I’m asking for public policy ideas here. A lot of countries are enacting age verification now. But of course this is a privacy nightmare and is ripe for abuse. At the same time though, I also understand why people are concerned with how kids are using social media. These products are designed to be addictive and are known to cause body image issues and so forth. So what’s the middle ground? How can we protect kids from the harms of social media in a way that respects everyone’s privacy?

  • PeriodicallyPedantic@lemmy.ca
    1·
    6 days ago

    How would that work online? How would they confirm it’s your passport, and that it’s a real passport that was really scanned (instead of a browser plugin)?

    • Kissaki@feddit.orgEnglish
      1·
      4 days ago
      1. Register as a service, with justification why you need to be able to read the fields or properties you say you need
      2. Upon acceptance, aquire a digital permission certificate
      3. Set up a server, that handles communication with the ID
      4. For a request, prove you own the permission cert through a challenge sent by the ID document
      5. ID document proves through a challenge to the server that it is what it is (a set of produced ID documents use the same private and public keys so they are not personally identifiable / associatable to an individual)
      6. User enters PIN so that this process can proceed
      7. Open secured connection between server and ID document
      8. Server can request/challenge age verification, and the ID document answers with “is met”

      At least the Wikipedia page is not detailed/technical on step 8, but if you were to attempt to man-in-the-middle, you could not because you can’t fake identifying as a valid ID document, which is ensured by the challenge and private/public key cryptography.

      • PeriodicallyPedantic@lemmy.ca
        1·
        4 days ago

        I’ll need to look into it a bit more, but I’m skeptical that this will work in practice:

        How can they confirm that I’m the owner of the passport? How do you prevent them from selling the fields they requested, that have been uniquely linked to you? How do you prevent the government from keeping track of all the services you’re using?

        • Kissaki@feddit.orgEnglish
          1·
          2 days ago

          The first factor is you physical passport, the second factor is your pin.

          I don’t see how an age verification could prevent selling verified age. Once they acquire data they could theoretically sell it, illegally, if they ignore law.

          The point is, you can share a small subset of fields without others. No need to share your face or passport number.

          I’m not sure about whether the authority knows about the request and response at all. I previously thought so, but this description did not mention it, and it doesn’t seem technically required, if both sides can verify public key/cert validity independently, and then communicate with each other.