I have mixed feelings about a world where zero-knowledge-based ID verification gets so good that it reduces barriers to being adopted widely.<p>On the one hand, it's better than a world where <i>non</i>-privacy-respecting ID verification becomes required <i>anyways</i>, and thus every bit of your online behavior becomes tied to your actual identity.<p>On the other hand, the presence of this kind of technology makes it <i>easier</i> for governments to say things like "all ___ content online must be restricted to ages 18+ or 21+" and actually have a way to implement that across Discord and TikTok and gaming chatrooms and everything in between, in a way that has already been deployed at scale... because it had not already been fought against from a privacy perspective when it was deployed for things like public transit.<p>The things that can be placed in that blank are far more widespread than one might initially think.
The demonstration, UK railcards, is a bit odd. I thought they were sharing too much information, date of birth when only something like "under 18" would be needed. But these railcards have several different age-based options. What is the point of this age discrimination, surely you take up one seat on a train regardless of your age?<p>Per <a href="https://www.railcard.co.uk/" rel="nofollow">https://www.railcard.co.uk/</a>
Can anyone explain a bit more about how this actually works in context here?<p>Do you hand your full PII "private key" or equivalent, to Google, or does any of the proving happen on your own device?<p>Then proofs are constructed to 3rd parties, proving certain properties of your data without revealing the underlying data? Are they live/interactive proofs or can static proofs be constructed for these types of cases?<p>What exactly is being proved? Proving that you/Google knows a "private key" that can be found in a particular set of public keys published by the issuer? Or something like that?
Theoretically, using zero knowledge proof for age verification is a great idea.<p>Too bad that while the porn website you are visiting will not get your name from Google, Google will sell the fact that you visited that porn website to anyone who is interested...
If Google only does this when you tie your identity to a real-world ID, and refuses to auto-grant it for people whose accounts are more than 18 years old, then this is just a data heist.<p>For reference, 2007 is 18 years ago.
the main thing that has saved the west from digital ID so far has been android OEM fragmentation, where there just hasn't been a way to manage hardware secrets in a way consistent enough across devices to be pushed down on people as a digital ID.<p>this thin edge of the wedge age verification solution is to normalize people showing ID everywhere and whether it's their age or some other social credit attribute is immaterial. the product is submission. the original hope for this was first in differential privacy, then ZKSNARKS, then FHE, and whatever proof they're on about now is intended to obfuscate not the data, but the actual use case, which is going back to covid era ID checks. for climate, surely.<p>I distinctly remember a conversation I had in 2013 while working on early instances of a related identity tech, where I said to the founder and CTO, "nobody wants this, it's something you want to impose on others. your security model needs a failure mode other than catastrophic because the incentives to take it down are tremendous- from fake ID and fraud to people like me who just think you're assholes."<p>Identity isn't a tech problem, it's a political problem people in bureaucracies who problematize human freedom and dignity keep trying to bully through with increasingly obfuscated tech.<p>for googlers reading this though, I've got a great name for your identity product: holler-it! it's just like hollerith but so much quirkier and safe feeling.
(Disclosure: I’m the CTO of Vidos, a company building such an identity layer.)<p>I believe in a version of the trust triangle, where issuer, holder, and verifier remain clearly separated, meaning no single entity has full control over your data.<p>E.g. a government issues an ID credential to your wallet app, and you can use it to prove your age without any intermediary getting any extra data. The site gets a cryptographic proof “user is 18+” and nothing more. I'm pleased when I read standards like ISO 18013-5 for mobile IDs that support selective disclosure by design. You share just a yes/no or an attribute, not your whole ID document.<p>Crucially, this addresses the “Google as a single point of failure” fear. You just need credentials from issuers you trust (your government, your bank, university, etc.) stored in a wallet of your choice. The verifier (website/app) will accept a proof from any wallet/issuer that meets their criteria. We’ve built our system to be agnostic about credential sources for exactly this reason. It’s a universal verification layer.<p>If anything, I hope we can agree we must continuously surface and discuss these risks early rather than waiting until it's too late.
Let's say I set up my ID with this. Next year, when Google Wallet is replaced by Google Money, will the ID transfer? Will it have this feature still?
This is going to be a disaster. Societies rely on imperfect enforcement of the law in order to progress. There's no way to create a critical mass of resistance and disobedience that will lead to the toppling of an unfair law if you enforce the law perfectly and universally, and this will lead society to ossify.<p>Imagine if every single gay person were caught and put in jail the moment they acted on their urges, or every single person who bought or sold weed (or alcohol, during the prohibition) were similarly arrested. We'd still be stuck in the mindset of a century ago.<p>A society that has removed its own ability to progress is truly a horrifying prospect.
Google can open source some libraries here, but to what ends? Ultimately there is not zero knowledge here, there's one very concrete bit of information: Google says so.<p>Sure other people might be able to replicate the signing process. But who else is going to be able to get governments around the world to add those other would-be zk proof providers?<p>This feels like such a vicious demented technological Gordian knot being woven to trap humanity in.<p>Meanwhile the web has its own devilry in progress, a similar effort to make non authenticated people utterly unable to use the web, the Digital Credentials API, brought to you again by Google.
<a href="https://developer.chrome.com/blog/digital-credentials-api-origin-trial" rel="nofollow">https://developer.chrome.com/blog/digital-credentials-api-or...</a><p>This is all so hideously bad for humanity. The zero knowledge aspect is the absolute bare minimum to not make this pure scum and villainy, but it's still a sick awful thing to do to humanity, uses a lure of convenience to walk us into a place where the individuals of the world are powerless and where ever-expanding digital dominion over us corrals and steers us. Do not want, go back to hell & stop trying to drag hell to earth, monsters.
I honestly think this is a bad/dumb idea. Age verification in general is just silly on the internet and laws mandating it are inane.<p>The main thrust of such measures is "Let's make sure a kid can't see/access this". However, without an actual camera to double check that "yes indeedy, this really is the person attached to the ID" then "faking" it is all too simple. I can almost guarantee you'll get IDs floating around the internet which kids will use to completely bypass these protections (or they'll simply swipe their parents' IDs when they aren't looking). It's a half step above "what's your birthday" checks.
We have the results of what happens when kids grow up with no actual age verification on the internet or with video games.<p>Nothing. Nothing happens. Millennials grew up on the internet where ID checks were "Promise you are 18", and what bad has come of it? A generation of murderers and rapists? Please...
gross and blatantly illegal under dutch law. companies don't need a copy of my id. most of them don't even adhere to the law anyway and demand an uncensored copy. every time I follow the instructions from my government to blank out the BSN (SSN) the (usually american) company rejects it and demands an uncensored version they're not even permitted to have.<p><a href="https://www.rijksoverheid.nl/onderwerpen/identiteitsfraude/vraag-en-antwoord/fraude-voorkomen-met-kopie-id-bewijs" rel="nofollow">https://www.rijksoverheid.nl/onderwerpen/identiteitsfraude/v...</a><p>Last time I checked Google isn't any of the following:<p>* a government institution<p>* a bank<p>* a notary<p>* a casino<p>* my life insurer<p>* my employer<p><a href="https://www.rijksoverheid.nl/onderwerpen/identiteitsfraude/vraag-en-antwoord/ben-ik-verplicht-om-een-kopie-van-mijn-identiteitsbewijs-te-geven-aan-een-bedrijf" rel="nofollow">https://www.rijksoverheid.nl/onderwerpen/identiteitsfraude/v...</a>
Not good.. yet another thing that will not work on devices with unlocked bootloader..
I hate how smartphones with preinstalled spyware are becoming necessary..