How so?
Please explain in detail, because there are already schemes such as "verifiable credentials" which allow people to prove they are of age without handing over ID to online services.
You need to 100% trust those verification services. And considering their success rate [1], you shouldn't.
[0] https://thinkingcybersecurity.com/DigitalID/
[1] https://discord.com/press-releases/update-on-security-incide...
First link - mitigation: use a well supported standard like OIDC, not a home-cooked scheme. Duh.
Second link - this is part of the problem such schemes as verifiable credentials are designed to address, random third parties collecting ID they don't need.
Yes, any system needs to be executed well. Neither of these really display that.
The point is that systems today, aren't really well executed. So it is unreasonable to expect them to be well executed.
If you can't trust people not to build the bomb well - then don't let them build a bomb.
Who was talking about the government implementing it? I wasn't.
And also "This has been done poorly in the past so we should never attempt to do it again, better" seems an odd way to go about things. There are well put together schemes by international standards bodies in this area now. Neither of the above links followed them.
Because we don't believe anyone will ever use the standards in this area, despite loads of companies and government bodies actually using OIDC already?
I'm not really sure what you're driving at.
MyGovID _is_ an age verifier. Sorry. The successor after the rebrand, is called myID [0], and advertised as:
> myID is a secure way to prove who you are online.
---
> I'm not really sure what you're driving at.
Clearly. You seem to think that because it might one day be done correctly, by one group, the rest of the world is safe. However, over in this reality, we have fuck ups by governments and private corporations, who are the people the rest of the world actually deals with.
You cannot enforce these real groups, to actually follow good practices. Thus, in practice, everyone gets fucked when you bring in these laws. Because it will always be done the wrong way, by someone.
It's an identity scheme and SSO solution for accessing government services. As said at [0] in the "What is myID" section.
I sincerely hope that they're using something standard and well tested like OIDC behind the scenes this time, because otherwise it's ripe for another fuckup like the one you linked. If it is also used for age verification that appears to be secondary.
> You cannot enforce these real groups, to actually follow good practices. Thus, in practice, everyone gets fucked when you bring in these laws. Because it will always be done the wrong way, by someone.
So we need to stop the Australian government from ever using an SSO/identity solution again because it can't be trusted to do it properly, having messed up in the past, and the rest of us have had to live with the consequences. And as they aren't the only ones to have messed up, companies do it all the time too, we should also ban all identity and SSO solutions (because that's what we're talking about in this thread, banning of age verification, not mandating it).
I don't think you get to call out age validation as a uniquely hard problem that cannot possibly be made safe, but allow other identity-style services a pass. There are many areas in which we (through the government) can and do mandate good practice, both by government and private entities.
Its a sovereign identity verification service. That is not limited to above PL2 verifications. There are age-only accredited entities in the registry.
Its one of the approved verification tools for the Online Safety Act 2021 . It was renamed as part of the passage of the law. You're just not forced to use it, for verification.
And yes, it does it poorly, and does not follow a standard. Its using Vanguard's PAS behind the scenes [1], with extras ServiceNow tacked on. Until they rearchitect the entire damn thing.
So... As I might have doxxed myself a little just now... No, uploading identity documents is never a safe process. Its a king's hoard in treasure before nations that never sleep.
Name a provider, and there will be a breach, and it will continue to affect the victims most of their lives.
[1] https://www.sec.gov/enforcement-litigation/administrative-pr...
You should probably stop pretending you understand verifiable credentials then.
Because if you did, you'd understand that they don't need to involve uploading identity documents anywhere.
The idea is to defer to service providers such as banks that have already performed such verification, often physically. And if you want to argue that banks should stop verifying who people are when they open accounts... well that's going to be an interesting conversation.
Without doxxing myself too much, I'm going to say that I know intimately the details of a project within Australia to build a standards-based non-government VC system that won't touch a single piece of ID at any stage, as an additional capability on a commercial identity system that's already active and in use.
Perhaps what we're really saying is "Ban age verification that collects lots of personal information".
Or perhaps we could distil it down further to "Ban unnecessary collection and storage of PII". In which case, Congrats! You've arrived back at the GDPR :)
Which I think is a good thing, and should be strengthened further.
(Also the other response to "because most implementations are not going to be like that" is "why not?". People are already building such ecosystems.)
There is a problem with schemes like that.
The way computer security works is, attacks always get better, they never get worse. A scheme that nobody has found any privacy holes in when it's enacted will have one found a week after.
The way governments work is, the compromise bill passes if the people who care about privacy support it because then it has the votes of the people who care about privacy and the people who want to ID everyone. But then when the vulnerability is found, the people who care about privacy can't get it fixed because they can't pass a new bill without also having the votes of the people who want to ID everyone, and those people already have what they want. More specifically, many of them then have what they really want, which is to invade everyone's privacy, as they were hoping to do once the vulnerability was found.
Which means you need it to be perfect the first time or it's already ossified and can't be fixed. But the chances of that happening in practice are zero, which means it needs to not happen at all.
/goes on to discuss how government legislation of specific schemes is the issue, not the schemes themselves.
Then we don't legislate specific schemes? The GDPR doesn't do that, for instance, it spells out responsibilities and penalties but doesn't say "Though shalt use this specific algorithm".
Remember, this discussion started with a call to ban all age checks, which itself is a government action and restriction on the agency of private business.
There are ways that private entities can implement age checks both securely and without leaking much other information, so it seems very heavy-handed to ban them. Private entities are building such systems between themselves already, without government mandates on the specifics.
(at least not yet)
To get it from Discord you need to sneeze.
The internet has scale and availability, that physical locations do not.