The key problem with this entire issue is that it's basically a morality law. There are classes of crimes that, over time, society has discovered simply do not have an enforcement mechanism less damaging than the harm they are seeking to prevent.
An example is Adultery. Most people will agree that it is morally wrong to cheat on your spouse. The reason civilized countries no longer have adultery laws is not because a majority of people support the crime, it's that the level of control a government needs to exercise over its citizenry to actually enforce such a law is repugnant. The state must proscribe definitions of infidelity ( human sexuality being the mess it is, this alone is a massive headache), then engage the state apparatus to surveil people's intimate lives, and then provide a legal apparatus that prevents abuse via allegation. And for what? So that people's feelings are a little less hurt?
The juice simply is not worth the squeeze.
So it goes for age restrictions. Age verification creates massive potential for invasion of privacy, blackmail, censorship, and more, necessitating a massive state censorship apparatus to block foreign content, and for what? So that little Timmy's forced back into trading nudie mags at the bus stop? To save parents the onerous effort of telling their kids "no"?
It's simply not worth it.
I think that's a bit of rationalizing. I don't thinks there's much evidence that Adultery is no longer a criminal offense because people were concerned about privacy or government control.
It's that people became more secular, Adultery is considered a sin and not a crime, and modern countries instituted separation between religious and secular laws.
It's perfectly legitimate for the state to have laws where preventative enforcement is not really possible. Like, we can't surveill everyone such that we can stop murder, but we wouldn't want to do without laws against it.
There are also a lot of differences between adultery (a p2p activity between individuals, usually with no compensation) and the activities of a business like pornhub which is a big platform with lots of employees and multiple large revenue streams. It seems both reasonable and feasible to me to regulate the latter.
For this specific issue (harm to childen through greatly increased access to porn via electronic devices) I think of it more like selling cigarettes to under 18s - it's worth doing something about the problem! - but like you I believe that the proposed age verification laws are not a great solve for the actual problem.
Adultery not being a crime goes far beyond its enforcement mechanism.
Ok, but how long will it take the people in power to figure this out (again)?
They won't (they veiw those as features not bugs) they need replaced with ones that already know.
So in Germany we have an ID card with a PIN, NFC and a government app. Website owners can request to be able to use this feature. They then get a certificate from the government that has the fields they are allowed to request stored within it.
Websites can request data from the user by sending that certificate, it opens the app, it shows you the categories of data to be send, you hold your ID card to the phone, enter the PIN, and the certificate is uploaded to the ID card which verifies it. If its valid, the ID sends back the data that is specified in the certificate.
You then get presented with exactly the data that is going to be sent to the website. You can then agree or disagree. So far that is only used to log in to government websites.
This way the government does not know which sites you visit, and you only send your age to the website.
The problem with schemes like these is that it is reasonably easy to come up with something which is pretty close, yet still missing some crucial details.
- You do not want the government to know which websites you visit. This rules out any kind of redirect / forwarding via a government website or app.
- You do not want websites to correlate their requests, as that would allow for cross-website tracking. Request data from website A should be completely useless to website B. This rules out most regular certificate schemes.
- You do not want a website to correlate multiple data requests, as that would allow websites to create some kind of supercookie. Requests should be completely independent, and two requests from the same user should be indistinguishable from requests from two different users.
- You do not want to lose privacy when the government and the website work together. The request should still be anonymous when the two collaborate, or else there can be no reasonable assumption of privacy. This rules out most clever pass-a-one-time-code schemes.
- You want the request to be unique and time-bound. It should not be possible to replay a response, either to the same website or a different one.
- You do not want to send more data than strictly necessary. If a website needs to know if you are 18 or older, it should only receive a boolean flag.
Getting some of those properties is easy. Getting all of them at the same time? Nearly impossible. And the worst part is that I almost certainly forgot a handful of requirements!
The technical issues are workable, the really difficult issue is none of the big stakeholders really care about the level of privacy you describe. Priorities like audit compatibility, cost of deployment, etc all end up governing what standards get adopted.
Edit: And as Doctorow points out there are a host of other issues that arise from actually deploying a working system.
You're doing the thing where you hold age-verified requests to an unreasonably high standard of privacy, ignoring the status quo.
The absolute majority of porn viewers access a mainstream site like Pornhub through their home or mobile ISP, which is required to verify the owners identity. So in practice, if you're an average user (note: Hacker News users aren't average users) your ISP already knows which porn sites you visit, and your privacy is dependent entirely on your ISP not sharing that information with the government or other organizations.
If you look closely you'll see that none of your concerns are actually valid.
> You do not want the government to know which websites you visit. This rules out any kind of redirect / forwarding via a government website or app.
Technically trivial (e.g. using Referer-Policy: origin).
> You do not want websites to correlate their requests
Impossible to guarantee today.
Yes, this sucks, but this is not a failure of age verification.
> You do not want a website to correlate multiple data requests
This isn't the norm today. For example, Pornhub today already doesn't work without cookies. That doesn't stop users from flocking to it.
Still, it _would_ be technically possible to provide this; see Cloudflare Turnstile for an example. But nobody cares; neither mainstream users nor site owners want stateless websites.
> as that would allow websites to create some kind of supercookie.
No it wouldn't.
> You want the request to be unique and time-bound. It should not be possible to replay a response, either to the same website or a different one.
Technically trivial.
> You do not want to send more data than strictly necessary. If a website needs to know if you are 18 or older, it should only receive a boolean flag.
Technically trivial.
So to summarize: literally all of your concerns are easily dismissed as either easily solvable or already part of how the web works. None of it is pertinent to the topic of age verification.
It's even more restrictive than than, for age verification you only get back whether the person is above the age limit or not, it's a boolean response.
So I think from that view the eID works pretty well, it provides the minimal necessary information. The bigger issue with something like this is if you use them to enforce real name policies or stuff like that.
Presumably the request contains some nonce, otherwise this is trivial to replay?
But even then, I can volunteer my ID, keep it permanently attached to a computer running a server that allows certain requests (like the boolean age check), and then provide an API / client that allows anyone anywhere to use it to pass.
No risk to me (none of my data leaks), presumably no rate limits (the card has no way to track time; at best it could store recent request timestamps but I doubt it does).
In fact even better, use stolen or lost cards. Owner will get a new one, but the old one has no way of knowing it's voided. We can build a network that is able to sign whatever info (age, gender, city, name) you want, as long as we have one ID with such info.
That still results in the government knowing you connected to that website though.
Edit: unless there’s a blind middleman that has tight data policies?
I think it does not know. The app is open source and it just sends the Boolean. The government just gives out the id cards - they are not involved in the verification process
I know the whitelabel EU app is open source but are the derivatives going to be? As far as I understand it, every EU country will release its own version of the app.
Not really (as far as the website and the government doesn't collaborate and share information with each other).
AFAIK the EU age verification app works by requesting bunch of digitally signed "proof of age" tokens (openid verifiable credentials) from a government institution and sends (uses up) one when you want to prove your age to a website. The website can check the validity of these tokens without connecting to the government institution.
They are even trying to do some form of blind signature or zero-knowledge proof to have better protections.
https://ageverification.dev/av-doc-technical-specification/d...
Age verification laws are easy to circumvent and they are bad for many other reason though.
...Unless the government is specifically looking out for this, that's easy to game by just submitting a bunch of requests for age validation with incrementing ages.
Is that worth it? No idea—but I'm willing to bet some surveillance advertisers think it's worth it.
I haven't read the spec so I'm not sure if you can request that or only 18+.
However doing dozens of requests requires the user's approval each time which may raise red flags and I can imagine your certificate revoked.
The ID card also has this amazing function where you can log in to sites using the card without revealing your identity, and even merging the databases from two sites does not allow two users to be identified as the same natural person: https://www.personalausweisportal.de/Webs/PA/EN/business/tec...
I have never seen a website offering login using this function, though ;-)
I completely agree it's technologically feasible in basically every continental European country (as we all have some form of biometric IDs), but do you want to have to do that every time you open a private tab to look at porn? Do you want to not be able to clear your browser cookies without going through that process all over again for basically every website? Do you want to extend 2FA into 3FA with your national ID acting as the third factor so you can view "sensitive" content?
This guy gets it!
Don't get me wrong, I love diving into the technical details just as much as anybody else here. I've learned something new almost every time there's a comment thread on the subject .
But the technical details are a distraction. That this is happening at all is the forest the technical crowd is going to miss for the trees.
Preserving some semblance of privacy on the internet is already hard enough. We do not need systems like this to encroach any farther; risks of personal privacy is so great and could be caused by such a simple innocent and subtle configuration mistake.
> This way the government does not know which sites you visit
Hmm. It's not clear from the description that it is so. The government knows which site sent the request and authenticates your card, which is tied to your identity, right?
There's:
-the ID card which trusts the government PKI and has its own private key and certificate
- the application that does some certificate checks and facilitates communication between the card and an eID server
- an eID server which is connected to the PKI and regularly received short lived certificates to present to the card, does revocation checks, validity checks and a bunch of other stuff. Also provides a list of fingerprints of TLS certificates of eID services allowed for the session
- an eID service which opens a session with the eID server indicating requested data and ultimately receives this data from the eID server. They own the legalese certificate of which data they have access to.
- maybe another provider wrapping all this and the required certifications,. compliance and hardware into an easy to use API. But could also all be the same.
It could be argued that the government has influence on the eID server providers - which do the actual communication with the card and are the first to receive the data before passing it on - via access to the necessary PKI, but they're not directly involved in the communication.
That certificate retrieved from the government has no personal information attached to it. It's essentially empty, only defining what information will be requested from the user.
The certificate is passed to the user's ID card where that information is populated, the document is cryptographically signed, and returned to the requesting party after the user reviews and approves the transaction.
I'm not asking what goes to the site. Does the request to the goverment come from the site you visit? Can the government pair the site with your card? They know who they issued the card to.
If the ID card cryptographically signs it, doesn't that mean that it isn't anonymous?
I assume it's a variant of PKI, with everyone trusting the government's root key, and each ID card storing a unique certificate signed by that root key. But an ID card will only have a single certificate, so it would be trivial to see that multiple data snippets were signed by the same certificate - and therefore the same person. That would allow a website to track users across sessions - or even across websites.
Age and IP address are probably sufficient to uniquely identify most Internet users.
For the curious, look up BSI TR-03124 eID-Client and BSI TR-03130 eID-Server for technical implementation, available in English.
Interesting. How does the revocation of lost/stolen cards interact with the anonymous design of the age attestation?
If an enterprising 19-year-old sold their card and PIN to a 15-year-old and reported it lost to get a replacement, presumably there's some mechanism to stop the 'lost' card being used as proof of age?
There are some steps missing.
The card communicates with an eID server via the app. This server is connected to the PKI and receives a new certificate daily-ish and also has a revocation list of blocked IDs. There's a ridiculous amount of regulation for hosting one yourself, so you get that service from one of the two or three who provide it as a service.
ID data this eID server received from the card is then sent to the eID service that initiated the session, which may either be the entity who needs it, or another service provider who wraps another set of regulation requirements and complex eID server API calls into an easy to use API for their customers.
ID data isn't actually shown to the user in the app unless it's a custom implementation that loops it all the way back from the service provider at the end.
That would be an unlikely scenario. No one would just sell their ID just like that because you have to go to the police to make a report on what happened exactly which then gets distributed in whole Europe and also getting a new ID is quite a procedure and costly unfortunately
You don't sell the id, you login once on their computer.
There's no way this could be implemented globally.
why don't you think this would work? Technically this is basically "the (SP) site trusts another (IDP) site to sign/encrypt a JWT containing some custom assertions". The user would go to the SP, get a signed blob (session nonce / expiry / whatever), take that to the IDP, log in there, IDP creates a JWT with the original blob plus any assertion you allow, you post the JWT back to the SP, SP decrypts the IDP packet, gets its own nonce, ties you to the session, done.
There are also obviously better ways (https://blog.cloudflare.com/privacy-pass-standard/ possibly some variation of zero knowledge proofs) but technically this seems like a solvable problem. Money wise the IDP or in general verifier can charge users for an account and/or generated assertions.
The problem is not technical, it's human :)
I'd refine Doctorow's claims to "Privacy preserving age verification is bullshit in the Common Law Anglo world".
You are completely correct that civil law jurisdictions have already solved this: Germany, Estonia, and many others have the all the requirements: a register of all persons available to the central authority, and crypto infrastructure to make it work.
What's missing from the UK, Canada, USA, etc. is the first part! It is hard to believe if you live in Germany, but there really is no big master list of people in those countries. There are many (many, many) lists, linked badly by many different ids. The tax registry, pension registry, drivers license registry, and visa registry are some of the big ones.
Things could be so much simpler if we had such a thing, but the politics between here and there are basically impossible.
Those big (computerised) master lists were really useful for the Holocaust: I'm not sure it's a bad thing that some countries don't have them.
Unfortunately the countries that don't have them, still have them.
Your birth certificate is still stored somewhere. You're still entered in a bunch of databases from the moment you're given birth to in a hospital. You still get a social security number, which you need to work, which you need to do to afford food.
Sure, all those databases might not have a neat shared primary key, but that's definitely not going to stop future Holocaust 2.0 perpetrators from joining all those tables together.
And you think a crafty teenager can't get around that?
I guess I'm such a hard line anarchist that this sounds totally awful to me. Remember East Germany? Nope, none of you do...
> Remember East Germany? Nope, none of you do...
I do. (Just barely.)
I don't have a Personalausweis. (You only need to have either a passport or an ID card, not both.)
Even if you could do this in every single country (it would already be extremely hard to actually do this in the United States reliably, and I can only imagine it is basically a non-starter in a lot of developing countries) it does pose so, so, so many problems.
- How can you ensure the system can't be abused if there's no identifying information passed? Don't get me wrong, this is also a problem with current systems, maybe even worse. But if it's privacy preserving, ... Almost all kids under 18 have parents or guardians. Almost all of those parents or guardians are 18 or older. So literally all you have to do to bypass age verification is steal their ID for a few minutes? There are also a myriad of solvable problems that aren't guaranteed to be solved without care, like ensuring that the same ID is not used 100,000 times.
- This is a job that is best suited for the government to handle. The internet is global though, and there are a lot of governments. In the U.S., there is in fact not one federal ID, but instead we use state IDs. I assume that means you now need to handle around 50 different state IDs to be able to verify someone's identity, but it actually gets even worse than that, because some people will have IDs, and some will have drivers licenses, because oddly enough that's just how we structure IDs here. People without drivers licenses may have state IDs which are often intentionally visibly distinct to make sure they can't be mistaken for the other. In states I'm aware of, you'll never have both, the driver's license acts as a state ID if you have one. Now scale that to every country on Earth.
- As insane as it may sound, there are plenty of people who don't have essentially any form of ID. You might think I'm over-estimating the numbers with "plenty", but even just in the United States, it's literally over 2.5 million, off the top of my head. (No idea what the best source is here.) The closest thing we have that every citizen is supposed to have is Social Security, but that isn't really usable as a form of ID for various reasons. (And frankly it's a pretty terrible means to verify someone's identity at all anymore in the Internet age, but oh well.)
I'm totally sympathetic to the fact that people really don't want their kids browsing porn on the Internet, but children basically can't pay for Internet access or afford iPhones. I think it's insane that people keep suggesting using advanced cryptography, zero-knowledge proofs, privacy pass tokens or whatever else for a problem that so clearly needs to be solved socially and not technically. (And obviously, only the surface-level aspects of this are really about porn. We all know it's deeper than that, and if it wasn't, the UK would readily exempt Wikimedia from these requirements. I hope nobody here is deluding themselves into thinking this is a noble effort.) You are literally giving your children a device that can easily obtain porn and letting them use it unsupervised. It's not like it was a secret: Avenue Q told you everything you needed to know. I get that raising kids is hard and society pressures you to do this, but isn't that the problem you'd rather tackle?
The problem is that we've let this idea that you can solve the problem like this enter the mainstream, and now that we have, even smart and reasonable people may accidentally convince themselves that it is tractable just because it is technically feasible to devise such a system. This is bad because we're going to waste a lot of energy repeating ourselves on thinking about the entirely wrong way to look at things.
> all you have to do to bypass age verification is steal their ID for a few minutes?
There are numerous interesting and/or problematic aspects of this, but this question is perhaps the least interesting.
If your kid, or anyone else really, steals your ID then age verification is the least of your problems. They could transfer all your money, move house, get married, change your name or a myriad of other much more serious things. Willingly letting your kid use your ID would be borderline illegal and not an insurance in the world would cover it.
> literally over 2.5 million
These people have never borrowed a book, visited a doctor, paid taxes or opened a bank account? There are many things in society that require validating who you are. Surely they have some form of ID. Perhaps just a more insecure one than a cryptographically signed.
I don't think a federal identity is as far fetched as you make it sound, for better and for worse.
> If your kid, or anyone else really, steals your ID then age verification is the least of your problems. They could transfer all your money, move house, get married, change your name or a myriad of other much more serious things. Willingly letting your kid use your ID would be borderline illegal and not an insurance in the world would cover it.
Yes, for most people, your kid absolutely could accomplish all of that. I absolutely could've done that as a kid. This is well-documented, you can find many cases of it actually happening. Kids can also steal your car keys and crash it, they do that. It's just that most kids don't just randomly go and commit crimes like steal all of your money, but they absolutely lie about being 18 and bypass restrictions meant for them. (Like for example, clicking 'I am 18' on websites when they're not. I've never done that, of course.)
> These people have never borrowed a book, visited a doctor, paid taxes or opened a bank account? There are many things in society that require validating who you are. Surely they have some form of ID. Perhaps just a more insecure one than a cryptographically signed.
> I don't think a federal identity is as far fetched as you make it sound, for better and for worse.
There's a lot of Americans who would have some choice words about that, and I suspect that is why we have 2.5 million Americans with no form of photo ID.
Also, I actually agree a federal ID is generally doable. I don't think it's a good solution for this problem, and I think it will be very difficult to enforce this one in the U.S. for cultural reasons.
> In the U.S., there is in fact not one federal ID, but instead we use state IDs.
That's only partially true. We also have federal IDs: passports, passport cards, permanent resident cards, DoD Ids, Transportation Worker IDs. There's also some other federally issued IDs listed as Real ID compliant [1], but I've never seen them so I didn't list them.
[1] https://publicpoint.fnal.gov/get-connected/Shared%20Document...
That's not exactly what I mean though, I really mean to say that there's no federal ID that you can basically rely on people having. I totally get that there are actually federal IDs, and probably could've worded that a bit better.
What I really mean is that among IDs you might expect every citizen to actually have, state IDs are basically the most reliable and even that only gets you around 99% of the way there.
> Almost all kids under 18 have parents or guardians. Almost all of those parents or guardians are 18 or older. So literally all you have to do to bypass age verification is steal their ID for a few minutes?
Presumably this is the purpose of the PIN, which I assume is in the owner's head, not on the card (otherwise it would be redundant with the NFC chip).
Look, I'm not trying to paint the picture that the problems aren't technically solvable; the fact that it kind of is is the part that makes this discussion so durable.
I admit that PIN verification would make it harder to bypass the system, though to be honest with you, I think it's also not really hard to realize that some kids will still manage to figure out their parent's PIN numbers, which they will likely re-use for their bank cards and a bunch of other shit, because most people don't really want to have to come up with 10 different PIN numbers, and we all kinda get the idea that PIN numbers aren't really that secure in the first place. Adding a PIN number requirement is probably a wise idea, but it does make the system a bit more of a PITA for everyone as people will inevitably forget their PIN and need to reset it or what have you. And I reckon that's basically how each countermeasure for problems of these systems go, each one just adds a little bit more pain depending on how hell bent you are on making it work. (I think the PIN number is good enough for trying to prevent someone for stealing your identity with your ID card to an extent, but not as good against people you live with misusing your ID card.)
Of course, you could keep going. You could try to come up with counter-measures to discourage someone from re-using their ID card for other people, and probably at least limit the impact of some of these issues to make the system basically work.
Even if you really do concoct the perfect solution for one country, you then have to make sure this problem gets solved correctly in every individual federal government, and then anyone who wants to offer adult content online has to individually handle identity verification across all countries that require it.
Meanwhile, we already have a system where essentially only adults can buy devices to connect to the Internet, and Internet service plans. You can't even get a debit card in the U.S. without being at least 18 years of age.
The big problem I have with laws like the UK has been that they solve a non-issue at the cost of large infrastructure and potential privacy problems.
Teenagers have been looking at porn since forever. It's practically a trope of teens stealing their parents' porn mags. I don't think any of this has actually caused major societal issues.
The proposed solutions merely require that a teen steal their parent's identification, briefly, to create a porn account and move on. Heck, they can probably buy that information online if they are innovative enough. They certainly will be selling access to their porn accounts to their classmates. And even if they don't go through all that trouble, getting a porn mag is still pretty possible in the UK.
That makes this just a bad law. It doesn't meaningfully stop the problem it's meant to stop and it's expensive and intrusive. Even if privacy preserving age verification was bulletproof and perfect, you still have the access holes all over.
And then there's the simple fact that other nations exist. Yes, mainstream sites will put up protections, but what about the sealand porn site? Unless the UK wants a great firewall (ala the chinese firewall), they simply aren't going to stop this problem. Even then, VPNs are common knowledge at this point due to streaming.
Bad law, bad effects, and a pointless fight.
It's 2025 and we're still discussing people's access to porn because of some conservatives, whereas we should be discussing how technology could actually be used to improve world.
Unbelievable. Let people watch their thing if they want to, jeez.
There are MUCH more important problems on Earth.
Having a device in your pocket that you take everywhere with no stigma to being seen with it yet it has unlimited access to any genre of porn you can think of is hardly comparable to finding a 90s porn mag in a bush from time to time, so you can't really say this has been happening forever.
Erotic novels have been discreet for a while. It's also not been usual to have a laptop in public since the 90s. There are definitely pictures of people perusing porn on trains (visible in reflections).
Briefcases were also a thing as have been strip clubs since forever. Quick access to porn hasn't been a problem since the printing press was invented.
> I don't think any of this has actually caused major societal issues.
It degrades and oppresses all women.
I don't necessarily disagree, but surely not more than not having it age limited?
To me it seems like Cory Doctorow is demanding perfection, and saying that because we can't achieve perfection in age verification, we can't do age verification at all. That isn't going to stop people from trying, and we will end up with a worse system overall. IMO this is a common pitfall of techno-idealists.
Technologies like the mdl standard [1] can attest to age without revealing the users identity.
As Cory points out, its still possible for kids to swipe someones ID and use that. There are probably practical solutions that are good enough. Android, iOS, and parents could work together to deal with the problem of stolen IDs. If mdl is implemented on devices such that they are managed by the device OS, that would lead to auditability. Parents can ask their child to see their phones ID app, which will show full roster of IDs on the child's device. If a parent sees an ID that shouldn't be there, they can have a conversation about it. In this way the law would be about empowering parents to shape their child's online experience. This is just a straw-man example solution, but there may be better ones.
The other objections I saw could be worked through in a similarly pragmatic fashion.
This is probably going to be good enough for most folks, and its probably a good thing to keep children away from pornography and such. And IMO coming up with a "good enough" solution will flush out all the bad actors who are hiding behind the excuse of "save the children" when really they want to build up an record of everyone's browsing history. But by denying any solution to a real problem, we let the bad actors hide amongst the well-intentioned folks who are trying to do the right thing.
> To me it seems like Cory Doctorow is demanding perfection, and saying that because we can't achieve perfection in age verification, we can't do age verification at all.
Not we can't, but we shouldn't. All the current solutions are terrible, and are either trivial to fool or mass surveillance machines. We shouldn't be stupid enough to go for either option because it'll either cost a fortune while giving us nothing, or cause immeasurable harm when the National Porn Viewing Database inevitably gets used to blackmail everyone.
We're trying to (poorly) use technology to solve a social problem. If we can't figure out a way to do so using technology without significant downsides, then perhaps we shouldn't be using technology to solve the problem at all.
The MDL standard does not do what you think it does.
My understanding is that it supports selective disclosure of attributes such as "over 18". Is this not true?
They also get who actually passed the bill wrong - it was the last Conservative government.
> common pitfall of techno-idealists
Common pitfall? It’s why these techno-idealists are loudmouthed on the internet, but don’t get respect anywhere politically. If you want to gain ground politically, you need to at least acknowledge what the problem is, or is perceived to be, and offer a real solution. “Nope we can’t do that because of this 0.1% edge case” doesn’t qualify. “Apple should just dump all schematics online regardless of what China might do” doesn’t qualify. “The internet is great at it is, and your political concerns are invalid” doesn’t qualify.
> If you want to gain ground politically, you need to at least acknowledge what the problem is, or is perceived to be, and offer a real solution.
Why? If you do not believe it is a problem that's just like apologizing when you haven't done anything wrong.
if you, like Cory Doctorow, are an activist there's two options. One you scream from a soapbox with no regard for what other people think in which case it's evident you're doing it for self-aggrandizement and attention, or you take into account what the sensibilities and problems are of the people you try to convince and work within that frame of reference.
If you're campaigning for technological and/or political change you're in the business of changing peoples minds and if that doesn't matter to you, you've chosen an odd way to spend your time.
I think all members of your ethnic group are inferior and dangerous (if you identify with more than one ethnic group, pick one). I'm calling for legislation mandating that you all be rounded up and put in camps.
If you want to argue against my proposal, please remember to stay within my frame of reference.
That’s an example where there’s not much point in arguing against your proposal precisely because of the impossibility of establishing any kind of shared frame of reference. If people are trying to put you in concentration camps then the time for reasoned argument has most likely passed. On the other hand, people who support and oppose these sorts of age verification laws might actually have a lot of common ground, if they’d take the time to find it.
Yeah, it feels like a junior engineer fresh out their undergrad algorithms course. The business isn't going to grind to a halt and wait until you build the perfect solution.
Let’s take the pornography argument for example.
Regardless of whether pornography is, or should be legal, average exposure is now 11 years old. That’s average, many kids are even younger.
If this even prevents 95% of kids from accessing pornography until they’re 15 and get a debit card to buy a VPN, that’s a win in the eyes of most parents and legislators. It doesn’t need to be perfect, or even perfectly force you to be 18, to get the primary job done. Pointing to “a 16 year old can get around it with a VPN” is missing the point. It’s not a surprise why that argument falls on deaf ears.
Or, another one, “just use parental controls,” have you even tried this? Almost all parental controls are horrifically buggy, full of loopholes, and these kids can just borrow each other’s technology. Apple’s parental controls predate HTML5 (literally, HTML 4.01) and regularly don’t work, sometimes even by their own admission. It also forces the parent to be in the role of a tech expert fluent in Microsoft, Apple, Google, Nintendo, and other products all at once. You might as well get CompTIA certified. That argument also falls on deaf ears.
> Apple’s parental controls predate HTML5 (literally, XHTML 4.01) and regularly don’t work, sometimes even by their own admission. It also forces the parent to be in the role of a tech expert. That argument also falls on deaf ears.
The solution, then, ought to be to pass a law requiring some sort of standardized parental controls that allow trivial set-and-forget management. Require device manufacturers/software distributors to sort out a "child mode" switch you can flip upon device initialization, in-your-face and unmissable, and then have apps/webpages be able to see whether the device reports it's in child mode. Does this not solve the "prevents 95% of kids from accessing pornography" threshold of effectiveness while being infinitely less invasive?
> The solution, then, ought to be to pass a law requiring some sort of standardized parental controls that allow trivial set-and-forget management. Require device manufacturers/software distributors to sort out a "child mode" switch you can flip upon device initialization, in-your-face and unmissable, and then have apps/webpages be able to see whether the device reports it's in child mode. Does this not solve the "prevents 95% of kids from accessing pornography" threshold of effectiveness while being infinitely less invasive?
This feels like an idea out of a previous era; where a lone family computer sat in the living room. There are so many devices now, we can't assume we control or know about all devices our children may have access to.
> There are so many devices now, we can't assume we control or know about all devices our children may have access to.
This is specifically a solution for a world with many personal devices. The devices a child has access to are their own (in child mode), someone else's being lent to them (the analog loophole, not solved by child mode or proof-of-age), and public devices at schools, libraries and the like, which are typically locked down.
> Require device manufacturers/software distributors to sort out a "child mode" switch you can flip upon device initialization, in-your-face and unmissable, and then have apps/webpages be able to see whether the device reports it's in child mode.
Wouldn't even need to develop anything new for this outside of a simplified UI over an MDM. Devices already support an incredible amount of monitoring and control, even iDevices, via MDMs.
But MDMs are for now only business/enterprise products, and are priced as such.
Makes me wonder if there's a market there for someone to just package up a consumer-focused, dead simple to use MDM. Enroll with QR code, set up some default policies, etc.
It’s a better argument, and would gain more political ground, than do nothing.
However, there’s one major problem: Most families aren’t actually using the multi-user capabilities of their devices. Many devices, like iPads or iPhones, just don’t support multi-user at all.
The result? Either parents are tech experts again, or have deep pockets to get everyone a device, or you’re going to have a bunch of kids logged in as their parents on their devices (as is already the case). Of course, that defeats the policy goal. That’s a non-starter, unless we agreed that a device manufacturer could force a biometric check when accessing an age-verified device account.
Nobody has proposed such a thing; but if there was a good way of making sure that the age-verified user is the actual person engaging with the age-verified account, then we might have progress in that direction.
Personally though, I would really prefer to not have the government get any ideas whatsoever about dictating firmware or OS security or OS parental control requirements. Do you really want your Linux distribution mandated to implement an age check firmware with phoning home requirements to a government parental control server?
That's not a major problem. Also, how does age verification fix things in that scenario if a child is using their parents device?
If a parent can't be bothered to pin-lock their device or flip it into child mode then there is no technological solution. Now you're the one looking for the perfect solution that doesn't exist.
> Also, how does age verification fix things in that scenario if a child is using their parents device
Because the age is verified at the time of access; instead of once during initial setup. Odds are that the former will catch far more flies than the latter.
Your employer probably does the same. Do they have you log in once when you set up your laptop, then comfortably happily say it’s you for the next three years; or do they have you sign in every morning?
> Because the age is verified at the time of access; instead of once during initial setup.
Is that really how it works? Every single time you visit any website on the Internet or launch any app it's going to age ID you? I don't think that's right. You validate your account and then you login and you're good. If someone else uses your account, they are you.
And as you said, people share devices but it's also usually one account per app per device. You have to go out of your way to sign out of each individual app or website.
> You validate your account and then you login and you're good.
... which doesn't work, because it'll quickly lead to an enterprising 18-year-old highschooler selling pre-verified porn website accounts for $10.
> Regardless of whether pornography is, or should be legal, average exposure is now 11 years old.
You make it sound like historically it was much later but actually even in the 1980s 11 years old was common. In fact, that matches my own personal experience from that era.
> Or, another one, “just use parental controls,” have you even tried this?
Parental Controls is the right answer but absolutely agree that parental controls suck. As a parent, I'd love just any level of better control. I don't even care if I have different controls per manufacturer as long they're pretty complete and capable.
If the EU can mandate USB-C, they can mandate all technologies include powerful and capable parental controls.
There is no need for age verification -- parents know how old their children are. Parents are providing children with the devices and often the means of connectivity as well. This is and has always been a parenting problem. If the government wants to assist parents, I'm all for that. But age verification is not the answer.
> Parental Controls is the right answer but absolutely agree that parental controls suck. As a parent, I'd love just any level of better control. I don't even care if I have different controls per manufacturer as long they're pretty complete and capable.
> If the EU can mandate USB-C, they can mandate all technologies include powerful and capable parental controls.
> There is no need for age verification -- parents know how old their children are. Parents are providing children with the devices and often the means of connectivity as well. This is and has always been a parenting problem. If the government wants to assist parents, I'm all for that. But age verification is not the answer.
We no longer live in the era of a single family computer. Parents don't know about all devices their children will use to access the internet, so filters aren't going to cut it.
A good implementation of age verification would assist parents, as you suggest, while denying control to the government. IMO parents should always be able to bypass the block for their children. If the government wants to "block" Wikipedia, the parents should be able to give it back to their kid.
> mandate all technologies include powerful and capable parental controls
That is, until Linux is also forced to come into compliance with said parental control standard, complete with all centralized reporting and remote restriction capabilities.
> This is and has always been a parenting problem.
What do governments do when everyone has the same parenting problem? Listen to industry idealists, like those who would call teenage smoking a “parenting problem,” or crack down?
> That is, until Linux is also forced to come into compliance with said parental control standard, complete with all centralized reporting and remote restriction capabilities.
Linux is fine. Someone can build the ultimately perfect parental control software for Linux and I'll use it. The same cannot be said for Windows, Android, or iOS -- third party system cannot exist for those platforms that are sufficient unless they're made by Microsoft, Google, or Apple respectively. Perhaps we just have to mandate an open standard. In fact, I would prefer that.
> What do governments do when everyone has the same parenting problem?
The wrong thing. Always.
> Linux is fine. Someone can build the ultimately perfect parental control software for Linux and I'll use it.
You can't build a perfectly secure system and still respect the user's freedom. The perfect parental control system is by definition also going to be the ultimate rootkit - or else you'd just boot your own kernel which perfectly fakes the parental controls.
In such a world you wouldn't be allowed to build your own OS, only boot a pre-approved image. The Linux community is not exactly likely to participate in this.
No solution is perfect but we already have secure boot. It doesn't even have to mandate some pre-approved image; it just has to be an image that I approve and lock. This is already a well solved problem for corporate environments.
You miss the point. I want all the power. Let me install and configure a Linux image of any sort and then lock it down. I am root. My kid is a mere user.
There is nothing terribly difficult or even controversial about that.
> Almost all parental controls are horrifically buggy, full of loopholes, and these kids can just borrow each other’s technology.
... and the centrally imposed, one-size-fits-all, politics-first age verification system you want will of course be free of bugs, loopholes, opportunities to borrow devices, or whatever.
That's good, since you want to apply it to every single person on the Internet.
All the govt needs to do is send fines to offenders and the industry will be forced to implement one or more solutions.
The govt doesn't care how you verify age only that you don't sell to minors.
And how well has this worked in practice? How would you even identify violations, if you're not requiring websites to store the user's real-world identity?
Large websites do not care even the slightest bit about how accurate the verification method is. They have zero incentive to genuinely get rid of underage users. If anything, they want to keep them - they are prime advertising real estate! Websites have every incentive to implement the age check in the cheapest and most half-baked way possible. As long as they are able to prove on paper that they are doing some form of age verification, they have met their requirements. Got a 90% false positive rate? Working as intended!
The only people getting fines are the small websites who can't afford to pay a 3rd party verification service. This'll shut down your local hobbyist communities, which only drives more visitors to the large megacorp websites.
Experience with GDPR and DSA shows that the fines lag years behind the abuses.
Yeah, it seems like Doctorow presents arguments that a good IDP system is complicated, but begins and concludes by saying it's impossible.
It kinda seems the internet has real, longstanding problems stemming from the inability to verify anything about anything online. For the most blatant example, a website admin can never permanently ban a troll or criminal (they just sign up under a new name).
It makes one wonder how Doctorow reconciles the internet as it is with his stand against adopting some kind of IDP system.
I'm confused. Author puts crypto backdors and IDP with ZKP into the same bucket and calls it "nerding harder". But why? You can have identity provider, several European countries do and you can have subcredentials. You literally can nerd harder here.
Sure, there is a strong ideological argument why you should not have strong identities required in the internet in general (or even in offline) and on porn sites specifically, but the argument is not technical.
These 'anonymity' technologies are laughably worthless - sure ZKP might provide mathematical proof that it's impossible to find out who the subject is, but embed a tracking cookie and fingerprinting script into both the porn site, and the online grocery - and there you go, you have irrefutable cryptographic evidence of how John Doe likes to spend his evenings.
The porn site and the grocery can already embed a tracking cookie and do fingerprinting to match their visitors.
As soon as fingerprinting becomes criminal offense, this will end quickly. Nobody big enough is going to risk that.
Isn't it basically illegal under the GDPR? You're not allowed to just collect data for the hell of it and need actual consent.
The GDPR is a fucking joke even on the best of days.
If other laws were like it, they would be like: You're not allowed to steal (unless you really need to), but if you do, take as little as you can (as determined by you), and you have to give it back as soon as you can (again, according to you), and if the person you stole from wants it back, you have to (unless you have a good reason not to)
But it is. In those European countries, IDPs and certification authorities are one and the same entity. So the technical requirement of privacy evaporates, the government will always know who is proving their age to which porn site.
IDPs and certificate authorities can be the same with no problem if you design your protocol so that the porn sites do not see your certificates. E.g., IDP issues you signed identity credentials. To prove age to the porn site a ZKP is used to prove to the porn site that you have signed credentials that give you age as 18+ but without giving the porn site any information other than that.
The ZKP approach is what the EU is doing.
Note that in the article the objection to ZKP systems is not that they don't work correctly (because they do work). It is that it can be hard for some people to obtain IDs, it may cost to much for some sites, it could be hard to regulate IDPs effectively, and things like that.
That’s easy to fix. The IdP and the checking service do not have to be the same. The checking service can be a 3rd party that works with IdP verifying facts on behalf of regulated services like porn sites. The job of IdP is to certify the facts and do KYC for checkers to ensure they don’t cheat. The regulated service can ask customer which checker do they use and then ask the checker. The customer may have a long term relationship with preferred checker on a market where multiple checkers exist and reputation matters for being competitive. This way checker is incentivized to maintain privacy and does not have conflicts of interest like the government. Government agencies can still investigate customers but they will need a court order to get the data from checkers.
And how is the general public supposed to verify that the IdP and checking service aren't collaborating? If it is possible for a checking service to create a log, given how Big Tech has been treating user data, how can we ever trust that they aren't logging everyone's data?
Reputation is irrelevant. Everyone is trustworthy - until they are not. The dark web is filled with data leaks from reputable parties.
I don't know why you are downvoted. And even more disappointingly, it is interesting how easily people overlook the fact that this is happening in lockstep across the globe, obviously the goal is to deanonymize the internet.
I can't wait for the next generation that will enjoy "nerding out" on how to best patrol every neighborhood with drones.
Let's put NFC tags on everyone at birth, we can then nerd out harder.
>Others say they can estimate your age by using AI to analyze a picture of your face. This is a stupid idea for many reasons, not least of which is that biometric age estimation is notoriously unreliable when it comes to distinguishing, say, 16 or 17 year olds from 18 year olds.
It doesn't matter it's unreliable telling 17 year olds from 18 year olds. This thing is to reduce the amount of porn kids are exposed to. It's not like issuing a passport or something. As long as it sort of has some positive effect.
I actually did the face picture thing for Reddit. Seemed to work ok, although I'm 61 so not too near the cutoff.
If you're a web person who understands SSL, privacy-preserving age verification can be explained by analogy.
It's a system which requires a central agency, probably a government agency, analogous to a certificate authority.
You are authenticated with that agency; it has personal info about you. But you are externally identified by some impersonal identifier, not your name.
The agency issues you a certificate binding this identifier to an assertion like "is over 18 years old".
When you interact with a site that wants to know whether you are over 18 years old, you present the certificate. The site can see that it's signed by the authority and that it has the assertion that you are over 18.
You can't just give that site someone else's certificate because it has to be the one tied to the abstract identity you are presenting (which contains no personal info; it's some kind of UUID or whatever). Plus the cert can be bound to a specific device and such.
The cert has a private keys with which you can prove that you own that cert; or at least that you are the authenticated operator of a device to which that cert was issued.
It's something like that. I may have some key details wrong. The main idea is that some brokerage that does have info about you can attest that you are over 18 without revealing any of the personal info via certificate-like objects.
It sounds like, in theory, the system can achieve good privacy in age verification. But not perfect age verification; people will find ways around it.
A grown up can certify themselves to be over 18 and then hand the device to a teenager; and such an operation can likely be scaled to some extent. And of course no cryptographic system can eliminate the possibility that minors are looking at the screen of a device operated by an adult, who may even step out of the way to let them operate it.
> (which contains no personal info; it's some kind of UUID or whatever)
And now all the websites have an uncircumventible and highly reliable fingerprinting scheme to track you across literally anywhere. Only identity thieves care about whatever data the agency would be safeguarding: linking up accounts between websites is more than enough for anyone else who would want to abuse that information.
While I understand your point, I just wanted to point out that I am not sure if there is not technical solution to the problem. I wonder what can be done with a technology similar to this: https://huggingface.co/spaces/zama-fhe/encrypted_sentiment_a... Or this https://en.m.wikipedia.org/wiki/Zero-knowledge_proof Ok I didn't point the exact solution for the problem, but still it hints me that technical solutions may exist.
Anyway, I am not in the side of control freaks, but still find the question interesting.
How would setting up a primary credential with an identity provider differ from the process of registering to vote for USA citizens? All the discrimination opportunities and accountability issues seem to apply equally there.
if you had to register to vote to use Reddit or whatever people would complain about that constantly. and voter id laws are in fact controversial yes.
The same people who argue this will also argue that voter ID rules are discriminatory.
Voter ID laws actually have a long history of being used for disenfranchisement of certain classes in the US (most notably former slaves and their descendants, but also women), so it's understandable there is scar tissue there. It gives the incumbent state another lever of power in our very close first-past-the-post winner-take-all elections. Americans don't need imagination to see how it could be abused, just a good history book.
The problem with voter ID laws have rarely been with the ID itself. Very few people would have issue with a voter ID law which also guarantees that 100% of the population can easily obtain said ID at zero cost.
The issue is that those laws are usually linked to very specific forms of ID, which just so happen to be easily available to certain demographic groups.
Imagine a voter ID law where the only acceptable form of ID would cost $50.000 to purchase. Would you consider that fair and nondiscriminatory? What if you could only get the ID on the third Tuesday of the month, between 14:00 and 14:30, at a single location in the entire state? What if the ID required you to pass a certain kind of test, judged arbitrarily by a government official?
Are the laws that require you to show ID to buy alcohol, tobacco, fire arms, or gamble in casinos also discriminatory? Or is it only discriminatory when you prevent people without IDs from watching porn?
The definition of Porn by the state can change to include things that some people consider protected by the first amendment - right now there are a lot of state politicians or members of the house on record supporting classifying discussion of LGBTQ lifestyles as pornography for example.
I think alcohol, tobacco and gambling here are mostly irrelevant, but the firearms is a better example because of the second amendment, where you have a clash between a very old right granted by the bill of rights clashing with modern societies beliefs.
> Are the laws that require you to show ID to buy alcohol, tobacco, fire arms, or gamble in casinos also discriminatory?
So long as it is done for a legitimate purpose and in good faith, generally no. As such, IDs are only expected where there is reasonable suspicion of possible violation. For example, there is no onus, with a few exceptions, to see an elderly person's ID to buy alcohol when there is no reason to think that they aren't below the minimum age.
The exceptions haven't really been tested. It very well could be found discriminatory, and you could make a pretty good case that it is. Which is ultimately the same case being made earlier. Asking a no-question-about-it 50 year old to provide his ID to watch porn isn't really in good faith, is it?
I agree "ensuring everyone has ID" is a separate problem that we should absolutely trying to tackle. We are already seeing people struggle with it absent any new ID schemes, eg in the case of trying to get access to banking. You can already get ID at a post office, maybe we should add other government facilities such as libraries.
That's absolutely true, and orthogonal to the problem that you shouldn't need to identify yourself to anyone in order to access arbitrary websites.
I don't think thats the proposal. The proposal is that you prove to websites that you are over 18 to see adult content.
"adult content" is the boogeyman, to try to make this harder to argue against. The actual net result is shutting down a wide variety of websites and making people identify themselves (to paid identity providers conveniently provided by those who lobbied for this legislation) in order to access others, including Reddit, Discord, etc.
You should not need to identify yourself to access arbitrary websites, either to the website or to some third party.
The “not everyone has an ID!” argument is such an American perspective. The vast majority of world citizens live in countries that require you to have some form of government ID anyway:
https://en.wikipedia.org/wiki/List_of_national_identity_card...
It seems pretty reasonable to leverage this into online identification.
In fact, online ID is already used in the European Union for popular initiatives (see, e.g., https://www.stopkillinggames.com/ ) and nobody seems to think this is “bullshit” or infeasible or any of the concerns that are lobbed at the age verification requirements.
It's more accurately a very Anglo perspective. The US, UK, AU, NZ, CA all do not have national ID cards.
You’re probably better off just reading the paper he links to:
https://www.cs.columbia.edu/~smb/papers/age-verify.pdf
I think it shows the difficulty of implementing it for everyone. But Apple and Google’s cell phone implementations would probably cover most people in some countries when finished, and then there will be a long tail of people who will need cheats and workarounds.
You’d be screwed if you didn’t have any friends who could help you cheat.
I think this would be a perfect use-case for blind signatures. https://en.wikipedia.org/wiki/Blind_signature
Let's say every citizen has an account with their federal government, and the account can be accessed securely in some reasonable way (password, 2FA, hardware token, etc.).
The government can have a public-private RSA key pair specifically for "At least 18 years old". Once the user is authenticated, he can generate a nonce and a blinding factor, multiply them together to get a blinded random number, and upload that to the government for signing. He takes the signature and unblinds it, then submits the original nonce and unblinded signature to the adult website. The website confirms that the nonce and signature is valid according to the government's public key.
This system raises many questions. For example, preventing replay attacks, so the adult website will reject any nonce being reused, or mandating that a timestamp be a subcomponent of the nonce. There is the un-answerable question of how to handle the case where a legitimate adult offers valid signatures for someone else to use. There is also the question of, to what extent the adult website should be able to keep track of the underlying users (even in a hashed format) to monitor abuse, suspicious users who have too much activity, etc.
The main problem with that approach I believe is that since proving your age to the porn site involves an interaction with the government site and the porn site which will occur at close to the same time.
If the porn site and the government site both keep logs and someone is able to get the logs from both they might be able to match up timestamps to unmask some porn site users.
A system that allows this is called "linkable".
It might be possible to mitigate this by introducing delays and noise. Wait some random amount of time before giving the finishing the verification with the porn site. Have a process running on your computer that frequently generates nonces and has the government sign them.
Probably better is to use a protocol that is unlinkable. There are ZKP systems that are unlinkable.
The problem is not only that it's impossible to make cryptography that's only secure when the good guys use it, it's that once cryptography is made insecure, it's insecure for everyone, forever.
I'm not a privacy hardliner, and I think the socially acceptable tradeoff between privacy and security have been well established before the computer era - if the police has a well-enough established suspicion against you - they can get a warrant and search your home. That's due process.
I would accept if there was a digital version of that which targeted not the encryption itself (which could be as strong as possible) - but the endpoints, like smartphones and computers.
Let's say police had a device which they could plug into your phone, which would send a specially signed message - a digital warrant, containing all the info a real warrant would - which be permanently be burned into the ROM of your phone, after which the phone would surrender its encryption keys, and the police could dump your unencrypted disk.
The phone would be then presented as evidence at the trial, and not following due process would be a cause for mistrial, no matter what they find there.
The general public would be safe in the knowledge that as long as the police isn't hauling them in, their secrets are safe, and the government would get the tools for what they claimed they wanted - a way to catch bad guys with digital tools.
> Let's say police had a device which they could plug into your phone, which would send a specially signed message - a digital warrant, containing all the info a real warrant would - which be permanently be burned into the ROM of your phone, after which the phone would surrender its encryption keys, and the police could dump your unencrypted disk.
And when (not if) that device leaks whoever steals your phone will be able to get access all of the things in there.
I'd imagine such devices would be very tightly controlled, being hard to access for civilians, and lets say limited to 1 such device per 1m people(which would also give you an idea of what sort of frequency this is supposed to be used).
The keys for every phone would be stored in a central repo, with a separate key for every phoneX every decryptor(which has its own private key). Meaning you'd need a device and the central repo to access users data.
But lets say they manage to build a bootleg version, what would be the criminal gain for them? Reading the data doesn't mean they can impersonate you, as the device wouldn't give you access to private keys used for authentication (lets even say these are deleted), only encryption.
The criminals could brick your phone and read your texts. There's only very niche cases when this would be worth it to them, like you're the subject of a highly targeted intelligence gathering op.
> The problem is not only that it's impossible to make cryptography that's only secure when the good guys use it, it's that once cryptography is made insecure, it's insecure for everyone, forever.
Correct.
> Let's say police had a device which they could plug into your phone, which would send a specially signed message - a digital warrant, containing all the info a real warrant would - which be permanently be burned into the ROM of your phone, after which the phone would surrender its encryption keys, and the police could dump your unencrypted disk.
You are now advocating for making phones insecure for everyone, forever. No.
Overall this article is completely correct and I agree with every point of it and have tried to make these arguments about the various ZKP proposers that I have encountered.
But I almost gave up early because he can't resist the urge to take a dig:
> For politicians to make good policy, they don't need to be technical experts: they need to have solid, independent, well-resourced expert agencies. Those would be the very agencies that Trump and Musk have DOGEd into oblivion ...
And then in the next paragraph blithely engages in some Gell-Mann amnesia
> But when it comes to tech policy, politicians get it all so goddamned wrong
Expert agencies formulating clean water policies are emphatically not the reason that we have potable water. Experts in actually doing the work of producing clean water are the ones that push the standards upstream. It's a subtle but important difference.
Look, it's not 2018 anymore, we survived a round of Trump and we'll survive this one and the world will not end and some things will get better and some things will get worse, but trying to tie everything back to how Trump has ruined everything is going to make your views look worse and worse as they age.
Even after reading the article, I think there are reasonable ways to set up a low cost system that uses zero-knowledge proofs to "prove" your age without disclosing your identity. I do think that you will need trusted entities and the system will only stop most, maybe 80 or 90 percent of children under 18 from seeing porn. But, if you do this, then maybe 99% of kids under the age of 14 will have a lot of difficulty viewing porn which is a good thing. There may be valid a slippery slope argument for not setting up the age validation system even if everything I said above is true.
On the other hand: Are you willing to pay hundreds of millions for developing the biggest data leak in human history, killing websites like Wikipedia in the process, while stopping only 10% of underage children from seeing porn?
The current systems being put in place in the UK are privacy-invading and ineffective. In my opinion they are worse than not having anything at all. I might be willing to change my viewpoint if something better comes along, but if a proper solution was so easy, why haven't we seen a peer-reviewed reference design yet? What's stopping the nerds from nerding harder?
> On the other hand: Are you willing to pay hundreds of millions for developing the biggest data leak in human history
The comment you are replying to was talking about ZKP based systems. In those systems you don't show any identity information to the websites that you are trying to prove your age to.
Those systems can be made leak proof by making the party that you have to show identification to be some party that already has your identity information. For example it can be the government agency that issues your driver's license.
Yeah, I think even if we only manage to delay the "age of first porn viewing" to something like 14-15, thats probably a win.
Maybe, but as a parent, I believe its an embarrassment to expect to radically retrofit a society in such ways as to make up for my own negligent lack of responsibility for my own children, which I do take quite seriously. Not to mention the myriad of resultant unintended consequences which invariably arise when such systems(of which i'm quite familiar) are brought to bear. Though I do speak from such a position of professional neutrality, as I would gain no benefit at all from implementing such a ubiquitously mandated system. Perhaps if things were different, I'd think otherwise.
In my opinion "we need mandatory age verification" is an admission that we can't really address the overarching issue of parents that can't/won't parent at a good enough level. Narcissistic parenting without any added access to questionable content on a smartphone is still... narcissistic parenting. The definition of "parent better" differs between people and is often non-negotiable, even way before anything involving CPS occurs. Not to mention, the content being withheld will become available at adulthood anyway, and can still be harmful if the person has not been given the tools to navigate it well.
Admittedly the bar is far higher with ubiquitous social media and smartphones. I'm not sure a parenting license system would ever work out in practice. Yet a lot of issues stemming from upbringing can cause irreversible harm and I don't feel like those root causes are brought up that much in the broader discussion about mental health symptoms.
It pains me to think that some amount of debilitating childhood trauma is unavoidable, but content restriction at least sounds like an actionable problem that doesn't require uprooting the fabric of society to correct.
What a breathlessly overhyped post. Basically - yes we can do it technically, but there's big economic and social limitations on rolling something like it out.
Hard for sure, but not bullshit. I actually found it hard to read the post - it could have been a third as long and more useful and measured. But I guess it gets clicks.
Remember when they passed a bunch of really strong anti-terrorism bills in the US after 9/11 and we were all super sure that it was a great idea because they promised us they'd show restraint and only use the powers they were giving themselves against the worst of the worst, then they declared vandalism to be terrorism (https://www.reuters.com/world/us/trump-says-he-will-buy-new-...)?
That's how I expect "privacy-preserving age verification" to go. It's the narrow end of the wedge. Once privacy-preserving age verification is in place there will be some reason to get rid of the privacy, and we will have a fully tracked and identified internet.
> "Privacy preserving age verification" is bullshit
it is possible if you accept that it only needs to be good enough
- it's fully okay if it can be deceived in all kinds of ways
- verifying only once per account is okay, if a adult passes their verified account to a child that their responsibility
- legally not just forbid but criminalize (with required prison sentence) the storing of any data except is adult yes/no from a age verification process
- allow a OS accounts to just tell applications (including websites) that "is 18", if a age verification was done in the account, also no singing or anything cryptographically, because again it's good enough no need to protect it against hacking, the main responsibility still lies with the parents
so then you can do a single age verification per OS account, once, and be done with
furthermore this verification could e.g. go through a process which might identify you identity but a) isn't allowed to pass anything but adult yes/no to anyone else b) isn't allowed to store that info c) on a storing it is a "criminal liability" level where a CTO ordering data collection would go to prison
through if you live in a country where everyone has a passport with NFC chips (e.g. all of EU) just adding a "adult yes/no" function(1) to it + a transparent (open source, non profit) app per country to bridge it to accounts which need verification would do the job without needing the extra strict criminalize abuse part.
Which brings us to the main problem:
- requiring politicians to accept a "good enough" solution, accept that the main responsibility still lies with the parent
- politicians not abusing it to spy on their population
- make laws to prevent companies from ab-using "age verification" to collect private data
and that seems indeed impossible
---
(1): Technically I think it does exist, somewhat in many passes already. But practically it not viable as it (I think) discloses too much information and has too much issues wrt. integrating it (wrt. certificate nonsense)
No cryptographic verification is required for content blocking. Make it easy to set up a slightly locked down "child" account (e.g. one behind a MITM proxy that only lets through HTTP(S) and blocks some domains) by requiring it from every OS vendor. Label existing devices/software without it "18+".
>politicians all over the world demanded a kind of impossible encryption
It's not impossible to design a cryptographic system where law enforcement is a party within it. The false dichotomy of encrypted or not encrypted in my opinion is used to shutdown the conversation since it's easy to argue why no encryption is bad. It's a strawman.
It's impossible to design a cryptographic system that does end-to-end encryption and has a backdoor that can never be misused. No technical solution will address the fact that it's failing at its one job.
That is a bad faith argument.
As soon as there is another untrusted party in the encryption, an in particular a party with a "skeleton key" that can decrypt anybody's message, then your encrypted communications are merely one leak away from being decoded by everybody else.
If there's one thing you can trust a government to do, it's to not be able to keep secrets for very long.
https://www.vice.com/en/article/hackers-published-replicas-a...
You can do things like require the service to verify that the court order is valid before they gain the capability to decrypt a subset of messages that the court order allows them to see. There doesn't have to be a skeleton key.
What is the mathematical formula for a valid court order? How does it look different from a court order signed by a judge held at gunpoint? How does it look different from a court order signed by a dictator's minion? How does it prevent someone from tricking a judge into signing an order to decrypt message 2421425241 instead of 2421475241? What is stopping the service from accepting invalid court orders? What is stopping the service from just decrypting everything for convenience?
Note: this comment is just about what is technically possible, not what should actually be done.
Actually those issues could be addressed by using a sufficiently large threshold system to protect each message's decryption key, so that in order to decrypt a message a large number of people have to agree that it is justified.
You could make it for example so that a message can only be decrypted if it is approved by judges in 3 different federal circuits, with at least 2 judges in each of those 3 circuits approving, and also approved by at least 2 outside civil rights groups chosen from {ACLU, EFF, Amnesty International}, and INTERPOL.
If that's not good enough we could also make it so that for each message the threshold system includes 5000 random citizens with smartphones and at least 3000 of them must agree.
>What is the mathematical formula for a valid court order?
This is a political / social issue. A human has to decide.
>How does it look different from a court order signed by a judge held at gunpoint?
It doesn't. You could similarly hold developers at gunpoint to push malicous updates too or at users to give them their messages. Putting people at gunpoint is illegal.
>How does it look different from a court order signed by a dictator's minion?
Judges could have their own private key so it would be noticeable that the minions private key would not be trusted.
>How does it prevent someone from tricking a judge into signing an order to decrypt message 2421425241 instead of 2421475241?
It doesn't. This is solved by laws that make such an action illegal to do
>What is stopping the service from accepting invalid court orders?
They want to protect the privacy of their users so they should reject invalid court orders.
>What is stopping the service from just decrypting everything for convenience?
They would not have the keys LE has. So it could be setup such that LE's keys are required to decrypt something.
Right, just "nerd harder".
The mathematics of encryption just doesn't play that way.
Then please prove the possibility by doing so.
Up to now, there has only been intense wishful thinking by politicians, and strong "NOPE" by anyone with any kind of knowledge about cryptography. Either really everyone, including the likes of NSA, CIA and other spy services don't actually employ top cryptographers. Or they repeatedly tried and failed miserably. Or really nobody, including the spies, wants backdoored NOBUS encryption.
NSA does probably want it, and did probably standardized at least one such scheme in the past: Dual_EC_DRBG.
The argument regarding general use of encryption for communication is that (a) law enforcement private keys would leak sooner or later, suddenly exposing everyone’s past communication, and that (b) criminals would just use “forbidden” encryption (“if x is outlawed, only outlaws will use x”).
(a) LE keys don't have to be all powerful. It can require actions from other parties such as the company that is running the chat or a judge. It can limit the scope of who or what messages can be decrypted.
(b) Perfect is the enemy of good. Smaller services won't have the same utility and network effects of large ones.
If you include law enforcement by default, the system becomes completely insecure literally the first time an agent is corrupt, lazy, or just gets access stolen from them.
You can design it such that the a single agent isn't able to decrypt anything. You can also do things like limiting the number of decrypted messages per period of time and more.
From logical standpoint it seems pretty obvious that the person providing children access to porn is their parents when they give them an unfiltered internet connection, not the porn websites. God forbid we actually require parents to, you know, parent.
Also, water wet.
Not just age verification. The whole security circus is bs. Kids cannot go outside by themselves anymore. They have to wear helmets while being constantly monitored. None of it has brought us to a better place. Fuck it. Just fuck it.
I couldn't read past the dig at Trump, quite honestly. All that the Trump admin has done is reduce some of the massive bloat in the Federal Government, but people with TDS can't see it because they have this enormous blind spot of hatred built up in their minds. And if they have that kind of inability to think through real life in that regard, then they have other massive blind spots as well.
I'm 100% against the modern Puritanism being pushed by statists. I think it's disgusting. Police your own kids, don't look at things you don't like, and let the rest of us be. Massive government surveillance systems are evil, and "government experts" are just assholes, to be brutally honest. It's make-work jobs at the taxpayers' expense, and we never actually could afford that "expert class" of know it alls meddlers.
