I think it was Ethan Zuckerman who once said that Congress is ill-equipped and incompetent to solve this kind of problem and that we need to design systems that guarantee outcomes and cites Signal as an example. We need to have that mindset now: a clarion call to software engineers.
There are at least some technological solutions here, such as anonymous credentials. [1] Modern versions of this technique allow one to associate metadata (like a proof of age exceeding a threshold) in such a way that the verifier can't even correlate repeated requests across users.
Governments that are serious about age verification and individual privacy (which, doubtful they truly are) should agree on a protocol and set up certificate issuers that are associated with a digital ID. Then age verification will not be an invasive procedure or risk data leaks or insider threats.
The article talks about the possibilities of malicious cloning of these tokens by third parties, but fails to identify the much more common use case, and one that makes this scheme useless for age verification.
It's one thing to be concerned about someone stealing my credential, but another to prevent the transfer of these credentials, especially if they are limited use credentials.
The entire point of age verification systems is to prevent minors from accessing certain resources. I think we all know that this is basically impossible; but what these various governments and social media companies want to do is to make it high friction to do so.
The highest friction version of this is that the credential ties to a real world identity somehow; maybe locked behind legal barriers, etc., but if a minor is caught using someone's credential, then the person whose credential they are using can be investigated, and, if necessary, charged with a crime roughly equivalent to providing alcohol to a minor. Without the possibility of real world enforcement, none of these identity solutions can possibly work.
Keep dreaming of a technological solution -- there is none that does not lead to the world that FIRE is warning about, except to accept that we can only make a solution "good enough" and leave it at that, without expanding into full on identity verification. The solution here is likely to just try to provide better abilities for parents to monitor and limit their children's use of the internet. Let individual parents decide on the level of harm that they are willing to accept, and accept that there will be ways to work around this even if parents are vigilant, but just try to reduce it on the margins.
Yes, this is the part of the issue that is so frequently ignored: Anonymous age verification schemes are easily defeated through proxying because there wouldn't be any consequences for selling your tokens. "Install this app on your phone and we'll pay you $1 per day" and it will mint your anonymous identity tokens and send them off to kids who want to buy them. If there's no way to track the tokens, there is no possibility of negative consequences.
So the schemes always start introducing features to reduce the anonymity of the tokens or make them more trackable in some way:
> The highest friction version of this is that the credential ties to a real world identity somehow; maybe locked behind legal barriers, etc., but if a minor is caught using someone's credential, then the person whose credential they are using can be investigated, and, if necessary, charged with a crime
Which requires that these identity tokens not be anonymous age-verification credentials. They become a traceable identity token tied to your government-issued ID.
Not if you use a challenge-response protocol where the client returns a zero-knowledge proof of age, where the proof incorporates a random string sent by the website.
The traceable stuff is private information that the website never sees. If a minor is caught with it, then law enforcement has local access to the minor's hardware and can probably view the private data.
At that point, the private key can be put on a public revocation list. The zero-knowledge proof can include a proof that you're not on the revocation list. Once you've been revoked, you have to go through the hassle of setting this all up again, which might be enough incentive to keep it reasonably secure.
I thought a solution to this would be to use a physical smartcard to store the certificate(perhaps on your government ID).
if the protocol is a challenge/response and the private key never leaves the card it would make proxying without the physical card more difficult.
Why can’t you just sell single use codes at gas stations/liquor stores/etc and they just check your ID before sale? Of course shady places can still sell them without ID check, but we have this problem already for liquor and tobacco.
> The highest friction version of this is that the credential ties to a real world identity somehow; maybe locked behind legal barriers, etc., but if a minor is caught using someone's credential, then the person whose credential they are using can be investigated, and, if necessary, charged with a crime roughly equivalent to providing alcohol to a minor. Without the possibility of real world enforcement, none of these identity solutions can possibly work.
Buying alcohol for a minor implies knowledge and intent.
Getting the tokens out of a phone doesn't require the user to do any of that, the user just has to be frugal and keep the phone longer than it's supported by the manufacturer, until some local exploit is found again, and that token will be extracted and available online for everyone to use.
Parents buy those phones, phones could easily have a "user is a minor" setting (and a flag sent to all the sites that want one) with a password for parents to unlock stuff if needed. This would be set during the phones first set up, and it's done. But nope, the plan is for everyone to install a form if a digital ID on their phones, and once it's there, requiring full-name identification when registering is just one step away.
There is a much easier solution that already exists - parental controls on children's devices. I honestly don't understand why is it not solving the problem?
Yes, parents are responsible to set this up. But parents are also responsible to lock their alcohol, drugs or guns, condoms, etc., and many other things.
Perhaps parental controls are not good enough? That's where the regulation could genuinely help - require child-certified devices to implement minimum set of parental controls, and make them easy to use.
That's not the problem governments are solving. They're solving the problem of convincing the public it's a good idea to end the anonymity of internet use.
I know! What puzzles me is responses every such article gets even on HN - let's build some cool tech that 95% of the general population and 100% of politicians won't even understand not to mention agree to.
Yes, government want to end anonymity and that's clear to some. But governments enjoy on a pretty broad support for this and many people supporting this believe it's a real problem. Suggesting to leave it unsolved or solve it in a way they can't trust or understand is only going to alienate them, making the government job easier.
I think suggesting a simple, cheap and effective solution to this problem that has no impact on privacy is a way better way to counter that. I think local parental controls fits the bill.
People on average aren't very smart and will happily support programs objectively harmful to them and everyone else because the government and a nice lady from the breakfast TV says it's necessary to think of someone's else's children watching porn (this soundbite is gross. I don't understand how it's okay for the serious people to repeat it).
> But governments enjoy on a pretty broad support for this
No they do not. They do an enormous amount of PR trying to convince people that they have it, though.
In the real world when there is a ton of support behind a position, you see representatives of it all over the place and they are pushing the agenda and the coverage. In the world of online age verification, you just see a bunch of lame duck politicians using procedure to sneak policy changes in and keep objections from being heard, and a few government contractor-surrogates writing op-eds (that they haven't read.)
When puritans go on the march, they're actually pretty loud. Most of the anti-social media people are hippy-dippy upper-middle class liberals who curse "screens," completely believed Cambridge Analytica's PR and think that Trump rules through mind control - who will be bothered by the end of anonymity; and the remainder are angry online right-wingers who think that they were censored by and as a result of social media. They're not marching together, they're not marching to have people identified when they're using the internet, neither of them are even prioritizing social media right now and they aren't putting pressure on anyone.
The fact that it's so unpopular is why there are lame ducks doing it. They're just assuring their fortunes on the way out, and the person on the way in will pretend like they had nothing to do with it even though it will be will be passed and implemented on their watch.
I don't understand why the act of buying internet access isn't considered a parental control. I doubt very many kids are doing it or can.
Ok, but parents buy internet access and then let their kids use it, because the kids need it for school. So? The parents job is to keep their kids out of trouble. Learning how to keep track of what their kids access shouldn't be difficult, and maybe should be part of the obligation parents have, kind of like their obligated to teach their kids to drive before giving them the keys to a car. Its analogious to saying "kids shouldn't walk home from school or be let out of the house at all because they might wander into a nude beach or join a drug smuggling satanic cult". Most of us don't hold that view because we trust that kids can be taught to be vaguely responsible.
What's more: tools to shield the kids have been around for longer than most of the parents have been alive at this point. The problem is pretty much solved in multiple ways, and wouldn't even be a problem if parents only followed their basic responsiblities. Also it isn't a problem in the first place, I haven't seen any clear, undisputed evidence that shows that kids are degenerating into fiends because of looking at adult stuff on the internet.
> The parents job is to keep their kids out of trouble. Learning how to keep track of what their kids access shouldn't be difficult
Unfortunately it is, but we could fix that with only minimally invasive legislation. Right now you either whitelist which breaks half the internet on a recurring basis (things are constantly changing) or you blacklist which is swiss cheese. Either way you're relying on third parties.
I think it would be much better to legally mandate a certain minimum level of self classification for website operators along with a simple and extensible scheme for communicating such. It might also be useful to mandate that devices ship from the OEM with parental control software supporting that standard but honestly I doubt that's necessary - if their were a standardized and above all reliable signal available I think browsers and operating systems would rapidly adopt support for it.
The problem with this idea is that it assumes responsible parents, which are not a given. I agree with you completely - I don't want any kind of controls on the Internet - but we live in a world where we cannot actually rely on parents to fulfill what you would consider to be basic and reasonable expectations of parental duties.
They certainly have other problems however the internet is unique in that it drops the entire world directly in your living room. Even with irresponsible parents zoning laws keep most children away from things like casinos and strip clubs (at least until they can drive) and everyone benefits from community efforts to keep the neighborhood safe.
I wouldn't trust governments, today or in the future, to keep such a system private and I don't see a foolproof way of building some kind of audit mechanism into it to make sure the data is always truely private.
I've also always been curious how a truely anonymous identity verification could possibly work. At best for age verification, I could be given some kind of token that would still have to verify my age and be verifiable with a central authority to ensure my token is valid. The central authority could always keeper records of my token, revoke it whenever they please, and every entity that can verify the age associated with, or embedded into, the token knows at least some of my PII.
> I've also always been curious how a truely anonymous identity verification could possibly work.
You go to a store. You show the clerk your id and give him a quarter. The clerk pulls a scratch-off ticket from the front of a ticket tape. The ticket contains a token identifier.
It's anonymous. The clerk or his POS system knows your name and age, but doesn't know your number. The vendor providing the tape doesn't know your number or your name. The system accepting the token knows your number, but doesn't know your name. The token is only valid for a day after use, so loss and transfer isn't much of an issue.
It's the exact same process by which you buy lottery tickets in a world where they don't need to verify your identity when you redeem them. The lottery has no idea who bought a particular ticket, only that a ticket was bought. The clerk knows you bought a ticket, but doesn't know which ticket.
Obviously, Eavesdropping Eve looking over your shoulder knows both your name and your ticket number, but that's not a practical attack.
> It's anonymous. The clerk or his POS system knows your name and age, but doesn't know your number. The vendor providing the tape doesn't know your number or your name.
Where does this 3rd party identity token provider come from?
For government-issued identity tokens, there are not separate parties. It's just the government, and they can choose to link whatever they want in their internal system if they decide it's in the interests of national security.
You're also forgetting that lottery tickets are tracked. This is how they can announce which store sold the winning ticket before anyone steps forward with it. It would be trivial to match a buyer to the ticket if they wanted to inspect the records. In the case of a government identity token service, there isn't even a separation of parties providing the records. They do it all and can have all the data.
> Where does this 3rd party identity token provider come from?
Some oracle whose job it is to print tokens and hand out rolls to the stores (and to the websystems). They would know which store got which roll, and which website authenticated it, but not who each ticket from that roll went to.
With a big enough roll, this is essentially anonymous.
Yes, lotteries know which store got the winning ticket, but they have no idea which of the patrons in the store got it. Not unless they ask Eve to get her telescopic lens and notepad out.
> It's anonymous. The clerk or his POS system knows your name and age, but doesn't know your number.
What prevents a commercial "AI" security camera analysis firm from doing a decent job of linking footage of a store's customers to a likely subset of tokens, based on the knowledge of which tokens are sent to which store and how many tokens have been pulled off of the roll so far? Remember that you can design the token roll packaging so the easiest thing for a clerk to do is to pull off the rolls in the order in which they were shipped. Or -hell- you can design the token dispenser so that it phones home to the oracle that sent the roll to the store with the range of tokens in the roll when the roll is loaded into the dispenser (for "security purposes").
> It's the exact same process by which you buy lottery tickets in a world where they don't need to verify your identity when you redeem them.
I've seen many people buy lotto tickets. I've never seen anyone asked for ID. Perhaps the merchant is supposed to check for ID, but they don't. Relatedly:
> The clerk pulls a scratch-off ticket from the front of a ticket tape. The ticket contains a token identifier.
What prevents rolls of those tickets from falling off of a truck and either being handed out for free or at a substantial markup, no questions asked? [0]
In the real world, the system you propose absolutely will not function to the standards required by the people agitating for these systems. You can't "protect the children" if "children" can easily get their hands on anonymous access-granting tokens.
[0] The fact that this doesn't happen with lotto tickets often enough to be newsworthy is not a compelling counterexample. Stores make a decent amount of money selling those, and wouldn't want to get cut off from that revenue source by regularly "losing" shipments of tickets. What you propose doesn't make stores any money, so either you have to spend a bunch of money to induce them to carry the tokens [1], or you have to have harsh penalties for "losing" shipments of tokens. If you risk harsh penalties for choosing to sell the tokens, why even bother? Stores put up with the risk of selling booze because it's quite profitable... selling 5c or 0c tokens absolutely is not.
[1] Where does that money come from? From you and me, of course!
I’ve worked in the industry, so just adding some extra info, as I agree with you that the ticket system is not really less tracked than other systems, just differently tracked:
Lottery tickets don’t “fall off of trucks” or get “lost in the mail” because they aren’t valid for redemption until they’re activated at the POS terminal of a licensed store, and the lottery company knows which store receives each ticket roll, because they are shipped to known locations with tracking numbers and delivery verification and/or delivered in person by lottery employees. Even the rolls of blank lottery ticket receipt paper have different serial numbers every few inches, and it’s forbidden by policy to swap receipt paper between stores. All of these things are audited both regularly and randomly by state lottery officials.
> It's the exact same process by which you buy lottery tickets in a world where they don't need to verify your identity when you redeem them.
I’ve sold lottery tickets, and you have to be legal age to both buy and redeem them, so I’m not sure that this analogy or hypothetical solution is comparable to lottery tickets, nor is it likely to be the panacea you think it is.
I don’t think that the nascent online age verification schemes are good for society in general, either, but that’s not really the point you were making in your comment, so I don’t assume that you believe they’re good or bad, but simply advocating for a more privacy-preserving implementation. Which is kind of the whole point of the argument against bad implementations, but those who mandate and implement the systems likely view uniquely identifying people as a boon, whereas you and I probably don’t, which is why I am not hopeful that your ticket system will be used, because it will be higher friction for more people than uploading scans of their IDs and/or their face.
The ticket system, if implemented, would be used by so few people that the folks who do could likely be re-identified by Bluetooth tracking beacons and facial recognition in the same stores which they bought the ID tickets you suggest, and so I think the number of people who would escape tracking by any such means to be so few as to be a rounding error.
Those folks who do pursue this privacy hobby/fetish are statistically likely to ultimately mess up on their opsec eventually on a long enough timeline, so it’s hard to even imagine a scenario in which it matters either way what individual privacy activists do or don’t do from the point of view of the panopticon designers or implementers. Those not identified to a desired confidence interval by the mass surveillance system will just be retargeted for more sophisticated surveillance measures.
Despite how we rage, we’re still just rats in a cage.
More and more, the privacy debate feels like a quixotic struggle against giants, when everyone already knows that those giants are actually windmills; the majority of society now lives on reclaimed lands which rely on those windmills’ continued existence, and so no one cares about privacy in the way that you or I might care, because they are incapable of perceiving windmills as giants, nor do they have the intellectual or philosophical or political beliefs which would allow them to even entertain such perceptions even for the purposes of discussion. The privacy debate is beyond their ken.
By some stroke of luck, the NZ government recently put into place a robust privacy-preserving framework for digital identity [1].
They just launched the GOVT.NZ [2] app, and it contains a wallet that can store digital credentials. It's built by a local company called MATTR [3], who specialise in trust technology and exotic cryptography like zero-knowledge proofs. The first credential available this year will be a mobile drivers license, and we'll then be able to prove things about ourselves like whether or not we're over 18 (according to an accredited institution), completely privately over the internet and without sharing any other information.
I'm cautiously optimistic about the direction our digital ecosystem is heading in NZ :')
>Modern versions of this technique allow one to associate metadata (like a proof of age exceeding a threshold) in such a way that the verifier can't even correlate repeated requests across users.
If it's unlinkable, what's preventing someone from setting up a site that hands out anonymous tokens for anyone to use?
No, I'm meant me, using my 18+ ID to generate a bunch of tokens that can't be linked back to me, and then giving it to random < 18 year olds for the lulz.
There are multiple approaches. One, which the Europeans use, hardware-locks the token. Each age attestation is unlinkable, but the cryptographic credentials you need to make the attestation aren't portable. Of course, this model requires a big statist apparatus that does implementation certification, but it does achieve the narrow goal of unlinkable, privacy-preserving age attestation that doesn't instantly decay to mass copying.
Other approaches are possible. I'm particularly keen on ones that treat attestations as anonymous digital currency and use cryptographic penalties like slashing to discourage copying post-hoc instead of relying on EU-style implementation certification.
There's a huge literature on the subject I don't want to reproduce here. The point is that yes, we do have the technology to do attestation without sacrificing privacy, which makes all the calls for non-privacy-preserving attestation awfully curious.
> as anonymous digital currency and use cryptographic penalties like slashing
Or make it so that tokens cannot be tested except by spending/burning them, which would significantly reduce (but not eliminate) a black market because it would be hard for any buyers to trust any sellers.
The best outcome here is going to rest on getting people to agree that "good enough" is the best outcome. We want a system that gets the broad social results (e.g. less brain-rot in the kids) without being so impossibly strict and overbuilt that it leads to an even-worse problem (e.g. authoritarian hellhole tools.)
I'm not familiar with this, but what your describing sounds similar to the hardware DRM keys used for protecting 4K streams from being downloaded from Netflix.
If so, this stuff is already broken, and imagine it would be pretty simple to apply the same principles here.
I'm probably wrong on this though I'm out of my depth
Because those <18 year olds will immediately flip and identify you to the cops to try to lighten their punishment.
The anonymous crypto token scheme does not have any trace-back mechanism like this at all. If there's no way to track those tokens back to you, why not sell them for $1 each on the internet to make some extra money?
Yes, this breaks the whole scheme. Anyone promoting it as a solution is delusional. There's a triangle of "robust", "private", and "practical" and you can only pick two. This one omits robust. The various mitigations people might suggest in response will have to sacrifice one of the other dimensions.
I don't think they are serious about privacy and even if they were I don't even want to distinguish between "children" and "adults" on the internet. Things seem to have worked fine up to this point, there doesn't appear to be a public demand for age verification, rather some murky corporations/NGOs/agencies pushing for this. I think it's pretty clear there is some other intention besides protecting children that is the goal here.
As you say, it's doubtful governments want it to be private. So we should expect them to not use these kind of elegant solutions, and the public is generally not sophisticated enough to distinguish between the options already.
There's two strong incentives - deanonymization for law enforcement is pretty useful so that's one. You want to make it easier to subpoena information about posters for various reasons, access to stores on different dates etc. Lots of reasons for that.
And you want to satisfy voters who are worried about children online or have heard scary things about anonymous criminals. You want to be seen to do something about those.
A distant third is that you want the system to be cheap and built up fast and relatively easy so voters don't complain about it.
All together this leads you to something like "any time a site needs to verify your age (based on this broad list of requirements) put in your government ID number / picture". The infrastructure already exists for that, banks need it, social media needs it, and the current president has agitated for it a few times now. If you're really aiming high you set up some digital ID attached to it that's easier for the users.
Either they validate so little information that a single homeless person can authenticate the entire country or they validate so much information as to not have a significant privacy guarantee.
There is no in-between for ZKP validating someone's age.
the truth is that the two extremes you listed can be titrated.
if you use nullifiers you can trade some privacy for some security. basically you convert your true identity into a private token which you can use to authenticate aspects of yourself, the price being that the token can be tracked with some effort across services. better than just using your identity at least. if a token/nullifier is abused it can be revoked and then you have to jump through a bunch of hoops to get another.
What combination of details can you validate on that is meaningfully privacy-preserving and couldn't result in wide-spread re-use of tokens?
Additionally - what would prevent some kids from getting a homeless man in the city to hand them his ID, get a facial scan, and everything else you can think of to generate a token and then pass that token around?
ZKP are a cryptography-nerd's joy but are are categorically unsuitable for the purpose of age verification. I stand by this without the slightest reservation.
the same thing that prevents them from doing reuse right now: platform detection mechanisms. the difference is that right now the identity of the subject is known whereas with ZKP (nullifier approach) only the dirty token is known and where that token was used.
So....what exactly would platform detection mechanisms be basing their decisions off of that wouldn't defeat the entire privacy-preserving premise of ZKP?
Wait - so you're advocating for use of a persistent identifier tied to a person? How is that any different than what advertising networks do right now beyond giving them additional guaranteed information of your age bracket?
To clarify - it's not cryptographically necessary to present the same token for each and every transaction and serves to categorically defeat the entire privacy guarantee of ZKP.
It also makes it trivial to associate your ZKP token with your real identity.
at the terminus, yes. there is no other way to avoid the homeless problem you listed. by terminus I am referring to where a central authority vouches for unforgability. this does not mean advertisers will have a token they can use (see remote attestation infrastructure).
> tied to a person
whether or not the terminus can tie a token to a real world identity will depend on how careless the user was and how much collusion there is between the terminus and the services. at the very least it will impose an investigation cost.
contrast this with the situation as it currently is (under ideal assumptions) where a central authority verifies your real identity and issues temporary rate limited tokens which are then saved by each service and can at any time be linked to you whenever the central authority can get the service to disclose the database entry. the nullifier will force the central authority to do an investigation about who the nullifier actually belongs to which may actually fail.
realistically I expect VPNs and Tor to just become more popular in response to such nonsense. I wouldn't be using government issued tokens for anything that isn't trivial to tie to your identity already: such as a personal bank access.
> at the terminus, yes. there is no other way to avoid the homeless problem you listed. by terminus I am referring to where a central authority vouches for unforgability. this does not mean advertisers will have a token they can use (see remote attestation infrastructure).
Where to even begin here....
To generate the token, it needs to be based on specific data. How do you prevent people from generating tokens based on fake data and submitting that to the "terminus" that you mention? We already have cases of people bypassing facial scan liveliness checks for banks using AI-generated footage.
What about validating tokens during the token enrollment process based on your government ID? Though that makes sure that poor or undereducated people who don't have such an ID are locked out of large swaths of Internet services.
Though there's also the matter of it being trivial to generate fake IDs using AI.
If you have no gatekeeping for the token enrollment process, anyone can submit an arbitrary number of new tokens.
And if you do have gatekeeping, you're right back to square one of needing to validate against more than just your age.
After all - the cryptography algorithms will be publicly known. If the only thing ZKP is validating against is age, it won't take long to figure out how to generate identifiers based on fabricated information.
> whether or not the terminus can tie a token to a real world identity will depend on how careless the user was and how much collusion there is between the terminus and the services. at the very least it will impose an investigation cost.
No it won't. A user submits a token to a server. The user also logs in with their e-mail address or phone number. Their email and/or phone number is hashed and it, along with the ZKP token and any additional information the website has on you, will be sent to data brokers.
This is the same as any other bit of information out there that data brokers collect on the internet. They just associate your new info with other info you are required to provide in order to use various services.
This will be automated and will cost next to nothing for data brokers to take advantage of.
> contrast this with the situation as it currently is (under ideal assumptions) where a central authority verifies your real identity and issues temporary rate limited tokens which are then saved by each service and can at any time be linked to you whenever the central authority can get the service to disclose the database entry. the nullifier will force the central authority to do an investigation about who the nullifier actually belongs to which may actually fail.
....what? What investigation by central authorities? You are talking of a system that would constantly mediate permissions for billions upon billions upon billions of devices across dozens of services and accounts per device.
You couldn't hire an army of people large enough to handle this and AI is infamously awful at detecting when a given image has been generated with AI.
> realistically I expect VPNs and Tor to just become more popular in response to such nonsense. I wouldn't be using government issued tokens for anything that isn't trivial to tie to your identity already: such as a personal bank access.
Their popularity would only rise in order to VPN into jurisdictions that don't enforce this. Assuming major websites don't just mandate age/identity verification for all new users regardless of jurisdiction just because it's easier and cheaper to apply one system to everyone.
Look - I know you mean well, but it is clear from this discussion you aren't familiar with cryptography, system security guarantees, Internet infrastructure scaling, or what would be needed to introduce new descriptive information about a person on the Internet and not have it become a new privacy risk.
This is an issue that has no tech-only solution. The specifics aren't just something to just figure out at a later date - the specifics are everything. And it's something that is enormously difficult to get right and extremely easy to get very, very wrong.
> Look - I know you mean well, but it is clear from this discussion you aren't familiar with cryptography, system security guarantees, Internet infrastructure scaling, or what would be needed to introduce new descriptive information about a person on the Internet and not have it become a new privacy risk.
it's actually clear that you are the one who isn't familiar with this, I referenced remote attestation which you appear to know little about as it addresses the problem of identifying information (the service has no way to link tokens across without help from the CA).
you also don't appear to know what a nullifier is, in a ZKP system you submit identifying information and a hash of a secret string. the CA adds the hash to a public database and in the future you prove you one of the members of the database with a nullifier - the anonymity-set is everyone in the database who entered it prior to your submission. this can also be done with a blind signature to the same effect.
The problem is that you still have to trust something you don't control and can't verify that the technological solutions are correctly implemented and applied.
This seems to come up in every discussion, in practice it’s irrelevant both because it’s too complicated for normal people to understand, and because the point of all this nonsense really is identification so anything that defeats that will be a non starter.
It doesn't have to be too complicated for normal people to understand.
Majority of people understand their SIN or SSN number or whatever, they understand they have a drivers license number. This could be built in such a way that it's basically just be another government issued "thing" that they have to know about and be able to produce when requested
Every government has been working on ways to identify and target individuals online since as long as the internet has existed. Governments are incentivized to continuously increase control. Why would you assume this is not yet another escalation towards their goal of being able to track and silence anyone who pushes back?
I didn't comment at all on what the governments goals are
Edit: I agree with you 100%, but the fact that governments want to track people online has no bearing on how technically possible it is to build a system where they can't
An anonymous internet auth system (probably) won't get built, but it is possible to build
> You’re not happy about it, but you hand over a photo of your passport and hope it doesn’t come back to haunt you.
I think for this argument to carry weight with voters, privacy advocates need to be much more specific about what "coming back to haunt you" looks like. They do a little bit of it later on[1], but I think most people do a rough cost benefit in their head and decide that the small benefit outweighs the small risk (to them).
[1] "And that creates a lot of risks for data breaches, overly broad data collection and retention, censorial legal demands for collected data, corporate and governmental malfeasance, pressure to self-censor, and perhaps blatant First Amendment violations. Every new layer and every new mandate brings more potential for risk. As we’ve unfortunately seen many times over the years, people including high-level government officials will maliciously seek to root out the identities of their critics, so the more layers of anonymity we can preserve in online speech, the better."
I'm starting to think we need to lean on conspiracy theories in order to get broader population on train with this - and I'm saying this in utmost regret. That's a borrowing game from a right wing/extremist playbook.
Start with this: requiring IDs online is a first step in micro-chipping the population.
...or how about this: marxists/atifa/nazis/zionists/islamist/whoever-group-people-think-is-in-power want to erode your privacy online so it can be used against you. Some nefarious group what to know your every move!
...or how about this: remember Epstein files!? Well the pedos now want to id your children online!
I simply saying truth/evidence/rational based approach to this will not get people attention. People just don't care.
I think both political extremes have their own angles: liberals might be concerned that conservative censors will censor kids from learning about LGBT people and minorities, conservatives will be concerned that liberals will force too much LGBT and minority content onto kids. Or whatever issue, they want to control what your kids read!
This will almost certainly be used to censor adults too, the only reason we aren’t doing that is because it hasn’t been possible to consistently identify people before. Considering who is pushing for this, they’re absolutely going to tie this into advertising, and if they know who you are so do all of the spooky upper echelons who could implement a true censorship regime.
“The only way they can do this is by controlling what you read, shouldn’t that be the parent’s choice?”
It's been decades since the very phrase "conspiracy theory" was introduced as a means to convert looking closer into something cringe. The normie position on most things is to accept something as no problem unless the mainstream designates it as such aliens), or it blows up enough that even unmotivated normies can't help but take notice (rich new york caribbean islanders). Privacy got close to that with Snowden, but it fizzled into apathy for most because imo there was no clear harm to present, it was perceived as abstract.
> I'm starting to think we need to lean on conspiracy theories in order to get broader population on train with this - and I'm saying this in utmost regret. That's a borrowing game from a right wing/extremist playbook.
How about "if you want to buy a dildo on aliexpress, you have to do a full scan of your face and send it to israelis"?
I mean.. au10tix does age verification for aliexpress, it is an israeli firm, and you can't even buy a scalpel (the DIY crafts one) without having to scan your face there due to EU regulation.
I’m glad this is finally becoming the cause célèbre du jour. This feels like THE FIGHT or at least one of the TOP 3 THE FIGHTS and it hasn’t had even a fraction of the public’s attention until now.
>I’m glad this is finally becoming the cause célèbre du jour.
It really isn't, though. Don't mistake the internet for reality. The majority of people in the US and Europe support laws like these, and most of the rest don't care.
Even on Hacker News the consensus is mostly in favor of anything from age restriction to making all social media illegal.
The main issue is that they are very careful not to frame it like that. In broader contexts, it's always framed as something like "do you favor limiting children's access to social media" without a word on what it would cost to actually institute such a ban.
You don't necessarily have to be in favor of any measures which reduce adult privacy to be in favor of that. Logically speaking, the liability for minors accessing age-gated products and services is the person who provides those products and services to the minor. In the case of the internet, that person is the parent, not the ISP or the website. It is the parent who contracts with the provider and then forwards the product to the unauthorized user, the child. A parent who purchases, say, access to porn and then provides that access to their child is no different than a parent who buys booze and provides access to it to their child.
I appreciate the wealth of technical solutions that don't violate privacy, but isn't this overlooking an important point: that children don't need to be connected to the Internet at all times from such an early age? Many internet and cell phone providers seem to take it for granted that children must be online, which is already a net loss for their privacy as they mature.
I agree, I think kids should have limited access to the internet. I pretty much did and it worked out for me but I have seen so many reports about it causing harm in schools and personal life. (Specifically I think LLMs should not be used in education also, but different point) However, I think the main problem people have with this "think of the children" narrative is that it will force EVERYONE to give up their credentials to access the internet, not just kids. And the general consensus is that we as adults do not want to and should not have to prove our identity to access the internet.
I am wholeheartedly against identity verification, especially when it comes to giving up privacy. And I hope these "think of the children" arguments can be pushed back at from multiple angles. If the danger is real, then by the time a child is online, 4 out of 5 in them in Australia can apparently access social media anyway. So even if everyone's privacy was somehow an acceptable price to pay, these requirements do nothing.
Should it also be their decision that they can gamble? Smoke cigarettes? Get a job? Have sex?
We draw the line somewhere because these things that "are the parents' decision" have consequences on broader society. They have consequences that impact you and me. And we also have a say.
You can make the argument that it's just the parents' decision. But you have to say why.
Assuming no revolutionary changes are coming to the USA, I am planning to opt out of the digital world when I retire. Physical media only. No subscriptions. Spend lots of time in the library. Find like-minded people and meet in person. Will only keep the bare minimum for survival, like banking.
Renting and work already require ID in the UK. Every landlord and employer is supposed to take a copy of original documents proving the right to rent/work in the UK. Technically you can do that without handing the docs to the government, but there's less potential liability to do so via the Home Office website.
No, it won’t. The internet is just getting smaller from my perspective because there’s no way I’m handing over my identification and allowing every connection made to a server to be tracked back to me.
It’s simply not on the cards, and I live a frugal enough life in a high paying industry that I can retire in a few years. If I was willing to bank on inheritance then I could retire now.
I feel for the people that are forced to engage though. But too many of them simply don’t care about privacy, which is why we’re here.
This seems more like a technical problem that we could actually solve well if we wanted to and had competent people advising the governments. You go to DMV and they generate a keypair and an entry in a DB. App looks up your age with your public key + signed private key authorization from you. Apps can ask for specific checks like is_over_21, is_citizen or whatever without any more data. Something like that, details are probably off ;) The whole infrastructure could be open source. Age verification doesn't need to equal identity verification by a 3rd party company that will leak your IDs.
None of this is necessary. First, the only devices that actually need to be gated are cell phones.
The user agent should simply send the user’s age of the parental lock is set up and the websites required to respect this.
Parental controls and the OS should be robust enough to not let kids bypass it (e.g.: by installing a browser that skips the header, or blocking proxy websites)
Done.
Cellphones only because those are the devices kids can have on them all the time and can easily use in private unsupervised.
They want it to equal identity verification! When virtually every top tech executive who wants a favor is at the inauguration and you have companies doing 180 degrees on support for something they previously furiously opposed, someone is getting something they wanted. It seems naive to think otherwise. Furthermore, the current administration in the U.S. fired or ignored the competent people to which you’re referring, and those people oppose a centralized repository of various metadata because it creates a central point of failure, otherwise known as a target, that is generally a bad idea for both our nation and our citizens. Of course there are agencies in the federal government that possess this information already, but they possess it for their purposes only. This is good because it means that it’s both more difficult to abuse internally in addition to being more cumbersome to collect externally.
There's still a whole DB matching IDs to keys waiting to be leaked. The US government can't even keep it's own personnel records safe and you think this won't get stolen and used to target people?
This still criminalizes sharing "adult" information with people who are not on the government's approved list (the things states do to crush dissent are not safe for children.)
why would any site on the internet need to give a damn about is_citizen? That's just gross to me at the mere suggestion. If it's a government service site, then they already know that information. If you're trying to use something like social media, then it couldn't possibly matter less.
All I can say is I will never vote for any politician who votes for any form of this. Even if the bill fails to pass, they will never, ever get my vote.
How is hitting the library an act of rebellious defiance? Getting a library card requires an ID and proof of address. The library then tracks which books you've signed out. Unless you're reading the books inside the library without signing them out.
My library, at least, is fanatical about their patron's privacy.
I don't know what their retention time is on circulation records, but beyond aggregate statistics for culling materials that aren't circulating I bet it isn't too long. Now I want to go check.
My library also only keeps 24 hours of video surveillance because they didn't want to be able to fulfill requests from the cops for footage of patrons. I really liked that.
Edit: In the patron portal it permits me to disable "borrowing history" and says it permanently deletes my records. I do contract IT work for them so next time I'm engaged I'll ask about the details. They're moving to Koha later this year (free / open-source ILS) so I could go look at the code to see what it does (which is nice).
On the theme of their privacy fanaticism:
Over a decade ago the library got a grant to do outdoor public WiFi in the park behind their building. As part of that grant they needed to report the number of distinct users using the WiFi each day. Their UniFi controller tracks MAC addresses of associated stations. I used a query against the underlying MongoDB to get the usage reports to satisfy the grant.
To minimize the potential of tracking individual users the library director had me write a script to grovel thru MongoDB, do a SHA-1 hash of each public MAC address tracked concatenated with a randomly-generated salt for that day, then write back the first 48 bits of the hash over the original MAC. The library gets their daily statistics and long-term traffic trend data, they don't double-count associations for the same device in the same day, but they can't track individual people over a span of multiple days.
Now that devices randomly-generating MACs are mainstream it's much less necessary. I thought it was really cool she thought this. (The whole salting/hashing bit was my idea. She just wanted to be able to fulfill the grant reporting requirements amd be unable to track people.)
Certainly, but I think you need to have a library card to use the computers.
I do see folks who look homeless using the computers, so I assume there must be a special accommodation for them.
But, if you’re just a regular middle class joe looking for anonymity on the internet, I don’t think the library is the place for you—it’s tied to your library card which knows your address, and anyway what would you want to be private that you would be ok to broadcast in an open library setting? Nobody watching corn or browsing whatever successor to Silk Road.
Usually the login screen says something about fairly restrictive terms of use, even for the WiFi on a personal device, and I don’t know if you can install software on the library computers.
When I look around at library patrons using the computers, it’s usually lower income folks applying to jobs or similar, and people playing chess.
You can. You just have to ignore all the privileged people being annoyed that they have to see you. They love posting on Nextdoor about how much they hate homeless people.
The anti-authoritarian, anti-government, anti-fascist, anti-capitalist music genre punk rock? Always right wing?
I mean, Nazis have always been attracted to punk because they like the loud noise but are too stupid to understand lyrics, but they tend to get their shit kicked in by punks more often than not. I don't think that's the same thing.
There will be your internet-connected computer which will be assumed to be compromised, & which little, if anything of use will be kept on, & then there will be the airgapped system you do work on, which will probably be the last trusted version of a Linux distro you have multiple copies stashed away of. It will be a very old-fashioned experience, & moving/sharing data will become a dicey business.
I can’t think of a better solution to the issue of children being so aggressively harmed by the internet. That doesn’t remove any of the problems associated with this.
It’s not just kids. Adults are having their brains fried on AI generated political videos online right now. The state of the internet is an absolute disaster.
I'm glad computers came in and saved you from your otherwise-inevitable life of cartel involvement, but I don't see what this has to do with the en-masse mental poisoning of children? I'm not even talking about politics yet. Cyber-bullying is insane.
Either way, I genuinely don't believe "let's just hope parents... start doing better?" is a solution.
The thing is, those dealers can end up in jail for selling drugs.
More to the point, if a kid walked into a convenience store and the clerk sold them a pack of cigarettes, the clerk wouldn't get off the hook by claiming, "well, the parents are responsible for their kids." I'm also not sure how one would justify holding parents legally liable for crimes they played no role in committing.
I'm not saying that I agree with these laws. They appear to be taking things too far. But that has more to do with there being no clear way to define sites that are only of interest to adults (no gatekeeping needed) and sites that should be restricted to adults.
Once upon a time they idea that Americans would surrender all of their God Given rights for an illusion of security was considered absurd, but that's where we're at.
>What happens when parents don’t lock the liquor cabinet? When they smoke in front of their kids? When they leave porn laying on the table?
The state can't control those things, it can control putting an age restriction on certain websites. Unless you are advocating for the complete abolition of all age restrictions throughout society.
How is it more like leaving a liquor cabinet open than not buckling them up with seatbelts?
I'm glad we're discussing parental liability. It seems no one else is advocating for "social media access is criminal neglect," so I appreciate the novelty.
I'm pretty sure this is a "pick your poison" problem. We as a society are damned no matter what we do or do not do. For my part, we need to do something, because things are not fine the way they are, including the half ass Australian solution. We can't keep putting the onus on private enterprise to address social issues.
I may sound crazy for saying so, but I think the answer is more government run infrastructure for enabling identity-based operations, like payments and authentication, with rules about standards, open source, contractor selection, and audit that make operation transparent. It can work if technical operations are legislated instead of "left for the engineers to figure out." Then at least the evolution of systems can become real political issues that map to election cycles.
My stance is probably a polarizing one, but this is precisely why we need to be able to debate the minutae of these systems through our political discourse instead of just "will we; won't we" legislation. This should be debated in democratic process.
We could try investing in positive infrastructure that improves peoples life's in stead of creating the panopticon torment nexus. Things like third spaces where people can spend time is save spaces where they form communities and public transit so that people can get to those places. Incentivize positive behaviors instead of closing off public spaces and pricing more and more people out of being able to do anything with the minuscule amount of free time they have besides going on the internet.
I think the lie is to look at the problems we have that the internet has enabled and say "things are ok as they are don't try to do anything to solve it."
If the problem is "social media bad for kids" then any parent that allows their children to access social media is as guilty of abuse or neglect as a parent that lets them play in traffic. Throw the parents in prison and put the kids in foster care. Problem solved.
This was in part caused by the general public’s comfort with federated identity for OAuth. If everyone already has one anyway (the thinking may go), why not mandate it?
How is it any different from being required to identify yourself to get a phone or electricity account? Identifying yourself on the internet is long overdue.
You need to identify yourself to the phone and electricity utilities so they know where to send your monthly bill. My ISP knows my name because I pay them for connectivity. I am okay with this.
If I misbehave here, dang can just ban me. There's no reason HN needs to know my real name. The only reason to mandate blanket age and identity verification is to control online speech.
You aren't required to identify yourself to get a phone. You can get a prepaid phone with no ID.
You are required to identify yourself for an electricity account because it is essentially extending you credit. You use the electricity first, and then they bill you for it later. They also only identify the person who is receiving the bill. You could have a house with a dozen people in it but the electric company only knows the name of the person responsible for the bill.
You are free to identify yourself on the internet right now. People who are intelligent and/or believe in freedom and free speech are opposed to this authoritarian power grab.
So everyone is on the same page on this issue. The First Amendment is the right to anonymous free speech. I doubt they teach it in the govt schools but the Federalist papers, which argued for the US Constitution, was published anonymously.
Singing: nobody wants this everybody hates you! Governments burning their capital hard to try to prove what tough guys they are against the Declaration of Independence of Cyberspace.
The discussion is not about whether it's a good or bad idea, but whether we will yield the power to these people to ratchet in further oppressive laws onto formerly free countries.
Tech companies should ignore it and just publicly name whoever attempts to prosecute them and see how the population responds. I think people today are orders of magnitude more informed about their privacy and the consequences of digital ID laws. A few countries are on the edge of revolt at the moment anyway, and this would be a good way to get young people into the streets.
20 years ago, people would have had no defense against it or understanding of what was being imposed on them. Today, normal people use Signal and encrypted messengers, faraday bags, and leave their phones at home. Where we were nerdy security guys back then, non-technologist women and girls use spy tradecraft level electronic opsec for their own safety and security from middle school. People are much more sophisticated about their privacy now. They're ready to take this on.
The laws coming into force are on people who are not in favour of them, and I'm so optimistic that I will not interrupt the enemies of privacy and human dignity while they are making a mistake.
I'm not sure "social media" is the best example. You've never had complete freedom of speech on there.
It's been true for decades in the USA that if they want to arrest you, they will. The age verification doesn't make this situation better, but at this point it's almost just a formality.
Freedom of speech is contextually misunderstood. It's about political speech and the commons. Social Media is overwhelmingly private space, subject to contract terms and conditions. It may be a de-facto commons to some people but I do not believe this axiomatically, or legally makes it so, for the purposes of law and constitution. Law and constitutional bounds on speech online hit the international nature of the media very quickly.
Extra-territorial issue are huge here. What is the limit of the boundary on a given nations constitution and law? How much does the economy of the user, the hosting company, the owning company, the receiving parties matter?
Social Media has advertising and publishers. It has people who can effect editorial control over what is seen and by who and to who it is "said" -And that imposes obligations on them, and on people lodging content. Differentially depending on their economy, the reach of law, registration of legally incorporated entities.
All of this is being implemented somewhat haphazardly internationally, enforced differently, subject to legal and financial and social pressures differently depending on the times and the context.
If you want to ask questions about America, about Americans, using American companies, speaking to Americans, believe me you don't neccessarily have a simpler task here. It may well be clearer to some of you, but to me, its just as fraught.
It's just not clear to me "free speech" is the bastion rule which applies here. The EFF may think so, I don't think they have actually demonstrated it all the way to the end.
My privacy is already decimated. For 2 decades we’ve already known about the NSA slurping up everything[1] on top of the Snowden leaks.
Then you have the mega corps like Facebook who can figure out every detail about you even from merely _not_ using their system because of the hole you leave in your social network that does use them.
The only privacy left is from anonymous troll farms claiming to be an American while talking about how the Texas oblast is valuable for its warm water ports.
I am fine for privacy on consumption of content, but you should be forced to identify yourself for posting so the common man at least has a chance to evaluate your statements instead of being misled, all while, as stated above, our governments and corporations don’t have that limitation.
> ...you should be forced to identify yourself for posting...
The Supreme Court has repeatedly held that the right to anonymous speech is inherent in the first amendment [1] [2]. See also The Federalist Papers or Common Sense, without which the US might not exist at all.
That’s pre the ability for foreign actors to engage in our public square en masse. I think technology has changed the situation.
Free speech absolutism that ends up in creating an environment where real speech is drowned out by lies is not valuable to me. It’s like the paradox of tolerance.
The first amendment doesn't have a clause that exempts Americans from anonymous speech if it's possible a foreigner could inadvertently take advantage of the freedom too.
You may as well advocate for no one to be allowed to drive cars because of the possibility of someone getting into a car accident.
Or (in case you're a fan of the second amendment) - advocate for guns not being allowed to be sold to law-abiding citizens because of the possibility of the gun later working its way into the hands of someone who would use it for a mass shooting.
Freedoms exist with the understanding that both positive and negative consequences can result from them. The argument is that the good vastly out-weighs the bad and are worth preserving.
Can you link said research? I have never seen anything but division pushed by anonymity.
Also again, the corporations and governments(for certain levels of government like the members of the Five Eyes) can pierce this veil of anonymity, the people who have a lot to lose already are risking it by speaking.
Edit: this also isn’t a newly diagnosed phenomena, I remember seeing this satirical description of the behavior as a kid back when Web 2.0 and social media was starting to change the internet[1]
> My privacy is already decimated. For 2 decades we’ve already known about the NSA slurping up everything[1] on top of the Snowden leaks.
If you were correct, there would be no need for them to push these new laws. The fact is, you will have less privacy after these identification requirements are fully enforced.
What scary me a lot, is the amount of people here or in real life that are not concerned about that, and that are like "it is to protect the children, so whatever it is, it worth it. And what else we can do?". And often it goes on with things like "anyway, social media are bad, they ruin people even adult, so good thing". Literally they all look like repeating a carefully crafted propaganda without that much more deep thinking.
Basically, to mean it is brain rot. The problem is that it might concern a big part of the population and that is why we have such laws.
To me, it is exactly what was described in G. Orwell "Animal farm" book. Pigs are now in control and big part of the crowd are "sheeps".
Afterward, we always have hard time to understand how people could have let Nazi, Stasi, or Stalin come in power and do such awful things. But it never came in one day, and with the "i don't care, they probably now better" attitude of the current western country populations, you understand easily how all of that could have happened in a first place.
In the recent, and most recent history, let's not forget what happened to Putin's Russia. Russia was opening and on a very good course for individual freedom and rights, then a ex-KGB officer took control of the power and little by little, year after year, suppressed freedom, privacy, and opposition to reach the point of today where the country is a total nightmare for human rights and liberty.
Anything to close Pandora's box. "They" liked the eras they could control the communications, and therefore the narrative. Boomers on their last legs, question is, will the future undo the unjustness that was forced upon them? Restore the rungs of the ladders that were removed, so they could have a chance too? Or are they going to stay in the fear narrative, and make this tragedy worse?
Governments that are serious about age verification and individual privacy (which, doubtful they truly are) should agree on a protocol and set up certificate issuers that are associated with a digital ID. Then age verification will not be an invasive procedure or risk data leaks or insider threats.
[1]: https://blog.cryptographyengineering.com/2026/03/02/anonymou...
It's one thing to be concerned about someone stealing my credential, but another to prevent the transfer of these credentials, especially if they are limited use credentials.
The entire point of age verification systems is to prevent minors from accessing certain resources. I think we all know that this is basically impossible; but what these various governments and social media companies want to do is to make it high friction to do so.
The highest friction version of this is that the credential ties to a real world identity somehow; maybe locked behind legal barriers, etc., but if a minor is caught using someone's credential, then the person whose credential they are using can be investigated, and, if necessary, charged with a crime roughly equivalent to providing alcohol to a minor. Without the possibility of real world enforcement, none of these identity solutions can possibly work.
Keep dreaming of a technological solution -- there is none that does not lead to the world that FIRE is warning about, except to accept that we can only make a solution "good enough" and leave it at that, without expanding into full on identity verification. The solution here is likely to just try to provide better abilities for parents to monitor and limit their children's use of the internet. Let individual parents decide on the level of harm that they are willing to accept, and accept that there will be ways to work around this even if parents are vigilant, but just try to reduce it on the margins.
So the schemes always start introducing features to reduce the anonymity of the tokens or make them more trackable in some way:
> The highest friction version of this is that the credential ties to a real world identity somehow; maybe locked behind legal barriers, etc., but if a minor is caught using someone's credential, then the person whose credential they are using can be investigated, and, if necessary, charged with a crime
Which requires that these identity tokens not be anonymous age-verification credentials. They become a traceable identity token tied to your government-issued ID.
Not if you use a challenge-response protocol where the client returns a zero-knowledge proof of age, where the proof incorporates a random string sent by the website.
The traceable stuff is private information that the website never sees. If a minor is caught with it, then law enforcement has local access to the minor's hardware and can probably view the private data.
At that point, the private key can be put on a public revocation list. The zero-knowledge proof can include a proof that you're not on the revocation list. Once you've been revoked, you have to go through the hassle of setting this all up again, which might be enough incentive to keep it reasonably secure.
Buying alcohol for a minor implies knowledge and intent.
Getting the tokens out of a phone doesn't require the user to do any of that, the user just has to be frugal and keep the phone longer than it's supported by the manufacturer, until some local exploit is found again, and that token will be extracted and available online for everyone to use.
Parents buy those phones, phones could easily have a "user is a minor" setting (and a flag sent to all the sites that want one) with a password for parents to unlock stuff if needed. This would be set during the phones first set up, and it's done. But nope, the plan is for everyone to install a form if a digital ID on their phones, and once it's there, requiring full-name identification when registering is just one step away.
Yes, parents are responsible to set this up. But parents are also responsible to lock their alcohol, drugs or guns, condoms, etc., and many other things.
Perhaps parental controls are not good enough? That's where the regulation could genuinely help - require child-certified devices to implement minimum set of parental controls, and make them easy to use.
Yes, government want to end anonymity and that's clear to some. But governments enjoy on a pretty broad support for this and many people supporting this believe it's a real problem. Suggesting to leave it unsolved or solve it in a way they can't trust or understand is only going to alienate them, making the government job easier.
I think suggesting a simple, cheap and effective solution to this problem that has no impact on privacy is a way better way to counter that. I think local parental controls fits the bill.
No they do not. They do an enormous amount of PR trying to convince people that they have it, though.
In the real world when there is a ton of support behind a position, you see representatives of it all over the place and they are pushing the agenda and the coverage. In the world of online age verification, you just see a bunch of lame duck politicians using procedure to sneak policy changes in and keep objections from being heard, and a few government contractor-surrogates writing op-eds (that they haven't read.)
When puritans go on the march, they're actually pretty loud. Most of the anti-social media people are hippy-dippy upper-middle class liberals who curse "screens," completely believed Cambridge Analytica's PR and think that Trump rules through mind control - who will be bothered by the end of anonymity; and the remainder are angry online right-wingers who think that they were censored by and as a result of social media. They're not marching together, they're not marching to have people identified when they're using the internet, neither of them are even prioritizing social media right now and they aren't putting pressure on anyone.
The fact that it's so unpopular is why there are lame ducks doing it. They're just assuring their fortunes on the way out, and the person on the way in will pretend like they had nothing to do with it even though it will be will be passed and implemented on their watch.
Ok, but parents buy internet access and then let their kids use it, because the kids need it for school. So? The parents job is to keep their kids out of trouble. Learning how to keep track of what their kids access shouldn't be difficult, and maybe should be part of the obligation parents have, kind of like their obligated to teach their kids to drive before giving them the keys to a car. Its analogious to saying "kids shouldn't walk home from school or be let out of the house at all because they might wander into a nude beach or join a drug smuggling satanic cult". Most of us don't hold that view because we trust that kids can be taught to be vaguely responsible.
What's more: tools to shield the kids have been around for longer than most of the parents have been alive at this point. The problem is pretty much solved in multiple ways, and wouldn't even be a problem if parents only followed their basic responsiblities. Also it isn't a problem in the first place, I haven't seen any clear, undisputed evidence that shows that kids are degenerating into fiends because of looking at adult stuff on the internet.
Unfortunately it is, but we could fix that with only minimally invasive legislation. Right now you either whitelist which breaks half the internet on a recurring basis (things are constantly changing) or you blacklist which is swiss cheese. Either way you're relying on third parties.
I think it would be much better to legally mandate a certain minimum level of self classification for website operators along with a simple and extensible scheme for communicating such. It might also be useful to mandate that devices ship from the OEM with parental control software supporting that standard but honestly I doubt that's necessary - if their were a standardized and above all reliable signal available I think browsers and operating systems would rapidly adopt support for it.
I've also always been curious how a truely anonymous identity verification could possibly work. At best for age verification, I could be given some kind of token that would still have to verify my age and be verifiable with a central authority to ensure my token is valid. The central authority could always keeper records of my token, revoke it whenever they please, and every entity that can verify the age associated with, or embedded into, the token knows at least some of my PII.
You go to a store. You show the clerk your id and give him a quarter. The clerk pulls a scratch-off ticket from the front of a ticket tape. The ticket contains a token identifier.
It's anonymous. The clerk or his POS system knows your name and age, but doesn't know your number. The vendor providing the tape doesn't know your number or your name. The system accepting the token knows your number, but doesn't know your name. The token is only valid for a day after use, so loss and transfer isn't much of an issue.
It's the exact same process by which you buy lottery tickets in a world where they don't need to verify your identity when you redeem them. The lottery has no idea who bought a particular ticket, only that a ticket was bought. The clerk knows you bought a ticket, but doesn't know which ticket.
Obviously, Eavesdropping Eve looking over your shoulder knows both your name and your ticket number, but that's not a practical attack.
Where does this 3rd party identity token provider come from?
For government-issued identity tokens, there are not separate parties. It's just the government, and they can choose to link whatever they want in their internal system if they decide it's in the interests of national security.
You're also forgetting that lottery tickets are tracked. This is how they can announce which store sold the winning ticket before anyone steps forward with it. It would be trivial to match a buyer to the ticket if they wanted to inspect the records. In the case of a government identity token service, there isn't even a separation of parties providing the records. They do it all and can have all the data.
Some oracle whose job it is to print tokens and hand out rolls to the stores (and to the websystems). They would know which store got which roll, and which website authenticated it, but not who each ticket from that roll went to.
With a big enough roll, this is essentially anonymous.
Yes, lotteries know which store got the winning ticket, but they have no idea which of the patrons in the store got it. Not unless they ask Eve to get her telescopic lens and notepad out.
You're saying the real solution is that we bring in a private, 3rd-party company to start checking our IDs to access websites now?
I am not actually advocating for it. I'm just saying how it's possible to solve it given those constraints.
What prevents a commercial "AI" security camera analysis firm from doing a decent job of linking footage of a store's customers to a likely subset of tokens, based on the knowledge of which tokens are sent to which store and how many tokens have been pulled off of the roll so far? Remember that you can design the token roll packaging so the easiest thing for a clerk to do is to pull off the rolls in the order in which they were shipped. Or -hell- you can design the token dispenser so that it phones home to the oracle that sent the roll to the store with the range of tokens in the roll when the roll is loaded into the dispenser (for "security purposes").
> It's the exact same process by which you buy lottery tickets in a world where they don't need to verify your identity when you redeem them.
I've seen many people buy lotto tickets. I've never seen anyone asked for ID. Perhaps the merchant is supposed to check for ID, but they don't. Relatedly:
> The clerk pulls a scratch-off ticket from the front of a ticket tape. The ticket contains a token identifier.
What prevents rolls of those tickets from falling off of a truck and either being handed out for free or at a substantial markup, no questions asked? [0]
In the real world, the system you propose absolutely will not function to the standards required by the people agitating for these systems. You can't "protect the children" if "children" can easily get their hands on anonymous access-granting tokens.
[0] The fact that this doesn't happen with lotto tickets often enough to be newsworthy is not a compelling counterexample. Stores make a decent amount of money selling those, and wouldn't want to get cut off from that revenue source by regularly "losing" shipments of tickets. What you propose doesn't make stores any money, so either you have to spend a bunch of money to induce them to carry the tokens [1], or you have to have harsh penalties for "losing" shipments of tokens. If you risk harsh penalties for choosing to sell the tokens, why even bother? Stores put up with the risk of selling booze because it's quite profitable... selling 5c or 0c tokens absolutely is not.
[1] Where does that money come from? From you and me, of course!
Lottery tickets don’t “fall off of trucks” or get “lost in the mail” because they aren’t valid for redemption until they’re activated at the POS terminal of a licensed store, and the lottery company knows which store receives each ticket roll, because they are shipped to known locations with tracking numbers and delivery verification and/or delivered in person by lottery employees. Even the rolls of blank lottery ticket receipt paper have different serial numbers every few inches, and it’s forbidden by policy to swap receipt paper between stores. All of these things are audited both regularly and randomly by state lottery officials.
I’ve sold lottery tickets, and you have to be legal age to both buy and redeem them, so I’m not sure that this analogy or hypothetical solution is comparable to lottery tickets, nor is it likely to be the panacea you think it is.
I don’t think that the nascent online age verification schemes are good for society in general, either, but that’s not really the point you were making in your comment, so I don’t assume that you believe they’re good or bad, but simply advocating for a more privacy-preserving implementation. Which is kind of the whole point of the argument against bad implementations, but those who mandate and implement the systems likely view uniquely identifying people as a boon, whereas you and I probably don’t, which is why I am not hopeful that your ticket system will be used, because it will be higher friction for more people than uploading scans of their IDs and/or their face.
The ticket system, if implemented, would be used by so few people that the folks who do could likely be re-identified by Bluetooth tracking beacons and facial recognition in the same stores which they bought the ID tickets you suggest, and so I think the number of people who would escape tracking by any such means to be so few as to be a rounding error.
Those folks who do pursue this privacy hobby/fetish are statistically likely to ultimately mess up on their opsec eventually on a long enough timeline, so it’s hard to even imagine a scenario in which it matters either way what individual privacy activists do or don’t do from the point of view of the panopticon designers or implementers. Those not identified to a desired confidence interval by the mass surveillance system will just be retargeted for more sophisticated surveillance measures.
Despite how we rage, we’re still just rats in a cage.
More and more, the privacy debate feels like a quixotic struggle against giants, when everyone already knows that those giants are actually windmills; the majority of society now lives on reclaimed lands which rely on those windmills’ continued existence, and so no one cares about privacy in the way that you or I might care, because they are incapable of perceiving windmills as giants, nor do they have the intellectual or philosophical or political beliefs which would allow them to even entertain such perceptions even for the purposes of discussion. The privacy debate is beyond their ken.
They just launched the GOVT.NZ [2] app, and it contains a wallet that can store digital credentials. It's built by a local company called MATTR [3], who specialise in trust technology and exotic cryptography like zero-knowledge proofs. The first credential available this year will be a mobile drivers license, and we'll then be able to prove things about ourselves like whether or not we're over 18 (according to an accredited institution), completely privately over the internet and without sharing any other information.
I'm cautiously optimistic about the direction our digital ecosystem is heading in NZ :')
[1] https://www.publicservice.govt.nz/about-the-commission/gover...
[2] https://www.digital.govt.nz/digital-government/key-areas-of-...
[3] https://mattr.global/
If it's unlinkable, what's preventing someone from setting up a site that hands out anonymous tokens for anyone to use?
Other approaches are possible. I'm particularly keen on ones that treat attestations as anonymous digital currency and use cryptographic penalties like slashing to discourage copying post-hoc instead of relying on EU-style implementation certification.
There's a huge literature on the subject I don't want to reproduce here. The point is that yes, we do have the technology to do attestation without sacrificing privacy, which makes all the calls for non-privacy-preserving attestation awfully curious.
Or make it so that tokens cannot be tested except by spending/burning them, which would significantly reduce (but not eliminate) a black market because it would be hard for any buyers to trust any sellers.
The best outcome here is going to rest on getting people to agree that "good enough" is the best outcome. We want a system that gets the broad social results (e.g. less brain-rot in the kids) without being so impossibly strict and overbuilt that it leads to an even-worse problem (e.g. authoritarian hellhole tools.)
I'm surprised anyone considers this viable.
It would limit access to those sites to a limited set of acceptable devices and operating systems.
I couldn't use my laptop, desktop, or a jailbroken phone.
If so, this stuff is already broken, and imagine it would be pretty simple to apply the same principles here.
I'm probably wrong on this though I'm out of my depth
Yes, that can eventually be worked around, but not really that different than doing the verification today on someone else's device.
So I'm constantly grabbing new tokens from the government every time I go from work WiFi to my cellular internet to the train WiFi and then home?
Sounds like a fantastic point for capturing more tracking data.
> /geolocation.
Which means I have to send my geolocation data to apps to confirm I can use my token?
Don't want that either.
> It would also throttle the number of identifications,
And if I move around too much in one day or change networks too often, I'm unable to log into anything until tomorrow?
Every time you set up an account, would generally be the idea. So relatively infrequently.
"Use this exact tor/vpn server"
>It would also throttle the number of identifications
So I can only wank off 5 times a day, or grant access to porn sites for 5 kids?
The anonymous crypto token scheme does not have any trace-back mechanism like this at all. If there's no way to track those tokens back to you, why not sell them for $1 each on the internet to make some extra money?
And you want to satisfy voters who are worried about children online or have heard scary things about anonymous criminals. You want to be seen to do something about those.
A distant third is that you want the system to be cheap and built up fast and relatively easy so voters don't complain about it.
All together this leads you to something like "any time a site needs to verify your age (based on this broad list of requirements) put in your government ID number / picture". The infrastructure already exists for that, banks need it, social media needs it, and the current president has agitated for it a few times now. If you're really aiming high you set up some digital ID attached to it that's easier for the users.
Either they validate so little information that a single homeless person can authenticate the entire country or they validate so much information as to not have a significant privacy guarantee.
There is no in-between for ZKP validating someone's age.
the truth is that the two extremes you listed can be titrated.
if you use nullifiers you can trade some privacy for some security. basically you convert your true identity into a private token which you can use to authenticate aspects of yourself, the price being that the token can be tracked with some effort across services. better than just using your identity at least. if a token/nullifier is abused it can be revoked and then you have to jump through a bunch of hoops to get another.
there are some other trade offs that can be made.
What combination of details can you validate on that is meaningfully privacy-preserving and couldn't result in wide-spread re-use of tokens?
Additionally - what would prevent some kids from getting a homeless man in the city to hand them his ID, get a facial scan, and everything else you can think of to generate a token and then pass that token around?
ZKP are a cryptography-nerd's joy but are are categorically unsuitable for the purpose of age verification. I stand by this without the slightest reservation.
tying multiple accounts and services together isn't ideal but its inarguably better than tying your real world identity to every single service.
To clarify - it's not cryptographically necessary to present the same token for each and every transaction and serves to categorically defeat the entire privacy guarantee of ZKP.
It also makes it trivial to associate your ZKP token with your real identity.
contrast this with the situation as it currently is (under ideal assumptions) where a central authority verifies your real identity and issues temporary rate limited tokens which are then saved by each service and can at any time be linked to you whenever the central authority can get the service to disclose the database entry. the nullifier will force the central authority to do an investigation about who the nullifier actually belongs to which may actually fail.
realistically I expect VPNs and Tor to just become more popular in response to such nonsense. I wouldn't be using government issued tokens for anything that isn't trivial to tie to your identity already: such as a personal bank access.
Where to even begin here....
To generate the token, it needs to be based on specific data. How do you prevent people from generating tokens based on fake data and submitting that to the "terminus" that you mention? We already have cases of people bypassing facial scan liveliness checks for banks using AI-generated footage.
What about validating tokens during the token enrollment process based on your government ID? Though that makes sure that poor or undereducated people who don't have such an ID are locked out of large swaths of Internet services.
Though there's also the matter of it being trivial to generate fake IDs using AI.
If you have no gatekeeping for the token enrollment process, anyone can submit an arbitrary number of new tokens.
And if you do have gatekeeping, you're right back to square one of needing to validate against more than just your age.
After all - the cryptography algorithms will be publicly known. If the only thing ZKP is validating against is age, it won't take long to figure out how to generate identifiers based on fabricated information.
> whether or not the terminus can tie a token to a real world identity will depend on how careless the user was and how much collusion there is between the terminus and the services. at the very least it will impose an investigation cost.
No it won't. A user submits a token to a server. The user also logs in with their e-mail address or phone number. Their email and/or phone number is hashed and it, along with the ZKP token and any additional information the website has on you, will be sent to data brokers.
This is the same as any other bit of information out there that data brokers collect on the internet. They just associate your new info with other info you are required to provide in order to use various services.
This will be automated and will cost next to nothing for data brokers to take advantage of.
> contrast this with the situation as it currently is (under ideal assumptions) where a central authority verifies your real identity and issues temporary rate limited tokens which are then saved by each service and can at any time be linked to you whenever the central authority can get the service to disclose the database entry. the nullifier will force the central authority to do an investigation about who the nullifier actually belongs to which may actually fail.
....what? What investigation by central authorities? You are talking of a system that would constantly mediate permissions for billions upon billions upon billions of devices across dozens of services and accounts per device.
You couldn't hire an army of people large enough to handle this and AI is infamously awful at detecting when a given image has been generated with AI.
> realistically I expect VPNs and Tor to just become more popular in response to such nonsense. I wouldn't be using government issued tokens for anything that isn't trivial to tie to your identity already: such as a personal bank access.
Their popularity would only rise in order to VPN into jurisdictions that don't enforce this. Assuming major websites don't just mandate age/identity verification for all new users regardless of jurisdiction just because it's easier and cheaper to apply one system to everyone.
Look - I know you mean well, but it is clear from this discussion you aren't familiar with cryptography, system security guarantees, Internet infrastructure scaling, or what would be needed to introduce new descriptive information about a person on the Internet and not have it become a new privacy risk.
This is an issue that has no tech-only solution. The specifics aren't just something to just figure out at a later date - the specifics are everything. And it's something that is enormously difficult to get right and extremely easy to get very, very wrong.
you also don't appear to know what a nullifier is, in a ZKP system you submit identifying information and a hash of a secret string. the CA adds the hash to a public database and in the future you prove you one of the members of the database with a nullifier - the anonymity-set is everyone in the database who entered it prior to your submission. this can also be done with a blind signature to the same effect.
there is no further point to this discussion.
Majority of people understand their SIN or SSN number or whatever, they understand they have a drivers license number. This could be built in such a way that it's basically just be another government issued "thing" that they have to know about and be able to produce when requested
Edit: I agree with you 100%, but the fact that governments want to track people online has no bearing on how technically possible it is to build a system where they can't
An anonymous internet auth system (probably) won't get built, but it is possible to build
I think for this argument to carry weight with voters, privacy advocates need to be much more specific about what "coming back to haunt you" looks like. They do a little bit of it later on[1], but I think most people do a rough cost benefit in their head and decide that the small benefit outweighs the small risk (to them).
[1] "And that creates a lot of risks for data breaches, overly broad data collection and retention, censorial legal demands for collected data, corporate and governmental malfeasance, pressure to self-censor, and perhaps blatant First Amendment violations. Every new layer and every new mandate brings more potential for risk. As we’ve unfortunately seen many times over the years, people including high-level government officials will maliciously seek to root out the identities of their critics, so the more layers of anonymity we can preserve in online speech, the better."
I'm starting to think we need to lean on conspiracy theories in order to get broader population on train with this - and I'm saying this in utmost regret. That's a borrowing game from a right wing/extremist playbook.
Start with this: requiring IDs online is a first step in micro-chipping the population.
...or how about this: marxists/atifa/nazis/zionists/islamist/whoever-group-people-think-is-in-power want to erode your privacy online so it can be used against you. Some nefarious group what to know your every move!
...or how about this: remember Epstein files!? Well the pedos now want to id your children online!
I simply saying truth/evidence/rational based approach to this will not get people attention. People just don't care.
I think both political extremes have their own angles: liberals might be concerned that conservative censors will censor kids from learning about LGBT people and minorities, conservatives will be concerned that liberals will force too much LGBT and minority content onto kids. Or whatever issue, they want to control what your kids read!
This will almost certainly be used to censor adults too, the only reason we aren’t doing that is because it hasn’t been possible to consistently identify people before. Considering who is pushing for this, they’re absolutely going to tie this into advertising, and if they know who you are so do all of the spooky upper echelons who could implement a true censorship regime.
“The only way they can do this is by controlling what you read, shouldn’t that be the parent’s choice?”
How about "if you want to buy a dildo on aliexpress, you have to do a full scan of your face and send it to israelis"?
I mean.. au10tix does age verification for aliexpress, it is an israeli firm, and you can't even buy a scalpel (the DIY crafts one) without having to scan your face there due to EU regulation.
It really isn't, though. Don't mistake the internet for reality. The majority of people in the US and Europe support laws like these, and most of the rest don't care.
Even on Hacker News the consensus is mostly in favor of anything from age restriction to making all social media illegal.
That doesn't sound right. Put up a poll. I'd put money on 90%+ choosing some flavor privacy/anonymity on the internet.
https://m.youtube.com/watch?v=ahgjEjJkZks
I can only say what I've observed from numerous threads - people's advocacy for privacy on the internet here does not extend so social media.
But OK this could be fun let's put my keyboard where my mouth is: https://news.ycombinator.com/item?id=48680434
Social media is full of astroturfing.
We draw the line somewhere because these things that "are the parents' decision" have consequences on broader society. They have consequences that impact you and me. And we also have a say.
You can make the argument that it's just the parents' decision. But you have to say why.
1. Age gating + VPN ban under the guise of protecting children from social media
2. Few years pass, Identity Passport gets ushered in under guise of convenience of not having to repeat those pesky age verification checks.
3. Utilities start to require ID Passport. Including signing up with an ISP.
4. Renting starts to require ID Passport.
5. Work requires ID Passport.
6. Well done, you built the torment nexus!
It’s simply not on the cards, and I live a frugal enough life in a high paying industry that I can retire in a few years. If I was willing to bank on inheritance then I could retire now.
I feel for the people that are forced to engage though. But too many of them simply don’t care about privacy, which is why we’re here.
The user agent should simply send the user’s age of the parental lock is set up and the websites required to respect this.
Parental controls and the OS should be robust enough to not let kids bypass it (e.g.: by installing a browser that skips the header, or blocking proxy websites)
Done.
Cellphones only because those are the devices kids can have on them all the time and can easily use in private unsupervised.
I don't know what their retention time is on circulation records, but beyond aggregate statistics for culling materials that aren't circulating I bet it isn't too long. Now I want to go check.
My library also only keeps 24 hours of video surveillance because they didn't want to be able to fulfill requests from the cops for footage of patrons. I really liked that.
Edit: In the patron portal it permits me to disable "borrowing history" and says it permanently deletes my records. I do contract IT work for them so next time I'm engaged I'll ask about the details. They're moving to Koha later this year (free / open-source ILS) so I could go look at the code to see what it does (which is nice).
On the theme of their privacy fanaticism:
Over a decade ago the library got a grant to do outdoor public WiFi in the park behind their building. As part of that grant they needed to report the number of distinct users using the WiFi each day. Their UniFi controller tracks MAC addresses of associated stations. I used a query against the underlying MongoDB to get the usage reports to satisfy the grant.
To minimize the potential of tracking individual users the library director had me write a script to grovel thru MongoDB, do a SHA-1 hash of each public MAC address tracked concatenated with a randomly-generated salt for that day, then write back the first 48 bits of the hash over the original MAC. The library gets their daily statistics and long-term traffic trend data, they don't double-count associations for the same device in the same day, but they can't track individual people over a span of multiple days.
Now that devices randomly-generating MACs are mainstream it's much less necessary. I thought it was really cool she thought this. (The whole salting/hashing bit was my idea. She just wanted to be able to fulfill the grant reporting requirements amd be unable to track people.)
Write your own books.
Make your own music.
I do see folks who look homeless using the computers, so I assume there must be a special accommodation for them.
But, if you’re just a regular middle class joe looking for anonymity on the internet, I don’t think the library is the place for you—it’s tied to your library card which knows your address, and anyway what would you want to be private that you would be ok to broadcast in an open library setting? Nobody watching corn or browsing whatever successor to Silk Road.
Usually the login screen says something about fairly restrictive terms of use, even for the WiFi on a personal device, and I don’t know if you can install software on the library computers.
When I look around at library patrons using the computers, it’s usually lower income folks applying to jobs or similar, and people playing chess.
What???
I mean, Nazis have always been attracted to punk because they like the loud noise but are too stupid to understand lyrics, but they tend to get their shit kicked in by punks more often than not. I don't think that's the same thing.
The government already knows everything about us, and I mean everything. It is extremely naive to think they don't or that you are safe behind a VPN.
That’s minimal defense, but it’s worth remembering the difference between what it in theory knows and what its actually paying attention to.
what do people think the billions of billions of pattern matching used in ads will be used for?
people think 'anonymous' credentialing will work here?
they've captured scroll patterns, typing patterns, language patterns, all sorts of fingerprinting.
the game unfortunately is basically already over.
Not a matter of if, but when, a breach happens.
Solution: Maximize the distance between yourself and the people
I grew up in a neighborhood full of drug dealers. Street sellers, not the classy Walter White kind.
Ironically being on a computer all day kept me out of trouble.
But with these laws in place I guess you might as well start doing stupid ish in real life.
Either way, I genuinely don't believe "let's just hope parents... start doing better?" is a solution.
More to the point, if a kid walked into a convenience store and the clerk sold them a pack of cigarettes, the clerk wouldn't get off the hook by claiming, "well, the parents are responsible for their kids." I'm also not sure how one would justify holding parents legally liable for crimes they played no role in committing.
I'm not saying that I agree with these laws. They appear to be taking things too far. But that has more to do with there being no clear way to define sites that are only of interest to adults (no gatekeeping needed) and sites that should be restricted to adults.
This is already a thing.
https://www.bu.edu/articles/2024/charging-parents-for-childs...
Once upon a time they idea that Americans would surrender all of their God Given rights for an illusion of security was considered absurd, but that's where we're at.
Too bad?
Too bad!
The state can't control those things, it can control putting an age restriction on certain websites. Unless you are advocating for the complete abolition of all age restrictions throughout society.
I'm glad we're discussing parental liability. It seems no one else is advocating for "social media access is criminal neglect," so I appreciate the novelty.
A simple G/PG/PG-13/R header for websites would solve 97% of actual issues anyone could care to present. (violence, porn, etc)
Forcing people to identify themselves will not solve skinner boxes, gambling-for-children, focus-degrading slop, etc.
Bluey-themed slot machines are still harmful.
I may sound crazy for saying so, but I think the answer is more government run infrastructure for enabling identity-based operations, like payments and authentication, with rules about standards, open source, contractor selection, and audit that make operation transparent. It can work if technical operations are legislated instead of "left for the engineers to figure out." Then at least the evolution of systems can become real political issues that map to election cycles.
My stance is probably a polarizing one, but this is precisely why we need to be able to debate the minutae of these systems through our political discourse instead of just "will we; won't we" legislation. This should be debated in democratic process.
If I misbehave here, dang can just ban me. There's no reason HN needs to know my real name. The only reason to mandate blanket age and identity verification is to control online speech.
You are required to identify yourself for an electricity account because it is essentially extending you credit. You use the electricity first, and then they bill you for it later. They also only identify the person who is receiving the bill. You could have a house with a dozen people in it but the electric company only knows the name of the person responsible for the bill.
You are free to identify yourself on the internet right now. People who are intelligent and/or believe in freedom and free speech are opposed to this authoritarian power grab.
Not in Australia
In my experience Trump supporters aren’t exactly quiet about it.
Tech companies should ignore it and just publicly name whoever attempts to prosecute them and see how the population responds. I think people today are orders of magnitude more informed about their privacy and the consequences of digital ID laws. A few countries are on the edge of revolt at the moment anyway, and this would be a good way to get young people into the streets.
20 years ago, people would have had no defense against it or understanding of what was being imposed on them. Today, normal people use Signal and encrypted messengers, faraday bags, and leave their phones at home. Where we were nerdy security guys back then, non-technologist women and girls use spy tradecraft level electronic opsec for their own safety and security from middle school. People are much more sophisticated about their privacy now. They're ready to take this on.
The laws coming into force are on people who are not in favour of them, and I'm so optimistic that I will not interrupt the enemies of privacy and human dignity while they are making a mistake.
It's been true for decades in the USA that if they want to arrest you, they will. The age verification doesn't make this situation better, but at this point it's almost just a formality.
Extra-territorial issue are huge here. What is the limit of the boundary on a given nations constitution and law? How much does the economy of the user, the hosting company, the owning company, the receiving parties matter?
Social Media has advertising and publishers. It has people who can effect editorial control over what is seen and by who and to who it is "said" -And that imposes obligations on them, and on people lodging content. Differentially depending on their economy, the reach of law, registration of legally incorporated entities.
All of this is being implemented somewhat haphazardly internationally, enforced differently, subject to legal and financial and social pressures differently depending on the times and the context.
If you want to ask questions about America, about Americans, using American companies, speaking to Americans, believe me you don't neccessarily have a simpler task here. It may well be clearer to some of you, but to me, its just as fraught.
It's just not clear to me "free speech" is the bastion rule which applies here. The EFF may think so, I don't think they have actually demonstrated it all the way to the end.
Then you have the mega corps like Facebook who can figure out every detail about you even from merely _not_ using their system because of the hole you leave in your social network that does use them.
The only privacy left is from anonymous troll farms claiming to be an American while talking about how the Texas oblast is valuable for its warm water ports.
I am fine for privacy on consumption of content, but you should be forced to identify yourself for posting so the common man at least has a chance to evaluate your statements instead of being misled, all while, as stated above, our governments and corporations don’t have that limitation.
[1] https://en.wikipedia.org/wiki/Room_641A
The Supreme Court has repeatedly held that the right to anonymous speech is inherent in the first amendment [1] [2]. See also The Federalist Papers or Common Sense, without which the US might not exist at all.
[1] https://www.law.cornell.edu/supremecourt/text/362/60
[2] https://www.law.cornell.edu/supct/html/93-986.ZO.html
Free speech absolutism that ends up in creating an environment where real speech is drowned out by lies is not valuable to me. It’s like the paradox of tolerance.
You may as well advocate for no one to be allowed to drive cars because of the possibility of someone getting into a car accident.
Or (in case you're a fan of the second amendment) - advocate for guns not being allowed to be sold to law-abiding citizens because of the possibility of the gun later working its way into the hands of someone who would use it for a mass shooting.
Freedoms exist with the understanding that both positive and negative consequences can result from them. The argument is that the good vastly out-weighs the bad and are worth preserving.
Also anonymity can actually improve social media polarization (see Chris Bail’s research)
Also again, the corporations and governments(for certain levels of government like the members of the Five Eyes) can pierce this veil of anonymity, the people who have a lot to lose already are risking it by speaking.
Edit: this also isn’t a newly diagnosed phenomena, I remember seeing this satirical description of the behavior as a kid back when Web 2.0 and social media was starting to change the internet[1]
[1] https://www.penny-arcade.com/comic/2004/03/19/green-blackboa...
If you were correct, there would be no need for them to push these new laws. The fact is, you will have less privacy after these identification requirements are fully enforced.
Basically, to mean it is brain rot. The problem is that it might concern a big part of the population and that is why we have such laws.
To me, it is exactly what was described in G. Orwell "Animal farm" book. Pigs are now in control and big part of the crowd are "sheeps".
Afterward, we always have hard time to understand how people could have let Nazi, Stasi, or Stalin come in power and do such awful things. But it never came in one day, and with the "i don't care, they probably now better" attitude of the current western country populations, you understand easily how all of that could have happened in a first place.
In the recent, and most recent history, let's not forget what happened to Putin's Russia. Russia was opening and on a very good course for individual freedom and rights, then a ex-KGB officer took control of the power and little by little, year after year, suppressed freedom, privacy, and opposition to reach the point of today where the country is a total nightmare for human rights and liberty.