this post was submitted on 30 Nov 2024
128 points (99.2% liked)

Programming

17672 readers
54 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities [email protected]

founded 2 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
128
How could digitial age verification be possibly implemented with privacy in mind? (programming.dev)
submitted 3 weeks ago by [email protected] to c/[email protected]
84 comments fedilink hide all child comments
 

Many might've seen the Australian ban of social media for <16 y.o with no idea of how to implement it. There have been mentions of "double blind age verification", but I can't find any information on it.

Out of curiosity, how would you implement this with privacy in mind if you really had to?

(page 2) 36 comments
sorted by: hot top controversial new old
[–] [email protected] 2 points 3 weeks ago (1 children)

Recently I saw an article on more needs to be done about age verification because it’s easy for children to falsify it (and most do). On the other hand you have adults who falsify it because it’s nobody’s business how old you are.

Current protections that ask you to confirm your age are completely pointless.

Now if you were required to provide ID to access X service, would you? If we’re talking adult content then children will simply look elsewhere, taking them to potentially more dangerous areas of the internet. (Heck, so would adults) Same if you deny them social media.

But if we’re implementing verification regardless then it needs to come from a third party. And it also has to be easy. Like something you do only once.

First: I would allow children access to social media under a child account that has limited access and ability to be audited by a parent. This is important because you don’t want them going somewhere you have no control over. (Which they will)

Secondly: An age verification gateway that can be implemented by developers seeking to use it. Possibly managed by the government body responsible for issuing ID (or a partner). This would be taking a short video of yourself plus uploading ID. (Banks are doing this now)

Thirdly: ease of use. Majority of us have a google or apple account associated with whatever device we have. Let those accounts hook into the 2nd step and share if an account is a child/adult account with any social platforms you log in using it with.

Just a few thoughts that came to mind whilst waiting dinner. Feel free to tear it apart!

[–] [email protected] 2 points 3 weeks ago

Ever heard of Id.me?

[–] [email protected] 2 points 3 weeks ago

It can't be. The entire concept is a Trojan horse to kill the anonymous internet.

[–] [email protected] -1 points 3 weeks ago (1 children)

I'd lean on the ISPs. Your ISP knows what sites you visit, and they have your location and payment information. They can just insert some verification page when a classified IP is contacted. This gives them hardly any information beyond what they already have. And since they are mainly located in Australia, it is easy to enforce laws on them.

You have to lean on ISPs anyway because it is quite ridiculous to assume that the entire global internet will implement Australian laws. Does anyone believe that their Lemmy instance will implement some AI face scan or cryptography scheme?

You would have to block servers that do not comply with the law anyway. The effective solution would be a whitelist of services that have been vetted. In practice, I think we'll see the digital equivalent of ok boomer.

If a whitelist seems extreme, then one should have another look at the problem. The point is to make sure that information is only accessed by citizens with official authorization. There is no technological difference between the infrastructure needed to enforce this (or copyrights) and some totalitarian hellscape.

[–] [email protected] 1 points 3 weeks ago (1 children)

This gives them hardly any information beyond what they already have.

Except now they know the individuals using your Internet.

Sure if you live alone they already can easily put that information together. However if you have a partner, a relative and children all living in one house they now know who is in that home.

Plus maybe no one in the house uses Twitter and Aunt Alice the Twitter user came to visit, does she need to reverify? Your ISP knows that now.

ISPs would be gaining a lot of new information.

[–] [email protected] -1 points 3 weeks ago

It's not necessary to expose the identities of the users. The age confirmation could happen via a password, PIN, or even a physical USB dongle. Tying such methods to a particular identity adds nothing to the age verification.

If that is not enough, then one would need a permanent, live webcam feed of the user. It could be monitored by AI, and/or police officers could make random checks.

Granted, one would have to make sure that not everyone behind the same router can use age-restricted services; eg with a VPN. That would let them assign connections to individual, anonymous adults. But I'd guess you could do that anyway with some confidence by analyzing usage patterns. Besides, information on who is in a home can also be found in other places such as social media or maybe company websites. So I do not think this is much new information.

But thinking about it, one could compartmentalize this.

The ISP only allows connections to whitelisted servers, including 1 or more government approved VPNs. The ISP refuses connection to these VPNs without age confirmation. The VPN provider does not need to be told the identity of the customer. There needs to be no persistence across sessions. The ISP need not know what sites are visited via VPN. While the VPN provider need not know about sites visited without.

If you do it that way, the ISP ends up knowing less than before.

Since both ISP and VPN servers and offices would be physically located in the country, one would have no problem enforcing prohibitions on data sharing, if desired by lawmakers.

Anyway, this is the only realistic approach in the whole thread. Everything else assumes that Australian law will be followed globally. And then the ISP still has all that usage data. Why not just use a blockchain...

[–] [email protected] -4 points 3 weeks ago* (last edited 3 weeks ago)

.

load more comments
view more: ‹ prev next ›