I have mentioned this before, but age verification can be solved by hash chains. They can prove age without compromising privacy.
It is crazy that the solutions Discord goes for are IDs and selfies. It definitely gives the impression that there are shady ulterior motives.
Hash chains are simple. If they were adopted, Discord would clearly be in bad faith taking the steps that they do now. If you search you will find quite a bit of information. My introduction to hash chains is for age verification specifically:
https://spredehagl.com/2025-07-14/
The EU is working on an actual privacy-preserving initiative [0] that allows owners of ID wallets to verify their age, without their actual age or personal data being transmitted. The standard and reference implementations are open source on GitHub. Yet everybody screams uploading IDs and total government surveillance.
Dear littlecranky67, as overseer for your digital wallet, I am happy to inform you that the owner of the discord server kinkydwarfporn doesn't know who you are and your privacy is protected.
Signed your friendly EU official.
As long as someone in the chain is able to physically connect the dots it is game over for privacy.
Your comment assumes there is an "overseer". There is not. Guys, read the technical documents. It is all standardized and open-source. I can code my own wallet.
>The EUDI Wallet notifies the user of a pending request to prove their age, including: the name and identity of the requesting party.
>She consents to share the requested info and her wallet uses verifiable credentials issued by a trusted authority (e.g., national civil registry) to generate a cryptographic proof that she meets the age requirement.
I am fairly sure that here is enough info to be deanonymized by the authorities issuing the EUDI and the wallet app developers.
Your first quote reads: "You, the end user, get a notification that a party (probably the porn website you visited) wants to request your age and you, the USER, get the identity of the website (not vice versa)."
As for the second quote: Yes sure, your credentials need to be signed by a trusted authority, someone has to establish you are an adult. But it is a cryptographic signature. Same as an https certificate needs to be signed by a third party vs. self-signed certificates.
And the ID app developer logs that the porn site has requested my ID. So there is no privacy from the government. Which is much more important privacy.
This is just pointless whataboutism. There are smart devs and crypto experts designing a sound, privacy-friendly system that is open source. It does what it is supposed to do and how everybody would want it to be implemented. Yet people reject it on irrational grounds for whatever negative aspect they associate the EU with.
No matter how open source something is, as long as you can only run it on a non-rooted Google or Apple device, and it’s hardcoded with remote attestation features exclusive to these two platforms, it suddenly isn’t much better than a bro asking you to trust him.
Btw the other guy has a point, by definition you can’t support both privacy and something that obliterates it.
It's funny how pointing out a fact is called whataboutism.
You trust the EU's pinky promise to keep their word that your ID will be safe and secure and never tied to what you say, the content of your messages or who you send them to. If that is so, then go ahead and use it. That's your business.
> whatever negative aspect
The EU literally wants to read your personal messages because it doesn't trust that you are not some criminal in disguise. Instead of the state having to prove that you are criminal breaking the law, it wants to read everything you send and store the data permanently in case you break the law one day. If you think that is acceptable and that is an entity that can be trusted, then I don't know what to tell you.
If I understand correctly how this works, it doesn't require trust or knowledge. The service gets exactly 1 bit of information (over/under the required age), the government system gets nothing.
"Don't trust, verify". It is an open protocol based on cryptography for everyone to verify that simply does not allow to submit identity information when you perform the age verification check. There is no opinion here, no "you have to trust X not to do that later" - it is the property of the used technology to just submit the verified age. You can't derive identity information now or in the future just if you age-verified yourself. You are being paranoid and talking about a fantasy, non-existing system that is not the one I linked to.
On a side note, whataboutism is not about "stating a fact". It is when the stated fact has nothing to do or does not interfere with the original point being made. As in "Why would I trust the EUDI act when the EU does shenanigans like come up with stupid norms of the shape of bananas" - Stated is a fact, but it has nothing to do with the actual EUDI act.
At this point, it's just something stupid people say. It used to mean that when you pointed out that my people were desperate for the freedom of living under capitalism, I would point out that you lived in an apartheid state.
Somehow, here, "whataboutism" means that if after you point out that the EU is coming up with an age verification system that they claim preserves personal privacy, I point out that the EU is also very much, openly, against any sort of personal privacy. Somehow that's some form of communist propaganda. Or Russian propaganda. Terrorist? Whatever. The important part is that I'm someone who should be watched or arrested if I continue to question your motives on behalf of our enemies.
If the input is "give ID", what the software claims to do is almost meaningless since you cannot prove that software was running. What do I care that someone can tell me they built a privacy-first way of validating IDs/age if I cannot be sure that is the software they are running?
They can just as easily save the ID to disk and return "all good" for all I know.
It requires that Bob proves possession of a private key, that only he has ever had. That private key could be generated specifically for the commitment that he got from Alice.
Well your solution includes handwritten signatures and everyone being a handwriting expert so that they compare handwritten signatures. I wouldn't call this an elegant solution.
That is what the example uses. In the real world that would be a digital signature. Look under the heading "Fitting the parts together" to see what the real world solution could be like.
Even easier, just get tokens that carry no other information from ones government, and the government runs an API, that for a given token tells whether that token is valid. Can tokens be stolen? Maybe. Can your face be stolen? Today yes.
Hash chains allow the solution to be token-less. You no longer need those per transaction information leaking API calls. You also avoid dependency on a single provider.
The communication in connection with a transaction would only go between the identity owner (Bob) and the provider (Cycle shop).
No API, they sign the tokens with the government's private key and you verify them with the government's public key
If discord needs to contact an API, then the government can associate the token with you, and you with discord, and know what you browse online. No thank you.
No, using another ID has a much higher barrier: more likely to get caught (it's the same ID, after all - tokens might (or should) be better anonymized so services don't build user profiles just using the age tokens), more likely to get punished (there's a real name attached to it), more likely to lead to a video verification request to compare ID picture with actual face.
Something like half of Israel's economy is intelligence gathering. Wtf do you think is happening here? It's pretty obvious: economic leverage, surveillance, foreign influence, tech exports being used politically, etc.
I'm not sure how hash chains would resolve the fundamental issue of needing to send your ID or similar to some random third-party company that does god-knows-what with it (probably stores it in a publicly accessible path with big "steal me" signs pointing at it). That they need to attest to your age means that they need to trust what your age is, which has really just moved the problem one layer deeper (as far as I can tell).
I assume by third party you mean the authority, and yes, the authority would need to know your personal information. At least enough of it to verify your age. So the ideal is that the authority is the entity that already knows your personal information. Like the entity that issued your passport to you, or the one that issued your driver's license.
But even if the authority was a private company, I think it would be an improvement compared to the current situation. In this situation your personal information would be held by this one company, and not whatever provider that needs to verify your age. Also, you would be able to use the commitments, that this private authority gave you, without any coordination afterwards. The authority would not know about your transactions.
How would that mechanism work in practice, though? If every parent needs to become a trusted authority, wouldn’t that just move the goalpost? Who would be the trusted authority, and who would implement that?
I agree that the mechanism is elegant, but figuring out which entity should be trusted in a way that scales globally is somewhat difficult.
It works quite well in Czechia. Upon verification request, you are redirected to a government site, where you select exactly what data (Full name, DOB, address ... ) you intend to share with the entity requesting the information.
I can imagine you could share just your DOB in such a case, while keeping your real identity private. In such a way Discord would learn only your age, keeping everything else from them.
Government learns that Discord was provided your data, but this is supposedly a trusted, regulated entity.
A better system is in beta in Switzerland. Government is the root of trust, but only signs your private cert regarding your ID. All the interaction with third parties is local to your device, the government doesn’t get to know you interacted with Discord. Discord gets a single bit “is the user of this device 16/18 (restricted/full legal autonomy age) years old?” With chain of trust to the government.
Yes. I think that whatever organization that issues your passport, would be a natural choice for setting this up.
But nothing prevents it from being a private company, although I cannot see a sound business model for it. Also it would need to project great credibility for customers to trust them with their information.
How difficult would it be to add further anonymization? Let's say I want to prevent the bike shop from building a usage profile on the basis of the age check (e.g. because I'm buying booze). Would I just need to get more chains from Alice, or is there an easy way to integrate e.g. group signatures into the scheme?
I think that whatever organization that issues your passport, would be a natural choice for setting this up. But it could be some other authority. In a way it is the identity owners and the providers that decide who they will trust as authorities.
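The hash-chain age check this thread keeps referring to, as an added example that is not part of any comment or of the linked article: it assumes the commonly described construction in which the authority commits to a secret seed hashed `age` times, and the names `issue`, `prove` and `verify` are hypothetical. The authority's signature over the commitment and Bob's proof of key possession are assumed to be checked separately.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def h(data: bytes, times: int = 1) -> bytes:
    """Apply SHA-256 `times` times; zero applications returns the input."""
    for _ in range(times):
        data = hashlib.sha256(data).digest()
    return data


def issue(age: int) -> Tuple[bytes, bytes]:
    """Authority (Alice), run once: she knows Bob's real age.

    Bob keeps the seed secret. The commitment is what Alice would sign;
    it reveals nothing about the age, because the chain length is hidden.
    """
    seed = secrets.token_bytes(32)
    return seed, h(seed, age)


def prove(seed: bytes, age: int, threshold: int) -> Optional[bytes]:
    """Identity owner (Bob): walk the chain, stopping `threshold` links
    before the commitment. Impossible when threshold > age, since that
    would mean inverting the hash."""
    if threshold > age:
        return None
    return h(seed, age - threshold)


def verify(proof: Optional[bytes], commitment: bytes, threshold: int) -> bool:
    """Provider (the shop): hash the proof `threshold` more times and
    compare. No call to the authority; the shop learns one bit."""
    if proof is None:
        return False
    return hmac.compare_digest(h(proof, threshold), commitment)


if __name__ == "__main__":
    seed, commitment = issue(21)           # constructed sample: Bob is 21
    proof = prove(seed, 21, 18)
    print("over 18:", verify(proof, commitment, 18))
    print("over 21 with the same proof:", verify(proof, commitment, 21))
    # Anyone who sees `proof` can replay it or hash it forward for lower
    # thresholds, which is why the scheme also binds it to Bob's key.
```
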