Decentralized social network Mastodon says it cannot comply with age verification laws, like in Mississippi and elsewhere, and says it's up to individual server owners to decide.
Government sets up page to verify age. You head to it, no referrer. Age check happens by trusted entity (your government, not some sketchy big tech ass), they create a signed cert with a short lifespan to prevent your kid using the one you created yesterday and without the knowledge which service it is for. It does not contain a reference to your identity. You share that cert with the service you want to use, they verify the signature, your age, save the passing and everyone is happy. Your government doesn’t know that you’re into ladies with big booties, the big booty service doesn’t know your identity and you wank along in private.
But oh no, that wouldn’t work because think of the… I have no clue.
That sounds like a very functional and rational solution to the problem of age verification. But age verification isn’t the ultimate goal, it’s mass surveillance, which your solution doesn’t work for.
The fact that they haven’t gone for this approach that delivers age verification without disclosing ID, when it’s a common and well known pattern in IT services, very strongly suggests that age verification was never the goal. The goal is to associate your real identity with all the information data brokers have on you, and make that available to state security services and law enforcement. And to do this they will gradually make it impossible to use the internet until they have your ID.
We really need to move community-run sites behind Tor or into i2p or something similar. We need networks where these laws just can’t practically be enforced and information can continue to circulate openly.
The other day my kid wanted me to tweak the parental settings on their Roblox account. I tried to do so and was confronted by a demand for my government-issued ID and a selfie to prove my age. So I went to look at the privacy policy of the company behind it, Persona. Here’s the policy, and it’s without a doubt the worst I’ve ever seen. It basically says they’ll take every last bit of information about you and sell it to everyone, including governments.
The fact that they haven’t gone for this approach that delivers age verification without disclosing ID, when it’s a common and well known pattern in IT services, very strongly suggests that age verification was never the goal.
I don’t agree. It certainly makes it possible that it isn’t the goal. But I genuinely believe that, at least here in Australia (where our recent age-gating law is not about porn, but about social media platforms, with an age limit of 16), the reason behind the laws being designed as they are is (1) optics: despite what those of us here say, keeping young children off of harmful social media algorithms is very politically popular and they wanted to pass a bill that banned it as quickly as they could. No time for serious discussion about methods. And (2) a complete lack of knowledge. Because they wanted the optics, they passed the bill extremely quickly and without a serious amount of consultation. And I don’t trust that even if they had done consultation, they would have known who is more reliable to listen to, the actual experts and privacy advocates, or the big AI companies with big money promising facial recognition will somehow solve this. Because politicians are, by and large, really fucking stupid at technology.
What is it they say? Never attribute to malice that which can be adequately explained by stupidity?
The service provider could even generate a certificate request that the age verification entity signs (again, with no identifying information, other than “I need an age verification signature, please”). That certificate would only be valid for that specific service provider and can’t be re-used.
I give it 2 years till Netflix requires you to have an ID every time you open the app because it has rated R movies.
This is the same principle. The account holder agreement should make the account holder responsible for the use of the service.
The government shouldn’t be parenting our minors, their guardians should be.
Otherswise we should put digital locks on every beer bottle, pack of cigarettes, blunt raps, car door, etc. That requires you to scan your ID before every use.
“Kids shouldn’t be driving cars, it isn’t safe!”
Yes, but somehow we have made it 100 years without requiring proof of age/license to start the car.
And the car is far more deadly than them seeing someone naked.
“Kids shouldn’t be driving cars, it isn’t safe!” Yes, but somehow we have made it 100 years without requiring proof of age/license to start the car.
This is sort of my take. There’s a lot of fun to be had in discussing possible technical solutions to the problem. And technical solutions do exist. But they all have some sort of noteworthy downside, including relying on the government to build and maintain this signing server.
But the best solution, IMO, is much more low-tech. Parental controls. Mandate that all browsers and operating systems support a parental control API where apps and websites can request to know if a user is of age. Mandate that adult sites call this API. And put the onus on parents to actually set up parental controls on their children’s devices, with an appropriately strong password that the children cannot break into.
Oh, I was thinking the certificate would only be needed for signups - once the account is created, it absolutely should be on the account holder, not the service provider.
Philosophically I agree with you. I was just discussing a technological way to accomplish age verification without giving up users’ identities to a service provider, or the government knowing what service you’re using. Unfortunately, too many governments want to know what you’re doing inside your pants.
Yeah, there is likely a tech answer to this that would work. Coming up with one and them choosing not to use it makes it even more clear kids’ safety isn’t their goal.
This can be improved even further to lock a single age verification to a single account. Instead of issuing you a generic signed cert, they use blinded signatures to sign a cert that you generate and encrypt, containing the domain name and your username. The govt never sees the site or your username, because it’s encrypted, and the site never sees the document you provided the govt with to prove your age. But you have a cert that can only be used by you to verify your account is of age.
There’s an alternative solution that would enable a person’s browser or device to verify their age based on a govt-signed cert with repeated hashes. This would have the benefit of the government not even knowing how many verifications you had done, because they only provide one cert per person (with longer renewals. The downside of this is that it requires some form of unique multiple-use identifier. In the sample question that’s fine because it’s a passport. IRL it could be something like an email address, or even just your own unique UUID.
Ideally, it would be handled directly on the hardware. Allow people to verify their logged in profile, using a government-run site. Then that user is now verified. Any time an age gate needs to happen, the site initiates a secure handshake directly with the device via TLS, and asks the device if the current user is old enough. The device responds with a simple yes/no using that secure protocol. Parents can verify their accounts/devices, while child accounts/devices are left unverified and fail the test.
Government doesn’t know what you’re watching, because they simply verified the user. People don’t need to spam an underfunded government site with requests every day, because the individual user is verified. And age gates are able to happen entirely in the background without any additional effort on the user’s side. The result is that adults get to watch porn without needing to verify every time, while kids automatically get a “you’re not age-verified” wall. And kids can’t MITM the age check, due to the secure handshake. And if it becomes common enough, even a VPN would be meaningless as adult sites will just start requiring it by default.
For instance, on a Windows machine, each individual user would be independently verified. So if the kid is logged into their account, they’d get an age wall. But if the parent is logged into their verified account, they can watch all the porn they want. Then keeping kids away from porn is simply a matter of protecting your adults’ computer password.
But it won’t happen, because protecting kids isn’t the actual goal. The actual goal is surveillance. Google (and other big tech firms like them) is pushing to enact these laws, because they have the infrastructure set up to verify users. And requiring verification via those big tech firms allows them to track you more.
I think this starts to not work when you start to include other states that want to do this, other countries, cities, counties, etc… How many trusted authorities should there be and how do you prevent them from being compromised and exploited to falsely verify people? How do you prevent valid certs from being sold?
Some examples of the type of service you mentioned:
Sold by whom? The created cert can be time limited and single use, so the service couldn’t really sell them. You could rate limit how many certs users can create and obviously make it illegal to share them in order to deter people from using them. That’s not enough to prevent it completetly, but should be an improvement for the use cases I hear the most about: social media (because it reduces the network effect) and porn (because kids will at least know that they’re doing some real shady shit).
Age check happens by trusted entity (your government, not some sketchy big tech ass), they create a signed cert with a short lifespan to prevent your kid using the one you created yesterday and without the knowledge which service it is for.
Sorry, not sufficient.
Not secure.
" I certify that somebody is >18, but I don’t say who - just somebody "
This is an open invitation to fraud. You are going to create at least a black market for these certificates, since they are anonymous but valid.
And I’m sure some real fraudsters have even stronger ideas than I have.
Making the certs short-lived (a few minutes) and single use and having a rate limit for users could make it difficult enough with serious risks (if you make it a crime) for little profit (I doubt many kids will pay serious amounts of money to watch porn; definetly not drug-scale amounts of money).
What stops non-anonymous certificates from being sold?
If John Doe views way too much porn, then you expect the site to shut him down? They have no ability to track other site usage. The authorities have to block him after the 10,000th download.
At that point, why does the site need to know? Either the government blocks someone’s ID or they don’t
Government sets up page to verify age. You head to it, no referrer. Age check happens by trusted entity (your government, not some sketchy big tech ass), they create a signed cert with a short lifespan to prevent your kid using the one you created yesterday and without the knowledge which service it is for. It does not contain a reference to your identity. You share that cert with the service you want to use, they verify the signature, your age, save the passing and everyone is happy. Your government doesn’t know that you’re into ladies with big booties, the big booty service doesn’t know your identity and you wank along in private.
But oh no, that wouldn’t work because think of the… I have no clue.
That sounds like a very functional and rational solution to the problem of age verification. But age verification isn’t the ultimate goal, it’s mass surveillance, which your solution doesn’t work for.
The fact that they haven’t gone for this approach that delivers age verification without disclosing ID, when it’s a common and well known pattern in IT services, very strongly suggests that age verification was never the goal. The goal is to associate your real identity with all the information data brokers have on you, and make that available to state security services and law enforcement. And to do this they will gradually make it impossible to use the internet until they have your ID.
We really need to move community-run sites behind Tor or into i2p or something similar. We need networks where these laws just can’t practically be enforced and information can continue to circulate openly.
The other day my kid wanted me to tweak the parental settings on their Roblox account. I tried to do so and was confronted by a demand for my government-issued ID and a selfie to prove my age. So I went to look at the privacy policy of the company behind it, Persona. Here’s the policy, and it’s without a doubt the worst I’ve ever seen. It basically says they’ll take every last bit of information about you and sell it to everyone, including governments.
https://withpersona.com/legal/privacy-policy
So I explained to my kid that I wasn’t willing to do this. This is a taste of how everything will be soon.
I don’t agree. It certainly makes it possible that it isn’t the goal. But I genuinely believe that, at least here in Australia (where our recent age-gating law is not about porn, but about social media platforms, with an age limit of 16), the reason behind the laws being designed as they are is (1) optics: despite what those of us here say, keeping young children off of harmful social media algorithms is very politically popular and they wanted to pass a bill that banned it as quickly as they could. No time for serious discussion about methods. And (2) a complete lack of knowledge. Because they wanted the optics, they passed the bill extremely quickly and without a serious amount of consultation. And I don’t trust that even if they had done consultation, they would have known who is more reliable to listen to, the actual experts and privacy advocates, or the big AI companies with big money promising facial recognition will somehow solve this. Because politicians are, by and large, really fucking stupid at technology.
What is it they say? Never attribute to malice that which can be adequately explained by stupidity?
Fuck, I went through that with VRchat…
Don’t forget censorship.
Because it’s not actually about age verification, it’s about totalizing surveillance of everyone.
ActivityPub is a major threat to the commercial social networks.
These laws are purely a way to regulate communication, but they are effectively a way to prevent new social networks from becoming established.
This is why the really big social networks are welcoming them with open arms. Even the criminal social networks are secretly pleased with them.
Laws only affect people too poor to manipulate them and too honest to disobey them.
The service provider could even generate a certificate request that the age verification entity signs (again, with no identifying information, other than “I need an age verification signature, please”). That certificate would only be valid for that specific service provider and can’t be re-used.
I give it 2 years till Netflix requires you to have an ID every time you open the app because it has rated R movies.
This is the same principle. The account holder agreement should make the account holder responsible for the use of the service.
The government shouldn’t be parenting our minors, their guardians should be.
Otherswise we should put digital locks on every beer bottle, pack of cigarettes, blunt raps, car door, etc. That requires you to scan your ID before every use.
“Kids shouldn’t be driving cars, it isn’t safe!” Yes, but somehow we have made it 100 years without requiring proof of age/license to start the car.
And the car is far more deadly than them seeing someone naked.
This is sort of my take. There’s a lot of fun to be had in discussing possible technical solutions to the problem. And technical solutions do exist. But they all have some sort of noteworthy downside, including relying on the government to build and maintain this signing server.
But the best solution, IMO, is much more low-tech. Parental controls. Mandate that all browsers and operating systems support a parental control API where apps and websites can request to know if a user is of age. Mandate that adult sites call this API. And put the onus on parents to actually set up parental controls on their children’s devices, with an appropriately strong password that the children cannot break into.
Oh, I was thinking the certificate would only be needed for signups - once the account is created, it absolutely should be on the account holder, not the service provider.
Why not apply this to the ISP account holder and trust them to protect their own kids the way they see fit?
Philosophically I agree with you. I was just discussing a technological way to accomplish age verification without giving up users’ identities to a service provider, or the government knowing what service you’re using. Unfortunately, too many governments want to know what you’re doing inside your pants.
Yeah, there is likely a tech answer to this that would work. Coming up with one and them choosing not to use it makes it even more clear kids’ safety isn’t their goal.
Signups + random checks to prevent reselling accounts.
Driving is a much more visible activity than looking at your phone in a locked room though.
This can be improved even further to lock a single age verification to a single account. Instead of issuing you a generic signed cert, they use blinded signatures to sign a cert that you generate and encrypt, containing the domain name and your username. The govt never sees the site or your username, because it’s encrypted, and the site never sees the document you provided the govt with to prove your age. But you have a cert that can only be used by you to verify your account is of age.
There’s an alternative solution that would enable a person’s browser or device to verify their age based on a govt-signed cert with repeated hashes. This would have the benefit of the government not even knowing how many verifications you had done, because they only provide one cert per person (with longer renewals. The downside of this is that it requires some form of unique multiple-use identifier. In the sample question that’s fine because it’s a passport. IRL it could be something like an email address, or even just your own unique UUID.
Ideally, it would be handled directly on the hardware. Allow people to verify their logged in profile, using a government-run site. Then that user is now verified. Any time an age gate needs to happen, the site initiates a secure handshake directly with the device via TLS, and asks the device if the current user is old enough. The device responds with a simple yes/no using that secure protocol. Parents can verify their accounts/devices, while child accounts/devices are left unverified and fail the test.
Government doesn’t know what you’re watching, because they simply verified the user. People don’t need to spam an underfunded government site with requests every day, because the individual user is verified. And age gates are able to happen entirely in the background without any additional effort on the user’s side. The result is that adults get to watch porn without needing to verify every time, while kids automatically get a “you’re not age-verified” wall. And kids can’t MITM the age check, due to the secure handshake. And if it becomes common enough, even a VPN would be meaningless as adult sites will just start requiring it by default.
For instance, on a Windows machine, each individual user would be independently verified. So if the kid is logged into their account, they’d get an age wall. But if the parent is logged into their verified account, they can watch all the porn they want. Then keeping kids away from porn is simply a matter of protecting your adults’ computer password.
But it won’t happen, because protecting kids isn’t the actual goal. The actual goal is surveillance. Google (and other big tech firms like them) is pushing to enact these laws, because they have the infrastructure set up to verify users. And requiring verification via those big tech firms allows them to track you more.
I think this starts to not work when you start to include other states that want to do this, other countries, cities, counties, etc… How many trusted authorities should there be and how do you prevent them from being compromised and exploited to falsely verify people? How do you prevent valid certs from being sold?
Some examples of the type of service you mentioned:
I can only verify with my own government. The rest I don’t know. But shut up, that’s how it works! /s
To be honest, I have no clue. But dropping my pants to write a mail isn’t what I want to do.
Sold by whom? The created cert can be time limited and single use, so the service couldn’t really sell them. You could rate limit how many certs users can create and obviously make it illegal to share them in order to deter people from using them. That’s not enough to prevent it completetly, but should be an improvement for the use cases I hear the most about: social media (because it reduces the network effect) and porn (because kids will at least know that they’re doing some real shady shit).
Bold of you to assume a government entity is trusted. In the UK we have a large misrepresentative error due to our voting system.
but they know who they issued it to, and can secretly subpoena your data from your instance.
no thank you.
They (the govt) would know that they issued a certificate to ex. lemmy.dbzer0.com
They can’t know that the certificate is issued to conmie
Unless, of course, the instance logs the age certificate used by each user
And also, unless the govt’s age verification service logs the certificate issued by each citizen
They can only subpoena your data if it is stored. Make the code open source (by law) and only store the cert, no connection to the user.
Sorry, not sufficient.
Not secure.
" I certify that somebody is >18, but I don’t say who - just somebody "
This is an open invitation to fraud. You are going to create at least a black market for these certificates, since they are anonymous but valid.
And I’m sure some real fraudsters have even stronger ideas than I have.
Making the certs short-lived (a few minutes) and single use and having a rate limit for users could make it difficult enough with serious risks (if you make it a crime) for little profit (I doubt many kids will pay serious amounts of money to watch porn; definetly not drug-scale amounts of money).
What stops non-anonymous certificates from being sold?
If John Doe views way too much porn, then you expect the site to shut him down? They have no ability to track other site usage. The authorities have to block him after the 10,000th download.
At that point, why does the site need to know? Either the government blocks someone’s ID or they don’t
Not useful to look at it in such a black or white manner. The possibilities are presumably less, and surely not that obvious.