Comment by stymaar
14 hours ago
“Age verification” isn't a problem in itself, the problem is how it's done. They could issue a physical id card with a cryptographic chip and do the age verification in a zero-knowledge fashion and it would be perfectly fine.
The problem is the lack of thinking about the solution and just handwaving “age verification” as a political posture, which is why we end up with half-baked systems.
I strongly disagree.
You're framing this as some desirable thing that could be good except that a bad implementation erodes privacy. That's wrong at every step. These bills originate from big tech such as Meta that literally profit from collecting as much personal info from you as possible. https://old.reddit.com/r/LinusTechTips/comments/1rsn1tm/it_a...
But even beyond their tainted origins, you can't implement your way out of something badly formed in the first place. You handwave "zero knowledge" but that doesn't do for your privacy what you're hoping it will. That id card will still have a serial number and CCTV of you purchasing it and you will de facto end up trusting some government binary blob to implement this cryptography correctly without backdoors. Snowden was a decade ago. This will have a backdoor. This will be used for surveillance, tomorrow even if by some miracle not today.
And finally, this makes the internet worse. There will be a section of people who are, for one reason or another, not able to pass this bar. Much of the goodness of the internet comes from being able to interact with anyone on it.
That Reddit post is feeding more conspiracy thinking than helping.
The facts listed also match the actions of a firm aiming to ensure that the burden of verification does not fall on it, for a legislative process that they know is coming.
Red flag after red flag has been raised on child outcomes and social media, for a decade.
The internet is great for people here on HN, who know enough to avoid getting screwed.
The internet is a grotesque horror show for anyone who is stuck on the wrong side of a customer support system. Plus, most people here are thinking from the perspective of someone in the US or EU. They actually get better support than the rest of the world gets.
Let me be clear - I hate that we are at this juncture. However willful ignorance of the harms being inflicted on users is palliative care for our feelings. It means that one day, there is going to be a confrontation between a techie advocating for privacy and the people whose lives are being upended by tech.
Privacy has to be protected effectively, which means acknowledging the hurt and providing solutions for that.
How did you come to the conclusion that advocating for privacy is at odds with protecting users? I'd argue the opposite is true.
3 replies →
People fall through the cracks of the system. You suddenly can't use a digital service any more, because it requires you to use a specific technology that you can't obtain, even though you are old enough. You might be a refugee, you might be someone with special characters in their name or you might be someone from a country that simply doesn't provide recognized digital certifications. Or you might want to run a rooted operating system on your phone or computer.
This assumes good faith, which doesn't match reality. It's about control, not protecting children.
Also age verification is still a problem in itself. Given your idea of a physical card, kids will find a way to use the card of their parents. Even if the card couldn't be misused by others - you give platforms the knowledge of whom is a minor, which means they can be targeted better.
Kids will simply find a way to circumvent it without any extra steps. To make age verification useful for protecting kids, you'd need to lock down every software on every operating system and put it under tight government control. We're talking about things like every programming language with a networking library, wget, curl, every web browser that was ever developed, etc.
All kinds of tools and software would need to be locked down or criminalized. Otherwise, some smart kid is guaranteed to get around the restriction and give that method to others, and if it's at school on a USB stick.
> Kids will simply find a way to circumvent it without any extra steps.
This is just an argument against any regulation whatsoever. Yes, some people will find ways to do illegal stuff, but that doesn't mean forbidding stuff is useless. For instance gangs members always find a way to get access to weapons even in countries where firearms is regulated, but there are still pretty much zero mass slaughter in schools in these countries.
> To make age verification useful for protecting kids, you'd need to lock down every software on every operating system and put it under tight government control.
No! This should never be implemented at the software or OS level in the first place. You should be handed a chip card that you can use for that purpose, like how the bank rent you a credit card. Any other implementation is a bad one, and should be fought.
But by fighting the very idea of age verification instead, an idea that pretty much nobody else in the society has issues with when it comes to voting rights, driving rights, or alcohol consumption, you are just favoring these poor implementations by moving the debate on a ground you can't win.
> Otherwise, some smart kid is guaranteed to get around the restriction and give that method to others,
You should really read that “The optimal amount of fraud is non zero” blog post I linked above.
10 replies →
The same people want to require licensing before you can publish software, if you look deep enough in these threads.
2 replies →
> This assumes good faith, which doesn't match reality. It's about control, not protecting children.
“Never attribute to malice that which is adequately explained by stupidity.”
> Given your idea of a physical card, kids will find a way to use the card of their parents.
Sure there are kids who have access to their parents credit card with the PIN, but how frequent is that? In every system, fraud will exist, but that doesn't mean the system is worthless. “The optimal amount of fraud is non-zero”: https://www.bitsaboutmoney.com/archive/optimal-amount-of-fra...
I linked it in my direct reply, but - we don't need to guess at why these bills are being introduced or who by. We have evidence. It's malice. https://old.reddit.com/r/LinusTechTips/comments/1rsn1tm/it_a...
> “Never attribute to malice that which is adequately explained by stupidity.”
This is not an argument, it's just a stupid quip. And I would sooner suggest that you "never attribute to stupidity that which is adequately explained by malice". Humans are overwhelmingly selfish and more than willing to harm others to serve themselves.
1 reply →
But to be effective you need to prove that the person presenting the ID is the person the ID belongs to.
In person that falls to a human being, and it's an easy and intuitive task that takes seconds.
On the internet this involves some kind of video recording being sent to some agency somewhere being paid a fee, who may later be asked to prove the efficacy of their service. This agency needs a digital copy of the photo from your ID for matching purposes. They'll be tempted to store this for auditing purposes... they'll also be tempted to store correlation IDs etc if the architecture allows.
The issue is trust. You just can't trust these first and third parties not to collaborate for commercial gain or at government demand or request.
And ultimately you're still exchanging verification at registration for a shareable credentials: I could use my ID to sign up to pornhub premium and then sell the username and password to a 16 year old if I wished, just like those buying alcohol can go and give it to the underage. A black market for digital credentials is even easier to establish than material goods
> On the internet this involves some kind of video recording being sent to some agency somewhere being paid a fee, who may later be asked to prove the efficacy of their service. This agency needs a digital copy of the photo from your ID for matching purposes.
That's why I'm talking about an “Id card” using Zero-knowledge proofs in a cryptographic chip, not using a paper ID with your picture on top…
Doesn't matter!
You still need to send a digital image from the id, signed by an authority, saying "this person is 18"
You then still need a trusted ID service or algorithm to capture an image of the user _at the time of use_ to compare that to.
Just having access to your digital ID credentials proves nothing
The zero knowledge proof only helps prevent tracking between the ID service and the website you're logging into. This is valuable but requires standardisation and client side support, which doesn't exist.
All the time the client side is implemented by JavaScript served from the server side you're just trusting these parties to behave and not snoop
4 replies →
It is a problem in itself. First they want to know your age (they're pretending: of course they want to know your identity, but let's leave that for a moment).
What's next? Your US legal status as determined by your ethnicity? Scan your face to prove you're white? Yeah, that sounds absolutely ridiculous but so did the age verification with KYC just a few years ago.
Why are those things naturally "whats next"?
We allow bars and car companies to verify age before conducting business. Does that in itself lead to racial discrimination? I think not.
The issue is the scale and centralization of information. Let's imagine that every bar has to not only check the id of every customer but do it automatically: every time you enter a bar anywhere in the country you must have your id scanned by a government-issued system. Are you still ok with it?
6 replies →
"Age verification" is designed to attribute your identity to your online presence. As such, it's done just right.
> and it would be perfectly fine
Unless a tiny chance exists that some system in the middle is not secure. Then you have the problem of those who orient their acceptance to the "oh well" shrug, and then systemic faults get downplayed by default. (Edit: I re-read and notice 'half-baked systems': seemingly, we agree.)
> as a political posture
Which is the core problem of masses accepting pseudo-heartly and not-brainy unacceptable figures. And again, systemic faults incarnated as administrations get downplayed by default.
And it is focussed on social networks, which require an email address, which usually implies a device.
But instead of inserting controls around email addresses (as with paid services) or devices (as with contraband), the requirement is pushed to the application layer. It really makes no sense from a technical POV.