A private approach to age verification
The opinions in this article are mine, not those of my employer.
In the last few years, a great deal of attention has turned to Internet safety, particularly to protecting children from content not meant for them, which is increasingly easy to find.
Legislators are looking for new kinds of regulation. KOSA at the federal level is meant to add teeth on top of existing children's privacy regulations. At the moment, the bill has passed the Senate but is stuck in the House.
Still, several laws have been implemented at the state level, which is creating a lot of regulatory uncertainty. Quite a few states have already passed age verification laws for access to certain services like pornography.
There are many reasons to be opposed to these policies. They could easily be exploited against marginalized groups, and often require privacy-invading technology. You could get your child’s face scanned to prove their age. Or you could upload more private data to insecure servers and wait for the apology emails.
Yet I don’t think it is reasonable to shrug your shoulders and say things are inevitable or even in a good state today. I recently finished reading The Anxious Generation and I think it does a good job of laying out the research on how the ubiquitous Internet has negatively affected children.
I have some criticisms about the book’s focus, but it is hard to deny that since smartphones became common teens have suffered dramatically in terms of mental health and suicide rates. And removing them from the Internet can restore their well-being. I don’t think we need to ban teens entirely, but we shouldn’t be funneling eating disorder videos straight into their veins.
So I do think we need to talk more about age verification as a non-partisan issue. In this post I’ll take a look at some technical approaches that could make this possible.
Privacy-Forward
Too much of our data is available on servers. Data breaches are constant, and it’s likely that your social security number is on the dark web already. That’s bad, and I think a system requiring you to upload a driver’s license is going to have very little trust and thus very few users.
This might be an intentional goal for some who want to use this distrust to stifle content and audiences they don’t like.
Yet there are ways to preserve privacy while enacting secure operations over the Internet. E-commerce is a multi-trillion dollar industry. People shop, bank, and communicate securely over the Internet daily.
Online payments are secure, and technically so. The vast majority of Internet communications are secure because they go through HTTPS. Websites receive certificates through Certificate Authorities.
When a browser accesses a site, it is able to check that the site’s certificate is actually secure before proceeding. If the site has no cert, an error will be shown instead of loading the page.
Additionally, the browser will check the validity of the certificate. If it has expired, or the authority loses trust, the browser vendors can revoke approval and show an error instead of loading.
So we shouldn’t accept age verification as an inherent bad faith argument. When Firesheep was released, it kicked the industry into securing the web through HTTPS. There are already several ideas on how to create a robust identity system.
Device-Level Verification
But if you are trusting a third-party service with your data, that could still fail. Maybe, instead of having this middleman, we should just have the device verify our identity directly to the website.
At its core, passkeys create a unique identifying token between your device and a website, allowing it to identify you securely without the need to remember passwords. You can use the phone’s biometric security to unlock the passkey and authorize yourself.
Age verification could go through another process like this, where your legal ID is scanned and saved on-device to prove your name and age. Then, when you want to visit a webpage which is marked as adult, your device would send two cryptographic keys: verifying both the password and this secondary age.
This could enable several different tiers of data, which would be secure and keep your data offline and on-device. The phone and server would communicate, with the server asking a question and the phone answering yes/no. Checks could be done for over-13, over-18, over-21, or based on nationalities or gender. Perhaps you want to build a woman-only space. Or perhaps you want a space that only children are allowed to access, protecting them from creeps.
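A minimal sketch of the yes/no exchange described above, as an added example that is not from the original post and not any standard's API: the device keeps the birthdate, signs only the boolean answer bound to the server's nonce and the origin it sees, and the server checks signature, origin and nonce. The function names, the Ed25519 key and the message layout are assumptions, and how the site comes to trust the device key and the scanned ID behind it is out of scope here.

```javascript
// Added sketch of the yes/no age check; names and message layout are assumptions.
const crypto = require('node:crypto');

function ageInYears(birthdateIso, now) {
  const b = new Date(birthdateIso);
  const age = now.getUTCFullYear() - b.getUTCFullYear();
  const beforeBirthday = now.getUTCMonth() < b.getUTCMonth() ||
    (now.getUTCMonth() === b.getUTCMonth() && now.getUTCDate() < b.getUTCDate());
  return beforeBirthday ? age - 1 : age;
}

// Device side: the birthdate stays in this closure; only a signed boolean leaves.
function makeDevice(birthdateIso) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return {
    publicKey, // registered with the site beforehand, like a passkey public key
    // `origin` is what the browser itself sees, not a value the page supplies.
    answer(challenge, origin, now = new Date()) {
      const result = ageInYears(birthdateIso, now) >= challenge.minAge;
      const payload = JSON.stringify({ origin, minAge: challenge.minAge,
        nonce: challenge.nonce, result });
      const sig = crypto.sign(null, Buffer.from(payload), privateKey);
      return { payload, sig: sig.toString('base64') };
    },
  };
}

// Server side: issues one-time challenges and checks the signed answer.
function makeServer(origin) {
  const pending = new Map(); // nonce -> minAge that was asked
  return {
    challenge(minAge) {
      const nonce = crypto.randomBytes(16).toString('hex');
      pending.set(nonce, minAge);
      return { minAge, nonce };
    },
    verify(response, publicKey) {
      const sigOk = crypto.verify(null, Buffer.from(response.payload), publicKey,
        Buffer.from(response.sig, 'base64'));
      if (!sigOk) return 'bad-signature';
      const p = JSON.parse(response.payload);
      if (p.origin !== origin) return 'wrong-origin';
      if (!pending.has(p.nonce) || pending.get(p.nonce) !== p.minAge) return 'unknown-or-replayed-nonce';
      pending.delete(p.nonce); // single use
      return p.result === true ? 'allow' : 'deny';
    },
  };
}
```

The server's view of the user is the four signed fields (origin, threshold, nonce, yes/no); a replayed, edited or wrong-site answer is rejected before the boolean is read.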
Maybe this approach could also be used for social media verification. Rather than paying $8/month for a blue checkmark, the website could interface with your phone to check certain metadata and award you with the badge. That would go a long way to knowing you’re replying to real people.
There is increasing interest in identity at the web layer, and W3C has been working on a standard for federated identity. Combining it with passkeys allows one to have a way to authorize specific kinds of web requests without having to be entirely reliant on shady third parties.
If implemented at a protocol level, something servers and devices need to agree on, it would mean that you’d need to use a browser supporting this protocol change to access certain sites (sort of like how you need a Tor browser to access Tor sites).
Requiring something like a fingerprint scan before you can access a website and its content would make it very hard for a child to view them. It isn’t necessarily impossible. There are trade-offs to make, and no technical solution will be perfect. Kids are great at bending the rules. At the same time, improving the situation by just 90% would still be a great improvement.
A New Internet?
What this proposes is a change in how the Internet works. Some content will be hidden away from the public. It may result in more deep web enclaves of community in contrast to the constant screaming of social media. But many of these changes are already happening.
If we want a web that’s more private, we may also need one that knows more about us. While people may have reasonable concerns about COPPA 2, would they go as far as to say we should repeal the original? If not, then it does seem fair to merit a discussion of what line we should draw.
Contemporary age verification does seem like a problem. Do you really want random companies to have your driver’s license? Do you trust them? Probably not. And some states are using this as a wedge to shut down porn.
Yet the status quo isn’t good either. We need to be doing better at protecting kids and teens from inappropriate content. We need to make sure they spend more time touching grass, but responsible Internet use is also important.
I don’t think we should decry all age verification and all child safety laws as government overreach or entirely cynical. We should try to develop better systems. At the moment, can we say the Internet is a good system? Can we make it better?
A passkey-like system connected to an on-device state ID would be one way to improve safety for the average user. NIST should take the lead here to write out more precisely the technical standards to follow.
Ideally this system is adopted voluntarily. I don’t necessarily want government to cynically censor important content for vulnerable teens. But I also don’t want vulnerable teens to keep winding up in the hospital. Do we need the government to ban teens from viewing eating disorder content, or can the sites be proactive in tagging the content before it reaches an audience?
There are also questions around family dynamics. Should parents have a say in what children are seeing online? That’s a question without a solid answer. Should a homophobic father prevent their son from finding affirming content? Should a young girl be watching videos about extreme weight loss? Should teen boys be watching misogynist podcasts? Parents aren’t always good role models, but neither is the Internet.
Moreover, can we do a better job of knowing who is who in a way more sophisticated than a trivial date picker?