[jeroenhd]

It's not a trojan horse, it's spelled out in the decision, debates, and legal texts to be the explicit goal. The age verification requirement was picked both as a means to prove the technology is sound and as a simple starting point for a full digital ID solution.

The EU already has some form of digital ID in fact, every government provides some kind of OIDC-like service tied to either smart cards or accounts that authenticate the user against a government. The digital wallet solution is an extension to that system that will allow foreign EU citizens to authenticate themselves more easily (eIDAS 2 already implemented an OIDC-like solution but implementation isn't automatic) as well as offer to store the (often mandatory to carry) ID on your phone.

The "what if you buy alcohol for your kids" sscenario of somone giving someone else their age verification tokens is tired and nonsensical. You can already do that in the real world. We accept that risk and, depending on the country, make it a crime in case they do catch you. It hasn't made liquor stores send someone along to see you drink your booze or watch you enjoy your porn mag.

[pzo]

The difference you barely have to show you physical ID - mostly only when interacting with bank, signing document, government. I never got asked when buying alcohol and if asked at least I would only let to have a look instead of snapping a picture.

Imagine if suddenly every grocery, pharmacy, petrol station, parking place, restaurant, bar etc. now would ask you for your ID AND would snap a picture and store in their database - you wouldn't be happy about it.

[vladvasiliu]

It's pretty common to have to show some form of state-issued ID when entering bars and the like in France if the bouncer thinks you're underage. Ditto for buying alcohol. Hell, in the US I've had to go back to the hotel to grab my passport to enter a bar. My French driver's license and balding head weren't enough.

But you do have a point about "storing the picture". I think that's why it's very important for whatever solution is chosen to be something that proves you're old enough without saying who you are.

[maccard]

If you want an example of how this will be abused by companies, https://www.theguardian.com/money/2015/aug/12/airport-shops-...

[gib444]

And if you want an example of who has the power these days, I've encountered airport shops that are "take it leave it" (WHSmith in Spain in fact). I was told they can't require my boarding pass, but they won't sell me anything without it... (There was no language barrier)

[rightbyte]

Isn't that a tax thing on airports? I don't think it is the same problem.

[mambru]

That's not now it works.

At least in my country, the ID app lets you generate 3 levels of QR:

Level 1: Just age (also shows a photo on the screen). This is what you would typically use to go in a club or buy alcohol.

Level 2: Adds Full name, birth date, validity date.

Level 3: All the data you can see on the physical ID card.

[jeroenhd]

Why would they? The only reasons to show ID I can think of is when watching porn or maybe when buying alcohol online, though I doubt stores will want to risk driving customers away with that.

[dwedge]

Or using social media, signing up for any account where you can post content, and soon creating an account on your own device.

As for why would they, the same reason there are hundreds of tracking cookies on every site.

[pmlnr]

The same social media that stores everything down to your keystrokes? Sure, the problem is needing a gov ID, sure.

[dwedge]

Self aware wolf. You don't see the problem with associating that level of tracking with your gov id?

[throwthrowuknow]

Consider that stores create reward point systems specifically for the purpose of connecting a customer profile to purchases.

[oe]

Yeah, the bigger chain stores already have most of this information. I don’t know if tying it to an actual ID would make much difference.

[rglullis]

Yeah, imagine if every convenience store had CCTV security filming everyone 24/7.

Oh, wait...

[pzo]

they don't know necessary who are you and what are you buying. I don't think also for big shops with many customers that techonology and reliably do instance segmentation - this is not face id.

[rglullis]

They don't, but there is a significant chance that their "security solution" uploads all the data to a cloud provider (Amazon, Google, Oracle) which will be more than happy to analyze the data for them.

[jonathanstrange]

That's possible but would be completely and highly illegal, the EU regularly fines companies violating GDPR, and those fines are not trivial at all, they can be quite hefty.

[rglullis]

I was talking about the reality of the US, but even if I was talking about Europe: how does the GDPR even enter this equation here? I was never asked for consent to have my face recorded when I get into a shop in Germany. Were you?

[xorcist]

Do you not pay for you groceries? Then the store probably has a good idea about your identity. In any case, they payment processor knows exactly who you are, and the store and anyone else who cares can buy this information online, albeit in a slightly obfuscated form.

Unless you live at some place where they still accept cash of course, but the writing is on the wall already.

[SiempreViernes]

Doesn't stop the stores from posting clips of you embarrassing yourself online and your acquaintances giving your name away for clout.

[xethos]

Sure - that's saved for Visa or Mastercard to track your purchase history across time

[pando85]

Age verification today, digital ID tomorrow, mandatory tracking forever. The pattern never changes.

[tpm]

> The digital wallet solution is an extension to that system that will allow foreign EU citizens to authenticate themselves more easily

Is there a roadmap and/or a timeframe for that? I have a Slovak ID same as the author, when will it be useful for accessing internet services?

[jeroenhd]

Age verification has taken about three or four years to reach the concept stage, and that's the first stage that will be rolled out.

The legal framework behind all this was released all the way back in 2014 and has been officially adopted ten years later.

Officially, by December 2026, each member state must have at least one official wallet solution available for its citizens.

That said, eIDAS 2.0 also mandated that, as of this year, whatever Slovak digital identity solution has been rolled out so far must also work in other member states. In my experience, different governments adopt different foreign identity services at different paces, most of them seemingly missing the deadline.

Banks and other private institutions permitted to ask for ID are supposed to accept the wallet solutions by late 2027.

I expect deadlines to be missed given we've barely gotten the age verification PoC done, but with the groundwork laid out, things might just work out.

[tpm]

> I expect deadlines to be missed

My experience working on software for the German public sector sadly agrees with this assesment. Let's hope at least eventually something will work.

[broken-kebab]

>You can already do that in the real world.

This argument stays on the sand of inadequate analogy. The way that flaw is described in the story it allows industrialization of bypassing the feature. It's huge difference with the "real world".

[phatfish]

The article is actually one of the better ones I've read. The technical analysis is somewhat above my head, but appears reasonable, and it is suggesting solutions in some cases rather than just dismissing the concerns of parents, and going full privacy nut about our democratically elected governments.

All i would say is that the solution doesn't need to be 100% effective. The same as real world "age gates" or ID verification (which is just some random person looking at your ID in most cases) are not.

The precedent set -- that everything online should NOT be immediately accessible to children -- provides parents (the ones that care at least) with some backup when trying to raise their children. Ultimately society as a whole is responsible children, and i don't want to live in a society that thinks it is fine for kids to scroll any content on social media and watch porn as soon as they are able to work out how to use a smartphone.

The replay attack mentioned may always be a loophole, I'm not sure. But any site hosting the replay attacks should be targeted for shutdown/blocking. The "source" ID must come from somewhere as well, so that could be a route to shutting them down (there are 100's of age verification requests against one ID each day, that's a bit weird...).

If parents are helping their kids bypass age gates or straight up don't care their 11 year old is watching porn, then there is not much to be done in that case. The key thing should be keeping the majority of children in compliance to give cover to the parents that do care. Not giving all the power to bad parents and social media companies as is the situation the moment.

[jeroenhd]

And unlike in the real world, there's little to no real benefit to it online.

What value is there to industrializing any of this? Kids who will pay someone for their age tokens to watch porn or create social media would probably be smart enough to download a free VPN instead.

Even in the very worst case scenario for the designers of this system, where large amounts of people manage to extract their tokens and hand them out for free, the downsides everyone fears won't apply anymore. I think a lot of people might be happy about that.

[dwedge]

This "they'll just use a vpn" argument is infuriating to me because it's being used to downplay intrusive laws and make them more palatable. The obvious next step (the UK already hinted at it after the online safety act) is forcing VPNs to do ID verification.

[knollimar]

if anything, the "they'll just use a vpn" is an argument for the other way.

Law has privacy downsides and is trivially bypassable -> law is bad.

[throw-the-towel]

And then, blocking the VPNs that don't comply, Russia style. (If you're sure It Can't Happen Here,[0] you're part of the problem.)

[0] https://en.wikipedia.org/wiki/It_Can%27t_Happen_Here

[broken-kebab]

I'm not sure I understand your last para. Care to elaborate?