
Songs on the Security of Networks
a blog by Michał "rysiek" Woźniak

Privacy of online age verification

I have recently been asked by the Panoptykon Foundation if it was possible to create an online age verification system that would not be a privacy nightmare.

I replied that yes, under certain assumptions, this is possible. And provided a rough sketch of such a system:

  1. You visit a website that requires age verification. The website displays a QR code that contains a formally encoded question (for example, “is the visitor older than N?”).
  2. You scan the QR code using an app you trust.
  3. The trusted app asks you to confirm you want to provide the answer to the stated question (verify your age).
  4. If so, the trusted app sends the formally encoded question to an e-ID service. The request does not contain any information about the website that requires your age to be verified, but it is signed with a key associated with you (so, a key associated with the person whose age is to be verified).
  5. The e-ID service responds with “yes” or “no”. The response (which contains also the original formally encoded question) is signed with the service’s private key.
  6. Your trusted app forwards the signed response to the website that needs your age verified, using a URL that was provided in the QR code.
  7. The website verifies the validity of the signature on the response using the well-known public key of the e-ID service.

The point is that the e-ID service gets no information that identifies the website that requires your age to be verified; and at the same time that website gets no information about us, apart from whether or not we satisfy the age requirement.

This “protocol” description is obviously substantially simplified. It is also not the only way to create a privacy-friendly age verification system – other designs could rely on zero-knowledge proofs, or route the exchange directly over anonymity overlay networks like Tor or Veilid, which would further improve the privacy of people using them.

The aim here is not to design a perfect, ready-to-deploy solution, but to demonstrate, in a way that is possible to grasp for a non-technical person, that creating such a system is possible.

This kind of protocol could also be used as a privacy-friendly way of certifying other things about us, as far as they are available to the e-ID service. For example: “does the person have a valid driver’s license?”, or “does the person live in this particular city?”.

The service that would require such certification would only receive a “yes” or “no” answer, without getting any other information about us.

Devil in the (technical) details

The QR code that gets displayed by a website can be replaced by other ways of communicating with the trusted application on our device. For example, if the website is opened on the same device as where the trusted application is installed, this could be done using an application link that directly opens in the trusted application, without any need for scanning anything. The data format could be as simple as JWT, as long as it is clearly defined and described.

The formally encoded question could be written in a simple domain-specific language – just complex enough for that particular purpose, but no more. That domain-specific language should not be Turing-complete.

The question should be bundled with a randomly generated nonce, which would accompany it all the way to the e-ID service, and would have to be included in the signed response. The response should also carry a short validity period. Without both, a signed response could be captured and re-used multiple times; the website should additionally check that the nonce in a response is one it issued itself and has not already been used.
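To make the sketch concrete, here is an added example in Go of the whole exchange; it is not the author's code and not the API of any real e-ID service. It covers the protocol steps above, the deliberately tiny question language, and the nonce and validity window: the website issues a challenge carrying a nonce and its callback URL, the trusted app drops the URL and signs only the question and nonce with the user's key, the e-ID service answers under its own key with a 60-second validity, and the website checks the signature, the nonce, the question and the expiry, and rejects a replay of the same response. The question grammar, the Ed25519 keys, the callback URL https://example.test/age/callback and the age registry are all assumptions made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strconv"
)

// Question is the whole "domain-specific language": one attribute, one comparison, one integer.
// No variables, loops or nesting, so nowhere near Turing-complete; anything else is rejected.
type Question struct{ Attr, Op string; Value int }
var questionRe = regexp.MustCompile(`^(age) (>=|<) ([0-9]{1,3})$`)

func ParseQuestion(s string) (Question, error) {
	m := questionRe.FindStringSubmatch(s)
	if m == nil {
		return Question{}, errors.New("malformed question: " + s)
	}
	v, _ := strconv.Atoi(m[3]) // cannot fail: the regexp only admits 1-3 digits
	return Question{m[1], m[2], v}, nil
}

// Challenge is the QR payload. CallbackURL is for the app only; the app never forwards it,
// which is what keeps the website hidden from the e-ID service.
type Challenge struct{ Question Question; Nonce, CallbackURL string }
type RequestBody struct{ Question Question; Nonce string }                      // signed by the user key
type Request struct{ Body RequestBody; UserPub ed25519.PublicKey; UserSig []byte }
type ResponseBody struct{ Question Question; Nonce string; Answer bool; Expires int64 } // signed by the service key
type Response struct{ Body ResponseBody; Sig []byte }

func canon(v interface{}) []byte { b, _ := json.Marshal(v); return b } // the bytes that get signed

// Website issues single-use challenges; pending maps nonce -> question asked, deleted once used.
type Website struct{ ServicePub ed25519.PublicKey; pending map[string]Question }

func (w *Website) NewChallenge(q Question) Challenge {
	n := make([]byte, 16)
	rand.Read(n)
	nonce := hex.EncodeToString(n)
	w.pending[nonce] = q
	return Challenge{q, nonce, "https://example.test/age/callback"} // hypothetical URL
}

func (w *Website) Verify(r Response, now int64) (bool, error) {
	if !ed25519.Verify(w.ServicePub, canon(r.Body), r.Sig) {
		return false, errors.New("bad e-ID service signature")
	}
	if asked, ok := w.pending[r.Body.Nonce]; !ok || asked != r.Body.Question {
		return false, errors.New("nonce unknown, already used (replay?), or bound to another question")
	}
	if now > r.Body.Expires {
		return false, errors.New("response expired")
	}
	delete(w.pending, r.Body.Nonce) // single use: presenting this response again fails above
	return r.Body.Answer, nil
}

// BuildRequest is the trusted app's job: forward only question and nonce, signed with the user key.
func BuildRequest(userPriv ed25519.PrivateKey, c Challenge) Request {
	body := RequestBody{c.Question, c.Nonce} // CallbackURL is dropped here
	return Request{body, userPriv.Public().(ed25519.PublicKey), ed25519.Sign(userPriv, canon(body))}
}

// AnswerRequest is the e-ID service: it learns who asks (the user key), never which website. ages maps hex(pubkey) -> age (sample data).
func AnswerRequest(svcPriv ed25519.PrivateKey, ages map[string]int, req Request, now int64) (Response, error) {
	age, known := ages[hex.EncodeToString(req.UserPub)]
	if !known || !ed25519.Verify(req.UserPub, canon(req.Body), req.UserSig) {
		return Response{}, errors.New("unknown user key or bad user signature")
	}
	q := req.Body.Question
	yes := (q.Op == ">=" && age >= q.Value) || (q.Op == "<" && age < q.Value)
	body := ResponseBody{q, req.Body.Nonce, yes, now + 60} // valid for 60 seconds
	return Response{body, ed25519.Sign(svcPriv, canon(body))}, nil
}

// RunFlow runs the whole exchange for one user of the given age; the service answers at time issued, the site checks at time checked.
func RunFlow(q Question, age int, issued, checked int64) (answer bool, replayErr, err error) {
	svcPub, svcPriv, _ := ed25519.GenerateKey(rand.Reader)
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	site := &Website{svcPub, map[string]Question{}}
	ages := map[string]int{hex.EncodeToString(userPub): age} // constructed sample registry
	resp, err := AnswerRequest(svcPriv, ages, BuildRequest(userPriv, site.NewChallenge(q)), issued)
	if err == nil {
		answer, err = site.Verify(resp, checked)
		_, replayErr = site.Verify(resp, checked) // the same signed response, presented again
	}
	return answer, replayErr, err
}

func main() {
	ans, replay, err := RunFlow(Question{"age", ">=", 18}, 20, 1_700_000_000, 1_700_000_000)
	fmt.Println("answer:", ans, "error:", err, "replay rejected:", replay)
}
```

Note what each party ends up seeing: the e-ID service receives a user key, a question and a nonce, never the callback URL; the website receives a yes/no bound to a nonce it minted itself, and nothing else about the person. The registry here is a plain map keyed by public key; in a deployment that key would be bound to a person through the e-ID login described under Assumptions, and the private half would stay on the device.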

The website asking for age verification would of course have the person’s IP address – but it already has that information, since we visited it in the first place. There is obviously nothing stopping anyone from using anonymization tools like Tor.

Assumptions

Privacy of this system relies on correct, non-malicious implementation of that protocol by the trusted application on the device of the person whose age is being verified. This could be something like mObywatel (the official e-government application in Poland) – but it would have to be open-sourced and independently audited.

The protocol should not require any specific application, just like OTP-based multi-factor authentication does not rely on any specific application. All that is required is an application that implements the protocol. And the more such independent implementations exist, the better.

Communication between the trusted application and the e-ID service will require a cryptographic key associated with the person whose age is being verified. Such a key could be generated by the trusted application itself and verified through logging into that application using one’s official government e-ID login service. The private key should never leave the device.

Privacy of the whole thing also relies on the assumption that the website requesting somebody’s age to be verified would not separately send any data that could identify a specific request (nonce, IP addresses involved, exact timing) to the e-ID service. Using an anonymizing network like Tor would provide an additional layer of protection for the person whose age is being verified.

Privacy outside of the protocol

Regardless of how effective the hypothetical protocol is in protecting our privacy on its own, the mere fact of using it might already be quite problematic.

If only pornographic sites were implementing it, each and every verification request would obviously be a clear signal to the e-ID service that we are currently visiting a porn site.

So, the more different services implement this protocol, the better for our privacy. And, the more different things about us can be certified, the better it is for our privacy.

As an added protection, any time the trusted application is sending a request to the e-ID service, it could add a few randomly selected questions, like: “is the person’s age above N?”, “is the person’s age below M?”, “does the person have a valid driver’s license?”, “does the person live in Poznań?”. After receiving responses to all of them, the trusted application would only forward to the website the response to the particular question that the website asked. The e-ID service could not reliably tell which question was relevant, and which questions were chaff. This only works if the decoys are indistinguishable from real questions; a fixed set of decoys always surrounding the same real question would itself be a recognizable pattern.

Privacy is not all

Once such a system is implemented, it becomes dependent on the e-ID service. If the e-ID service is down for whatever reason (for example, a technical issue), the whole verification system stops working, and so our access to the services that require such verification becomes impossible or at least much more difficult.

The question of who runs and manages the e-ID service is also an important one. Control over it is real power.

For example, if all social networks were forced to implement age verification, the entity controlling the e-ID service could maliciously block specific persons from accessing them, or at least make it much more difficult for them – simply by refusing age verification requests coming from these persons.

This is similar to how the Trump administration is abusing the Social Security Number system. Immigrants are being marked “deceased” in this system in order to make it impossible for them to have access to credit cards or other basic banking services.

Although the e-ID service does not know what website our age is being verified for, it knows who we are, and knows the question being asked. If that question was often associated with social media access (for example, “is this person over 13 years old?”), the e-ID service operator could assume that we are trying to access a social media site, and simply reject the age verification request.

There are ways to lower the likelihood of such abuse. For example, social media sites would not need to verify our age every time we visit, only when we set up the account for the first time. But this has other unintended consequences: it would become impossible to access any social media content without an account.

Squaring the circle

If age verification online is an inevitability, then at least it should be implemented in a way that protects our privacy – and this is possible. And the more different kinds of services implement such a protocol, verifying more distinct kinds of information about us, the better our privacy is protected.

But privacy is not the only problem here. The broader such a protocol is deployed, the more serious and more dangerous the issues around centralization of power over our access to different online services become.

We must keep that in mind whenever we talk about deploying such a system, and especially about requiring it by law.