Mastodawn

Lauren Weinstein

It's important to understand that "age verification" schemes being passed by states, ostensibly to "protect the children", won't do that and will bring about incredible abuses.

In order to age verify children, obviously EVERYBODY of any age must be verified, for every account, under every name or pseudonym, ultimately on every site no matter how public or private the topic, and before downloading any apps.

Children will find ways to work around this. They'll use the accounts of adults, which will be openly traded. But because these age verification systems must by definition be based on government IDs, the verification process creates a linkage between your account names and your actual identity, subjecting you to all manner of leaked personal information, government abuses (think MAGA in charge), and worse. Firms will claim their systems either don't keep this data or can't be abused. History strongly suggests otherwise, and when courts step in, those firms will have to do what the courts say, often in secret, when it comes to collecting data.

Age verification is in actuality a massive Chinese-style Internet identity tracking project -- nothing less -- and there are many politicians in the U.S. who look with envy at how China controls their Internet and keeps their Internet users under police state controls.

Ralph058 (S/he/it) AF4EZ Mar 26, 2024

@lauren I just wonder how long it will be before they extend it that all sites require IDs because somebody said how batshit crazy they are.

Lauren Weinstein Mar 26, 2024

@Ralph058 Oh yes, that's just a matter of time.

Riley S. Faelan Mar 26, 2024

@Ralph058 Remember when Pumpkin tried to pretend that people already need to present IDs in order to buy groceries?

ಚಿರಾಗ್ 🌹✊🏾Ⓥ🌱🇵🇸 (he/him)Mar 26, 2024

@lauren Absolutely. @emanuelmaiberg of @404mediaco wrote an article about this that I saw today too:

https://www.404media.co/age-verification-laws-will-drag-us-back-to-the-dark-ages-of-online-porn/

Age Verification Laws Drag Us Back to the Dark Ages of the Internet

Invasive and ineffective age verification laws that require users show government-issued ID, like a driver's license or passport, are passing like wildfire across the U.S.

404 Media

Fluffy Kitty Cat Mar 26, 2024

@chiraag @lauren @emanuelmaiberg @404mediaco banger article. I've had these sane thoughts myself

Howard Cohen Mar 26, 2024

@lauren That is exactly what I was thinking. How can you possibly have an age limiting system without a real identity to tie verification to?

Lauren Weinstein Mar 26, 2024

@hoco You can't, of course. And everybody must be identified of all ages, or else you can't identify children as children. And only government IDs will be considered authoritative. These are key points so many people are missing. They assume this all applies only to children. But that's a logical impossibility. It's universal, and ripe for abuse of both children and adults. A tracking nightmare, that government has wished for since the earliest days.

Howard Cohen Mar 26, 2024

@lauren I can not think of any aspect of the internet more fundamental than the fact that it is possible to be anonymous. Despite my utter distaste for how this enables bullies, I know in my heart it would be much, much worse to lose anonymity on the internet.

DarylSomething Mar 26, 2024

@hoco @lauren cryptography (encryption) suffers the same paradox - you have to suffer its abuses, because a government backdoor removes its benefits. You can't remove criminals' ability to have a private conversation without removing everyone's ability to have a private conversation

Stephen Gentle Mar 26, 2024

@hoco @lauren Then again, it’s surprising how enforcing real names doesn’t help much in that respect - plenty of cases of people still bullying people literally to death on Facebook/Messenger posting under their real names (and before they had end-to-end encryption)…

Lauren Weinstein Mar 26, 2024

@stephengentle @hoco Studies have shown this to be correct, yes.

tdietterich Mar 26, 2024

@lauren @hoco I think we need cryptographic digital ids. These will probably need to be government-issued (although perhaps government could license third parties?). Each person could have a collection of digital ids, each of which reveals different information. The base id would just certify that you are a human being. It would replace CAPCHAs. Another could certify citizenship. Another could certify minimum age. Finally, some could certify your full identity. Other use cases?

tdietterich Mar 26, 2024

@lauren @hoco Does anyone know of research or development along these lines?

Lauren Weinstein Mar 26, 2024

@tdietterich @hoco Such systems already exist in some countries, with some spectacular abuses and personal data exposures on large scales as a result. Such complex systems bring with them an array of new failure points and illegal exploitation channels. You really don't want to go there. I've been running the PRIVACY Forum on the Net continuously for over 30 years. Trust me on this one.

tdietterich Mar 26, 2024

@lauren @hoco Given the proliferation of deep fakes, we need some way to certify authenticity. What do you propose instead?

tdietterich Mar 26, 2024

@lauren @hoco I'm trying to learn more about this area. What is a good starting point for learning about the failure modes?

Howard Cohen Mar 26, 2024

@tdietterich @lauren On the one side, anonymity is all that stands between a fascist government and those who criticize it and expose its bad actions. So, that is pretty important. If we lose anonymity then it will be easy to pick out and punish anyone who bucks the system. On the other side it is really a point of reality, that either you are identified, or you are not. If you are identified then things like your age are knowable. If you are not, any age attribute can be forged.

Lauren Weinstein Mar 26, 2024

@tdietterich @hoco There is unfortunately no obvious solution that doesn't cause greater harm than good. It's in much the same category as "Internet voting", which cannot be accomplished without enormous risk to the political system. These areas have all been studied for decades, and key aspects have remained intractable. There are various essays and columns of mine and others covering various of these issues over the years, though I do not have a concise bibliography since there is so much stuff over such a long period of time.

Alaric Snell-Pym Mar 26, 2024

@tdietterich @lauren @hoco you don't need to link to government ID to have a useful ID. What mostly counts online is "Do X and Y have the same creator", eg "Is this another post by this blogger I have come to trust". I don't care about their real name. Public key crypto does that just fine without any government involvement. I've written more detail on this at https://www.snell-pym.org.uk/archives/2008/07/05/identity/

Snell-Pym » Identity

ludiusvox Mar 26, 2024

@tdietterich @lauren @hoco @kitten_tech

It was so complelling of a post I left a comment.

Lauren Weinstein Mar 26, 2024

@kitten_tech @tdietterich @hoco The whole point of the ID push in this context is provable adult status (at least ostensibly the reason). To do that, you have to link to a government ID in most countries, which are the only authoritative source of this data.

Alaric Snell-Pym Mar 26, 2024

@lauren @tdietterich @hoco yep. And although I can see ways a government might make such a system non - terrible (I dunno, a government service that attests if the holder of a private key is under or over 18, if it's given a recently signed-by-that-key permission slip allowing the requestor to know that information, or something), I am also quite certain no government will be able to resist the excuse to justify a pervasive ID card scheme...

Howard Cohen Mar 26, 2024

@tdietterich @lauren If they are tied to you, they destroy anonymity. It isn't the data inside the ID that is the problem, it is that it becomes possible to identify you using the ID. So, encrypting the content doesn't insulate you from being identified.

tdietterich Mar 26, 2024

@hoco @lauren I wonder if there is a way to combine differential privacy with cryptography to achieve some of these goals. Certificate distribution and usability would also be huge challenges, I'm sure. Thank you for your advice.

Lauren Weinstein Mar 26, 2024

@tdietterich @hoco This kind of tech is the quintessential example of how the more complex the system, the more subject it is to abuse and mission creep. And worse.

Matt Austern Mar 26, 2024

@tdietterich @hoco @lauren I'm pretty sure there is no such way. By definition, differential privacy means nothing is linked to any one individual. Literally, that's the definition: what makes it "differential" is that the presence of absence of a single record doesn't affect a query result. (This can all be made precise with probabilities and εs.) You're talking about a token that's tied to an individual, which is the direct opposite of differential privacy

tdietterich Mar 26, 2024

@austern @hoco @lauren The simplest idea: Suppose there is a token shared by a group of people who all satisfy some property (e.g., age). Observing the token doesn't tell you the identity of the person, but only the shared property. I'm sure this is buggy, but perhaps something along these lines can be worked out?

tdietterich Mar 26, 2024

@austern @hoco @lauren I realize this isn't classic DP. And some authority would still need to certify the ages and distribute appropriate tokens.

Tor Iver Wilhelmsen Mar 26, 2024

@tdietterich @lauren @hoco What would be the bearer of these IDs? NFC cards? Your phone? They would also need to be tied to biometrics for verification in some way else they can be lent out to someone easily.

doctorlaura Mar 26, 2024

@lauren @hoco There is at least one solution I know of that does age verification without storing personal information. It is currently being introduced in Europe.

谦宏 Mar 26, 2024

@lauren There is a government maintained baseline on what to censor in China. While this is not the case in America, platforms like Facebook and X are free to censor as they like, and they censor outright antisemitism as much as China censors outright anticommunism.

Free speech is never unlimited.

Lauren Weinstein Mar 26, 2024

@makendo The situations are not comparable, even putting aside that X no longer censors antisemitism or much of anything else under Musk. In China when you violate content rules -- with content strictly monitored along a wide range of different content types -- you may be arrested and simply vanish -- depending on the specific offense. Key to this is the ability to track what every user does at every site. This is specifically what U.S. age verification schemes would ultimately enable, and doing so would be irresistible to either party in control at any given time, under one pretext or another.

John Philip Bell Mar 26, 2024

Oh, and they WILL have to keep the data, meaning ID images and details, either for compliance reasons, or because company legal departments say "we might need to prove some day we verified someone's age".

This is also data-breach heaven, a boon to identity theives and the identity theft industry.

Cave Cattum Mar 26, 2024

@lauren I guess one would be deluded in hoping that legislators, from the same side that claims to distrust invasive gummint, may understand that one can have a zero-knowledge proof of age.

Lauren Weinstein Mar 26, 2024

@fgcallari Nope. Age verification wet dreams are fully bipartisan.

Cave Cattum Mar 26, 2024

@lauren Guess the way to educate them would be along the lines of: what if the next category of websites that are mandated to do age verification were all those that show gun & ammo porn?

Lauren Weinstein Mar 26, 2024

@fgcallari In fact, efforts are already in progress to extend to all sites that might contain "content unsuitable for children." Pretty clear what the endgame is, eh?

DarylSomething Mar 26, 2024

@fgcallari @lauren the cleverest way I've seen for that was an old game (circa 1990) called Leisure Suit Larry that was intended for adults, and it asked you questions you'd presumably have to be adult to answer. I think one of the questions was picking the name of one of The Beatles out of a list. This wouldn't work today, of course, but I can't believe the only other solution is "protecting all the children by tracking all the adults"

david koblas Mar 26, 2024

@lauren This is particularly hard when we're already trying to get everybody to use google for login to help reduce the exposure of password leaks.

Ideally we just have some solid attestation services (see RATS RFC) that can answer the question "over_14_years_old" at get out of the business of collecting IDs or identities.

Lauren Weinstein Mar 26, 2024

@koblas But the unspoken rationale is because governments WANT to be able to do as much tracking as possible. Systems that don't provide that capability (at least under court order) will not be viewed as sufficient.

HTPC NZ Mar 26, 2024

@lauren While everyone is too busy chasing the China bogeyman. American Taliban tells their Afghan cousins "hold my beer", that's who they are trying to one up...

David Chisnall (*Now with 50% more sarcasm!*)Mar 26, 2024

@lauren It doesn’t have to be. There are cryptographic schemes that can give a verifiable attestation of some aspect of identity (for example, age or eligibility for means-tested benefits) without giving a linkable identifier or disclosing any other information.

Unfortunately, there are two problems:

Implementing them correctly is harder than implementing schemes that leak and government IT procurement always seems to hire the least competent people.
There are strong commercial incentives for tracking and so there are business reasons for not implementing these things correctly.

The only way that it can work is if you start with strong privacy legislation that makes the penalties for linking identities much larger than the commercial advantages.

Lauren Weinstein Mar 26, 2024

@david_chisnall Unfortunately, linking identities is a major bipartisan effort now, for all manner of claimed purposes to create an "orderly society".

The Penguin of Evil Mar 26, 2024

@lauren Scammers are already running fake id checking setups because it's training people to give their photo, driving licence, state id and passport pictures to anyone who asked,

Kids already get around it in fun ways. Taking a photo of mummy's passport then asking mum to pose for a selfie whilst actually running the age check app photo step isn't beyond the average 10 year old

Tesmaia Mar 26, 2024

@lauren There are technical ways around it, but it will not be user friendly so even if a good system was built initially, that just normalises it enough to make room for the shitty tracking methods.

enoch_exe_inc Mar 26, 2024

@lauren That’s what I’ve been noticing about the regular Internet for a while now. The Chinese Internet is closed off to the rest of the Internet outside of China because the CPC, rightfully in my opinion, fears foreign interference and surveillance of their own citizens. But, the regular Internet doing this, well, look at the handful of people who own all the platforms and services and tell me if they have such noble intentions.

Lauren Weinstein Mar 26, 2024

@enoch_exe_inc Actually, what China fears is anything said anywhere that might destabilize the Communist leadership. That's the whole ball game.

enoch_exe_inc Mar 26, 2024

@lauren @enoch_exe_inc And those fears were justified given what has been happening to the American democracy.

enoch_exe_inc Mar 27, 2024

@lauren @enoch_exe_inc Through Facebook, a terrorist attack was organised and carried out in China. China demanded Facebook to give them the organisers’ names, and Facebook refused. That was reason enough for the country to give Facebook the boot.

Ernie Smith Mar 29, 2024

@lauren you explained perfectly why I hate this. The civil liberties cost of this measure? Unfathomable.