I blame companies (including discord) for collecting as much information as they can instead of as little as possible. More data collected -> more data that will eventually get sold / leaked / hacked.
It depends on the implementation. The EU's European Digital Identity Wallet will allow users to prove that they are over 18 without sharing any other personal information.
So, that's not anonymous then. Because it allows tracking across multiple accounts, some of which are associated with your name. An unchanging proof of age is pretty much just another name for a government ID number.
Not necessarily. In theory, the attestation that someone is of age can be provided by a central service. The central service does not need the website account information to provide a non-fungible certificate, that you show to your service that has no way of knowing who you are from the certificate. All it needs to ensure is the certificate is used only once per account.
You can then prevent certificate forging by forwarding a cryptographic hash of the requester identity (generated by the website client), which will be included in the cert body so the website can verify the attestation was generated for this specific request, and it cannot be randomly reused.
Of course this doesn't solve the problem of using your grandma's id to bypass age restrictions, but I think that problem is worth the cost of privacy gains from corporations not validating IDs directly and screwing up like Discord's vendor did here.
Either the certificate is the same every time and therefore it's an identifier.
Or the certificate isn't the same every time and therefore you can generate a whole bunch of them and give them out for $2 apiece.
Or the certificate isn't the same every time and also isn't anonymous so they can trace who's doing that.
You don't have to reuse the same certificate for several requests. You can get a new one for every request, for every person who is asked to verify their age and pays you $2, and if they're actually anonymous, there's no way to know you did this. Is a rate limit part of the proposal? Can I only sign up to one adult service per week?
Unless you meant the requester's real identity, in which case... we're back to not anonymous.
I did, except for this bit that you added in an edit:
> You don't have to reuse the same certificate for several requests. You can get a new one for every request, for every person who is asked to verify their age and pays you $2, and if they're actually anonymous, there's no way to know you did this. Is a rate limit part of the proposal? Can I only sign up to one adult service per week?
This is trivially easy to detect at the attestation service. If someone is trying to repeatedly (and programmatically) use the same personal ID to generate attestations for different request IDs in a short time frame, you can throttle them, flag them, revoke their cert, whatever.
Again, the service host and request id is part of the certification request, so you can easily separate a legitimate signup for multiple different websites from suspicious multi-signups to the same service for the same govt id.
So the government can tell I'm signing up for pornhub i.e. not anonymous. Also pornhub would need a government approval to operate or they'd just block their requests (and possibly arrest me for using an illegal service). I'd think we'd want service providers to also be anonymous without requiring government approval.
Grandpa isn't interested in Discord, so you can open a second account using his Proof of Age. Maybe a third account, using Uncle Ned's. And a fourth account, using...
I think I'm fine with that tradeoff between effectiveness of age gating vs privacy gains of not having IDs sent over to corporations. To me, identity theft by targeting large stores of government IDs, is orders of magnitude worse than a teenager accessing NSFW channels every now and then.
I'm not defending age verification's existence in the first place btw, I don't think it's a good idea without secure protocols of central attestation for such things. But of course, governments aren't interested in solving the harder more valuable problem, they're interested in shifting the responsibility to corporations while crying foul.
