EU chief calls for a bloc-wide push on an age verification app to protect children online. If enforced, users will have to prove their age to access legally restricted sites.
No, that’s an app on your phone. That accumulates a ton of data in a way that didn’t exist before. The government knows I exist. Now it knows every website I’m visiting, and my identity on those sites. Now the new politician in my country decides to be a little bit more corrupt, and asks the app maintainer “hey, can you gather IDs and home addresses of all the people who criticized genocide online last couple of years, I would like to execute them publicly”, and they can do it with basically one sql equerry. The only defense against that will be “but that’s illegal, there are laws against that!”, which is shit defense nowadays.
I’m sorry, but have you read the technical documentation? The design is intentional created this way to avoid tracking.
You are issued a set of ZKP tokens that you hand back to websites. They cannot correlate these tokens back to you, nor can the operator of the system.
Now they could lie, of course, and violate the design (but being open source that’s a little harder), but if the government wanted to secretly track you, much more precise tools exist for this already.
That’s the stupid part, it doesn’t matter what it will look like at the beginning. It might be the best written documentation now, they can even implement the app correctly. The thing is, the jump from “people can use the internet” to “in order to access the internet you need to provide your government ID to your smartphone” is a big jump, one that can cost a politician career. The jump from “you need to use version 1.4.412 of the govenment id checker” to “you need to use version 2.0 of the Government Id Checker Plus” is minuscule. That’s where you introduce a persistent database of the tokens, somewhere on page 5 of the changelog. And only nerds care about that and nobody listens to them.
It’s so fucking easy, Russia did this exact gambit in 2017, Kazakhstan couple of years before.
But that slippery slope, which it sounds like you believe us to be on, also applies to phone location tracking, credit cards payments, mobile phone train tickets, smart homes, smart cars, home CCTV etc etc.
Do you leave your phone at home, always pay with cash, don’t use any apps? Most people do these things on the basis that the government doesn’t wantonly have access to what we’ve bought online. Why is age gating so different?
Of course things can break and something might be able to refer back to you, until it gets fixed.
But if your argument is that “the standard is fine, but something might not quite work”, then the same argument applies to your phone’s location tracking, your debit/credit payments etc. The vast majority of us happily use systems on the basis that they are secure, until they’re not, and then things get fixed.
It’s a matter of exposure and attack surface vs rewards for the attacker, and risk in companies are evaluated by the trio: freqency of occurrence, severity of occurrence (how large), severity of the occurrence. Banks can spend a lot because severity quickly gets very high in money.
What’s the incentive again for the next gov to properly fund the system? Oh yes: they would have to say “sorry! shit happens! that’s all because of the previous admin!!” and maybe throw one guy under the bus.
No, that’s an app on your phone. That accumulates a ton of data in a way that didn’t exist before. The government knows I exist. Now it knows every website I’m visiting, and my identity on those sites. Now the new politician in my country decides to be a little bit more corrupt, and asks the app maintainer “hey, can you gather IDs and home addresses of all the people who criticized genocide online last couple of years, I would like to execute them publicly”, and they can do it with basically one sql equerry. The only defense against that will be “but that’s illegal, there are laws against that!”, which is shit defense nowadays.
Yes, all of that happens. That is a valid worry. Which is why they tried to avoid it.
Did you see how much they did to avoid this? Do you see a flaw in their solution?
Yes, the flaw in their solution is that they require the government ID to access the internet now. That’s the flaw.
I’m sorry, but have you read the technical documentation? The design is intentional created this way to avoid tracking.
You are issued a set of ZKP tokens that you hand back to websites. They cannot correlate these tokens back to you, nor can the operator of the system.
Now they could lie, of course, and violate the design (but being open source that’s a little harder), but if the government wanted to secretly track you, much more precise tools exist for this already.
That’s the stupid part, it doesn’t matter what it will look like at the beginning. It might be the best written documentation now, they can even implement the app correctly. The thing is, the jump from “people can use the internet” to “in order to access the internet you need to provide your government ID to your smartphone” is a big jump, one that can cost a politician career. The jump from “you need to use version 1.4.412 of the govenment id checker” to “you need to use version 2.0 of the Government Id Checker Plus” is minuscule. That’s where you introduce a persistent database of the tokens, somewhere on page 5 of the changelog. And only nerds care about that and nobody listens to them.
It’s so fucking easy, Russia did this exact gambit in 2017, Kazakhstan couple of years before.
Ok, so it’s the slippery slope fallacy.
But that slippery slope, which it sounds like you believe us to be on, also applies to phone location tracking, credit cards payments, mobile phone train tickets, smart homes, smart cars, home CCTV etc etc.
Do you leave your phone at home, always pay with cash, don’t use any apps? Most people do these things on the basis that the government doesn’t wantonly have access to what we’ve bought online. Why is age gating so different?
At last a piece of code free of any flaw, any exploit, invulnerable to any known or unknown attack method!
Of course things can break and something might be able to refer back to you, until it gets fixed.
But if your argument is that “the standard is fine, but something might not quite work”, then the same argument applies to your phone’s location tracking, your debit/credit payments etc. The vast majority of us happily use systems on the basis that they are secure, until they’re not, and then things get fixed.
Your argument has to apply evenly.
It’s a matter of exposure and attack surface vs rewards for the attacker, and risk in companies are evaluated by the trio: freqency of occurrence, severity of occurrence (how large), severity of the occurrence. Banks can spend a lot because severity quickly gets very high in money.
What’s the incentive again for the next gov to properly fund the system? Oh yes: they would have to say “sorry! shit happens! that’s all because of the previous admin!!” and maybe throw one guy under the bus.