Keeping kids safe online is a top priority.
-
@david @bjoreman @HennaVirkkunen that site somehow doesn't seem to work here. But in general, these proposals fail, because sites can regularly probe for age brackets. If you do this on a regular basis, you can figure out someone's birthday.
E.g. if 12 years is a bracket boundary, the day that age gets attested is the birthday of the kid. Even more likely because someone is more likely to check close after their birthday to unlock some site/functionality.
Excuse me Daniël, but I don't understand the problem. Wasn't the goal to prevent people under the legal age from accessing the service? Once that was achieved, what's the failure?
CC: @bjoreman@toot.cafe @HennaVirkkunen@ec.social-network.europa.eu
-
Excuse me Daniël, but I don't understand the problem. Wasn't the goal to prevent people under the legal age from accessing the service? Once that was achieved, what's the failure?
CC: @bjoreman@toot.cafe @HennaVirkkunen@ec.social-network.europa.eu@david @bjoreman @HennaVirkkunen The problem with most age attestations is that you can work out someone's birthday by keeping track of past attestations. When the attestation changes, someone had their birthday, thus the attestation gives away information that someone might not want to reveal.
This gets worse with implementations with which you can test age brackets (different age brackets under 18, to allow some content).
-
@david @bjoreman @HennaVirkkunen The problem with most age attestations is that you can work out someone's birthday by keeping track of past attestations. When the attestation changes, someone had their birthday, thus the attestation gives away information that someone might not want to reveal.
This gets worse with implementations with which you can test age brackets (different age brackets under 18, to allow some content).
@david @bjoreman @HennaVirkkunen So, the problem with age verification is that it is yet another attack on privacy. Not surprisingly, behind the scenes Meta is pushing this a lot through various sock puppets.
-
@david @bjoreman @HennaVirkkunen So, the problem with age verification is that it is yet another attack on privacy. Not surprisingly, behind the scenes Meta is pushing this a lot through various sock puppets.
@david @bjoreman @HennaVirkkunen Also, age verification is strongly detrimental to open source and your freedom to choose your OS.
Most implementations of 'anonymous' age verification require remote hardware attestation (eventually), because otherwise you can manipulate the app/process that partakes in the attestation.
Mandatory remote attestation is pretty much the end of free OS choice, because you running your own non-approved software will shut you out of services.
-
@david @bjoreman @HennaVirkkunen Also, age verification is strongly detrimental to open source and your freedom to choose your OS.
Most implementations of 'anonymous' age verification require remote hardware attestation (eventually), because otherwise you can manipulate the app/process that partakes in the attestation.
Mandatory remote attestation is pretty much the end of free OS choice, because you running your own non-approved software will shut you out of services.
@david @bjoreman @HennaVirkkunen Age verification + remote attestation is big tech's pipe dream. Google can already shut out competing systems from phone NFC payments, because pretty much every bank only supports Google/Apple Pay and Google doesn't attest alt-OSes.
Remote attestation of websites would be another level, making it practically impossible to live outside the Google/Apple duopoly.
-
@david @bjoreman @HennaVirkkunen Age verification + remote attestation is big tech's pipe dream. Google can already shut out competing systems from phone NFC payments, because pretty much every bank only supports Google/Apple Pay and Google doesn't attest alt-OSes.
Remote attestation of websites would be another level, making it practically impossible to live outside the Google/Apple duopoly.
@david @bjoreman @HennaVirkkunen For these reasons, Europeans should outright reject age verification.
Yes, I know it is difficult when kids can pretty much access anything, but as parents we have to find better ways than those that further kill privacy and entrench big tech players.
-
@david @bjoreman @HennaVirkkunen Age verification + remote attestation is big tech's pipe dream. Google can already shut out competing systems from phone NFC payments, because pretty much every bank only supports Google/Apple Pay and Google doesn't attest alt-OSes.
Remote attestation of websites would be another level, making it practically impossible to live outside the Google/Apple duopoly.
-
@david @bjoreman @HennaVirkkunen For these reasons, Europeans should outright reject age verification.
Yes, I know it is difficult when kids can pretty much access anything, but as parents we have to find better ways than those that further kill privacy and entrench big tech players.
@danieldk @david @HennaVirkkunen Yeah, it’s not like there are no tools today for parents to control what kids can access.
-
We say this loud and clear: online platforms are responsible for protecting minors, and they need to do more to deliver on this responsibility.
The full press releases:
https://ec.europa.eu/commission/presscorner/detail/en/ip_26_722 https://ec.europa.eu/commission/presscorner/detail/en/ip_26_723@HennaVirkkunen and I have said it loud and clear too: protecting your children is the prime responsibility of parents and the tools to do so have become easier and easier to use and implement.
Apart from that what is a minor?
Apart from that, what’s the scientific evidence of seeing porn in the age bracket of say 12 to 18 is damaging? There is hardly any.
Apart from that, read the comments of @danieldkok@mastodon.social
Because he is right and knowledgeable. -
@david @bjoreman @HennaVirkkunen For these reasons, Europeans should outright reject age verification.
Yes, I know it is difficult when kids can pretty much access anything, but as parents we have to find better ways than those that further kill privacy and entrench big tech players.
We're talking about very different systems. In Spain, for the past 82 years, all citizens have had an official identity document issued by the state. This document contains an electronic certificate that allows us to identify ourselves online to government agencies. With this type of infrastructure, a neutral state point is viable, one that simply certifies and responds with true or false to the legal requirements of any particular online service. The online service does not receive any other information than the complaining (or not) of the person on the other side of the connection with law requirements. No other data have to be shown or saved.
I don't see the connection with free software because I'm not aware of any legal restrictions on using free software repositories by underage, and I cannot imagine it as a political possibility.
CC: @bjoreman@toot.cafe @HennaVirkkunen@ec.social-network.europa.eu
-
Keeping kids safe online is a top priority.
Today, the Commission has preliminarily found porn platforms Pornhub, Stripchat, XNXX, and XVideos in breach of the Digital Services Act for allowing minors to access adult content.We’ve also launched investigation into Snapchat under doubts that the platform has failed to adequately protect minors from harmful content, grooming, and illegal products like drugs and vapes. We also suspect that they have failed to verify users age sufficiently.
Forcing consumers to reveal their identity to data abusers keeps no one safe, not children, not adults. Breaking and bypassing privacy technology actively makes the Internet less safe. Curtail data brokers and abusive targeted ad industry, regulate and monitor what GDPR already legislated.
@HennaVirkkunen -
We're talking about very different systems. In Spain, for the past 82 years, all citizens have had an official identity document issued by the state. This document contains an electronic certificate that allows us to identify ourselves online to government agencies. With this type of infrastructure, a neutral state point is viable, one that simply certifies and responds with true or false to the legal requirements of any particular online service. The online service does not receive any other information than the complaining (or not) of the person on the other side of the connection with law requirements. No other data have to be shown or saved.
I don't see the connection with free software because I'm not aware of any legal restrictions on using free software repositories by underage, and I cannot imagine it as a political possibility.
CC: @bjoreman@toot.cafe @HennaVirkkunen@ec.social-network.europa.eu@david @bjoreman @HennaVirkkunen
You are missing my first point, even if an age attestation method does not reveal the birth date, you can infer the birth date from it because some day the attestation will flip from 'false' to 'true'.
Second, Spain is piloting the EUDI Wallet for age verification, which will implement remote attestation:
SafetyNet and integrity checks. · Issue #42 · eu-digital-identity-wallet/av-app-android-wallet-ui
Please replace SafetyNet and Play Integrity with bootloader and root checks on Android ASAP.
GitHub (github.com)
-
@david @bjoreman @HennaVirkkunen
You are missing my first point, even if an age attestation method does not reveal the birth date, you can infer the birth date from it because some day the attestation will flip from 'false' to 'true'.
Second, Spain is piloting the EUDI Wallet for age verification, which will implement remote attestation:
SafetyNet and integrity checks. · Issue #42 · eu-digital-identity-wallet/av-app-android-wallet-ui
Please replace SafetyNet and Play Integrity with bootloader and root checks on Android ASAP.
GitHub (github.com)
@david @bjoreman @HennaVirkkunen On the point of using identity documents directly: either you have to send the signed attestation to the site/app for verification, which would deanonymize you; or some gatekeeper like a government site would have to do it and give the result to a site/app and in that case the gatekeeper knows what apps/sites you are using, which is a huge privacy invasion. Also doesn't protect well against a kid using someone else's ID to verify, so it's mostly security theater.
-
@david @bjoreman @HennaVirkkunen On the point of using identity documents directly: either you have to send the signed attestation to the site/app for verification, which would deanonymize you; or some gatekeeper like a government site would have to do it and give the result to a site/app and in that case the gatekeeper knows what apps/sites you are using, which is a huge privacy invasion. Also doesn't protect well against a kid using someone else's ID to verify, so it's mostly security theater.
@david @bjoreman @HennaVirkkunen At any rate, Mastodon is too short a format to go into the details of issues with ZKPs for age attestation, so some useful pointers:
The limits of zero-knowledge for age-verification | Brave
ZKPs are often advanced as a technical remedy, promising privacy-preserving attestations of age or eligibility. Yet their deployment in practice exposes both conceptual and practical limits.
Brave (brave.com)
Zero Knowledge Proofs Alone Are Not a Digital ID Solution to Protecting User Privacy
In the past few years, governments across the world have rolled out digital identification options, and now there are efforts encouraging online companies to implement identity and age verification requirements with digital ID in mind. This blog is the first in this short series that will explain...
Electronic Frontier Foundation (www.eff.org)
-
Keeping kids safe online is a top priority.
Today, the Commission has preliminarily found porn platforms Pornhub, Stripchat, XNXX, and XVideos in breach of the Digital Services Act for allowing minors to access adult content.We’ve also launched investigation into Snapchat under doubts that the platform has failed to adequately protect minors from harmful content, grooming, and illegal products like drugs and vapes. We also suspect that they have failed to verify users age sufficiently.
@HennaVirkkunen If some of the companies/services violate/fail laws or rules, you need to sanction them, not violate users privacy. It's that simple.
-
R relay@relay.infosec.exchange shared this topic
