← Back to context

Comment by _AzMoo

3 days ago

In Australia, the government has certified OAuth2 Identity Providers which act as a broker between social media sites and a provider that can verify your age, such as a bank. This allows age to be verified by a provider, with the social media provider having no access to your identity. If the social media companies chose to support this, they would be complying with the legislation. It's not the government forcing you to identify yourself.

This gives the identity brokers full insight into what sites you are visiting. Worse yet, it consolidates the information in one, easily leaned-on place: If I provide an ID to 3 non-Australian companies, sure, those companies know who I am, but the government or other companies would need to extract that information from each one. With an OAuth scheme, all that information is in one convenient place for the surveillance freaks.

  • https://connectid.com.au/

    They're brokering the negotiation, they're not actually the identity provider. The broker has no knowledge of your actual identity. So in this case, the identity provider (such as your bank) knows that you've been referred by the broker and that you wish to provide your verified age and only that age. The social media company knows that you've chosen to use the specific broker to verify your age, but not who the actual identity provider is. The broker knows that a request with your metadata (IP addr, HTTP headers, etc.) has been initiated between a specific social media site and a specific identity provider, but they don't have access to your actual identity.

    Nobody in the negotiation has a complete picture. To correlate it all together, you would need logs from all 3. And at least in the Australian case, due to our data retention laws, if you've got logs from the social media provider, then you can already associate the user with a specific identity by requesting the information from the ISP which they legally must retain for 2 years, so it's really not necessary.

    All this concern about social media privacy is a little ridiculous IMO. If you're using social media then you've already compromised your identity. If somebody wants to find out who you are, they already can. They don't need a verified identity, and social media companies seem to me more than willing to cooperate with governments. Law enforcement has been using this type of correlating data for years to establish identity in CSAM investigations.

  • It should be written into law that they (the intermediary identity brokers) cannot sell or share any information with data brokers. They should be an independent organization funded by the government, but without its funding tied to yearly renewals (otherwise they would need to curry favor on a yearly manner to whomever is in power).

can these banks/brokers sell the data?

can these banks/brokers get hacked?

I'd love to see a way for people to revoke/replace their personal info, kinda like rotating passwords or changing their names - but for street address, birthday, government ID numbers, etc.

Penalties (of any scale) are insufficient to ensure absolute security.