I have recently been asked by @panoptykon if it was possible to create an online age verification system that would not be a privacy nightmare.

I replied that yes, under certain assumptions, this is possible. And provided a rough sketch of such a system.

But privacy is not the only issue with systems like that:
https://rys.io/en/178.html

#Privacy #AgeVerification #Web

Privacy of online age verification

Songs on the Security of Networks
@rysiek @panoptykon Any "trusted" app is a privacy nightmare. And given the spread of residential-proxy malware I'd expect that any age gate that depends on an app will promptly have a malware-backed bypass service.

@AMS can you please offer a specific scenario of such an attack?

@panoptykon

@rysiek @panoptykon Something like https://www.humansecurity.com/learn/blog/satori-threat-intelligence-alert-proxylib-and-lumiapps-transform-mobile-devices-into-proxy-nodes/ but instead of selling proxy service it sells sending ID verification token clearance. Passes ID tokens to the victim's trusted app as though they visited the site.
Satori Threat Intelligence Alert: PROXYLIB and LumiApps Transform Mobile Devices into Proxy Nodes

HUMAN's Satori Threat Intelligence team uncovered a group of 28 apps that turned user devices into residential proxy nodes.

HUMAN Security

@AMS @panoptykon sure, but the user of the trusted app would still get a notification asking them if they want to confirm their age to a given website.

And to have that trusted app even be able to issue requests to e-ID provider, they would need to log in using this app to the e-ID provider and verify their long-term key held in that trusted app.

I'm sure there are ways to improve on that, but it's not like that kind of proxy service could operate in a clandestine manner.