Comment by notepad0x90 6 days ago

3 replies

Even if this was a good idea, ID verification technology should not be outsourced to private parties. This is a service governments themselves must provide. I shouldn't need to upload an ID because the government already has it!

If they simply wanted age verification, the dumb and lazy way is to SSO through a government managed portal with OAUTH2 and you only share your age with the third party. You do a one-time account setup (you already have to do this in the US for many government services at the federal level) with age verification, that's your gov portal login. This means the government will know which naughty sites you visit of course, but like I said, it is the lazy approach, and if you think about it, if they respect the laws then a law can be passed to prevent them from storing or using that association, if they didn't, they could still sniff your traffic and wiretap you.

A slightly smarter approach would be to directly auth against a government portal and be given a 24h expiring code for age verification, and the government will publish an updated list of codes to trusted businesses. Those codes could be leaked, but making it a felony should deter most cases, because who wants to go to prison to let some kids watch porn?

Smarter people than me can come up with smarter solutions, that is really my point. Involving third-parties and requiring you to upload documents is done either out of extreme incompetence or opportunistic malice by elected officials (bribery).

franga2000 6 days ago

Every possible solution is terrible, many people have thought about this and nobody has found one that isn't.

The "24 hour code" one you suggest is something the EU is prototyping. Since there's nothing stopping an adult from sharing their code with a minor, or even code-sharing (or selling) websites to pop up, they want it to be bound to a particular device. So what they've done is added integrity checks to the app, so you can only run it on a locked down phone.

Want to run GrapheneOS for privacy and security? Or use an unofficial ROM to get updates on a phone the manufacturer stopped supporting? Just want to uninstall the bloatware and spyware the manufacturer installs? Want to use Linux? Have an old computer without a TPM? All of that and more - congrats, no "adult content" for you.

And no, it's not "porn", it's "adult content", which is a much broader and blurrier category. Is discussion of sexual orientation or gender issues adult content? Sex education? Medical information about "private parts"? News articles mentioning scary things like rape?

This is bad technology and it should never be developed. Do Not Create The Torment Nexus.

kijin 6 days ago

South Korea has implemented something similar, but through private corporations, not directly by the government.

When you sign up with a South Korean online service that might contain age-restricted content, you provide your name, date of birth, and phone number. The service operator uses a special telecom-provided API to have a 6-digit code sent to your phone. (The code is generated by the telecom, not the service operator.) When you enter the code, the telecom confirms the name and date of birth. No need for random online services to ask for government IDs, because they're allowed to pass the burden of proof to telecoms who have already verified it offline.

You could probably do something similar via banks, schools, the social security system, or any other regulated industry that has KYC rules.
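A sketch of the telecom-side flow described in the comment above, added here as an illustration and not part of the original comment or any real telecom API. The class and method names, the code lifetime, the attempt limit and the subscriber record are all assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL = 180     # assumption: seconds a code stays valid
MAX_ATTEMPTS = 3   # assumption: guesses allowed per code

@dataclass
class Pending:
    name: str
    dob: str
    phone: str
    code: str
    expires: float
    attempts: int = 0

class Telecom:
    """Hypothetical telecom side: holds identities it verified offline."""
    def __init__(self, subscribers):
        self.subscribers = subscribers  # phone -> (name, dob)
        self.pending = {}               # transaction id -> Pending
        self.sms_outbox = {}            # phone -> code; stands in for SMS delivery

    def start(self, name, dob, phone, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"  # generated here, never by the service
        txn = secrets.token_urlsafe(16)
        self.pending[txn] = Pending(name, dob, phone, code, now + CODE_TTL)
        if phone in self.subscribers:
            self.sms_outbox[phone] = code
        return txn  # same response whether or not the number is known

    def confirm(self, txn, entered, now=None):
        now = time.time() if now is None else now
        p = self.pending.get(txn)
        if p is None:
            return False
        p.attempts += 1
        if now > p.expires or p.attempts > MAX_ATTEMPTS:
            del self.pending[txn]  # expired or guessed too often
            return False
        if not hmac.compare_digest(p.code.encode(), entered.encode()):
            return False
        del self.pending[txn]  # single use
        # The service only learns yes/no: do the claimed details match the record?
        return self.subscribers.get(p.phone) == (p.name, p.dob)
```

The service operator calls `start` with what the user typed and `confirm` with the code the user reads from their phone, so it never handles an ID document and only receives a match or no-match answer.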

zimpenfish 5 days ago

> the dumb and lazy way is to SSO through a government managed portal with OAUTH2

The weird thing is that UKGOV already has this for the NHS - my GP's app uses access.login.nhs.uk to log me in. That could easily verify my age to another system.

(Admittedly it's not sufficient for the wider case because not everyone is registered on nhs.uk but it does show that UKGOV has the capability to do this.)