Many might’ve seen the Australian ban of social media for <16 y.o with no idea of how to implement it. There have been mentions of “double blind age verification”, but I can’t find any information on it.

Out of curiosity, how would you implement this with privacy in mind if you really had to?

  • General_Effort@lemmy.world
    3 days ago

    I’d lean on the ISPs. Your ISP knows what sites you visit, and they have your location and payment information. They can just insert some verification page when a classified IP is contacted. This gives them hardly any information beyond what they already have. And since they are mainly located in Australia, it is easy to enforce laws on them.

    You have to lean on ISPs anyway because it is quite ridiculous to assume that the entire global internet will implement Australian laws. Does anyone believe that their Lemmy instance will implement some AI face scan or cryptography scheme?

    You would have to block servers that do not comply with the law anyway. The effective solution would be a whitelist of services that have been vetted. In practice, I think we’ll see the digital equivalent of ok boomer.

    If a whitelist seems extreme, then one should have another look at the problem. The point is to make sure that information is only accessed by citizens with official authorization. There is no technological difference between the infrastructure needed to enforce this (or copyrights) and some totalitarian hellscape.

    • MimicJar@lemmy.world
      3 days ago

      > This gives them hardly any information beyond what they already have.

      Except now they know the individuals using your Internet.

      Sure if you live alone they already can easily put that information together. However if you have a partner, a relative and children all living in one house they now know who is in that home.

      Plus maybe no one in the house uses Twitter and Aunt Alice the Twitter user came to visit, does she need to reverify? Your ISP knows that now.

      ISPs would be gaining a lot of new information.

      • General_Effort@lemmy.world
        2 days ago

        It’s not necessary to expose the identities of the users. The age confirmation could happen via a password, PIN, or even a physical USB dongle. Tying such methods to a particular identity adds nothing to the age verification.

        If that is not enough, then one would need a permanent, live webcam feed of the user. It could be monitored by AI, and/or police officers could make random checks.

        Granted, one would have to make sure that not everyone behind the same router can use age-restricted services; eg with a VPN. That would let them assign connections to individual, anonymous adults. But I’d guess you could do that anyway with some confidence by analyzing usage patterns. Besides, information on who is in a home can also be found in other places such as social media or maybe company websites. So I do not think this is much new information.

        But thinking about it, one could compartmentalize this.

        The ISP only allows connections to whitelisted servers, including 1 or more government approved VPNs. The ISP refuses connection to these VPNs without age confirmation. The VPN provider does not need to be told the identity of the customer. There needs to be no persistence across sessions. The ISP need not know what sites are visited via VPN. While the VPN provider need not know about sites visited without.

        If you do it that way, the ISP ends up knowing less than before.

        Since both ISP and VPN servers and offices would be physically located in the country, one would have no problem enforcing prohibitions on data sharing, if desired by lawmakers.

        Anyway, this is the only realistic approach in the whole thread. Everything else assumes that Australian law will be followed globally. And then the ISP still has all that usage data. Why not just use a blockchain…

  • incogtino@lemmy.zip
    4 days ago

    A joke answer, but with the kernel of truth - IRL age verification often requires a trusted verifier (working under threat of substantial penalty) but often doesn’t require that verifier to maintain any documentation on individual verification actions

    https://chinwag.au/verification/

    • onlinepersona@programming.devOP
      4 days ago

      As in, you have to roll up to an “age verification bureau” and say “I’d like to sign up to $platform, please verify that I’m of legal age to use it and tell them so”, then you buy a “token” that you can enter upon signing up? Am I understanding that correctly?

      Anti Commercial-AI license

      • Pup Biru@aussie.zone
        3 days ago

        yes and no: the government already has systems in place that know your age, or they can pay 3rd parties to maintain records… so yes kinda you’d have to verify with them or they’d already have them, but you wouldn’t need to do that for each platform: it’d likely act like a social login (“login with facebook” etc) where you just tap a button and have the service attest to identity details without providing the identity itself

      • incogtino@lemmy.zip
        4 days ago

        I wasn’t thinking in detail, just addressing an assumption I think a lot of age verification discussions include, which is that the verifier would have to be trusted to maintain some sort of account for you, retaining your data etc.

        I have no idea what the legislation says, but I’d be a happier privacy-conscious user if the verification platforms were independent (i.e. not in any other data business) and regulated, with a requirement they don’t retain my personal data at all (like the liquor store example)

        So the verifier gathers data from you, matches it with a request from the platform, provides confirmation that some standard has been met, and deletes almost all personal information - I acknowledge that this may not rise to the double-blind standard of the original request

        Edited to add:

        • you don’t have to ‘buy’ a token, the platform needs to pay verifiers as a cost of business

        • some other comments are asking how you prevent the verifier knowing the platform - to my mind you don’t, instead the verifier retains a request id record from the platform, but forgets entirely who you are

      • JustEnoughDucks@feddit.nl
        3 days ago

        Here in Belgium we have cryptographically signed tokens on our legally mandated IDs.

        You can use that token to do all sorts of things (my company uses them as authorship signatures for our quality system for medical devices), but if we had some standard like that, then we could have some software that would have an OTP based on that that is a huge list of valid OTPs in a website API or so, not linked to the token itself. (So you would have to trust this software that generates the OTP). You will get people using the same OTP, but that wouldn’t matter because it would just be a validity check. Kind of like the old product key generators for games.

        Sure this could be abused or gotten around by a programmer or hack, but for 95% of the population it would be effective age verification without giving away any information or statistics. Sure, people could also abuse it and save a code and use it constantly, but then they would already have been verified. Sharing a code around would also happen with teens, but it would be far more effective than not, especially for the low stakes of age verification.

  • MajorHavoc@programming.dev
    4 days ago

    If I really had to, I would require everyone to whip out whatever assets of sexual maturity they happen to have, and let the computer analyze it and decide a maturity level.

    I would also keep copies for blackmail purposes, because the world is a better place if we all mistrust this solution and anything remotely like it. It’ll be in the legal fine print, which I’m confident no one will read.

    Every answer (other than “trust the user to self identify”) is at least remotely like mine, but I’m proposing we cut out the half-measures on the way.

    To avoid personal consequences, the system I architect will probably wait on a dead-man-switch for me to die or be incarcerated.

    Then it will publish everything it has ever seen, along with AI generated commentary. I’m confident that some of it will be hilarious, and I am hopeful that it will piss everyone off enough that we stop doing this kind of thing.

  • Draconic NEO@programming.dev
    4 days ago

    It can’t. It requires invasion of privacy to verify information about the individual they don’t have the right to access.

    Digital age verification goes against privacy. Let’s not delude ourselves into thinking it can.

  • Asidonhopo@lemmy.world
    4 days ago

    I seem to remember Leisure Suit Larry verified age using trivia questions that only older people would answer correctly. I know this because at 8 years old I guessed enough of them on my father’s friend’s computer to play it.

    • onlinepersona@programming.devOP
      4 days ago

      oof, I’d fail trivia questions for my age group because I had a… complicated childhood. But it would probably be a problem for foreigners who didn’t grow up in the country. Imagine coming from Chile and having to know about Australian trivia from the 70s or something to sign up for a social media platform 😄

      Anti Commercial-AI license

    • Kissaki@programming.dev
      2 days ago

      I talked to a friend of mine last week and they didn’t know of the old PS/2 mouse/keyboard cable/sockets. They’ve seen it before, but it wasn’t familiar to them. Nobody only having used USB devices will remember those.

      • Asidonhopo@lemmy.world
        2 days ago

        I was just getting used to PS/2 connectors replacing serial mice and keyboards and then friggin USB comes along…

  • eyeon@lemmy.world
    3 days ago

    All I can think of are some variations of you trusting a service to validate your id and give you a token that just asserts your id has been validated.

    But it’s still not really privacy preserving because it relies on trusting both parties to not collaborate against your privacy. If at some point the id provider decides to start keeping records of what tokens were generated from your id, and the service provider tracking what was consumed with that token, then you can still put it all back together.

    • phlegmy@sh.itjust.works
      2 days ago

      That’s when you add an extra point of failure validator.
      Server 1 generates a token for server 2 to validate.
      You send the token to server 2, who validates and generates you a token for server 3. Then finally server 3 validates the token and grants/denies your access.

      The more nodes you have across different countries, the harder it is for the last server to discover your identity.

      Definitely not without its flaws, but I wonder if a decentralised node setup similar to the tor network could work.

  • ben_dover@lemmy.ml
    3 days ago

    in blockchain tech, there’s the concept of “zero knowledge proofs”, where you can prove having certain information without revealing the info itself

    • sinceasdf@lemmy.world
      3 days ago

      Would be interesting to see a govt tackle setting up a trustless system like is required for cybersecurity best practices. I think it’s a thorny issue without a trusted authority though.

      What stops an ID from being posted publicly or shared en masse? So one ID can be used unlimited times - just share the key with minors for $1 at no risk to oneself since there’s no knowledge of the ‘transaction’ being sent around. Better for individual privacy but that undermines the political impetus for wanting the verification. Usage would probably have to be monitored or capped, kind of defeating the advantage of the anonymous protocol (or accept that abuse is unenforceable).

    • IphtashuFitz@lemmy.world
      3 days ago

      So how would you use it to solve this problem? There still needs to be some sort of foolproof way of saying “person X is only 14 years old”.

      • planish@sh.itjust.works
        3 days ago

        You would prove something like “I possess a private key that matches a public key that is in this list of public keys belonging to people at least X years old”. But without revealing which item in the list is the specific one for you. Which is the zero knowledge proofs’ cool trick.
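Added illustration, not part of the original comment: the statement described above ("I hold the private key for one of the public keys in this list, but I won't say which") can be realised with a Schnorr-style ring signature over a platform-supplied nonce. The toy group, the five-key register, the nonce strings and all function names are assumptions made for this sketch.

```python
import hashlib
import secrets

# Toy discrete-log group chosen for readability only (NOT secure): P is the
# Mersenne prime 2^127 - 1 and exponents are reduced mod P - 1. A real system
# would use a standard prime-order group from a vetted library.
P = 2**127 - 1
G = 3
ORDER = P - 1

def keygen():
    """Return (private key x, public key G^x mod P)."""
    x = secrets.randbelow(ORDER - 1) + 1
    return x, pow(G, x, P)

def challenge(msg: bytes, ring, commitment: int) -> int:
    """Hash the nonce, the whole key list and one commitment to a challenge."""
    h = hashlib.sha256(msg)
    for y in ring:
        h.update(y.to_bytes(16, "big"))
    h.update(commitment.to_bytes(16, "big"))
    return int.from_bytes(h.digest(), "big") % ORDER

def ring_sign(msg: bytes, ring, idx: int, x: int):
    """Sign msg as 'someone in ring'; idx and x are the signer's slot and key."""
    n = len(ring)
    c, s = [0] * n, [0] * n
    k = secrets.randbelow(ORDER)
    i = (idx + 1) % n
    c[i] = challenge(msg, ring, pow(G, k, P))
    while i != idx:
        # Every other slot gets a random response; its challenge is then forced.
        s[i] = secrets.randbelow(ORDER)
        commit = pow(G, s[i], P) * pow(ring[i], c[i], P) % P
        i = (i + 1) % n
        c[i] = challenge(msg, ring, commit)
    # Only the real key can close the loop at the signer's own slot.
    s[idx] = (k - c[idx] * x) % ORDER
    return c[0], s

def ring_verify(msg: bytes, ring, sig) -> bool:
    """Walk the challenge chain once around the ring; it must return to c0."""
    c0, s = sig
    if len(s) != len(ring):
        return False
    c = c0
    for y, s_i in zip(ring, s):
        c = challenge(msg, ring, pow(G, s_i, P) * pow(y, c, P) % P)
    return c == c0

def demo():
    adults = [keygen() for _ in range(5)]       # constructed register of 18+ keys
    ring = [pub for _, pub in adults]
    nonce = b"platform-nonce-constructed-1"     # fresh per sign-up, blocks replay
    sig = ring_sign(nonce, ring, 3, adults[3][0])
    outsider_x, _ = keygen()                    # key that is not on the list
    forged = ring_sign(nonce, ring, 3, outsider_x)
    return {
        "member_ok": ring_verify(nonce, ring, sig),
        "replayed_on_other_nonce": ring_verify(b"another-nonce", ring, sig),
        "outsider_ok": ring_verify(nonce, ring, forged),
    }

if __name__ == "__main__":
    print(demo())
```

The verifier runs the same check for every slot, so nothing in the signature marks which slot was the signer's. Lending out a private key still works, which is the sharing problem raised earlier in this thread.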

  • /home/pineapplelover@lemm.ee
    2 days ago

    Well Australia will probably do something privacy invading and fascist.

    I guess if you want it to be somewhat private you could have some kind of hash or token generated from your identification information. I bet that would be fairly private

    • actually@lemmy.world
      4 days ago

      Doesn’t this assume the issuing agency has all employees who are morally sound and not leaking data, unnoticed by an internally badly designed system, which is designed by people who are out of touch? Most things like this are designed that way, irregardless of country.

      I’m sure one can make it watertight but it’s so hard and still depends on trusting people. The conversation here is about one thing of a larger system. There are probably a hundred moving parts in any bureaucracy.

      • demesisx@infosec.pub
        4 days ago

        This is the understanding ANYWHERE. How do we know there aren’t back doors in our OS’s? We literally have no clue. We do THE BEST WE CAN using the clues we have.

        • actually@lemmy.world
          4 days ago

          I don’t know anything about cryptology; I have an imagination about how many things can go wrong hooking up parts and running them.

          If it’s the law to make an age verification system then it will be made.

          But I think one either has an age verification or privacy, but not both, in any country in the world.

          I’m totally sure many of the discussions here about crypto are way above my head. But I’m equally sure while any one part will look fine on paper, the sum total will be used by an expanding government agency, crime, or both.

        • pro3757@programming.dev
          4 days ago

          Yeah, these things quickly boil down to the trusting trust thing (see Ken Thompson’s Turing award lecture). You can’t trust any system until you’ve designed every bit from scratch.

          You gotta put your trust somewhere, or you won’t be able to implement jack.

          • socsa@piefed.social
            2 days ago

            This isn’t as limiting as it seems at first glance though. Sending pictures of a true one time pad cipher doesn’t rely on the security of the transport or the camera. From there you can choose to make a compromise of convenience and get to things like Private key cryptography where the ciphers are done via basic xor arithmetic you can do by hand.

      • demesisx@infosec.pub
        4 days ago

        You seem to be joking but ZK and Homomorphic encryption don’t necessarily need to involve blockchain but they can.

        This is like someone mentioning UUID’s and you leave a weird sarcastic comment about databases (and everyone suddenly villainizing them due to them being used for scams).

        • PoolloverNathan@programming.dev
          4 days ago

          I believe they were referring to last year’s trend of blockchain being introduced to everything unnecessarily (as a marketing buzzword, similar to AI).

          • demesisx@infosec.pub
            4 days ago

            I got the joke. What I didn’t get is why it was even remotely relevant to the discussion at hand since ZK is used a lot in crypto but it’s also used everywhere else. It muddied the waters and made the joke somewhat nonsensical, IMO. Perhaps OP was unaware of how prevalent ZK is in the crypto world…

            Oh well. Have a good day.

            • jonathan@lemmy.zip
              4 days ago

              You say you got the joke, but everything else you said suggests you didn’t. Just to be clear I wasn’t being critical of your reply, I was mocking the cryptobros the other poster mentioned.

      • MalReynolds@slrpnk.net
        3 days ago

        I’ve always thought that it should be the relevant ID issuing organisation, with whom the damage to privacy has already been done, might as well leverage it.

    • leisesprecher@feddit.org
      4 days ago

      God I hate cryptography so much for making me feel stupid every time I read anything about it.

      I want to feel smat!

      • demesisx@infosec.pub
        4 days ago

        I find it intimidating for sure. They say “never roll your own crypto” and I take those words to heart. Still, it would suck to have to hire someone and just trust their work. That person could be another Sam Bankman-Fried or Do Kwon and you’d be party to their scam and you’d have no idea.

        • leisesprecher@feddit.org
          4 days ago

          I’m not sure what these things have to do with each other. How exactly would cryptography have prevented SBF, you know, a crypto bro.

          • demesisx@infosec.pub
            4 days ago

            It wouldn’t have. You totally misunderstood my comment. Reread it.

            To paraphrase: when you hire a cryptographer to work on your project you have to hope that they are not a scammer because they could easily lie to you about the soundness of their cryptography and you’d have no idea. You see, SBF and Do Kwon were liars. If they had been cryptographers (they aren’t and weren’t) their employer would have to believe them since they would be an expert in something nearly impossible for a layman to understand.

            Do you get it yet?

            • leisesprecher@feddit.org
              4 days ago

              I get what you’re trying to say, but I’m not sure it makes sense.

              I mean, that’s literally every field you’re not an expert in. And most of us are experts in less than one field.

              You don’t know about medicine, car engines, electricity or tax laws, you have your guys for that. Even in our field, we have guys for databases, OSes, networking, because quite frankly nobody understands those really.

              So I’m not sure what the point of your comment is. That having experts is good? Yeah, I guess? Did we need to have that reinforced?

              • demesisx@infosec.pub
                4 days ago

                If a doctor or mechanic was wrong, at least you’d have an inkling that things were wrong and you’d be able to sue them. Whereas with cryptography, no one has ANY IDEA WHATSOEVER if there are back doors until they are used to rob people blind. In all of the cases you mentioned, victims of those abuses have recourse whereas in cryptography, if things are wrong, they often CANNOT be patched and it’s even exceptionally hard for an expert to prove what went wrong.

  • Simulation6@sopuli.xyz
    2 days ago

    Sites are just going to ask people ‘Are you over 16? (Y/N)’. Site is now legally covered, and that is all anyone cares about.

    • Aussiemandeus@aussie.zone
      2 days ago

      Just like porn and grog in Australia already.

      Not to mention MySpace, you needed to be over 16 or something so we all lied

  • Harrk@lemmy.world
    3 days ago

    Recently I saw an article on more needs to be done about age verification because it’s easy for children to falsify it (and most do). On the other hand you have adults who falsify it because it’s nobody’s business how old you are.

    Current protections that ask you to confirm your age are completely pointless.

    Now if you were required to provide ID to access X service, would you? If we’re talking adult content then children will simply look elsewhere, taking them to potentially more dangerous areas of the internet. (Heck, so would adults) Same if you deny them social media.

    But if we’re implementing verification regardless then it needs to come from a third party. And it also has to be easy. Like something you do only once.

    First: I would allow children access to social media under a child account that has limited access and ability to be audited by a parent. This is important because you don’t want them going somewhere you have no control over. (Which they will)

    Secondly: An age verification gateway that can be implemented by developers seeking to use it. Possibly managed by the government body responsible for issuing ID (or a partner). This would be taking a short video of yourself plus uploading ID. (Banks are doing this now)

    Thirdly: ease of use. Majority of us have a google or apple account associated with whatever device we have. Let those accounts hook into the 2nd step and share if an account is a child/adult account with any social platforms you log in using it with.

    Just a few thoughts that came to mind whilst waiting for dinner. Feel free to tear it apart!