by data-ottawa 44 days ago
I'm writing my (Canadian) MP to this effect.

There are a lot of issues with the UK approach. Privacy is a big one. But requiring this on every service is both a tax on the service and requires constantly authorizing stuff. That opens up the possibility for scams, data misuse, etc.

And no, saying we said to only use the data for verification clearly doesn't work. It didn't work for Discord, or Persona, or Tea or AU10TIX or any others. Verification now means sharing that data with credit agencies and third-party databases. Verification means keeping some data to resolve customer support disputes. There's data leakage for training and creating derived data products like biometric embeddings for future use.

Third party verification is a security nightmare.

I don't know why device-based approvals and controls aren't considered at all. Or really any privacy-preserving technique.

And all this for ~54% efficacy?

1 comments

There is no such thing as privacy protecting or anonymous age verification. If you tell Canadian that such a thing is possible, they are guaranteed to harm privacy with any legislation they propose. Just tell them no.

> There is no such thing as privacy protecting or anonymous age verification

There most definitely is privacy-protecting age verification. You go to a government office, you show your ID, they give you a piece of paper that officially says "over 18 years old". Now you have a piece of paper that says you're over 18 but doesn't say who you are, and the government won't know where you use it.

On the Internet, the idea is the same, but with cryptography.

There is: a dumb header flag sent by the browser that attests to the user being in an age group.

Fakeable? Sure. Fakeable by an average 13-16 year old on a parental locked device? No.

By privacy-preserving, we usually mean that you get some kind of cryptographic token from an entity that knows who you are (and can attest that you are above age), and that token is anonymous, so when you use it to access a random service, that service cannot extract information about you from the token, except that you are above age.

It is possible, it just had to be implemented properly. We could complain about politicians not understanding that, of course. But if you spend 5 minutes reading complaints about age verification, you will see that nobody cares about understanding... if the people don't care, why would the politicians?
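
The anonymous-token idea described in the comment above can be illustrated with a textbook RSA blind signature. This is an added example, not part of the thread and not any deployed scheme; the function names are hypothetical, and the key is a toy built from two known Mersenne primes, far too small for real use.

```python
import hashlib
import secrets
from math import gcd

# Toy issuer key (constructed for this demo): two known Mersenne primes.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                    # public key, known to every service
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, held by the issuer only

def h(token: bytes) -> int:
    """Hash a token into the range [0, N)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N

def user_blind(token: bytes):
    """User: hide H(token) behind a random factor r before contacting the issuer."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    return (h(token) * pow(r, E, N)) % N, r

def issuer_sign(blinded: int) -> int:
    """Issuer: signs only after checking ID and age; sees just the blinded value."""
    return pow(blinded, D, N)

def user_unblind(blind_sig: int, r: int) -> int:
    """User: strip r, leaving an ordinary signature on H(token)."""
    return (blind_sig * pow(r, -1, N)) % N

def service_verify(token: bytes, sig: int) -> bool:
    """Service: learns only that the issuer vouched for this token."""
    return pow(sig, E, N) == h(token)

def demo():
    token = secrets.token_bytes(16)    # random, carries no identity
    blinded, r = user_blind(token)
    sig = user_unblind(issuer_sign(blinded), r)
    return token, blinded, sig

if __name__ == "__main__":
    token, blinded, sig = demo()
    print("service accepts token:", service_verify(token, sig))
    print("issuer ever saw the token hash:", blinded == h(token))
```

The issuer's view (`blinded` and its signature) shares no value with what the service later receives (`token`, `sig`), which is why the two cannot be linked.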