Why is there no privacy respecting solution for age verification? Like the government giving you some sort of token that says you’re over 18 and that’s it?
It also does a fairly good job at preventing stuff from getting through.
One of the big issues right now is that there’s a lot of sexualized content on social media right now that’s bypassing parental controls because the social media services are doing a poor job of limiting that content when encountering a parental controlled device.
What if I told you that by regulation, the EU age verification system has to be anonymous and that it’s only the AUKUS countries that are moving forward in a way where anonymity is “a nice to have”.
Denmark’s system, which is a front-runner implementation in the EU, is going to be fully ZKP.
And yes it’s basically built with tokens.
You identify with a government system in an app. The services issues you signed tokens that are anonymous. You hand these anonymous tokens over to the sites that demand proof of age.
That sounds great. I don’t follow the topic closely (probably I should), so wasn’t aware of these developments. This should be brought up in all discussions about age verification, so everyone knows there are better options.
Some people will feel that it’s not ideal, as you still have to trust the government, opposed to full anonymity, but that is a bit of a separate problem.
Ultimately someone has to vouch for “yes, this person is 18+”. People can’t self-attest, except through crappy biometric, so at some point a government ID has to be involved.
I’d trust my government over a credit reference agency that literally makes revenue from selling access to your private data.
Yes, and governments, at least democratic ones, represent the interests of their people, so at least on paper this is the correct way to structure things. Then you use the channels to government to ensure it’s regulated properly. If this is not possible or there’s no trust, there’s a larger problem.
So there should be a rebuttal demanding a privacy respecting age verification token, instead of just arguing against age verification, which technically does have a point. This way it’s disabled as excuse to sneak in the other things.
No, we still need to be against it. I said tracking and controlling, not just tracking.
They are already blocking resources that shouldn’t be blocked from youth, and even a privacy centric method would still let them do that, and then expand it to anything at a whim in the future.
We don’t want the internet built on this infrastructure, it would br a disaster.
Okay, it’s 2 topics then, the privacy, and basically adding a mandatory authorization layer to the internet derived from your real identity.
To some extent this already exists for movies or say to buy alcohol, getting a driving license etc. in the real world, where people often also have to verify their age. So here it could be asked on what exact basis the internet should work differently.
Neither alcohol or the car verifies your age when you use it.
A minor can’t really sign up for an Internet subscription, so who gave them access?
Mandate age requirements when buying digital units would be better, but then we’re back to the “I have no control over my children and can’t set boundaries”
The basis is its how the world communicates and they become the gate keepers to communication and knowledge. Its like book banning on topics they don’t like but on a scale much more massive.
They’re already banning internet content from people that shouldn’t be about sexual health because its not about protecting kids its about controlling them and people.
You gotta be a good sheep and they’re going to do their best to make you one.
Not saying that these are not possibilities, but the technology itself and mistrust of government are, at least partly, different things. This is definitely a complex topic, spanning a lot of topics.
the technology itself and mistrust of government are, at least partly, different things
I don’t personally think so when it comes to technologies like this that can be used to surveil and/or control a population (edit: and especially that are being heavily driven by governments)
It’s pretty much a given that it will be used against us as history has shown us its always the case.
Trying to separate them out, gives them the extra support they need to pass it through and then abuse it.
i’ve seen screenshots of ios users being verified due to having their credit cards as payment methods tied to their name, which is a hell of a lot better than an ID
I mean a dedicated, government issued age verification token that doesn’t reveal any data to the third party other than you are allowed access age wise.
The scheme from the Danish government, shared in another comment, avoids the sharing by allowing token to be used only once, and, because the government issues the tokens, it can block people from getting tokens if they detect abuse. This can be done by rate-limiting, geoblocking and all sorts of techniques.
Remember that the function of the anonymous token is to not allow the service provider (like an OS, or a a website) to see your identity. This still allows the government to see which service provider you are using.
Hopefully the service provider can form pools yo block the government from knowing each individual website, but that’s not a given.
This still allows the government to see which service provider you are using.
That was a poor choice then. They can do this with ZKP and not even know that.
Like it should be doable where sure the website might ask the government if its valid, but the government doesnt know who owns the token, so all they know is someone accessed the site, not who. So they could know general traffic to sites, but that would be it.
There would be ways to hide even the site as well where the website gives you a non identifying token to use with yours and be verified by the government as well, then they only know some site is requesting verification and sign it back to you as valid and you return it to the site. In this one the government only knows your using it, but not where.
Edit: clarity, but also if they put this much effort into the system using ZKP, this oversight almost sounds intentional so they can track people / population usage even if less.
Edit: 10 years from now - our age restriction service shows traffic to porn hub increased 10x over the past decade while poverty has increased! PornHub is clearly the cause of our poverty situation we should ban it! The traffic is too high! A bit over the top, but the info is still useful to them.
Personal ids can also be used by non-owners, not much different than this theoretic age verification token. But yeah, ideally it would have a security layer to sufficiently confirm ownership.
Why is there no privacy respecting solution for age verification? Like the government giving you some sort of token that says you’re over 18 and that’s it?
There is.
It’s called Parental Controls.
It also does a fairly good job at preventing stuff from getting through.
One of the big issues right now is that there’s a lot of sexualized content on social media right now that’s bypassing parental controls because the social media services are doing a poor job of limiting that content when encountering a parental controlled device.
What if I told you that by regulation, the EU age verification system has to be anonymous and that it’s only the AUKUS countries that are moving forward in a way where anonymity is “a nice to have”.
Denmark’s system, which is a front-runner implementation in the EU, is going to be fully ZKP.
And yes it’s basically built with tokens.
You identify with a government system in an app. The services issues you signed tokens that are anonymous. You hand these anonymous tokens over to the sites that demand proof of age.
How are you supposed to abuse the data of people that you can’t even identify…?
Anyone have a more in-depth technical description of how that works? I’m interested.
https://digst.dk/media/5gybwsaq/implementing-age-verification-with-danish-digital-identity-wallet-dktb-09.pdf
That sounds great. I don’t follow the topic closely (probably I should), so wasn’t aware of these developments. This should be brought up in all discussions about age verification, so everyone knows there are better options.
Some people will feel that it’s not ideal, as you still have to trust the government, opposed to full anonymity, but that is a bit of a separate problem.
Ultimately someone has to vouch for “yes, this person is 18+”. People can’t self-attest, except through crappy biometric, so at some point a government ID has to be involved.
I’d trust my government over a credit reference agency that literally makes revenue from selling access to your private data.
Yes, and governments, at least democratic ones, represent the interests of their people, so at least on paper this is the correct way to structure things. Then you use the channels to government to ensure it’s regulated properly. If this is not possible or there’s no trust, there’s a larger problem.
Because its not about age verification, its about tracking and controlling you and making a privacy respecting solution isn’t compatible with that.
So there should be a rebuttal demanding a privacy respecting age verification token, instead of just arguing against age verification, which technically does have a point. This way it’s disabled as excuse to sneak in the other things.
No, we still need to be against it. I said tracking and controlling, not just tracking.
They are already blocking resources that shouldn’t be blocked from youth, and even a privacy centric method would still let them do that, and then expand it to anything at a whim in the future.
We don’t want the internet built on this infrastructure, it would br a disaster.
Okay, it’s 2 topics then, the privacy, and basically adding a mandatory authorization layer to the internet derived from your real identity.
To some extent this already exists for movies or say to buy alcohol, getting a driving license etc. in the real world, where people often also have to verify their age. So here it could be asked on what exact basis the internet should work differently.
Neither alcohol or the car verifies your age when you use it.
A minor can’t really sign up for an Internet subscription, so who gave them access?
Mandate age requirements when buying digital units would be better, but then we’re back to the “I have no control over my children and can’t set boundaries”
But what about porn / general nsfw, that doesn’t need a subscription and currently anyone can sign up / just visit those.
The basis is its how the world communicates and they become the gate keepers to communication and knowledge. Its like book banning on topics they don’t like but on a scale much more massive.
They’re already banning internet content from people that shouldn’t be about sexual health because its not about protecting kids its about controlling them and people.
You gotta be a good sheep and they’re going to do their best to make you one.
Not saying that these are not possibilities, but the technology itself and mistrust of government are, at least partly, different things. This is definitely a complex topic, spanning a lot of topics.
I don’t personally think so when it comes to technologies like this that can be used to surveil and/or control a population (edit: and especially that are being heavily driven by governments)
It’s pretty much a given that it will be used against us as history has shown us its always the case.
Trying to separate them out, gives them the extra support they need to pass it through and then abuse it.
There is!, one of the officially recognised and approved ways is credit card verification, however afaik only steam is doing that.
i’ve seen screenshots of ios users being verified due to having their credit cards as payment methods tied to their name, which is a hell of a lot better than an ID
I mean a dedicated, government issued age verification token that doesn’t reveal any data to the third party other than you are allowed access age wise.
Because then you can share the token and everyone can use it
I’m sure a more robust solution is possible though.
The scheme from the Danish government, shared in another comment, avoids the sharing by allowing token to be used only once, and, because the government issues the tokens, it can block people from getting tokens if they detect abuse. This can be done by rate-limiting, geoblocking and all sorts of techniques.
Remember that the function of the anonymous token is to not allow the service provider (like an OS, or a a website) to see your identity. This still allows the government to see which service provider you are using.
Hopefully the service provider can form pools yo block the government from knowing each individual website, but that’s not a given.
That was a poor choice then. They can do this with ZKP and not even know that.
Like it should be doable where sure the website might ask the government if its valid, but the government doesnt know who owns the token, so all they know is someone accessed the site, not who. So they could know general traffic to sites, but that would be it.
There would be ways to hide even the site as well where the website gives you a non identifying token to use with yours and be verified by the government as well, then they only know some site is requesting verification and sign it back to you as valid and you return it to the site. In this one the government only knows your using it, but not where.
Edit: clarity, but also if they put this much effort into the system using ZKP, this oversight almost sounds intentional so they can track people / population usage even if less.
Edit: 10 years from now - our age restriction service shows traffic to porn hub increased 10x over the past decade while poverty has increased! PornHub is clearly the cause of our poverty situation we should ban it! The traffic is too high! A bit over the top, but the info is still useful to them.
You can make them biometric and still be private, but that’s even more effort which they wont spend.
Personal ids can also be used by non-owners, not much different than this theoretic age verification token. But yeah, ideally it would have a security layer to sufficiently confirm ownership.
Ah tbh I just realised that with the tokens being unique you could still limit accounts per token to 1, achieving the same effect as using real ID.