
Comment by Nursie

1 day ago

> Age verification obliviates anonymity on the internet.

How so?

Please explain in detail, because there are already schemes such as "verifiable credentials" which allow people to prove they are of age without handing over ID to online services.

Last time my government tried that, they failed. [0]

You need to 100% trust those verification services. And considering their success rate [1], you shouldn't.

[0] https://thinkingcybersecurity.com/DigitalID/

[1] https://discord.com/press-releases/update-on-security-incide...

  • > You need to 100% trust those verification services.

    First link - mitigation: use a well supported standard like OIDC, not a home-cooked scheme. Duh.

    Second link - this is part of the problem such schemes as verifiable credentials are designed to address, random third parties collecting ID they don't need.

    Yes, any system needs to be executed well. Neither of these really display that.

    • If _the government_ can't be trusted not to use a dumbass scheme, then no, it isn't a duh moment. You don't exactly get to dictate how the government implements it!

      The point is that systems today aren't really well executed. So it is unreasonable to expect them to be well executed.

      If you can't trust people not to build the bomb well - then don't let them build a bomb.


because most implementations are not going to be like that.

  • In the context of "Age verification should be banned" though, we're already talking about legislative intervention. If there's no particular problem with schemes that are like that then we don't necessarily need a blanket ban on age verification.

    Perhaps what we're really saying is "Ban age verification that collects lots of personal information".

    Or perhaps we could distil it down further to "Ban unnecessary collection and storage of PII". In which case, Congrats! You've arrived back at the GDPR :)

    Which I think is a good thing, and should be strengthened further.

    (Also the other response to "because most implementations are not going to be like that" is "why not?". People are already building such ecosystems.)

    • > If there's no particular problem with schemes that are like that then we don't necessarily need a blanket ban on age verification.

      There is a problem with schemes like that.

      The way computer security works is, attacks always get better, they never get worse. A scheme that nobody has found any privacy holes in when it's enacted will have one found a week after.

      The way governments work is, the compromise bill passes if the people who care about privacy support it because then it has the votes of the people who care about privacy and the people who want to ID everyone. But then when the vulnerability is found, the people who care about privacy can't get it fixed because they can't pass a new bill without also having the votes of the people who want to ID everyone, and those people already have what they want. More specifically, many of them then have what they really want, which is to invade everyone's privacy, as they were hoping to do once the vulnerability was found.

      Which means you need it to be perfect the first time or it's already ossified and can't be fixed. But the chances of that happening in practice are zero, which means it needs to not happen at all.
