored indefinitely(?) on the internal disk of your device - if an adversary has access to the internal disk of my phone, they can also just access the photo roll.
"For selfie pictures:
Different scenario. These images are written to external storage in lossless PNG format, but they're never deleted. Not a cache... long-term storage. These are protected with DE keys at the Android level, but again, the app makes no attempt to encrypt/protect them.
This is akin to taking a picture of your passport/government ID using the camera app and keeping it just in case. You can encrypt data taken from it until you're blue in the face... leaving the original image on disk is crazy & unnecessary."
Not immediately deleting the selfie is a pretty fundamental and egregious mistake to make. People are particularly sensitive to selfies not being handled correctly after Discord lost thousands of them, despite promising to delete them after age verification occurred (and then not doing so) https://www.bbc.com/news/articles/c8jmzd972leo
The damage is limited because the selfie is only retained on device, but it still does not signal competency from the EU to fail at the most basic hurdle of disposing of the selfie once verification is complete.
>Discord lost thousands of them, despite promising to delete them after age verification occurred (and then not doing so)
This is misleading, yet everyone seems to repeat it. Discord's implementation of ID verification did not retain IDs. Reporting on this was so poor, but what appears to have happened was that people that failed age estimation / ID checks had to raise a support ticket and get manually reviewed. That support platform was pwned and the active support tickets were leaked. Who knows how long these support tickets were set to live for, but up to 70,000 active tickets getting leaked feels like a drop in the bucket. It's also not immediately clear to me what the alternative is (other than not getting hacked), when you require human intervention to review problematic IDs. Even if the ID only lived on their server for 24 hours during manual review, across a userbase of >200 million users, that's a lot of IDs at risk at any given moment, especially during these initial roll outs of age verification.
This is a distinction without a difference. Users were assured their selfies would not be retained and they were. Discord then proceeded to lose those selfies to bad actors, after promising not to retain them. The incident has caused enormous distrust of all age verification systems, which were already starting in the mind of the community from a base level of skepticism. It's already highly invasive to take a photo of yourself, but then the user must trust that the organization on the other end will handle it appropriately. To have that trust so conspicuously broken poisons the well for all other age verification systems and websites that are legally compelled to use it, or face penalties from aggressive organizations like OFCOM. Website operators are placed in an impossible position, where they must use these deeply unpopular technologies or face severe fines.
Welp, this ship has sailed, corporations and governments have data hoarding addiction. They might not yet ask where your grandpa lived 57 years ago, but they seriously ponder this idea how to extort it from you of where else to get this data.
>The App has not launched, they published the source code in order to invite external review.
I read that from many reactions in discussions, but not from their own channels? (Maybe I missed that)
It is ready for deployment: https://commission.europa.eu/news-and-media/news/european-ag...
The message is that it is ready, 'ticks all the boxes' (the published code does not) and that is now ready for integration by other countries. https://xcancel.com/vonderleyen/status/2044340323120193595#m
Then in the article I read that what we see now is a 'demo' version. So the code on Github is not the current code?
Oh God not this stupid tweet again. He's "hacking" it from a rooted phone. You can't just willy nilly edit those files like that on a normal phone. Fml I would've written a CN under that.
On top of that they didn't infiltrate anything.
Adding onto that: the app is open source. Finding possible weak points was the very reason of this exercise.
Note that this is an implementation of eIDAS:
https://www.eudi-wallet.eu/
The point of this is that you can use the credentials on your phone to prove that you are an adult to a website using zero-knowledge proofs to avoid disclosing your identity to anybody.
If somebody who has access to your unlocked phone can access the data in the app, then this is something that should be tightened up but it’s a substantial privacy improvement over the far more commonplace option of uploading your ID to every website that wants to know if you are an adult.
It’s an attempt to avoid things like this:
> Discord says 70k users may have had their government IDs leaked in breach (Oct 2025, 435 comments) - https://news.ycombinator.com/item?id=45521738
> The point of this is that you can use the credentials on your phone to prove that you are an adult to a website using zero-knowledge proofs to avoid disclosing your identity to anybody.
It is my understanding that this is not possible. I would be happy to be shown to be wrong, but to me it seems like you can either prevent people from lending out their credentials, or you can preserve the anonymity of the user, but not both.
You can use 0KP to prove you have a signed certificate issued by your government that says you are an adult, but then anyone with such a certificate can use it to masquerade as however many sock puppets they like and act as a proxy for people who aren't adults. You can have the issuing government in the loop signing one-time tokens to stop Adults-Georg from creating 10k 18+ attestations per day, but then the issuing government and the service providers have a timing side-channel they can use to correlate identities to service users. Is there some other scheme I'm missing that solves this dilemma?
> It is my understanding that this is not possible. I would be happy to be shown to be wrong, but to me it seems like you can either prevent people from lending out their credentials, or you can preserve the anonymity of the user, but not both.
This is not designed to prevent adults from coöperating with minors; that makes no sense as a design goal because any technical measure can always be bypassed with “download this for me and give me the file”. This is designed to prevent minors from being able to access systems without an adult.
Nothing prevents an adult from buying alcohol on behalf of minors; that doesn’t mean laws that prevent minors from directly buying alcohol are useless.
But laws against selling/giving alcohol to minors are moderately successful at curbing teen alcohol use because they carry with them a risk of punishment that grows with the scale of the operation. If all it took was one adult who thought "kids should be allowed to drink if they want" to provide all the kids in the country with free booze and that adult had no meaningful fear of repercussions, the laws would be nothing but sternly worded advice.
If the proof of adulthood scheme is truly anonymous, one adult with some technical chops who thinks "kids should be allowed to watch porn if they want" would be able to, say, run an adult-o-matic-9000 TOR hidden service that anyone can use to pinky promise that they are an adult without fear of repercussions. If such a service comes with a meaningful risk of being identified and punished, it is by definition not anonymous.
I suppose I'm just not convinced giving up some basic liberties for a law that converts into sternly worded advice if just one adult chooses to break it is a great idea.
In Europe it’s very frequently perfectly legal to give alcohol to minors, but not sell.
For example, in the UK it’s only illegal to give alcohol to a child younger than 5 years old.
France has no limitations, giving a toddler wine is not explicitly illegal. Getting a child drunk would be.
That one adult could also just download and serve the content without an age gate. The security system on the original download seems irrelevant.
That would require all the infrastructure to serve the content, compared to just serving the file ”proving” you are an adult.
>masquerade as however many sock puppets they like
Multiple accounts must be supported, because e.g. personal and work accounts must be separate to not mix them.
> You can use 0KP to prove you have a signed certificate issued by your government that says you are an adult, but then anyone with such a certificate can use it to masquerade as however many sock puppets they like and act as a proxy for people who aren't adults
The certificates in question can use a few mitigations: short lived, hardware stored (in a TPM, making distribution harder), be single use, have a random id which the service being accessed can check how many times has been used.
> but then the issuing government and the service providers have a timing side-channel they can use to correlate identities
That's not reallya concern, IMO. That would always exist as a risk - most people would probably have a flow of trying to do something, having to prove ID/age, doing that step, continuing with the something, which means you'd probably be able to time correlate the two sides quite often. The solution here is legal with strong barriers, not technical.
Can attestations be rate-limited or is that the timing side-channel you are talking about?
Precisely. To rate-limit attestations you either need government somewhere in the loop so that they get notified and can revoke certificates when they detect abuse (but then they can correlate requests to prove adulthood with the service provider), or you need the proof of adulthood to be tied to the certificate in some way that the service provider can tell if a certificate is being re-used. But then anyone with a copy of all the certificates (read: the government) can re-run the proof on their end and figure out who is who.
The app would be restricted to environments certified by Apple or Google. Then the app can apply features like trusted time to implement client-side rate limiting.
Can you give a brief explanation of how this is done with a zero-knowledge proof? That site is low information and painful to navigate, and it seems quite surprising to me that this is possible. ID verification, in the government sense, is ostensibly going to require matching an ID against a some other resource. If done locally then you can trivially spoof the result, akin to hacking a game, but if done remotely then it's not zero-knowledge.
I think a zero-knowledge system here would be quite desirable. But a centralized repository that is e.g. maintaining tabs on every single adult-authorization for every single person with verifiable details of them is, by contrast, a dystopic disaster waiting to happen because it will be hacked, leaked, and abused, sooner or later.
https://blog.google/innovation-and-ai/technology/safety-secu...
Basically you can prove that you have an identification document and that a certain property is true without revealing anything else.
A nitpick I have about contemporary descriptions of tech is that it tends to be heavily polarized. It's either 'here is how it works' in a way that is dumbed down to the point of meaningless, or 'here is the source code and white paper' in a way that is so esoteric that it again is largely meaningless if you don't intend on spending an afternoon deep diving the topic.
For some contrast this [1] is an infographic from NASA about the Apollo program in the 60s. Enough details to inform one from a technical perspective, but also organized well enough that even if you know nothing about space or space flights, you could walk away with a pretty good idea of what's going on, and it might even spark your interest enough to research some things you didn't follow.
[1] - https://assets.science.nasa.gov/content/dam/science/psd/luna...
Most countries in the EU already have widely accepted identity proof apps mostly verified by the banks or the government itself. Once verified the identity app gets a certificate which is signed by the authority which issues the identity. We all know how that works as that’s how TLS works as well. The zero proof age check is based on verifiable credentials and the related verifiable presentation. Once you have a wallet with your identity it’s not hard to issue cryptographic proofs of some properties of your credentials, and age is a property of your identity credentials basically. To learn more about the technical details, search for the specifications I mentioned above: verifiable credentials, verifiable presentations.
Ah, and the sites (or whatever else) can then verify the key is valid locally? Assuming that is the case, that'd make for a surprisingly nice system, further assuming that the produced credential is not reversible. I'm highly cynical and so I expected it to be a backdoor for surveillance as it feels like most things under the pretext of 'won't anybody think about the children' are.
Then why does the linked GitHub explicitly state it uses OpenID4VP?
You are mixing things up, and EU abbreviations do not help.
Many countries in EU already have electronic identity documents and delegate authentication to mobile apps one way or another.
eID or mobile identity application operating over QR codes and used to log into websites and apps is a commodity here.
This has nothing to do with age verification.
I’m not sure what you are saying I am mixing up.
The article links to the source code repository here:
https://github.com/eu-digital-identity-wallet/av-app-android...
That links to the tech spec:
> The solution leverages the existing eIDAS infrastructure, including eIDAS nodes and the trust framework for trusted services, to ensure a high level of security and reliability. By aligning with the technical architecture of the EU Digital Identity Wallet ARF, the solution delivers secure, reusable, and interoperable proofs of age.
> The solution enables users to present their Proof of Age attestation to Relying Parties, primarily for online use cases. The system is optimised for secure and privacy-preserving online presentation, allowing users to prove their eligibility without disclosing unnecessary personal information.
— https://github.com/eu-digital-identity-wallet/av-doc-technic...
Annex A includes details on the ZKP:
> AVI SHOULD support the generation of Zero-Knowledge Proofs using the solution detailed in: "Matteo Frigo and abhi shelat, Anonymous credentials from ECDSA, Cryptology ePrint Archive, Paper 2024/2010, 2024, available at https://eprint.iacr.org/2024/2010".
— https://github.com/eu-digital-identity-wallet/av-doc-technic...
And the linked paper:
> Anonymous digital credentials allow a user to prove possession of an attribute that has been asserted by an identity issuer without revealing any extra information about themselves. For example, a user who has received a digital passport credential can prove their “age is ” without revealing any other attributes such as their name or date of birth.
— https://eprint.iacr.org/2024/2010
You're both right.
Without exposing my citizenship, I was able to use by EU-nation issued ID to confirm only my year of birth.
The website supported this country's national ID login method, in the login challenge asked the server to provide my age, before I signed in to confirm (scanning qr code with my mobile app) I was informed what data was requested, then I consented to them confirming my data.
Not very sensitive things work without my physical ID present, sensitive have additional step with me providing my physical ID (to the NFC reader) and unlocking my key (stored on the ID) with a pin.
All in all it's really very sensible and fast.
Not necessarily the EU ID apps we're talking about but some of the existing implementations.
Or just let us set our age in the OS profile? Works for adults and kids.
Even better would be if the website provided the age rating in a HTTP header, and the browser could locally check if the account is allowed to see it. That way you avoid exposing the age of the user.
And yes, even sending an age bracket exposes the age over time as you can observe a repeat visitor changing brackets and compute the actual age from that. With the server sending the info instead you can't really tell if the browser blocked it, or if the user just didn't navigate further on the page. (The browser still need to fetch all the CSS and other resources though, otherwise that would be possible to tell apart.)
> The point of this is that you can use the credentials on your phone to prove that you are an adult to a website using zero-knowledge proofs to avoid disclosing your identity to anybody.
That's the theory. How is it in practice?
In my opinion, it just means there is a single government database to hack to get copies of all IDs...
By the way have the "security experts" checking this app evaluated that part? Or they're just worried about the app users cheating?
Do you care about it when running a smartphone full of NSA backdoors, CIA backdoors, Google backdoors, Apple backdoors, Baidu backdoors, Chrome backdoors and official reCAPTCHA backdoors and google analytics backdoors?
> In my opinion, it just means there is a single government database to hack to get copies of all IDs...
That doesn't make sense, all IDs are already in a single government database. Kind of by definition in fact, for IDs to be useful they need to be emitted by a central authority with associated security and revokability guarantees.
The implementations I've seen rely on an app reading your physical ID and its NFC chip, comparing that with a selfie to ensure it's the same person, and being able to provide anonymous proof you are of age based on that, or proof that you are indeed who you say you are.
> That doesn't make sense, all IDs are already in a single government database. Kind of by definition in fact, for IDs to be useful they need to be emitted by a central authority with associated security and revokability guarantees.
Yes and those databases are decently protected. However for an "app" someone will do a web 4.0 or 6.0 bridge to access these databases. Maybe even vibe code it. That's what I'm worried about.
Hence the second paragraph in my comment. The app is client side and reads the physical ID.
Hmm how is it zero knowledge when you can be tracked to a single installation of an app? I thought zero knowledge means they ask a "trusted" 3rd party, i.e. the government. And that says yes/no, without passing any ID details on.
Zero knowledge as in the state provides a certificate without directly interacting with the third party website, and the third party does not get personal information beyond "this access is by a certified adult", with no explicit or implicit information about which adult.
Yep, that's a good idea, but it also means the app on your phone has to talk to the state. Probably through a web 7.0 RESTLESS api. And even though the 3rd party web site doesn't get your identity, the state's database does.
It's the RESTLESS api being hacked I worry about.
No.
The app checks your physical ID you have, and provides a certificate that you give the third party you're proving yourself to. The app knows you requested proof, but not what for. The third party knows you're proven to be 18+, but knows nothing else.
The alternative would be to just not do anything and to remove liability from Meta et al. In the world we live in, where competing interests already spent tens of billions to bribe/lobby the EU, we have to be realistic about it.
This open source and transparent ZKP-based approach is extremely surprising to see, publishing a draft in advance and inviting the public to break it so it can be improved? Are you kidding me? What about the billions of private investment in all the companies that offer centralized ID checks like Persona, Socure, ID.me and more? Thats a growing billion dollar industry. They all counted on this as a future market opportunity that the EU just seem to have destroyed at least in the EU?
People fighting against this age id app might be paradoxically useful idiots for billion dollar investments and lobbying efforts. The demos is once again dragged into the trenches to fight a war they don't understand.
The main issue appears to be that as per the blueprint user MUST use one of the mandated handsets (iPhone or Android with pre-installed and privileged Google Services) and:
- MUST use either Google or Apple account - must not be banned by the provider or sanctioned in the USA
These issues have been flagged to the devs working on the blueprint since the inception, only to be handwaved away.
Getting banned can happen randomly even if you're not doing anything illegal or wrong (it's enough for a robot to decide you're within the blast radius), getting sanctioned can happen if you're an UN lawyer investigating human rights abuses USA actually likes.
So I do see a problem here.
> The alternative would be to just not do anything and to remove liability from Meta et al.
Or just give parents easy to use parental controls. But that wouldn't grow the surveillance state.
Or just have parents look after their children.
> The point of this is that you can use the credentials on your phone to prove that you are an adult to a website using zero-knowledge proofs to avoid disclosing your identity to anybody.
No it isn't.
Literally that is not the scope document, and such a solution would not be permitted by the EU as compliant with the legislation.
The app isn't zero knowledge. A prototype workflow has been designed for a one way transfer to sites that is zero knowledge, but it doesn't actually deliver zero knowledge because it you have to verify your age with an external provider to get the credential (which is not zero knowledge), the app has to be secured with either Apple or Google's attestation services (which are not zero knowledge), and the site has to be able to check with the original external provider that the credential hasn't been revoked (which is in no way zero knowledge).
Zero knowledge proofs are when the prover can prove the statement is true to the verifier without disclosing more information beyond the statement. It doesn’t mean the prover cannot talk to other systems to produce the statement.
That only works in the context of when the sender isn't the adversary, which isn't the case in an age verification system - it very much does treat the sender as the enemy and untrusted. And again, the revocation chain on the backend is not zero proof.
It is "funny" to read every single time "to protect minors online" like there are no adult around them, while technically those technologies are by design to control every single human for online access. It is not because the words are well chosen to sound unpolitical, just for "security", that it make those law/technology not political. It is political.
Why does this app even exist? Why is everyone in this thread so okay with more surveillance? It’s ironic that people are arguing over technicalities instead of tackling the moral and societal impact of age verification.
As a society, we broadly agree shops should check ID before selling kids alcohol. It is not that crazy to extend that online.
The online version has been extended quite a bit beyond what we broadly agree. If we translated back to checking ID in shops, it might look more like this:
1) Obviously you can't be trusted to handle your own ID card, because you could lend it to someone else or manipulate it in some way, so there should be a trusted guard with you at all times to manage your ID card for you and hand it to the shopkeeper.
2) Obviously you can't be trusted not to try to influence or attack your guard, so you must be kept in handcuffs for your own safety.
3) Obviously you can't be trusted with acquiring unapproved tools or meeting unapproved people who might enable you to break out of your handcuffs, so the guard must only allow you to communicate with approved people and buy approved products.
Conveniently and profitably, this also puts the company supplying the guard in a position where they can sell access to their control over you (as a consumer and as a source of experimental data) to their trusted partners.
Showing my ID at the store doesn't register this on a government OpenID4VP server, and the store doesn't copy my ID.
This is not the problem the title makes it out to be.. It's still in development.
> "Now, when we say it's a final version, it's ... still a demo version." He added the final product is not yet available for citizens and "the code will be constantly updated and improved … I cannot today exclude or prejudge if further updates will be required or not."
The whole idea of this age requirement is ridiculous in the first place, changing the focus to how good or bad the unnecessary tools are is nothing but a nice distraction.
The title of the original article seems wrong, they didn't launch the app, they published the source code ahead of the launch.
There's something that is written between the lines here.
EU is often portrayed as overly bureaucratic, slow moving. The way this app was developed seems more in the line of "move fast, break things".
I don't know if that says something about the EU, or about the EU-naysayers, but I thought it was worth pointing out.
This all feels a bit like letting children into a nightclub and then needing to see ID every time you buy a drink.
Right? It seems to me that the filter should be at the device level by the parents.
... isn't this how most bars/pubs work?
The metaphor still works, minors in pubs are, presumably, under the supervision of their parents, otherwise they have not business being there in the first place.
They didn't launch an app per se - they've released the source code of such app. So, let's be more precise on the terminology, please!
1. Devs forgot to delete images in some failed scenarios. Images that do not get sent anywhere and remain locally. In an open source app that anyone can point calmly to the bug and it will get fixed easily.
2. "an attacker can simply remove the PinEnc/PinIV values from the shared_prefs file"... Any android developer knows that to access the shared prefs file you need ROOT access on the phone, which is impossible on the stock os. Rooting the phone requires advanced knowledge. It means deliberately nuking your phone security, which most likely will require factory resetting the phone in the process. Or a hacker would need to use a sophisticated exploit, maybe even 0day, to access an app that would allow him to log in on some adult sites. Sounds reasonable (no).
So, the guy found two very superficial problems in a early demo app. Does not even look at the important code with the actual implementation of the zero knowledge proof cryptography, as it is way above his skill level. Throws malicious allegations mixed with blatant lies. Cries for attention to the whole internet and it gets augmented by news and people who understand security and technology even less than him. He dares calling it "hacking" in under 2 minutes. That's just disgusting.
He even calls himself "Security Consultant". Lord have mercy on whoever is going to work with him.
Why it needs documents? From video of liveness check it clearly visible that 35 years old bearded man is over 18.
The EU let Ursula von der Leyen say a lot of false statements about this https://netzpolitik.org/2026/gesichtsscan-und-handy-zwang-vo...
She is basically a human bullshit generator whose goal function is attaining power.
The title seems totally misleading.
The app still hasn’t launched. There’s only so long you can run on hype before you lose the readers you were trying to win over.
If my kids cannot change a boolean into a json, they do not deserve the [redacted]
I don't work with json very often, and this is probably a joke, but how would that even work?
op meant "in" not "into"
It would be possible to implement age verification in a way that would somewhat work and that would be to use the correct crypto on an government issued ID card. Crypto where the OS (or a website) can ask the card: "Is the holder of that card over X years old y/n?" and the card would just answer with a binary yes no question without exposing any other data while still checking the government signature.
Obviously that won't stop motivated teens from taking their parents ID cards or similar mechanisms. Thst means any system that likes to prevent that needs to additionally ensure the identity of the card holder. And then you create a privacy nightmare.
So my proposal would be to accept that nothing is ever perfect and just use the card and ensure that system works as well as it could.
Of course "card " is a standin for all manner of hardware that can do it, including phones.
Previously on source: https://news.ycombinator.com/item?id=47803773
The “hack” in question is pointing out that the app forgets to delete images of the user's face and ID (stored). A lot of people have pictures of their face already on the phone, and often their ID as well so this is hardly a security flaw in any real sense.
"Lots of people choose to keep their key under their mat, so our lock not stopping anyone is hardly a security flaw in any real sense".
But it's not “lots of people,” it's everyone. Everyone has a picture of their face on their phone. And the information is encrypted because phones use disk encryption by default. “Someone can get a photo of your face and passport if they have full unencrypted access to your phone's hard drive” is like saying “someone could turn off your alarm and make you late for work if they break into your house.” There are simply bigger concerns in that situation.
"Let’s say I downloaded the app, proved that I am over 18, then my nephew can take my phone, unlock my app and use it to prove he is over 18." - and how is that something that could, or should, be addressed by the app? Are we even serious??
well of course because the whole reason you're making free men and women verify their identity with government-issued documents... was supposed to be to prevent that. If its not going to prevent such an easy work-around ITS NOT WORTH IT (not that it was in the first place)
The phone also needs to be rooted for any of the attacks to work.
At least that's what the manufacturer's AI generated article says: https://eidas-pro.com/blog/eu-age-verification-app-hack-expl...
Because people share phones with their kids. It's not rare or even mildly unusual. The problem isn't that the app needs to solve this. The problem is the app is useless, along with this whole bizarre "need for age verification" plot that poofed out of existence simultaneously around the whole globe mysteriously a few months ago.
Well, reality called and says: Like ID, drivers license, credit cards and guns: Phones are sth. you dont just "share" with your kids. Also there is an option to guard the ID App with an additional PIN/Biometric.
That's not reality for many of us. I don't consider my phone a secure device by any means. It has nothing on it that I'd regard as something I'd need to guard against my family.
I know a fair number of especially elderly people who want to disable PIN and bio-metrics from their phone, because they view it as a pain to deal with.
PINs can also be guessed or someone might look you over the shoulder and steal it that way. Many phones still doesn't have biometrics, or people don't want to use it.
Our realities might be different, but in my reality a cell phone, which you almost by definition brings with you out in the world, should never be considered a secure device.
> It has nothing on it that I'd regard as something I'd need to guard against my family.
It has the internet on it.
Oh man, if the kid gets hold of both of their parents phones with login, they could divorce them. I don't have kids yet, so this might change, but I would not give them login and / or unsupervised access.
I don't think you can guess pins, as the phones locks after a few failed attempts.
You keep using the term “secure” that it sounds like you think education is like a prison sentence. You’re not doing this for security but for safety. A stair gate or drawer child-proofing lock are by no means secure but you use them anyway for the child’s safety.
You can’t just leave every dangerous thing out in the open because you “view it as a pain to deal with” storing them safely and then blame everyone else for the situation that follows.
Our realities might be different but in my reality if you put 0 (zero) effort to keep some critical things safely away from your child because it’s too much of a hassle to do it, or they’ll get around that anyway, etc. then you’re failing your children.
You make it sound like having a phone in public is basically "open carry" which is absolute nonsense.
What do you have on your phone that's dangerous? Phones aren't safety device, and they shouldn't be turned into one.
You make it sound like you put no effort in understanding my comment and just followed up with whatever supported your view.
If you have anything on your phone that should be off limits to your child but make no effort to ensure that (give them the phone, no passwords, no supervision) because it’s too inconvenient you are failing the child. Can I put it in simpler words?
> What do you have on your phone that's dangerous?
I hope you were asking hypothetically.
For one, the phone itself since staring into a small screen at god knows what because supervising them is a chore is bad for anything you can imagine, from eyes, to posture, to brain development. But also a browser that can access anything on the internet (modern Goatse, Rotten, Ogrish, other wholesome sites like that). My credit card numbers. All my passwords. Hardcore porn. Facebook and TikTok. The app that delivers booze to my doorstep. 50 shades of grey (the book and the movie). X (Twitter), I left the worst for last. If you really think a completely open internet connected phone is perfectly safe for a kid at the very least you’re in the wrong conversation.
It doesn’t matter, the discussion is about age verification for things that a child should be kept away from, whatever that is. If you’re trying to protect the kids from anything, especially legitimate concerns, then you can’t expect some mechanism to magically do all that parenting for you. It can help but not be the parent when the parent thinks it’s too inconvenient to actually do some parenting.
I don't like the idea of a central authority determining what "my child should be kept away from" and then implementing Orwellian surveillance laws to enforce it. "For the sake of the children".
Seeing something scary, disturbing, or sexual on the internet as a child does not result in a maladjusted adult. These laws are about one thing and one thing only - furthering the global surveillance network.
Everything else is a smokescreen. Pretending that a phone or any Internet-connected terminal is something that should be kept secured and away from children is a parenting decision, not a policy one, and any attempt to justify it as a policy decision is toxic nonsense at best and astroturfing for the surveillance state at worst.
| 'I don't like the idea of a central authority determining what "my child should be kept away from" and then implementing Orwellian surveillance laws to enforce it.'
Well thank God this about a double-blind way to verify your age and not that.
The surrounding context is that. Why else would you participate with a government in an age verification system?
Maybe your argument is that it's not a surveillance state because it is implemented with a 0 knowledge proof. Sure, the age verification is, but that is only part of the system we are talking about. The rest of the system is the demand that every adult play keep-away with their verification, and every host on the internet (that can be adequately threatened) play, too.
The only way for this to be anything else is if every participant can individually decide what should and should not be kept away from children. Such a premise is fundamentally incompatible.
A phone isn't going to run off the road and kill 7 people. This is nonsense and you know it.
And yes, phones are something parents do "just" share with their kids because nobody is bizarre enough to look at a phone the same way as a gun or a car. It's the YouTube device that can talk to grandma. All you have to do to see proof that it's something people "just" share is to walk into a grocery store and look at parents pushing kids in carts while those kids watch videos. 25 years ago those phones were Game Boys. Nobody is seeing them as a gun. That's the most disconnected from reality take I've seen in my life.
Whats the diff between today giving you phone to your 8-year and making sure /having trust that they do not use it to e.g. order a new toy from Amazon and tomorrow that he is not using to verify they are an adult? I mean, most things today (like accessing porn, buying alcohol) do not require any extra age verification. They can just do it using your phone/accounts.
Not everyone views their child as an enemy that just happens to be in close quarters with them. Most people trust their kids to generally not do bad things. People keep knives in their kitchen and kids, explain the danger, and kids are generally responsible enough to not play with them.
If this is a concept that you can't grasp, then words will never convey it. It's simply a detachment from reality to think people are viewing their phones as a loaded gun and their child as someone hellbent on betraying them and causing massive societal damage.
The phone is the YouTube device. If they get a notification that their kid ordered from Amazon, they'll cancel the order and tell their kid not to do it again. It's seriously that simple. Just go and talk to a parent. They'll think viewing their phones as a WMD is insane.
> Most people trust their kids to generally not do bad things.
Okay, so trust them not to access age-gated sites using your credentials then.
Then just get rid of the age gating and verification entirely because it's useless.
Other parents have different opinions to you about the value of this.
The problem comes in when they feel their opinions should carry weight about other people's kids. There are very limited ways in which we should allow that, and to an oversimplified approximation, they boil down to "don't do kids harm that prevents them from becoming an intact person society treats as a human allowed to make their own decisions". And then the problem is that some people think some websites do such damage, and other people think some websites provide help to survive such damage.
Okay, so those parents can just not give their kids their phones, and everyone else can continue living life as usual without needing a fancy new way of telling websites how old they are
Giving your kid a gateway to every bad thing on the internet is not life as usual. It's incredibly recent, and I don't have shares in SSRI manufacturers, so I don't like it.
You're the one who said kids would be accessing age gated sites with their parents' credentials. You're the one who made the case that it's useless. Don't go back and forth on it lol
In theory, maybe yes. But in practice people do share their phones with their kids.
Sure and when they do that they share unfiltered access to their banking apps, email, messages, the entire intent including unwholesome bits etc.
Not much the government should or could do about that - it’s a parental decision.
My kid can take my phone and not be able to transfer any money form my bank account, because it's protected by pin and biometrics.
That's a solved problem and making an immense vulnerability out of it is silly.
Exactly. "Age verification" is the "think of the children" marketing campaign for "identity verification". Governments don't like anonymity; it makes it harder to find those they consider enemies. But it's hard to market something people don't want and get no benefit from. So, you dress it up in fear and make it easy to villify people who argue against it.
Stop with the scaremongering.
This is a reference app implementation that uses a detailed framework which explicitly has as a core tenet double blindness. The place you prove your age to has no idea about anything other than you being of age, and the thing you use to prove your age has no idea about where you're using that proof.
If you trust mega corps and the government when they say they're not accessing and monitoring your personal info, then I think that's very interesting.
The Solution: constant face tracking /s
On top of the pretty bad article, HN finds the “can’t win” scenario again. There’s no age verification scheme that will survive “collusion”, that’s when the adult allows the minor to use validated credentials, devices, etc. And whatever more intrusive age verification schemes we come up with will also fail this but add the intrusiveness to ruffle even more HN feathers. We can have the constant face, fingerprint and DNA scan for as long as the sensitive apps is used. Everything gets stored on a central server for safety so your kid can’t hack the device and replace the reference sample. /s
> "Let’s say I downloaded the app, proved that I am over 18, then my nephew can take my phone, unlock my app and use it to prove he is over 18."
Love the magic step in the middle, unlock my app. Ask for passcode or faceid to “unlock your app”. That’s a lot of legwork the adult has to do so the child can “trick” the system.
Some people will forever be shocked that if they leave on the table an open booze or medicine bottle, loaded gun, etc. a child can just take them and misuse them. The blame is unmistakably with bottle and gun manufacturers, right?
Put a modicum of effort to protect the sensitive apps or supervise the child when you share your device. They can do a lot of damage even with age appropriate apps. Wanna see how quickly your kid will tell everyone on the net how much money you have (via proxies), where you live, and when you go on vacation? Or tell someone the credit card number they swiped from your pocket if the other person makes it sound like a game?
The first premise you are avoiding is that a child can misuse a phone.
The second premise you are avoiding is that the government can define, for every child, what constitutes misuse.
You are advocating thought crime. You do not have my support.
My government cannot adequately manage responsibility for my cupboards. It therefore shall not have authority over them.
Do you also refuse to show id when buying alcohol because the gubbernment does not have authority over what you may buy?
That's how you sound.
I replied to the content of the article and HN comments, not what you think I should have replied to. If anything you even failed to notice that I expect parents to do some of the parenting and not expect an app to magically do it all for them.
The government already defines what misuse is both for children and adults, defines responsibility for a lot of things even in your cupboard, and has been doing so for as governments have been a thing. And I don’t think you understand what “thought crime” is.
You won’t hear me say this too often but next time use an LLM to write your comments, any LLM will do, can only get better.
reminder - there's tech out there capable of reading your mind remotely
> "Let’s say I downloaded the app, proved that I am over 18, then my nephew can take my phone, unlock my app and use it to prove he is over 18."
While I appreciate the zero-knowledge proofs is considered, how the hell did no one in charge of the app design think of this? It's is literally the first question I asked when I first heard about this app. You go to the app in a store to buy alcohol, you're asked to verify your age, but that's not what you're doing. Your simply showing the store that you have a phone, with and app, which was configured by some over 18 (maybe).
Honestly I don't think it's possible to verify that you're over 18 without also providing something like a photo ID (and even that is error prone).
You can probably do something online, where the website or app does some back channel communication to a server that verifies a token. Even that is going to have issues. You could add a "List of sites that has verified your age" option where you can revoke the verification, in case your nephew borrows your phone.
They are going to implement this and it will be "good enough", but I don't see this being 100% secure or correct.
Just like anyone can take anyone's credit card and go shopping - but in contrast Phones are (or at least can be) much more secure.
That's not what you're competing with. Your competing with a drivers license with a photo (not a great photo) and some countries have pretty easily faked drivers licenses, but others have drivers licenses in hard plastic with holographic features.
The credit card doesn't work as age verification.
You're competing with photos of a drivers license.
Not sure if you're joking or not, but Denmark have had people show an edited screenshot of the drivers license app, to get into clubs or buy alcohol.
I think they "fixed" it. I think it has some effect now that only works if you tilt the phone.
You're competing with that for "I want to make sure the person standing in front of me is of legal drinking age" use-case, but for the remote KYC/age-verification usecases, you're competing with a photo of the document and/or a selfie.
Maybe bundling these under the same system is a mistake and they should be separate systems with different considerations; it would certainly help with arguments about it online ;P
Bouncer love it, when someone says "oh sorry, I forgot my ID, can you let me in anyway?" they just tell them to download the app :)
I don't know about other countries, but here it requires your passport or actual drivers license, and a 12 or 24 hour wait, to actually activate the drivers license app.
Mhh, maybe it was the Sundhedskortet app? But that does not have a photo.
To be honest I just overhead the bouncer talking about them liking the app. Maybe I misheard it.
We're talking about the EU here, where the standard form of ID is an ID card with very strict requirements, including multiple secure features and an NFC chip with the photo and some other information.
My bank in Finland allows activating the bank's app remotely. They verify the NFC chip of the ID card in addition to photos and other factors.
How does the nephew unlock the phone and app?
If it's just a PIN, and the PIN is his aunts birthday, it might not be much of a challenge. We also have to consider the cases where the adult is complicit, in these cases the app is even less secure than photo ID (for store purchases, not necessarily online).
If adult is "complicit" they can purchase the stuff for the kid anyway.
Why is that even a scenario to discuss?