EU chief calls for a bloc-wide push on an age verification app to protect children online. If enforced, users will have to prove their age to access legally restricted sites.
Both. There’s a difference between showing some clerk your ID compared to uploading it to the internet. It’s not a question of if it being hacked. It will be. Denial of this is dangerous. If you don’t see this as important, you’re desensitized by the sheer number of yearly cyber attacks.
And that’s only the start. Children will only be marginalized. Protected groups will be increasingly threatened. Take your pick on whatever organization you want to look at, and they’ll say this doesn’t help anyone, except maybe foreign adversaries and hacking groups.
What happens when the next government comes along and decides to make a more US kind of implementation? The point is, that we should not make this the precedent. Ever. Kick it while it’s down.
Ok, but for what it’s worth, I’m only trying to defend the EU proposal. This discussion was about the EU proposal, from the very first OP. The US proposal, such as I understand it (I haven’t looked into it that much, since I don’t live there), seems a huge privacy risk that plays into the hands of corporations. No thanks.
In the EU system, you start with a verifiable online identity system. These differ from country to country but all perform the same task: They allow you to prove who you are.
So you go to an online portal and you log in, as you. This system issues you a set of tokens, which does not hold your PII. They solely say “This person is over 18”. If you want a token to say “this person is over 13”, you need a different token. A token is a number that has been signed by the issuing authority in a way that can only be done by the issuing authority. You store these tokens, encrypted, in your age verification app.
Now IF the issuing authority stored “I issued token X to person Y” we would have a huge problem. They don’t. All they do is store “this token was issued”. If they chose to store that a specific token was issued to a specific person, they could track what sites you used the tokens at. So you have to trust your state here, just like you have to trust them not to access your phone records, or your credit card transactions or which mobile mast your phone logs on to.
You proceed to a site that requires an age gate. You are presented with QR code, which you scan with your age verification app (the one that stores the age verification tokens). This QR code contains a URL that holds the verification attempt ID (created by the gater) and your app now connects to this URL (be advised this URL is not the URL of the gater, but of a third party gating service) and sends one of your verification tokens. The third party verification service checks this with the issuing authority and confirms it is a valid token, then retires it if it is. The third party service now calls to the gater and says “this verification attempt has indeed proven their age”.
The gater then lets you proceed.
Throughout this attempt the only place that can be hacked to reveal your PII would be the issuing authority - no other services knows anything about you. What a hacker would have to do is insert code that captures the issuing of tokens and somehow grabs your PII at tha time. But what’s important to understand is that the issuing service also doesn’t know who you are, because they don’t store all your PII when they issue your tokens - they just have the required information about you from the identity service you used to log in (chiefly your age). So even if a hacker got in here, they couldn’t grab who you were, merely when you were born).
Many security experts have analysed this flow and supported it. I myself cannot see what a hacker could really do here. So, in this case, specifically for the EU system, which this post was about, I am willing to accept that the advantages of not having minors access tobacco, alcohol or age gated media far outweighs the privacy risks.
Both. There’s a difference between showing some clerk your ID compared to uploading it to the internet. It’s not a question of if it being hacked. It will be. Denial of this is dangerous. If you don’t see this as important, you’re desensitized by the sheer number of yearly cyber attacks.
And that’s only the start. Children will only be marginalized. Protected groups will be increasingly threatened. Take your pick on whatever organization you want to look at, and they’ll say this doesn’t help anyone, except maybe foreign adversaries and hacking groups. What happens when the next government comes along and decides to make a more US kind of implementation? The point is, that we should not make this the precedent. Ever. Kick it while it’s down.
Ok, but for what it’s worth, I’m only trying to defend the EU proposal. This discussion was about the EU proposal, from the very first OP. The US proposal, such as I understand it (I haven’t looked into it that much, since I don’t live there), seems a huge privacy risk that plays into the hands of corporations. No thanks.
In the EU system, you start with a verifiable online identity system. These differ from country to country but all perform the same task: They allow you to prove who you are.
So you go to an online portal and you log in, as you. This system issues you a set of tokens, which does not hold your PII. They solely say “This person is over 18”. If you want a token to say “this person is over 13”, you need a different token. A token is a number that has been signed by the issuing authority in a way that can only be done by the issuing authority. You store these tokens, encrypted, in your age verification app.
Now IF the issuing authority stored “I issued token X to person Y” we would have a huge problem. They don’t. All they do is store “this token was issued”. If they chose to store that a specific token was issued to a specific person, they could track what sites you used the tokens at. So you have to trust your state here, just like you have to trust them not to access your phone records, or your credit card transactions or which mobile mast your phone logs on to.
You proceed to a site that requires an age gate. You are presented with QR code, which you scan with your age verification app (the one that stores the age verification tokens). This QR code contains a URL that holds the verification attempt ID (created by the gater) and your app now connects to this URL (be advised this URL is not the URL of the gater, but of a third party gating service) and sends one of your verification tokens. The third party verification service checks this with the issuing authority and confirms it is a valid token, then retires it if it is. The third party service now calls to the gater and says “this verification attempt has indeed proven their age”.
The gater then lets you proceed.
Throughout this attempt the only place that can be hacked to reveal your PII would be the issuing authority - no other services knows anything about you. What a hacker would have to do is insert code that captures the issuing of tokens and somehow grabs your PII at tha time. But what’s important to understand is that the issuing service also doesn’t know who you are, because they don’t store all your PII when they issue your tokens - they just have the required information about you from the identity service you used to log in (chiefly your age). So even if a hacker got in here, they couldn’t grab who you were, merely when you were born).
Many security experts have analysed this flow and supported it. I myself cannot see what a hacker could really do here. So, in this case, specifically for the EU system, which this post was about, I am willing to accept that the advantages of not having minors access tobacco, alcohol or age gated media far outweighs the privacy risks.