To be clear, I’m not advocating for online age verification. I’m very much against it in any form. I’m just curious from a technical standpoint if it’s possible somehow to construct an accurate age verification system that doesn’t compromise a user’s privacy? i.e., it doesn’t expose the person’s identity to anyone nor leaves behind a paper trail that can be traced to that person?
Its possible.
Open source front-interfacing app + a secure element thing in the backgound.
You download an app. You verify your identity, then the app sets up a OTP thing with the shared secret seed lasting for 30 days. But every 30 seconds the OTP changes. Everyone doing a verification in these 30 days gets the same exact secret seed.
The seed hides in the secure element of your device. (it won’t be impossible to extract, but the average kid is not gonna be able hack a secure element) Every 30 seconds, it releases the new OTP to the Open source app. The app doesn’t connect to the internet once the OTP has already been set up. So nobody knows if you actually view the OTP code.
So the government only knows you have the verification OTP set up not which websites you visited, the website only knows you have a valid OTP from the government, but you could be any of the people in the past 30 days (which the company don’t even have access to).
Even if the company and government cooperates, they could only pin down the time of website registration and that you are one of the millions of people that did the verification and requested a OTP Seed.
(Idk the exact terminology for these things, but hopefully I make sense)
But only one person needs to “hack” it on their device to publish the key, allowing everyone to use it without “hacking” their own device.
You can’t store a key on a device and keep it safe from the owner.