science

As someone who comes from IT, what are you talking about?

You rightfully assert that facial recognition and government ID are privacy invasive, but then you offer DNA verification as a less invasive tool? That's much more privacy invasive.

Also, it's impossible to determine someone's age from some DNA with the required accuracy. The law requires that 18+ content is available to someone who just turned 18 today and not available to someone who's 18th birthday is tomorrow. That's impossible to do from DNA, same as it's impossible to do from just facial recognition alone.

Carbon dating only works for dead materials since e.g. your skin or your skin is only ever roughly a month old and even blood cells only live for ~120 days. Also, again, carbon dating is not nearly accurate enough for the day-accuracy required.

The only day-accurate process that exists is verifying your identity against government ID. And here it hardly matters which kind of ID is used for that (facial ID/DNA/Fingerprint/...) since the issue at hand is the ID itself. Facial ID is by far the least privacy sensitive version of biometric DNA.

This process isn't great, no question about that, but the alternatives are worse if hard age verification is the goal.

That's why the whole goal is being called into question, since there's no non-privacy-invasive option to do real age verification.

The solution is really, stunningly simple:

Your gov issues official documents about you (driving license, passport, id cards...). They know your age.

Your gov is also a trustworthy institution since all those cited above are official documents that anyone, anywhere will accept as valid.

So here's the solution: the gov creates a digital certificate in which the only stored data is your age, or even less: your adult state (as a boolean; if over 18 = TRUE).

The gov issues the cert on demand to any person after presenting any valid ID to prove who you are (it can be done online, with only the id verification being done in person). The cert is bound to your device, and if you change phone, you must migrate it so you can't have it in two devices.

Since the issuer is a trusted authority, the cert can be used as a proof of age in any site needing it as the only thing they need is to read the cert and confirm the auth of the issuer.

And as the cert is only a boolean status saying if you are underage or adult, there is no privacy concerns as the one checking your age won't know anything else about you.

There, you just solved a "huge" problem in a simple way and with no privacy concerns.

Of course this is bad for privacy. But the fundamental idea of trying to age lock information is also flawed. The government, or corporations, should not be able to decide who can and can't see certain information, especially not because of an arbitrary characteristic such as age, which does not correlate to maturity at all. This is dystopic.

I don't think these systems should be implemented, the internet should be a free place and that's it. Before anyone says "what about the kids oh my god" - this has nothing to do with kids, but the politicians like to use the kids as an excuse to do anything because if you add "kids" and "pornography" or even better "online abuse" and "kidnap" into the same phrase then they can shame you and shut down any argument against whatever they want to implement.

This age verification BS is just a first step into full identity verification online and also the govt knowing exactly you're doing online, when and where. They also want to be able to instantly remove your ability to login into anything (or everything) they would like.

People say that the US is turning into surveillance / china-like state but in reality the EU is way, way closer than that. Just look at what was done with the EU Digital COVID Certificate (EUDCC) recently:

The EUDCC was a digitally-signed document. It was usually supplied in the form of a QR code, either contained in a PDF file, or as a printout. There are various mobile apps available to store and display the EUDCC (such as the Corona-Warn-App); alternatively, the EUDCC can be presented on paper.

Technically, the QR code contains a JSON document with the information payload. This JSON document is serialized using Concise Binary Object Representation (CBOR), and digitally signed according to CBOR Object Signing and Encryption (COSE). The resulting data is compressed with zlib and encoded into the final QR code

And yes, there were countries blocking you from going into a store to buy basic stuff without showing a valid COVID certificate. No vax or no proof of recovery = starve out. Add the inability to move between cities to that and you're very, very close to the "democratic" China.

More here: https://github.com/ehn-dcc-development/eu-dcc-hcert-spec

A few users (or maybe the same user and I just didn't notice) have laid out a pretty good way of doing age verification via tokens so the site needing verification gets a token that just says you're cool to enter the site, and you would get the token via the government who already has your ID and personal info anyway. The government doesn't know what the token will be used for, and the things taking the token won't know who you are.

Seems reasonable enough for me. However, I personally feel like the government shouldn't be sticking their fucking noses in what is morally acceptable. If a horny 13 year old wants to see some titties online, why the fuck not? They'll only end up weird about sexual stuff because you try to keep everything from them instead of teaching them anything.

Just geoblock those areas, and put up a page that tells which representatives did this, and maybe point to a petition.

Try to think of how a bad actor might use what you are suggesting to steal someone's identity. The trouble with any identity verification system is not just how inconvenient it is, but also how criminals will try to abuse the system.

Some kind of entity would have to be in charge of storing and verifying the DNA data. Once that database is created, there will always be the potential for exploitation. Also consider what happens if, or more likely when, that entity changes hands and is run by new people with new agendas? That might not work out so well for the people in that database.

The government has my fingerprints and my drivers license photo. I am not interested in sharing that with any for-profit company. I would be even more resistant to anyone wanting to collect my DNA regardless of the reason.

Germany has a government ID that can provide a yes/no answer without revealing anything else about owner

Fwiw - The margin of error for carbon dating is probably not precise enough for age verification.

https://biology.stackexchange.com/questions/24084/can-we-determine-a-persons-age-by-dating-methods-or-other-means

As with all other scientific things someone knows more than me, but I will give my opinion.

The last step is the greatest weakness. The result has to somehow be sent to the website and verified. If you have physical access to the device doing the verification then it will eventually be spoofed. A man in the middle attack would be easy enough given that the device absolutely has to go via a network the user controls.

Beyond the transmission issues, biologically there are not any markers that are a clear and simple age measure. Most biomarkers are more of a range with ages that correlate to some degree. You could say for example testosterone, but that goes up through puberty from a baseline in kids to an adult level, but the adult levels are really varied. Some people are higher than others and some XX people have higher testosterone levels than some XY people, and visa versa for oestrogen. So with the sex hormones out, you would want something that accumulates over time. Unfortunately that is going to vary by where a person lives and what they are exposed to. Honestly it is not at all workable.

That said, a simple solution which would make much more sense than any of this crap is to just have something on the internet account end. If the ISP can offer a check box for "Block adult sites and services" and people can opt in to that then kids will only get access to the full internet when their parents allow it or they are old enough to have their own device on their own internet plan.

If the government want to make a system to protect kids from adult stuff on the internet that is great. If they make it opt in that is all fine with me. But if they make it something you have to verify your age for, using things like state issued ID or facial inspection by an algorithm, then I think it is disastrous. It will be circumvented rapidly by people who are old enough to verify but simply do not want to. That technique will be shared with kids. Kids will be able to bypass it. This nanny state approach is not actually about protecting kids in my opinion. I think the companies involved will use the data, the face images for during verification, as training data for AI models, use the licence data for various profit driven business activities, and in the process make us all less secure. They will eventually have a leak or hack that exposes your data including what site you were on and your licence. The only question is when.

Or....they don't fucking do any of it. It's not their place to police people.