EU age verification app to ban any Android system not licensed by Google
Technology
123
Beiträge
69
Kommentatoren
1.3k
Aufrufe
-
The GDPR also applies to public institutions as far as I'm aware - but most importantly the concern here is Google and data collected by Google. This data collection is in no way necessary to provide the age verification service. Most of it is not even related to it. The state legally cannot force you to agree to some corporations (i.e. Google's) terms, even if we completely ignore the GDPR.
Data processing mandated by law is legal. Governments can pass laws, unlike private actors. Public institutions are bound by GDPR, but can also rely on provisions that give them greater leeway.
I don't see how that this is in any way necessary, either. But a judge may be convinced by the claim that this is industry standard best practice to keep the app safe. In any case, there may be some finer points to the law.
The state legally cannot force you to agree to some corporations (i.e. Google’s) terms,
I'm not too sure about that, either. For example, when you are out of work, the state will cause you trouble if you do not find offered jobs acceptable.
It's another question, if not having access to age-gated content is so bad as to force you to do anything. Minors nominally have the same rights as full citizens, and they are to be denied access, too.
-
You're right but the example you gave seems to illustrate a different effect that's almost opposite — let me explain.
The phrase "politically correct" is language which meant something very specific, that was then hijacked by the far-right into the culture war where its meaning could be hollowed out/watered down to just mean basically "polite", then used interchangeably in a motte-and-bailey style between the two meanings whenever useful, basically a weaponized fallacy designed to scare and confuse people — and you know that's exactly what it's doing by because no right-winger can define what this boogeyman really means. This has been done before with things like: Critical Race Theory, DEI, cancel culture, woke, cultural Marxism, cultural bolshevism/judeo bolshevism (if you go back far enough), "Great Replacement", "illegals", the list goes on.
I see your point. I should've limited my citation to the phrase's authoritarian origins from the early 20th century.
To clarify, the slippery slope towards "political correctness" I wanted to describe is a sort of corporate techno-feudalist language bereft of any real political philosophy or moral epistemology. It is the language of LinkedIn, the "angel investor class", financiers, cavalier buzzwords, sweeping overgeneralizations, and hyperbole. Yet, fundamentally, it will aim to erase any class awareness, empiricism, or contempt for arbitrary authority. The idea is to impose an avaricious financial-might-makes-right for whatever-we-believe-right-now way of thinking in every human being.
What I want to convey is that there is an unspoken effort by authoritarians of the so-called "left" and "right" who unapologetically yearn for the hybridization of both Huxley's A Brave New World and Orwell's 1984 dystopian models, sometimes loudly proclaimed and other times subconsciously suggested.
These are my opinions and not meant as gospel.
-
Its not the populace, our politicians just like in the US have gone rogue. People are voting for the nutters due to anti immigration propaganda and so increasingly getting far right. Its happening across the entire western world and its bad news for everyone.
Except this isn't even the right wing nutters doing it. These are mainstream politicians executing their power grabbing neolib agenda, with very little democratic oversight or public debate.
-
European Digital identity
looks inside:
Hosted on GitHub in the US
That's ironic
-
Ah, my apologies. It was unclear
My bad
My instance could also hint at it
-
I see your point. I should've limited my citation to the phrase's authoritarian origins from the early 20th century.
To clarify, the slippery slope towards "political correctness" I wanted to describe is a sort of corporate techno-feudalist language bereft of any real political philosophy or moral epistemology. It is the language of LinkedIn, the "angel investor class", financiers, cavalier buzzwords, sweeping overgeneralizations, and hyperbole. Yet, fundamentally, it will aim to erase any class awareness, empiricism, or contempt for arbitrary authority. The idea is to impose an avaricious financial-might-makes-right for whatever-we-believe-right-now way of thinking in every human being.
What I want to convey is that there is an unspoken effort by authoritarians of the so-called "left" and "right" who unapologetically yearn for the hybridization of both Huxley's A Brave New World and Orwell's 1984 dystopian models, sometimes loudly proclaimed and other times subconsciously suggested.
These are my opinions and not meant as gospel.
I get what you mean. You're saying we're sliding towards something that brings back political correctness in its original definition, and I agree with you.
The idea is to impose an avaricious financial-might-makes-right
This resonates a lot. I'd argue we're already there. All this talk of "meritocracy" (fallaciously opposed to "DEI"), the prosperity gospel (that one's even older), it's all been promoting this idea of worthiness determined by net worth. Totalitarianism needs a socially accepted might-makes-right narrative wherever it can find it, then that can be the foundation for the fascist dogma/cult that will justify the regime's existence and legitimize its disregard for human life. Bonus points if you can make that might-makes-right narrative sound righteous (e.g. "merit" determines that you "deserve" your wealth, when really it's a circular argument: merit is never questioned for those who have the wealth, it's always assumed because how else could they have made that much money!).
-
There are 3 parties:
- the user
- the age-gated site
- the age verification service
The site (2) sends the request to the user (1), who passes it on to the service (3) where it is signed and returned the same way. The request comes with a nonce and a time stamp, making reuse difficult. An unusual volume of requests from a single user will be detected by the service.
from a single user
Neither 2 nor 3 should receive information about the identity of the user, making it difficult to count the volume of requests by user?
-
from a single user
Neither 2 nor 3 should receive information about the identity of the user, making it difficult to count the volume of requests by user?
Strictly speaking, neither needs to know the actual identity. However, the point is that both are supposed to receive information about the user's age. I'm not really sure what your point is.
-
Strictly speaking, neither needs to know the actual identity. However, the point is that both are supposed to receive information about the user's age. I'm not really sure what your point is.
I must not be explaining myself well.
both are supposed to receive information about the user's age
Yes, that's the point. They should be receiving information about age, and age only. Therefore they lack the information to detect reuse.
If they are able to detect reuse, they receive more (and personal identifying) information. Which shouldn't be the case.
The only known way to include a nonce, without releasing identifying information to the 3rd parties, is using a DRM like chip. This results in the sovereignty and trust issues I referred to earlier.
-
No one is laughing... We're horrified how the people who have been screaming "freedom" and being obnoxious about how much more free they are than anyone else in the entire universe, seem to love getting enslaved while being obnoxious about how cool it is to be enslaved.
Europe has its problems. We've had them for generations, and right now they're getting worse. But at least we have a culture of fighting back, something americans don't.
In Hungary, we still have people who think fascism is when "evil people do evil things for the sake of evil", so when fascists want to hurt Roma, LGBTQIA+, etc. people, no one dares to call them fascists as long as said people have "receipts" in the form of cobbled together statistics, and have a not too cruel solution.
-
We dont want it. VdL is one of the most corrupt people in policits and unfortunately has a lot of influence
VdL = Ursula von der Leyen to the uninitiated. Conservative politician, but the more boring kind, not the Orbán-style post-fascism kind.
-
I must not be explaining myself well.
both are supposed to receive information about the user's age
Yes, that's the point. They should be receiving information about age, and age only. Therefore they lack the information to detect reuse.
If they are able to detect reuse, they receive more (and personal identifying) information. Which shouldn't be the case.
The only known way to include a nonce, without releasing identifying information to the 3rd parties, is using a DRM like chip. This results in the sovereignty and trust issues I referred to earlier.
The site would only know that the user's age is being vouched for by some government-approved service. It would not be able to use this to track the user across different devices/IPs, and so on.
The service would only know that the user is requesting that their age be vouched for. It would not know for what. Of course, they would have to know your age somehow. EG they could be selling access in shops, like alcohol is sold in shops. The shop checks the ID. The service then only knows that you have login credentials bought in some shop. Presumably these credentials would not remain valid for long.
They could use any other scheme, as well. Maybe you do have to upload an ID, but they have to delete it immediately afterward. And because the service has to be in the EU, government-certified with regular inspections, that's safe enough.
In any case, the user would have to have access to some sort of account on the service. Activity related to that account would be tracked.
If that is not good enough, then your worries are not about data protection. My worries are not. I reject this for different reasons.
-
The site would only know that the user's age is being vouched for by some government-approved service. It would not be able to use this to track the user across different devices/IPs, and so on.
The service would only know that the user is requesting that their age be vouched for. It would not know for what. Of course, they would have to know your age somehow. EG they could be selling access in shops, like alcohol is sold in shops. The shop checks the ID. The service then only knows that you have login credentials bought in some shop. Presumably these credentials would not remain valid for long.
They could use any other scheme, as well. Maybe you do have to upload an ID, but they have to delete it immediately afterward. And because the service has to be in the EU, government-certified with regular inspections, that's safe enough.
In any case, the user would have to have access to some sort of account on the service. Activity related to that account would be tracked.
If that is not good enough, then your worries are not about data protection. My worries are not. I reject this for different reasons.
is being vouched for by some government-approved service.
The reverse is also a necessity: the government approved service should not be allowed to know who and for what a proof of age is requested.
And because the service has to be in the EU, government-certified with regular inspections, that's safe enough
Of course not: both intentional and unintentional leaking of this information already happens, regularly. That information should simply not be captured, at all!
Additionally, what happens to, for example, the people in Hungary(*)? If the middle man government service knows when and who is requesting proof-of-age, it's easy to de-anonymise for example users of gay porn sites.
The 3rd party solution, as you present it, sounds terribly dangerous!
(*) Hungary as a contemporary example of a near despot leader, but more will pop up in EU over the coming years.
-
is being vouched for by some government-approved service.
The reverse is also a necessity: the government approved service should not be allowed to know who and for what a proof of age is requested.
And because the service has to be in the EU, government-certified with regular inspections, that's safe enough
Of course not: both intentional and unintentional leaking of this information already happens, regularly. That information should simply not be captured, at all!
Additionally, what happens to, for example, the people in Hungary(*)? If the middle man government service knows when and who is requesting proof-of-age, it's easy to de-anonymise for example users of gay porn sites.
The 3rd party solution, as you present it, sounds terribly dangerous!
(*) Hungary as a contemporary example of a near despot leader, but more will pop up in EU over the coming years.
The reverse is also a necessity: the government approved service should not be allowed to know who and for what a proof of age is requested.
It would send the proof to you. It would not know what you do with it. I gave an example in the previous post how the identity of the user could be hidden from the service.
If the middle man government service knows when and who is requesting proof-of-age, it’s easy to de-anonymise for example users of gay porn sites.
It would be a lot easier to get that information from the ISP.
-
The reverse is also a necessity: the government approved service should not be allowed to know who and for what a proof of age is requested.
It would send the proof to you. It would not know what you do with it. I gave an example in the previous post how the identity of the user could be hidden from the service.
If the middle man government service knows when and who is requesting proof-of-age, it’s easy to de-anonymise for example users of gay porn sites.
It would be a lot easier to get that information from the ISP.
I gave an example in the previous post how the identity of the user could be hidden from the service.
In both your examples the government service has your full identity, then pinky promises to forget it.
Unless I'm misunderstanding something?
It would be a lot easier to get that information from the ISP.
Not quite the same, as IP addresses are shared through NAT, VPNs exist, etc. With the proposed legislation it is illegal for website operators to deliver content to known VPN ips, as they cannot confirm that the end user isn't a EU subject.
-
I gave an example in the previous post how the identity of the user could be hidden from the service.
In both your examples the government service has your full identity, then pinky promises to forget it.
Unless I'm misunderstanding something?
It would be a lot easier to get that information from the ISP.
Not quite the same, as IP addresses are shared through NAT, VPNs exist, etc. With the proposed legislation it is illegal for website operators to deliver content to known VPN ips, as they cannot confirm that the end user isn't a EU subject.
In both your examples the government service has your full identity, then pinky promises to forget it.
It can be like buying alcohol in a store. They look at you and see your age. Or if it's unclear, the store clerk asks your idea and promptly forgets all about it. Except you're not buying alcohol but a login for some age verifier.
-
In both your examples the government service has your full identity, then pinky promises to forget it.
It can be like buying alcohol in a store. They look at you and see your age. Or if it's unclear, the store clerk asks your idea and promptly forgets all about it. Except you're not buying alcohol but a login for some age verifier.
So yes, they get your identity, then promise to forget it.
That's a worst of both worlds proposal: it makes it trivial to deanonymise people, and it doesn't solve the replay attacks.
-
So yes, they get your identity, then promise to forget it.
That's a worst of both worlds proposal: it makes it trivial to deanonymise people, and it doesn't solve the replay attacks.
Maybe buying alcohol works differently where you live.
-
Maybe buying alcohol works differently where you live.
They ask for ID card indeed, making it super easy to just make a copy. On top of that, your payment details are stored. You're on camera. Etc.
Super easy to automate deanonymization. (1).
