For those who don’t immediately hear the words “I know nothing. NOTHING!”, this is Sgt Schultz, described as “portly, inept, clumsy, dim-witted, yet affable”. He was responsible for guarding the prisoners at Luft Stalag 13, the prisoner-of-war (POW) camp for captured Allied airmen portrayed in the sitcom Hogan’s Heroes, which ran from 1965 to 1971.

The show describes the adventures of a group of prisoners who use the POW camp as a base of operations for sabotage and espionage. Under the command of US Air Force Colonel Robert Hogan, they worked with various resistance groups, defectors, spies, and others to perform sabotage, provide intelligence, smuggle prisoners, and various other activities in support of the war effort – all under the “watchful” eye of the gullible, inept, and sycophantic Colonel Klink.

TIL that John Banner and Werner Klemperer, the actors who played Sgt Schultz and Colonel Klink, were both Jewish, both emigrated from Europe to the US prior to World War II, and both served in the US military. A number of other Jewish actors appeared in the series as well, including Robert Clary (who played the French Corporal LeBeau), who spent three years at the Ottmuth and Buchenwald concentration camps. I may dig into that history at some future date.

Today, however, I wanted to talk about knowledge. Or rather, lack of knowledge.

Recently, the US Supreme Court upheld a Texas law, supposedly aimed at blocking children from seeing online pornography.

While the stated goal of the law is to protect children from pornographic material, there’s a lot more to it than that. Freedom of speech and privacy are two major issues, as is the degree to which technology can support these goals.

The key question is around confirming the age of the person accessing the material, and whether that can be done while respecting the privacy and free speech rights of adults. Companies subject to the law must verify users’ ages through digital identification or a government-issued ID, though internet service providers, search engines, and social media companies are effectively exempt from the law.

It should be noted that the goal of these laws does not appear to be reasonable restriction of children accessing adult content. Instead, it is primarily ideological, and part of a broader campaign against things including healthcare (ie, access to abortion and contraceptives), marriage equality, trans rights, drag queens, and books. The people promoting these laws don’t appear to care if it’s harder to access the material, or if people refuse to access it if it requires uploading a government ID. In fact, many of them would probably consider that a feature, rather than a bug.

Corporate responses to discussions about laws like this are quite interesting. Texas has described the requirement as similar to ID checks at brick-and-mortar stores, or stated that verification can be satisfied with “a quick picture”. Websites and social media companies argue that age verification would be “simple” for the companies running app stores, such as Apple and Google, but this would not address shared devices or desktop computers.

Companies like Pornhub are working on blocking access to their sites from places with laws of this sort, but point out that such blocks are trivial to bypass by using a VPN (Virtual Private Network) to appear to be accessing the site from another location. They also noted that these efforts might drive traffic to less-known sites that do not comply with the law and have fewer safety protocols.

So, let’s look at options for verifying age, and consider their benefits and risks.

At present, many sites present a button which asks the user to confirm that they are older than 18 (or whatever). This is fine for privacy (and better than the “traditional” approach of asking for an actual birthdate), but utterly useless for confirming age, as the user can simply lie. The use of these buttons suggests that compliance with age restriction legislation is sometimes performative, rather than a genuine attempt to confirm age.

Another alternative is to provide credit card information, or a photo of a government-issued ID. While arguably better than a button, these approaches are both unreliable (cards can be stolen, borrowed, or faked) and privacy-invading (cards include identifying information), along with being a potential security nightmare, as it’s necessary to trust the security and integrity of each affected site.

Facial recognition or federated identification are ways by which a third-party (government or private) can be used to confirm the age of a user. While they can be reliable – depending on the process by which the third party confirms identity – and can potentially preserve the privacy of the user from the requested site, they require that the user trust the third party, with all the security and integrity issues that entails.

Biometrics supported by AI are an interesting technology, which can potentially provide reasonably reliable age verification, with theoretically minimal privacy risk. With face scans, you’d be trusting the site not to store your image. Another service appears to use a webcam and hand movements to distinguish between minors and adults – while this could potentially be a reliable way to confirm age, I’d have some questions regarding the potential to capture fingerprints from the image...

Which brings us to zero-knowledge approaches.

The idea behind zero-knowledge is that the fact that a person is over 18 can be conveyed, without any further information. If you consider the use-case of a person entering a bar, showing your birth certificate or driver’s license can demonstrate your age, but also shows additional information, such as birthdate, name, address, and so on.

It should be noted that, with a “true” zero-knowledge proof, the “verifier” learns nothing other than the truth of the assertion being made, and cannot even certainly prove the assertion to another third party.

Setting aside the theoretical, let’s consider the practical and look at the options offered by digital identification.

Think of a government-issued phone app which contains your ID, and is accessed via facial recognition or other biometric. The government already has all of your information, so the only concerns would be to ensure that the app is secure and reliable – which is a solvable problem – and that you are able to prove your age to a third party without communicating that fact to the government.

The app could be used in a number of ways, with varying degrees of privacy and control.

Let’s say that Peg (the “prover”) tries to access something that Texas considers adult content – maybe images of drag queens from a Pride parade... Peg opens their ID app, uses face ID to confirm their identity, then requests an age verification code and enters that code into the site.

The site operator (Vic) knows nothing except the code provided. They forward that code to a government (or third party) service, and receive a reply that confirms that the code is an age verification that is valid for the next five minutes (or whatever), and provides the requested material to Peg.

Provided that this is set up correctly, all Vic would know is that government X verified the age of an anonymous user. And all the government would know is that they issued an age verification code.

Now, it should be noted that this only preserves privacy if it is set up correctly for anonymity. Otherwise, the government would know that the code was provided for Peg and that that code was validated by Vic. In that case, Peg’s privacy is safe from Vic, but not from the government.

A properly set up system like this would allow practical restriction of information for minors, while not impeding free speech or privacy of adults. A good solution.

I wonder why the people proposing these laws aren’t suggesting it...?

Cheers!