To me it seems like Cory Doctorow is demanding perfection, and saying that because we can't achieve perfection in age verification, we can't do age verification at all. That isn't going to stop people from trying, and we will end up with a worse system overall. IMO this is a common pitfall of techno-idealists.
Technologies like the mDL standard [1] can attest to age without revealing the user's identity.
As Cory points out, it's still possible for kids to swipe someone's ID and use that. There are probably practical solutions that are good enough. Android, iOS, and parents could work together to deal with the problem of stolen IDs. If mDL is implemented on devices such that they are managed by the device OS, that would lead to auditability. Parents can ask their child to see their phone's ID app, which will show the full roster of IDs on the child's device. If a parent sees an ID that shouldn't be there, they can have a conversation about it. In this way the law would be about empowering parents to shape their child's online experience. This is just a straw-man example solution, but there may be better ones.
The other objections I saw could be worked through in a similarly pragmatic fashion.
This is probably going to be good enough for most folks, and it's probably a good thing to keep children away from pornography and such. And IMO coming up with a "good enough" solution will flush out all the bad actors who are hiding behind the excuse of "save the children" when really they want to build up a record of everyone's browsing history. But by denying any solution to a real problem, we let the bad actors hide amongst the well-intentioned folks who are trying to do the right thing.
I'm confused. Author puts crypto backdoors and IDP with ZKP into the same bucket and calls it "nerding harder". But why? You can have an identity provider, several European countries do, and you can have subcredentials. You literally can nerd harder here.
Sure, there is a strong ideological argument why you should not have strong identities required on the internet in general (or even offline) and on porn sites specifically, but the argument is not technical.
thyristan · 2m ago
But it is. In those European countries, IDPs and certification authorities are one and the same entity. So the technical requirement of privacy evaporates, the government will always know who is proving their age to which porn site.
JanisErdmanis · 6m ago
How would setting up a primary credential with an identity provider differ from the process of registering to vote for USA citizens? All the discrimination opportunities and accountability issues seem to apply equally there.
lmz · 1m ago
The same people who argue this will also argue that voter ID rules are discriminatory.
dathinab · 1m ago
> "Privacy preserving age verification" is bullshit
it is possible if you accept that it only needs to be good enough
- it's fully okay if it can be deceived in all kinds of ways
- verifying only once per account is okay, if an adult passes their verified account to a child that's their responsibility
- legally not just forbid but criminalize (with required prison sentence) the storing of any data except is adult yes/no from an age verification process
- allow OS accounts to just tell applications (including websites) that "is 18", if an age verification was done in the account, also no signing or anything cryptographically, because again it's good enough no need to protect it against hacking, the main responsibility still lies with the parents
so then you can do a single age verification per OS account, once, and be done with
furthermore this verification could e.g. go through a process which might identify your identity but a) isn't allowed to pass anything but adult yes/no to anyone else b) isn't allowed to store that info c) storing it is on a "criminal liability" level where a CTO ordering data collection would go to prison
though if you live in a country where everyone has a passport with NFC chips (e.g. all of EU) just adding an "adult yes/no" function(1) to it + a transparent (open source, non profit) app per country to bridge it to accounts which need verification would do the job without needing the extra strict criminalize abuse part.
Which brings us to the main problem:
- requiring politicians to accept a "good enough" solution, accept that the main responsibility still lies with the parent
- politicians not abusing it to spy on their population
- make laws to prevent companies from abusing "age verification" to collect private data
and that seems indeed impossible
charcircuit · 6m ago
>politicians all over the world demanded a kind of impossible encryption
It's not impossible to design a cryptographic system where law enforcement is a party within it. The false dichotomy of encrypted or not encrypted in my opinion is used to shut down the conversation since it's easy to argue why no encryption is bad. It's a strawman.
[1] https://en.wikipedia.org/wiki/Mobile_driver%27s_license