• arcterus@piefed.blahaj.zone · 11 up · 3 hours ago · edited

    I’m kind of surprised they’re actually going through with the zero-knowledge proof setup. This is pretty much the only method I find mostly acceptable for stuff like this tbh.

    “which would work on any device”

    This part seems unlikely. It’ll work on “most” devices but if you’re running something weird like a Linux phone I doubt it’ll work (although since it’s open-source I guess someone could potentially add support).

    EDIT: nvm I read the spec, it’s more like “minimal knowledge” but they can still track everything pretty easily.

    • General_Effort@lemmy.world · 4 up · 9 hours ago

      It doesn’t seem very sensible to me. The specs say that a ZKP proof “should” be used.

      Basically, you get a token from some source that knows your age and identity, such as the government. You pass this token on to some other entity that wants to know if you are above a certain age.

      If both of these parties record the tokens they send and receive, then your browsing history can be tied to your identity. Realistically, this would only happen if the government wants it.

      Using ZKP, you could prove that you have a valid token, without disclosing the details. But if the government decides that the tokens have to be recorded, then sites simply would not accept the ZKP.

      I think one could also make a more subtle and limited attack by issuing special tokens. Say, someone’s accused of being a terrorist, or violating copyright. Then they could be issued a special token which instructs receivers to record their activity and forward it to the police.

      • arcterus@piefed.blahaj.zone · 2 up · 4 hours ago

        Hm, I’m reading the spec. It seems more simplistic than I was expecting.

        “Issuance of Proof of Age attestations (step 3)

        Once the User’s age has been verified, the AP may either issue the Proof of Age attestation directly to the User’s AVI or generate a pre-authorized code and provide it to the User as part of a credential offer. At a later stage, the User can present this credential offer through their AVI to obtain the Proof of Age attestation.

        Confirmation and presentation (step 5)

        The AVI receives the Proof of Age request and presents it to the User. The User reviews the request details, verifies the information, and confirms the transaction to proceed.

        The AVI securely transmits the Proof of Age attestation to the RP.”

        Guess it does just pass the attestation around.

        “2.2.3 Revocation and Re-Issuance: In its current form, the solution does not support revocation or re-issuance. Adding support for these features would introduce additional complexity, which could hinder the rapid adoption of the solution.”

        The attestation is ideally only used once and issued in batches, so this is both good and bad I guess, since if they ask to track you and they haven’t already recorded all the attestations, they’ll need to wait for you to generate more.

        “Unlinkability: The goal of the solution is to prevent user profiling and tracking by avoiding linkable transactions. Initially, the solution will rely on batch issuance to protect users from colluding RPs. Zero-Knowledge Proof (ZKP) mechanisms will be considered to offer protection. More details are provided in Section 7.”

        Basically a big TBD. Lovely.

        The more subtle attack you mention could probably be avoided if the root certs and so on or whatever equivalent they’re using are public and you check that the attestation given to you doesn’t include extraneous details (which ideally the app would do for you). Not sure how that’ll interact with the zkSNARK solution provided as an “experimental feature.”

        It doesn’t really matter though since they can just record the attestations when they’re issued, so they just have to say “look for these attestations” to whatever site and they can track your visits.

        “It is recommended that the Proof of Age attestation be designed as a single-use credential and remain valid for a maximum period of three (3) months from the date of issuance. If a revocation mechanism is required, a status list may be utilized as an effective solution for managing the revocation status of attestations.”

        Of course, using it in batches is only “recommended,” so I guess they could just issue it once and continuously reuse it, in which case it would be very easy for websites to link it to you.

        There’s probably more I could pull out, but yeah, doesn’t seem great based on the spec :|
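
The token flow General_Effort sketches above (AP issues, user presents, RP accepts) and the single-use-batch versus reuse trade-off arcterus pulls out of the spec can be made concrete with a small simulation. This is an added example, not code from the thread, the spec or the EU project: it assumes a hypothetical attestation format carrying only an `over_18` flag and a random nonce, uses an HMAC as a stand-in for the Attestation Provider’s signature (with a real public-key signature the RP would not hold the key), and models the AP’s issuance log and the RPs’ logs as plain dictionaries. It shows three things the thread argues about: the RP learns nothing but the yes/no flag (so two answers on different days carry no birthdate on their own), single-use attestations are unlinkable between RPs that do not have the AP’s cooperation, and reuse of one attestation or a join with the AP’s log defeats that regardless of batching.

```python
import hashlib
import hmac
import json
import os
from collections import defaultdict

# Hypothetical AP signing key, constructed for this demo. The HMAC stands in
# for the AP's real signature; with a public-key scheme the RP would only
# hold the AP's public key.
ISSUER_KEY = b"constructed-demo-key-not-real"


def _sign(body):
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()


def issue_batch(issuer_log, user_id, over_18, n):
    """AP issues n single-use attestations (step 3). Each carries only the
    predicate plus a random nonce, never a birthdate. If the AP keeps a log,
    every nonce is tied to the identity it verified at issuance time."""
    batch = []
    for _ in range(n):
        body = {"over_18": over_18, "nonce": os.urandom(16).hex()}
        issuer_log[body["nonce"]] = user_id
        batch.append({"body": body, "sig": _sign(body)})
    return batch


def present(rp_log, rp_name, att):
    """RP verifies and learns only the over_18 flag (step 5). A logging RP
    also keeps the nonce, the only handle it could ever link on."""
    if not hmac.compare_digest(att["sig"], _sign(att["body"])):
        raise ValueError("bad attestation signature")
    rp_log[rp_name].append(att["body"]["nonce"])
    return att["body"]["over_18"]


def rp_only_linkage(rp_log):
    """What colluding RPs learn without the AP: a nonce seen at more than one
    RP means the same attestation was reused there. Single-use batches give
    an empty result; one long-lived attestation gives every site visited."""
    seen = defaultdict(set)
    for rp, nonces in rp_log.items():
        for nonce in nonces:
            seen[nonce].add(rp)
    return {n: sorted(rps) for n, rps in seen.items() if len(rps) > 1}


def ap_rp_linkage(issuer_log, rp_log):
    """What the AP (or whoever can read its log) learns by joining it with
    RP logs on the nonce: identity -> sites visited, batching or not."""
    visits = defaultdict(set)
    for rp, nonces in rp_log.items():
        for nonce in nonces:
            if nonce in issuer_log:
                visits[issuer_log[nonce]].add(rp)
    return {user: sorted(rps) for user, rps in visits.items()}


def demo_single_use():
    """Batch of single-use attestations, a fresh one per site."""
    issuer_log, rp_log = {}, defaultdict(list)
    batch = issue_batch(issuer_log, "alice", True, 3)
    present(rp_log, "site-a", batch[0])
    present(rp_log, "site-b", batch[1])
    return rp_only_linkage(rp_log), ap_rp_linkage(issuer_log, rp_log)


def demo_reuse():
    """One attestation reused everywhere (single use is only recommended)."""
    issuer_log, rp_log = {}, defaultdict(list)
    att = issue_batch(issuer_log, "bob", True, 1)[0]
    present(rp_log, "site-a", att)
    present(rp_log, "site-b", att)
    return rp_only_linkage(rp_log), ap_rp_linkage(issuer_log, rp_log)


if __name__ == "__main__":
    print("single-use, RPs only:", demo_single_use()[0])  # {}
    print("single-use, AP joins:", demo_single_use()[1])  # {'alice': ['site-a', 'site-b']}
    print("reused, RPs only:", demo_reuse()[0])  # {<nonce>: ['site-a', 'site-b']}
```

The nonce is the whole story: it is what makes each attestation single-use and signature-bound, and it is also the join key once anyone holds both ends. A ZKP of the kind the spec defers to Section 7 would let the user prove “I hold a validly signed attestation with over_18 = true” without revealing the nonce, which removes the join key from the RP side; it does nothing about an AP that simply declines to accept such proofs, which is the point General_Effort makes.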

      • unexposedhazard@discuss.tchncs.de · 5 up · 9 hours ago · edited

        Yeah, as far as I am aware, there is no such thing as a zero-knowledge proof in practice for this kind of thing. If there are “bad actors”, in other words “the police”, with access to both the government database and (through a warrant or backdoor) the websites’ data, then the whole anonymization is gone. It’s a sandcastle concept and an attempt to trick the population by making it sound fancy when it’s not at all.

        • General_Effort@lemmy.world · 2 up · 7 hours ago

          ZKP has a specific meaning in cryptography. In fairness, it does a little here. But yes, it is basically a marketing term. Like “blockchain” or whatever.

          Eventually, the idea here is to divide the population into 2 classes, one of which is to be denied access to certain information or services. If privacy is the only potential problem one sees with that, then… well…

          • unexposedhazard@discuss.tchncs.de · 2 up · 7 hours ago · edited

            Well yeah, the inherent absurdity of age verification itself is a whole separate topic, but I think that battle is already kind of lost, sadly. Our societies are so over-obsessed with safety, there is no way they will not fall for the whole “protect the children” shtick.

    • ExLisper@lemmy.curiana.net · 1 up · 9 hours ago

      “I’m kind of surprised they’re actually going through with the zero-knowledge proof setup.”

      We’ll see what it is when they publish the code (if they will publish it) but they claimed it will be zero-knowledge from the beginning so it’s not surprising at all that they still claim that.

  • stoicEuropean@lemmy.ml · 25 up · 13 hours ago

    I’m a bit out of the loop on this one. Does anyone know why so many western governments are pushing for some kind of legislation towards age/ID verification? They say it’s to protect the youth, but I don’t buy our governments suddenly turning into altruistic patrons. So… what’s the real reason? What’s the hidden agenda? Data acquisition? Surveillance? Chat Control?

    • Pommes_für_dein_Balg@feddit.org · 15 up · 11 hours ago · edited

      There’s a political movement that gained steam in the EU to make social media companies responsible for the content they deliver.
      This would have meant they’d have to implement robust age verification on their platforms to comply with EU youth protection laws (including fines per child that could access unsuitable content).
      So they lobbied for delegating the age verification to the OS level instead.
      That way they can continue to push harmful, addictive slop to children without being legally responsible.
      They can just say “we check the age provided by the OS”.

      • gian @lemmy.grys.it · 4 up · 7 hours ago

        “There’s a political movement that gained steam in the EU to make social media companies responsible for the content they deliver.”

        Which makes sense, since the same social media companies want the right to moderate what they want.
        What happens is that the social media companies on one hand say “the network is ours, so we can remove what we don’t want” and on the other hand say “we are not responsible for what the user writes”, but you cannot have both.

        “This would have meant they’d have to implement robust age verification on their platforms to comply with EU youth protection laws (including fines per child that could access unsuitable content).”

        Or simply say “look, we are not touching anything that is published, we are a medium. That content is illegal? Fine, here is the data we have to identify the user, and if a judge says so, we will remove it since it is illegal”. Nobody thinks of accusing or fining a telephone company because a pedo uses their network to commit crimes.

        “So they lobbied for delegating the age verification to the OS level instead. That way they can continue to push harmful, addictive slop to children without being legally responsible. They can just say “we check the age provided by the OS”.”

        Maybe, but if the OS says that the user is a minor and they show the content anyway, they are responsible.

      • Honytawk@discuss.tchncs.de · 4 up, 2 down · 10 hours ago

        What? No.

        Age Verification should be handled by the OS, otherwise they all will implement their own verification system which would be a nightmare for privacy. Every single implementation would need to verify you as a person before it can tell if you are the right age.

        A single implementation that sends nothing more than a yes or no when asked if the user is old enough is much better for privacy.

        • Pommes_für_dein_Balg@feddit.org · 2 up · 2 hours ago · edited

          With verification on service level, I can simply not use that service if their implementation isn’t privacy-oriented.
          Or skip the verification if I don’t need to access adult content.

          With government-mandated verification on the OS level, I have no choice.
          I have to provide my ID just to use my computer online.

    • HrabiaVulpes@lemmy.world · 4 up · 9 hours ago

      Adding to what Pommes_fur_dein_Balg said.

      The political movement originally pushed for responsibility of social media platforms over the content they show, when such content is moderated by them. For example, if you subscribe to crackpot theorists rambling about a secret vampire society controlling the world, that’s on you, but if social media shows you this content as “recommended” without a subscription or an annotation that this is misinformation, that is on them and they should be penalized by the law.

      But of course money wins over people and lobbyists managed to re-scope the idea into “systemic age checks”, pushing responsibility from companies onto consumers and topic from misinformation to protection of minors.

      In the end one can either assume it’s an honest advertising agenda to show people more targeted ads (showing twice the amount of toys to kids), or you may form suspicions about why the rich and powerful want to know who online is a minor after their precious island got busted.

    • plyth@feddit.org · 3 up · 3 hours ago · edited

      “What’s the hidden agenda?”

      Censorship.

      IP addresses already reveal the identity of most people, especially if they log into Facebook or Google. What the government can’t do is silence the opposition. So far everybody can buy a cheap phone, go to a cafe with WLAN and publish on the internet.

      With age verification, every service where people can publish freely is under control of the government. The government can reject the age verification of critical people and they can’t log in anymore and cannot make themselves heard.

    • NigelFrobisher@aussie.zone · 10 up · 12 hours ago

      Because the single most important thing to centrist governments is apparently to create controls and legislation that will later enable an easy transition to tyranny under a populist leader.

    • artyom@piefed.social · 4 up · 11 hours ago

      I can’t read Gizmodo but if it’s the EUID app, this has been in the works for years.

      As for why it’s suddenly accelerating? Age verification = ID verification. The gov wants to know who everyone is. They want unparalleled access to information.

      Also companies like Meta are seeing the writing on the wall, and instead of pushing back, they’re pushing forward, but steering it away from them.

    • huppakee@piefed.social · 2 up, 1 down · 12 hours ago

      My piece of cake? It’s not a lose-lose situation for them, but a win-lose situation. They win safety for children at the cost of freedom and privacy of the rest, and they are convinced this doesn’t hurt the good people. How come they believe such a different thing than the rest of us? It could be that they’re evil and want to stay in power at all costs, but I believe there is also a huge lobby of companies that can earn money: for them it is a win-win, safety for their children and wealth for mommy and daddy. This is why vocal public protest is so important, because it can act as a counterbalance to influential individuals who whisper in the ears of politicians in private.

  • Jajcus@sh.itjust.works · 6 up · 9 hours ago

    Because the easiest argument against tech giants is “they hurt children”. If the tech giants can ‘prove’ they don’t serve children the argument is gone. So the techs are lobbying for age verification. They don’t even care if it works, when it is not their responsibility. Of course the problem is not about the kids only, but the whole business model based on advertising, data collection and manipulative algorithms. But it is easier and better for business to age verify and ‘ban social media for kids’ than to fix actual problems.

  • sloelk@piefed.social · 5 up · 11 hours ago

    If it works the way they promote it, isn’t it a good middle way and an alternative to other options? If it is open source, we can check how it really works. My opinion at the moment is that they are trying harder than a lot of others.

    So this way a service the user wants to use could automatically be set to child-protected unless this app delivers a proof of more. This way also the big tech players could act in a responsible way without collecting all your data to know if you are old enough?

    I understand that an education for all internet users is also necessary, and still a partial regulation of big tech and others. I’m surprised that the EU is going this route and really happy that it does not sound like a surveillance system.

    Any other ideas how to solve the age check problem nowadays? And moving the whole responsibility to the parents does not help. Parents also need help with all the stuff around protecting their children.

  • kbal@fedia.io · 2 up · 10 hours ago

    Ursula von der Leyen says it is “completely anonymous” and that it is tied to one’s passport or ID card. The technical details of how this apparent contradiction is resolved do not seem to be available.

    I wonder if it will be as shitty as its various predecessors.

    • smiletolerantly@awful.systems · 17 up, 4 down · 13 hours ago

      There isn’t one. Local, on-device zero-knowledge proof in a cross-platform OSS app. You scan your ID’s NFC tag, once. The site only gets “is over 18 y/n” info. We all already have these IDs and they are used for a bunch of stuff, from doing taxes to creating bank accounts.

      • kbal@fedia.io · 1 up · 9 hours ago

        Oh, really? So it depends on some kind of user-inaccessible secure enclave TPM type of thing? That would sort of rule out the “works on any device” objective.

      • eksb@programming.dev · 5 up, 4 down · 13 hours ago

        So when the site got “is under 18” yesterday and “is over 18” today, they now know your birthday. Cool.

        • AlmightyDoorman@kbin.earth · 10 up, 2 down · 13 hours ago

          The site cannot request the information by itself, so you would have to actively do this procedure yourself. And why would you try to send a certificate if you are under 18? And this trick only works once in a lifetime, and only on websites that track you in some way (the certificate is not able to be used to track you, afaik not even across individual usages, so if you use a porn website every day and have to send a new certificate every day it’s not able to track you).

        • Honytawk@discuss.tchncs.de · 3 up · 10 hours ago

          Still doesn’t know your name, location, sex, and every other verifiable metric.

          And your plan only works once in a blue moon (literally).

        • smiletolerantly@awful.systems · 3 up, 1 down · 12 hours ago

          No. As the other person said, the answers to the ZKP do not refer to each other. All the site knows is that SOME user was not 18 yesterday, and today SOME user is 18 (or 24… or 89…). No relation between the two ZKPs/certs.

          • forrgott@lemmy.zip · 3 up · 12 hours ago

            Browser fingerprinting is a thing, though. The site already knows who you are. This doesn’t really change anything.