The article talks about the possibilities of malicious cloning of these tokens by third parties, but fails to identify the much more common use case, and one that makes this scheme useless for age verification.
It's one thing to be concerned about someone stealing my credential, but another to prevent the transfer of these credentials, especially if they are limited use credentials.
The entire point of age verification systems is to prevent minors from accessing certain resources. I think we all know that this is basically impossible; but what these various governments and social media companies want to do is to make it high friction to do so.
The highest friction version of this is that the credential ties to a real world identity somehow; maybe locked behind legal barriers, etc., but if a minor is caught using someone's credential, then the person whose credential they are using can be investigated, and, if necessary, charged with a crime roughly equivalent to providing alcohol to a minor. Without the possibility of real world enforcement, none of these identity solutions can possibly work.
Keep dreaming of a technological solution -- there is none that does not lead to the world that FIRE is warning about, except to accept that we can only make a solution "good enough" and leave it at that, without expanding into full on identity verification. The solution here is likely to just try to provide better abilities for parents to monitor and limit their children's use of the internet. Let individual parents decide on the level of harm that they are willing to accept, and accept that there will be ways to work around this even if parents are vigilant, but just try to reduce it on the margins.
Yes, this is the part of the issue that is so frequently ignored: Anonymous age verification schemes are easily defeated through proxying because there wouldn't be any consequences for selling your tokens. "Install this app on your phone and we'll pay you $1 per day" and it will mint your anonymous identity tokens and send them off to kids who want to buy them. If there's no way to track the tokens, there is no possibility of negative consequences.
So the schemes always start introducing features to reduce the anonymity of the tokens or make them more trackable in some way:
> The highest friction version of this is that the credential ties to a real world identity somehow; maybe locked behind legal barriers, etc., but if a minor is caught using someone's credential, then the person whose credential they are using can be investigated, and, if necessary, charged with a crime
Which requires that these identity tokens not be anonymous age-verification credentials. They become a traceable identity token tied to your government-issued ID.
> They become a traceable identity token
Not if you use a challenge-response protocol where the client returns a zero-knowledge proof of age, where the proof incorporates a random string sent by the website.
The traceable stuff is private information that the website never sees. If a minor is caught with it, then law enforcement has local access to the minor's hardware and can probably view the private data.
At that point, the private key can be put on a public revocation list. The zero-knowledge proof can include a proof that you're not on the revocation list. Once you've been revoked, you have to go through the hassle of setting this all up again, which might be enough incentive to keep it reasonably secure.
This doesn’t stop the scheme the parent proposes, where adults install some proxy on their device and challenges are responded to on the parent device. Then the private key never leaves the parent device and all the child device has is the proxy software, which could be set up to not log any identifier of the key that it used
I agree, but this is also clearly an increased barrier. Going back to OP's comment that perfection is impossible, the goal is to raise the bar, I would say that this is more than good enough.
> but this is also clearly an increased barrier.
If there's a simple piece of software that can be installed, it's not meaningfully increasing the barrier. Also, there are negative consequences to introducing "rules that you're expected to break" like this. It makes the law unserious.
If it costs money that is definitely a barrier for a child. And apps can be as well, as a parent it's easier to control what apps are installed than webpages visited.
Advertisers. Naturally someone who feels excluded or unable to compete on cleaner markets will offer the portal for people who don't have a regular id and if the ads on those portals do best if they are for toys then those are the ads they will sell.
Sure, but the comment I am responding to is arguing that there is a way around pressures towards a traceable token, so you can prosecute the person sharing their credentials. This is not the case.
Sure, but then you're partnering with someone you probably don't know to take payment for doing something illegal, and that partner knows your device and where to send the money.
And if it's a phone app, it's not going to be on app stores and you already know the person giving you the app is a criminal.
So you're installing an untrustworthy app to risk criminal charges, and the customers of this scheme are kids who mostly don't have a lot of money.
You’re missing the point. If the tokens are truly anonymous then none of this matters. There’s no way to discover or prove where the tokens came from. It could be someone in another country with stolen IDs, which are now a goldmine for minting tokens and selling on the internet.
So the schemes inherently add some traceability, which makes the tokens no longer actually anonymous.
This is the back door used to make the tokens double as ID tokens.
I'm not missing the point, and if you'll think about my scheme for a bit you'll see that anonymity is maintained in normal circumstances even though there's incentive to protect your credentials. Let's go through scenarios:
1) You give a teenager your full credentials. Teenager is careless, as teenagers often are, and posts something revealing who he is. Cops have option to search teenager's phone, see who you are, and at least revoke the credentials.
2) You install a relay app on your phone, for money. Now you've installed an untrustworthy app from a criminal, who might hack you, or might be arrested and reveal details of your device and where they're sending your money.
Neither scenario happens because the age verification is traceable.
3) Your credentials get stolen, and used in a foreign country to implement a relay scheme.
This one, I admit, my scheme can't do anything about. But this means our teenager has to pay a foreign entity. Teenagers can also pay foreign porn sites directly, if porn is our concern.
On top of that, the age verification systems we've seen so far have their own security holes that teenagers are exploiting without having to pay anything.
My personal view is that the whole thing is ridiculous and we shouldn't bother with any of this. My point is just that we can implement reasonably good age verification without eliminating anonymity on the internet.
Trusted computing fixes this up to the analog hole. Which is as much as you can expect.
Neuralink fixes the analog hole! Beam the ads directly to your cortex!
Trusted computing is the biggest threat to privacy and liberty of them all!
No, you can reliably attest public source builds of critical software for the ultimate in transparency. That even includes models running on GPUs. Combine that with blind tokens and you get trusted, anonymous identity verification.
What you also get is mobile devices that can't run unblessed code, make it impossible to remove legally-mandated spyware or backdoors, as well as websites that you can't use anonymously, even when you have very valid reasons to do so.
You also can’t build a house which violates building or electrical codes, or drive without a license. These are safety and security protocols and the digital realm now has them.
Mobile devices are secure and that’s why they’re not infected with malware, like any Windows machine. This is why Android is the host of 98% of all mobile malware and iPhone is not.
You have the freedom to make your own insecure devices which don’t have any trusted or secure elements. Go for it! Take your GNU and go wild.
That's just it - if remote attestation becomes commonplace, you can't make your own devices. No apps you need to live your life will work, no mainstream websites will let you visit them... Not to mention that once you get to hardware, "just build your own" logic simply stops working.
The internet has plenty of security elements. Devices use TLS to communicate, are encrypted by disk encryption, users' messages/calls/data are encrypted with various protocols... This is already in place.
Building codes and such are laws, the government didn't go and change the laws of physics to make it impossible to build something not up to code. They also don't limit the sale of materials and tools to only certified builders who they know will respect the code. You can still break the rules to some extent, or even follow them, just without external certification.
Remote attestation and related technologies change the laws of physics - not complying is simply not possible. You can't just make one little change and hope nobody bothers you about it, the system makes the change impossible, or it detects it and "burns the whole house down".
If your house isn't certified because you repaired a light fixture on your own, you can still invite friends over, you can receive mail and packages to it, you can get phone, internet and other utilities. If you want to change the color of the icons on your phone, or if you want to disable the pre-installed spyware, you're cut off from talking to your friends and family, from social networks, reading the news, you can't pay your taxes, can't get a bank account, can't get paid for your work or even apply for a job. That is the reality we're going towards.
The thing that changes isn't that your every action will be followed. That already happens. It's that you are powerless to avoid it. It's a technological lock to keep you obedient. There is no security element to it. We as an industry need to stop pretending like these are security technologies and start talking to more social sciences experts. Before it's too late...
The same way a lobotomy fixes a headache.
How so?
They are implying the use of trusted computing with proprietary software to ensure that only users on fully “trusted” (locked down) devices are allowed to access network resources.
Presumably, if you have a trusted application on a trusted device, the identifier was installed in a trusted way, the device is in trusted possession and the device won't be given to anyone else, trusted computing may be able, in certain cases, to make it more difficult for a remote minor to use the identifier.
> in certain cases, to make it more difficult for a remote minor to use the identifier
Just offer the user some money if he installs some "trusted" app for age verification token sharing.
> If a minor is caught with it, then law enforcement has local access to the minor's hardware and can probably view the private data.
And then what? You think the police are going to make a case out of getting a token blacklisted or start an investigation into the person who the token came from? Also confiscate their devices as part of the investigation? I guarantee that the token source will be someone in another state or another country or just a stolen ID being used to sell their tokens.
I can’t believe we’re getting to the point where we’re talking about sending the police to deal with cases where a minor is suspected of, what, accessing social media? To confiscate their device and do forensic analysis of the tokens on it?
Do you realize how insane this is getting? How does anyone think this is feasible, let alone a good idea?
I'm saying a system like this is preferable to attaching our real identities to everything we do online, as countries are attempting right now. We can verify age without losing privacy or anonymous speech.
It's still my preference to have no verification at all. On the internet, nobody should know you're a dog.
> I'm saying a system like this is preferable to attaching our real identities to everything we do online, as countries are attempting right now. We can verify age without losing privacy or anonymous speech.
The problem with your hypothetical was that you casually introduced the police as an enforcement mechanism for cases of a minor accessing an over-18 website. The implication is that the physical police are now involved in our access of websites, and you’re saying the tokens involved in us accessing websites will have some evidence that they can use in the investigation of that access.
This is why we keep saying that the anonymous token schemes don’t preserve privacy. It always turns into a slippery slope of adding escape hatches to the anonymity to enforce violations. The very implication that the police are going to be tasked with going out and confiscating devices to investigate suspected age token violations is an indicator of how far the window has shifted on Internet privacy.
I don't know how many times I can repeat that I agree with that.
"Here is a plan that is bad in an obvious way, but not near as bad as what the government actually plans to do."
"Omg you proposed something bad."
Aside from that, I was mainly interested in the narrow point that pervasive surveillance is not the only way to do age verification. If you don't insist on near perfection, then you don't need to bother sending police around. If you do insist on near perfection, then my plan is better than the universal surveillance plan.
> Not if you use a challenge-response protocol where the client returns a zero-knowledge proof of age, where the proof incorporates a random string sent by the website.
Obviously it does. These $1 per-day apps are 24/7 online and so challenges can simply be proxied just the same as tokens.
> ... law enforcement has local access to the minor's hardware ...
This is a large part of what people, in practice, want to prevent using this scheme.
> Once you've been revoked, you have to go through the hassle of setting this all up again, which might be enough incentive to keep it reasonably secure ...
States want to know who to punish when this happens. Which also details how this is defeated: you can't revoke the token, because that makes getting a conviction near-impossible and it exposes the states to counterclaims.
The people who install such forwarding apps don't have money for the court to charge, and they can't take away their identification apps (which these will be, obviously) because that's the cheapest way for states to communicate with them.
Unless you build this into the base layer of the internet (which European networks like Minitel did, by the way, with France Telecom graciously checking it for free. Free for the state, of course. YOU paid per packet).
> ... to keep it reasonably secure ...
Oh and "reasonably secure" won't cut it. Someone committed suicide after a message was posted, and they're "reasonably secure" who it came from? You see the problem, I hope.
Are you saying such proxying apps exist now? Can you link a source for me?
Regarding my scheme:
The only way law enforcement should have access is if they show up and get the phone in their possession, with a warrant. Which could happen any time some teenager posts something without realizing it identifies them.
If the teenager has your full credentials, that's when law enforcement sees who you are, and can take whatever action we deem appropriate. I would think just revocation if you might have been hacked, more severe if it's clear you shared on purpose. Revoking credentials doesn't interfere with the person using the app for other purposes, or with any prosecution, and criminal prosecution doesn't rely on the perp having money; quite the opposite in fact.
If you install a proxying app for the challenge-response, you're installing an untrustworthy app from a criminal to take payment for a criminal scheme, with risk of prosecution if that criminal gets caught.
Nothing in society is perfectly secure. There are all sorts of ways that we allow some crimes and tragedies to happen because we know that preventing them would be even worse. There are good reasons that courts have long protected privacy and anonymous speech, even though we could solve more crimes without those protections.
> The only way law enforcement should have access is if they show up and get the phone in their possession, with a warrant. Which could happen any time some teenager posts something without realizing it identifies them.
It’s beyond crazy that we’re actually talking about police showing up at someone’s house because they suspect a social media post came from an under-18.
This is one step away from your local government unmasking their Internet critics and sending police to their house by “suspecting” that they might actually be a minor.
> If the teenager has your full credentials, that's when law enforcement sees who you are, and can take whatever action we deem appropriate. I would think just revocation if you might have been hacked, more severe if it's clear you shared on purpose.
Why would you assume the person giving out the token is in the same jurisdiction? The tokens would almost certainly be coming from another country.
The police aren’t going to be tracking down teens, confiscating their phones, running forensic analyses, and then doing the work of getting tokens revoked through a possibly international process. They barely have enough time to show up and take a report when someone does minor physical property damage.
All this does is open up the process for targeted abuse when governments or police need an excuse to go after someone posting on social media.
> It’s beyond crazy that we’re actually talking about police showing up at someone’s house because they suspect a social media post came from an under-18.
As I've said repeatedly, I agree that this is beyond crazy. But at least it's a visible crazy.
What's even more crazy is that we're heading quickly into a world where we track everything that every person looks at and says online. This is a way worse outcome. But it has less immediately visible consequences so we're jumping in with both feet.
But ... you were arguing method X prevents this from "They become a traceable identity token". And what are you going to do with the anonymous tokens? You'll identify whose credentials they are ...
If you can identify physical hardware from a request or post, obviously it's not anonymous. In fact, if you can identify the owner of credentials from the credentials, they're not anonymous. Obviously in an actual anonymous system it is utterly impossible to do this, whoever you are.
So you've just proven your own argument wrong. Anonymous age verification online is impossible. You don't agree?
No, you don't look up the token. You check a zero-knowledge proof.
The way this works is, there's a function with both public and private inputs, and an output. You can send me public inputs, and I can pass those plus my private inputs into the function, and give you the function output, along with a proof that the output is correct given your inputs.
So in this case, the government has a public key, which it uses to sign your credentials, consisting of your birthdate and a unique identifier.
The website sends you a large random number.
The public inputs are the government public key, the random number, today's date, and maybe a revocation list of identifiers.
The private data is my unique identifier and birth date.
The function returns true if my calculated age > 18, the government's signature of my data is valid, my private identifier is not on the public revocation list, and (to avoid replays) that the hash of your random number is not zero.
I send you back the generated proof, which is just a 256-bit number. You can check that the proof is correct without looking anything up. The proof does not give you any way to reconstruct my private data. It is only associated with the random number you gave me, and the public data everyone knows.
To keep the revocation list from growing forever, we could also make credentials expire after some period of time. Add an issue date to the private data, and we can add an expiration check to the function. Client software can automatically get a new credential if the old one is valid, expiration is just to allow us to delete old identifiers from the revocation list.
A hole in the above scheme is that government could try redoing proofs for a given random number, using all the current identifiers. To prevent this, the user passes in another random number as private data, and the function checks that that doesn't hash to zero either. User can change that random number every time, its only function is to change the generated proof to something the government can't replicate.
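Added example, not part of any comment in this thread: the statement described above (signature, age, revocation, expiry, and the two random values), evaluated in the clear so each condition can be tested. It is not a zero-knowledge proof system; in the scheme as described this predicate would run inside the proof, and the website would learn only true or false. The function names, the toy RSA issuer key, the `>=` age threshold and the 365-day validity are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import date

# Toy textbook RSA issuer key built from two Mersenne primes. Constructed for
# this example and NOT secure; it stands in for whatever signature scheme the
# issuer would really use, which the thread does not specify.
P, Q = 2**127 - 1, 2**89 - 1
ISSUER_N, ISSUER_E = P * Q, 65537
ISSUER_D = pow(ISSUER_E, -1, (P - 1) * (Q - 1))  # issuer's private exponent


def digest(data: bytes) -> int:
    """SHA-256 of data as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


@dataclass(frozen=True)
class Credential:
    identifier: str   # unique identifier, private to the holder
    birthdate: date   # private
    issued: date      # private, used only for the expiry check
    signature: int    # issuer's signature over the three fields above


def signed_message(identifier: str, birthdate: date, issued: date) -> bytes:
    # The two fixed-width ISO dates come first so the encoding is unambiguous.
    return f"{birthdate.isoformat()}|{issued.isoformat()}|{identifier}".encode()


def issue(identifier: str, birthdate: date, issued: date) -> Credential:
    """Issuer side: sign the holder's data with the (toy) private key."""
    h = digest(signed_message(identifier, birthdate, issued)) % ISSUER_N
    return Credential(identifier, birthdate, issued, pow(h, ISSUER_D, ISSUER_N))


def age_on(birthdate: date, today: date) -> int:
    """Whole years completed; a birthday later this year does not count yet."""
    years = today.year - birthdate.year
    if (today.month, today.day) < (birthdate.month, birthdate.day):
        years -= 1
    return years


def failed_checks(site_nonce: bytes, today: date, revoked: set,
                  cred: Credential, blinding: bytes,
                  min_age: int = 18, validity_days: int = 365) -> list:
    """Names of the conditions that do not hold.

    Public inputs:  issuer key (module constants), site_nonce, today, revoked.
    Private inputs: cred, blinding (the holder's own fresh random value).
    """
    expected = digest(signed_message(cred.identifier, cred.birthdate,
                                     cred.issued)) % ISSUER_N
    checks = {
        "signature": pow(cred.signature, ISSUER_E, ISSUER_N) == expected,
        "age": age_on(cred.birthdate, today) >= min_age,
        "revocation": cred.identifier not in revoked,
        "expiry": 0 <= (today - cred.issued).days <= validity_days,
        # The hash checks are trivially true; they exist so that both random
        # values are inputs to the statement and therefore change the proof.
        "site_nonce": digest(site_nonce) != 0,
        "blinding": digest(blinding) != 0,
    }
    return [name for name, ok in checks.items() if not ok]


def statement_holds(site_nonce, today, revoked, cred, blinding) -> bool:
    """The single bit a verifier would learn from a valid proof."""
    return not failed_checks(site_nonce, today, revoked, cred, blinding)


if __name__ == "__main__":
    today = date(2026, 3, 1)                      # constructed sample data
    adult = issue("id-0001", date(2000, 5, 10), date(2026, 1, 1))
    minor = issue("id-0002", date(2008, 3, 2), date(2026, 1, 1))
    print(statement_holds(b"site-nonce", today, set(), adult, b"fresh"))
    print(failed_checks(b"site-nonce", today, set(), minor, b"fresh"))
    print(failed_checks(b"site-nonce", today, {"id-0001"}, adult, b"fresh"))
```
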
So now you drop the other demand. If someone is caught faking credentials, remotely, what do you do? Because if you don't identify whose credentials they are proxying (just send the random number to an actual adult's phone and return the "generated proof") will mean everyone bypasses the security.
Which means your effectiveness is nothing if you have actual anonymity, because you can't catch who proxies. So you have a critical problem one way ... AND the other way.
So as I've mentioned elsewhere, that depends on how much of a stickler we insist on being.
If we're ok with "mostly fix it but if a few teenagers get through it's not the end of the world," then there are a few simple measures that could help a lot:
- Keep an eye out for any credentials posted online, and put those on the revocation list.
- Keep expirations short (and auto-renew).
- Keep the credentials in phone secure enclaves and USB hardware "wallets."
- Consider including private information like name/dob/ssn or credit card number in the credentials, so users have good reason not to share. (We could consider making USB hardware optional if we do this.)
Given secure hardware it might be possible to prevent proxies entirely, the same way we prevent other MITM attacks.
Failing that, we could start by making it illegal to run proxies. Installing a proxy on your phone would mean getting an app from a criminal, not checked by an app store, and giving the criminal a way to pay you. I wouldn't expect this to happen much. Installing on a computer, using a VPN, taking payment via anonymous cryptocurrency, sure, if the VPN isn't compromised. But I wouldn't expect all that many people to do all this. Generating the proofs is a bit expensive so you wouldn't have huge capacity per person.
Criminals in foreign countries could do it with stolen credentials, and they'd only need one. But our teenagers would have to pay a foreign company for the service, and for porn at least they could just pay a foreign porn site directly. For phones, the teenager would have to install an app to use the proxy, which is another dodgy untrusted app (on android, and not possible at all on iphone), and it's easier for parents to check what apps are on the phone than to check what websites the kid visits. And social media gets less appealing if a lot of your friends aren't on it.
If we want to lock things down harder we could go with criminal penalties for intentionally sharing your credentials, which I do not support, but would still be better than pervasive surveillance of everything we do online.
Requiring everyone to have secure cryptographic hardware would in one sense be annoying, but less so if we use it for other things too.
> So as I've mentioned elsewhere, that depends on how much of a stickler we insist on being.
This is an argument about a crypto algorithm. If you somehow fix the mathematical problems I'll start checking how it behaves under ddos conditions and you best have a good answer. And I'm an amateur. With your attitude, I'd strongly advise against mailing the openbsd lists.
> Criminals in foreign countries could do it with stolen credentials, and they'd only need one. But our teenagers would have to pay a foreign company for the service, and ...
Indeed. You see the problem.
So now you're moving to making the system insecure (and obviously insecure). That was also not acceptable ...
You can have the system be:
* anonymous, but guaranteed to be insecure
* secure (or at least, as long as you get to use the police to go after "criminals"), but not anonymous
> If we want to lock things down harder we could go with criminal penalties for intentionally sharing your credentials, which I do not support, but would still be better than pervasive surveillance of everything we do online.
The only way to do this would be regular and surprise offline inspections of every device. Aside from being extremely impractical to do, it would also be much worse than online surveillance.
I'm not sure what my "attitude" is but I'm being pragmatic. This is not a binary situation, where it's either perfectly secure or useless. If our society is not willing to do what you and I prefer and leave things entirely open, then perhaps it's good enough to make things more difficult for teens to access, rather than accept pervasive surveillance to make it impossible. If people think it will improve society enough if most teens stay off certain sites, then we can do that and maintain anonymity.
I'll note that you skipped over my point that even with a "perfect" system, teens could still pay foreign porn sites etc directly. And that using a proxy would require installing an untrusted app on the phone, which would be relatively easy for parents to monitor and could be prevented entirely on iPhone. And that we can probably fix proxies with secure hardware anyway.
And no, the police idea that I do not support would not require surprise inspections. It just requires careless teenagers to occasionally reveal their identities online, with enough evidence to convince a judge to issue a warrant. It's dumb to make a federal case out of this, but not as dumb as losing all privacy and anonymity online. And, as I mentioned, this is not something actually required to make the idea workable.
I'm not going to keep repeating myself so I think I'm done here unless you have a point I haven't addressed in previous comments.
There is a way to prevent this (or at least slow it down), but that way requires device integrity protection.
With integrity protection, tokens can only be minted with a government app, driven by both biometrics and physical human hands touching the physical screen. There's no way to do it in the background. Without it, you can indeed have a single activist mint 10 billion tokens and give them out for free, defeating the entire scheme.
There's a CAP-style triangle here. You can have age assurance and anonymity but lose the ability to run your own software, have age assurance and device control but lose anonymity (via traditional ID checks, which don't require IP in theory), or have anonymity and device control but lose age assurance.
What you conveniently forgot to mention is this means the death of open general purpose computing. No more rooted devices, no more self built PCs. You go buy a government approved device and run the government approved OS preinstalled and the moment you deviate from the government approved happy path you are booted off the internet.
I didn't "conveniently forgot to mention" this. In fact, that was my entire point.
There is a tradeoff here. No matter which path we choose, we are going to lose one of the three legs of the triangle. We're currently losing age assurance, some members of society think that we're making the wrong tradeoff and that we should be making a different one, as is their right. Other members of society disagree, as is also their right.
I am intentionally not presenting an opinion on which tradeoff we should be choosing, I merely want to show that there is a tradeoff, and that whatever choice we make, that choice comes with consequences which we should be aware of and take seriously instead of dismissing entirely.
Well technically, you could still have open PCs, and just plug in a device like a USB hardware wallet.
Could you have a Trusted Platform Module tied to fingerprint reader, while the phone is rooted?
Nobody here complains that you can't install apps onto your TPM.
I'm a fan of separating the trusted compute levels for commercial and non-commercial uses/sides of the internet. I think we have to move in this direction.
As it stands today, doing business on ebay/craigslist/etc isn't that much different than doing it in a back alley in the bad part of town. Generally a bad idea but YMMV if you keep your wits about you. Of course it's your right to do business that way, but no one in their right mind thinks it's acceptable to do global commerce that way.
Commerce relies on legally enforceable contracts (both paper and EULAs), which ultimately rely on identity to be enforced. It's a bug, not a feature, that someone on the internet can steal my identity to purchase a product in my name and have it shipped wherever they want. It's a feature, not a bug, that my bank asks me for photo ID before I empty my account in person.
I'm not allowed to access banking computers, except occasionally and from within in a sandbox with proper credentials (ATM card for example). If, in the future my bank needs to do their compute inside my house on my phone, then it seems fair that there should be walls that keep me outside of their trusted compute.
That said, I am 100% behind keeping open purpose general computing free and available. Rooted devices, self built PCs etc all of it. I love it, saying this as a person who grew up building their own PCs and programming from a young age. I think that we all should be able to access the non-commercial side of the internet in any way we want, a true public square, warts, gutters and all. Hobbyists can do whatever they like as long as it doesn't touch commercial systems.
As I see it, the problem for most of us is that the social/fun side of the internet has largely been captured by commercial interests. Anything with a EULA should be considered a commercial site, since you're legally bound by a contract using it. As it stands today all the fun things on the internet would require enforced identity.
Maybe having a separate walled off "commercial internet with identity enforcement" will finally open the public's eyes as to the ramifications of the digital world we've built. And also allow us to individually take a stand and push back against the commercial interests through our daily choices of what sites we visit. Basically voting with your ID chip instead of your pocketbook. You can still do business in the gutter if you want to, but for the normies it will be easier for them to spot when they're in a back alley. And it gives parents options for keeping kids off of the anonymous side as well.
I do think a Reddit with identity would be a much less toxic place. As long as the brave adventurers among us can still access the digital gutters like 4chan and other message boards.
> I do think a Reddit with identity would be a much less toxic place.
Do you remember the days of "Real name" requirements on YouTube and "Google+"? The experiment was tried, it didn't change things. (Also, see Facebook for an ongoing version of the same experiment).
Freedom, security, anonymity
Pick two, because you can never have all three
The tokens could be tied to the device and Apple account by a provider like Apple, in fact you don’t need to issue tokens, only provide a web api that Apple and other browser providers support, which attests age.
This is certainly something that can be solved technically if we want.
It sounds like your scheme would only allow browsing the "adult web" on locked-down, unmodified devices running government-approved software. Frankly, that's worse than even requiring ID.
I’m just pointing out that it is in fact technically possible to lock things down. Whether we should or not is a separate discussion.
What you say, which is the real thing, is the total institutionalisation of everything, the very wet dream of bureaucrats everywhere, and of course done because "they have no choice", and are free to claim a pure lack of any motive or underlying agenda, and the vicious cycle of "just doing their job" enters our world, again.
I thought a solution to this would be to use a physical smartcard to store the certificate (perhaps on your government ID). If the protocol is a challenge/response and the private key never leaves the card it would make proxying without the physical card more difficult.
Yeah great idea, having to get out your government ID every time you want to use a website.
A certificate could be anonymous and the website would only need to verify it against the born_before_2008_root_cert in 2026. You could issue as many certs as you want and all would have a validity of 1 year so that websites only have to install at the maximum 2 root certs.
I know but what I mean is it's a lot of hassle just to visit something. And many devices I have like my VR headset don't have an NFC reader to validate some govt ID.
The “2008” part hit me hard
If the smart cards required some human input to perform a signature maybe this could work. Otherwise there is nothing stopping someone from selling use of their card via some proxy software
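The challenge/response check proposed in the smartcard comments above, as an added Go example that is not part of the thread. It assumes Ed25519 keys and a simplified signed structure in place of a real X.509 certificate; the cohort root stands in for the `born_before_2008_root_cert` idea, and every function name, message format and the `site.example` origin are illustrative.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"time"
)

// Credential is a simplified anonymous certificate: card key and expiry only, no name.
type Credential struct {
	CardPub  ed25519.PublicKey
	NotAfter int64 // Unix seconds
	RootSig  []byte
}

func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// body builds the signed message; the tag keeps credential and challenge
// signatures from being confused with each other.
func body(tag string, a []byte, b any) []byte {
	return []byte(fmt.Sprintf("%s|%x|%v", tag, a, b))
}

// Issue is the issuer's step: the cohort root signs the card key and an expiry.
func Issue(rootPriv ed25519.PrivateKey, cardPub ed25519.PublicKey, notAfter time.Time) Credential {
	exp := notAfter.Unix()
	return Credential{cardPub, exp, ed25519.Sign(rootPriv, body("age-cred-v1", cardPub, exp))}
}

// Respond is the card's step: sign the site's fresh nonce, bound to its origin.
func Respond(cardPriv ed25519.PrivateKey, origin string, nonce []byte) []byte {
	return ed25519.Sign(cardPriv, body("age-chal-v1", nonce, origin))
}

// Verify is the website's step: root signature, expiry, then the card's response.
func Verify(rootPub ed25519.PublicKey, c Credential, origin string, nonce, resp []byte, now time.Time) error {
	switch {
	case len(c.CardPub) != ed25519.PublicKeySize ||
		!ed25519.Verify(rootPub, body("age-cred-v1", c.CardPub, c.NotAfter), c.RootSig):
		return fmt.Errorf("credential not signed by cohort root")
	case now.Unix() > c.NotAfter:
		return fmt.Errorf("credential expired")
	case !ed25519.Verify(c.CardPub, body("age-chal-v1", nonce, origin), resp):
		return fmt.Errorf("challenge response invalid")
	}
	return nil
}

func main() {
	rootPub, rootPriv := NewKeyPair()
	cardPub, cardPriv := NewKeyPair()
	cred := Issue(rootPriv, cardPub, time.Now().AddDate(1, 0, 0))
	nonce := []byte("constructed-nonce-0001") // constructed; a site would use a random nonce
	resp := Respond(cardPriv, "https://site.example", nonce)
	fmt.Println("verify error:", Verify(rootPub, cred, "https://site.example", nonce, resp, time.Now()))
}
```

A passing check shows only that the card key signed this nonce for this origin; it carries no information about who asked the card to sign, which is the relay concern the thread raises.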
Is this type of problem even solvable?
I mean Netflix haven't managed to solve password sharing so,
But could you not set up a system where you need to go get (for free) a limited use token at a physical location, or have them mailed to your home, and they have a rough geographical lock? If a bunch of those tokens start appearing in random locations, it is a good indication that someone is reselling them to minors? I'm not saying this is idiot proof, but what could go wrong?
We are talking about porn here. And the internet will be always full of it - and that can only be prevented by controlling all of it, or have each state have a golden firewall.
All of these solutions seem very complicated, for little benefit. So an anonymous age verification scheme, fine with me. But making it more complicated, because dark entities could capture and resell tokens .. seems a step in the direction of madness.
Crusades against sexually explicit material are certainly popular in some places.
But these days I see a lot more talk about the developmental effects of parasocial media on kids. There’s a whole segment of buy-in there that didn’t exist before.
I don't see where I should sacrifice my freedoms to remain anonymous on the internet or MUCH more importantly, have control over my hardware and software just because parents can't do their job
Oh I’m not saying that pervasive mandated identity verification is good. I think people should be skeptical about its benefits, very wary about its downsides, presume bad actors are involved, and make proponents fight for every inch of buy in, no matter what their stated motivations are.
I also think that holding important ground involves understanding the terms of the argument, including the problems people say they’re trying to solve.
Trusted computing solves this problem handily.
> but if a minor is caught using someone's credential, then the person whose credential they are using can be investigated, and, if necessary, charged with a crime roughly equivalent to providing alcohol to a minor. Without the possibility of real world enforcement, none of these identity solutions can possibly work.
They don't work even then.
Suppose you completely eliminate privacy on the internet and require every domestic site to collect the name and social security number of everyone who visits. Then a child uses an adult's ID, regardless of whether it's with or without their knowledge. Is the child going to inform on themselves? No. Is the adult, when they don't even know about it? No. Is the adult, when they provided it on purpose? No.
That constitutes the entire set of people who would typically know that the person using the device isn't the person on the ID.
On top of that, we can punch an even bigger hole in it. Search engines, among other things, index other sites. Google is obviously the biggest but there are many others -- Bing, Marginalia, Brave, Swisscows, Yandex, Perplexity, Baidu, etc. They're run by adults and most of their users are adults, who reasonably expect to be able to turn off "safe search" if they want to. So some adult at each search engine would have to provide their ID to the crawler so it can index things inappropriate for children and show them to adult users. It would therefore be a fairly unremarkable and recurring thing to see the same ID make a zillion gigatons of requests.
But then you can't use "why is this person downloading 100 things from 100 computers at once" as an indication of anything nefarious happening, and anyone can still set up a service hosted on a foreign server that will serve adult content to anyone without an ID by serving it out of a cache. (And in the case where you're invading everyone's privacy, that service would also be very popular with adults.)
> Is the child going to inform on themselves? No. Is the adult, when they don't even know about it?
In the context of social media, if they want to actively participate they have to, given that it's the entire point. It's true that even with a government ID scheme people could borrow someone's ID to get passive access with their consent. But a kid couldn't share an account with a parent without that parent knowing because you see their activity, and they also couldn't post.
> In the context of social media, if they want to actively participate they have to, given that it's the entire point.
If the kid signs up for e.g. TikTok and the adult neither uses nor has any intention of using that platform, what causes them to even notice that it's happening?
Social media also seems like a pretty obvious case for this not working at all because if you ban kids from the ones based in your country, they'd collectively sign up for one based in a different country that doesn't enforce the ban, and the network effect for that age group shifts there because of the ban.
> It's true that even with a government ID scheme people could borrow someone's ID to get passive access with their consent.
That seems like the main problem though? Even if it actually prevented them from posting, you're conceding that it neither prevents them from doom scrolling nor accessing pornography, which are both passive consumption.
Kids shred these schemes. The designers of them seem to forget that the social dynamics of the adult world are completely different - just one kid needs to figure out how to bypass the system, and the knowledge spreads like wildfire.
Example: schools banned phones, so kids switched to talking over Google docs:
https://www.theatlantic.com/technology/archive/2019/03/hotte...
If we give parents better tools to limit and monitor internet access, kids will just buy a used phone which is unregulated. If their parents even bother to use the tools in the first place (it is my impression most parents do not). There are also a lot of loopholes parents do not even think of (like a web browser on a game console).
When I was in high school we all learned about proxies and bypassed the school firewalls. You didn't have to know anything technical after a few people figured it out. Hell, even the teachers were in on it. I remember one wanted to know so he could check the lotto numbers lol.
It's an eternal cat and mouse game and the mouse is going to win. I agree that the right idea is friction but if people aren't aware that there's no clear win that's going to work even 80% of the time then we'll write the wrong laws and have the wrong idea.
Having kids fiddle around with alternative means and schemes of communication might well turn out to be an intellectual and academic net positive.
This is where social media and other sites' endless datamining and profiling will come back to bite them. These sites already know the age range of users to a very high degree of certainty, and can continue to obtain such in an ongoing fashion. If an underage person is using these sites, it's likely going to be because the store clerk just nodded and winked, instead of because they were genuinely fooled by a borrowed or fraudulent ID. And in that case, the clerk is the one facing the penalties.
Put the burden of responsibility on the sites themselves and the number of people that will be able to successfully bypass such restrictions is going to be negligible and largely depend upon ongoing inorganic behavior or being an outlier in terms of behavior/interests.
the article also mentions; <But the government puts much of the onus on social media platforms to ensure users understand the verification process and on users to read up to make sure they aren’t being scammed.>
Unfortunately, the said-government doesn't seem to worry about the fact that their own systems have been breached over the years
> The entire point of age verification systems is to prevent minors from accessing certain resources. I think we all know that this is basically impossible; but what these various governments and social media companies want to do is to make it high friction to do so.
The problem is, this is wrong. What these governments want to do is get a grip on online behavior, through actions against individuals, who can't/won't defend themselves, rather than through actions against gigantic corporations that may choose litigation and take years to change their behavior, if they do at all.
Governments want to declare something illegal, say downloading a movie, putting racist comments online, ... then catch everyone who engages in that behavior online through mandatory identification, and actually have an effect.
To do this, breaking privacy is, of course, a core requirement. This can be introduced into these systems afterwards ("judge X wants to know who authenticated with token <token>, please provide the information"). Without this, government rules will remain totally ineffective online like they have been in the last 40 years.
I personally much prefer government rules remaining totally ineffective online.
> What these governments want to do
I feel strongly that this conspiratorial mind-reading approach to this sort of issue is just counterproductive.
What all the governments (and non-governments, frankly, there are many supporters of these things) are asking for is excluding minors from certain websites and services.
The problem is that this translates to age verification, which translates to identity verification, which incidentally gives states and other actors a variety of other tools they can use for anti-civil-liberties purposes.
In the end their motives are just irrelevant unless there is a clear way to exclude minors from certain services without going down the chain towards identity verification. Such a way does not exist, so we have to fight it here, at the point where the basic ask emerges.
> The entire point of age verification systems is to prevent minors from accessing certain resources.
Then why are they forbidding VPNs?
This is clearly NOT a use case that is solely referring to minors.
The whole cake is a lie and so is your assumption that age sniffing is "to protect children".
> Keep dreaming of a technological solution
We don't "dream" - we know what is possible and what is not.
Mass surveillance of everyone is simply not an option.
> Let individual parents decide on the level of harm that they are willing to accept
Nobody has an issue IF it were about individual parents, but it clearly is not. Governments try to criminalize and restrict everyone - and that is the true agenda.
Even more significant than the means are the ends. Why does my government get to decide what is appropriate for children?
This sounds a lot like what governance is supposed to be, but there is a critical difference. It's one thing for our society to agree generally on categories that are inappropriate for children, to encode those into law, and to enforce those laws. The difference is, enforce to whom?
Children are victims, not perpetrators. Age verification restates a child's role as perpetrator. This is the premise that I find unacceptable.
Why can’t you just sell single use codes at gas stations/liquor stores/etc and they just check your ID before sale? Of course shady places can still sell them without ID check, but we have this problem already for liquor and tobacco.
> The highest friction version of this is that the credential ties to a real world identity somehow; maybe locked behind legal barriers, etc., but if a minor is caught using someone's credential, then the person whose credential they are using can be investigated, and, if necessary, charged with a crime roughly equivalent to providing alcohol to a minor. Without the possibility of real world enforcement, none of these identity solutions can possibly work.
Buying alcohol for a minor implies knowledge and intent.
Getting the tokens out of a phone doesn't require the user to do any of that, the user just has to be frugal and keep the phone longer than it's supported by the manufacturer, until some local exploit is found again, and that token will be extracted and available online for everyone to use.
Parents buy those phones, phones could easily have a "user is a minor" setting (and a flag sent to all the sites that want one) with a password for parents to unlock stuff if needed. This would be set during the phone's first setup, and it's done. But nope, the plan is for everyone to install a form of a digital ID on their phones, and once it's there, requiring full-name identification when registering is just one step away.
> Parents buy those phones, phones could easily have a "user is a minor" setting (and a flag sent to all the sites that want one)
That's basically the California law! I hope other states adopt the "ask nicely for age but no online verification." OS setup asks for birthday, but you can just say January 1.
I also thought it should just send the flag, but I've heard there's good reasons not to. There's normally an affirmative prompt from the user to agree to send the age bucket data.
> charged with a crime roughly equivalent to providing alcohol to a minor
In most countries it's perfectly legal to provide alcohol to your kids.
> Keep dreaming of a technological solution -- there is none that does not lead to the world that FIRE is warning about, except to accept that we can only make a solution "good enough" and leave it at that, without expanding into full on identity verification.
The world that FIRE is warning about already exists in Australia, whose age verification laws prompted the article.
I'm an Australian. Our government passed the Assistance and Access bill on New Year's Eve in 2018, without much debate. The law allows them to demand "assistance" (code word for: you shall develop an undetectable spy app for us), and "access" (code word for: you shall silently install that app on the devices of any persons we nominate). Both requests are subject to a gag order.
As an example of what's possible, this allows them to demand Google "assists" them to develop an undetectable app that records the phone screen and keyboard usage at periodic intervals, and send it back to them, and then to demand Google installs it on devices owned by persons of interest.
The world has continued on. That may be because the tech bros are resisting helping (there were threats by a government head of security implying they weren't getting the level of compliance they wanted). But it may also be because we are a democracy, and blatant misuse of powers like this is likely to get you unelected. I've seen a few cases where it "felt" like the government bureaucracies used this tool against whistleblowers, which made me feel distinctly uncomfortable. But I don't know, and until recently they had a remarkably good track record against local terrorism. The recent exception is the recent Bondi killings, where a completely bonkers father convinced his son to go on a shooting spree. But they managed to maintain complete radio silence during the perpetration stage - I guess it was all planned over the kitchen table. That couldn't be detected by any surveillance network.
So for now, it looks like they have used the tool according to the rules laid down in the bill. All spying requires independent judicial orders, which I'm fairly sure they obtained. (To put that into perspective - when the threshold is "the person broke the law" and you get to write the laws, the threshold is not quite as high as it might appear - particularly for government whistleblowers that pissed off the incumbents.)
But for most of us, whose "crimes" are at most indulging in naughty pleasures, the bill offers pretty good privacy guarantees. If the government doesn't follow its own laws all bets are off, of course - and yes, this very scenario is playing out in another Five Eyes country. But if the government does follow its own rules, then any government-backed zero-knowledge proof scheme that includes a snitch code that can only be unlocked by a judicial order is going to be fine.
TL;DR: for the scenario FIRE is worried about, the horse bolted 8 years ago in Australia. The current alternative of being forced to hand over photos, identity documents, and god knows what other PII to random web sites is far worse in terms of privacy than a zero-knowledge proof of age issued by the government - even if it isn't truly private.