- cross-posted to:
- technology@beehaw.org
- cross-posted to:
- technology@beehaw.org
The UN Convention on the Rights of the Child clearly expresses that minors have rights to freedom of expression and access to information online, as well as the right to privacy.
These rights would be steamrolled by age verification requirements.
You must log in or register to comment.
Is there realistically any way to stop 1984 from becoming fully realized or is it already too far along into the landslide for humanity to save itself?
Am I age verified if the first thing that popped into my mind upon seeing that logo was “GameCube!”
no, the GameCube intro is iconic and the government overreach is chronic
If it is about protecting children, just create age based VPNs and whitelist the services with appropriate content.
This must be used above all to track the activity of every adult among all popular services. Having to proof adultness cannot be done without creating a link between the identify of the adult and the account at the service.
In theory, it’s possible, if the age verification authority keeps the link secret. But that’s impossible to uphold.
What are the elites planning to do that requires this huge amount of surveillance? The article says that they need it already in the second quarter of 2025. We will find out soon.
Having to proof adultness cannot be done without creating a link between the identify of the adult and the account at the service.
It can be done.
Do you really have no other complaints?
How can it be done?
-
You connect to an age-gated site.
-
Your browser receives an age verification request that does not contain information about the site.
It would contain the time, a random number, and the query: Is user over 18/16/14/whatever?
- Your browser sends the request to a government-licensed service.
You identify yourself to that service in some way. The service could also be a program on your own device that uses a chip on your ID-card. If the service confirms the age, it digitally signs the request.
- Your browser returns the signed request to the age-gated site.
The site checks if the signature is valid and done. There’s never any connection between the age verification service and the site. If the request is more than a few seconds old, then it will be rejected to prevent sharing.
Of course, this assumes that sites will cooperate and implement such schemes at their own expense. Obviously(?) that will only be done by the larger sites, so it will be quite pointless. I don’t know why that is not a consideration. Understanding that doesn’t actually require any deep technical knowledge. But that’s typical for EU tech regulation.
How do you prevent people from selling access to children by calling the age verification service for them?
Btw,
Do you really have no other complaints?
Which other complaints could I have?
How do you prevent people from selling access to children by calling the age verification service for them?
The high volume of requests would be detected pretty quickly. The verification service would not know what sites you visit, but it would know that you are making requests.
To succeed, that would need a fairly large number of stolen or fake identities. There’s really no point when you can just sell adult products, including pirated media, directly.
Which other complaints could I have?
I can think of a number, besides the one in the OP.
You could worry about freedom of information also for adults. Such systems interfere, by design, with receiving and imparting information. It also creates a system that can be easily abused for political censorship. Me, I worry a lot about the direction Europe is taking.
You could also worry about privacy in other definitions. Europeans, or Germans anyway, usually equate privacy with data protection, which is not actually correct. One American definition of privacy is as “the right to be let alone”. You’re certainly not being let alone with such a system. You might feel that it forces you and your family to abide by moral values that you may not share.
Then there’s the economic aspect. The people in a country with such laws will have to do extra work and use extra resources to implement and enforce this.
I don’t fully get the part about selling adult products directly.
The verification service doesn’t need stolen accounts.
There is a maximum number of unsuspiciously requestable tokens and people can sell their unrequested ones. There will be a black market and no ability to investigate unless privacy is lifted.
It’s still inhibiting children, but so does telling them not to do it.
Since foreign services do not need to comply, porn will still be available. So a firewall is needed. But then, why not give children an age appropriate vpn for their devices and accounts and leave the internet to itself?
There is a maximum number of unsuspiciously requestable tokens and people can sell their unrequested ones. There will be a black market and no ability to investigate unless privacy is lifted.
Such a thing would work as with credit cards. An unusual pattern of use would flag the card as potentially compromised and cause it to be blocked, not the volume of requests in itself. It wouldn’t be quite so easy to avoid detection.
Making porn, alcohol, or other such things available to minors is a criminal offense. Being flagged multiple times would probably be enough for a conviction if one couldn’t provide an explanation.
An age verification service would need to determine your age. It’s not strictly necessary for them to keep your identity on file, but I think the likelihood is that it would be required precisely to prevent such abuse.
I don’t fully get the part about selling adult products directly.
Such a service would be illegal in itself. It would have to exist on the darknet beside offers for mail-order drugs, stolen passwords, and so on. Might as well offer mail-order alcohol or adult media downloads with no questions asked.
Since foreign services do not need to comply, porn will still be available. So a firewall is needed. But then, why not give children an age appropriate vpn for their devices and accounts and leave the internet to itself?
Good question. Part of the answer is that law-makers in Europe have no idea what they are doing. Why there is no one capable of giving them technical advice is something I simply don’t know. Some tech regulations are so absurd that you’d never believe me they are real.
-
No, these rights work perfectly well with age verification systems in general. It’s the planned implementation that is bullshit. And that’s not a coincidence but intentional to -again- sell us surveilance through the back door.
(For reference: No one but the EU and member’s governments are more qualified to produce an actual, working age verification system in the form of “Yes, that person has the required age. No, you don’t need to know any other personal information because we already checked and certified it”. Because they already have the data base neccessary. But you can’t outsource such a system to private companies that actually want to get paid mainly in aquired data…)
The point of an age verification system is to make sure that certain classes of people cannot access certain categories of information.
Is there really no problem there?
In case of minors and pornography, most societies have come to the conclusion that there is no problem with that.
If some people want to fight this, they should fight this issue (this would be very much a losing battle in all places in my opinion), not age verification systems, because the second would not exist without laws like the first one.
There is no way to remotely verify someone’s age across the Internet without violating their privacy. If there was, there would be no way to use it that doesn’t violate their other rights.
It security engineer here: zero knowledge proofs are exactly that. Proof your age isg higher than X, but not even how much higher. They can’t even profile you based on that information as they can’t recognize you across visits.
Some government identity cards already support that. For everybody else there are companies that offer that service.
BTW I’m against age verification. We had access to porn at a certain age, I want my children to be able to look when that gets interesting to them. But then again I’m pretty progressive and open with sexuality in general and I take time out of my day to actually talk to my kids about dangers on the internet.
If I search for zero-knowledge proofs relating to age verification the only thing I see is the hash chain method “based on a 2013 paper by Angel & Walfish” which is clever enough but does not in itself solve the problem of proving age while maintaining one’s privacy. It allows Alice to demonstrate to a verifier that she is over the age of 65 while revealing nothing else other than her name or some other identifying piece of information. Avoiding the reveal of any such information is what we would want to avoid.
Is there some better way to do it?
You only need to prove the number in your government id is greater that the required. Number. The number is signed by the government CA
Any reasonable government doesnt gove out ascending number-IDs, Right??!
Your government… you know… the people that already have all your data and issue your passport… cannot include a flag (properly cryptographically signed by them) that tells a service “Yes, the guy that just inserted this valid passport is an adult. You don’t need to get any other info. We already checked for you.”, no other connection or transfer of data neccessary?
If you know a way to do it without invading people’s privacy you’d better go tell the government of Spain about it, because they didn’t manage to find it when they designed their eIDAS scheme which they hoped would become the Europe-wide standard. Not sure if that’s still seen as likely but I haven’t heard about any other concrete proposals yet.
I’m talking about things you can do technically.
Governments don’t plan completely idiotic ideas because they don’t know better but because their actual reason for choosing the system they chose is NOT creating a workable system that protects your privacy.
That’s the whole point. Articles like this aren’t completely wrong. The systems planned are indeed a risk to privacy rights. But we need to stop pretending that it’s an accident and the government simply don’t know better or there is no better solution at all. Actual solutions exist and we need to talk about the fact that those are ignored intentionally because a working system that protects your privacy is simply not the goal here.
What do you mean by violating privacy?
If you have a passport, citizenship, or birth certificate your age is already documented.
yes, however the government should NEVER have access to what social messaging apps ANYONE uses without a warrant.
Isn’t that a matter of implementation whether they even receive this information or not during validation?
the fact that they received a validation request is informative that they probably shouldn’t be able to access, however regardless of implementation, assuming causality and the speed of light remain, this will be information the government will recieve. Some entity (probably the government) would* also need to know who to send the response to, technically they could just broadcast this over some low frequency transmission broadcast to everyone, but realistically the government would need some kind of address (IP, fax number, po box, etc.).
Technically this is an implementation detail, however the only ways to implement this type of thing that wouldn’t be comprimizing would involve citizen prompted government broadcasts and trust that the government won’t have records of who requested the broadcast and what number was sent (which would make it trivial for adults to just sell the age identifier) and would still worsen the average citizen’s security because it still takes effort to generate a unique identifier for every site.
If my gov creates a digital cert of age and signs it then I should be able to use that and the service provider can verify against gov public key, no? No information of visit exchanged.
As an alternative I also expect it to be possible via zero knowledge proof https://en.m.wikipedia.org/wiki/Zero-knowledge_proof
that still uniquely identifies you to the company and would make having multiple accounts that are fully separate harder. in addition there would be no way of knowing whether or not the government has or hasn’t hidden another layer of data (like your name) in the certificate.
This would also be trivial for children to bypass as it would need to be usable an unlimited number of times (or else individuals couldn’t have multiple accounts) therefore it would only take one adult sharing their cert and signature publicly for any child to have a valid certificate.
No one but the EU and member’s governments are more qualified to produce an actual, working age verification system […]
Because they already have the data base neccessary
Just imagine that every time you watch cat videos, the cat video website sends a request to your government’s servers to verify your age.
Of course, this can also be done without accessing any database. E. g. the German electronic identity card supports verifying your age without revealing any other personal information.
Just imagine your passport just has a separate set of information saved “This person is legally an adult” signed of by the government issueing them. No transfer of any other data neccessary. You don’t need to know their name, their age or anything else. And you don’t need some database to be queried. You just get the certified “I have the proper age to access this”-card build into their regular papers.
Yeah it’s really not that simple. If you give someone a unique signed token that just says “whoever has this is over the age of 35” then that token becomes your unique id number that every website you share it with can use to track you. If you create a whole bunch of temporarily valid tokens for old-enough citizens any time they want some, so far you have no way top stop those getting into the hands of teenagers who want to use them to sneak into feddit.
Which is the reason I talked about the passport. It doesn’t have to be unique, just a flag cryptographically signed by the issueing government.
Yes, I can still give away my passport then so that someone can get into adult stuff on the internet… or I can open it for them. So that’s not exactly the use case I’m that actually about.
But that’s all missing the point. There is simply no interest in developing a proper system. Just like terrorism, or child-pornography, age verification is just another pretense to establish surveilance, weaken privacy rights and monetize us by outsourcing everything to private companies (purely concidently usually connected to AI and very interested in all data they can get theri greedy little hands on). We can discuss the technical issues for years, but the people actually planning that stuff won’t care because that’s not the actual agenda.
Uh… if “it doesn’t have to be unique” then you may as well just have a password — everyone who knows that the password is “swordfish” is allowed into the adults-only club. There are things stopping people selling their actual paper-based passports en masse or just making photocopies. If you have an easily-replaceable digital token with no biometric info and it’s not tied to your identity in any way, there are no such constraints.
I was obviously not talking about random paper-based passports but the one ID that is already standard and required for every citizen. And that one -if you decide to give it away- is tied to you, has your identity and is not easily replaced. But requiring to submit all that information on a low level internet verification process is unneccessary, when just “yes, I have that card proving I have the proper age!” is perfectly functional for that purpose.
There is no one-size-fits all solution for security. But for basic stuff like acccess to online stuff an anonymous solution based on your ID is perfectly workable. Nobody is preventing additional biometric checks for more important stuff, it’s the general things in day-to-day life we need to primarily protect from data kraken trying to profile us to make money.
I’m still curious as to what it is that you have in mind. “Yes I have that card” will be communicated to random web services by the user presenting to them some kind of signed digital token I imagine, as is usual, and that token itself, or the user-held secret used in generating it, is what can then be sold, transferred, or used to track the user unless you have some way to prevent that. If you’ve given any hint of how you think it can be done, I didn’t get it.
One thing people sometimes think of is having the user be authenticated with a government (or other authority) server in real time whenever they want to prove their age to some stranger — but the system I saw which worked like that was obviously a pretty big violation of privacy so I assumed it wasn’t the sort of thing you meant. If that’s the idea, how would you prevent the central authority from keeping a record of when and where your “passport” was used?
