Comment by EmbarrassedHelp
7 days ago
Any "verification" means unacceptable privacy violations.
The best route is better parental controls, that are not enabled by default. Locking down the OS like ransomware until the user submits to age verification is the wrong approach, and what Apple did in the UK needs to be highly illegal.
> Any "verification" means unacceptable privacy violations.
So I'm not necessarily arguing for age controls here, but purely on a technical level what do you think of schemes like Verifiable Credentials, which delegate verification to third parties that have already established your identity?
In theory you can set up a system that works like this:
1. User goes to restricted site and sets up an account
2. Site forwards them on to a verification service with a request "IsOver18?"
3. User selects their bank from a dropdown on the broker site
4. Broker forwards them to the bank, with a request "IsOver18?"
5. User logs in and selects "Sure, prove I am over 18 to this request"
6. Bank sends a signed response to the broker "Yep"
7. Broker verifies and sends its own signed response to the site "Yep"
8. The site tags the account as "Over 18 Status verified"
In this situation, the restricted site doesn't get anything other than a boolean answer from the broker. The broker can link a request to a given bank but doesn't get anything that gives away your identity. The bank knows your identity and that it has approved a request, but not necessarily where the request came from.
Verification broker tracks sites which make requests and records it attached to personal data. Site either sells or leaks personal data along with history of all sites visited which require age verification.
Also your solution requires a bank account, not something everyone has. Many do, but not all. Also the bank may not know "which" site you are visiting, but it does now know you are visiting sites which require age verification and how often.
> Verification broker tracks sites which make requests and records it attached to personal data.
How? What personal data?
The broker doesn't get anything other than "Site X wants to verify over 18, the user selected forward to Bank Y" and "Bank Y responds with TRUE"
> Also your solution requires a bank account, not something everyone has
True. Banks are only one example of an already trusted identity provider in this situation. But I get that there are gaps.
> Also the bank may not know "which" site you are visiting, but it does now know you are visiting sites which require age verification and how often.
Verification need only happen once per site, when setting up an account. This does introduce the possibility of a secondary market for approved accounts though, sure.
User installs a browser extension which forwards the request to everyoneisover18.com; the owner of that site has a script set up to log into their bank and pass the verification challenge.
Restricted-site.com gets the signed response from the broker, not the bank. In your situation there's not any need for "everyoneisover18.com" to defer to a real bank for a faked response as it signs things itself.
But restricted-site.com doesn't trust everyoneisover18.com's key, it only trusts realbroker.com's key, so the response isn't accepted. If it is found to trust fake brokers like that it gets in trouble with the law.
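The eight-step broker flow and the trusted-key check from the last reply, as an added example that is not part of any comment in the thread. Ed25519, the per-request nonce and request id, the `aud` field, and all party names and keys are assumptions of this example, since the thread does not specify a message format.

```javascript
const crypto = require("crypto");

// Constructed parties: each holds an Ed25519 key pair (not real services).
const keys = () => crypto.generateKeyPairSync("ed25519");
const bank = keys(), broker = keys(), fakeBroker = keys();

function sign(claim, privateKey) {
  const payload = Buffer.from(JSON.stringify(claim));
  return { payload, sig: crypto.sign(null, payload, privateKey) };
}

// Returns the parsed claim if the signature verifies, otherwise null.
function verified(msg, publicKey) {
  const ok = crypto.verify(null, msg.payload, publicKey, msg.sig);
  return ok ? JSON.parse(msg.payload.toString()) : null;
}

// Steps 5-6: the bank sees only the broker's request id, never the site name.
function bankAnswer(brokerReqId, isOver18) {
  return sign({ claim: "IsOver18", result: isOver18, reqId: brokerReqId }, bank.privateKey);
}

// Step 7: the broker checks the bank's signature, then signs a bare boolean
// bound to the site's nonce and name. Neither message carries identity data.
function brokerAnswer(siteReq, brokerReqId, bankMsg) {
  const b = verified(bankMsg, bank.publicKey);
  if (!b || b.reqId !== brokerReqId || b.claim !== siteReq.claim) return null;
  return sign({ claim: b.claim, result: b.result, nonce: siteReq.nonce, aud: siteReq.site }, broker.privateKey);
}

// Step 8: accept only a fresh "true" signed by a broker key the site trusts.
function siteAccepts(siteReq, brokerMsg, trustedBrokerKeys) {
  return !!brokerMsg && trustedBrokerKeys.some((k) => {
    const c = verified(brokerMsg, k);
    return !!c && c.claim === siteReq.claim && c.result === true &&
      c.nonce === siteReq.nonce && c.aud === siteReq.site;
  });
}

const newSiteRequest = () => ({ claim: "IsOver18", site: "restricted-site.example", nonce: crypto.randomBytes(16).toString("hex") });

function demo() {
  const trusted = [broker.publicKey], req = newSiteRequest();
  const reqId = crypto.randomBytes(16).toString("hex");
  const honest = brokerAnswer(req, reqId, bankAnswer(reqId, true));
  // A self-signed "Yep" from a broker whose key is not on the site's trust list.
  const forged = sign({ claim: req.claim, result: true, nonce: req.nonce, aud: req.site }, fakeBroker.privateKey);
  return { honest: siteAccepts(req, honest, trusted), forged: siteAccepts(req, forged, trusted),
    replayed: siteAccepts(newSiteRequest(), honest, trusted),
    under18: siteAccepts(req, brokerAnswer(req, reqId, bankAnswer(reqId, false)), trusted) };
}
```

The signature check only establishes which broker answered; whether the broker or bank keeps logs of requests, as raised earlier in the thread, is outside what the messages themselves can enforce.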