[tialaramex]

I would much prefer my government to take on responsibility for providing this sort of service as they do e.g. driver qualification.

Once upon a time the usual thing to get OK'd to rent a van (e.g. for students who are moving house) is you rock up to the rental place with the legal documents showing you're entitled to drive. You're relying on the fact that the person renting you a van doesn't much care and isn't keeping the exact details from those documents.

But although you can do this today, obviously the documents get scanned into a permanent data repository, so, that's not great. But, the UK government added a site so you can prove you're you, and get codes, which for a limited period show someone that yup, this person is legal to drive and so on.

They do this for right to work too. Although, annoyingly only for foreigners. If you're a citizen, you can't prove right to work this way, you need to be like "Look, I'm a citizen, here's proof" to your employer. But if you are foreign you can just go "Check this URL, your government says I'm entitled to work here" and they needn't know whether that's because your husband is a "Cultural Attaché" to the Russian Embassy, or you've got special refugee status, or you're actually an Italian and you just speak and look Russian for some reason, just that you're entitled to work here.

[lifthrasiir]

I in general agree to a sort of governmental (or even inter-governmental) services for lightweight identity verification. Lightweight in a sense that these services do not give any new personally identifiable information to clients, they are only given cryptographic proofs. If implemented very well, it may be usable for a whole lot of applications other than just age verification.

However a partial or faulty implementation of the concept can be very dangerous. South Korean websites used to receive a Resident Registration Number (RRN, 주민등록번호) for all imaginable reasons, including just catching double registration. RRN was and remains crucial for identity verification and it is estimated that virtually every SK national has been subject to multiple accidents that exposed their RRNs before such practice is forbidden. After that the Accredited Certificate of Authentication (공인인증서, nowadays the Recognized Common Certificate 공동인증서) is in place, which was another travesty that is based on X.509 but with non-standard practices based on ActiveX. Nowadays age and identity verification is commonly done with mobile phones, and there are multiple such services mostly run by CICs and telcos. This did dramatically reduce the use of RRNs and is much more convenient for typical people, but if you do not own SK mobile phones (e.g. you are foreigners) you can't use them and there are frequently no fallbacks. Also I generally don't trust the security of those services.

[derefr]

In Canada we have https://verified.me/government-sign-in-by-verified-me/, which is ultimately “the government taking on responsibility for providing this sort of service” — but the government then turning around and delegating that responsibility to major banks (the Verified.Me service acting as the SSO intermediary, is a joint venture of seven major Canadian banks, and then supports other non-shareholding financial institutions as well.) Since you need a proof of identity to open a bank account, an SSO through your bank functions as a pretty good proof of identity.

Right now, the Verified.Me service sends through your actual non-anonymized identity (Social Security Number, I think) to the service being signed into, meaning it’s only really good for services you’d want to hand information like that to anyway (i.e. government service websites.)

But it’d be only a little tweak to enable a provider like this to send the service being logged into a persisted random-per-service token, or a per-service-salted hash of that info, instead. If this was done, a flow like this would then be perfect for KYC/AML: it would precisely restrict each legal person to only having one account per service, while also not revealing who that legal person is to that service. And the only person in this flow who’d ever see your ID, is the bank clerk you interacted with to open your bank account, years/decades earlier.

[vintermann]

It's similar in Norway. There's a government service (IDporten) which aggregates a few commercial offerings (most notably BankID, a two factor auth scheme used by the banks). But it's very restricted who gets to use these services.

[ajkdhcb2]

Does this basically force people to have a Canadian bank account to survive?

[derefr]

Not strictly (as the sibling comment says), but also, in practice it doesn’t matter, as there are effectively no “unbanked” Canadians the way there are “unbanked” Americans.

From https://www.canada.ca/en/financial-consumer-agency/services/... :

> In Canada, you have the right to open a bank account at a bank or a federally regulated credit union as long as you show proper identification.

> You can open an account even if you: don’t have a job; don’t have money to put in the account right away; or have been bankrupt.

But that requirement to show identification is important. What it means in practice is that everyone who resides in Canada except illegal immigrants can open a Canadian bank account.

And the fact that so many crucial government services assume that you have a Canadian bank account (not just for SSO, but also because they assume things like the ability to do direct deposit for tax refunds, welfare/unemployment, etc.), means that it’s really hard to be an illegal immigrant in Canada. Which is probably one reason among many that people generally aren’t interested in trying. (Other reasons: we don’t have any land borders except with the US, and it’s easier to be an illegal immigrant in the US, so why not just stop there? And: the Canada Border Services Agency is terrifying to interact with, even for Canadian citizens.)

[ajkdhcb2]

I don't know about Canada specifically, but generally there are situations where one can be waiting for a residence permit or waiting to be fully registered as a resident, etc. It can take several months in some western European countries despite the same laws that nobody can be denied a bank account. This can create a lot of inconvenience for legal residents that recently immigrated since some of those countries also have systems that use banks for ID.

[philistine]

There are ways around this and I have seldom seen it used outside of government services, so not really.

[rkagerer]

I would much prefer my government to take on responsibility for providing this sort of service

After witnessing enough leaks and hacks of government databases, this is one application where I'd favor a cryptographically secure, decentralized solution based on open-source code that's been competently audited to show the system keeps my sensitive info provably private.

Ideally something that's been in the wild under sustained and motivated efforts to hack it for long enough to convince me there's some substance to the claims.

[xboxnolifes]

Each government already has a complete list of all their citizens (probably multiple duplicated across various departments). Having the government have a service that provides temporary keys associated with an identity isn't much of an add toward security risk.

[adolph]

> "Look, I'm a citizen, here's proof"

Sounds a bit like e-verify. Don’t forget to lard it up with some denials for folks on domestic terrorist watchlists, wife beaters, bench warrants for parking tix, etc. etc.

[emilfihlman]

>But, the UK government added a site so you can prove you're you, and get codes, which for a limited period show someone that yup, this person is legal to drive and so on.

Could you link us the site?

[Symbiote]

I think it is this: https://www.gov.uk/prove-right-to-work

(Just from a search, I've not needed to find this before.)

[LegitShady]

I'd rather not subsidize roblox with government systems. If they can't figure out an age verification system that works thats on them. The government shouldn't be verifying the age of people for businesses. It's a waste of tax dollars to subsidize a business with major profits.

[wizzwizz4]

Roblox has an age verification system that works. It's just not good for the public. Isn't that what governments are for?

[LegitShady]

No. If its not good for the public, then either don't use it, or pass legislation to ban it. subsidizing a business because they can't do it is wasting tax money for a video game.

[xboxnolifes]

Regulating that vast swarms of businesses need to make their own age verification system seems like a waste of economic value. Especially considering how many normal tasks that near everyone does would also benefit from such a government system: Loans, Rentals, Housing, etc.

You would also only need to provide the evidence once to the governing body that gave it to you in the first place, instead of giving it to dozens of companies.

[LegitShady]

My taxes shouldn’t provide economic value to random companies who want to verify age, and creating a centralized identification system that is available to non governmental entities is ripe for abuse.