Government builds a website where you can log in using any government issued ID or using one of the many many many available services that hold your details already(at least in the UK nearly everyone will have a DLVA account, HMRC account, HMPO account, NHS account.....all of these are government services which we can only assume hold our data securely already).
On that website, you can click "give me a verification code", it gives you a code that is single use and only valid 24 hours. You type that into whatever 18+ website you need to, they use a public API provided by the government to just check "yes this is a valid code and the user is 18" - bang, done, verified. The website knows nothing about you at all, except for the fact that you're 18.
In fact, the UK government ALREADY HAS THIS. For the EU settlement scheme, you can give your employeer(or anyone else who needs it) a special magic code that they type in on the government website, and it just says "yet his person has the right to reside in the UK" without spilling any of your personal information at all. The code is single use and valid a limited amount of time. And you can do the same with your driving licence, where anyone can verify you hold a valid licence without actually seeing it or any details on it.
Like, am I being stupid here? It seems like an almost trivial solution to the problem, especially given that it already exists for at least 2 services named above.
And yes, I know people will say "oh but that requires the government having this data on you, and that's bad" or "but then the government will know you've authenticated with pornhub!".
And yes, both of these are true - but on point 1 - like, I'd love some ideal situation where the government can simultaniously give me a passport or a driving licence AND not have any information about me at the same time, but that ain't happening, and on point 2 - yes, but that's still infinitely preferable to the current implementation, and it can be easily solved with legislation saying that the code authentication service doesn't log who requested verification, it just answers with yes/no and that's it.
Every time I search something, I open a fresh private tab and google it. If I want to turn safe-search off, I'd have to go through this code verification flow for every single search. Aside from just being annoying, they'd have to implement strict rate limiting to prevent automated code sharing, so I'd soon end up waiting for a rate limit to expire before I can search anything.
And "the government will know you've authenticated with pornhub" is extremely harmful, in my opinion.
Sadly we got to this place because there are other harms that are occurring and those are forcing this conversation.
The "other harms" are made up fearmongering by rightwing cowards and incompetent parents.
Hah. I wish.
I have personally had to remove NCII for teens and young adults. Grooming is a thing, self harm communities are a thing, as is sextortion.All of it at internet scale.
And this ignores the parts where the platforms released features they knew from their own tests, were harmful to teens.
It is convenient to dismiss them, because it makes it easier to hold positions that depend on them being minor harms.
This means giving the government complete insight into your internet browsing. All they need to do is store a database table of handed out keys to ids.
This is unacceptable tyranny on its face.
>>This means giving the government complete insight into your internet browsing.
...how? All they know is you've authenticated with service X. And like I said, we can make legislation to say they are not allowed to keep the record of who authenticated.
Besides, let's not let perfect be the enemy of the good - in the UK all ISPs are required to keep a full year of your browsing history, and 17 government agencies can access this data(including DEFRA - the agriculture agency lol). So like....the "the government will have a full history of your browsing" is a ship that sailed a few years ago. Obviously I don't agree with it, and I think we should be on the streets of London and protesting this, but here we are as a country.
So like yeah, I get your point. But UK is particularily fucked on this point, let's not make it even more fucked with the way things currently are, the authentication can and should be done better.
Why does the government need to know what pages you visit? It could just encode a string representing the date and 'above 18' and sign it with its private key. PH then just needs to verify it using the public key.
Even better solution then.
>>Why does the government need to know what pages you visit?
In the UK the government already knows, but that's beside the point. It's another bad law that should have been fought against much more than it was.
The codes can trivially be shared in this case
...and? Just like a child can "trivially" ask an adult to buy them a beer.
Who are these adults giving children their verification codes for adult websites?
Asking adults for beer doesn't scale, code sharing can. If you want to crack down on code sharing, you'd have to start surveilling who is signing up to what.
> If you want to crack down on code sharing, you'd have to start surveilling who is signing up to what.
Why? One code for one user account per site. If you're paranoid about privacy rotate codes and accounts weekly. As long as you can purchase the codes with cash in IRL stores the privacy impact is minimal.
So this solution is fine for proving your immigration status, getting employment or renting a house, but it's not good enough for browsing porn(to be a tiny bit flippant)?
>>If you want to crack down on code sharing
Right now, all the kid has to do is grab their parents passport while they are not home or asleep, scan it on their phone and they are in. It takes 30 seconds.
With the codes they would either need to convince their parents to generate a code for them, or find someone online who will - which of these solutions seems less prone to abuse to you?
Again, let's not let perfect be the enemy of the good.