|
> Perhaps there's a way to do age verification while minimizing privacy risks? For example, verify their age, give them their credentials, then delete the PII? I wonder why trusted third parties haven't sprung up around this very concept to the degree of OIDC (it's almost everywhere), you could have companies that allow uniquely identifying people, without having to manage or even get their PII directly. Service wants to check age or whether user is banned --> they are redirected to some-identity-platform.com where they can deal with any ID documents and other PII --> some-identity-platform.com gives back a token and a UUID, so all the service really needs is a JSON object with the UUID and whether user is of age (if that was in scope). That service can also let the user granularly choose what information to return: just the UUID, whether they're of age, or specific data like where they're located, actual PII if needed (e.g. auth with govt. site) etc., the UUIDs could also be service specific, so they cannot be cross referenced across different sites in case of leaks. Things a bit like that exist, for example here's a few random ones: https://www.jumio.com/
https://aws.amazon.com/rekognition/identity-verification/
https://www.veriff.com/
https://www.yoti.com/
https://ondato.com/
It does feel like the privacy problem could be solved in exactly these services, without passing too much information to the service itself. Because currently there are crazy amounts of hate and content out there that I might not want from a certain person on a site I operate, so I could just ban 914582c9-289a-4f8c-9e1c-f4193066e210 and the same person (at least with the same legal identity) could never get another account on my platform. I wouldn't even know that it's John Doe from country X and region Y that's uploading problematic content. Vice versa, I might just sell stuff to 5b9ee810-605b-40ce-9ead-85102e92df74 without ever risking compromising their identity. |