So in Germany we have an ID card with a PIN, NFC and a government app. Website owners can request to be able to use this feature. They then get a certificate from the government that has the fields they are allowed to request stored within it.
Websites can request data from the user by sending that certificate, it opens the app, it shows you the categories of data to be send, you hold your ID card to the phone, enter the PIN, and the certificate is uploaded to the ID card which verifies it. If its valid, the ID sends back the data that is specified in the certificate.
You then get presented with exactly the data that is going to be sent to the website. You can then agree or disagree. So far that is only used to log in to government websites.
This way the government does not know which sites you visit, and you only send your age to the website.
fabian2k · 23m ago
It's even more restrictive than than, for age verification you only get back whether the person is above the age limit or not, it's a boolean response.
So I think from that view the eID works pretty well, it provides the minimal necessary information. The bigger issue with something like this is if you use them to enforce real name policies or stuff like that.
nottorp · 8m ago
> This way the government does not know which sites you visit
Hmm. It's not clear from the description that it is so. The government knows which site sent the request and authenticates your card, which is tied to your identity, right?
michael1999 · 15m ago
I'd refine Doctorow's claims to "Privacy preserving age verification is bullshit in the Common Law Anglo world".
You are completely correct that civil law jurisdictions have already solved this: Germany, Estonia, and many others have the all the requirements: a register of all persons available to the central authority, and crypto infrastructure to make it work.
What's missing from the UK, Canada, USA, etc. is the first part! It is hard to believe if you live in Germany, but there really is no big master list of people in those countries. There are many (many, many) lists, linked badly by many different ids. The tax registry, pension registry, drivers license registry, and visa registry are some of the big ones.
Things could be so much simpler if we had such a thing, but the politics between here and there are basically impossible.
cogman10 · 7m ago
The big problem I have with laws like the UK has been that they solve a non-issue at the cost of large infrastructure and potential privacy problems.
Teenagers have been looking at porn since forever. It's practically a trope of teens stealing their parents' porn mags. I don't think any of this has actually caused major societal issues.
The proposed solutions merely require that a teen steal their parent's identification, briefly, to create a porn account and move on. Heck, they can probably buy that information online if they are innovative enough. They certainly will be selling access to their porn accounts to their classmates. And even if they don't go through all that trouble, getting a porn mag is still pretty possible in the UK.
That makes this just a bad law. It doesn't meaningfully stop the problem it's meant to stop and it's expensive and intrusive. Even if privacy preserving age verification was bulletproof and perfect, you still have the gaping hole that such protection has a ton of holes in it.
And then there's the simple fact that other nations exist. Yes, mainstream sites will put up protections, but what about the sealand porn site? Unless the UK wants a great firewall (ala the chinese firewall), they simply aren't going to stop this problem. Even then, VPNs are common knowledge at this point due to streaming.
Bad law, bad effects, and a pointless fight.
Seattle3503 · 1h ago
To me it seems like Cory Doctorow is demanding perfection, and saying that because we can't achieve perfection in age verification, we can't do age verification at all. That isn't going to stop people from trying, and we will end up with a worse system overall. IMO this is a common pitfall of techno-idealists.
Technologies like the mdl standard [1] can attest to age without revealing the users identity.
As Cory points out, its still possible for kids to swipe someones ID and use that. There are probably practical solutions that are good enough. Android, iOS, and parents could work together to deal with the problem of stolen IDs. If mdl is implemented on devices such that they are managed by the device OS, that would lead to auditability. Parents can ask their child to see their phones ID app, which will show full roster of IDs on the child's device. If a parent sees an ID that shouldn't be there, they can have a conversation about it. In this way the law would be about empowering parents to shape their child's online experience. This is just a straw-man example solution, but there may be better ones.
The other objections I saw could be worked through in a similarly pragmatic fashion.
This is probably going to be good enough for most folks, and its probably a good thing to keep children away from pornography and such. And IMO coming up with a "good enough" solution will flush out all the bad actors who are hiding behind the excuse of "save the children" when really they want to build up an record of everyone's browsing history. But by denying any solution to a real problem, we let the bad actors hide amongst the well-intentioned folks who are trying to do the right thing.
The MDL standard does not do what you think it does.
gjsman-1000 · 45m ago
> common pitfall of techno-idealists
Common pitfall? It’s why these techno-idealists are loudmouthed on the internet, but don’t get respect anywhere politically. If you want to gain ground politically, you need to at least acknowledge what the problem is, or is perceived to be, and offer a real solution. “Nope we can’t do that because of this 0.1% edge case” doesn’t qualify. “Apple should just dump all schematics online regardless of what China might do” doesn’t qualify. “The internet is great at it is, and your political concerns are invalid” doesn’t qualify.
AllegedAlec · 15m ago
> If you want to gain ground politically, you need to at least acknowledge what the problem is, or is perceived to be, and offer a real solution.
Why? If you do not believe it is a problem that's just like apologizing when you haven't done anything wrong.
Barrin92 · 5m ago
if you, like Cory Doctorow, are an activist there's two options. One you scream from a soapbox with no regard for what other people think in which case it's evident you're doing it for self-aggrandizement and attention, or you take into account what the sensibilities and problems are of the people you try to convince and work within that frame of reference.
If you're campaigning for technological and/or political change you're in the business of changing peoples minds and if that doesn't matter to you, you've chosen an odd way to spend your time.
Seattle3503 · 39m ago
Yeah, it feels like a junior engineer fresh out their undergrad algorithms course. The business isn't going to grind to a halt and wait until you build the perfect solution.
gjsman-1000 · 36m ago
Let’s take the pornography argument for example.
Regardless of whether pornography is, or should be legal, average exposure is now 11 years old. That’s average, many kids are even younger.
If this even prevents 95% of kids from accessing pornography until they’re 15 and get a debit card to buy a VPN, that’s a win in the eyes of most parents and legislators. It doesn’t need to be perfect, or even perfectly force you to be 18, to get the primary job done. Pointing to “a 16 year old can get around it with a VPN” is missing the point. It’s not a surprise why that argument falls on deaf ears.
Or, another one, “just use parental controls,” have you even tried this? Almost all parental controls are horrifically buggy, full of loopholes, and these kids can just borrow each other’s technology. Apple’s parental controls predate HTML5 (literally, HTML 4.01) and regularly don’t work, sometimes even by their own admission. It also forces the parent to be in the role of a tech expert fluent in Microsoft, Apple, Google, Nintendo, and other products all at once. You might as well get CompTIA certified. That argument also falls on deaf ears.
idle_zealot · 22m ago
> Apple’s parental controls predate HTML5 (literally, XHTML 4.01) and regularly don’t work, sometimes even by their own admission. It also forces the parent to be in the role of a tech expert. That argument also falls on deaf ears.
The solution, then, ought to be to pass a law requiring some sort of standardized parental controls that allow trivial set-and-forget management. Require device manufacturers/software distributors to sort out a "child mode" switch you can flip upon device initialization, in-your-face and unmissable, and then have apps/webpages be able to see whether the device reports it's in child mode. Does this not solve the "prevents 95% of kids from accessing pornography" threshold of effectiveness while being infinitely less invasive?
thewebguyd · 12m ago
> Require device manufacturers/software distributors to sort out a "child mode" switch you can flip upon device initialization, in-your-face and unmissable, and then have apps/webpages be able to see whether the device reports it's in child mode.
Wouldn't even need to develop anything new for this outside of a simplified UI over an MDM. Devices already support an incredible amount of monitoring and control, even iDevices, via MDMs.
But MDMs are for now only business/enterprise products, and are priced as such.
Makes me wonder if there's a market there for someone to just package up a consumer-focused, dead simple to use MDM. Enroll with QR code, set up some default policies, etc.
gjsman-1000 · 19m ago
It’s a better argument, and would gain more political ground, than do nothing.
However, there’s one major problem: Most families aren’t actually using the multi-user capabilities of their devices. Many devices, like iPads or iPhones, just don’t support multi-user at all.
The result? Either parents are tech experts again, or have deep pockets to get everyone a device, or you’re going to have a bunch of kids logged in as their parents on their devices (as is already the case). Of course, that defeats the policy goal. That’s a non-starter, unless we agreed that a device manufacturer could force a biometric check when accessing an age-verified device account.
Nobody has proposed such a thing; but if there was a good way of making sure that the age-verified user is the actual person engaging with the age-verified account, then we might have progress in that direction.
Personally though, I would really prefer to not have the government get any ideas whatsoever about dictating firmware or OS security or OS parental control requirements. Do you really want your Linux distribution mandated to implement an age check firmware with phoning home requirements to a government parental control server?
wvenable · 12m ago
That's not a major problem. Also, how does age verification fix things in that scenario if a child is using their parents device?
If a parent can't be bothered to pin-lock their device or flip it into child mode then there is no technological solution. Now you're the one looking for the perfect solution that doesn't exist.
gjsman-1000 · 10m ago
> Also, how does age verification fix things in that scenario if a child is using their parents device
Because the age is verified at the time of access; instead of once during initial setup. Odds are that the former will catch far more flies than the latter.
Your employer probably does the same. Do they have you log in once when you set up your laptop, then comfortably happily say it’s you for the next three years; or do they have you sign in every morning?
wvenable · 6m ago
> Because the age is verified at the time of access; instead of once during initial setup.
Is that really how it works? Every single time you visit any website on the Internet or launch any app it's going to age ID you? I don't think that's right. You validate your account and then you login and you're good. If someone else uses your account, they are you.
And as you said, people share devices but it's also usually one account per app per device. You have to go out of your way to sign out of each individual app or website.
wvenable · 15m ago
> Regardless of whether pornography is, or should be legal, average exposure is now 11 years old.
You make it sound like historically it was much later but actually even in the 1980s 11 years old was uncommon. In fact, that matches my own personal experience from that era.
> Or, another one, “just use parental controls,” have you even tried this?
Parental Controls is the right answer but absolutely agree that parental controls suck. As a parent, I'd love just any level of better control. I don't even care if I have different controls per manufacturer as long they're pretty complete and capable.
If the EU can mandate USB-C, they can mandate all technologies include powerful and capable parental controls.
There is no need for age verification -- parents know how old their children are. Parents are providing children with the devices and often the means of connectivity as well. This is and has always been a parenting problem. If the government wants to assist parents, I'm all for that. But age verification is not the answer.
gjsman-1000 · 12m ago
> mandate all technologies include powerful and capable parental controls
That is, until Linux is also forced to come into compliance with said parental control standard, complete with all centralized reporting and remote restriction capabilities.
> This is and has always been a parenting problem.
What do governments do when everyone has the same parenting problem? Listen to industry idealists, like those who would call teenage smoking a “parenting problem,” or crack down?
wvenable · 9m ago
> That is, until Linux is also forced to come into compliance with said parental control standard, complete with all centralized reporting and remote restriction capabilities.
Linux is fine. Someone can build the ultimately perfect parental control software for Linux and I'll use it. The same cannot be said for Windows, Android, or iOS -- third party system cannot exist for those platforms that are sufficient unless they're made by Microsoft, Google, or Apple respectively. Perhaps we just have to mandate an open standard. In fact, I would prefer that.
> What do governments do when everyone has the same parenting problem?
The wrong thing. Always.
2OEH8eoCRo0 · 51m ago
All the govt needs to do is send fines to offenders and the industry will be forced to implement one or more solutions.
The govt doesn't care how you verify age only that you don't sell to minors.
wmf · 48m ago
Experience with GDPR and DSA shows that the fines lag years behind the abuses.
Let's say every citizen has an account with their federal government, and the account can be accessed securely in some reasonable way (password, 2FA, hardware token, etc.).
The government can have a public-private RSA key pair specifically for "At least 18 years old". Once the user is authenticated, he can generate a nonce and a blinding factor, multiply them together to get a blinded random number, and upload that to the government for signing. He takes the signature and unblinds it, then submits the original nonce and unblinded signature to the adult website. The website confirms that the nonce and signature is valid according to the government's public key.
This system raises many questions. For example, preventing replay attacks, so the adult website will reject any nonce being reused, or mandating that a timestamp be a subcomponent of the nonce. There is the un-answerable question of how to handle the case where a legitimate adult offers valid signatures for someone else to use. There is also the question of, to what extent the adult website should be able to keep track of the underlying users (even in a hashed format) to monitor abuse, suspicious users who have too much activity, etc.
Muromec · 1h ago
I'm confused. Author puts crypto backdors and IDP with ZKP into the same bucket and calls it "nerding harder". But why? You can have identity provider, several European countries do and you can have subcredentials. You literally can nerd harder here.
Sure, there is a strong ideological argument why you should not have strong identities required in the internet in general (or even in offline) and on porn sites specifically, but the argument is not technical.
torginus · 49m ago
These 'anonymity' technologies are laughably worthless - sure ZKP might provide mathematical proof that it's impossible to find out who the subject is, but embed a tracking cookie and fingerprinting script into both the porn site, and the online grocery - and there you go, you have irrefutable cryptographic evidence of how John Doe likes to spend his evenings.
ivan_gammel · 6m ago
As soon as fingerprinting becomes criminal offense, this will end quickly. Nobody big enough is going to risk that.
thyristan · 1h ago
But it is. In those European countries, IDPs and certification authorities are one and the same entity. So the technical requirement of privacy evaporates, the government will always know who is proving their age to which porn site.
ivan_gammel · 10m ago
That’s easy to fix. The IdP and the checking service do not have to be the same. The checking service can be a 3rd party that works with IdP verifying facts on behalf of regulated services like porn sites. The job of IdP is to certify the facts and do KYC for checkers to ensure they don’t cheat. The regulated service can ask customer which checker do they use and then ask the checker. The customer may have a long term relationship with preferred checker on a market where multiple checkers exist and reputation matters for being competitive. This way checker is incentivized to maintain privacy and does not have conflicts of interest like the government. Government agencies can still investigate customers but they will need a court order to get the data from checkers.
therein · 47m ago
I don't know why you are downvoted. And even more disappointingly, it is interesting how easily people overlook the fact that this is happening in lockstep across the globe, obviously the goal is to deanonymize the internet.
I can't wait for the next generation that will enjoy "nerding out" on how to best patrol every neighborhood with drones.
Let's put NFC tags on everyone at birth, we can then nerd out harder.
skybrian · 24m ago
You’re probably better off just reading the paper he links to:
I think it shows the difficulty of implementing it for everyone. But Apple and Google’s cell phone implementations would probably cover most people in some countries when finished, and then there will be a long tail of people who will need cheats and workarounds.
You’d be screwed if you didn’t have any friends who could help you cheat.
kazinator · 40m ago
If you're a web person who understands SSL, privacy-preserving age verification can be explained by analogy.
It's a system which requires a central agency, probably a government agency, analogous to a certificate authority.
You are authenticated with that agency; it has personal info about you. But you are externally identified by some impersonal identifier, not your name.
The agency issues you a certificate binding this identifier to an assertion like "is over 18 years old".
When you interact with a site that wants to know whether you are over 18 years old, you present the certificate. The site can see that it's signed by the authority and that it has the assertion that you are over 18.
You can't just give that site someone else's certificate because it has to be the one tied to the abstract identity you are presenting (which contains no personal info; it's some kind of UUID or whatever). Plus the cert can be bound to a specific device and such.
The cert has a private keys with which you can prove that you own that cert; or at least that you are the authenticated operator of a device to which that cert was issued.
It's something like that. I may have some key details wrong. The main idea is that some brokerage that does have info about you can attest that you are over 18 without revealing any of the personal info via certificate-like objects.
It sounds like, in theory, the system can achieve good privacy in age verification. But not perfect age verification; people will find ways around it.
A grown up can certify themselves to be over 18 and then hand the device to a teenager; and such an operation can likely be scaled to some extent. And of course no cryptographic system can eliminate the possibility that minors are looking at the screen of a device operated by an adult, who may even step out of the way to let them operate it.
torginus · 56m ago
The problem is not only that it's impossible to make cryptography that's only secure when the good guys use it, it's that once cryptography is made insecure, it's insecure for everyone, forever.
I'm not a privacy hardliner, and I think the socially acceptable tradeoff between privacy and security have been well established before the computer era - if the police has a well-enough established suspicion against you - they can get a warrant and search your home. That's due process.
I would accept if there was a digital version of that which targeted not the encryption itself (which could be as strong as possible) - but the endpoints, like smartphones and computers.
Let's say police had a device which they could plug into your phone, which would send a specially signed message - a digital warrant, containing all the info a real warrant would - which be permanently be burned into the ROM of your phone, after which the phone would surrender its encryption keys, and the police could dump your unencrypted disk.
The phone would be then presented as evidence at the trial, and not following due process would be a cause for mistrial, no matter what they find there.
The general public would be safe in the knowledge that as long as the police isn't hauling them in, their secrets are safe, and the government would get the tools for what they claimed they wanted - a way to catch bad guys with digital tools.
buzer · 33m ago
> Let's say police had a device which they could plug into your phone, which would send a specially signed message - a digital warrant, containing all the info a real warrant would - which be permanently be burned into the ROM of your phone, after which the phone would surrender its encryption keys, and the police could dump your unencrypted disk.
And when (not if) that device leaks whoever steals your phone will be able to get access all of the things in there.
JoshTriplett · 19m ago
> The problem is not only that it's impossible to make cryptography that's only secure when the good guys use it, it's that once cryptography is made insecure, it's insecure for everyone, forever.
Correct.
> Let's say police had a device which they could plug into your phone, which would send a specially signed message - a digital warrant, containing all the info a real warrant would - which be permanently be burned into the ROM of your phone, after which the phone would surrender its encryption keys, and the police could dump your unencrypted disk.
You are now advocating for making phones insecure for everyone, forever. No.
JanisErdmanis · 1h ago
How would setting up a primary credential with an identity provider differ from the process of registering to vote for USA citizens? All the discrimination opportunities and accountability issues seem to apply equally there.
nemomarx · 47m ago
if you had to register to vote to use Reddit or whatever people would complain about that constantly. and voter id laws are in fact controversial yes.
Seattle3503 · 1h ago
I agree "ensuring everyone has ID" is a separate problem that we should absolutely trying to tackle. We are already seeing people struggle with it absent any new ID schemes, eg in the case of trying to get access to banking. You can already get ID at a post office, maybe we should add other government facilities such as libraries.
JoshTriplett · 59m ago
That's absolutely true, and orthogonal to the problem that you shouldn't need to identify yourself to anyone in order to access arbitrary websites.
Seattle3503 · 32m ago
I don't think thats the proposal. The proposal is that you prove to websites that you are over 18 to see adult content.
JoshTriplett · 17m ago
"adult content" is the boogeyman, to try to make this harder to argue against. The actual net result is shutting down a wide variety of websites and making people identify themselves (to paid identity providers conveniently provided by those who lobbied for this legislation) in order to access others, including Reddit, Discord, etc.
You should not need to identify yourself to access arbitrary websites, either to the website or to some third party.
sltkr · 51m ago
The “not everyone has an ID!” argument is such an American perspective. The vast majority of world citizens live in countries that require you to have some form of government ID anyway:
It seems pretty reasonable to leverage this into online identification.
In fact, online ID is already used in the European Union for popular initiatives (see, e.g., https://www.stopkillinggames.com/ ) and nobody seems to think this is “bullshit” or infeasible or any of the concerns that are lobbed at the age verification requirements.
lmz · 14m ago
It's more accurately a very Anglo perspective. The US, UK, AU, NZ, CA all do not have national ID cards.
lmz · 1h ago
The same people who argue this will also argue that voter ID rules are discriminatory.
mattnewton · 33m ago
Voter ID laws actually have a long history of being used for disenfranchisement of certain classes in the US (most notably former slaves and their descendants, but also women), so it's understandable there is scar tissue there. It gives the incumbent state another lever of power in our very close first-past-the-post winner-take-all elections. Americans don't need imagination to see how it could be abused, just a good history book.
sltkr · 48m ago
Are the laws that require you to show ID to buy alcohol, tobacco, fire arms, or gamble in casinos also discriminatory? Or is it only discriminatory when you prevent people without IDs from watching porn?
9rx · 28m ago
> Are the laws that require you to show ID to buy alcohol, tobacco, fire arms, or gamble in casinos also discriminatory?
So long as it is done for a legitimate purpose and in good faith, generally no. As such, IDs are only expected where there is reasonable suspicion of possible violation. For example, there is no onus, with a few exceptions, to see an elderly person's ID to buy alcohol when there is no reason to think that they aren't below the minimum age.
The exceptions haven't really been tested. It very well could be found discriminatory, and you could make a pretty good case that it is. Which is ultimately the same case being made earlier. Asking a no-question-about-it 50 year old to provide his ID to watch porn isn't really in good faith, is it?
mattnewton · 30m ago
The definition of Porn by the state can change to include things that some people consider protected by the first amendment - right now there are a lot of state politicians or members of the house on record supporting classifying discussion of LGBTQ lifestyles as pornography for example.
I think alcohol, tobacco and gambling here are mostly irrelevant, but the firearms is a better example because of the second amendment, where you have a clash between a very old right granted by the bill of rights clashing with modern societies beliefs.
irchans · 39m ago
Even after reading the article, I think there are reasonable ways to set up a low cost system that uses zero-knowledge proofs to "prove" your age without disclosing your identity. I do think that you will need trusted entities and the system will only stop most, maybe 80 or 90 percent of children under 18 from seeing porn. But, if you do this, then maybe 99% of kids under the age of 14 will have a lot of difficulty viewing porn which is a good thing. There may be valid a slippery slope argument for not setting up the age validation system even if everything I said above is true.
Seattle3503 · 37m ago
Yeah, I think even if we only manage to delay the "age of first porn viewing" to something like 14-15, thats probably a win.
jofla_net · 20m ago
Maybe, but as a parent, I believe its an embarrassment to expect to radically retrofit a society in such ways as to make up for my own negligent lack of responsibility for my own children, which I do take quite seriously.
Not to mention the myriad of resultant unintended consequences which invariably arise when such systems(of which i'm quite familiar) are brought to bear.
Though I do speak from such a position of professional neutrality, as I would gain no benefit at all from implementing such a ubiquitously mandated system. Perhaps if things were different, I'd think otherwise.
dathinab · 1h ago
> "Privacy preserving age verification" is bullshit
it is possible if you accept that it only needs to be good enough
- it's fully okay if it can be deceived in all kinds of ways
- verifying only once per account is okay, if a adult passes their verified account to a child that their responsibility
- legally not just forbid but criminalize (with required prison sentence) the storing of any data except is adult yes/no from a age verification process
- allow a OS accounts to just tell applications (including websites) that "is 18", if a age verification was done in the account, also no singing or anything cryptographically, because again it's good enough no need to protect it against hacking, the main responsibility still lies with the parents
so then you can do a single age verification per OS account, once, and be done with
furthermore this verification could e.g. go through a process which might identify you identity but a) isn't allowed to pass anything but adult yes/no to anyone else b) isn't allowed to store that info c) on a storing it is a "criminal liability" level where a CTO ordering data collection would go to prison
through if you live in a country where everyone has a passport with NFC chips (e.g. all of EU) just adding a "adult yes/no" function(1) to it + a transparent (open source, non profit) app per country to bridge it to accounts which need verification would do the job without needing the extra strict criminalize abuse part.
Which brings us to the main problem:
- requiring politicians to accept a "good enough" solution, accept that the main responsibility still lies with the parent
- politicians not abusing it to spy on their population
- make laws to prevent companies from ab-using "age verification" to collect private data
and that seems indeed impossible
---
(1): Technically I think it does exist, somewhat in many passes already. But practically it not viable as it (I think) discloses too much information and has too much issues wrt. integrating it (wrt. certificate nonsense)
loglog · 39m ago
No cryptographic verification is required for content blocking. Make it easy to set up a slightly locked down "child" account (e.g. one behind a MITM proxy that only lets through HTTP(S) and blocks some domains) by requiring it from every OS vendor. Label existing devices/software without it "18+".
charcircuit · 1h ago
>politicians all over the world demanded a kind of impossible encryption
It's not impossible to design a cryptographic system where law enforcement is a party within it. The false dichotomy of encrypted or not encrypted in my opinion is used to shutdown the conversation since it's easy to argue why no encryption is bad. It's a strawman.
JoshTriplett · 59m ago
It's impossible to design a cryptographic system that does end-to-end encryption and has a backdoor that can never be misused. No technical solution will address the fact that it's failing at its one job.
jgeada · 59m ago
That is a bad faith argument.
As soon as there is another untrusted party in the encryption, an in particular a party with a "skeleton key" that can decrypt anybody's message, then your encrypted communications are merely one leak away from being decoded by everybody else.
aaronmdjones · 35m ago
If there's one thing you can trust a government to do, it's to not be able to keep secrets for very long.
You can do things like require the service to verify that the court order is valid before they gain the capability to decrypt a subset of messages that the court order allows them to see. There doesn't have to be a skeleton key.
thyristan · 1h ago
Then please prove the possibility by doing so.
Up to now, there has only been intense wishful thinking by politicians, and strong "NOPE" by anyone with any kind of knowledge about cryptography. Either really everyone, including the likes of NSA, CIA and other spy services don't actually employ top cryptographers. Or they repeatedly tried and failed miserably. Or really nobody, including the spies, wants backdoored NOBUS encryption.
loglog · 36m ago
NSA does probably want it, and did probably standardized at least one such scheme in the past: Dual_EC_DRBG.
layer8 · 57m ago
The argument regarding general use of encryption for communication is that (a) law enforcement private keys would leak sooner or later, suddenly exposing everyone’s past communication, and that (b) criminals would just use “forbidden” encryption (“if x is outlawed, only outlaws will use x”).
crooked-v · 55m ago
If you include law enforcement by default, the system becomes completely insecure literally the first time an agent is corrupt, lazy, or just gets access stolen from them.
charcircuit · 56s ago
You can design it such that the a single agent isn't able to decrypt anything. You can also do things like limiting the number of decrypted messages of people and more.
RajT88 · 1h ago
Also, water wet.
aktuel · 57m ago
Not just age verification. The whole security circus is bs. Kids cannot go outside by themselves anymore. They have to wear helmets while being constantly monitored. None of it has brought us to a better place. Fuck it. Just fuck it.
Websites can request data from the user by sending that certificate, it opens the app, it shows you the categories of data to be send, you hold your ID card to the phone, enter the PIN, and the certificate is uploaded to the ID card which verifies it. If its valid, the ID sends back the data that is specified in the certificate.
You then get presented with exactly the data that is going to be sent to the website. You can then agree or disagree. So far that is only used to log in to government websites.
This way the government does not know which sites you visit, and you only send your age to the website.
So I think from that view the eID works pretty well, it provides the minimal necessary information. The bigger issue with something like this is if you use them to enforce real name policies or stuff like that.
Hmm. It's not clear from the description that it is so. The government knows which site sent the request and authenticates your card, which is tied to your identity, right?
You are completely correct that civil law jurisdictions have already solved this: Germany, Estonia, and many others have the all the requirements: a register of all persons available to the central authority, and crypto infrastructure to make it work.
What's missing from the UK, Canada, USA, etc. is the first part! It is hard to believe if you live in Germany, but there really is no big master list of people in those countries. There are many (many, many) lists, linked badly by many different ids. The tax registry, pension registry, drivers license registry, and visa registry are some of the big ones.
Things could be so much simpler if we had such a thing, but the politics between here and there are basically impossible.
Teenagers have been looking at porn since forever. It's practically a trope of teens stealing their parents' porn mags. I don't think any of this has actually caused major societal issues.
The proposed solutions merely require that a teen steal their parent's identification, briefly, to create a porn account and move on. Heck, they can probably buy that information online if they are innovative enough. They certainly will be selling access to their porn accounts to their classmates. And even if they don't go through all that trouble, getting a porn mag is still pretty possible in the UK.
That makes this just a bad law. It doesn't meaningfully stop the problem it's meant to stop and it's expensive and intrusive. Even if privacy preserving age verification was bulletproof and perfect, you still have the gaping hole that such protection has a ton of holes in it.
And then there's the simple fact that other nations exist. Yes, mainstream sites will put up protections, but what about the sealand porn site? Unless the UK wants a great firewall (ala the chinese firewall), they simply aren't going to stop this problem. Even then, VPNs are common knowledge at this point due to streaming.
Bad law, bad effects, and a pointless fight.
Technologies like the mdl standard [1] can attest to age without revealing the users identity.
As Cory points out, its still possible for kids to swipe someones ID and use that. There are probably practical solutions that are good enough. Android, iOS, and parents could work together to deal with the problem of stolen IDs. If mdl is implemented on devices such that they are managed by the device OS, that would lead to auditability. Parents can ask their child to see their phones ID app, which will show full roster of IDs on the child's device. If a parent sees an ID that shouldn't be there, they can have a conversation about it. In this way the law would be about empowering parents to shape their child's online experience. This is just a straw-man example solution, but there may be better ones.
The other objections I saw could be worked through in a similarly pragmatic fashion.
This is probably going to be good enough for most folks, and its probably a good thing to keep children away from pornography and such. And IMO coming up with a "good enough" solution will flush out all the bad actors who are hiding behind the excuse of "save the children" when really they want to build up an record of everyone's browsing history. But by denying any solution to a real problem, we let the bad actors hide amongst the well-intentioned folks who are trying to do the right thing.
[1] https://en.wikipedia.org/wiki/Mobile_driver%27s_license
Common pitfall? It’s why these techno-idealists are loudmouthed on the internet, but don’t get respect anywhere politically. If you want to gain ground politically, you need to at least acknowledge what the problem is, or is perceived to be, and offer a real solution. “Nope we can’t do that because of this 0.1% edge case” doesn’t qualify. “Apple should just dump all schematics online regardless of what China might do” doesn’t qualify. “The internet is great at it is, and your political concerns are invalid” doesn’t qualify.
Why? If you do not believe it is a problem that's just like apologizing when you haven't done anything wrong.
If you're campaigning for technological and/or political change you're in the business of changing peoples minds and if that doesn't matter to you, you've chosen an odd way to spend your time.
Regardless of whether pornography is, or should be legal, average exposure is now 11 years old. That’s average, many kids are even younger.
If this even prevents 95% of kids from accessing pornography until they’re 15 and get a debit card to buy a VPN, that’s a win in the eyes of most parents and legislators. It doesn’t need to be perfect, or even perfectly force you to be 18, to get the primary job done. Pointing to “a 16 year old can get around it with a VPN” is missing the point. It’s not a surprise why that argument falls on deaf ears.
Or, another one, “just use parental controls,” have you even tried this? Almost all parental controls are horrifically buggy, full of loopholes, and these kids can just borrow each other’s technology. Apple’s parental controls predate HTML5 (literally, HTML 4.01) and regularly don’t work, sometimes even by their own admission. It also forces the parent to be in the role of a tech expert fluent in Microsoft, Apple, Google, Nintendo, and other products all at once. You might as well get CompTIA certified. That argument also falls on deaf ears.
The solution, then, ought to be to pass a law requiring some sort of standardized parental controls that allow trivial set-and-forget management. Require device manufacturers/software distributors to sort out a "child mode" switch you can flip upon device initialization, in-your-face and unmissable, and then have apps/webpages be able to see whether the device reports it's in child mode. Does this not solve the "prevents 95% of kids from accessing pornography" threshold of effectiveness while being infinitely less invasive?
Wouldn't even need to develop anything new for this outside of a simplified UI over an MDM. Devices already support an incredible amount of monitoring and control, even iDevices, via MDMs.
But MDMs are for now only business/enterprise products, and are priced as such.
Makes me wonder if there's a market there for someone to just package up a consumer-focused, dead simple to use MDM. Enroll with QR code, set up some default policies, etc.
However, there’s one major problem: Most families aren’t actually using the multi-user capabilities of their devices. Many devices, like iPads or iPhones, just don’t support multi-user at all.
The result? Either parents are tech experts again, or have deep pockets to get everyone a device, or you’re going to have a bunch of kids logged in as their parents on their devices (as is already the case). Of course, that defeats the policy goal. That’s a non-starter, unless we agreed that a device manufacturer could force a biometric check when accessing an age-verified device account.
Nobody has proposed such a thing; but if there was a good way of making sure that the age-verified user is the actual person engaging with the age-verified account, then we might have progress in that direction.
Personally though, I would really prefer to not have the government get any ideas whatsoever about dictating firmware or OS security or OS parental control requirements. Do you really want your Linux distribution mandated to implement an age check firmware with phoning home requirements to a government parental control server?
If a parent can't be bothered to pin-lock their device or flip it into child mode then there is no technological solution. Now you're the one looking for the perfect solution that doesn't exist.
Because the age is verified at the time of access; instead of once during initial setup. Odds are that the former will catch far more flies than the latter.
Your employer probably does the same. Do they have you log in once when you set up your laptop, then comfortably happily say it’s you for the next three years; or do they have you sign in every morning?
Is that really how it works? Every single time you visit any website on the Internet or launch any app it's going to age ID you? I don't think that's right. You validate your account and then you login and you're good. If someone else uses your account, they are you.
And as you said, people share devices but it's also usually one account per app per device. You have to go out of your way to sign out of each individual app or website.
You make it sound like historically it was much later but actually even in the 1980s 11 years old was uncommon. In fact, that matches my own personal experience from that era.
> Or, another one, “just use parental controls,” have you even tried this?
Parental Controls is the right answer but absolutely agree that parental controls suck. As a parent, I'd love just any level of better control. I don't even care if I have different controls per manufacturer as long they're pretty complete and capable.
If the EU can mandate USB-C, they can mandate all technologies include powerful and capable parental controls.
There is no need for age verification -- parents know how old their children are. Parents are providing children with the devices and often the means of connectivity as well. This is and has always been a parenting problem. If the government wants to assist parents, I'm all for that. But age verification is not the answer.
That is, until Linux is also forced to come into compliance with said parental control standard, complete with all centralized reporting and remote restriction capabilities.
> This is and has always been a parenting problem.
What do governments do when everyone has the same parenting problem? Listen to industry idealists, like those who would call teenage smoking a “parenting problem,” or crack down?
Linux is fine. Someone can build the ultimately perfect parental control software for Linux and I'll use it. The same cannot be said for Windows, Android, or iOS -- third party system cannot exist for those platforms that are sufficient unless they're made by Microsoft, Google, or Apple respectively. Perhaps we just have to mandate an open standard. In fact, I would prefer that.
> What do governments do when everyone has the same parenting problem?
The wrong thing. Always.
The govt doesn't care how you verify age only that you don't sell to minors.
Let's say every citizen has an account with their federal government, and the account can be accessed securely in some reasonable way (password, 2FA, hardware token, etc.).
The government can have a public-private RSA key pair specifically for "At least 18 years old". Once the user is authenticated, he can generate a nonce and a blinding factor, multiply them together to get a blinded random number, and upload that to the government for signing. He takes the signature and unblinds it, then submits the original nonce and unblinded signature to the adult website. The website confirms that the nonce and signature is valid according to the government's public key.
This system raises many questions. For example, preventing replay attacks, so the adult website will reject any nonce being reused, or mandating that a timestamp be a subcomponent of the nonce. There is the un-answerable question of how to handle the case where a legitimate adult offers valid signatures for someone else to use. There is also the question of, to what extent the adult website should be able to keep track of the underlying users (even in a hashed format) to monitor abuse, suspicious users who have too much activity, etc.
Sure, there is a strong ideological argument why you should not have strong identities required in the internet in general (or even in offline) and on porn sites specifically, but the argument is not technical.
I can't wait for the next generation that will enjoy "nerding out" on how to best patrol every neighborhood with drones.
Let's put NFC tags on everyone at birth, we can then nerd out harder.
https://www.cs.columbia.edu/~smb/papers/age-verify.pdf
I think it shows the difficulty of implementing it for everyone. But Apple and Google’s cell phone implementations would probably cover most people in some countries when finished, and then there will be a long tail of people who will need cheats and workarounds.
You’d be screwed if you didn’t have any friends who could help you cheat.
It's a system which requires a central agency, probably a government agency, analogous to a certificate authority.
You are authenticated with that agency; it has personal info about you. But you are externally identified by some impersonal identifier, not your name.
The agency issues you a certificate binding this identifier to an assertion like "is over 18 years old".
When you interact with a site that wants to know whether you are over 18 years old, you present the certificate. The site can see that it's signed by the authority and that it has the assertion that you are over 18.
You can't just give that site someone else's certificate because it has to be the one tied to the abstract identity you are presenting (which contains no personal info; it's some kind of UUID or whatever). Plus the cert can be bound to a specific device and such.
The cert has a private keys with which you can prove that you own that cert; or at least that you are the authenticated operator of a device to which that cert was issued.
It's something like that. I may have some key details wrong. The main idea is that some brokerage that does have info about you can attest that you are over 18 without revealing any of the personal info via certificate-like objects.
It sounds like, in theory, the system can achieve good privacy in age verification. But not perfect age verification; people will find ways around it.
A grown up can certify themselves to be over 18 and then hand the device to a teenager; and such an operation can likely be scaled to some extent. And of course no cryptographic system can eliminate the possibility that minors are looking at the screen of a device operated by an adult, who may even step out of the way to let them operate it.
I'm not a privacy hardliner, and I think the socially acceptable tradeoff between privacy and security have been well established before the computer era - if the police has a well-enough established suspicion against you - they can get a warrant and search your home. That's due process.
I would accept if there was a digital version of that which targeted not the encryption itself (which could be as strong as possible) - but the endpoints, like smartphones and computers.
Let's say police had a device which they could plug into your phone, which would send a specially signed message - a digital warrant, containing all the info a real warrant would - which be permanently be burned into the ROM of your phone, after which the phone would surrender its encryption keys, and the police could dump your unencrypted disk.
The phone would be then presented as evidence at the trial, and not following due process would be a cause for mistrial, no matter what they find there.
The general public would be safe in the knowledge that as long as the police isn't hauling them in, their secrets are safe, and the government would get the tools for what they claimed they wanted - a way to catch bad guys with digital tools.
And when (not if) that device leaks whoever steals your phone will be able to get access all of the things in there.
Correct.
> Let's say police had a device which they could plug into your phone, which would send a specially signed message - a digital warrant, containing all the info a real warrant would - which be permanently be burned into the ROM of your phone, after which the phone would surrender its encryption keys, and the police could dump your unencrypted disk.
You are now advocating for making phones insecure for everyone, forever. No.
You should not need to identify yourself to access arbitrary websites, either to the website or to some third party.
https://en.wikipedia.org/wiki/List_of_national_identity_card...
It seems pretty reasonable to leverage this into online identification.
In fact, online ID is already used in the European Union for popular initiatives (see, e.g., https://www.stopkillinggames.com/ ) and nobody seems to think this is “bullshit” or infeasible or any of the concerns that are lobbed at the age verification requirements.
So long as it is done for a legitimate purpose and in good faith, generally no. As such, IDs are only expected where there is reasonable suspicion of possible violation. For example, there is no onus, with a few exceptions, to see an elderly person's ID to buy alcohol when there is no reason to think that they aren't below the minimum age.
The exceptions haven't really been tested. It very well could be found discriminatory, and you could make a pretty good case that it is. Which is ultimately the same case being made earlier. Asking a no-question-about-it 50 year old to provide his ID to watch porn isn't really in good faith, is it?
I think alcohol, tobacco and gambling here are mostly irrelevant, but the firearms is a better example because of the second amendment, where you have a clash between a very old right granted by the bill of rights clashing with modern societies beliefs.
it is possible if you accept that it only needs to be good enough
- it's fully okay if it can be deceived in all kinds of ways
- verifying only once per account is okay, if a adult passes their verified account to a child that their responsibility
- legally not just forbid but criminalize (with required prison sentence) the storing of any data except is adult yes/no from a age verification process
- allow a OS accounts to just tell applications (including websites) that "is 18", if a age verification was done in the account, also no singing or anything cryptographically, because again it's good enough no need to protect it against hacking, the main responsibility still lies with the parents
so then you can do a single age verification per OS account, once, and be done with
furthermore this verification could e.g. go through a process which might identify you identity but a) isn't allowed to pass anything but adult yes/no to anyone else b) isn't allowed to store that info c) on a storing it is a "criminal liability" level where a CTO ordering data collection would go to prison
through if you live in a country where everyone has a passport with NFC chips (e.g. all of EU) just adding a "adult yes/no" function(1) to it + a transparent (open source, non profit) app per country to bridge it to accounts which need verification would do the job without needing the extra strict criminalize abuse part.
Which brings us to the main problem:
- requiring politicians to accept a "good enough" solution, accept that the main responsibility still lies with the parent
- politicians not abusing it to spy on their population
- make laws to prevent companies from ab-using "age verification" to collect private data
and that seems indeed impossible
---
(1): Technically I think it does exist, somewhat in many passes already. But practically it not viable as it (I think) discloses too much information and has too much issues wrt. integrating it (wrt. certificate nonsense)
It's not impossible to design a cryptographic system where law enforcement is a party within it. The false dichotomy of encrypted or not encrypted in my opinion is used to shutdown the conversation since it's easy to argue why no encryption is bad. It's a strawman.
As soon as there is another untrusted party in the encryption, an in particular a party with a "skeleton key" that can decrypt anybody's message, then your encrypted communications are merely one leak away from being decoded by everybody else.
https://www.vice.com/en/article/hackers-published-replicas-a...
Up to now, there has only been intense wishful thinking by politicians, and strong "NOPE" by anyone with any kind of knowledge about cryptography. Either really everyone, including the likes of NSA, CIA and other spy services don't actually employ top cryptographers. Or they repeatedly tried and failed miserably. Or really nobody, including the spies, wants backdoored NOBUS encryption.