Where are the photos of the document processed though? And if not on the phone itself, is the server backend open source as well? Can I self-host it? And is the data which is used to generate certificates deleted immediately or stored in the backend? I have questions.
It probably just uses the EU eID system. That uses NFC and not any camera pictures whatsoever.
The ZK proofs should be generated locally on whatever device you are using. It won’t be any actual photos, it’ll likely be NFC, it depends on verifying the cryptographic signature has signed the data you are trying to prove, and an image doesn’t have that.
When I scan the QR code on my phone, it actually launched my country’s own eIDAS app. The EU verification app looks more like an application of eIDAS, data is stored on your national ID card, that’s it.
Agreed.
It sounds like a better solution than sending photos of ID documents anywhere and everywhere, but at the same time it’s not really different, it’s just centralized. It removes other vectors of privacy breaches, but it doesn’t remove the possibility of a breach entirely.
Just stop requiring age verification to protect an open and anonymous internet. If governments are worried about what kids are doing online, start charging their parents with neglect, because they’re supposed to be the responsible party for their kids’ behavior.
To be honest, I simply wouldn’t feel comfortable storing this data on the third-party servers hosted on hyperscaler infrastructure. That probably works for most but I’m not keen on a Telekom / AWS combination there. The regulation itself is a totally different discussion. There’s arguments both in favor and against and I don’t really wanna judge that here. I’ll say though, that IMHO the OS level is totally the wrong place to do it. Just gives large non-European companies a powerful bonus datapoint.
Disagree. Parents apparently cannot oversee the harm they are causing. And the social pressure is too high. So it needs to be regulated.
Not my problem.
Then that’s still the parents’ fault, IMO. If you can’t teach your child to use the internet safely and responsibly, or adequately monitor the services they use, then you don’t give them internet-enabled devices.
Imagine if instead of the internet, we were talking about going out after dark. A few kids go out and do stupid things at night, but instead of blaming the parents who let them out unsupervised, we set a national curfew for everyone unless you obtain a nighttime permit from the government. Does that sound reasonable?
Sure it’s the parents’ fault. The discussion is not whose fault it is but the result. Which means → regulate it.
Your comparison with going out after dark is totally off. It’s much easier to monitor if the kid is in the house than if they access a website they shouldn’t.
Just to blame the parents is too easy. There’s a reason why porn, alcohol, and cigarettes are not allowed to be sold to minors in shops. What you’re asking is that parents shouldn’t allow their kids to go to shops, just so you don’t have to provide proof of your age to access alcohol in your local shop.
More and more of our lives are online and I totally see why we need to do proper online verification for some things.
Agreed. The “parents are to blame” crowd is insane to me. How are you gonna control what your kid does on the wifi hotspot Derek in the last row on the school bus created?
The app (open source, cross platform, completely local, no photo ID, no 3rd parties involved) only provides sites with a yes/no on “is person over 18?”, via an on-device ZKP.
So good luck pitching a solution that is more privacy friendly than this, because this is pretty much the perfect solution. I’m honestly elated that the EU is releasing this, because it means I’ll NOT need to deal with privacy-nightmare situations like in other countries where legislation came before a technical solution. This lays a fantastic baseline for the EU to force companies to use THIS solution for age verification, essentially killing the data harvesters dead.
The article says the document is not sent to a third party, most likely it uses info on the passport (NFC, not photo) to generate a proof that the holder is an adult.
Photos?
I’m fairly certain the app will use the NFC feature of your ID to verify age and only age. Everything else would be a gross violation of privacy, it does not need to store anything else.
Besides, photos only prove possession of an ID card, not ownership. Imagine if an ATM allowed withdrawing funds from a card without having to enter anything. Using the NFC feature requires entering a PIN only the owner should know.