Back to News
Advertisement
Advertisement

⚡ Community Insights

Discussion Sentiment

70% Positive

Analyzed from 2020 words in the discussion.

Trending Topics

#age#government#knowledge#proof#zero#data#information#google#zkp#verification

Discussion (51 Comments)Read Original on HackerNews

anon-398832 minutes ago
Age is just one metric. I don't want zero proof tech about information X. I don't want to have an identity. Full stop.
dadoumabout 3 hours ago
Still, I don't want to gate people based on age.

Parents should at least be able to overwrite the age of their child, maybe selectively allow bypasses. My experience with a computer would have been completely different if I was blocked from half of the internet. Especially when I see which kind of content gets blocked.

doginasuitabout 3 hours ago
As a millennial-aged person I saw a fair amount of content I would not want the young people in my life to see, but it's probably not nearly as harmful as the non-age gated content that they will still have access to. There is a lot creepy youtube and tiktok content that isn't off limits but still unhealthy and my younger relatives are fascinated by it.
echelonabout 2 hours ago
We need to stop this helicopter civilization bullshit.

We're building 1984 to protect from god knows what imaginary harms.

Stop putting plastic wrap around people's freedoms, liberty, and right to privacy.

Gigachadabout 1 hour ago
The harms of smartphones and social media are about as far from imaginary as it could get. The data is screaming at us.

We will look back at handing kids phones with instagram like giving kids cigarettes and think wtf were we doing.

doginasuitabout 3 hours ago
Zero-knowledge seems to be a bit of an oversell here. It is more like you break the knowledge up and only share the relevant parts with each party. And the facilitator (Google) arguably has access to the most information out of any of the parties involved.
slwvxabout 3 hours ago
zero-knowledge proofs are a well-known tool in cryptography [1]. All Google is sharing is the library to implement it. Google would not have access to the information any more than they have access to the bank info of people who use Android or Gmail.

[1] https://en.wikipedia.org/wiki/Zero-knowledge_proof

doginasuitabout 3 hours ago
It's my understanding that they are sharing the library but they will also be involved as a facilitator, at least to the extent that people use their identity wallet service. It also seems like they will have access to who you are sharing information with, which seems like the most valuable information for a company in their position, with nothing but a pinky promise that it will not be tracked. Let me know if any of that is inaccurate.
_alternator_about 2 hours ago
I don't know the technical details of this ZKP library, but there is no technical reason that I'm aware of that the ID provider would need to know who you are sharing with. Not to say Google didn't build it this way for business reasons.
beepbooptheoryabout 1 hour ago
Here is a good explainer of an ideal implementation of this (maybe). If its this, you would be incorrect.

https://blog.vrypan.net/2026/06/29/260629-whats-wrong-with-e...

dgrin91about 3 hours ago
There are true ZKP setups where no one learns anything but the absolute minimum (e.g. is this person over 16, not what is their dob). This is hard to prove though and I don't know if I trust Google to do it
wmfabout 3 hours ago
Ideally the government would be the issuer and the facilitator but the US lacks the state capacity to do this. Maybe it will work that way in Estonia.
quietthrowabout 1 hour ago
This seems great - one question (ideally for Alan stapleberg) why is this not available for everyone? Seems like this is only applicable to the EU? Genuine question - Why would other governments not want this for their people ? I am sure there is a flip side that EU thinks is not worth more than thier people getting this kind of privacy. But what’s has to be true for some govts to think that the flip side is more beneficial than the privacy aspect. Appreciate if someone can break down how incentive structures are different and hence the resultant choices/positions
watersbabout 4 hours ago
We need "How to talk to your legislators about zero-knowledge proofs".
protocoltureabout 4 hours ago
"Dont do age assurance, ever"

Done.

Avicebronabout 3 hours ago
Ok, they have ignored that. I did my part and sent an email. Now what?
protocoltureabout 2 hours ago
Violent revolution I guess. Genuinely what are the other options?

I made a formal submission to the Australian Government in the very small consulting window they held for the Access and Assistance bill. Pleading with them to consider simply not introducing the law, as there was no justification for it at all. Google also made a submission against the bill, as did many large local and overseas corporations.

The government went ahead anyway.

What are the chances of me swinging any government when Google et al are on the other side, determined to provide privacy and anonymity destroying products to bolster their bottom line?

Probably worth mentioning that the Access and Assistance bill permits the Australian government to secretly (even just verbally) compel anyone building age assurance technology to secretly backdoor it to collect metadata, or any other information they choose. There's no level of safety from the government one can achieve with any app. If they resist they go straight to the Australian version of a secret national security court. The bill doesn't even make it clear whether briefing their solicitor about the request is legal. It doesn't matter how good the crypto is if the app is recording details outside of that. Its all just theatre at this point. There's no safe app, so we should completely resist all attempts to do things the government could restrict, leak or misuse.

I dont see how this is even slightly contentious in the year of our lord two thousand and twenty six, after decades of leaks affirming governments do this stuff, decades of governments and corporations dangerously failing their citizens privacy, when a particular government is hell bent on using all the personal data it can hoover up to persecute migrants and refugees. How are people blindly monofocusing on the crypto while trusting everything else?

matheusmoreiraabout 3 hours ago
"Do the opposite of what Meta is lobbying for"

Done.

dborehamabout 4 hours ago
Not really any point since US legislators aren't motivated by the interests of regular people.
consumer451about 4 hours ago
Yes, they are not.

> Today, we open sourced our Zero-Knowledge Proof (ZKP) libraries, fulfilling a promise and building on our partnership with Sparkasse to support EU age assurance.

Groxxabout 3 hours ago
I've been trying to figure out how zero-knowledge stuff would work in practice for age verification, where "when issued" (or extremely coarse, like what year), "to whom", and "where it's used" are hidden from everyone except the individual holding the proof (since that's the gold standard, and the only one worth accepting).

I get that ZK techniques work, and reveal "nothing". That's useful.

But if they reveal nothing, isn't it wide open for abuse? Couldn't one over-18-person's proof become everyone's proof, because they can't tell it's the same proof, and the issuer can't tell where or how often the proof is being used? Or are there ways to construct data leaks that are not user-identifying but are abuse-identifying (and what would that even mean)?

Aurornisabout 3 hours ago
> But if they reveal nothing, isn't it wide open for abuse? Couldn't one over-18-person's proof become everyone's proof, because they can't tell it's the same proof, and the issuer can't tell where or how often the proof is being used?

Yep!

This is why the concept of zero knowledge age gating is such a trap for technically minded people. They imagine receiving a private cryptographic object that can be used to anonymously confirm that the government says it was issued to someone over 18.

That’s completely useless because a single leaked token could be used forever, so nobody actually considers this.

All of the real proposals have various compromises baked in. Some people want to require device attestation, so you could only do this handshake from a government approved device running a government approved operating system. Forget using Linux or maybe even a general purpose computer at all.

Other proposals involve online government handshakes in various ways, with a pinky promise that the government won’t keep logs or tap it for national security purposes. So we get back to anonymous by trust only.

whiplash451about 1 hour ago
We might be over complicating things here.

The governments’ focus might be on protecting genuine users (adults or not), not fighting fraudsters.

In other words if ZKP works for the vast majority of technically illiterate people with their EU ewallet, the job is done.

denkmoonabout 1 hour ago
Absolutely. We don't look at the use of false identity documents as a failure of age gating tobacco and alcohol, it's just an accepted consequence that we try to mitigate knowing that we cannot stop all instances.
countcolabout 2 hours ago
You can use a Linux… if it’s a Android

:(

Epa095about 2 hours ago
Idk if this scheme is zero knowledge, but what's wrong with it? :

- you enter ph and must age-verify. It says 'your secret: "capable peanut", enter age proof below'.

- you go to age-knower (e.g bank or government page). You provide the secret phrase, and you get back a cryptographically signed json with the secret phrase, a claim 'above18', and a field stating who attested for the age (e.g government or bank or whoever).

- you paste this signed json (maybe encoded as base64 or something) into ph. It will verify that the attestee is good, then use it's public key to verify the signature, before checking that the secret is the correct one, and that it contains the age-claim.

Is the problem that if ph and the attestee colludes they can compare the secret string and figure out who you are?

Groxxabout 2 hours ago
Yes, that allows collusion. Which has historically happened quite regularly any time money or politics are involved, which means we should not accept that strategy.

For some isolated scenarios, that collusion risk may be completely fine. But not for something that is poised to control access to the internet as a whole, or in any way relates to maintaining safe free speech on the dominant public platform for doing so (the internet). People need protection from their government (present and future), or it's not a "right", it's just temporary retroactively-revokable permission.

doginasuitabout 3 hours ago
My understanding as someone who is just learning about the tech is that zero-knowledge isn't a great description of what is happening. The issuer (some party with the proof, like the government) shares the knowledge and that is only valid for a single verifier. So knowledge is held and is shared, just the minimum amount possible to be credible.
wmfabout 3 hours ago
This is basically the double spending problem which has been solved in various ways.
Groxxabout 3 hours ago
It has? I've been under the impression that the "solutions" are "trust us, we don't allow that" (relying on an authority with full knowledge, as partial knowledge isn't sufficient) and "use more resources than anyone can feasibly contest" (bitcoin).

You could build a merkle tree to say "we exist after X" but not "there is no other X". And publishing that tree for verification would seemingly violate "zero knowledge", unless you know of some way to scrub that, and also hide timing information, because timing information can identify visitors to observers.

rho138about 4 hours ago
[2025]
consumer451about 4 hours ago
Yes, but it's never been more important than now. Also, I did not have enough chars for an HN title.
stephen_gabout 3 hours ago
Funny though how whenever these laws are pushed though, the legislators are more interested in strongly identifying people to gate services despite the fact that they should have plenty of advice that things like zero-knowledge proofs exist.

I hate to be cynical but I worry that this isn't going to matter, because it really seems that a lot of the pressure behind age verification isn't actually very interested in the age verification part...

consumer451about 2 hours ago
Agreed. Now is our chance to very publicly inform our legislators. Not all is lost, yet.
coppsilgoldabout 2 hours ago
Unfortunately ZKP's aren't magic.

When not doing privacy oriented cryptocurrency (cough money laundering cough) with ZKP's, if you really want private verification you are in a position where a single actor can authenticate the entire world and no one will know it happened. And to prevent it you assemble the pieces necessary to deanonymize anyone.

Make no mistake. ZKP age verification, as proposed, will just require multiple parties to collude to figure out your identity.

They can't even implement ZKP for remote attestation due to the auth-the-world problem.

consumer451about 2 hours ago
Assuming that perfect is the enemy of good, this is still better than all the proposed alternatives, isn't it?
coppsilgoldabout 2 hours ago
With ZKP age verification, services will not be able to track you without help from the CA. The CA will not be able to track you without help from the services. Both will contain the necessary information in their databases that when combined deanonymize you. The CA is the central authority/certificate authority.

So you should assume the government can track you, because you should assume both will be streaming those identifiers to it.

consumer451about 2 hours ago
Yes, there is one party that can track you, which in some countries is still slightly trusted.

Ideally, no age verification would be required or proposed. However, if it is, this implementation should be the base minimum, should it not?

This is a gazillion percent better than a foreign corporation being in charge, isn't it?

krupanabout 1 hour ago
Better than no age verification (and therefore, privacy) coupled with parents doing their job?
consumer451about 1 hour ago
That would be ideal. However, this is tech proposal which takes so much of the slop out of the entire thing. With this implementation, there is no profit in it, unless your government is directly cooperating, aka a scandal in many countries.
emsignabout 4 hours ago
What's the point of giving a single point of information about yourself to a single website, when all the websites you visit use the same trackers (from Google for example) only to merge these data points together and sell them as a package.
TalkingCodeMonkabout 4 hours ago
Because of the principle of least privilege: https://wikipedia.org/wiki/Principle_of_least_privilege

All current age verification measures open up a torrent of attack vectors on user PII and privacy. Limiting the number of entities that are able to access data is one of the best ways to prevent it's leak or abuse. Don't let perfection be the enemy of good.

But therein lies the fundamental problem with surveillance capitalism. Until the sale of personal data/metadata is outlawed, the practice of targeting content based on an individuals personal data/metadata is outlawed, there is a highly punitive cost for violations and leaks that make storage outside core business functionality a major criminal and financial risk, and the compilation of this data by "intelligence" agencies it treated as a critical attack vector to national security – the attack on each citizens civil rights that it truly is – most privacy laws and regulations are just virtue signals designed specifically avoid the root causes, and further entrench the power of monopolies and incumbents.

FYI I don't believe Google sells user data. They sell products which leverage user data to give them a critical advantage over every competitor who does not have trackers in everyones pockets/computers, does not store their entire web search/browsing history, etc. It's in the interest of big tech to protect their market advantage (like ZKP, which would prevent competitors from having a new gov-mandated vector to compile user data).

srousseyabout 3 hours ago
Google never sold user data until the DoubleClick acquisition, from what I understand