EU parliament accepted a last minute amendment, mandating age verification for pornographic (whatever that is) content online, punishable with up to one year prison sentence.
This was rolled into a directive concerning CSAM. Because adults accessing porn need to be de-anonymised to avoid child exploitation?
the problem is that people are being verifiably linked to their ‘adult’ preferences. this is data that is being generated, in bad faith, and handled by multiple parties. your legal identity should not need to be tied to this information. this information can be used against you both now and in the future.
we’ve already seen in the US where there is a push for information about gender and basic sexual education being labelled as ‘adult’. when i was in school, information about countries like Cuba, Afghanistan or China was considered ‘too mature’ (or marked as ‘terrorism-related’ by the school firewall) for children; i could see this thus extending to require age verification before you can access ‘subversive’ information, on the basis of ‘protecting children’ from ‘political extremism’.
Double blind means that the age provider doesn’t know why your age is requested, and the service (website) doesn’t know you, they only know that the age provider says “yes” or “no”.
cc @iii@mander.xyz
How does one “follow the tokens” then?
Assuming it’s based on this EU prototype:
They don’t know why it was requested, but do know who, where and when.
So they gather the logs of A, the token provider. Is the target present? They have his token. They also see where and when the token was used. Did you have a fun time yesterday evening, on your phone at home, on websites B, C and D?
Next up, if they want even more detail, gather the logs of B, look for the token.
the provider knows who’s asking because of the IP address and API key of the requester. if it uses a form with a redirect, they even know your IP and what page you were on, tied to your legal identity. if the provider makes any API requests to a government registry, now that knows the when, the how, and (categorically) the what. short of a statement of ‘no logs’ and an audit to confirm as such, there is definitely logs. hackers love this information. data brokers love this information.
the problem is not the service knowing. it’s anyone knowing. the provider deänonymised you the moment you gave your id. the precise implementation details are important here.