Can't we just do this age verification locally on-device? Just some WASM to run a small AI model, which scans face+ID.
I know it'll be easier to bypass, but that does not matter. We're trying to stop children, not adults with technical skill.
Can't we just do this age verification locally on-device? Just some WASM to run a small AI model, which scans face+ID.
I know it'll be easier to bypass, but that does not matter. We're trying to stop children, not adults with technical skill.
Don't forget teenagers can be extremely skilled technically. Plus they have a lot of time!
But you're on the right track.
I think of a solution like:
1. Browser does one-time age verification through 3rd party service, without disclosing any details about which sites you'll access.
2. Browser stores your age, signed by that service.
3. When a site requests it the browser passes that signed age over. The site simply has to check if it has a valid signature by a trusted authority's public key.
The browser could even use Palantir in this example - but they would never get any data about what users are accessing.
It'd be best to create a standard for this using wallet apps. You can obtain an age certificate from any trusted provider (decentralized chain-of-trust similar to TLS CAs), which you can then load into any wallet app of your choice on any OS, and use it with any online service which supports the standard. This should use anonymous, unlinkable(!) proofs, with the only certified data being `is_over_age`.
Though I'd prefer the way proposed by Mark Camilleri Gambin (EU politician). Have parents enable Child Mode during device setup, then expose `isMinor = true` to all websites and apps, require a parental control PIN to disable. This is a much better and cleaner solution. Requiring age verification of all adults gets it backwards.
Wouldn't the age verification provider then be able to retain logs of what exact credentials it signed and for whom? And if the certificates are identical for every user, couldn't everyone change the presented certificate for the universal correct one?
Second one is a lot more sensible.
Ummm, i don't think teenagers on average can be extremely skilled.
Unless you think of some extreme outliers. Most of these I met can't READ and follow the step by step procedure.
It's not about age verification but control and digital id.
Doesn't everyone have a digital ID already?
My passport has biometrics, the government knows everything about me already through the tax system which is "digital". All my other interactions with the government are through digital services.
What exactly would a digital ID allow a government to do that it can't already? Apart from solve all the issues with having to provide scans of (my already digital) ID documents to every bank/solicitor/mortgage broker/estate agent/etc i interact with, where in many my personal ID documents probably sit on a company file share or some random persons One Drive.
A government digital ID with a one-time code to complete verification would solve all of this nonsense.
On control, again, what possible super power would a "digital ID" give a government that it doesn’t have already to control you?
Digital ID to interact with government services is great. It becomes a problem when they add something like OpenID4VC to it, with the intention of linking it to all your online activity for "age verification". This would create one giant government metadata silo on every individual's online activity.
Like the real world there a services online that need age verification, unless we want kids to continue to be exploited by social media and freely access porn.
We aren't living with the internet of the 90's any more, it's now owned by corporations and bad actors. Yes, i know it's impossible to stop those that are determined to circumvent restrictions (just as can happen with alcohol or movies) but clear restrictions give parents that want to do the right thing cover when setting rules in their own family.
In the end society raises children not just individual parents, and society need to take some responsibility too.
Personally i don't see how an API call to complete a government ID verification could be used to create a giant "metadata silo", unless the companies using the API are voluntarily sending more data than some sort of one-time challenge token. If the companies are coerced into feeding the government with your account activity history, what is stopping the government forcing that to happen now without bothering to draw attention via a digital ID?
I'm not sure where you live but a lot of countries don't have this (yet) or it is optional.
Restricting content you access, or using that to shape what is offered to you on the internet.
Debank you for wrong speak or think, leaving you with no alternatives. The more cuntries implement digital id, the more they'll sync with each other, making life more and more miserable for anyone who doesn't want to go along with whatever nonsense is currently being pushed as the new thing.
They are not trying to stop children, they are tying to vet verify and collect information on anyone adult or kid.
The browser could also emit the age, which sites could check to block, and parents could manage via parental controls.
But that's no fun: can't assure control of the children (bad), monetization (even worse) not share with government (the worst, given the current administration).
True, and that'd be the best method by far. A European politician recently proposed this.[0] The issue is that a single service can't just implement this. If I'm a service and I need age verification, I need something that I can implement by myself.
[0] https://democrats.eu/en/protecting-minors-online-without-vio...
> The issue is that a single service can't just implement this. If I'm a service and I need age verification, I need something that I can implement by myself.
I don't understand. A simple if age<18 check is quite a lot easier to implement than doing age verification yourself, or even shopping it out to some other "partner".
It'd be even simpler. If a device is in Child Mode (which would be activated by parents during setup, and require a separate PIN to disable), it'd respond with status.isMinor = true. Or even simpler, make it a HTTP header.
What I meant is that it doesn't exist yet. It'd require operating systems, apps, browsers, etc, to all implement this system before a company like Discord can actually use it.
Eh, you're trying to boil the ocean. This functionality built into the browser would cover 99.9% of the use cases. Applications can be monitored separately, and I'm at a loss for why my OS needs to know about my age.
None of this matters anyway. If a 15yo boy wants to see boobs on the internet he's gonna find a way. There's so many ways to muck with the connection. Not to say these age verification checks work either; the recent usage of the Death Stranding character's face to bypass the checks is evidence of that.
Even better, the site could just tell the browser that there's age-sensitive content and the browser could check it. There are already standards for this!
The problem is, it doesn't give a legally-enforced monopoly to any rent seeking data brokers, and it doesn't act as a foot in the door for requiring government-ID attribution of all internet activity everywhere.
k-id, owned by epic games, which is one of the age verification companies used by discord, already does something like what you proposed. of course, our favourite infosec twitter zoomers already dissected it. https://github.com/xyzeva/k-id-age-verifier
It's even easier to just not do it at all
The problem that then you need hardware attestation and of course they will exclude linux, because why not.
children have access to 4chan and ChatGPT. hacking the macOS kernel driver to disable the LED that says the camera is on should be out of the technical realm of children, but, well, it happened and was abused by children against other children.
Source? I thought the LED was hardwired to the camera power.
They are now.
https://www.usenix.org/system/files/conference/usenixsecurit...
Shows that it was certainly possible, so the question is: do you believe in the power of 4chan?
Is a face scan accurate enough to do that with 100% accuracy?
Face scan is a total dice roll full of bias, whatever you do. With or without ML.
Even a face scan is a hard no for me. I have no desire to make it easy for companies to start linking me (the person) to anywhere else, directly via my face metadata.
Especially if it lands in hands of Thiel. He's selling his services to governments, law enforcement and abusers like ICE.