How will they achieve that without introducing a requirement to identify yourself on every online platform, which some would say is probably the whole reason for introducing something promoted as being "for the children"™?

With digital ID. They are releasing it in a couple of months.

https://digst.dk/it-loesninger/den-digitale-identitetstegneb...

I look forward to being able to buy your porn surfing habits on the darkweb in a few years.

The ID card allows age verification without disclosing the identity to the service which needs the age verified.

You don't think that the digital ID provider is keeping logs of which sites requested to verify which users? Even government websites are not exactly known for their high security.

The digital ID provider is only involved in issuing the ID to you. When you use that ID to verify age to a site the only communication is between your phone and the site. The ID provider has no idea when you use the ID, how often you use the ID, or where you use the ID.

Briefly, when the ID provider issues the ID it gets cryptographically bound to your phone. When you use the ID to prove something to a site (age, citizenship, etc.) this is done by using a zero-knowledge proof based protocol that allows your phone to prove to the site (1) that you have an ID issued by your ID provider, (2) that ID is bound to your phone, (3) the phone is unlocked, and (4) the thing you are claiming (age, citizenship, etc.) matches what the ID says. This protocol does not convey any other information from or about your ID to the site.
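The checks a site performs in the flow described above, as an added example (not part of the thread, and not code from any wallet app or from longfellow-zk). It substitutes plain toy Schnorr signatures for the zero-knowledge proof, so unlike the real protocol it shows the site a static device key and issuer signature, which would be linkable across sites; all names and parameters are hypothetical.

```python
import hashlib, secrets

# Toy Schnorr signatures: constructed demo parameters, far too small for real use.
P, G = 2**127 - 1, 3

def _h(*parts):
    data = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (P - 1)

def keygen():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def sign(x, msg):
    k = secrets.randbelow(P - 2) + 1
    r = pow(G, k, P)
    return r, (k + _h(r, msg) * x) % (P - 1)

def verify(y, msg, sig):
    r, s = sig
    return pow(G, s, P) == r * pow(y, _h(r, msg), P) % P

def issue(issuer_sk, device_pk, claim):
    # Issuance is the only step that involves the ID provider.
    return {"claim": claim, "device_pk": device_pk,
            "issuer_sig": sign(issuer_sk, f"{claim}|{device_pk}")}

def present(cred, device_sk, site, nonce):
    # The phone signs the site's fresh nonce with its device-bound key.
    return {**cred, "proof": sign(device_sk, f"{site}|{nonce}")}

def site_verify(issuer_pk, pres, site, nonce, wanted="age_over_18"):
    bound = f"{pres['claim']}|{pres['device_pk']}"
    return (pres["claim"] == wanted
            and verify(issuer_pk, bound, pres["issuer_sig"])
            and verify(pres["device_pk"], f"{site}|{nonce}", pres["proof"]))

def demo():
    (issuer_sk, issuer_pk), (phone_sk, phone_pk) = keygen(), keygen()
    other_sk, other_pk = keygen()  # a key the issuer never certified
    site, nonce = "site-a.example", secrets.token_hex(8)
    cred = issue(issuer_sk, phone_pk, "age_over_18")
    genuine = present(cred, phone_sk, site, nonce)
    self_made = present(issue(other_sk, other_pk, "age_over_18"), other_sk, site, nonce)
    copied = present(cred, other_sk, site, nonce)  # credential without its device key
    return {"genuine": site_verify(issuer_pk, genuine, site, nonce),
            "self_made": site_verify(issuer_pk, self_made, site, nonce),
            "copied": site_verify(issuer_pk, copied, site, nonce),
            "replayed": site_verify(issuer_pk, genuine, site, secrets.token_hex(8))}
```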

This doesn't work because you can't prove the origin of a single bit of data without the associated identity and the origin of the data can only be verified by matching the biometric image on the ID against your real face with a camera.

Otherwise a single person could donate their ID card and let everyone else authenticate with it.

Now you might counter and say it would be enough to give each card a sequential number independent of the person's identity, but then you run into another problem. Each service might accept each card only once, but there are many services out there, so having a few thousand donations could be enough to cover exactly the niche sites that you don't want kids to see.

There is no way to implement this without a complete authoritarian lockdown of everything. There will always be people slipping past the cracks. This means all this will ever amount to is harm reduction, but nobody is selling it on that platform. Nobody is saying that they are okay with imperfect compromises.

Ah, so your phone is the trust point. That's better than it could have been, but it still leaves other issues, like sites with multiple domains or data brokers cross-identifying you based on phone and user information, e.g. 'this phone verified someone on porn site A. This same phone over on social media site B also verified, and on the social media site they have all their real-world info, so now we know their interests', etc.

And before anyone asserts that the phone can be anonymous, that doesn't work, otherwise you can just have an app that claims to have a verified ID attached.

*everyone's

The difference is meaningful. It's mostly prisoner's dilemma. If only one person's porn habit is available, that's bad for them. If everyone's (legal) porn habits are available, then it gets normalized.

Normalized or not, the risk is you get something akin to US drug enforcement: ignored for certain demographics, enforced for others. The ability to see someone's porn history is irrelevant until a government (or employer perhaps) wants to weaponize it.

The problem isn't my peers, it's the people in power and how many of them lack any scruples.

Drugs are not legal; porn is.

this seems to run parallel to the "i have nothing to hide" / "well they have everyone's data, so who cares about mine" arguments.

this is too narrow a view on the issue. the problem isn't that a colleague, acquaintance, neighbor, or government employee is going to snoop through your data. the problem is that once any government has everyone's data, they will feed it to PRISM-esque systems and use it to accurately model the population, granting the power to predict and shape future events.

Predict and shape future porn events?

I don't know, this is a bad take. There is good technology to deal with that problem.

https://github.com/google/longfellow-zk

https://news.ycombinator.com/item?id=44457390

Would social networks accepting Danish users have to implement the other end of that, or will they also be allowed to use less privacy-oriented age verification solutions (e.g. requesting a photocopy of the user's ID)?

It seems to me like it's either a privacy disaster waiting to happen (if not required) or everyone but the biggest players throwing out a lot of bathwater with very little baby by simply not accepting Danish users (if required).

The wording on the page also makes it sound like their threat model doesn't include themselves as a potential threat actor. I absolutely wouldn't want to reveal my complete identity to just anyone requesting it, which the digital ID solution seems to have covered, but I also don't want the issuer of the age attestation to know anything about my browsing habits, which the description doesn't address.

> everyone but the biggest players throwing out a lot of bathwater with very little baby by simply not accepting Danish users (if required).

The biggest players in social media are precisely the ones that this law is targeting.

No one in charge of implementing this law is going to care whether some Mastodon server implements a special auth solution for Danish users or not, they are going to care that Facebook, TikTok, Instagram, etc. do so.

> No one in charge of implementing this law is going to care whether some Mastodon server implements a special auth solution for Danish users or not, they are going to care that Facebook, TikTok, Instagram, etc. do so.

And if that little Mastodon server ends up hosting some content that is embarrassing or offensive to the Danish authorities, laws like this will surely not be used to retaliate...

Arbitrarily and selectively enforced laws seem like an obviously bad thing to me. If the government can nail me for anything, even if they practically don't, I'll be very wary of offending or embarrassing the government.

Why do you think it's going to be arbitrary?

The law will obviously be framed in such a way as to hit the targets it is supposed to hit and avoid collateral damage. It's not like complete amateurs are writing our laws.

That it's going to be arbitrary is your own assessment. You said that "No one in charge of implementing this law is going to care whether some Mastodon server implements a special auth solution for Danish users or not, they are going to care that Facebook, TikTok, Instagram, etc. do so."

I responded by explaining why that wouldn't be a good thing.

Have you changed your mind on that point or are you simply not keeping track of your argument? Either way there can't be an honest discussion whether you have the memory of a goldfish or are deliberately ignoring what you've said.

I am talking about the purpose of the law and the way it is written. It's not hard to create a law that only targets the bigger services, just make it apply to entities with a daily user count above N. A law isn't a headline on Hacker News, it's a carefully written document.

> I am talking about the purpose of the law and the way it is written. It's not hard to create a law that only targets the bigger services, just make it apply to entities with a daily user count above N.

Why would they, though, if "no one in charge of implementing this law is going to care whether some Mastodon server implements a special auth solution for Danish users or not"? The EU CSAR proposal (which Denmark seem very much on board with) doesn't make such exceptions, so why should this law?

> A law isn't a headline on Hacker News, it's a carefully written document.

This is a non sequitur, and also pure speculation.

this scenario can be addressed without digital ID

the social media platforms already measure more than enough signals to understand a user's likely age. they could be required by law to do something about it

I would rather outlaw tracking of minors (and adults, too, btw).

It would be a lot simpler to only sell standard devices to adults. Kids should be using devices with curated access to specific tools and platforms meant for children.

In the US they'd just make the platforms massively liable and let them worry about how to enforce. No idea what they'll do in another country.

we get to see how it works in australia next month. there's already stories of kids putting on fake mustaches to fool age-of-face recognition, which is one of the methods used.

i think it'll get to: "these methods aren't good enough, we'll have to enforce digital id".

Do they make parents liable or no? I'm somewhat curious about that as an option.

the EU is working on a system for age verification that won't identify you to the platform. The details are of course complicated, but you can imagine an OpenID-like system run by the government that only exposes if you're old enough for Y.

The platform asks your government if you're old enough. You identify yourself to your government. Your government responds to the question with a single Boolean.

Our German national ID supports just verifying that you are over age X, with no other info given.

But why would you give your id?

You don't need to, that's the thing. The site requests "are you over 18" and you use your ID to prove it without them getting any other information from it. Requires a phone with NFC, but the app is open source.

And the reference implementation requires google play integrity attestation so you are forced to use a google approved device with google approved firmware and a google account to download the application in order to participate. Once this becomes implemented, you are no longer a citizen of the EU but a citizen of Google or Apple and a customer of the EU:

Quick google (on my phone, so not certain) says it works with microg as of August

Yeah, sorry I mixed up the old German Ausweisapp and the euID Reference App

How does the site verify that the ID being used for verification is the ID of the person that is actually using the account? How does the site verify that a valid ID was used at all?

If the app is open source, what stops someone from modifying it to always claim the user is over 18 without an ID?

Not that I understand it, but AFAIK that's cryptography doing its thing.

And using someone else's ID and password is the same as every method of auth.

hopefully the protocol is open source too. I'd hate to find that it just works on iOS and Google certified Android.

I think that ends up being a more difficult problem than just open source. There will have to be some cryptography at play to make sure the age verification information is actually attested by your government.

It would be possible for them to provide an open-source app, but design the cryptography in such a way that you couldn't deploy it anyway. That would make it rather pointless.

I too hope they design that into the system, which the Danish authorities unfortunately don't have a good track record of doing.

Should all be open, but I don't know for sure. Works with ungoogled Android unless something changed.

https://github.com/Governikus/AusweisApp

That's very cool and good to hear. Thanks for sharing!

It needs to be scaled to the EU level.

*Only for Google Android and Apple iOS users. Everyone else who doesn't want to be a customer of these two, including GrapheneOS and LineageOS users, will have to upload scans of identity papers to each service, like the UK clusterfuck.

Source: I wrote Digitaliseringsstyrelsen in Denmark where this solution will be implemented next year as a pilot, and they confirm that the truly anonymous solution will not be offered on other platforms.

Digitaliseringsstyrelsen and the EU are truly, utterly fucking us all over by locking us in to the trusted competing platforms offered by the current American duopoly on the smartphone market.

This sounds like a temporary issue.

> This sounds like a temporary issue.

There is nothing more permanent than a temporary solution.

There is nothing less permanent than software. Permanent solutions in software last 5 years.

Why? It's not because a hardware token based solution that will work on desktops is technically impossible, but they literally wrote me that they have no plans to investigate the possibility of offering that. This is officially the plan for the permanent solution.

Permanence in software is measured in half decades.

This is an acceptable solution only if the government doesn't know which platform you are trying to access either.

Given all the information companies have about users on social media, do you really believe they can't guess the real age?

Some people: these online companies have too much information about us! They know everything about us!! Where's muh privacy??

Same people now: how will the poor company know that it's an underage user?? Oh noes!

Child abuse is already illegal, the law needs to be expanded to cover these new forms of harm to children. It seems reasonable that I am held criminally accountable if I expose my child to harmful Internet content like social media.