What's wrong with EU age verification? (Nothing)

What’s wrong with EU age verification? (Nothing)

欧盟的年龄验证机制有什么问题吗?(完全没有)

There is a lot of chatter about online age verification. When the criticism turns to the EU’s approach, it tends to be either uninformed or deliberately misleading. 关于在线年龄验证的讨论非常多。当批评声指向欧盟的方案时,这些言论往往要么缺乏了解,要么就是蓄意误导。

Do we need online age verification? This is partly an ideological question. If you think age verification should not exist at all, the technical details won’t matter to you. No implementation will be acceptable, because the objection is to age gates themselves, not to any particular mechanism. 我们需要在线年龄验证吗?这在一定程度上是一个意识形态问题。如果你认为根本不应该存在年龄验证,那么技术细节对你来说就无关紧要了。任何实施方案都是不可接受的,因为反对的焦点在于“年龄门槛”本身,而不是任何特定的机制。

I am not in that camp. A 9-, 10-, or 14-year-old is not ready to wander the open internet without limits. This isn’t just a matter of parental taste. Children and teenagers are still developing the cognitive, emotional, and social skills needed to handle manipulation, addiction loops, sexual content, gambling mechanics, grooming, harassment, algorithmic radicalization, and the rest of what adults themselves often struggle with. 我并不属于那一派。9岁、10岁或14岁的孩子还没有准备好在没有限制的情况下在开放的互联网上游荡。这不仅仅是家长偏好的问题。儿童和青少年在应对操纵、成瘾循环、色情内容、赌博机制、诱拐、骚扰、算法激进化以及成年人自己都常感到棘手的问题时,其认知、情感和社交技能仍在发展中。

Isn’t it the family’s job to set the limits? Yes and no. When children are very young, parents can set strict boundaries. But as kids move into their teens, parents also have an obligation to loosen them. Teenagers need spaces where they can act independently, make decisions, and talk to others — where they can learn to navigate the world without a parent looking over their shoulder. The question is whether we can build online spaces where that gradual freedom is possible. 设定限制难道不是家庭的责任吗?既是,也不是。当孩子还很小时,父母可以设定严格的界限。但随着孩子进入青春期,父母也有义务放宽这些限制。青少年需要一些空间,让他们能够独立行动、做出决定并与他人交流——在那里,他们可以学会在没有父母时刻监督的情况下探索世界。问题在于,我们能否构建出允许这种渐进式自由的在线空间。

“I raised my kids to be smart and self-confident, and they would never do X.” Maybe. I hope I did too. But not all children are the same. They don’t share the same temperament, support, confidence, parents, or protection. And even grounded, intelligent teenagers are vulnerable at times. “我把我的孩子培养得很聪明、很自信,他们绝不会做某事。”也许吧。我希望我也做到了。但并非所有孩子都一样。他们没有相同的性格、支持、自信、父母或保护环境。即使是脚踏实地、聪明的青少年,有时也会变得脆弱。

We already accept age restrictions elsewhere. Children can’t drive, drink, gamble, or enter certain venues before a certain age. It is not absurd to think parts of the internet should be age-restricted too. The hard question isn’t whether age limits can ever be legitimate. It’s how to enforce them without turning the internet into an identity checkpoint. 我们已经在其他领域接受了年龄限制。在达到一定年龄之前,儿童不能开车、饮酒、赌博或进入特定场所。认为互联网的部分内容也应受到年龄限制,这并不荒谬。难题不在于年龄限制是否合法,而在于如何在不将互联网变成身份检查站的情况下执行这些限制。

Is age verification the first step to mass online surveillance? It can be. Most people assume age verification means scanning an ID, uploading a passport, taking a selfie, or submitting to a face scan — which is exactly what many services already ask for. Implemented that way, the critics are right to be alarmed. To prove to a porn site, a gambling site, an online liquor store, or a religious forum that I’m an adult, I should not have to hand over my name, date of birth, ID number, face, address, or passport. That is a dangerous amount of information to give any private website, let alone one dealing with sensitive content. 年龄验证是大规模在线监控的第一步吗?有可能。大多数人认为年龄验证意味着扫描身份证、上传护照、自拍或提交人脸扫描——这正是许多服务目前所要求的。如果以这种方式实施,批评者的担忧是正确的。为了向色情网站、赌博网站、在线酒类商店或宗教论坛证明我是成年人,我不应该交出我的姓名、出生日期、身份证号、面部信息、地址或护照。将如此多敏感信息交给任何私人网站都是危险的,更不用说那些处理敏感内容的网站了。

There is another familiar pattern: sign in with a trusted third party. A site might ask me to authenticate through my bank, my Google or Apple account, my mobile operator, or a government identity service. That avoids handing the site my documents, but it creates a different problem: now the identity provider learns which age-restricted sites I visit. That’s not much better. In one version, the website learns who I am. In the other, the identity provider learns where I go. Both are scary. But neither is the only way to do this. 还有另一种熟悉的模式:通过受信任的第三方登录。网站可能会要求我通过银行、Google或Apple账户、移动运营商或政府身份服务进行验证。这避免了将文件交给网站,但产生了另一个问题:现在身份提供商知道了我会访问哪些受限网站。这并没有好到哪里去。在前一种情况下,网站知道了我是谁;在后一种情况下,身份提供商知道了我的去向。两者都很可怕。但这两种都不是唯一的方法。

The better primitive: a signed age attestation

更好的基础方案:已签名的年龄证明

A better design starts from a simple idea: prove only the thing that needs proving. The website doesn’t need my name, my date of birth, my ID number, or whether I’m 19, 37, or 74. It only needs to know whether I clear a threshold: age >= required_age 更好的设计始于一个简单的理念:只证明需要证明的事情。网站不需要我的姓名、出生日期、身份证号,也不需要知道我是19岁、37岁还是74岁。它只需要知道我是否达到了门槛:年龄 >= 所需年龄。

The easiest way to picture this is a digitally signed attestation. Take the offline version: You go to a government office. You show your passport or national ID. They issue a card that says only one thing: “over 18”. The card carries official seals, signatures, and anti-forgery features. You show that card at the entrance of an age-restricted venue. The venue can confirm the card is genuine without learning your name, date of birth, or ID number. 最容易理解的方式是数字签名证明。以线下版本为例:你去政府办公室,出示护照或国民身份证。他们签发一张只写有一件事的卡片:“年满18岁”。该卡带有官方印章、签名和防伪功能。你在受限场所的入口处出示该卡。场所可以确认卡片真实,而无需获知你的姓名、出生日期或身份证号。

The digital version is the same idea, with cryptography. An authorized issuer verifies your age once and issues a signed credential: 数字版本也是同样的理念,只是使用了密码学。授权签发机构验证你的年龄一次,并签发一份已签名的凭证:

{
  "claim": "age_over_18",
  "value": true,
  "issuer": "Trusted Age Attestation Provider",
  "valid_until": "2027-12-31"
}

The issuer signs it: signature = Sign(issuer_private_key, attestation) 签发机构对其进行签名:signature = Sign(issuer_private_key, attestation)

A website can later verify it: Verify(issuer_public_key, attestation, signature) 网站随后可以验证它:Verify(issuer_public_key, attestation, signature)

The key property: the website never has to contact the issuer. It only needs to know the attestation was signed by a trusted issuer and is still valid. And the issuer never learns where — or whether — you used it. 关键特性在于:网站无需联系签发机构。它只需要知道该证明是由受信任的机构签发的且仍然有效。而签发机构永远不会知道你在哪里使用了它,甚至不知道你是否使用了它。

This is the core of the EU approach. The EU Age Verification Blueprint describes a system built on Proof of Age attestations, relying parties, attestation providers, age-verification apps, and trust lists. It is aligned with the European Digital Identity Wallet architecture and lets users prove they are over a certain age without disclosing their exact age or identity. 这就是欧盟方案的核心。欧盟年龄验证蓝图描述了一个基于年龄证明、依赖方、证明提供商、年龄验证应用和信任列表构建的系统。它与欧洲数字身份钱包架构保持一致,允许用户在不泄露确切年龄或身份的情况下证明自己已达到特定年龄。

Selective disclosure and zero-knowledge proofs

选择性披露与零知识证明

A signed attestation is already far better than uploading an ID to every site. But a subtle privacy risk remains. If the wallet presents the same signed credential to many websites, those sites may be able to correlate visits. Even without my name, they could learn that the same anonymous adult visited site A, site B, and site C. 已签名的证明已经远好于向每个网站上传身份证件。但仍存在一个微妙的隐私风险。如果钱包向多个网站出示相同的签名凭证,这些网站可能能够关联访问记录。即使没有我的名字,他们也能知道同一个匿名成年人访问了网站A、网站B和网站C。

That’s why the stronger version uses selective disclosure or zero-knowledge proofs. Instead of showing the underlying attestation, the wallet proves a statement about it: I hold a valid Proof of Age attestation, signed by a trusted issuer, that proves age >= 18. …without revealing the attestation itself. 这就是为什么更强的版本使用选择性披露或零知识证明。钱包不再展示底层的证明,而是证明关于它的一项声明:我持有一份由受信任机构签发的有效年龄证明,证明年龄 >= 18岁……且无需泄露证明本身。

The EU technical documentation describes this as generating a zero-knowledge proof from a Proof of Age attestation: the app encodes the attestation as private input to a circuit, uses public inputs such as the attestation provider’s public key, and produces a zkSNARK proof. 欧盟技术文档将其描述为从年龄证明生成零知识证明:应用程序将证明编码为电路的私有输入,使用诸如证明提供商公钥之类的公共输入,并生成一个zkSNARK证明。

That’s a big deal. It means the privacy-preserving version isn’t: Here is my ID. It isn’t: Here is my date of… 这意义重大。这意味着保护隐私的版本不再是:“这是我的身份证。”也不是:“这是我的出生日期……”