Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
mcv 4 hours ago

I completely agree. The only services for which I will verify my age (and the entire rest of my ID) are bank accounts and other services involving a real legal requirement for real ID.

The notion that you should upload a passport to random sites for age verification is unbelievably dangerous. That's a recipe for identity theft. And face scanning is also an invasion of privacy, not to mention very unreliable (my 16 year old son has apparently been accepted as 20 years old).

I've pointed out in many places already that the only way to do online age verification right, is for the government to provide an e-ID that the random site will direct you to with the question "is this person older than X?", then you log in to the e-ID site, which informs you exactly what the site wants to know (which should be as rough as possible; no birthdate), then the e-ID site directs you back to your original site (or possibly through a proxy, if you don't want the government to know what sites you visit), and calls their webhook (through a proxy) with the confirmation of your age.

That's also how my online payments work, and this should be the standard pattern for everything that needs to be secure. Not sharing sensitive or personal data with random sites.

EnderWT 2 hours ago | parent | next [-]

There's already a spec for this (ISO/IEC 18013-5) and it's been implemented in a variety of jurisdictions. https://en.wikipedia.org/wiki/Mobile_driver%27s_license

The person gets to see what information the service is asking for and can approve or deny. This'll likely end up being the future of how citizens access government services online.

shiandow 4 hours ago | parent | prev | next [-]

That very much isn't the only right way, and it is far to close to government tracking activities online. For one it effectively allows governments to disallow someone from accessing the internet.

All this to let you do stuff you were allowed to do anyway.

The problem is handing kids admin level access on a device with full unfiltered access to several communication networks. You do not fix that by demoting everyone's access.

fc417fc802 2 hours ago | parent [-]

I wholeheartedly agree. Worse, these verification "solutions" distract from fixing the actual underlying issue.

We need better supervision which demands better parental controls which demands better content filtering which demands better content classification.

So fix the root. Legally mandate a standardized protocol for self reporting the content rating of resources.

1970-01-01 4 hours ago | parent | prev | next [-]

1000% this. Fake info for everything that isn't directly tied to money or government. HN doesn't have my info. Apple doesn't have it. Google doesn't have it. Amazon doesn't have it. Microsoft doesn't have it. They don't care who I really am, and that hasn't, ever never, been a problem for using their stuff. They want your real ID. They do not need it. At all.

cloverich 44 minutes ago | parent | next [-]

> They want your real ID. They do not need it.

I think that is exactly backwards. Many of the companies integrating with KYC/AML providers (such as my company) definitely don't want to be dealing in ids, just like most companies don't want to be dealing in storing credit card numbers (and the compliance that goes along with it). Its why Stripe exists, and its why ID verification companies exist.

x0x0 36 minutes ago | parent [-]

I'd like to agree, but I don't. If companies didn't want to be involved, they would aggressively be pushing governments to provide ways to confirm age w/o transmitting any other data. Primarily because you can't leak data you never had in the first place. I don't see that happening.

londons_explore 3 hours ago | parent | prev [-]

Remember that just typing 'John Smith DOB 1/1/1900' into a random webform and clicking submit to get in is technically wire fraud.

Sure, it usually won't be prosecuted... Until you upset the wrong person and they're looking for a crime you did...

araes 38 minutes ago | parent | next [-]

Fraud (Wikipedia, United States):

  - Misrepresents a material (non-trivial) fact in order to obtain action or forbearance by another person
  - The other person relies upon the misrepresentation
  - The other person *suffers injury* as a result of the act or forbearance taken in reliance upon the misrepresentation.
Damages in fraud cases is normally computed using

  - Recovery of damages in the amount of the *difference between the value of the property* had it been as represented and its actual value
  - Out-of-pocket loss, which allows for the recovery of damages in the amount of the *difference between the value of what was given and the value of what was received*.
Usually also heavily implied it needs to involve money in some significant way:

18 U.S.C. § 1343

  (...)'any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises'(...)
Fraud cases also usually heavily apply burden of court practice on the prosecution, to prove fraud and substantial losses. If you type 'John Smith DOB 1/1/1900' the "victim" has to prove it caused them to suffer injury and that there was a significant difference between the value of the property (non-trivial).
fc417fc802 2 hours ago | parent | prev | next [-]

I don't believe it's wire fraud unless you deceive the other party for monetary gain. I realize that's not quite the correct definition but AFAIK it's quite close to it.

londons_explore an hour ago | parent [-]

The gain is that you get to access the website. Fraud simply requires gain, not necessarily monetary benefit.

1970-01-01 44 minutes ago | parent [-]

That's not it. There is 2 parts 2 fraud.

Part 1: misrepresentation of fact

Part 2: harm or loss due to that misrepresentation

You must prove both.

https://definitions.uslegal.com/f/fraud/#:~:text=and%20upon%...

1970-01-01 3 hours ago | parent | prev [-]

So is breaching all your PII into the universe. Choose your battles or they will be chosen for you. Aside, I'm technically 126 years old in some DBs. Nobody cares.

ticulatedspline 4 hours ago | parent | prev [-]

even better would be a solution that didn't require even proxy or direct government log in.

like if you could be issued an E-id that could perform a local signature/challenge-response that allowed the site to confirm an age bracket (like 12 or below,13-17,18-20, 21+), assert the entity that issued the id but not assert a stable identifier (not even pairwise) and not pass any data between other parties.

Obviously not foolproof, credentials can be stolen (same in your scenario) but the site doesn't need to care, they should be legally in the clear. Basically it would let you anonymously assert your age.