Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
dyauspitr 13 hours ago

I disagree, we should have age verification but maybe it can be done in a mostly anonymous way like a central arbiter of identity from the government or something.

Aurornis 11 hours ago | parent | next [-]

> like a central arbiter of identity from the government or something

This comes up in every ID thread on Hacker News, usually with suggestion that we do it via zero-knowledge cryptographic primitives

However, all of those proposals miss the point. These ID verification laws aren't simply designed to confirm that someone has access to an >= 18yo ID. They are identity verification to try to confirm that the person presenting the ID is the same person who is using the site.

This concept is obvious with in-person ID checks: You can't go to the liquor store and show them any random ID, they have to check that it's your ID.

For some reason when we talk about internet ID verification that part is forgotten and we get these proposals to use cryptographic primitives to anonymously check something without linking the person to the ID. It doesn't work, and doesn't satisfy the way these laws are usually written.

I'm also surprised that people of this website even think it might work in the first place. Did everyone forget what it's like to be a kid trying to out-maneuver rules to access something? How long do you think it would take before the first enterprising kid figures out that if they can get access to their mom or older brother's ID, they can charge their friends $5 to use it for this totally anonymous one-time cryptographic ID check for their social media accounts?

dyauspitr 10 hours ago | parent [-]

These ID verification laws aren't simply designed to confirm that someone has access to an >= 18yo ID. They are identity verification to try to confirm that the person presenting the ID is the same person who is using the site.

This makes no sense. This is exactly like asking someone older to buy you beer. Will there be rule breakers? Sure but they will be in the overwhelming minority.

Aurornis 8 hours ago | parent | next [-]

> This makes no sense. This is exactly like asking someone older to buy you beer.

No, the analogy would be a kid walking into the liquor store to order beer with their mom’s ID and the system allowing you to do it because the store operator isn’t allowed to look at their face or the name on the ID.

> Will there be rule breakers? Sure but they will be in the overwhelming minority.

Some of you have forgotten what it’s like to be a kid around technology.

Every time the topic of web filtering comes up there is a chorus of people declaring it useless because as a kid they easily found ways around it, as kids do.

Now extend that analogy to these wishful thinking cryptographic ID checks, where you only need to circumvent the ID check literally once ever in your childhood and your account is approved for good.

It’s like if you could buy beer with your mom’s ID once and the liquor store owner couldn’t look at the ID or your face and then once you did it a single time you could access all the beer you wanted.

pibaker 10 hours ago | parent | prev [-]

In other words, total death of anonymity on the internet.

Don't you love having your government name tied to every single word you say online, forever, potentially publicly accessible if someone configured mongodb wrong?

dyauspitr 10 hours ago | parent [-]

Different token every time. If something leaks then only the private tokens are leaked. You then have to break every site you visited to link them to you individually.

salawat 13 hours ago | parent | prev [-]

That's exactly the opposite of anonymous. You cannot have anonymity & age verification that actually guarantees anything. It's a contradiction. Either the chain exists, or it doesn't.

alkonaut 12 hours ago | parent [-]

Are you saying it would be impossible to have a service where the site (social media, say) would issue some sort of random token and ask me to sign it using a centralized ID service. Then I log in to the centralized id service and use it to sign the random token and bring it back to the service.

The centralized service see who I am, but not what I'm proving my age for. The social media or other site see that I have signed their token so would have the appropriate age, but not who I am.

What's impossible about this?

tzs 11 hours ago | parent [-]

The problem with that is if someone gets a hold of the logs from both the centralized service and the social media site they can compare timestamps and may be able to match them up.

Most people will be doing the whole process (site gives token, person gets token signed, person returns token) as quickly as possible which limits the candidates for a match. Worse, if the central service is compromised and wants to make it easier for log matching to identify people they could purposefully introduce delays which would make it easier to distinguish people.

Most people will use the same IP address through the verification process which would really make it easy.

alkonaut 10 hours ago | parent | next [-]

Yes, timestamp comparison will be possible. I don't think there is a reasonable way around it? And authentication on to someone else is also unavoidable with reasonable privacy. I think a system with both of those drawbacks is still preferable to most other options.

tzs 7 hours ago | parent [-]

The way most proposals that want to support age verification (or verification of other things from a typical ID such as country) without disallowing anonymous users is to involve secure hardware.

Briefly, someone (probably your goverment) issues a digital copy of your ID cryptographically tied to a key in a hardware security module you provide. There is a protocol that can be used to demonstrate to a site that you have such an ID and that you can perform operations on it using that key, and can be used to disclose anything from the ID that you wish to disclose (e.g., what country you are in, or that your birthday on the ID is at least 18 years in the past) without disclosing any other information from the ID.

This avoids the timestamp problem because the issuer of the ID is not involved in verifying things from the ID. They have no idea when or how often people are using their IDs.

So far people working on these systems are using smart phones as the secure hardware with the keys locked behind biometrics. Google's made on open source library for implementing such systems, the EU has one nearing release after several years of development, and I believe Apple's new ID storage in Wallet supports such a system.

The EU has said that they plan to add support for security devices other than smart phones, such as stand alone security keys or smart cards.

machomaster 9 hours ago | parent | prev | next [-]

Just let people freely register as many virtual ids as possible (and confirm with the real id). Then use that virtual ids to register in actual services.

This allows anonymity, security (no timestamps comparison), freedom of speech and expression (to have independent accounts not linked to the main virtual id).

dyauspitr 10 hours ago | parent | prev [-]

This is no different from VPN providers. Maybe have the central authority keep no logs just like VPN companies. We already have government agencies that do that for instance the agency that handles text to speech phone calls for deaf people. Alternatively use a VPN to sign the token.