There are a variety of ways (see "Verifiable Credentials") that ages can be verified without handing over any data other than "Is old enough" to social media services.
> Age verification obliviates anonymity on the internet.
How so?
Please explain in detail, because there are already schemes such as "verifiable credentials" which allow people to prove they are of age without handing over ID to online services.
> You need to 100% trust those verification services.
First link - mitigation: use a well supported standard like OIDC, not a home-cooked scheme. Duh.
Second link - this is part of the problem such schemes as verifiable credentials are designed to address, random third parties collecting ID they don't need.
Yes, any system needs to be executed well. Neither of these really display that.
If _the government_ can't be trusted not to use a dumbass scheme, then no, it isn't a duh moment. You don't exactly get to dictate how the government implements it!
The point is that systems today, aren't really well executed. So it is unreasonable to expect them to be well executed.
If you can't trust people not to build the bomb well - then don't let them build a bomb.
> You don't exactly get to dictate how the government implements it!
Who was talking about the government implementing it? I wasn't.
And also "This has been done poorly in the past so we should never attempt to do it again, better" seems an odd way to go about things. There are well put together schemes by international standards bodies in this area now. Neither of the above links followed them.
I mean, your example of the ATO there isn't even an age verification thing, it's a defective clone of OIDC, so by that logic we should ban all SSO or identity delegation solutions?
Because we don't believe anyone will ever use the standards in this area, despite loads of companies and government bodies actually using OIDC already?
> I mean, your example of the ATO there isn't even an age verification thing, it's a defective clone of OIDC, so by that logic we should ban all SSO or identity delegation solutions?
MyGovID _is_ an age verifier. Sorry. The successor after the rebrand, is called myID [0], and advertised as:
> myID is a secure way to prove who you are online.
---
> I'm not really sure what you're driving at.
Clearly. You seem to think that because it might one day be done correctly, by one group, the rest of the world is safe. However, over in this reality, we have fuck ups by governments and private corporations, who are the people the rest of the world actually deals with.
You cannot enforce these real groups, to actually follow good practices. Thus, in practice, everyone gets fucked when you bring in these laws. Because it will always be done the wrong way, by someone.
> The successor after the rebrand, is called myID [0], and advertised as:
It's an identity scheme and SSO solution for accessing government services. As said at [0] in the "What is myID" section.
I sincerely hope that they're using something standard and well tested like OIDC behind the scenes this time, because otherwise it's ripe for another fuckup like the one you linked. If it is also used for age verification that appears to be secondary.
> You cannot enforce these real groups, to actually follow good practices. Thus, in practice, everyone gets fucked when you bring in these laws. Because it will always be done the wrong way, by someone.
So we need to stop the Australian government from ever using an SSO/identity solution again because it can't be trusted to do it properly, having messed up in the past, and the rest of us have had to live with the consequences. And as they aren't the only ones to have messed up, companies do it all the time too, we should also ban all identity and SSO solutions (because that's what we're talking about in this thread, banning of age verification, not mandating it).
I don't think you get to call out age validation as a uniquely hard problem that cannot possibly be made safe, but allow other identity-style services a pass. There are many areas in which we (through the government) can and do mandate good practice, both by government and private entities.
You should probably stop pretending you know what myID is, and what it does.
Its a sovereign identity verification service. That is not limited to above PL2 verifications. There are age-only accredited entities in the registry.
Its one of the approved verification tools for the Online Safety Act 2021 . It was renamed as part of the passage of the law. You're just not forced to use it, for verification.
And yes, it does it poorly, and does not follow a standard. Its using Vanguard's PAS behind the scenes [1], with extras ServiceNow tacked on. Until they rearchitect the entire damn thing.
So... As I might have doxxed myself a little just now... No, uploading identity documents is never a safe process. Its a king's hoard in treasure before nations that never sleep.
Name a provider, and there will be a breach, and it will continue to affect the victims most of their lives.
> No, uploading identity documents is never a safe process.
You should probably stop pretending you understand verifiable credentials then.
Because if you did, you'd understand that they don't need to involve uploading identity documents anywhere.
The idea is to defer to service providers such as banks that have already performed such verification, often physically. And if you want to argue that banks should stop verifying who people are when they open accounts... well that's going to be an interesting conversation.
Without doxxing myself too much, I'm going to say that I know intimately the details of a project within Australia to build a standards-based non-government VC system that won't touch a single piece of ID at any stage, as an additional capability on a commercial identity system that's already active and in use.
KYC rules require the banks collect those, and keep them on an online portal. This information is held by the ABA - hence why they were falsely accused because of the infostealer breach last year.
I have absolutely not said banks should stop collecting ID. Collecting it in person is a fantastic idea. Holding it on an isolated network is difficult, but a good compromise, and banks are better suited to doing that than most.
Uploading it to a S3 bucket in Sydney, as the ABA do, is a moronic decision. That myID upload it to a Azure Blob in Sydney, is worse than I feel the need to explain.
If you think you can succeed, where literally no one else in the world has, good luck to you. But I expect the same result as Forticode.
I believe that nobody's ID will be at risk of leaking, because it will never be handled in the first place, nor will it be accessed. So that's already better than most of the schemes people are upset about.
> But I expect the same result as Forticode.
What happened there? I can't find a lot of reference to it on the net other than "we make amazing security products" and then "entering liquidation", so clearly a lot went wrong!
It's always possible for people to make mistakes and do things badly, but I don't see "age verification" as some special case in the identity landscape that presents unique challenges. And the system is already in use without major issue (touch wood). Verifiable Credentials will be an addition to the platform at some point.
In the context of "Age verification should be banned" though, we're already talking about legislative intervention. If there's no particular problem with schemes that are like that then we don't necessarily need a blanket ban on age verification.
Perhaps what we're really saying is "Ban age verification that collects lots of personal information".
Or perhaps we could distil it down further to "Ban unnecessary collection and storage of PII". In which case, Congrats! You've arrived back at the GDPR :)
Which I think is a good thing, and should be strengthened further.
(Also the other response to "because most implementations are not going to be like that" is "why not?". People are already building such ecosystems.)
> If there's no particular problem with schemes that are like that then we don't necessarily need a blanket ban on age verification.
There is a problem with schemes like that.
The way computer security works is, attacks always get better, they never get worse. A scheme that nobody has found any privacy holes in when it's enacted will have one found a week after.
The way governments work is, the compromise bill passes if the people who care about privacy support it because then it has the votes of the people who care about privacy and the people who want to ID everyone. But then when the vulnerability is found, the people who care about privacy can't get it fixed because they can't pass a new bill without also having the votes of the people who want to ID everyone, and those people already have what they want. More specifically, many of them then have what they really want, which is to invade everyone's privacy, as they were hoping to do once the vulnerability was found.
Which means you need it to be perfect the first time or it's already ossified and can't be fixed. But the chances of that happening in practice are zero, which means it needs to not happen at all.
/goes on to discuss how government legislation of specific schemes is the issue, not the schemes themselves.
Then we don't legislate specific schemes? The GDPR doesn't do that, for instance, it spells out responsibilities and penalties but doesn't say "Though shalt use this specific algorithm".
Remember, this discussion started with a call to ban all age checks, which itself is a government action and restriction on the agency of private business.
There are ways that private entities can implement age checks both securely and without leaking much other information, so it seems very heavy-handed to ban them. Private entities are building such systems between themselves already, without government mandates on the specifics.
Except that you have to in this case because IDs are issued by the government and then it's the government having to provide some privacy-protecting means of using them, which is the thing they're incapable of in practice.
> There are ways that private entities can implement age checks both securely and without leaking much other information
I have yet to see a single one implemented in real life. People point to attempts and then you look at the implementation and it's full of dubious choices and unforced errors, before you even start looking for bugs.
Moreover, private entities have the perverse incentive to do the opposite of implementing it securely, because they find it profitable to track people, or find it unprofitable to spend the resources necessary to prevent themselves from being infiltrated by foreign governments when their business is the sort which is useful to them as these are.
> it's the government having to provide some privacy-protecting means of using them
Nope, not necessarily.
> I have yet to see a single one implemented in real life.
There are likely to be a lot more coming as the newer standards in this area were finalised last year. Online identity is a continually evolving space.
> Moreover, private entities have the perverse incentive to do the opposite of implementing it securely, because they find it profitable to track people
Some do in some circumstances, but far from all. Others (often financial institutions) have wised up to PII being a liability rather than an opportunity and some are working on frameworks and capabilites in this space that don't involve any more storage or transfer of anyone's ID than already happens in banks.
Necessarily, in fact, for any system that uses a government ID, because that requires there to be some interface between the government ID and a private bureaucracy that the holder of the ID would be pressured into interacting with. If that interface allows the private party to e.g. learn who you are, instead of just your age, it's only the government that could replace it with one that didn't.
> There are likely to be a lot more coming as the newer standards in this area were finalised last year. Online identity is a continually evolving space.
Evolution is supposed to cause bad ideas to die. The problem with laws, such as the ones surrounding government identity documents, is that they regularly require bad ideas to live. Which is why the use of government ID should be minimized.
> Some do in some circumstances, but far from all.
They all have that incentive, because it leads to money, and money is an incentive.
It's possible to turn someone down who is offering you money, but we're dealing with large scale systems here, and then the incentives determine the averages.
> Others (often financial institutions) have wised up to PII being a liability rather than an opportunity and some are working on frameworks and capabilites in this space that don't involve any more storage or transfer of anyone's ID than already happens in banks.
We really need to get it to stop happening in banks. The fact that every single thing you buy using a digital payment method is tied to your government ID is a preposterously dangerous status quo to leave unchallenged.
The difference is that IRL establishments don't sell off that data to anyone else, nor do they have the ability to collate that data with data from other establishments to make a profile of you.
If you think the nightclub that scans your driver's license magstripe isn't selling your data off, when they could be making money off of it? Between PatronScan,Intellicheck, Scantek, and TokenWorks, yeah a dingy bar where it's a dude visually checking isn't it, but a nightclub and quick swipe totally is.
Slippery slope can be argumental if you provide the actual argumental reasoning for it as I was thought it could be used as deductive argumentation (though that does not say much). On itself it is a fallacy.
I don't see how verifiable credentials with zero knowledge proofs provide that however.
The Party doesn't care about the Proles, only the members of the Outer Party.
I think that it's rather funny that people like to appeal to 1984 as if the only point of Mr. Orwell was that surveillance is bad, missing the entire point about stuff like the control of the language or the idea that the only self-justification of the (Inner) Party is power for the sake of power (see also: The Theory and Practice of Oligarchical Collectivism).
I'd even go as far as to say that if "telescreens are horrible" is the only thing that someone takes away from 1984, they've frankly missed the point.
The problem with this discussion is that this is a wonk solution for wonkish times. You're trying to thread the needle between various reasonable compromises. Ironically due to social media, that is simply not how politics and lawmaking works any more. Instead it's an emotionally driven fight between various different sorts of moral panic, and the only option is to get people more mad about surveillance than "think of the children".
You might be able to get somewhere by getting a tech company on your side, but they generally also hate adult content and don't mind banning it entirely.
(people are not going to get age verification _banned_ any time soon! That's simply not going to happen!)
> You might be able to get somewhere by getting a tech company on your side
There are quite a few already looking at this, some in the context of providing secure verification services for the existing and upcoming social media bans etc.
Unfortunately I agree with you on the rest - facts and pragmatism have fallen by the wayside compared to feels and shouting.
Why?
> They already got so much data on their users
There are a variety of ways (see "Verifiable Credentials") that ages can be verified without handing over any data other than "Is old enough" to social media services.