Well they could do it the right way where, for example, you go to your city hall to get a certificate of age where they check your ID.
Then some cryptography happens so you only enter a public key from that certificate on a website or OS to verify your age.
The website or OS doesn’t check your ID. City hall doesn’t know your browsing history.
But I’m not fooling myself, that’s not the point of such a law.
That’s not true. It’s simple if all you actually want is age verification.
You go in to the government building and show your ID. Seeing you are 18 or older you get to go to another room where they don’t check your ID, just give you a token saying the one holding it is over 18. Make the token like a FIDO key where you have a pin you set yourself.
There is an air gap between the validation and the token creation so there is no way to go from token to ID. You make the key use a pin so we consider it to be once usable by one person.
The issue is not about the technology. The issue is that we all know this has nothing to do with kids getting on porn sites.
You make the key use a pin so we consider it to be once usable by one person.
Now you have trusted the user not to provide the PIN to another, and the implementation is no longer correct. You’d at least need to use biometrics to tie the key to the person.
You are changing the goal. The point of this is to provide THE USER with a solution where they don’t have to give away their personal information to the Government or the 3rd Party site. We do not care about situations where users commit crimes as that means our focus is on the Government’s needs which they would already have met by just implementing a “Show us your ID” solution.
Now you could make the pin be a biometric so it’s physically connected to the user. But part of the solution needs to be that the token is not identifiable with the user. If I pull of my wrist band no one will know it was mine. If you throw out your token someone could go around testing everyone’s fingers and find out it was yours.
Without ensuring that the key issued to one person is not used by another, the key does not prove the age of the user, and isn’t that the whole point of the key?
no, the point of the key is to access infomatîon without giving away personal information.
Even a photo ID doesn’t prove age. It just shows a record of what age the gov thinks someone is. They are still prone to forgery, misuse, etc. There isn’t any actual method of showing someone’s age so we can skip that part and focus on what the actual need of the user is, accessing a website while not handing over more personal information than is necessary.
What website is going to accept a key that doesn’t prove someone’s age though? We already have buttons that say “I’m over 18”. How this key better than that?
It can be a shared token. For example a cryptographic hash. There are many solutions for the problem of certifying a token while giving no traceable data.
In most solutions there would be the traceability of knowing “User X went to site Y and site Z” but never knowing who “User X” is. There have been solutions proposed that create site specific hashes where it becomes more difficult if not impossible to track a user across different sites. So it just depends on if this issue needs to be resolved or not.
Personally I would be fine letting every porn site I use know I’ve been to every other porn site. If you wanted to go somewhere that you don’t want them to know, throw out your token and go get a new one.
Remember folks, age verification is personal identity verification.
💯 don’t call it age verification - that’s just what the unmasked scooby-doo villain is still hiding behind.
Well they could do it the right way where, for example, you go to your city hall to get a certificate of age where they check your ID. Then some cryptography happens so you only enter a public key from that certificate on a website or OS to verify your age.
The website or OS doesn’t check your ID. City hall doesn’t know your browsing history.
But I’m not fooling myself, that’s not the point of such a law.
no implementation of personal ID for internet access will ever be “correct.”
Exactly. Digital ID verification is in no way comparable to physical ID verification.
incorrect.
Please do explain why you think digital id verification is indeed comparable to physical id verification.
That’s not true. It’s simple if all you actually want is age verification.
You go in to the government building and show your ID. Seeing you are 18 or older you get to go to another room where they don’t check your ID, just give you a token saying the one holding it is over 18. Make the token like a FIDO key where you have a pin you set yourself.
There is an air gap between the validation and the token creation so there is no way to go from token to ID. You make the key use a pin so we consider it to be once usable by one person.
The issue is not about the technology. The issue is that we all know this has nothing to do with kids getting on porn sites.
Now you have trusted the user not to provide the PIN to another, and the implementation is no longer correct. You’d at least need to use biometrics to tie the key to the person.
You are changing the goal. The point of this is to provide THE USER with a solution where they don’t have to give away their personal information to the Government or the 3rd Party site. We do not care about situations where users commit crimes as that means our focus is on the Government’s needs which they would already have met by just implementing a “Show us your ID” solution.
Now you could make the pin be a biometric so it’s physically connected to the user. But part of the solution needs to be that the token is not identifiable with the user. If I pull of my wrist band no one will know it was mine. If you throw out your token someone could go around testing everyone’s fingers and find out it was yours.
Without ensuring that the key issued to one person is not used by another, the key does not prove the age of the user, and isn’t that the whole point of the key?
no, the point of the key is to access infomatîon without giving away personal information.
Even a photo ID doesn’t prove age. It just shows a record of what age the gov thinks someone is. They are still prone to forgery, misuse, etc. There isn’t any actual method of showing someone’s age so we can skip that part and focus on what the actual need of the user is, accessing a website while not handing over more personal information than is necessary.
What website is going to accept a key that doesn’t prove someone’s age though? We already have buttons that say “I’m over 18”. How this key better than that?
Would these tokens be unique per website visit? Are they generated by the user or the government?
It can be a shared token. For example a cryptographic hash. There are many solutions for the problem of certifying a token while giving no traceable data.
In most solutions there would be the traceability of knowing “User X went to site Y and site Z” but never knowing who “User X” is. There have been solutions proposed that create site specific hashes where it becomes more difficult if not impossible to track a user across different sites. So it just depends on if this issue needs to be resolved or not.
Personally I would be fine letting every porn site I use know I’ve been to every other porn site. If you wanted to go somewhere that you don’t want them to know, throw out your token and go get a new one.
Never say never there is ALWAYS a way to do things right. But our government is too stupid to do it. So it might as well be impossible. Kek
If it’s completely local I’m less worried than online verification.
I’m not uploading any age verification online. I’ll quit the internet first.