Mastodon says it doesn't 'have the means' to comply with age verification laws
-
The fact that they haven't gone for this approach that delivers age verification without disclosing ID, when it's a common and well known pattern in IT services, very strongly suggests that age verification was never the goal. The goal is to associate your real identity with all the information data brokers have on you, and make that available to state security services and law enforcement. And to do this they will gradually make it impossible to use the internet until they have your ID.
We really need to move community-run sites behind Tor or into i2p or something similar. We need networks where these laws just can't practically be enforced and information can continue to circulate openly.
The other day my kid wanted me to tweak the parental settings on their Roblox account. I tried to do so and was confronted by a demand for my government-issued ID and a selfie to prove my age. So I went to look at the privacy policy of the company behind it, Persona. Here's the policy, and it's without a doubt the worst I've ever seen. It basically says they'll take every last bit of information about you and sell it to everyone, including governments.
So I explained to my kid that I wasn't willing to do this. This is a taste of how everything will be soon.
Fuck, I went through that with VRchat...
-
If it's a law, it should be free for both businesses and users.
-
I think this starts to not work when you start to include other states that want to do this, other countries, cities, counties, etc. How many trusted authorities should there be and how do you prevent them from being compromised and exploited to falsely verify people? How do you prevent valid certs from being sold?
Some examples of the type of service you mentioned:
How do you prevent valid certs from being sold?
Sold by whom? The created cert can be time limited and single use, so the service couldn't really sell them. You could rate limit how many certs users can create and obviously make it illegal to share them in order to deter people from using them. That's not enough to prevent it completely, but should be an improvement for the use cases I hear the most about: social media (because it reduces the network effect) and porn (because kids will at least know that they're doing some real shady shit).
-
It does not contain a reference to your identity.
but they know who they issued it to, and can secretly subpoena your data from your instance.
no thank you.
They can only subpoena your data if it is stored. Make the code open source (by law) and only store the cert, no connection to the user.
-
Oh, I was thinking the certificate would only be needed for signups - once the account is created, it absolutely should be on the account holder, not the service provider.
Signups + random checks to prevent reselling accounts.
-
I give it 2 years till Netflix requires you to have an ID every time you open the app because it has rated R movies.
This is the same principle. The account holder agreement should make the account holder responsible for the use of the service.
The government shouldn't be parenting our minors, their guardians should be.
Otherwise we should put digital locks on every beer bottle, pack of cigarettes, blunt wraps, car door, etc. that require you to scan your ID before every use.
"Kids shouldn't be driving cars, it isn't safe!"
Yes, but somehow we have made it 100 years without requiring proof of age/license to start the car. And the car is far more deadly than them seeing someone naked.
“Kids shouldn’t be driving cars, it isn’t safe!” Yes, but somehow we have made it 100 years without requiring proof of age/license to start the car.
Driving is a much more visible activity than looking at your phone in a locked room though.
-
Age check happens by trusted entity (your government, not some sketchy big tech ass), they create a signed cert with a short lifespan to prevent your kid using the one you created yesterday and without the knowledge which service it is for.
Sorry, not sufficient.
Not secure.
"I certify that somebody is >18, but I don't say who - just somebody"
This is an open invitation to fraud. You are going to create at least a black market for these certificates, since they are anonymous but valid.
And I'm sure some real fraudsters have even stronger ideas than I have.
Making the certs short-lived (a few minutes) and single use and having a rate limit for users could make it difficult enough with serious risks (if you make it a crime) for little profit (I doubt many kids will pay serious amounts of money to watch porn; definitely not drug-scale amounts of money).
-
Government sets up page to verify age. You head to it, no referrer. Age check happens by trusted entity (your government, not some sketchy big tech ass), they create a signed cert with a short lifespan to prevent your kid using the one you created yesterday and without the knowledge which service it is for. It does not contain a reference to your identity. You share that cert with the service you want to use, they verify the signature, your age, save the passing and everyone is happy. Your government doesn't know that you're into ladies with big booties, the big booty service doesn't know your identity and you wank along in private.
But oh no, that wouldn't work because think of the... I have no clue.
Age check happens via trusted entity (your government)
Bold of you to assume a government entity is trusted. In the UK we have a large misrepresentative error due to our voting system.
-
If it's a law, it should be free for both businesses and users.
That means being paid by the tax payers.
The free option is to trust your children.
-
That means being paid by the tax payers.
The free option is to trust your children.
Oh noes, won't somebody think of the blessed tax payers.
-
Oh noes, won't somebody think of the blessed tax payers.
I'd rather not have the law, or if law then big business pay but exclusions for smaller businesses/hobbyist.
-
Age check happens via trusted entity (your government)
Bold of you to assume a government entity is trusted. In the UK we have a large misrepresentative error due to our voting system.
Depends on what part you trust. I trust them with my ID, I wouldn't trust a random website. They know it anyway as they made it.
-
Depends on what part you trust. I trust them with my ID, I wouldn't trust a random website. They know it anyway as they made it.
If we're talking about a hard copy ID (passport, driver's license) that's one thing. A digital ID, and over the internet, is asking for trouble.
-
“there is nobody that can decide for the fediverse to block Mississippi.” (...)
“And this is why real decentralization matters,” said Rochko.
-
The fact that they haven't gone for this approach that delivers age verification without disclosing ID, when it's a common and well known pattern in IT services, very strongly suggests that age verification was never the goal. The goal is to associate your real identity with all the information data brokers have on you, and make that available to state security services and law enforcement. And to do this they will gradually make it impossible to use the internet until they have your ID.
We really need to move community-run sites behind Tor or into i2p or something similar. We need networks where these laws just can't practically be enforced and information can continue to circulate openly.
The other day my kid wanted me to tweak the parental settings on their Roblox account. I tried to do so and was confronted by a demand for my government-issued ID and a selfie to prove my age. So I went to look at the privacy policy of the company behind it, Persona. Here's the policy, and it's without a doubt the worst I've ever seen. It basically says they'll take every last bit of information about you and sell it to everyone, including governments.
So I explained to my kid that I wasn't willing to do this. This is a taste of how everything will be soon.
Do you know if the verification services that require ID have access to official government databases to verify them? Cus I'm starting to have some... Ideas
-
If we're talking about a hard copy ID (passport, driver's license) that's one thing. A digital ID, and over the internet, is asking for trouble.
That's the reason I wrote what I wrote. Everyone only knows what they need to know. How do you think a third entity would identify you?
-
That means being paid by the tax payers.
The free option is to trust your children.
NSFW tag and parental controls blocking that, is not enough?
-
Making the certs short-lived (a few minutes) and single use and having a rate limit for users could make it difficult enough with serious risks (if you make it a crime) for little profit (I doubt many kids will pay serious amounts of money to watch porn; definitely not drug-scale amounts of money).
You cannot make a certificate "single use" (except if it exists only inside a closed system).
-
it would be done at the instance level, that's all. it's completely doable
-
Government sets up page to verify age. You head to it, no referrer. Age check happens by trusted entity (your government, not some sketchy big tech ass), they create a signed cert with a short lifespan to prevent your kid using the one you created yesterday and without the knowledge which service it is for. It does not contain a reference to your identity. You share that cert with the service you want to use, they verify the signature, your age, save the passing and everyone is happy. Your government doesn't know that you're into ladies with big booties, the big booty service doesn't know your identity and you wank along in private.
But oh no, that wouldn't work because think of the... I have no clue.
It bothers me so much that a ZKP system is entirely possible, and no one will just do the first step of setting that up.
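-
The signed-certificate flow proposed in this thread, and the disagreement over whether such a certificate can be "single use", shown as an added example that is not part of any post above. Ed25519, the field names (`over18`, `exp`, `jti`) and the per-service spent list are assumptions made for the illustration; the thread names none of them.

```javascript
// Added example (not from the thread): anonymous, short-lived age token.
const nodeCrypto = require('node:crypto');

// Issuer ("government" in the thread) key pair, constructed for this demo.
const issuerKeys = nodeCrypto.generateKeyPairSync('ed25519');

// Issuer side: sign a claim that carries no identity and no target service.
function issueToken(privateKey, nowMs, ttlMs) {
  const claim = JSON.stringify({
    over18: true,
    exp: nowMs + ttlMs,
    jti: nodeCrypto.randomBytes(16).toString('hex'), // random, not derived from the user
  });
  const sig = nodeCrypto.sign(null, Buffer.from(claim), privateKey);
  return { claim, sig: sig.toString('base64') };
}

// Service side: check signature, claim, expiry, then its own spent list.
function makeService(issuerPublicKey) {
  const spent = new Map(); // jti -> exp, visible to this service only
  return function redeem(token, nowMs) {
    const ok = nodeCrypto.verify(null, Buffer.from(token.claim),
      issuerPublicKey, Buffer.from(token.sig, 'base64'));
    if (!ok) return 'bad-signature';
    const { over18, exp, jti } = JSON.parse(token.claim);
    if (over18 !== true) return 'no-age-claim';
    if (nowMs >= exp) return 'expired';
    for (const [id, e] of spent) if (e <= nowMs) spent.delete(id); // prune old ids
    if (spent.has(jti)) return 'replayed';
    spent.set(jti, exp); // "save the passing": only the token id is stored
    return 'accepted';
  };
}

function demo() {
  const t0 = 1_700_000_000_000; // constructed clock value
  const token = issueToken(issuerKeys.privateKey, t0, 5 * 60 * 1000);
  const siteA = makeService(issuerKeys.publicKey);
  const siteB = makeService(issuerKeys.publicKey);
  const edited = { ...token, claim: token.claim.replace(/"exp":\d+/, '"exp":9999999999999') };
  return [
    siteA(token, t0 + 1000),  // first use at A
    siteA(token, t0 + 2000),  // same token again at A
    siteB(token, t0 + 3000),  // same token at B, which cannot see A's list
    siteB(edited, t0 + 4000), // expiry changed after signing
    makeService(issuerKeys.publicKey)(token, t0 + 6 * 60 * 1000), // after the TTL
  ];
}
```

The third result is where the two positions in the thread meet: a service can refuse a token it has already seen, but a second service accepts the same token until it expires, so the short lifetime is what bounds reuse across services.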