by texas2toss 895 days ago
AV is already widely utilized by thousands of internet companies and represents a significant market.

The issue is the companies being targeted have simply chosen to not enact any AV or gating measures because it would impact their existing business. Additionally, the targeted companies have solutions available but are leveraging legal and lobbying efforts vs. changing their business.

Source: I work for a company that distributes a widely used AV product.

2 comments

And? The point of the article is that it's incompatible with privacy on the internet, or rather the spirit of what the internet is - widely accessible, not pseudo-AIM.
How are users supposed to know where they can and can't safely upload a sensitive picture of their ID?
You’re thinking about AV as it’s been rolled out in the past few years in places. But the mDL / mobile passports don’t require that - it’s a signed record that a certain government agency signs. It can be something like signing what kind of vehicles you can operate but also can be just an anonymous age verification check. The standards body for this was explicitly thinking about privacy-preserving mechanisms to do AV (I know because I attended some meetings and observed the discussions they were having).
In practice, how do these systems expect the kids (much more technically savvy than their parents, and with a motive) not to get their hands on their parents'? (As you know, kids often get access to credit cards without parents' knowledge.)
Biometric identification required to release the record (e.g. the Secure Enclave in iOS could sign it)

You can believe that a standard committee of very smart people (technical and regulatory) was thinking about all these problems so saying “what about X” isn’t helpful when X is an obvious concern.

A sufficiently advanced attacker could probably figure something out (especially with these 3p apps which are bound to have security flaws), but it will be out of reach for most people (these apps will hopefully be discontinued once the OS wallets integration is complete - they should only be used for pilot programs and if they’re not they will be stopped once they become a known vector of identity theft).

The harder problem is attestation for >13 services since kids that age may not have digital devices and government ID but that’s a government policy problem to figure out.

> You can believe that a standard committee of very smart people (technical and regulatory) was thinking about all these problems so saying “what about X” isn’t helpful when X is an obvious concern.

Really? Doesn't HN show on a monthly basis that no, exactly nothing directly follows from that premise? Typically the committee has completely different incentives and directions from, well, half the planet's wants?

At that stage though, mine was just a question. I was curious.

> they will be stopped once they become a known vector of identity theft

Okay. I'll agree to disagree. See US Social Security Numbers, cell phone numbers, credit card system...

The vast majority (90%+) of all AV is not photo ID. It’s phone number or name/address (in the US), depending on the industry. This info is usually collected.

For adult industry, the issue is gating web traffic. But as I explained to a regulator mentioned in the article, as long as there are shady companies who won’t comply and can’t be fined, it’s a moot point.

Phone numbers? That seems like a bunch of security theater. (Edit: presumably that's why the states that have passed porn AV laws require IDs, not phone numbers.)

> For adult industry, the issue is gating web traffic.

Clearly that is not the only issue, as adult sites have chosen to stop operating rather than comply in jurisdictions that require AV.

The adult sites will simply move offshore where the country trying to stop the flow of information doesn't have jurisdiction. It's whack-a-mole. The only solution is that parents control their kids, install nanny software, and teach them what is age appropriate. I chose to skip all that but supposedly I'm supposed to just accept that they are taking more of my freedom away and expect me to turn my ID over to random internet companies and trust that they'll "do the right thing".