Project ideas from Hacker News discussions.

EFF launches Age Verification Hub

πŸ“ Discussion Summary (Click to expand)

The discussion reveals three major, interconnected themes regarding proposed digital age verification laws/systems:

1. The Primary Goal is Surveillance and Data Collection, Not Child Protection

Many users expressed deep skepticism that the stated intent of protecting children is the true motivation behind these laws. Instead, they see it as a pretext for establishing broader digital identity requirements and normalized governmental/corporate surveillance mechanisms.

  • Supporting Quotes:
    • "Any time law-makers claim that a law is meant to protect children you can guarantee that the safety of children had almost nothing to do with it. This is all a push to normalize digital ID (to protect the children!); once normalized it will become mandatory." - "mikece"
    • "I always ask myself who wins with these laws (well, any law really). so far, the only winner seems to be the government and data collectors." - "no_wizard"
    • "Age Verification isn't about Kids or Censorship, It's about Surveillance" - "pksebben" (repeated for emphasis)

2. Privacy-Preserving Technologies (like ZKPs) are Being Deliberately Ignored

There is significant frustration that technical solutions capable of verifying age without revealing user identity—such as Zero-Knowledge Proofs (ZKPs)—are being disregarded in favor of high-surveillance models.

  • Supporting Quotes:
    • "Hackingonempty: I am disappointed to find no mentions of zero knowledge proofs or any other indications that we won't have to trust anyone with this task. We have the technology to do age verification without revealing any more information to the site and without the verification authority finding out what sites we are browsing." - "hackingonempty"
    • "The politicians don't want Zero Knowledge Proof because it prevents the mass-surveillance of internet users. This is all deliberate." - "wiredpancake"

3. The Peril of Mandated Digital IDs and Government/Corporate Overreach

The discussion frequently touches upon the dangers of mandatory digital identification systems, fearing they will lead to authoritarian control, chilling effects on speech, and the expansion of government/corporate power over individual lives, extending far beyond age restrictions.

  • Supporting Quotes:
    • "The internet, with verifiable identities, is the greatest system to collect kompromat that one could ask for." - "kagrenac"
    • "If we don't push for the use of privacy preserving technology we won't get it and we will get more tracking... You cannot defeat age verification on the internet, age verification is already a feature of our culture." - "hackingonempty" (Implying the system must be privacy-respecting, or it's a failure.)
    • "It's deanonymizing and intrusive and mandatory for sites to implement without protecting them from sockpuppets and foreign troll farms." - "Pxtl"

🚀 Project Ideas

Decentralized Attribute Attestation Hub (DAAH) — ZKP-Enabled Client-Side Age Flags

A service that facilitates the secure, auditable, and privacy-preserving issuance of client-side identity attributes (like age bracket eligibility) using Zero-Knowledge Proofs (ZKPs) or similar cryptographic techniques, avoiding centralized identity providers.

πŸ” What it does

  • ZKP Credential Issuance: Allows users to prove specific attributes (e.g., "Age > 16") to relying parties (websites) without revealing the exact age or identity, leveraging protocols like OpenID4VP or custom ZKP circuits.
  • Local Key Management: Keys and proofs are generated and stored only on the user's device, potentially bound to secure hardware or biometrics (as discussed by MatteoFrigo), addressing the "government app" concern by decentralizing the attestation holder.
  • Client-Side Flag Broadcasting: Implements the suggested HTTP header mechanism (or a more robust signaling method) that is populated locally using the generated ZKP proof/token, allowing websites to respect the client's local parental policy settings (rlpb's idea).

Why HN commenters would love it

  • Addresses Surveillance Fears: Directly tackles the core anxiety expressed by pksebben and others: that age verification is a pretext for surveillance, by championing privacy-preserving tech like ZKPs (hackingonempty, wiredpancake).
  • Solves the "Client Flag" Dilemma: Provides a strong technical foundation for the proposed client-side flag concept (rlpb) that is cryptographically sound, mitigating concerns about simple header abuse or fingerprinting (phantasmish).
  • High Technical Appeal: Involves cutting-edge cryptography, hardware security modules, and protocol design, inviting deep technical discussion and contribution (MatteoFrigo's Sudoku analogy).

Example output

A user visits a site configured to require age verification. The browser automatically generates a ZKP that asserts Age > 18 using a credential stored locally. The browser sends a request header: Attestation-Proof: <ZKP_Token_12345...>. The server validates the token's signature chain (linking to trusted issuers offline) and allows access. The server never learns the user's name, date of birth, or exact age.

Monetization: Hobby

# Project Proposals Based on HN Discussion

Jurisdiction-Aware Content Rating Overlay (JACRO) — Self-Labeling System 2.0

A modernized, strongly encouraged, but non-mandatory digital content rating standard built on existing metadata concepts but enforced client-side via browser policy.

πŸ” What it does

  • Protocol Specification: Defines a modern, lightweight web standard (like an updated RTA header or utilizing structured metadata in HTTPS responses) for content providers to self-label their content at a granular level (e.g., rating: [Nudity:Mild, Violence:None, Topic:Gambling]).
  • Device Policy Enforcement: Browser clients (especially those configured via parental controls, as discussed by rlpb and BobaFloutist) read this explicit rating from the server response and enforce pre-set parental/user filtering rules locally, without ever communicating the user's age to the server.
  • Audit & Liability Tooling: Provides open-source tools allowing parents/guardians to easily audit which sites are claiming what (taeric's data flow audit concern) and easily configure enforcement modes on consumer devices (BobaFloutist's manufacturer culpability model).

Why HN commenters would love it

  • Bypasses Government ID Requirements: Satisfies the desire for a non-mandatory, client-controlled solution that empowers parents rather than forcing universal digital ID (rlpb, Gormo, thinkingtoilet).
  • Retrofits Older Concepts: Provides a modern, HTTPS-friendly implementation of concepts like ICRA (yardstick) or the proposed RTA header (Bender), making it easy for existing services to adopt without major infrastructure upheaval.
  • Focuses Locally: Avoids the jurisdictional nightmare discussed by phantasmish and addaon because the client enforces the local parental policy based on a server-provided content flag, not the user's legal age status relative to the server's location.

Example output

A parent configures their child's tablet setting to "Block all content flagged with rating: [AdultContent:Explicit]." When the child visits a site, the site responds with metadata headers: Content-Rating: [Nudity:None, Violence:Mild, AdultContent:Explicit]. The browser sees the explicit flag, compares it against the local policy, and immediately renders a block screen instead of loading the content.

Monetization: Hobby
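As an added example (not code from the page or from any project it mentions), this is one way a browser-side enforcer could parse the Content-Rating header shown above and apply a local policy. The severity scale, the policy object shape and the function names are assumptions of this sketch.

```javascript
// Added example: client-side check of a site's self-declared rating.
// Header syntax and category names follow the page's examples; SCALE and the
// policy shape are assumptions of this sketch.
const SCALE = ['None', 'Mild', 'Explicit']; // assumed order, least to most severe

// Parse "[Nudity:None, Violence:Mild]" into a Map, or null when malformed.
function parseContentRating(value) {
  if (typeof value !== 'string') return null;
  const m = value.trim().match(/^\[(.*)\]$/);
  if (!m) return null;
  const ratings = new Map();
  if (m[1].trim() === '') return ratings; // "[]" is a valid, empty label set
  for (const item of m[1].split(',')) {
    const parts = item.split(':').map((s) => s.trim());
    if (parts.length !== 2 || !parts.every((p) => /^[A-Za-z]+$/.test(p))) return null;
    // A repeated category is ambiguous (which label wins?), so reject it
    // rather than let a response append a milder entry.
    if (ratings.has(parts[0])) return null;
    ratings.set(parts[0], parts[1]);
  }
  return ratings;
}

// Decide locally; nothing about the user or the policy is sent to the server.
function decide(headerValue, policy) {
  const ratings = parseContentRating(headerValue);
  // The label is untrusted site input: a missing or malformed header is
  // resolved by the local policy, never by trusting the page.
  if (ratings === null) return { allow: !policy.blockUnlabeled, reason: 'unlabeled-or-malformed' };
  for (const [category, level] of ratings) {
    const reason = `${category}:${level}`;
    if ((policy.blockLabels.get(category) || []).includes(level)) return { allow: false, reason };
    const threshold = policy.blockAtOrAbove.get(category);
    if (threshold === undefined) continue;
    const rank = SCALE.indexOf(level);
    // An unknown level in a thresholded category fails closed.
    if (rank === -1 || rank >= SCALE.indexOf(threshold)) return { allow: false, reason };
  }
  return { allow: true, reason: 'within-policy' };
}

// Constructed policy: the page's tablet rule plus one topic rule.
const childPolicy = {
  blockAtOrAbove: new Map([['AdultContent', 'Explicit']]),
  blockLabels: new Map([['Topic', ['Gambling']]]),
  blockUnlabeled: true,
};
```

Because the standard is described as non-mandatory, the `blockUnlabeled` choice decides how the device treats the many sites that will send no header at all.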

Open Proxy/VPN Compliance Monitoring Dashboard — Anti-Circumvention Metric Service

A transparency service that tracks and exposes the scale of non-compliance in systems that rely on jurisdiction-specific "digital walls," focusing specifically on age verification circumvention tools.

πŸ” What it does

  • Canary Deployment Tracker: Deploys anonymized, publicly accessible "child canary" agents (bots configured to send the explicit "I am a child" flag, per rolph's suggestion) to known high-risk or targeted websites/services.
  • Circumvention Metric Reporting: Tracks what percentage of requests originating from services known to be VPNs, proxies, or other obfuscation technologies successfully bypass the site's age gates without submitting proof.
  • Transparent Reporting: Publishes regular, accessible dashboards detailing which geopolitical regions/IP blocks are most commonly used to defeat client-server age verification mechanisms, directly challenging the assumption that mandated verification stops circumvention (raw_anon_1111, Epalization).

Why HN commenters would love it

  • Addresses Enforcement Realities: Directly acknowledges the viewpoint that any centralized digital restriction will be defeated by proxies and VPNs (bena, raw_anon_1111), turning that failure into measurable data.
  • Shifts Focus to Platform Efficacy: Provides ammunition for arguments that focus on platform accountability (jajuuka) by showing lawmakers how frequently mandated systems are bypassed, suggesting the effort is misplaced.
  • Data-Driven Debate: Moves the discussion beyond abstract fear to concrete auditing of proposed compliance measures, appealing to the desire for transparency (taeric).

Example output

The Dashboard shows: "14% of all requests attempting to violate the adult content policy on Site X originated from IP ranges associated with commercial VPN Provider Y, concentrated primarily in Country Z." This data can then be used by regulators or system architects to discuss blocking known VPN exit nodes or focusing enforcement efforts geographically.

Monetization: Hobby