| ▲ | zevv 6 days ago |
| So, what will be the proper technology to apply here? I have no problem with verification of my age (not the date of birth, just the boolean, >18yo), but I do have a problem with sending any party a picture of my face or my passport. |
|
| ▲ | someNameIG 5 days ago | parent | next [-] |
| Discord got me to do this about 2 weeks ago (I'm Australian so they seem to be rolling this out here too), at least for the face scan the privacy policy said it occurred on device, so if you believe that you're not sending anyone images of your face. |
| |
| ▲ | Retr0id 5 days ago | parent | next [-] | | Fascinating. If it really isn't sending the face images, spoofing the verification could be as simple as returning a boolean to some API. | |
| ▲ | Tokumei-no-hito 4 days ago | parent | prev [-] | | we don't store your face [just the unique biometric metadata weights]. a computer doesn't need a picture to identify you, just store the numbers and you can legally claim you aren't "storing the picture". |
|
|
| ▲ | londons_explore 6 days ago | parent | prev | next [-] |
| Maybe someone like apple will make a "verify user looks over 18" neural net model they can run in the secure enclave of iphones, which sends some kind of "age verified by apple" token to websites without disclosing your identity outside your own device? Having said that, I bet such a mechanism will prove easy to fake (if only by pointing the phone at grandad), and therefore be disallowed by governments in short order in favour of something that doesn't protect the user as much. |
| |
| ▲ | miki123211 6 days ago | parent [-] | | Apple lets you add IDs to your wallet in some jurisdictions. I wouldn't be surprised if they eventually introduce a system-wide age verification service and let developers piggyback on it with safe, privacy-preserving assertions. |
|
|
| ▲ | kelseyfrog 5 days ago | parent | prev | next [-] |
| This is a social problem and as such cannot be solved with technology. You would have to make social media so uncool that young people didn't use it. One of the easiest ways of doing this is associating it with old people. Therefore the fastest way to get young people off discord is to get geriatric on discord and en-mass. |
| |
| ▲ | KaiserPro 5 days ago | parent [-] | | Underage drinking is a social problem. The issue isn't social media is bad, the issue is that social media has no effective moderation. If an adult is hanging out at the park talking to minors, thats easy to spot and correct. there is a strong social pressure to not let that happen. The problem is when moving to chat, not only is a mobile private to the child, there are no safe mechanisms to allow parents to "spot the nonce". Moreover the kid has no real way of knowing they are adults until it's too late. Its a difficult problem, doing nothing is going to ruin a generation (or already has), doing it half arsed is going to undermine privacy and not solve the problem. |
|
|
| ▲ | 1659447091 5 days ago | parent | prev | next [-] |
| OIDC4VCI(OpenID for Verifiable Credential Issuance)[0] is what I think has the most promise. My understanding is that an issuer can issue a Credential that asserts the claims (eg, you are over 18) that you make to another entity/website and that entity can verify those claims you present to them (Verifiable Credentials). For example, if we can get banks - who already know our full identity - to become Credential Issuers, then we can use bank provided Credentials (that assert we are over 18) to present to websites and services that require age verification WITHOUT having to give them all of our personal information. As long the site or service trust that Issuer. [0] https://openid.net/specs/openid-4-verifiable-credential-issu... |
| |
| ▲ | Hizonner 5 days ago | parent [-] | | You mean without giving them any personal information other than where to find your bank account. | | |
| ▲ | 1659447091 5 days ago | parent [-] | | It doesn't have to be your bank if you don't want, have the DMV be an issuer or your car insurance, or health insurance or cell phone service etc. You choose which one you want you want to have assert your claim. They already know you. It's a better option than giving every random website or service all of your info and biometric data so you can 'like' memes or bother random people with DM's or whatever people do on those types of social media platforms | | |
| ▲ | stubish 5 days ago | parent | next [-] | | For Australia (who will need something like this this year per current legislation), the only sensible location is the government my.gov.au central service portal. None of the other services have an incentive or requirement to do it (Medicare, drivers license issuers, Centrelink). And given the scope of the rollout (all major social media, as nominated by the gov), it would need almost all of the banks or super funds to implement the same API for the project to not fail. But I don't think anyone has told my.gov.au that needs to happen, so we are either going to get some proprietary solution from social media companies (tricky, since they will need to defend it in court as they are liable, but maybe discord saying 'best we can do sorry' or 'better than our competitors' will let them off). Or just switching off the services for a few days until the politicians panic about the blow back and defer the rollout until some committee can come up with a workable solution (ideally in the next election cycle). | |
| ▲ | LinuxBender 5 days ago | parent | prev | next [-] | | I think the post office could suffice in most countries for this. Or server operators could just implement RTA headers and put the liability on apps/devices to look for the header. | |
| ▲ | Hizonner 5 days ago | parent | prev [-] | | > It doesn't have to be your bank if you don't want, "If I don't want"? I would get no choice at all about who it would be, because in practice the Web site (or whoever could put pressure on the Web site) would have all of the control over which issuers were or were not acceptable. Don't pretend that actual users would have any meaningful control over anything. The sites, even as a (almost certainly captured and corrupt) consortium, wouldn't do the work to accept just any potentially trustworthy issuer. In fact they probably wouldn't even do the work to keep track of all the national governments that might issue such credentials. Nor would you get all national governments, all banks, all insurance companies, all cell phone carriers, all neighborhood busibodies, or all of any sufficiently large class of potentially "trustable" issuers to agree to become issuers. At least not without their attaching a whole bunch of unacceptable strings to the deal. What's in it for them, exactly? Coordinating on certifying authorities is the fatal adoption problem for all systems like that. Even the X.509 CA infrastructure we have only exists because (a) it was set up when there were a lot fewer vested interests, and (b) it's very low effort, because it doesn't actually verify any facts at all about the certificate holder. The idea that you could get around that adoption problem while simultaneously preserving anything like privacy is just silly. Furthermore, unless you use an attestation protocol that's zero-knowledge in the identity of the certifier, which OpenID is unlikely ever to specify, nor are either issuers or relying parties going to adopt this side of the heat death of the Universe, you as a user are still always giving up some information about your association with something. Worse, even if you could in fact get such a system adopted, it would be a bad thing. Even if it worked. Even if it were totally zero-knowledge. Infrastructure built for "of adult age" verification will get applied to services that actively should not have such verification. Even more certainly, it will extended and used to discriminate on plenty of other characteristics. That discrimination will be imposed on services by governments and other pressuring entities, regardless of their own views about who they want to exclude. And some of it will be discrimination you will think is wrong. It's not a good idea to go around building infrastructure like that even if you can get it adopted and even if it's done "right". Which again no non-zero-knowledge system can claim to be anyway. Counterproposal: "those types of social media platforms" get zero information about me other than the username I use to log in, which may or may not resemble the username I use anywhere else. Same for every other user. The false "need" to do age verification gets thrown on the trash heap where it belongs. | | |
| ▲ | 1659447091 5 days ago | parent [-] | | > Don't pretend that actual users would have any meaningful control over anything. You do have control, you just don't like the option of control you have which is to forgo those social/porn sites altogether. You want to dictate to businesses and the government how to run their business or country laws that you want to use. And you can sometimes, if you get a large enough group to forgo their services over their policies, or to vote in the right people for your cause. You can also wail about it til the cows come home, or you can try and find working solutions that will BOTH guard privacy and allows a business to keep providing services by complying with laws that allow them to be in business in the first place. It's not black & white and it's not instant, it's incremental steps and it's slow and sometimes requires minor compromise that comes with being an Adult and finding Adult solutions. I'm not interested in dreaming about some fantasy of a libertarian Seasteading world. Been there done that got the t-shirt. I prefer finding solutions in the real world now. > The false "need" to do age verification gets thrown on the trash heap where it belongs. This is something you should send to your government that makes those rules. The businesses (that want to stay in compliance) follow the government rules given to them. The ones that ask for more are not forcing you against your will to be a part of it. I get you don't like it, I don't care for it either; but again, you can throw a fit and pout about it - or try tofind workable solutions. This is what I choose to do even though I made the choice long ago to not use social media (except for this site and GitHub for work if you want to count those) porn sites or gambling or other nonsense. So all these things don't affect me since I don't go around signing up for or caring for all the time wasting brain rot(imo) things. But I am interested in solutions because I care about data privacy | | |
| ▲ | Hizonner 5 days ago | parent [-] | | Those businesses also have control. They just don't like the option of control they have, which is to stay out of those countries altogether. > This is something you should send to your government that makes those rules. My government hasn't made those rules, at least not yet. Last time they tried, I joined the crowd yelling at them about it. It's easier to do that if people aren't giving them technology they can pretend solves the fundamental problems with what they're doing. Any more bright ideas? | | |
| ▲ | 1659447091 5 days ago | parent [-] | | > Those businesses also have control. They just don't like the option of control they have, which is to stay out of those countries altogether. Yes. ? Apparently they don't want to leave and are happy staying there and complying. If you don't like a businesses practice, don't use them. . . > Last time they tried, I joined the crowd yelling at them about it. Good. I hope more people that feel as strongly about the subject as you will follow your lead. > It's easier to do that if people aren't giving them technology they can pretend solves the fundamental problems with what they're doing. No one is "giving" them technology that pretends anything. There is a community effort to come up with privacy focused, secure solutions. If you noticed the OIDC4VC protocols are still in the draft phase. If it's fubar no one will use it. Worse than that is, if nothing comes of any proposed solutions, the state won't just say oh well you tried. Either we will continue to deal with the current solution of businesses collecting our ids and biometrics and each one having a db of this info to sell/have stolen, or, some consultant that golfs with some gov official will tell them the tech industry can't figure it out but they have a magic solution that's even better and will build a system (using tax dollars) that uses government IDs with the added bonus of tracking and then all of our internet usage can be tracked by the government. Wantonly dismissing any effort to make things better in an acceptable way is not going to make it magically go away forever. That ship has sailed. You can resist efforts to find a privacy focused solution and get stuck with an even worse one from the state, or, get your crowd yelling hat back on and help make sure data and privacy protections are solidly baked into these solutions the tech community is trying to build. |
|
|
|
|
|
|
|
| ▲ | threeseed 6 days ago | parent | prev | next [-] |
| Variation of PassKeys could work well. Especially if it was tightly integrated into the OS so that parents could issue an AgeKey to each of their children which sites would ask for. |
|
| ▲ | hedora 6 days ago | parent | prev [-] |
| Parents? |
