The verification making sense and trust in government are 2 separate problems. Not defending here one or the other, just saying that the mixing up doesn’t help.
The verification could make sense with something like a physical gift card.
Go to a store or kiosk, show them your ID card or driver’s license, and they’ll give you a card randomly chosen from the shelf with a code to activate the +18 version of any social network of your choice.
Each code could only be used once. People would have to buy more, at a symbolic cost, for each social network they wished to activate.
I would tend to be against this on principle in the same way, but at least it would be something I could understand where the objective is actually what is being presented (protecting the children), albeit misguided, because to me it is clear that what is currently being promoted and proposed has nothing to do with age verification, but rather with mass surveillance, marketing and censorship. Fascistic authoritarianism.
It would still be made by the government and distributed by third parties and the government. What matters here to give me confidence is that it would be physical and only one person at the counter would know my age which would obviously be much safer and would ensure that no other information would be passed on.
The government derives the token from the id, which it created and knows, so there’s no privacy loss there.
Nothing is distributed to third parties, the third party just verifies the token with the government service and gets ok / not ok. It never sees any id data.
In your example, how do you know that the third party is not storing the data when scanning it? And how do you deal with online services?
The issues described in the article are serious, but not fundamental design flaws of the protocol, and it depends on how they’ve presented the app: did they say it can be used already? if it’s just a prototype it’s ok to e.g not store the token/pin in the security enclave yet. And the issues being easily found is facilitated by the project being released as open source, which is good. Not saying that everything is perfect, and there might be actual issues with the protocol, but this isn’t it. It’s in any case better than having to share your id with N third parties.
In my proposal, there is no need for them to scan your ID, they would only see your age written on the citizen card, just like they do when you want to buy cigarettes. Don’t pretend you didn’t understand the spirit of the suggestion.
P.S.: Nothing is safer than paper. I’m also against electronic vote.
P.P.S.: This app is open source, but you can’t confirm that the Play or App Store build matches the source. You’re not allowed to compile and install the app yourself, downloads are enforced by hardware attestation and there’s no way to verify what the EU servers are actually doing on the backend side.
In the very near future you must accept Google or Apple terms and conditions to discuss things online, because the surveillance app only runs on genuine Android and iOS devices. Age verification is a manufactured issue pushed by surveillance companies.
Even if the EU identity wallet, Russian MAX and Chinese WeChat apps were perfectly privacy‑preserving, it’s still outrageous to require age checks just to let people communicate with each other.
And how does that process guarantee that your token identifies only you? It seems that an adult can go to the store at different times and get n tokens, which they can then give to minors.
To your edits, indeed, the server handling is what I was alluding at previously with possible issues, specifically in the verification part. But that’s the good part that there’s an open source project, where these questions can be raised. It seems more complicated, but maybe not impossible to guarantee privacy on a trustless way also there.
As to the use, I imagine that it can be extended to other things such as proving that you’re a human, which is becoming pretty much impossible. It might be the most effective solution for “dead internet”.
Yes, an adult could give them, just as nowadays an adult can forge fake IDs to sell to kids, but it would be a crime. If they were caught, they would suffer appropriate consequences.
And what about online-only services (which is the majority)? Seems a partial and error prone solution not worth the effort over no verification at all.
The verification making sense and trust in government are 2 separate problems. Not defending here one or the other, just saying that the mixing up doesn’t help.
The verification could make sense with something like a physical gift card.
Go to a store or kiosk, show them your ID card or driver’s license, and they’ll give you a card randomly chosen from the shelf with a code to activate the +18 version of any social network of your choice.
Each code could only be used once. People would have to buy more, at a symbolic cost, for each social network they wished to activate.
I would tend to be against this on principle in the same way, but at least it would be something I could understand where the objective is actually what is being presented (protecting the children), albeit misguided, because to me it is clear that what is currently being promoted and proposed has nothing to do with age verification, but rather with mass surveillance, marketing and censorship. Fascistic authoritarianism.
But now you’re giving your id to third parties. Why do you trust them more than your government, which has that data anyway?
It would still be made by the government and distributed by third parties and the government. What matters here to give me confidence is that it would be physical and only one person at the counter would know my age which would obviously be much safer and would ensure that no other information would be passed on.
Also,
https://cybernews.com/security/eu-age-verification-app-hack/
LoL
The government derives the token from the id, which it created and knows, so there’s no privacy loss there.
Nothing is distributed to third parties, the third party just verifies the token with the government service and gets ok / not ok. It never sees any id data.
In your example, how do you know that the third party is not storing the data when scanning it? And how do you deal with online services?
The issues described in the article are serious, but not fundamental design flaws of the protocol, and it depends on how they’ve presented the app: did they say it can be used already? if it’s just a prototype it’s ok to e.g not store the token/pin in the security enclave yet. And the issues being easily found is facilitated by the project being released as open source, which is good. Not saying that everything is perfect, and there might be actual issues with the protocol, but this isn’t it. It’s in any case better than having to share your id with N third parties.
In my proposal, there is no need for them to scan your ID, they would only see your age written on the citizen card, just like they do when you want to buy cigarettes. Don’t pretend you didn’t understand the spirit of the suggestion.
P.S.: Nothing is safer than paper. I’m also against electronic vote.
P.P.S.: This app is open source, but you can’t confirm that the Play or App Store build matches the source. You’re not allowed to compile and install the app yourself, downloads are enforced by hardware attestation and there’s no way to verify what the EU servers are actually doing on the backend side.
In the very near future you must accept Google or Apple terms and conditions to discuss things online, because the surveillance app only runs on genuine Android and iOS devices. Age verification is a manufactured issue pushed by surveillance companies.
Even if the EU identity wallet, Russian MAX and Chinese WeChat apps were perfectly privacy‑preserving, it’s still outrageous to require age checks just to let people communicate with each other.
And how does that process guarantee that your token identifies only you? It seems that an adult can go to the store at different times and get n tokens, which they can then give to minors.
To your edits, indeed, the server handling is what I was alluding at previously with possible issues, specifically in the verification part. But that’s the good part that there’s an open source project, where these questions can be raised. It seems more complicated, but maybe not impossible to guarantee privacy on a trustless way also there.
As to the use, I imagine that it can be extended to other things such as proving that you’re a human, which is becoming pretty much impossible. It might be the most effective solution for “dead internet”.
Yes, an adult could give them, just as nowadays an adult can forge fake IDs to sell to kids, but it would be a crime. If they were caught, they would suffer appropriate consequences.
And what about online-only services (which is the majority)? Seems a partial and error prone solution not worth the effort over no verification at all.