↑
Sweepi 3 hours ago
[1] https://xcancel.com/Paul_Reviews/status/2044502938563825820
[2] https://xcancel.com/paul_reviews/status/2044723123287666921
[3] https://csa-scientist-open-letter.org/ageverif-Feb2026
imo: mostly because the Author wants it be a disaster. The App has not launched, they published the source code in order to invite external review. I dont have time to every claim, but e.g. this [see quote below] seems to be blown out of proportions to me - the app fails to delete a temp. image, which results in a selfie being stored indefinitely(?) on the internal disk of your device - if an adversary has access to the internal disk of my phone, they can also just access the photo roll.
"For selfie pictures: Different scenario. These images are written to external storage in lossless PNG format, but they're never deleted. Not a cache... long-term storage. These are protected with DE keys at the Android level, but again, the app makes no attempt to encrypt/protect them.
This is akin to taking a picture of your passport/government ID using the camera app and keeping it just in case. You can encrypt data taken from it until you're blue in the face... leaving the original image on disk is crazy & unnecessary."
JimDabell 3 hours ago
The point of this is that you can use the credentials on your phone to prove that you are an adult to a website using zero-knowledge proofs to avoid disclosing your identity to anybody.
If somebody who has access to your unlocked phone can access the data in the app, then this is something that should be tightened up but it’s a substantial privacy improvement over the far more commonplace option of uploading your ID to every website that wants to know if you are an adult.
It’s an attempt to avoid things like this:
> Discord says 70k users may have had their government IDs leaked in breach (Oct 2025, 435 comments) - https://news.ycombinator.com/item?id=45521738
Teafling 3 hours ago
akabalanza 25 minutes ago
soco 3 hours ago
08627843789 3 hours ago
Comment deletedclose04 2 hours ago
> "Let’s say I downloaded the app, proved that I am over 18, then my nephew can take my phone, unlock my app and use it to prove he is over 18."
Love the magic step in the middle, unlock my app. Ask for passcode or faceid to “unlock your app”. That’s a lot of legwork the adult has to do so the child can “trick” the system.
Some people will forever be shocked that if they leave on the table an open booze or medicine bottle, loaded gun, etc. a child can just take them and misuse them. The blame is unmistakably with bottle and gun manufacturers, right?
Put a modicum of effort to protect the sensitive apps or supervise the child when you share your device. They can do a lot of damage even with age appropriate apps. Wanna see how quickly your kid will tell everyone on the net how much money you have (via proxies), where you live, and when you go on vacation? Or tell someone the credit card number they swiped from your pocket if the other person makes it sound like a game?
mrweasel 3 hours ago
While I appreciate the zero-knowledge proofs is considered, how the hell did no one in charge of the app design think of this? It's is literally the first question I asked when I first heard about this app. You go to the app in a store to buy alcohol, you're asked to verify your age, but that's not what you're doing. Your simply showing the store that you have a phone, with and app, which was configured by some over 18 (maybe).
Honestly I don't think it's possible to verify that you're over 18 without also providing something like a photo ID (and even that is error prone).
You can probably do something online, where the website or app does some back channel communication to a server that verifies a token. Even that is going to have issues. You could add a "List of sites that has verified your age" option where you can revoke the verification, in case your nephew borrows your phone.
They are going to implement this and it will be "good enough", but I don't see this being 100% secure or correct.