What we call "age verification" is actually mass surveillance
pluralistic.net
472 points by hn_acker 4 hours ago
>"Age verification" means that everyone who does anything online will have to submit to fine-grained tracking and recording of all their online activities.
It's been said 1000 times here, but: age verification doesn't have to be a nightmare dystopia of 24/7 fine-grained tracking and recording unless you are somehow hoping to achieve a 100% success rate (something we have not done with any other law ever). There are several reasonable proposals that would be 90%+ successful without stepping on anyone's toes.
I am convinced that enough people in power know it, too, but see this as their chance to get the full-dystopia version rolled out.
Could you be more specific as to what you're imagining? I don't personally see a way to verify someone's age which doesn't involve either credit card verification, photo id verification, or some sort of facial recognition. If you know enough about someone to verify their age—even to a relatively low degree of accuracy—you probably know enough to pinpoint who they are in general.
Heck—in most cases, we can't even tell the difference between humans and bots anymore! And it's true that we basically accept that some bots will slip through the cracks—but identifying bots also strikes me as significantly easier than identifying children.
The way identity wallets work:
The government issues an eID to your wallet. The ID is signed by the government and linked to the device to prevent transferring the credential. A public/private key-pair is generated by the secure enclave in your phone, the public key along with proof of possession of the private key is included in the request for the government eID. The government signs individual attributes combined with the public key with the government private key. The government certificate containing the public key is, well, public.
One of the attributes is ‘over_18’ (In the EU eID scheme countries can add other over_XX attributes if they want, but over_18 is mandatory).
When a website wants to request attributes, in this case the over_18 attribute, they send a request to the user’s wallet app, including a challenge. The wallet sends back a package including the government-signed attribute, which contains the device public key and the over_18 attribute, plus a response to the challenge (proving the credential didn’t get transferred).
The website only sees the ‘over_18’ attribute, which is backed by the government signature. They don’t see any other attributes (the wallet app shows in advance which attributes you are sharing). The government never sees which website wants to know if you’re 18+.
Of course this is all a bit simplified, check OIDC4VCI and OIDC4VP for details.
The only real issue is the wallet app and device binding. Because a compromised device could allow credentials to be transferred, some form of attestation of the device and wallet app is required. In practice this means no rooted/jailbroken phones.
> The website only sees the ‘over_18’ attribute, which is backed by the government signature
Not true. The device's public key is also sent, which functions as a stable device identifier.
We've spent years trying to get away from stable tracking IDs and fingerprinting. Returning to a system where devices are sending a stable ID to a website to prove ownership is a step backward.
There are proposed mitigations like issuing multiple sets of credentials or rotating them, but we're not going to get an infinite number of keypairs for every website or session in the secure enclave in practice.
Another reason why these proposals aren't getting much uptake is that they aren't addressing what the lawmakers are pursuing: They don't want anonymous authorization tied to the device. They want IDs tied to accounts and a way to discourage people from sharing IDs. In the anonymous systems it only takes one person a few minutes to put an over-18 identity into a device and there's no way to determine if someone is abusing the system by stealing IDs or if someone's 18 year old brother is setting up all of their younger brothers' phones for $5 each.
The situation gets stickier when you acknowledge that it's not possible to limit all of these websites to only mobile phone devices with secure enclaves that are not jailbroken. Once you open a door to desktop devices and other OSes accessing these sites, you open the door to replaying and proxying attacks, where someone will produce those `over_18` attestations on-demand for you, possibly for a minimal price. This brings us back to the public stable identifier to discourage fraud, which means governments won't be happy to issue as many keypairs as we want, which means we're back to semi-stable fingerprints.
> Not true. The device's public key is also sent, which functions as a stable device identifier.
This is covered by allowing for single-use credentials. IIRC the EU personal IDs will use this. Basically, the wallet requests a batch of single-use eIDs that all use different device key-pairs. Each credential is only used for one request and then deleted. The wallet will automatically request new credentials in batches when they run out. The old key-pairs are deleted along with the credential so you don’t run out of space in the secure enclave.
> Another reason why these proposals aren't getting much uptake
I’m not sure what you mean by not much uptake; EU countries are required to issue and accept them for official business by the end of 2026.
> In practice this means no rooted/jailbroken phones.
Personally - this is less acceptable to me than just having the site collect my image/id.
I'd support just putting the id in a dedicated device (ex - gov issues smart key) or just accepting that sometimes people will share id info (just like... physical ids).
It doesn't even close all the doors to transferring ids - since I can still just hand someone a phone (just like... physical ids).
If you use physical ids to verify your identity, they normally verify that your face matches the image on the id, no? That’s not possible for web id.
Doppelgängers Don’t Just Look Alike—They Also Share DNA
https://www.smithsonianmag.com/smart-news/doppelgangers-dont...
Yeah, but being able to share an ID with someone who happens to look eerily like you is different from just handing people your ID and them being able to use it, like it was implied. That’s not how IDs are used.
> The only real issue is the wallet app and device binding. Because a compromised device could allow credentials to be transferred some form of attestation of device and wallet app is required. In practice this means no rooted/jailbroken phones.
Yeah, and no Linux PCs, no custom builds of web browsers (which would effectively become open source in theory only)—basically the end of any kind of open platform. I would much rather just scan my ID!
If you are referring to EUID (not fully sure, as you said EU eID; I don't know if you are referring to the Estonian eID-like system):
I have to mention that EUID is not private, since there's a "provider" element which informs the website if you are 18 or not. The flow is:
1) You scan a QR code
2) Your EUDI wallet does verification and informs the provider to tell you are 18+
3) The provider informs the website you are 18+
The EUID draft doesn't mention tech like OHTTP for anonymizing requests. So there's a risk of the provider keeping track of who you are. So while everybody claims it's fully anonymous, that is just false. The government could ask the website/service for the token or account information, then use the timestamp or token combined with the "provider" logs, and your identity will be exposed.
EUID has another problem, which is letting all countries implement the system, which is wasteful duplication of effort, so this probably will be outsourced to the same company to reduce duplication. Then it'll be centralized, and they happen to be collecting telemetry data for "experience improvements" as every site out there does.
I haven't even mentioned the biggest problem, requiring Apple/Google attestation. While the spec doesn't require it, the likelihood of a country's app requiring it will be very high.
There is no real practical difference between ‘attested devices’ and scanning ID…
Which part of that is avoiding the dystopian control?
The very first line, government-issued digital ID: we have been avoiding that for a very long time.
How does this work on an open source operating system?
What about at the device level?
“You must be this tall to ride this ride”
“You must be 18 to own an iPhone 18+”
I apologize for the drive-by question, and I appreciate your takes!
>The government issues an eID to your wallet
So people in dubious legal circumstances are locked out of the internet?
How does this work without a phone? I do 99% of my computer work, like now, not on a phone.
Do regular desktop and laptop computers have the same secure enclave feature?
So now I have to have a mobile phone?
And one you don't fully own/control. Fully owned devices will be unsupported, obviously.
Sounds like what a government issued card should be used for, which seems fine
I feel the idea of public key encryption could be done without a phone, but the device locking makes it harder to transfer the token off the device. Like the parent comment said, I think 90% is all we can aim for. Nothing is going to be perfect.
Could probably be implemented by a smartcard or yubikey-like device as well. Shoot, just build it into my state issued ID card.
Do you know how hard it was to get RealID rolled out?
And now you're going to tell every state to do it again, but this time it's got a chip in it so "just trust the government, man".
This will go well.
Secure Enclave on a mobile phone, or an NFC smart card both work fine. It could be your passport, drivers license, national ID, whatever.
>Could you be more specific as to what you're imagining?
Sure, I'll put my favorite two, though you'll find much more detailed and thought-out versions of these (and others) in the dozens of other giant threads on the same topic.
- Buy a card with a UUID from anywhere that sells alcohol/tobacco that is valid for some period of time. Most people are comfortable with flashing their ID at the clerk. The UUID card is non-identifying.
- Websites issue content tags, browsers consume them, and you enter your age into the OS during setup.
> buy a card with a UUID from anywhere that sells alcohol/tobacco that is valid for some period of time
Why should I pay continuously to prove I'm an adult? And those cards will be getting sold to kids faster than you can blink. I bet a lot of parents would buy them for their kids.
> I bet a lot of parents would buy them for their kids.
That changes the default from "anyone can do anything" to "gotta ask parents". Defaults matter at scale. It adds friction.
>And those cards will be getting sold to kids faster than you can blink.
There's a reason I said 90% and not 100% effective. Alcohol and tobacco get resold to kids, too.
What makes you think this will be close to 90%? Unless these cards are expensive I don't see that happening.
>What makes you think this will be close to 90%? Unless these cards are expensive I don't see that happening.
It's obviously just an illustrative guess. But if the penalty for possessing the card is similar to underage possession of alcohol/tobacco, with larger penalties if a store/person is found providing a card to someone underage, I see no reason why it wouldn't have a similar success rate as alcohol/tobacco.
Why possess the card when you can just buy the UUID on the dark web?
If they have access to the "dark web" they can already do anything that requires age verification there. In the same way you expect that the rule to "not sell UUIDs" wouldn't be respected there, I wouldn't expect other age-verification rules to be respected, no matter the verification method.