What's wrong with EU age verification? Nothing

3 pointsposted 6 hours ago
by Zababa
(blog.vrypan.net)

6 Comments

Zababa

6 hours ago

The article says the website doesn't need to know your date of birth, that the state will issue you a certificate once you're over 18. Since many people I think will do that as soon as they can, it's easy then to see patterns of "this person created an account on age restricted websites with the same email address, they didn't have one before, therefore they probably just turned 18".

I find it also sad (and maybe a bit suspicious) to see someone that has blogged since 2003 use AI to generate blog articles, especially for a controversial law that has been pushed again and again in undemocratic ways.

jjgreen

5 hours ago

Sad indeed; AI is cultural Alzheimer's.

throw310822

5 hours ago

Can you explain better what do you think the issue is? Btw, date of birth is one of those informations that is asked endlessly by all sorts of websites and services, and revealed by all sorts of calendars, birthday greetings and cards. It's probably one of the least private things about anyone and the easiest to obtain by any motivated party.

The real concern about age verification is that I don't want any party (the one that requires it or the authority that provides it) to track my identity or my usage of it. As outlined the system seems to work fine.

Zababa

4 hours ago

Here are my issues:

- the author claims the website doesn't need to know the date of birth, but as said it is easy to derive it. Therefore the author was wrong on that point, which makes me wonder if he's wrong about the rest too

- the author list 10 "Things that would break the promise", saying we should fight for them to be respected. That seem to imply, to me, that as is they may not be respected, and even if the implementation he imagines is possible in theory, it might not be in practice. The author also hasn't considered that maybe people are against age verification precisely because the promise of a well implemented, privacy-preserving age verification is easy to break.

- the author hasn't considered adversarial use, for example using the identity verification from someone else, and what other checks could be added to ensure those. There is a slippery slope of "first we check your age in a privacy-respecting way, then we realize we can't really enforce it like that but you already agreed to age verification so we can reduce the privacy respect to better enforce it"

- the author is using a possible implementation at one point in time to transform a political/ideological issue into a technical issue, while not considering all aspects of said policital/ideological and technical issues; as explained above.

throw310822

an hour ago

> the author claims the website doesn't need to know the date of birth, but as said it is easy to derive it.

Yeah, I didn't understand the reasoning here. Is it because you assume that every newly created account must be of someone who has just turned 18? Or because multiple accounts on different age-restricted websites tied to the same email would all be created in a short time as soon as one becomes 18? This could indeed give an approximate hint as to the age if one could cross-reference the same email across several accounts, but it doesn't seem to be high risk.

For the rest, I understand the objections, but they are either ideological or slippery-slope ones. I.e., they're not about the thing per se for how it's presented and implemented now. As the author notes, nobody objects to age verification in real life, so the problem is not with verifying people age per se. It's about how this can be either leaky now or modified in the future for abuse.

Zababa

9 minutes ago

It's not a high risk, but it's a thing the author said that's wrong, which puts into question the rest.

I think ideological objections to a law that will be imposed on ~300 millions of people through a process without much democracy, oversight or traceability of the decisions is pretty important, more than the technical details.

Some actually object to age verification in real life, for example some people find ways to consume alcohol or buy it before they're the legal age. Some people drive before the legal age especially in the countryside. So it is wrong to say that nobody objects to age verification in real life.

The way the thing per se is presented is skipping the ideological debate to focus on the implementation, which I think is pretty bad from a democracy/freedom point of view, and then proceeds to be wrong about something quite basic like "you don't need to give your birthday", which makes me worried about the rest, and then lists a laundry list of possible issues. So it seems clear that it can be leaky right now. The date of day easily leaks, we can argue about how important it is, but the author explicitly says:

>To prove to a porn site, a gambling site, an online liquor store, or a religious forum that I'm an adult, I should not have to hand over my name, date of birth, ID number, face, address, or passport. That is a dangerous amount of information to give any private website, let alone one dealing with sensitive content.

Note the "or" and "dangerous amount of information".

There is also no built-in way to ensure the person using the ID is the person they actually are, and no privacy-respecting way to confirm that is presented.