How is age verification supposed to work? I don't suppose users of the site are going to provide legal documents just to use it. It's tantamount to shutting it down.
I ask because there was a similar moral outrage around age verification for access to porn sites that I recall being a big issue a while ago. I don't recall exactly how it played out in court, but it appeared to amount to nothing, which I can't help but to feel was due to the fact that mechanisms to verify someone's age online are either trivial to circumvent or present such a high barrier to entry that no reasonable user would surmount it.
They're not saying age verification is wrong, but dozens of skeezy sites taking in personally identifiable information who should have no business in taking in personally identifiable information is a bad idea.
Pornhub advocate for devices to do authentication of ID (i.e. Apple has FaceID and a bunch of stuff for reading IDs already as part of their digital ID initiative) and then attesting the user is of age. This could remain entirely anonymous and more secure than a kid inputting his dad's drivers license number that he stole from the dad's wallet.
Strawman. PornHub doesn't argue against age verification, it criticizes the poorly designed implementation.
Showing my ID at the liquor store to buy alcohol is not comparable to having to put my ID and PII in a poorly secured database. Databases that get breached again and again with virtually no consequences for the owner.
Note that they do not object to age verification. They object to the specific way North Carolina is requiring it to be done:
> Aylo has publicly supported age verification of users for years, but we believe that any law to this effect must preserve user safety and privacy, and must effectively protect children from accessing content intended for adults.
> Unfortunately, the way many jurisdictions worldwide have chosen to implement age verification is ineffective, haphazard, and dangerous. Any regulations that require hundreds of thousands of adult sites to collect significant amounts of highly sensitive personal information is putting user safety in jeopardy. Moreover, as experience has demonstrated, unless properly enforced, users will simply access non-compliant sites or find other methods of evading these laws
Using modern cryptographic techniques (such as blind signatures or zero-knowledge proofs) it is possible to design a system whereby you can prove your age to porn site P without P receiving any information they did not already have other than that you are older than their age threshold. In particular this would even work for anonymous users.
There would be another site V involved in the verification. You would have to give V your real identity and show them your proof of age documents, but V would not get any information about what site you trying to get verified for.
If V were a site that already has your real identity then using V for age verification would not be giving them anything that they didn't already have.
It might be possible for someone who obtains records of both P and V to get an idea of the real identities of porn site account owners by trying to match up the timing. This risk can be greatly reduced by having just one or two V sites, so that they are high traffic, and by having some random delays in the verification protocol.
That way someone trying to figure out if I was using say Pornhub might find out from V that I was doing the V side of a verification at say 2024-06-01 01:44:21, and they might be able to find out from Pornhub if they had any verifications using V that started within a few minutes before that and completed within a few minutes after that.
But with only one or two V sites, there will be way more verifications that happened at V at times compatible with those Pornhub verifications. They would not be able to tell if mine at 2024-06-01 01:44:21 is one of those Pornhub ones or one of the many more going on around that time for other sites.
It is a little counterintuitive, but the more sites that require age verification the better the privacy protection, and the fewer the number of V sites, the better the privacy protection.
That suggests that if we are going to require some sites to do age verification, to do it in the most privacy preserving way (1) it should be done nationally rather than as a patchwork of state verification laws, and (2) V should be a government site.
Is there a way to prove your age without being identified/logging in? Surely some kind of OpenID style protocol can be invented for this with zero knowledge of personal information ending up with pornhub or which sites were being given age verification?
And yet here we are. Hundreds of large porn sites in the US, requiring zero real verification.
Age verification was never adopted by most of the major US porn sites. I was a teenager at the time, I never once had to age verify or provide a CC to use any of the large sites. The only thing most of those sites have ever required - if anything at all - going back to the 1990s, is a click or equivalent indicating you're over 18. Beyond that there were dozens of large US porn forums back then, facilitating downloading, none of which required age verification at any point either.
According to TFA they don't oppose age verification, they oppose the required method of age verification, namely submitting personal information and IDs.
They say they would support secure verification, I guess like having a digital signature from an authority, like the government.
I wonder if PornHub is doing anything to help this happen, though. I doubt it...
We have a few different things going on here. First, age verification requires sharing a lot of PII with some of the dodgier companies on the web. Pornhub’s business past is shady…and they may be the least shady of the lot. Second, things like gay rights aren’t a solved problem. The most awful fact in all of this is that people can be killed for watching gay porn in many countries. If a country changes its policy dramatically, porn sites will have a database of people who have watched gay porn in their country.
When someone physically checks my ID, I can be reasonably sure that it’s not going to be in a database. You could do age verification without a database, but it would be one hell of a lot easier with a database. And again, we’re looking at some of the dodgiest businesses on the web.
Heh. Reminds me of a public debate a few years ago about forcing porn platforms to securely verify the age of their users. I think a government member said something like "We could use FranceConnect (the government SSO service) for authentication in these cases".
1. Sites have no reliable way to determine a user's age without massive privacy violations. (E.g. To access this site, upload a copy of your driver's license.)
2. Making the government the final authority on who is allowed to access the adult internet would enable way too much authoritarian abuse. (E.g. Sorry citizen, you have been deemed a dissident, and will therefore now be treated like a child by every website you visit.)
The solution to 1 is to handle the age verification part on the client side, so sites don't need to know anything about the user except whether they're old enough to access the content in question. And the solution for 2 is for parents to enforce access at the household level rather than governments doing it at the national level. (E.g. Don't let your kids use devices/software that lies to sites about their age, unless you're there to supervise.)
The exact details of how that gets implemented at the protocol level aren't as important as the overall principle. (Though I have a few ideas.)
All sorts of sticky bits here. If the main thing the age verification service is used for is watching porn then how much privacy can you really have? The verification side knows you're watching porn and can look at your ISP records or ask the registered providers if you accessed using token / session x if they really need to e.g. unmask your specific fetish or find out about your activity.
There are some difficult tensions between building for privacy vs being auditable.
Another specific part that seems difficult is the need for a biometric bind. There's no clear way to do this without invasive UX that's bad for the use-case.
If you want to make assertions about a natural person then you need to bind them to the credential with a biometric match, to prevent IDs from being copied or shared.
If you perform that on the client it's amenable to all sorts of hacking, "the drm problem" where you are asking a computer or mobile device to act as a little policeman. The device is no longer "yours".
If you perform it on the server you need to be passing images or better video back to a service. You can have the best protocol and procedures in the world but you will never convince customers that is private & anonymous.
It all depends on requirements tho. If the goal is mainly to prevent say, 8 year olds stumbling across porn websites, and not to stop a motivated 8 year old from accessing them by stealing parent credentials or using workarounds they found on a forum, then the problem is fairly tractable and could probably be solved within the credit card ecosystem alone.
Similar story with people claiming early victory on online age verification. A common claim is "web age verification can't work unless you're happy giving every porn site your name and credit card". Clearly not true. Federated authentication is very old tech and the same techniques that allow you protect your identity with an Apple sign-in can also be used to allow sites to verify that the user is an adult with some goverment account, but nothing more. I agree that it would likely end up expensive and marred by beurocracy like most government IT projects, but at a technical level it's sound
They do oppose age verification because despite knowing there was a problem of underage people viewing their content they did nothing to stop this. Now a government solution has been imposed they are acting as if they are now some how a responsible business.
I don’t know the answers or the right way to implement things but age verification is not an unreasonable requirement.
> Is there a way to prove your age without being identified/logging in?
This comes up every time, but the purpose of the identity check is to ascertain (to the extent possible) that the person logging in is the person whose age you’re verifying.
If you completely separate identity from age checking using some cryptographic method, the loophole is that a single identity token with an adult age can now be used by everyone, everywhere to tell websites that they are above a certain age. So as soon as you did that, someone would just share (or steal) a token of valid age and post it online for everyone to use. Entire system subverted.
You could try to use a 3rd-party service that handles age check functions and implements some level of rate limiting to prevent this, but then you’re trusting that party to know about all of the porn websites and other places the person is trying to log in to. If that 3rd party is the government, well you’ve just created a convenient place for the government to collect stats about people logging in to porn websites.
I ask because there was a similar moral outrage around age verification for access to porn sites that I recall being a big issue a while ago. I don't recall exactly how it played out in court, but it appeared to amount to nothing, which I can't help but to feel was due to the fact that mechanisms to verify someone's age online are either trivial to circumvent or present such a high barrier to entry that no reasonable user would surmount it.
reply