The scheme from the Danish government, shared in another comment, avoids the sharing by allowing token to be used only once, and, because the government issues the tokens, it can block people from getting tokens if they detect abuse. This can be done by rate-limiting, geoblocking and all sorts of techniques.
Remember that the function of the anonymous token is to not allow the service provider (like an OS, or a a website) to see your identity. This still allows the government to see which service provider you are using.
Hopefully the service provider can form pools yo block the government from knowing each individual website, but that’s not a given.
This still allows the government to see which service provider you are using.
That was a poor choice then. They can do this with ZKP and not even know that.
Like it should be doable where sure the website might ask the government if its valid, but the government doesnt know who owns the token, so all they know is someone accessed the site, not who. So they could know general traffic to sites, but that would be it.
There would be ways to hide even the site as well where the website gives you a non identifying token to use with yours and be verified by the government as well, then they only know some site is requesting verification and sign it back to you as valid and you return it to the site. In this one the government only knows your using it, but not where.
Edit: clarity, but also if they put this much effort into the system using ZKP, this oversight almost sounds intentional so they can track people / population usage even if less.
Edit: 10 years from now - our age restriction service shows traffic to porn hub increased 10x over the past decade while poverty has increased! PornHub is clearly the cause of our poverty situation we should ban it! The traffic is too high! A bit over the top, but the info is still useful to them.
Personal ids can also be used by non-owners, not much different than this theoretic age verification token. But yeah, ideally it would have a security layer to sufficiently confirm ownership.
Because then you can share the token and everyone can use it
I’m sure a more robust solution is possible though.
The scheme from the Danish government, shared in another comment, avoids the sharing by allowing token to be used only once, and, because the government issues the tokens, it can block people from getting tokens if they detect abuse. This can be done by rate-limiting, geoblocking and all sorts of techniques.
Remember that the function of the anonymous token is to not allow the service provider (like an OS, or a a website) to see your identity. This still allows the government to see which service provider you are using.
Hopefully the service provider can form pools yo block the government from knowing each individual website, but that’s not a given.
That was a poor choice then. They can do this with ZKP and not even know that.
Like it should be doable where sure the website might ask the government if its valid, but the government doesnt know who owns the token, so all they know is someone accessed the site, not who. So they could know general traffic to sites, but that would be it.
There would be ways to hide even the site as well where the website gives you a non identifying token to use with yours and be verified by the government as well, then they only know some site is requesting verification and sign it back to you as valid and you return it to the site. In this one the government only knows your using it, but not where.
Edit: clarity, but also if they put this much effort into the system using ZKP, this oversight almost sounds intentional so they can track people / population usage even if less.
Edit: 10 years from now - our age restriction service shows traffic to porn hub increased 10x over the past decade while poverty has increased! PornHub is clearly the cause of our poverty situation we should ban it! The traffic is too high! A bit over the top, but the info is still useful to them.
You can make them biometric and still be private, but that’s even more effort which they wont spend.
Personal ids can also be used by non-owners, not much different than this theoretic age verification token. But yeah, ideally it would have a security layer to sufficiently confirm ownership.
Ah tbh I just realised that with the tokens being unique you could still limit accounts per token to 1, achieving the same effect as using real ID.