Imagine if suddenly every grocery, pharmacy, petrol station, parking place, restaurant, bar etc. now would ask you for your ID AND would snap a picture and store in their database - you wouldn't be happy about it.
But you do have a point about "storing the picture". I think that's why it's very important for whatever solution is chosen to be something that proves you're old enough without saying who you are.
As for why would they, the same reason there are hundreds of tracking cookies on every site.
Oh, wait...
Is there a roadmap and/or a timeframe for that? I have a Slovak ID same as the author, when will it be useful for accessing internet services?
The legal framework behind all this was released all the way back in 2014 and has been officially adopted ten years later.
Officially, by December 2026, each member state must have at least one official wallet solution available for its citizens.
That said, eIDAS 2.0 also mandated that, as of this year, whatever Slovak digital identity solution has been rolled out so far must also work in other member states. In my experience, different governments adopt different foreign identity services at different paces, most of them seemingly missing the deadline.
Banks and other private institutions permitted to ask for ID are supposed to accept the wallet solutions by late 2027.
I expect deadlines to be missed given we've barely gotten the age verification PoC done, but with the groundwork laid out, things might just work out.
This argument stays on the sand of inadequate analogy. The way that flaw is described in the story it allows industrialization of bypassing the feature. It's huge difference with the "real world".
All i would say is that the solution doesn't need to be 100% effective. The same as real world "age gates" or ID verification (which is just some random person looking at your ID in most cases) are not.
The precedent set -- that everything online should NOT be immediately accessible to children -- provides parents (the ones that care at least) with some backup when trying to raise their children. Ultimately society as a whole is responsible children, and i don't want to live in a society that thinks it is fine for kids to scroll any content on social media and watch porn as soon as they are able to work out how to use a smartphone.
The replay attack mentioned may always be a loophole, I'm not sure. But any site hosting the replay attacks should be targeted for shutdown/blocking. The "source" ID must come from somewhere as well, so that could be a route to shutting them down (there are 100's of age verification requests against one ID each day, that's a bit weird...).
If parents are helping their kids bypass age gates or straight up don't care their 11 year old is watching porn, then there is not much to be done in that case. The key thing should be keeping the majority of children in compliance to give cover to the parents that do care. Not giving all the power to bad parents and social media companies as is the situation the moment.
What value is there to industrializing any of this? Kids who will pay someone for their age tokens to watch porn or create social media would probably be smart enough to download a free VPN instead.
Even in the very worst case scenario for the designers of this system, where large amounts of people manage to extract their tokens and hand them out for free, the downsides everyone fears won't apply anymore. I think a lot of people might be happy about that.