Hacker News

The article talks about the possibilities of malicious cloning of these tokens by third parties, but fails to identify the much more common use case, and one that makes this scheme useless for age verification.

It's one thing to be concerned about someone stealing my credential, but another to prevent the transfer of these credentials, especially if they are limited use credentials.

The entire point of age verification systems is to prevent minors from accessing certain resources. I think we all know that this is basically impossible; but what these various governments and social media companies want to do is to make it high friction to do so.

The highest friction version of this is that the credential ties to a real world identity somehow; maybe locked behind legal barriers, etc., but if a minor is caught using someone's credential, then the person whose credential they are using can be investigated, and, if necessary, charged with a crime roughly equivalent to providing alcohol to a minor. Without the possibility of real world enforcement, none of these identity solutions can possibly work.

Keep dreaming of a technological solution -- there is none that does not lead to the world that FIRE is warning about, except to accept that we can only make a solution "good enough" and leave it at that, without expanding into full on identity verification. The solution here is likely to just try to provide better abilities for parents to monitor and limit their children's use of the internet. Let individual parents decide on the level of harm that they are willing to accept, and accept that there will be ways to work around this even if parents are vigilant, but just try to reduce it on the margins.

There is a much easier solution that already exists - parental controls on children's devices. I honestly don't understand why is it not solving the problem?

Yes, parents are responsible to set this up. But parents are also responsible to lock their alcohol, drugs or guns, condoms, etc., and many other things.

Perhaps parental controls are not good enough? That's where the regulation could genuinely help - require child-certified devices to implement minimum set of parental controls, and make them easy to use.

I've noticed that tech people will respond to an encroachment on civil rights with a technological alternative. I think this is a mistake, because the excuse is presented in bad faith, and to present an alternative is to accept their framing. The correct response is something to the effect of "I know what you're trying to do, fuck off."

I wouldn't trust governments, today or in the future, to keep such a system private and I don't see a foolproof way of building some kind of audit mechanism into it to make sure the data is always truely private.

I've also always been curious how a truely anonymous identity verification could possibly work. At best for age verification, I could be given some kind of token that would still have to verify my age and be verifiable with a central authority to ensure my token is valid. The central authority could always keeper records of my token, revoke it whenever they please, and every entity that can verify the age associated with, or embedded into, the token knows at least some of my PII.

>Modern versions of this technique allow one to associate metadata (like a proof of age exceeding a threshold) in such a way that the verifier can't even correlate repeated requests across users.

If it's unlinkable, what's preventing someone from setting up a site that hands out anonymous tokens for anyone to use?

EU is (trying at least) go in that direction with Zero Knowledge Proof:

https://ageverification.dev/Technical%20Specification/archit...

As you say, it's doubtful governments want it to be private. So we should expect them to not use these kind of elegant solutions, and the public is generally not sophisticated enough to distinguish between the options already.

I don't think they are serious about privacy and even if they were I don't even want to distinguish between "children" and "adults" on the internet. Things seem to have worked fine up to this point, there doesn't appear to be a public demand for age verification, rather some murky corporations/NGOs/agencies pushing for this. I think it's pretty clear there is some other intention besides protecting children that is the goal here.

The problem is that you still have to trust something you don't control and can't verify that the technological solutions are correctly implemented and applied.

Zero Knowledge Proofs are worthless for this.

Either they validate so little information that a single homeless person can authenticate the entire country or they validate so much information as to not have a significant privacy guarantee.

There is no in-between for ZKP validating someone's age.

Both Governments and industry players are, in actuality, interested in and moving in this direction, for some use cases. ex https://docs.withpersona.com/relay

None of this is really about age verification, the goal is for it to be invasive so a real ID can be connected to every piece of speech online.

Governments are serious about knowing who’s doing what online, and all this age verification is just an excuse. It will also raise the barrier to entry for newcomers in the market, so it’s convenient for platform owners as well.

> There are at least some technological solutions here, such as anonymous credentials.

Identity verification is busy being rolled out across the entire developed world right now, and I have yet to see or hear about even one single mention of anonymous credentials in the discussion of any of the laws.

>There are at least some technological solutions here, such as anonymous credentials.

Technological solutions for what problem?

> There are at least some technological solutions

I think the main takeaway is that the concept of such verifications is fundamentally incompatible with privacy. Today we have a simple "are you an adult" check but who is to say we wouldn't want further levels of segmentation (legal age to drive, age to allow health insurance etc)?

And this just one signal. Nobody likes the EU cookie/consent prompts but what they've shown us is that most websites are perfectly happy to fingerprint you the moment you step on their pages, and then share/broker your activity with hundreds and thousands of "legitimate interest" partners of theirs.

So the real-world equivalent of this situation is that you walk on the street and whenever you need to wait for a traffic light, board a bus or the tube, go into a shop, etc... you have a security person who needs to faceID(or fingerprint) you and make you wait until they find a match of your profile... and then they ask you to present your ID (which you have to carry at all times) but hey, it's private because you need to enter your PIN for them to read the chip.

No. The point of these initiatives IS TO GET ID, not to protect children.

Anonymous credentials don’t allow the state to retaliate in the dark of night against protected expression that they don’t like. Anonymous credentials do not allow for that, so they are irrelevant.

Yep, there are a variety of ways this can work well, but the overwhelming 'vibe' here at HN is a) that the tech is too complex and b) that governments actually want to end privacy anyway for their own nefarious reasons.

I find 'a' amusing as we'll often see in the same conversation that users appeal to parents to take responsibility and lock down their kids' access to things, as if that's trivial for non-tech folk and foolproof. It's also silly because the user interface to such a system doesn't need to show all that complexity.

And 'b' is often supported by some out of context quote that at first glance looks incriminating but doesn't actually mean much.

The saddest thing is that the article you link addresses most of the objections people have brought up in the thread, but few have read it.

This seems to come up in every discussion, in practice it’s irrelevant both because it’s too complicated for normal people to understand, and because the point of all this nonsense really is identification so anything that defeats that will be a non starter.

According to the article:

> Australia does order that personal information collected for age verification “must be destroyed once all purposes have been met.”

Most likely there's some huge breach where all the IDs are stolen and resold, which would maybe fix this problem while creating a bunch of others.

The biggest angle for me is censorship. You associate your online identity with your legal identity, there is no longer any recourse if you are banned from a platform. You could easily be arrested if your posts are determined to be 'offensive' in some manner considered to be in breach of the law, or simply have no ability to rejoin a platform under a new identity, or have identities across multiple platforms banned in parallel.

I've found that many people are actually in favor of these when they believe that it will only be enforced against people they disagree with. I'm hoping that people will be more likely to listen when they realize that their enemies may in future be able to get into power and change the definition of what is 'offensive', 'misinformation' or 'disinformation' to their own personal opinions.

> privacy advocates need to be much more specific

I'm starting to think we need to lean on conspiracy theories in order to get broader population on train with this - and I'm saying this in utmost regret. That's a borrowing game from a right wing/extremist playbook.

Start with this: requiring IDs online is a first step in micro-chipping the population.

...or how about this: marxists/atifa/nazis/zionists/islamist/whoever-group-people-think-is-in-power want to erode your privacy online so it can be used against you. Some nefarious group what to know your every move!

...or how about this: remember Epstein files!? Well the pedos now want to id your children online!

I simply saying truth/evidence/rational based approach to this will not get people attention. People just don't care.

I think it is going to be the time to get off the internet in general, as much as possible

Sadly your take doesn’t matter since the other voting bloc is parents and people concerned about their kids.

I wish this resulted in techies spending more time to look at the substance of the harms playing out, however I see denial of the situation altogether more than anything else.

> these systems expose you to coercion, extortion, blackmail, ID theft, etc. by criminals and immoral people

I'd prefer to have safety from that regardless of privacy.

I think privacy is a stopgap semi-solution to those problems that might lessen the pressure to actually solve them in a reasonable manner.

I second this. Get off the net and away from the established society and into the parallel ones

Which is precisely why powers will try to make all these illegal

I have been slowly moving towards that for a decade or two now. I still do some internet stuff (mostly here) but it is greatly diminished. The rest is just at work.

agree with most of what you wrote but "Find like-minded people and meet in person." this is where things can escalate

Got to the same conclusion. Guess I will go back to in-person only, and lots lots of time away from devices (which I already have).

Renting and work already require ID in the UK. Every landlord and employer is supposed to take a copy of original documents proving the right to rent/work in the UK. Technically you can do that without handing the docs to the government, but there's less potential liability to do so via the Home Office website.

Here in Australia we already have the first part of 1 then most of 3,4,5. We are almost there. And you thought our wildlife was the torment nexus.

Its a tragedy of the commons situation. The benefits of being offline are dampened by the kid being out of the loop

This isn’t about children, mate. It’s about controlling the population’s access to content.

The children are fine. Many countries no longer allow smartphones at school, which lowers the peer-pressure factor to be online.

Parents are doing their best to steer kids. But these pesky adults, goshdarnit, they access whatever content they want without approval from The State, potentially reading dissident materials, borrowing 1984 from libraries… politicians don’t like that.

I agree, I think kids should have limited access to the internet. I pretty much did and it worked out for me but I have seen so many reports about it causing harm in schools and personal life. (Specifically I think LLMs should not be used in education also, but different point) However, I think the main problem people have with this "think of the children" narrative is that it will force EVERYONE to give up their credentials to access the internet, not just kids. And the general consensus is that we as adults do not want to and should not have to prove our identity to access the internet.

That's their parents' decision to make, not yours.

I mean its only a hope and a skip away from having to validate ones age to turn on the router.

Unfortunately I don’t think it has the public’s attention, it’s still very niche. Nowhere near enough to change anything yet.

I like your spirit :)

Most folks already know the internet is not a safe place to express political thought. The powerlessness the public feels is obvious.

It won't be an issue until mainstream media makes it one. Since the media is owned by right wing billionaires, that media will reflect the biases and interests of those billionaires - many of which own internet platforms that would benefit from knowing the exact identity of every single user.

>I’m glad this is finally becoming the cause célèbre du jour.

It really isn't, though. Don't mistake the internet for reality. The majority of people in the US and Europe support laws like these, and most of the rest don't care.

Even on Hacker News the consensus is mostly in favor of anything from age restriction to making all social media illegal.

This is 100% wrong. Privacy has been the norm every time someone wandered a week by feet from home, or sent a letter. Famous authors published for a whole lifetime under pseudonyms.

We are living in a panopticon that never existed before.

This is much bigger than online privacy. It is about survailance and control of society. And possibly even a completely new society. Or a splitting of society into groups...

But to your point on anonymity. That has been protected in letter writing e.g. and also privacy has been considered a human right. Until now...

But maybe you have a point in saying that no temper tantrums are needed.

You see, when the governments are outraged that they can't monitor all facets of communication or are disallowed from using their shiny new ways to automatically observe and categorize billions of datapoints to automatically surveil-by-default millions of people, that is called having serious doubts and grave concerns, very important stuff. When the people are outraged that a freedom they've enjoyed for several decades now, many growing up with them, are taken away, that is called throwing a toddler temper tantrum, how abhorrent. Why can't you just be reasonable and compromise will all these legitimate concerns that they somehow didn't care about in the last 30 years? Stop protesting or being angry, you need to sit at the table and have a 'serious discussion' (in 100% of cases when this is brought up in this tone, that means "give endless concessions and compromises to make them go two steps forward, one step back - just give them everything they want, but incrementally this time!")

How do you define remote privacy? Beyond a few decades ago I could use a phone booth and pay in coins.

> REMOTE PRIVACY NEVER EXISTED BEFORE A FEW DECADES AGO!

That is plain wrong.

You could absolutely send a letter anonymously without showing your ID. You could use a phone booth without showing your ID. Increasingly more countries demand ID verification for such things like getting a SIM card that used to be remote privacy.

But much more importantly you are making a false differentiation between 'remote' and local privacy. Before the internet that made some amount of sense. What you do in the locality of your home is private and what you do in public is not, such as buying a book in a store.

However two things have fundamentally changed since then:

1. This difference largely does not exist anymore. Things that used to be in your home and private and are now in some way or another in internet connected computers that act as surveillance devices. Your movie and book library used to sit on a bookshelf in the privacy of your home and only you would know when you watch a movie. Today it sits on Amazon's or Netflix servers and they know exactly what and when you watch and read. In fact turning the digital library you "bought" into something you own by converting them into a format you can store locally and use without restrictions and surveillance (local privacy) is illegal and punishable with jail time under the DMCA.

Notes written in a note book used to be local privacy, now they are written on a computer that automatically, without consent uploads them to "the cloud", a server controlled by a large corporation that acts as a panopticon for the state.

I could go on forever. Our lives are increasingly digital. That in itself would not necessitate being "remote", but in reality that is what follows, because people do not control their devices. Instead these devices are surveillance appliances controlled by corporations and increasingly the state.

2. Technology did not just enable the means for more anonymity, but also for a completely new, fundamentally different level of automated, all encompassing surveillance.

Before the internet you went into a store and bought a book with cash. You were not anonymous in the strict sense, the cashier could see you and might even recognize you, but you did not have to show your ID for everything you buy. The cashier did not create a log with your legal name and all the items you bought. Sure, the cashier might know you bought that book, but no one else did. There was no central surveillance log of every purchase accessible to corporations and the state.

Today credit cards are exactly that. Many countries have begun attacking cash as part of the war on privacy. We are heading towards a world where you effectively have to show your ID for absolutely everything you buy and every purchase will be logged.

CCTV is old, but the footage used to sit on tapes in the possession of individual stores and tracking someone's movements with this was a massive amount of work that would only make sense for specific investigations like murder cases.

Now CCTV is everywhere and systems like Palantir collect them all in a central system that logs everyone's movements all the time. The government can just search for "people who met with X in the last month" and get a log of all these people, their complete movement profiles, the people they met with etc.

Letters weren't exactly well protected, but no one would read your letters because it was infeasible. Now we have the infrastructure to automatically read all messages sent by anyone and the government can just get notified of anyone who voices in private communications that they do not like strawberries or the ruling political party.

Western democracies are building the wet dream of the Stasi, something that just a few years ago was supposedly an authoritarian dystopia and our great enemy. We were supposedly so much better than the bad guys of the Stasi. Now we are building a future where we are still different from the Stasi, because we are making it outdated.

Yup, demoractic governments existed before the internet and repressive dictators have risen with it.

The idea that being anonymous online will save a society from a dictator/repression is wishful thinking.

Only good faith engagement with an existing democractic system will ensure the success of democracy, but that is too hard for most poeple.

99.9% on anonymous engagement online is bad faith.

Better, official link https://papersplea.se/ since it has been released on multiple platforms

Do you think there could be legislation that prohibits use of tor and mesh?

Only if it can be turned into gray market business: additional layers of proxies and VPNs, and whatever new is invented.

As simple "I care about privacy" need is not a reason to bother with setup for a regular person. So it could work only if it's as easy, as current internet. And for profit businesses provide it.

As for another protocol all together: there are some experiments already, but again, why use those?

No. Tor does most of this and the number of users is trivial.

only for a short while longer. US, EU, China, and Russia are all on the same page about you-vill-ovn-nothing-und-you-vill-be-happy kind of future, and they will bully the rest of the world into compliance.

Haha stop already friend

> Soon you'll need a passport to read a Wikipedia article

Hopefully you'll need a passport to edit a Wikipedia article, since they can't be bothered doing anything about all the neckbeards writing them.

Yes I fear this is true. It does not sound like progress ;(

Renaissance of LAN parties and SneakerNets?

None of this is necessary. First, the only devices that actually need to be gated are cell phones.

The user agent should simply send the user’s age of the parental lock is set up and the websites required to respect this.

Parental controls and the OS should be robust enough to not let kids bypass it (e.g.: by installing a browser that skips the header, or blocking proxy websites)

Done.

Cellphones only because those are the devices kids can have on them all the time and can easily use in private unsupervised.

They want it to equal identity verification! When virtually every top tech executive who wants a favor is at the inauguration and you have companies doing 180 degrees on support for something they previously furiously opposed, someone is getting something they wanted. It seems naive to think otherwise. Furthermore, the current administration in the U.S. fired or ignored the competent people to which you’re referring, and those people oppose a centralized repository of various metadata because it creates a central point of failure, otherwise known as a target, that is generally a bad idea for both our nation and our citizens. Of course there are agencies in the federal government that possess this information already, but they possess it for their purposes only. This is good because it means that it’s both more difficult to abuse internally in addition to being more cumbersome to collect externally.

It's a political problem, not a technical problem.

Yeah this is a basic problem that's been solved since the advent of PGP. As many other posters have said, this isn't about age verification.

There's still a whole DB matching IDs to keys waiting to be leaked. The US government can't even keep it's own personnel records safe and you think this won't get stolen and used to target people?

This still criminalizes sharing "adult" information with people who are not on the government's approved list (the things states do to crush dissent are not safe for children.)

why would any site on the internet need to give a damn about is_citizen? That's just gross to me at the mere suggestion. If it's a government service site, then they already know that information. If you're trying to use something like social media, then it couldn't possibly matter less.

doesnt' impact the author's original meaning.

How is hitting the library an act of rebellious defiance? Getting a library card requires an ID and proof of address. The library then tracks which books you've signed out. Unless you're reading the books inside the library without signing them out.

Do you know any librarians? Public libraries have always been a bit punk rock.

"just"?

It is fine in some cases. But what is at stake here is not identifying yourself in a couple of common sense situations.

It is enabling control infrastructure for governments whom are becoming increasingly undemocratic in a society where the elite gets more and more influence and where the middle class is becoming ruined.

Thought experiment: How do you get a phone or electricity in the most impoverished, backwards parts of the USA?

You need to identify yourself to the phone and electricity utilities so they know where to send your monthly bill. My ISP knows my name because I pay them for connectivity. I am okay with this.

If I misbehave here, dang can just ban me. There's no reason HN needs to know my real name. The only reason to mandate blanket age and identity verification is to control online speech.

You aren't required to identify yourself to get a phone. You can get a prepaid phone with no ID.

You are required to identify yourself for an electricity account because it is essentially extending you credit. You use the electricity first, and then they bill you for it later. They also only identify the person who is receiving the bill. You could have a house with a dozen people in it but the electric company only knows the name of the person responsible for the bill.

You are free to identify yourself on the internet right now. People who are intelligent and/or believe in freedom and free speech are opposed to this authoritarian power grab.

The government is largely incompetent about proactively sifting through vast amounts of information for relevant bits.

That’s minimal defense, but it’s worth remembering the difference between what it in theory knows and what its actually paying attention to.

If they already know everything, why is there always a push toward adding friction to the process they already know everything about?

There is a difference between the NSA knowing and being every petty burocrat being a trivial administrative subpoena away from everything.

We could try investing in positive infrastructure that improves peoples life's in stead of creating the panopticon torment nexus. Things like third spaces where people can spend time is save spaces where they form communities and public transit so that people can get to those places. Incentivize positive behaviors instead of closing off public spaces and pricing more and more people out of being able to do anything with the minuscule amount of free time they have besides going on the internet.

> including the half ass Australian solution.

It was designed to be half-arsed so Digital ID can come along and save the day. Australia's Digital ID opens up to the private sector on 30 November.

And yet as the article mentioned, the "problem" is a lie... an excuse to justify the surveillance state.

Unrelated, but you remind me of how absolutely useless ad technology is. The literal second I cross the border into Spain on holiday all I see is completely Spanish ads for stuff I never heard of and aren't even appropriate for my gender. This is for a ten year old YT account that basically knows everything there is to know about me. Even when I continue and look for English videos they keep shoving Spanish bullshit into my face.

Even at home I still get ads for music festivals, shoes and toothpaste, none of which are withing a thousand yards of my personal preference. The times I saw an ad for mechanical keyboards, interesting APIs, IDEs etc I can count on literally one hand and that's being online for decades.

iPhones' builtin autocomplete, Netflix and Spotify's recommendations all have robbed me of the illusion that smart people are actually working on this problem. If they are, it ain't working. The money printer works but not because of clever tech. YT's ad tech basically boils down to a geolocation of IP and I sometimes even question that.

It’s not just kids. Adults are having their brains fried on AI generated political videos online right now. The state of the internet is an absolute disaster.

Parents taking responsibility for their kids.

I grew up in a neighborhood full of drug dealers. Street sellers, not the classy Walter White kind.

Ironically being on a computer all day kept me out of trouble.

But with these laws in place I guess you might as well start doing stupid ish in real life.

Most people want to operate within the boundaries of their society.

A simple G/PG/PG-13/R header for websites would solve 97% of actual issues anyone could care to present. (violence, porn, etc)

Forcing people to identify themselves will not solve skinner boxes, gambling-for-children, focus-degrading slop, etc.

Bluey-themed slot machines are still harmful.

The simplest cure, even though it is US law but would also benefit the UK, would be to repeal Section 230 safe-harbors when the platform uses an algorithm to curate content. If they are covered by the "safe harbor" then they are not responsible for the content. Otherwise, they'd be liable for libel/defamation/conspiracy stuff.

https://en.wikipedia.org/wiki/Section_230

A "safe harbor" is a section of the law where they basically say "as long as you do X, those other laws won't apply". https://en.wikipedia.org/wiki/Safe_harbor_(law)#

>Tech companies should ignore it and just publicly name whoever attempts to prosecute them

The most powerful tech companies are in favor of this.

The internet is not free. We've been running out of IP addresses for ages and most people don't have direct internet access these days so are completely dependent on man-in-the-middle servers. All it would take is a broad ban on VPN and end-to-end encryption. Governments have been wanting to ban strong encryption ever since the public got access to it in the 90s (see PGP/Zimmermann).

Freedom of speech is contextually misunderstood. It's about political speech and the commons. Social Media is overwhelmingly private space, subject to contract terms and conditions. It may be a de-facto commons to some people but I do not believe this axiomatically, or legally makes it so, for the purposes of law and constitution. Law and constitutional bounds on speech online hit the international nature of the media very quickly.

Extra-territorial issue are huge here. What is the limit of the boundary on a given nations constitution and law? How much does the economy of the user, the hosting company, the owning company, the receiving parties matter?

Social Media has advertising and publishers. It has people who can effect editorial control over what is seen and by who and to who it is "said" -And that imposes obligations on them, and on people lodging content. Differentially depending on their economy, the reach of law, registration of legally incorporated entities.

All of this is being implemented somewhat haphazardly internationally, enforced differently, subject to legal and financial and social pressures differently depending on the times and the context.

If you want to ask questions about America, about Americans, using American companies, speaking to Americans, believe me you don't neccessarily have a simpler task here. It may well be clearer to some of you, but to me, its just as fraught.

It's just not clear to me "free speech" is the bastion rule which applies here. The EFF may think so, I don't think they have actually demonstrated it all the way to the end.

Have you ever heard the joke, how do you know if someone does CrossFit? Don’t worry, they’ll tell you

In my experience Trump supporters aren’t exactly quiet about it.

> ...you should be forced to identify yourself for posting...

The Supreme Court has repeatedly held that the right to anonymous speech is inherent in the first amendment [1] [2]. See also The Federalist Papers or Common Sense, without which the US might not exist at all.

[1] https://www.law.cornell.edu/supremecourt/text/362/60

[2] https://www.law.cornell.edu/supct/html/93-986.ZO.html

I disagree because the people who have the most important things to say have the most to lose by saying it.

Also anonymity can actually improve social media polarization (see Chris Bail’s research)

> My privacy is already decimated. For 2 decades we’ve already known about the NSA slurping up everything[1] on top of the Snowden leaks.

If you were correct, there would be no need for them to push these new laws. The fact is, you will have less privacy after these identification requirements are fully enforced.

Mate, you have to revise your stance on Russia, more people are imprisoned annually in the UK for speaking than people in Russia in a decade. The UK banned RT while you can access any western propaganda outpost from within Russia.

You’re on Hacker News, this website is known for attracting open minded free thinkers that do not fall under the influence of government financed propaganda. Learn and reassess your thoughts.

If it was just social media and pornography, I wouldn't be too bothered but it's not.