overfeed 6 days ago

> The bots will eventually be indistinguishable from humans

Not until they get issued government IDs they won't!

Extrapolating from current trends, some form of online ID attestation (likely based on government-issued ID[1]) will become normal in the next decade, and naturally, this will be included in the anti-bot arsenal. It will be up to the site operator to trust identities signed by the Russian government.

1. Despite what Sam Altman's eyeball company will try to sell you, government registers will always be the anchor of trust for proof-of-identity, they've been doing it for centuries and have become good at it and have earned the goodwill.

marcus_holmes 6 days ago | parent | next [-]

How does this work, though?

We can't just have "send me a picture of your ID" because that is pointlessly easy to spoof - just copy someone else's ID.

So there must be some verification that you, the person at the keyboard, is the same person as that ID identifies. The UK is rapidly finding out that that is extremely difficult to do reliably. Video doesn't really work reliably on all cases, and still images are too easily spoofed. It's not really surprising, though, because identifying humans reliably is hard even for humans.

If we do it at the network level - like assigning a government-issued network connection to a specific individual, so the system knows that any traffic from a given IP address belongs to that specific individual. There are obvious problems with this model, not least that IP addresses were never designed for this, and spoofing an IP becomes identity theft.

We also do need bot access for things, so there must be some method of granting access to bots.

I think that to make this work, we'd need to re-architect the internet from the ground up. To get there, I don't think we can start from here.

tern 6 days ago | parent | next [-]

If you're really curious about this, there's a place where people discuss these problems annually: https://internetidentityworkshop.com/

Various things you're not thinking of:

- "The person at the keyboard, is the same person as that ID identifies" is a high expectation, and can probably be avoided—you just need verifiable credentials and you gotta trust they're not spoofed

- Many official government IDs are digital now

- Most architectures for solving this problem involve bundling multiple identity "attestations," so proof of personhood would ultimately be a gradient. (This does, admittedly, seem complicated though ... but World is already doing it, and there are many examples of services where providing additional information confers additional trust. Blue checkmarks to name the most obvious one.)

As for what it might look like to start from the ground up and solve this problem, https://urbit.org/, for all its flaws, is the only serious attempt I know of and proves it's possible in principle, though perhaps not in practice

marcus_holmes 5 days ago | parent [-]

that is interesting, thanks.

Why isn't it necessary to prove that the person at the keyboard is the person in the ID? That seems like the minimum bar for entry to this problem. Otherwise we can automate the ID checks and the bots can identify as humans no problem.

And how come the UK is failing so badly at this?

TheDong 6 days ago | parent | prev | next [-]

We almost all have IC Chip readers in our pocket (our cell phones), so if the government issues a card that has a private key embedded in it, akin to existing GnuPG SmartCards, you can use your phone to sign an attestation of your personhood.

In fact, Japan already has this in the form of "My Number Card". You go to a webpage, the webpage says "scan this QR code, touch your phone to your ID card, and type in your pin code", and doing that is enough to prove to the website that you're a human. You can choose to share name/birthday/address, and it's possible to only share a subset.

Robots do not get issued these cards. The government verifies your human-ness when they issue them. Any site can use this system, not just government sites.

47282847 6 days ago | parent [-]

Germany has this. The card plus PIN technically proves you are in current possession of both, not that you are the person (no biometrics or the like). You can choose to share/request not only certain data fields but also e.g. if you are below or above a certain age or height without disclosing the actual number.

bregma 6 days ago | parent [-]

> if you are below or above a certain age or height

Is discrimination against dwarves still a thing in Germany?

TheDong 6 days ago | parent [-]

I want to believe that this would be used at amusement parks to scan "can I safely get on this ride" and at the entrance to stairs to tell you if you'll bump your head or not.

47282847 6 days ago | parent [-]

The system as a whole is rarely used. I think it’s a combination of poor APIs and hesitation of the population. For somebody without technical knowledge, there is no obvious difference to the private video ID companies. On the surface, you may believe that all data is transferred anyway and you have to trust providers in all cases, not that some magic makes it so third parties don’t get more than necessary.

I don’t know of any real world example that queries height, I mentioned it because it is part of the data set and privacy-preserving queries are technically possible. Age restrictions are the obvious example, but even there I am not aware of any commercial use, only for government services like tax filing or organ donor registry. Also, nobody really measures your height, you just tell them what to put there when you get the ID. Not so for birth dates, which they take from previous records going back to the birth certificate.

IncRnd 6 days ago | parent | prev | next [-]

That is already solved by governments and businesses. If you have recently attempted to log into a US government website, you were probably told that you need Login.gov or ID.me. ID.me verifies identity via driver’s license, passport, Social Security number—and often requires users to take a video selfie, matched against uploaded ID images. If automated checks fail, a “Trusted Referee” video call is offered.

If you think this sounds suspiciously close to what businesses do with KYC, Know Your Customer, you're correct!

gambiting 6 days ago | parent | prev | next [-]

UK is stupidly far behind on this though. On one hand the digitization of government services is really well done (thanks to the fantastic team behind .gov websites), but on the other it's like being in the dark ages of tech. My native country has physical ID cards that contain my personal certificate that I can use to sign things or to - gasp! - prove that I am who I say I am. There is a government app that you can use to scan your ID card using the NFC chip in your phone, after providing it with a password that you set when you got the card it produces a token that can then be used to verify your identity or sign documents digitally - and those signatures legally have the same weight as real paper signatures.

UK is in this weird place where there isn't one kind of ID that everyone has - for most people it's the driving licence, but obviously that's not good enough. But my general point is that UK could just look over at how other countries are doing it and copy good solutions to this problem, instead of whatever nonsense is being done right now with the age verification process being entirely outsourced to private companies.

exasperaited 6 days ago | parent | next [-]

> UK is in this weird place where there isn't one kind of ID that everyone has - for most people it's the driving licence, but obviously that's not good enough.

As a Brit I personally went through a phase of not really existing — no credit card, no driving licence, expired passport - so I know how annoying this can be.

But it’s worth noting that we have this situation not because of mismanagement or technical illiteracy or incompetence but because of a pretty ingrained (centuries old) political and cultural belief that the police shouldn’t be able to ask you “papers please”. We had ID cards in World War II, everyone found them egregious and they were scrapped. It really will be discussed in those terms each time it is mentioned, and it really does come down to this original aspect of policing by consent.

So the age verification thing is running up against this lack of a pervasive ID, various KYC situations also do, we can get an ID card to satisfy verification for in-person voting if we have no others, but it is not proof of identity anywhere else, etc.

It is frustrating to people who do not have that same cultural touchstone but the “no to ID” attitude is very very normal; generally the UK prefers this idea of contextual, rather than universal ID. It’s a deliberate design choice.

marcus_holmes 5 days ago | parent [-]

Same in Australia - there was a referendum about whether we should have government-issued ID cards, and the answer was an emphatic "NO". And Australia is hitting or going to hit the same problem with the age verification thing for social media.

jhbadger 3 days ago | parent | prev [-]

>UK is in this weird place where there isn't one kind of ID that everyone has - for most people it's the driving licence, but obviously that's not good enough

The US also lacks a national ID, but as a non-driver myself, this is handled by things called variously by state a "state ID" or a "non-driver's driving license". These look exactly like driver's licenses and can be used wherever those can for ID (like for flying) except for a line saying "not valid for driving".

xlbuttplug2 6 days ago | parent | prev | next [-]

IDs would have to be reissued with a public/private key model you can use to sign your requests.

> the person at the keyboard, is the same person as that ID identifies

This won't be possible to verify - you could lend your ID out to bots but that would come at the risk of being detected and blanket banned from the internet.

wredcoll 6 days ago | parent [-]

I have a wonderful new idea for this problem space based on your username.

heavyset_go 6 days ago | parent | prev | next [-]

Not good enough, providers and governments want proof of life and proof of identity that matches government IDs.

Without that, anyone can pretend to be their dead grandma/murder victim, or someone whose ID they stole.

sciencejerk 6 days ago | parent [-]

How about a chip implant signed by the government hospital that attests for your vitality? Looks like this is where things are headed

phito 6 days ago | parent | prev | next [-]

In Europe we have itsme. You link the phone app to your ID, then you can use it to scan QR codes to log into websites.

swores 6 days ago | parent | next [-]

"In Europe" is technically true but makes it sound more widely used than I believe it to be... though maybe my knowledge is out of date.

Their website lists 24 supported countries (including some non-EU like UK and Norway, and missing a few of the 27 EU countries) - https://www.itsme-id.com/en-GB/coverage

But does it actually have much use outside of Belgium?

Certainly in the UK I've never come across anyone, government or private business, mentioning it - even since the law passed requiring many sites to verify that visitors are adults. I wouldn't even be familiar with the name if I hadn't learned about its being used in Belgium.

Maybe some other countries are now using it, beyond just Belgium?

phito 5 days ago | parent [-]

Oh I wasn't aware of that. I remember a Dutch friend talking to me about a similar app they had. Maybe they have a re-branded version of it?

victorbjorklund 6 days ago | parent | prev | next [-]

One problem with solutions like that is that the website needs to pay for every log in. So you save a few dollars blocking scrapers but now you have to pay thousands of dollars to this company instead.

victorbjorklund 6 days ago | parent | prev | next [-]

I'm from Europe, I never heard about it

JimDabell 6 days ago | parent | prev [-]

In Singapore, we have SingPass, which is also an OpenID Connect implementation.

PeterStuer 6 days ago | parent | prev | next [-]

Officially sanctioned 2fa tied to your official government ID. Over here we have "It's me" [1].

Yes, you can in theory still use your ID card with a usb cardreader for accessing gov services, but good luck finding up to date drivers for your OS or use a mobile etc.

[1] https://www.itsme-id.com/en-BE/

sintax 6 days ago | parent [-]

Except that itsme crap is not from the government and doesn't support activation on anything but a Windows / Mac machine. No Linux support at all, while the Belgian government stuff (CSAM) supports Linux just fine.

PeterStuer 5 days ago | parent [-]

It is from the banks that leveraged their KYC but was adopted very broadly by gov and many other id required or linked services. AFAIK it does not need a computer to activate besides your phone and one of those bank issued 2FA challenge card readers.

For CSAM, also AFAIK, first 'activation' includes a visit to your local municipality to verify your identity. Unless you go via itsme, as it is an authorized CSAM key holder.

throwaway1777 6 days ago | parent | prev [-]

It doesn’t require a ground up rework. The easiest idea is real people can get an official online id at some site like login.gov and website operators verify people using that api. Some countries already have this kind of thing from what I understand. The tech bros want to implement this on the blockchain but the government could also do it.

bhawks 6 days ago | parent | prev | next [-]

Can't wait to sign into my web browser with my driver's license.

weberer 6 days ago | parent | next [-]

What's next? Requiring a license to make toast in your own damn toaster?

jijijijij 5 days ago | parent [-]

> your own damn toaster

Silly you, joking around like that. Can you imagine owning a toaster?! Sooo inconvenient and unproductive! Guess, if you change your housing plan, you gonna bring it along like an infectious tick? Hahah — no thank you! :D

You will own nothing and you will be happy!

(Please be reminded, failing behavioral compliance with, and/or voicing disapproval of this important moral precept, jokingly or not, is in violation of your citizenship subscription's general terms and conditions. This incident will be reported. Customer services will assist you within 48 hours. Please, do not leave your base zone until this issue has been resolved to your satisfaction.)

overfeed 6 days ago | parent | prev | next [-]

In all likelihood, most people will do so via the Apple Wallet (or the equivalent on their non-Apple devices). It's going to be painful to use Open source OSes for a while, thanks to CloudFlare and Anubis. This is not the future I want, but we can't have nice things.

hedora 6 days ago | parent | next [-]

No worries. Stick an unregistered copy of win 11 (ms doesn’t seem to care) and your drivers license in an isolated VM and let the AI RDP into it for you.

Manually browsing the web yourself will probably be trickier moving forward though.

account42 6 days ago | parent | prev [-]

> This is not the future I want, but we can't have nice things.

Actually, we can if we collectively decide that we should have them. Refuse to use sites that require these technologies and demand governments to solve the issue in better ways, e.g. by ensuring there are legal consequences for abusive corporations.

heavyset_go 6 days ago | parent | prev [-]

"Luckily" you won't have to do only that, you'll need to provide live video to prove you're the person in the ID and that you're alive.

xlbuttplug2 6 days ago | parent | prev | next [-]

The internet would come to a grinding halt as everyone would suddenly become mindful of their browsing. It's not hard to imagine a situation where, say, pornhub sells its access data and the next day you get sacked at your teaching job.

chmod775 6 days ago | parent | next [-]

It doesn't need to. Thanks to asymmetric cryptography governments can in theory provide you with a way to prove you are a human (or of a certain age) without:

1. the government knowing who you are authenticating yourself to

2. or the recipient learning anything but the fact that you are a human

3. or the recipient being able to link you to a previous session if you authenticate yourself again later

The EU is trying to build such a scheme for online age verification (I'm not sure if their scheme also extends to point 3 though. Probably?).

palata 6 days ago | parent | next [-]

But I don't get how it goes for spam or scraping: if I can pass the test "anonymously", then what prevents me from doing it for illegal purposes?

I get it for age verification: it is difficult for a child to get a token that says they are allowed to access porn because adults around them don't want them to access porn (and even though one could sell tokens online, it effectively makes it harder to access porn as a child).

But how does it prevent someone from using their ID to get tokens for their scraper? If it's anonymous, then there is no risk in doing it, is there?

986aignan 6 days ago | parent | next [-]

IIRC, you could use asymmetric cryptography to derive a site-specific pseudonymous token from the service and your government ID without the service knowing what your government ID is or the government provider knowing what service you are using.

The service then links the token to your account and uses ordinary detection measures to see if you're spamming, flooding, phishing, whatever. If you do, the token gets blacklisted and you can no longer sign on to that service.

This isn't foolproof - you could still bribe random people on the street to be men/mules in the middle and do your flooding through them - but it's much harder than just spinning up ten thousand bots on a residential proxy.

palata 6 days ago | parent [-]

But that does not really answer my question: if a human can prove that they are human anonymously (by getting an anonymous token), what prevents them from passing that token to an AI?

The whole point is to prevent a robot from accessing the API. If you want to detect the robot based on its activity, you don't need to bother humans with the token in the first place: just monitor the activity.

xlbuttplug2 6 days ago | parent [-]

It does not prevent a bot from using your ID. But a) the repercussions for getting caught are much more tangible when you can't hide behind anonymity - you risk getting blanket banned from the internet and b) the scale is significantly reduced - how many people are willing to rent/sell their IDs, i.e., their right to access the internet?

Edit: ok I see the argument that the feedback mechanism could be difficult when all the website can report is "hey, you don't know me but this dude from request xyz you just authenticated fucked all my shit up". But at the end of the day, privacy preservation is an implementation detail I don't see governments guaranteeing.

palata 5 days ago | parent [-]

> But at the end of the day, privacy preservation is an implementation detail I don't see governments guaranteeing.

Sure, I totally see how you can prevent unwanted activity by identifying the users. My question was about the privacy-preserving way. I just don't see how that would be possible.

terribleperson 6 days ago | parent | prev [-]

One option I can think of is that the attesting authority might block you if you're behaving badly.

account42 6 days ago | parent [-]

That doesn't work without the attesting authority knowing what you are doing, which would make this scheme no longer anonymous.

A1kmm 6 days ago | parent [-]

It does work as long as the attesting authority doesn't allow issuing a new identity (before it expires) if the old one is lost.

You (Y) generate a keypair and send your public key to the attesting authority A, and keep your private key. You get a certificate.

You visit site b.com, and it asks for your identity, so you hash b.com|yourprivatekey. You submit the hash to b.com, along with a ZKP that you possess a private key that makes the hash work out, and that the private key corresponds to the public key in the certificate, and that the certificate has a valid signature from A.

If you break the rules of b.com, b.com bans your hash. Also, they set a hard rate limit on how many requests per hash are allowed. You could technically sell your hash and proof, but a scraper would need to buy up lots of them to do scraping.

Now the downside is that if you go to A and say your private key was compromised, or you lost control of it - the answer has to be tough luck. In reality, the certificates would expire after a while, so you could get a new hash every 6 months or something (and circumvent the bans), and if you lost the key, you'd need to wait out the expiry. The alternative is a scheme where you and A share a secret key - but then they can calculate your hash and conspire with b.com to unmask you.
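The site-side half of the scheme in the comment above, as an added example that is not code from the thread: a per-site pseudonym derived from the private key, a ban list, and a hard rate limit per pseudonym. The zero-knowledge proof is out of scope and assumed to have been verified before `admit` is called; `site_pseudonym`, `SiteGate`, `run_demo`, the site name `c.example` and the use of HMAC-SHA256 as the keyed hash are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict, deque


def site_pseudonym(private_key: bytes, site: str) -> str:
    # The comment hashes "b.com|yourprivatekey"; HMAC-SHA256 keyed with the
    # private key is swapped in here as the keyed hash (an assumption).
    return hmac.new(private_key, site.encode("utf-8"), hashlib.sha256).hexdigest()


class SiteGate:
    """Hypothetical policy for one site: ban list plus a hard per-pseudonym rate limit.

    Assumes the proof tying the pseudonym to a valid certificate from A
    has already been checked by the caller.
    """

    def __init__(self, max_requests: int, window_seconds: float):
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        self.banned = set()
        self.recent = defaultdict(deque)  # pseudonym -> request times inside the window

    def admit(self, pseudonym: str, now: float) -> str:
        if pseudonym in self.banned:
            return "banned"
        stamps = self.recent[pseudonym]
        # Drop requests that have aged out of the sliding window.
        while stamps and now - stamps[0] >= self.window_seconds:
            stamps.popleft()
        if len(stamps) >= self.max_requests:
            return "rate_limited"
        stamps.append(now)
        return "ok"

    def ban(self, pseudonym: str) -> None:
        self.banned.add(pseudonym)
        self.recent.pop(pseudonym, None)


def run_demo() -> dict:
    key = secrets.token_bytes(32)  # constructed private key, not a real credential
    at_b = site_pseudonym(key, "b.com")
    at_c = site_pseudonym(key, "c.example")  # second site, constructed name
    gate = SiteGate(max_requests=3, window_seconds=60.0)

    # The owner and a scraper holding the same lent pseudonym draw on one budget.
    owner = [gate.admit(at_b, t) for t in (0.0, 1.0)]
    scraper = [gate.admit(at_b, t) for t in (2.0, 3.0)]
    after_window = gate.admit(at_b, 61.0)

    # A ban follows the pseudonym, whoever presents it.
    gate.ban(at_b)
    after_ban = gate.admit(at_b, 62.0)

    # After certificate expiry a fresh keypair yields a fresh pseudonym,
    # which is the ban circumvention the comment concedes.
    reissued = gate.admit(site_pseudonym(secrets.token_bytes(32), "b.com"), 63.0)

    return {
        "stable": at_b == site_pseudonym(key, "b.com"),
        "linkable_across_sites": at_b == at_c,
        "owner": owner,
        "scraper": scraper,
        "after_window": after_window,
        "after_ban": after_ban,
        "reissued": reissued,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```
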

palata 6 days ago | parent [-]

Isn't the whole point of a privacy-preserving scheme that you can ask many "certificates" to the attesting authority and it won't care (because you may need as many as the number of websites you visit), and the website b.com won't be able to link you to them, and therefore if it bans certificate C1, you can just start using certificate C2?

And then of course, if you need millions of certificates because b.com keeps banning you, it means that they ban you based on your activity, not based on your lack of certificate. And in that case, it feels like the certificate is useless in the first place: b.com has to monitor and ban you already.

Or am I missing something?

heavyset_go 6 days ago | parent | prev | next [-]

There isn't a technical solution to this: governments and providers not only want proof of identity matching IDs, they want proof of life, too.

This will always end with live video of the person requesting to log in to provide proof of life at the very least, and if they're lazy/want more data, they'll tie in their ID verification process to their video pipeline.

debugnik 6 days ago | parent [-]

You already provided proof of a living legal identity when you got the ID, and it already expires to make you provide proof again every few years.

heavyset_go 6 days ago | parent [-]

That's not the kind of proof of life the government and companies want online. They want to make sure their video identification 1) is of a living person right now, and 2) that living person matches their government ID.

It's a solution to the "grandma died but we've been collecting her Social Security benefits anyway", or "my son stole my wallet with my ID & credit card", or (god forbid) "We incapacitated/killed this person to access their bank account using facial ID".

It's also a solution to the problem advertisers, investors and platforms face of 1) wanting huge piles of video training data for free and 2) determining that a user truly is a monetizable human being and not a freeloader bot using stolen/sold credentials.

palata 6 days ago | parent | next [-]

> That's not the kind of proof of life the government and companies want online.

Well that's your assumption about governments, but it doesn't have to be true. There are governments that don't try to exploit their people. The question is whether such governments can have technical solutions to achieve that or not (I'm genuinely interested in understanding whether or not it's technically feasible).

debugnik 6 days ago | parent | prev [-]

It's the kind of proof my government already asks of me to sign documents much, much more important than watching adult content, such as social security benefits.

cakealert 6 days ago | parent | prev | next [-]

Such schemes have the fatal flaw that they can be trivially abused. All you need are a couple of stolen/sold identities and bots start proving their humanness and adultness to everyone.

overfeed 6 days ago | parent | next [-]

> Such schemes have the fatal flaw that they can be trivially abused

I wouldn't expect the abuse rate to be higher than what it is for chip-and-pin debit cards. PKI failure modes are well understood and there are mitigations galore.

Almondsetat 6 days ago | parent | prev [-]

Blatant automatic behavior can still be detected, and much more definitive actions can be taken in such a system.

palata 6 days ago | parent [-]

Detecting is a thing, but how do you identify the origin if it was done in a privacy-preserving manner? The whole point was that you couldn't, right?

xlbuttplug2 6 days ago | parent | prev | next [-]

I did think asymmetric cryptography but I assumed the validators would be third parties / individual websites and therefore connections could be made using your public key. But I guess having the government itself provide the authentication service makes more sense.

I wonder if they'd actually honor 1 instead of forcing recipients to be registered, as presumably they'd be interested in tracking user activity.

ummonk 6 days ago | parent | prev [-]

How would it prevent you from renting your identity out to a bot farm?

overfeed 6 days ago | parent [-]

Besides making yourself party to a criminal conspiracy, I suspect it would be partly the same reason you won't sell/rent your real-world identity to other people today; an illegal immigrant may be willing to rent it from you right now.

Mostly, it will because online identities will be a market for lemons: there will be so many fake/expired/revoked identities being sold that the value of each one will be worth pennies, and that's not commensurate with the risk of someone committing crimes and linking it to your government-registered identity.

palata 6 days ago | parent | next [-]

> the same reason you won't sell/rent your real-world identity to other people today

If you sell your real-world identity to other people today, and they get arrested, then the police will know your identity (obviously). How does that work with a privacy-preserving scheme? If you sell your anonymous token that says that you are a human to a machine and the machine gets arrested, then the police won't be able to know who you are, right? That was the whole point of the privacy-preserving token.

I'm genuinely interested, I don't understand how it can work technically and be privacy-preserving.

cakealert 6 days ago | parent [-]

It would appear most of the people commenting on the subject don't even understand it.

With privacy preserving cryptography the tokens are standalone and have no ties to the identity that spawned them.

No enforcement for abuse is possible.

overfeed 5 days ago | parent | next [-]

> With privacy preserving cryptography the tokens are standalone and have no ties to the identity that spawned them.

I suspect there will be different levels of attestations from the anonymous ("this is an adult"), to semi-anonymous ("this person was born in 20YY and resides in administrative region XYZ") to the complete record ("This is John Quincy Smith III born on YYYY-MM-DD with ID doc number ABC123"). Somewhere in between the extremes is a pseudonymous token that's strongly tied to a single identity with non-repudiation.

Anonymous identities that can be easily churned out on demand by end-users have zero antibot utility

cakealert 5 days ago | parent [-]

The latter attestation will be completely useless for privacy.

overfeed 3 days ago | parent [-]

100% agree, but it will be necessary for any non-repudiation use cases, like signing contracts remotely. There is no one size fits all approach for online identity management.

palata 6 days ago | parent | prev [-]

Right, that's my feeling as well

overfeed 5 days ago | parent [-]

While it's the privacy advocate's ideal, the political reality is very few governments will deploy "privacy preserving" cryptography that gets in the way of LE investigations[1]. The best you can hope for is some escrowed service that requires a warrant to unmask the identity for any given token, so privacy is preserved in most cases, and against most parties except law enforcement when there's a valid warrant.

1. They can do it overtly in the design of the system, or covertly via side-channels, logging, or leaking bits in ways that are hard for an outsider to investigate without access to the complete source code and/or system outputs, such as not-quite-random pseudo-randoms.

coolcoder613 6 days ago | parent | prev [-]

> Mostly, it will because online identities will be a market for lemons: there will be so many fake/expired/revoked identities being sold that the value of each one will be worth pennies, and that's not commensurate with the risk of someone committing crimes and linking it to your government-registered identity.

That would be trivially solved by using same verification mechanisms they would be used with.

wredcoll 6 days ago | parent | prev | next [-]

I live with the naïve and optimistic dream that something like that would just show that everyone was in the list so they can't use it to discriminate against people.

account42 6 days ago | parent | prev | next [-]

You are right about the negative outcomes that this might have but you have way too much faith in the average person caring enough before it happens to them.

glandium 6 days ago | parent | prev [-]

> sells its access data

or has it leaked somehow.

tern 6 days ago | parent | prev | next [-]

Eyeball company play is to be a general identity provider, which is an obvious move for anyone who tries to fill this gap. You can already connect your passport in the World app.

https://world.org/blog/announcements/new-world-id-passport-c...

esnard 6 days ago | parent [-]

Note: one of the founders of the World app is Sam Altman.

JimDabell 6 days ago | parent | prev | next [-]

> some form of online ID attestation (likely based on government-issued ID[1]) will become normal in the next decade

I believe this is likely, and implemented in the right way, I think it will be a good thing.

A zero-knowledge way of attesting persistent pseudonymous identity would solve a lot of problems. If the government doesn’t know who you are attesting to, the service doesn’t know your real identity, services can’t correlate users, and a service always sees the same identity, then this is about as privacy-preserving as you can get with huge upside.

A social media site can ban an abusive user without them being able to simply register a new account. One person cannot operate tens of thousands of bot profiles. Crawlers can be banned once. Spammers can be locked out of email.

akk0 6 days ago | parent | next [-]

> A social media site can ban an abusive user without them being able to simply register a new account.

This is an absolutely gargantuan-sized antifeature that would single-handedly drive me out of the parts of the internet that choose to embrace this hellish tech.

JimDabell 6 days ago | parent [-]

I think social media platforms should have the ability to effectively ban abusive users, and I’m pretty sure that’s a mainstream viewpoint shared by most people.

The alternative is that you think people should be able to use social media platforms in ways that violate their rules, and that the platforms should not be able to refuse service to these users. I don’t think that’s a justifiable position to take, but I’m open to hearing an argument for it. Simply calling it “hellish” isn’t an argument.

And can you clarify if your position accounts for spammers? Because as far as I can see, your position is very clearly “spammers should be allowed to spam”.

akk0 4 days ago | parent [-]

No, my position is not any of these things you just decided to attribute to me. Allowing people to make alternate accounts has been the status quo on the internet since time immemorial, if only because it's currently not preventable. False bans are not rare (I only got unbanned from LinkedIn after getting banned with no explanation and having my appeal initially denied, for instance). I've gotten banned on places, rightfully (in my view) or not, then come back on a new account and avoided stepping on anyone's toes and lived happily ever after, too.

Of course in the ideal world all bans would be handed out correctly, be of a justified duration, and offer due process to those banned. We don't live in that world, the incentive is emphatically NOT to handle appeals fairly and understandably. Getting truly permanently banned on a major platform can be a life changing experience.

In reality users can generally get away with signing up new accounts, but new users will be marked somehow and/or limited (e.g. green names on HN) and get extra scrutiny, and sign-ups will have friction and limits to let it not scale up to mass spammer scale. The rest is handled manually by moderation staff.

The limits to moderator power are a feature that compensates for the limits to moderator competence.

ibejoeb 6 days ago | parent | prev [-]

> A zero-knowledge way of attesting persistent pseudonymous identity

why would a government do that though? the alternative is easier and gives it more of what it wants.

JimDabell 6 days ago | parent [-]

The alternative would have far less support from the public.

exasperaited 6 days ago | parent | prev | next [-]

At this future point, AI firms will simply rent people’s identities to use online.

account42 6 days ago | parent [-]

They are already getting people hooked on "free" access so they will have plenty of subjects willing to do that to keep that access.

exasperaited 6 days ago | parent [-]

And if they are as successful as they are threatening to be, they will have destroyed so many jobs that I am sure they will find a few thousand people across the world who will accept a stipend to loan their essence to the machine.

john01dav 6 days ago | parent | prev | next [-]

This has quite nasty consequences for privacy. For this reason, alternatives are desirable. I have less confidence in what such an alternative should be, however.

palata 6 days ago | parent [-]

Can you elaborate on that? Are you implying that it is strictly impossible to do this in a privacy-preserving way?

michaelt 6 days ago | parent | next [-]

It depends on your precise requirements and assumptions.

Does your definition of 'privacy-preserving' distrust Google, Apple, Xiaomi, HTC, Honor, Samsung and suchlike?

Do you also distrust third-party clowns like Experian and Equifax (whose current systems have gaping security holes) and distrust large government IT projects (which are outsourced to clowns like Fujitsu who don't know what they're doing)?

Do you require it to work on all devices, including outdated phones and tablets; PCs; Linux-only devices; other networked devices like smart lightbulbs; and so on? Does it have to work in places phones aren't allowed, or mobile data/bluetooth isn't available? Does the identity card have to be as thin, flexible, durable and cheap as a credit card, precluding any built-in fingerprint sensors and suchlike?

Does the age validation have to protect against an 18-year-old passing the age check on their 16-year-old friend's account? While also being privacy-preserving enough nobody can tell the two accounts were approved with the same ID card?

Does the system also have to work on websites without user accounts, because who the hell creates a pornhub account anyway?

Does the system need to work without the government approving individual websites' access to the system? Does it also need to support proving things like name, nationality, and right to work in the country so people can apply for bank accounts and jobs online? And yet does it need to prevent sites from requiring names just for ad targeting purposes?

Do all approvals have to be provable, so every company can prove to the government that the checks were properly carried out at the right time? Does it have to be possible to revoke cards in a timely manner, but without maintaining a huge list of revoked cards, and without every visit to a porn site triggering a call to a government server for a revocation check?

If you want to accomplish all of these goals - you're going to have a tough time.

palata 5 days ago | parent [-]

Not sure what you are trying to say.

I can easily imagine having a way to prove my age in a privacy-preserving way: a trusted party knows that I am 18+ and gives me a token that proves that I am 18+ without divulging anything else. I take that token and pass it to the website that requires me to be 18+. The website knows nothing about me other than I have a token that says I am 18+.

Of course, I can get a token and then give it to a child. Just like I can buy cigarettes and give them to a child. But the age verification helps in that I don't want children to access cigarettes, so I won't do it.

The "you are a human" verification fundamentally doesn't work, because the humans who make the bots are not aligned with the objective of the verification. If it's privacy-preserving, it means that a human can get a token, feed it to their bot and call it a day. And nobody will know who gave the token to the bot, precisely because it is privacy-preserving.

john01dav 6 days ago | parent | prev | next [-]

I am not implying anything and mean only what I directly said.

More specifically, I do not know if a privacy preserving method exists. This is different from thinking that it doesn't exist.

63stack 6 days ago | parent | prev [-]

While the question of "is it actually possible to do this in a privacy preserving way?" is certainly interesting, was there ever a _single_ occasion where a government had the option of doing something in a privacy preserving way, when a non-privacy preserving way was also possible? Politicians would absolutely kill for the idea of unmasking dissenters on internet forums. Even if the option is a possibility, they are deliberately not going to implement it.

palata 6 days ago | parent [-]

> was there ever a _single_ occasion

I don't know where you live, but in my case, many. Beginning with the fact that I can buy groceries with cash.

63stack 6 days ago | parent [-]

Example does not fit: when cash was introduced, electronic money transfer was not an option.

palata 6 days ago | parent [-]

Health insurance being digitalised and encrypted on the insurance card in a decentralised way?

Many e-IDs in many countries?

63stack 5 days ago | parent [-]

I didn't know about e-IDs in other countries, but in Scandinavia (at least in Norway and Sweden, but I know the same system is used in Denmark as well) they are very much tied to your personal number which uniquely identifies you. Healthcare data is also not encrypted.

palata 5 days ago | parent [-]

Well the e-ID is an ID, so to the government it's tied to a person. But I know that in multiple countries it's possible to use the e-ID to only share the information necessary with the receiver in a way that the government cannot track. Typically, share only the fact that you are 18+ without sharing your name or birthday, and without the government being able to track where you shared that fact.

This is privacy-preserving and modern.

egil 6 days ago | parent | prev | next [-]

Fun fact: The Norwegian wine monopoly is rolling out exactly this to prevent scalpers buying up new releases. Each online release will require a signup in advance with a verified account.

xenotux 6 days ago | parent | prev | next [-]

Eh? With the "anonymous" models that we're pushing for right now, nothing stops you from handing over your verification token (or the control of your browser) to a robot for a fee. The token issued by the verifier just says "yep, that's an adult human", not "this is John Doe, living at 123 Main St, Somewhere, USA". If it's burned, you can get a new one.

If we move to a model where the token is permanently tied to your identity, there might be an incentive for you not to risk your token being added to a blocklist. But there's no shortage of people who need a bit of extra cash and for whom it's not a bad trade. So there will be a nearly-endless supply of "burner" tokens for use by trolls, scammers, evil crawlers, etc.

kelvinjps10 6 days ago | parent [-]

If it's illegal, that person could face legal consequences.

wredcoll 6 days ago | parent [-]

They... stole it from me?

nikau 6 days ago | parent | prev [-]

Can't wait to start my stolen id as a service for the botnets