1. Paper tokens: Produce 100 billion authentication tokens (could be passwords, could be private keys of signed certificates), print them on thick paper, fold them up, publicly stir them in giant vats at their central manufacturing location before distributing them to show that no record is being kept of where each token is being geographically routed to, and then have them freely available in giant buckets at any establishment that already does age-checks for any other reason (bars, grocery stores that sell alcohol or tobacco, etc.). The customer does the usual age-verification ritual, then reaches into the bucket and themselves randomly selects any reasonable number of paper tokens to take with them. It should be obvious to all parties that no record is being kept of which human took which token.

2. Require these tokens to be used for something besides mature-content access. Maybe for filing your taxes, opening bank accounts, voting, or online alcohol / tobacco purchases. This way, people requesting these tokens do not divulge that they are mature-content consumers.

This problem is always approached from the wrong angle (requiring verification of adults to view adult material) instead of the more freedom- and privacy-preserving method of requiring child-friendly sites to advertise to the browser that they are suitable for child web browsers.

What I mean by this, and the way that I would solve this problem, is to introduce an HTTP header such as X-Child-Friendly: true or X-Content-Rating: E and to put the onus on parents to set the child’s web browser to only allow browsing sites which return this header. Every browser would need to have a “Parental Control” mode that restricts browsing to sites that return this header, but this could easily become a standard. Instead of having every adult site implement your legislative controls, now you just need child-friendly sites to add a header to their responses.

The whitelist approach is less likely to allow adult sites to slip through the net, compared to the blacklist approach.

For those who say that children would find a way around this by installing a different browser or unlocking the parental controls: it should be the responsibility of parents to monitor their child’s access to the internet and installation of software. The current approach of trying to enforce age-verification on adult sites just shifts the problem to other adult sites that are not under the jurisdiction of the legislation.

Forcing age-verification for adults also has a huge bureaucratic cost and potential for abuse and loss of privacy. I think we know why legislators prefer this approach, and it isn’t to protect the children.

I don’t really like all these anti-porn laws. If kids want porn, there are too many leaky buckets they can drink from. Hell, they could just messages pics and videos to each other.

That said, if we are forced to do strong verification, the best I can think of is some sort of mix of the ideas we use for certificate authorities and oauth.

Certificate authorities are really just trusted identity providers. In my solution, you would choose from a list of trusted identity providers. You provide them with all the private information necessary for them to validate your identity. From there a third party can validate information about you with your permission.

The way this workflow would work is similar to oauth workflows people are familiar with for Google, Facebook, and other single sign-on solutions. You go to a adult site, select your provider from a list of trusted identity providers, the adult site redirects you to the provider site, you log in and give the adult site the privilege to verify you are over 18. The browser redirects to the adult site. The adult site would get nothing else about you besides what identify provider you use and if you are over 18.

Now ultimately, you have to give your private details to someone but at least you don’t have to give it to everyone. Unfortunately, your provider could potentially keep track of what sites you are allowing to verify your information. We would need strict laws on these providers on what records they are allowed to keep.