Comment by Gigachad
13 days ago
The long term solution would have to be some kind of integration with a government platform where the platform doesn’t see your ID and the government doesn’t see what you are signing up for.
I don’t think this will happen in the US but I can see it in more privacy-respecting countries.
Apple and Google may also add some kind of “child flag” parents can enable which tells websites and apps this user is a child and all age checks should immediately fail.
I do like the idea of the “this is a child” taint (ok, terrible name but I really think it should be a near-unremovable thing on a platform like Apple’s that’s so locked down/crypto signed etc).
Like, you’d enroll it by adding a DOB and the computer/phone/etc would just intentionally fail all compatible age checks until that date is 18 years in the past. To remove it (e.g. reuse a device for a non-child), an adult would need to show ID in person at Apple.
Government IDs could be used to do completely privacy preserving, basically OpenID Connect but with no identifying property, just an “isEighteenOrMore” property. However, I agree it’ll never happen in the US because “regular” people still don’t know how identity providers can attest without identifying, and thus would never agree to use their government ID to sign into a porn site. And on top of all that yeah nobody trusts the government, basically in either party, so they’d be convinced the government was secretly keeping a record of which porn sites they use. Which to be fair is not entirely unlikely. Heck, they’d probably even do it by incompetence via logs or something and then have people get blackmailed!
When I played an MMOG, if the admins found out that a child was underage, it was customary for them to suspend their account until their 13th birthday. I thought this was a clever policy, but I just can't understand the reverse of authenticating someone's age based on that of their account...
This assumes people are putting in their real birthdays, which IMO is a terrible practice to encourage.
I never put in my real birthday. It's just one more datapoint to leak in an inevitable hack and help scammers exploit me.
Just because a website sticks a field on a form, doesn't mean you need to fill it out.
I can think of maybe 1 website I use that has a legitimate use to know this info about me... and a dozen that use my fictitious birthday for no other purpose than an excuse to market at me under the shallow guise of a 'Happy Birthday' email.
Exactly, that's the problem: with OIDC the ID provider gets to know which sites you visit. That is unavoidable given how the protocol works. And you don't want to give all that information to the government in the first place.
> where the platform doesn’t see your ID
ID checks aren't very worthwhile if anyone can use any ID with no consequences.
How long would it take for someone's 18 year old brother to realize they can charge everyone $10 to "verify" everyone's accounts with their ID, because it doesn't matter whose ID is used?
Ok, at which point an adult has taken responsibility for giving them access.
The older brother could also rent an R (or x) rated movie, buy cigarettes, lighters, dry ice, and give them to the kids. The point of the age check is to prevent kids from getting access without an adult in the loop, not to prevent an adult from providing kids access.
This is a good point. We could extend it to computing devices: An adult gives a child access to a device, and now the adult is in the loop and takes responsibility. If said adult (parent, most often) wants to automatically restrict certain activities/content on the device they can use the parental controls available. No panopticon required.
The system doesn’t have to be bulletproof. It just has to be better than the free for all it is today.
Better?..
This is already how the EU infrastructure for digital ID works, basically. Using public/private keys on your national ID, the government functions as a root authority that you (and other trusted verifiers downstream) can identify you with and commercial platforms only get a yes/no when you want to identify yourself but have no access to any data.
South Korea also has had various versions of this even going back to ~2004 I think.
Yes, it has been possible for a long time to provide anonymous attestations. But somehow, they also always seem to require that you have something like Google play services running for you to ask for the attestation in the first place. And with PKI, even though they could do with just the public key, they somehow also always insist on generating the keys for you (so they have the private key as well).
Do all EU countries have that? I know our (German) ID works that way, using the FOSS AusweisApp, but I hadn’t heard of it being EU-wide (it should be, though).
Spanish ID cards have had an X.509 cert inside them for more than 10 years, I use it all the time to sign documents and access government sites. There is already legislation and a push for an EU-wide digital identity wallet that should be up and running this year, look up eIDAS 2.0 and the EUDI wallet.
That looks like it should make things like privacy compatible age verification "trivial".
It's been a slow rollout but yes, it's an EU wide thing. Slovenian IDs issued after around 2022 have them too.
It's nice that the platforms don't get access to data, but does the government get information about who is trying to access what?
I see this currently being pushed by some politicians in the EU. And I have a slight suspicion that some of these politicians are literally lobbyists.
The "oh my god, think of the children" is similar to "oh my god, think of the terrorists". I am not saying all of this is propaganda 1:1 or a lie, but a lot of it is and it is used as a rhetoric tool of influence by many politicians. Both seem to connect to many people who do not really think about who influences them.