Category: Protocols

    A privacy-preserving protocol for age-verified web applications

    Poorly-designed bills have recently passed in California, Colorado, New York, and Illinois, requiring intrusive, privacy-compromising age verification procedures for sites online. The motivation is to prevent children and adolescents accessing pornography and social media. However, the ill-considered means of achieving this may be worse than doing nothing at all: by forcing users to disclose their age online, and forcing sites to process and potentially store this information, a user’s age is exposed to malign actors, especially given the inevitability of data breaches.

    Others have covered the deficiencies of those bills in detail. What I want to do here is sketch an alternative to the recently legislated approaches, which would maximally preserve privacy while providing parents the tools they need to prevent their children’s access to age-inappropriate materials.

    Principles

    • No information about the user disclosed to websites. This is for the obvious reason that any information disclosed becomes a privacy risk, giving malicious actors online power over the user through knowledge of their identity. In the case of age-verification, this would include knowledge of whether the user is a child, proclaiming the vulnerable status of children to the entire Internet so to speak. Even well-intended sites collecting such data can be hacked, and inevitably will be.
    • Parents in the driver’s seat. Parents know their children’s needs better than the state legislature. Operating systems, browsers, and application software should empower parents to choose the appropriate access level for their children.
    • Voluntary before mandatory. Web services and operating system and application developers should be given space to voluntarily implement an age-verification system, rather than legislatures with little technical knowledge attempting to design the system for them. The ESRB video game rating system was developed in this way, and was a great success.
    • Non-users pay no penalty. Users not interested in age verification should not be required to do anything. The Internet and the Web should continue functioning as previously.

    Design

    • Site age requirement declarations in DNS. The Domain Name System is a distributed, decentralized database and as such is a perfect place for site age requirements to be stored. Until such a time as a DNS AGE record (or similar) might be standardized, a TXT record will be used. Details of the record value are given below. The record indicates which ages the domain’s materials are appropriate for, applying to all sub-domains as well.
    • Client-side parental controls and enforcement of age requirements. Client software including the operating system, web browser, and other internet-connected applications should allow parents to indicate the age rating their children can access, and whether to enforce websites’ ratings or something stricter. In practice, all of these scenarios would fetch the AGE record from DNS (or the equivalent TXT record), which would not reveal the user’s interest in age requirements to the domain in question. The operating system could prohibit connections to domains for which the age requirement was not met. Alternatively, browsers and applications could query the operating system to determine whether a given age requirement is met, and refuse to fetch the corresponding content. Either way, and crucially, no information is disclosed to the site whose age requirements are being enforced. Only a DNS query is leaked, and this can be avoided if necessary by running one’s own DNS server.

    Age requirements record design

    Age requirements are better expressed relative to an age rather than relative to a date of birth. This prevents needless updates, allowing long TTLs on records.

    We want the age requirements record to be able to specify any subset of ages, where age can be any non-negative quantity of seconds, potentially fractional.

    Consider one possible format:

    < 12 years; >= 70 years

    This would mean “all ages less than 12 years old, and all ages at least 70 years old”.

    Of course this could be minified thus:

    <12y;>=70y

    The more typical requirement of at least 18 years of age would be:

    >= 18 years

    TXT record alternate

    Until an AGE record could be formalized, a TXT record with the prefix AGEVERIFY: followed by the requirements could be used instead. For example, a TXT record with a value of AGEVERIFY:>= 18 years would be equivalent to an AGE record with a value of >= 18 years.

    AGE record recursiveness

    This proposal includes a requirement that AGE records (and their TXT record equivalents) be interpreted recursively: a subdomain’s effective age requirement is the intersection of its parent domains’ requirements and its own. Subdomain requirements can therefore only become more restrictive, never more permissive. It would be appropriate, for example, for top-level domains such as .xxx, which primarily (or exclusively) host adult materials, to declare a minimum age that would apply to all registered subdomains.
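    A worked version of the record format, the AGEVERIFY: TXT prefix, the recursive intersection rule and the client-side check described under Design, as an added Python example; it is not code from the post. The SAMPLE_ZONE table is constructed to stand in for DNS TXT answers so the code runs offline (a real client would query DNS), and the accepted unit spellings, the 365.25-day year and treating a missing record as “all ages allowed” are assumptions the post does not specify.

```python
import math
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

TXT_PREFIX = "AGEVERIFY:"

# Seconds per unit. Assumption: the post counts ages in seconds but does not fix
# unit spellings or the year length; 365.25 days per year is our choice.
UNIT_SECONDS = {
    "s": 1.0, "seconds": 1.0,
    "d": 86400.0, "days": 86400.0,
    "y": 31_557_600.0, "year": 31_557_600.0, "years": 31_557_600.0,
}
_CLAUSE = re.compile(r"^(<=|>=|<|>)\s*(\d+(?:\.\d+)?)\s*([a-z]+)$")


@dataclass(frozen=True)
class Interval:
    """A range of ages in seconds; each end carries an inclusive/exclusive flag."""
    lo: float
    lo_incl: bool
    hi: float
    hi_incl: bool

    def contains(self, age: float) -> bool:
        above = age >= self.lo if self.lo_incl else age > self.lo
        below = age <= self.hi if self.hi_incl else age < self.hi
        return above and below

    def intersect(self, other: "Interval") -> Optional["Interval"]:
        # The tighter bound wins; on a tie, an end stays inclusive only if both are.
        if self.lo > other.lo:
            lo, lo_incl = self.lo, self.lo_incl
        elif other.lo > self.lo:
            lo, lo_incl = other.lo, other.lo_incl
        else:
            lo, lo_incl = self.lo, self.lo_incl and other.lo_incl
        if self.hi < other.hi:
            hi, hi_incl = self.hi, self.hi_incl
        elif other.hi < self.hi:
            hi, hi_incl = other.hi, other.hi_incl
        else:
            hi, hi_incl = self.hi, self.hi_incl and other.hi_incl
        if lo > hi or (lo == hi and not (lo_incl and hi_incl)):
            return None  # empty intersection
        return Interval(lo, lo_incl, hi, hi_incl)


ALL_AGES = [Interval(0.0, True, math.inf, False)]  # no record: nothing restricted


def parse_requirements(value: str) -> List[Interval]:
    """Parse '< 12 years; >= 70 years' or '<12y;>=70y' (optionally prefixed
    with AGEVERIFY:) into a union of intervals."""
    if value[:len(TXT_PREFIX)].upper() == TXT_PREFIX:
        value = value[len(TXT_PREFIX):]
    out: List[Interval] = []
    for clause in value.split(";"):
        clause = clause.strip().lower()
        if not clause:
            continue
        m = _CLAUSE.match(clause)
        if not m or m.group(3) not in UNIT_SECONDS:
            raise ValueError(f"malformed age clause: {clause!r}")
        op, number, unit = m.groups()
        secs = float(number) * UNIT_SECONDS[unit]
        if op == "<":
            out.append(Interval(0.0, True, secs, False))
        elif op == "<=":
            out.append(Interval(0.0, True, secs, True))
        elif op == ">":
            out.append(Interval(secs, False, math.inf, False))
        else:  # ">="
            out.append(Interval(secs, True, math.inf, False))
    return out


def intersect_sets(a: List[Interval], b: List[Interval]) -> List[Interval]:
    """Intersection of two unions of intervals: pairwise intersect, drop empties."""
    return [z for x in a for y in b if (z := x.intersect(y)) is not None]


def effective_requirements(domain: str, zone: Dict[str, str]) -> List[Interval]:
    """Recursive rule: walk from the TLD down to the full name and intersect every
    record found, so a subdomain can only narrow what its parents permit."""
    labels = domain.lower().strip(".").split(".")
    allowed = ALL_AGES
    for i in range(len(labels) - 1, -1, -1):
        record = zone.get(".".join(labels[i:]))  # stands in for a TXT lookup
        if record is not None:
            allowed = intersect_sets(allowed, parse_requirements(record))
    return allowed


def age_allowed(domain: str, age_seconds: float, zone: Dict[str, str]) -> bool:
    """Client-side check: may a user of this age connect to this domain?"""
    return any(iv.contains(age_seconds) for iv in effective_requirements(domain, zone))


def years(n: float) -> float:
    return n * UNIT_SECONDS["years"]


# Constructed zone data (hypothetical names), not real DNS records.
SAMPLE_ZONE = {
    "xxx": "AGEVERIFY:>= 18 years",               # TLD-wide minimum
    "kids.example.com": "AGEVERIFY:<12y;>=70y",
    "teen.kids.example.com": "AGEVERIFY:>= 10 years",  # effective: [10y,12y) or >=70y
}

if __name__ == "__main__":
    for dom, age in [("videos.site.xxx", 17), ("teen.kids.example.com", 11)]:
        print(dom, age, age_allowed(dom, years(age), SAMPLE_ZONE))
```

    Because requirements are kept as unions of intervals and intersected pairwise, the subdomain rule holds automatically: teen.kids.example.com declares >= 10 years but inherits its parent’s <12y;>=70y, so the effective set is ages 10 up to (but excluding) 12, plus 70 and over. A domain with no record at any level resolves to ALL_AGES, which is what lets non-users and unrated sites continue working unchanged.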

    Analysis

    Unlike the approaches thus far legislated, this protocol would allow parents to restrict their kids’ access to adult materials without revealing anything about their children’s age to websites and applications. It is maximally privacy-preserving and maximally parent-empowering.

    The burden of implementation would rest on operating systems and/or client applications. However, as it would provide a useful feature to users, such implementations are likely to happen without legislative mandate.

    Site operators would be empowered to declare age requirements. Given the threat of more onerous regulations, sites are incentivized to set their requirements somewhat strictly. If this is seen as insufficient, it could be legislated that certain categories of site must declare certain minimums.

    Conclusion

    It’s my view that legislatures acting on age verification now have jumped the gun and will come to regret the rash and intrusive approaches mandated.

    Mandatory age-verification for online content by means of forced disclosure of age status is perhaps the most dangerous and destructive approach that could be imagined.

    Requiring sites to instead estimate age and elicit proof of age is nearly as dangerous, as this private information will inevitably be stolen in a data breach.

    It would be wiser to give technologists time to develop privacy-respecting means of ensuring children don’t access age-inappropriate materials, rather than mandating draconian and technologically-naive systems which could in fact harm children more than help them.

    As this post demonstrates, it is technically feasible to do this in a way that reveals no information about children online, and which empowers parents to restrict children’s access to adult materials as they deem appropriate. Privacy, parent-empowerment, a preference for voluntary implementation, and requiring no change for non-users make this approach preferable to the draconian mandates currently causing justifiable alarm across the Internet.

    Request for Comments

    Of course this is only an outline of a fully-fleshed specification, and details would need to be filled in. But does this approach hold up? Is there something I’m missing? Please comment on this post or email me at ageverify@joshhansen.tech