Comment by _AzMoo
2 days ago
They're brokering the negotiation, they're not actually the identity provider. The broker has no knowledge of your actual identity. So in this case, the identity provider (such as your bank) knows that you've been referred by the broker and that you wish to provide your verified age and only that age. The social media company knows that you've chosen to use the specific broker to verify your age, but not who the actual identity provider is. The broker knows that a request with your metadata (IP addr, HTTP headers, etc.) has been initiated between a specific social media site and a specific identity provider, but they don't have access to your actual identity.
Nobody in the negotiation has a complete picture. To correlate it all together, you would need logs from all 3. And at least in the Australian case, due to our data retention laws, if you've got logs from the social media provider, then you can already associate the user with a specific identity by requesting the information from the ISP which they legally must retain for 2 years, so it's really not necessary.
All this concern about social media privacy is a little ridiculous IMO. If you're using social media then you've already compromised your identity. If somebody wants to find out who you are, they already can. They don't need a verified identity, and social media companies seem to me more than willing to cooperate with governments. Law enforcement has been using this type of correlating data for years to establish identity in CSAM investigations.