Comment by MattPalmer1086
20 hours ago
For the record, I'm not actually against age verification for certain content. But it would have to be:
1) private - anonymous (don't know who is requesting access) and unlinkable (don't know if the same user makes repeated requests or is the same user on other services).
2) widely available and extremely easy to register and integrate.
The current situation is that it's not easy, or private, or cheap to integrate. And the measures they say they will accept are trivially easy to bypass - so what's the point?
I worked in a startup that satisfied point 1 back in 2015. The widely available bit didn't come off though when we ran out of runway.
Age verification should be done at the point of buying a laptop or a SIM card, the same way as when you buy alcohol. And there would be no need to send your ID to a company so that it ends up on the black market eventually.
Add to that 3) Verifiable to a lay person that the system truly has those properties, with no possibility of suddenly being altered to no longer have those properties without it exceedingly obvious.
This whole concept runs into similar issues as digital voting systems. You don't need to just be anonymous, but it must be verifiably and obviously so — even to a lay person (read your grandma with dementia who has never touched a computer in her life). It must be impossible to make changes to the system that remove these properties without users immediately notice.
The only reason why paper identification has close to anonymous properties is the fallibility of human memory. You won't make a computer with those properties.
It's easy to demonstrate (3) for an age verification system - practical experience will amply demonstrate it to everyone.
Voting is very different - you do need to be able to demonstrate the fairness of the process verifiably to everyone - not just crypto nerds. Age verification - well, some people might get around it, but if it generally seems to work that is good enough.
>It's easy to demonstrate (3) for an age verification system - practical experience will amply demonstrate it to everyone.
No. Absence of evidence that I am not anonymous does not constitute evidence that I am anonymous. Verifiable unlinkability is also difficult to prove.
It may be possible to create a system like this technically, but all social and economic incentives that exist are directed against it:
- An anonymous system is likely more expensive.
- The public generally does not care about privacy, until they are personally affected.
- You have no idea as a user whether the server components do what they say they are doing. Even if audited, it could change tomorrow.
- Once in place its purpose can change. Can you guarantee that the next government will not want to modify this system to make identification of dissenters, protestors or journalists easier?
there's some irony that the EU is set to have a fairly anonymous solution like next year. they could have waited or tried to use similar tech for this, in theory
Important to note: Their anonymous solution is reported to be temporary until their digital ID system is released[1], which does not offer that same anonymity, but rather functions as a server-side OpenID-based authentication system.[2] While you can share only your age with an online service, it still creates an authorization token, which appears to remain persistent until manually removed by the user in the eID app. This would give the host of that authentication system (EU and/or governments) the ability to see which services you have shared data with, as well as a token linked to your account/session at that service. There is also no guarantee that removing an authorization will actually delete all that data in a non-recoverable way from the authentication system's servers.
[1] https://itdaily.com/news/security/eu-temporary-app-age-verif...
[2] https://openid.net/specs/openid-4-verifiable-presentations-1...
Good catch, that does seem a lot worse. :/
This is about the Category 1 duties arriving by 2027, not this year's tranche of rules (such as age gating).
Interesting - do you have a link to it?
https://commission.europa.eu/strategy-and-policy/priorities-...
It's anonymous to the sites or companies you use it with and not to the government, but that would still be more robust than the uks checks so far. it's only end of 26 though, I thought it was at the end of this year instead.
1 reply →