On the other hand: Are you willing to pay hundreds of millions for developing the biggest data leak in human history, killing websites like Wikipedia in the process, while stopping only 10% of underage children from seeing porn?
The current systems being put in place in the UK are privacy-invading and ineffective. In my opinion they are worse than not having anything at all. I might be willing to change my viewpoint if something better comes along, but if a proper solution was so easy, why haven't we seen a peer-reviewed reference design yet? What's stopping the nerds from nerding harder?
> On the other hand: Are you willing to pay hundreds of millions for developing the biggest data leak in human history
The comment you are replying to was talking about ZKP based systems. In those systems you don't show any identity information to the websites that you are trying to prove your age to.
Those systems can be made leak proof by making the party that you have to show identification to be some party that already has your identity information. For example it can be the government agency that issues your driver's license.
But these systems then are trivial to bypass by a person that publishes their private key for others to use as impersonation. If the site can't determine if the same id is used for multiple requests, they can't prevent it. And if the gov isn't able to see which site is requesting the data, neither can it.
Systems like the EU's digital identity wallet use hardware-based security. The private keys are generated by the secure element in your smartphone or something equivalent on a smart card, and any operations that need the keys during a verification are done in that secure element.
IIRC the new EU spec doesn't actually require using "secure elements" that could limit the user, only says they should be used if present. It shouldn't be hard to find some device where the hardware isn't present or is insecure to extract the keys from.
Or people could just proxy requests to the device, even with a reasonable rate limit in place, one donor could provide access for over a dozen people each day.
So, I think that I can avoid a lot of the data leak problems.
There might be a simple way to do this with a crypto-currency. If possession of a credit card is considered proof of age, then possession of cryptocurrency should also be considered proof of age. Maybe the user could play $0.01 to the porn site using crypto currency to prove that he is over 18. If done properly, no one, not even the government, would know who the user was.
Here is another idea.
You have independent stores where the clerks can sell proof-of-age certificates to people. These certificates are essentially just 20 random Base64 characters. By law, the independent stores are not allowed to identify the customer (who pays with cash). The store clerk is only permitted to issue certificates to people who appear to be over the age of 18, no id required. The store keeps a list of every certificate that they have sold along with the month in which the certificate was sold so that the certificates can expire after several months.
Now I claim that it is possible to create open source zero knowledge proof software that runs on a server for each store, a few government certifying authorities, the porn websites, and on the users computer so that as long as the stores don't identify the users, no one will be able to identify the user. The government will not be able to tell which certificate was used to access the porn. The government will not have access to the certificates. It will not be able to tell which store issued the certificate. The porn site will not learn the certificate of the user nor will it know his identity.
Also, the number of lines of code needed for each program of the five needed open source programs will be less than 1000 lines, maybe less than 100 lines.
I think that all of this could be done at a cost of about $50,000 to develop the software plus the cost of running the servers. I feel like I could write all the code for less than that.
The system is not perfect. You have to trust the stores to not identify the customers and to do a decent job of identifying who is over the age of 18.
Some kids will get certificates by copying their parent's code or copying the code of an older friend. Some 16 year olds will look like they are 18 and they will be able to buy proof of age certificates. But, over 80% of kids under 17 will not be able to view porn.
Despite the low cost and effectiveness of the idea above, I am not sure that it is a good idea. I don't like the government censoring content.
The current systems being put in place in the UK are privacy-invading and ineffective. In my opinion they are worse than not having anything at all. I might be willing to change my viewpoint if something better comes along, but if a proper solution was so easy, why haven't we seen a peer-reviewed reference design yet? What's stopping the nerds from nerding harder?