Where does this 3rd party identity token provider come from?
For government-issued identity tokens, there are not separate parties. It's just the government, and they can choose to link whatever they want in their internal system if they decide it's in the interests of national security.
You're also forgetting that lottery tickets are tracked. This is how they can announce which store sold the winning ticket before anyone steps forward with it. It would be trivial to match a buyer to the ticket if they wanted to inspect the records. In the case of a government identity token service, there isn't even a separation of parties providing the records. They do it all and can have all the data.
Some oracle whose job it is to print tokens and hand out rolls to the stores (and to the websystems). They would know which store got which roll, and which website authenticated it, but not who each ticket from that roll went to.
With a big enough roll, this is essentially anonymous.
Yes, lotteries know which store got the winning ticket, but they have no idea which of the patrons in the store got it. Not unless they ask Eve to get her telescopic lens and notepad out.
You're saying the real solution is that we bring in a private, 3rd-party company to start checking our IDs to access websites now?
I am not actually advocating for it. I'm just saying how it's possible to solve it given those constraints.
I’ve sold lottery tickets, and you have to be legal age to both buy and redeem them, so I’m not sure that this analogy or hypothetical solution is comparable to lottery tickets, nor is it likely to be the panacea you think it is.
I don’t think that the nascent online age verification schemes are good for society in general, either, but that’s not really the point you were making in your comment, so I don’t assume that you believe they’re good or bad, but simply advocating for a more privacy-preserving implementation. Which is kind of the whole point of the argument against bad implementations, but those who mandate and implement the systems likely view uniquely identifying people as a boon, whereas you and I probably don’t, which is why I am not hopeful that your ticket system will be used, because it will be higher friction for more people than uploading scans of their IDs and/or their face.
The ticket system, if implemented, would be used by so few people that the folks who do could likely be re-identified by Bluetooth tracking beacons and facial recognition in the same stores which they bought the ID tickets you suggest, and so I think the number of people who would escape tracking by any such means to be so few as to be a rounding error.
Those folks who do pursue this privacy hobby/fetish are statistically likely to ultimately mess up on their opsec eventually on a long enough timeline, so it’s hard to even imagine a scenario in which it matters either way what individual privacy activists do or don’t do from the point of view of the panopticon designers or implementers. Those not identified to a desired confidence interval by the mass surveillance system will just be retargeted for more sophisticated surveillance measures.
Despite how we rage, we’re still just rats in a cage.
More and more, the privacy debate feels like a quixotic struggle against giants, when everyone already knows that those giants are actually windmills; the majority of society now lives on reclaimed lands which rely on those windmills’ continued existence, and so no one cares about privacy in the way that you or I might care, because they are incapable of perceiving windmills as giants, nor do they have the intellectual or philosophical or political beliefs which would allow them to even entertain such perceptions even for the purposes of discussion. The privacy debate is beyond their ken.
What prevents a commercial "AI" security camera analysis firm from doing a decent job of linking footage of a store's customers to a likely subset of tokens, based on the knowledge of which tokens are sent to which store and how many tokens have been pulled off of the roll so far? Remember that you can design the token roll packaging so the easiest thing for a clerk to do is to pull off the rolls in the order in which they were shipped. Or -hell- you can design the token dispenser so that it phones home to the oracle that sent the roll to the store with the range of tokens in the roll when the roll is loaded into the dispenser (for "security purposes").
> It's the exact same process by which you buy lottery tickets in a world where they don't need to verify your identity when you redeem them.
I've seen many people buy lotto tickets. I've never seen anyone asked for ID. Perhaps the merchant is supposed to check for ID, but they don't. Relatedly:
> The clerk pulls a scratch-off ticket from the front of a ticket tape. The ticket contains a token identifier.
What prevents rolls of those tickets from falling off of a truck and either being handed out for free or at a substantial markup, no questions asked? [0]
In the real world, the system you propose absolutely will not function to the standards required by the people agitating for these systems. You can't "protect the children" if "children" can easily get their hands on anonymous access-granting tokens.
[0] The fact that this doesn't happen with lotto tickets often enough to be newsworthy is not a compelling counterexample. Stores make a decent amount of money selling those, and wouldn't want to get cut off from that revenue source by regularly "losing" shipments of tickets. What you propose doesn't make stores any money, so either you have to spend a bunch of money to induce them to carry the tokens [1], or you have to have harsh penalties for "losing" shipments of tokens. If you risk harsh penalties for choosing to sell the tokens, why even bother? Stores put up with the risk of selling booze because it's quite profitable... selling 5c or 0c tokens absolutely is not.
[1] Where does that money come from? From you and me, of course!
Lottery tickets don’t “fall off of trucks” or get “lost in the mail” because they aren’t valid for redemption until they’re activated at the POS terminal of a licensed store, and the lottery company knows which store receives each ticket roll, because they are shipped to known locations with tracking numbers and delivery verification and/or delivered in person by lottery employees. Even the rolls of blank lottery ticket receipt paper have different serial numbers every few inches, and it’s forbidden by policy to swap receipt paper between stores. All of these things are audited both regularly and randomly by state lottery officials.
Oh yeah, true. A few minutes after I posted the comment, it occurred to me that lotto tickets always get scanned at the register, which is the obvious way to track their distribution and make it annoying to use a whole bunch of winning ones that fell off of a truck. Thanks for the first-hand industry info.
If it's effective, all that tracking and auditing can't be cheap. The lotto gets to pay for it with ticket sales... I don't expect folks would tolerate paying for that [0] for this "I'm an adult" token-distribution system.
[0] ...whether that payment is paid by the token purchaser or by the taxpayers, generally...
Now that you mention the auditing etc, a lottery system would probably be an easy way to get people to literally buy into an online ID scheme, not because it would necessarily be privacy-preserving, which would depend on implementation details, but because a not insignificant number of folks seem to like the chance to win money. Considering many states already have lottery systems, the ID code tickets could probably be provided alongside lottery tickets for free or nearly free, and employees already have the training to check/scan IDs. If there was an incentive such as the possibility to get discounts, win prizes, or tie-in purchases of some kind, I think it could work.
Many stores that sell lottery tickets also sell gift cards, so that technology could also be used instead or in addition to ID tokens at the point of sale. There are a lot of sponsorship opportunities available for cross-promotion.
“Please drink a verification can” was probably more prescient than was at first apparent. Mike Judge saw this whole thing coming from a mile away.
> In the real world, the system you propose absolutely will not function to the standards required by the people agitating for these systems. You can't "protect the children" if "children" can easily get their hands on anonymous access-granting tokens.
What stops children from paying someone to buy beer and cigs for them? What's the difference between age-controlled liquor and an age-controlled token falling off the back of a truck?
You can introduce as many soft-verification systems as you want to tweak this. The roll of numbers doesn't become active unless installed in a dispenser that phones home when it is installed, for example. The empty bobbins containing the roll have to be returned to the oracle, and need to register installation in a dispenser. The dispenser can even count each dispensed ticket. The only requirement is that the sale and the process of paying for the sale isn't linked to the ticket. If you maintain that, the system is anonymous. If you break it, it's not.
I preempted this line of questioning. I'll quote the section for you:
What you propose doesn't make stores any money, so either you have to spend a bunch of money to induce them to carry the tokens [1], or you have to have harsh penalties for "losing" shipments of tokens. If you risk harsh penalties for choosing to sell the tokens, why even bother? Stores put up with the risk of selling booze because it's *quite* profitable... selling 5c or 0c tokens absolutely is not.
[1] Where does that money come from? From you and me, of course!
> The only requirement is that the sale and the process of paying for the sale isn't linked to the ticket.
Unless you make it turbo-illegal to link those pieces of information (even weakly), then those two pieces of information will be linked lickety-split. As aspenmaver mentions, lotto tickets are activated at time of sale by phoning home to -I assume- the issuer of the ticket, providing a ready-made mechanism to correlate which tickets are sold to which person. When the people who are crying to protect the under-eighteen from the "evils" of computing notice that under-eighteens are -shock! outrage!- still exposed to that "evil" despite this token-distribution scheme, they will demand any such laws be weakened or eliminated.
[0] ...or fail to strictly follow all of the regs when giving one to a "Token Commission" officer doing an undercover buy, as absolutely happens with alcohol sales...
A simple law against linking those two pieces of information would be sufficient. Sure, someone like the NSA wouldn't give two shits about what's legal, but they also wouldn't have the means to clandestinely get the necessary hardware installed in every one of the million stores that exist in the country.
Eventually this becomes common knowledge and "something must be done". Facebook (the corpo sponsoring these age verification laws to absolve their own liability) and their ilk decide that the token system no longer meaningfully proves age. They switch to demanding full government ID in cleartext, as there is still no comprehensive privacy law that would prevent such a thing.
Every single approach that puts the onus on the company to verify age falls apart this way, possibly including a de facto mandate for remote attestation (ie say good bye to libre operating systems and browsers that aren't MSIE, Safari, or Chrome). The only workable systems are ones in which the onus remains on parents giving their kids networked computing devices to enable parental controls and/or otherwise monitor their kids' usage, with those parental controls based on information flowing strictly from the website to the user agent (eg a content tag that asserts "this page is suitable for kids").
(and I say this as a parent who is staring down having to deal with this problem in a short year or two)