EU parliament accepted a last minute amendment, mandating age verification for pornographic (whatever that is) content online, punishable with up to one year prison sentence.
This was rolled into a directive concerning CSAM. Because adults accessing porn need to be de-anonymised to avoid child exploitation?
Are there any issues with a system where the website in question (let’s say, a porn site) doesn’t get your ID, but just a confirmation from your government that yes, you are of age?
It has a name but I can’t find it right now.But it would protect your privacy from their website you’re visiting, and the website can uphold the rules.It’s called double blind: https://www.biometricupdate.com/202504/double-blind-age-assurance-requirement-for-porn-sites-takes-effect-in-france
😏
No way I’d trust the government to just throw away that information.
The same government that last minuted attached this amendment to an unrelated directive asks you to trust them with your most private information. 🙄
Alternatively you could provide them with a genitalia pic (which they need to discard in limited time) and they verify your age that way or something (it’s a joke, don’t shit on me for it). How the fuck is age verification anonymous? Either the site gets your ID or the government issues a confirmation, which puts you on the porn viewer list.
It can be done with zero knowledge proof…it probably won’t, but it could be.
a digital wallet with ZKP could resolve ‘are you old enough?’ without the query ever needing to leave your device.
without a digital wallet, it could be done with fully homomorphic encryption.
both of these would be innovations which i feel require guided development. innovation counter to the goal of the legislation, which is surveillance. innovation driven by the self-proclaimed purpose of ‘protecting children’; innovation driven by the impetus to make it harder for people to masturbate.
since the general attitude right now has been ‘require agegates and just leave it up to The Market™’, then the solution in practise will probably be a private third party that brokers this information, probably with a natural monopoly, that will charge exorbitantly for their API, have Google Analytics running on every page, leaks like a sieve, leaves logs everywhere, and will probably get caught selling data, which will incur a one-time fee equal to 80% the size of the company’s rainy day fund, and maybe the CEO will be asked to step down, shielding the rest of the C-suite from consequences (and allowing them to just do it again). they’ll work closely with law enforcement, they’ll be breached in the first year, and probably have a huge leak 4 years later.
in that time, due to real changes in the law or jurisprudence, or companies just ‘playing it safe’, age verification will come to encompass queer identity, sexual education and health, war coverage, counterculture and even history. more online regulation just means more barriers to entry which means a larger monopoly for multinational corporations.
i think there are better uses for this technology than controlling pornography.
I believe the idea (in an ideal world) is that Website A requests data from Service B, which then asks about you to government C. So Government C doesn’t know what you’re asking about, and the Website A doesn’t know who you are. That does mean Service B would have to be trusted / vetted, which might relocate the problem but it would be easier to verify (FOSS for example) than trusting your government to not put you on a list.
There’s no need for the middleman in this scheme. Instead, a much simpler solution would be:
$TOKENThe person with $TOKEN is of legal age. You have to provide your ID or whatever here, but the government doesn’t know who made the token.This can be automated in some way; maybe with a browser extension or some referrer-less redirect sort of thing.
It’s still fundamentally shitty though, because now the government pretty much knows that you want to watch adult stuff, it just doesn’t know which adult stuff exactly.
A better (but almost impossible to implement) solution would be for the government to issue everyone a smartcard as an identity document (many countries already do, but without the following features). On that smartcard is a private key, with the corresponding public key signed by the government. The smartcard can then sign any
$TOKENwith true statements about you, e.g.The person with $TOKEN is of legal age, orThe person with $TOKEN is called $NAME, orThe person with $TOKEN has a driving license, etc. You have to connect it to your computer in some way so the website can talk to it, but it should be trivially doable with almost any modern smartphone. This way, everyone has the ability to attest stuff about them without the government being directly involved.The reason this won’t work is because it would be quite expensive to do and would take a long while to implement.
the problem is that people are being verifiably linked to their ‘adult’ preferences. this is data that is being generated, in bad faith, and handled by multiple parties. your legal identity should not need to be tied to this information. this information can be used against you both now and in the future.
we’ve already seen in the US where there is a push for information about gender and basic sexual education being labelled as ‘adult’. when i was in school, information about countries like Cuba, Afghanistan or China was considered ‘too mature’ (or marked as ‘terrorism-related’ by the school firewall) for children; i could see this thus extending to require age verification before you can access ‘subversive’ information, on the basis of ‘protecting children’ from ‘political extremism’.
Double blind means that the age provider doesn’t know why your age is requested, and the service (website) doesn’t know you, they only know that the age provider says “yes” or “no”.
cc @iii@mander.xyz
How does one “follow the tokens” then?
Assuming it’s based on this EU prototype:
They don’t know why it was requested, but do know who, where and when.
So they gather the logs of A, the token provider. Is the target present? They have his token. They also see where and when the token was used. Did you have a fun time yesterday evening, on your phone at home, on websites B, C and D?
Next up, if they want even more detail, gather the logs of B, look for the token.
the provider knows who’s asking because of the IP address and API key of the requester. if it uses a form with a redirect, they even know your IP and what page you were on, tied to your legal identity. if the provider makes any API requests to a government registry, now that knows the when, the how, and (categorically) the what. short of a statement of ‘no logs’ and an audit to confirm as such, there is definitely logs. hackers love this information. data brokers love this information.
the problem is not the service knowing. it’s anyone knowing. the provider deänonymised you the moment you gave your id. the precise implementation details are important here.
Yes. Anyone that can request both the logs of this third party and the website fully deanonymises the users.
Who could have this access? The same people that last minute added this amendment to unrelated legislation.