All roads lead back to the only people who can stop the problem they created.This report was assisted by:Nick Devor at Barron's - https://www.barrons.com/art...
When they were asked to implement age verification in Germany, they simply pulled anything off their platform in the country that would require it instead. Mind you Germany has a system that makes age verification anonymous so if privacy concerns you, you could just implement it. (Almost no platform does because they want your data though.)
Valve doesn’t want to touch age verification with a 10 yard stick and that tells me it is probably the way to go here. Because once they have it, the path for more regulations is clear.
In this arena, more regulation is needed. Anonymous age verification is a good idea, but I question the actual anonymity. It usually depends on trust of some entity. And I just can’t fathom an entity that can really be trusted.
As long as the part asking for ID trusts the part verifying the ID, there is no need for anonymity to be broken, since the verifier just has to confirm what the asking part needs to know.
Think of it like someone owns a bar and needs to know if a patron is old enough to drink, and the bar owners brother or best friend says “I know that guy, he is old enough”.
Foreign corporations are much more aggressive about harvesting data than the German government so you should think twice about using their products in the first place. Most of the time the German government is under fire for privacy concerns it’s because they trusted products from Microsoft or Huawei and the like.
It uses the government ID, which has a built in NFC chip. You can use a phone in combination with your ID and it’s pin to verify your age online. The ID scanner app will tell you which parameters the website requests from your ID, and its possible to only request the birthdate.
I don’t like the system, but it is truly anonymous
Sounds like it is only anonymous if you fully trust the app. That app has all your information, and the site you are trying to access. And I bet it is completely closed source. It also likely has logs about what sires it is giving information to. Not who’s info in that log. But elsewhere it probably has logs on who’s id it verified. Get access to both, and software can start to crunch the numbers and figure out who went where. That if course is assuming they don’t decide in the future that it is worth just keeping that data together in one spot.
There is just no entity that could manage that app which wouldn’t have a motive to use the data and power it has.
No, the app is completely open source and has reproducible builds. And the site you are accessing only gets the information it requested, and you see which information it requested in the app before scanning your ID
Now you are starting to sound like you know what your talking about. But I’m not convinced yet. So when the app sends just the requested data to the site, how does the site verify that the data is legit. A person could fork the app and hack it. I am sure they thought of this, I just don’t know what thier solution is. And I can’t read german.
Yeah, something like that. But while your device can validate the cryptographic sig for the app, the site requesting proof of age can’t, since it isn’t running on the same device as the app.
The best I can guess, the app could request verification from the state run site, and specify what information it wants (based on what the requestor site asked for). The state site could use a private key to encrypt the response and give it back. The app could use a piblic key the state makes available to decode and confirm that only the intended information is present. Then the app can pass that to the requestor, who can get the public key from the state site and decrypt the information.
But, the gap there is how does the requestor know the app it is talking to hasn’t been modified. I don’t think there is a way that it can. Only the device the app is on can verify that. And the requestor can’t trust the device either.
Some Authentication that I remember has a component where the requestor would then talk to the state to confirm the info it got from the app was requested from the state by the same app the site is talking to. This prevents using someone elses response as your own. But in this case, that would tie the site to the request which means the state would have both peices of info, who and what site. So I don’t know what there solution here could be that wouldn’t result in the same problem.
When they were asked to implement age verification in Germany, they simply pulled anything off their platform in the country that would require it instead. Mind you Germany has a system that makes age verification anonymous so if privacy concerns you, you could just implement it. (Almost no platform does because they want your data though.)
Valve doesn’t want to touch age verification with a 10 yard stick and that tells me it is probably the way to go here. Because once they have it, the path for more regulations is clear.
In this arena, more regulation is needed. Anonymous age verification is a good idea, but I question the actual anonymity. It usually depends on trust of some entity. And I just can’t fathom an entity that can really be trusted.
This. ID and anonymity are antithetical
If all the ID consists of, then no it’s not.
As long as the part asking for ID trusts the part verifying the ID, there is no need for anonymity to be broken, since the verifier just has to confirm what the asking part needs to know.
Think of it like someone owns a bar and needs to know if a patron is old enough to drink, and the bar owners brother or best friend says “I know that guy, he is old enough”.
Well the entity is the government. You know, the guys who create your ID in the first place. It’s not perfect but it’s the best one I could conceive.
You can trust them to create the ID because it benefits them. But to guard you anonymity… that actually hurts them. So you can be sure they won’t.
Foreign corporations are much more aggressive about harvesting data than the German government so you should think twice about using their products in the first place. Most of the time the German government is under fire for privacy concerns it’s because they trusted products from Microsoft or Huawei and the like.
It uses the government ID, which has a built in NFC chip. You can use a phone in combination with your ID and it’s pin to verify your age online. The ID scanner app will tell you which parameters the website requests from your ID, and its possible to only request the birthdate.
I don’t like the system, but it is truly anonymous
Sounds like it is only anonymous if you fully trust the app. That app has all your information, and the site you are trying to access. And I bet it is completely closed source. It also likely has logs about what sires it is giving information to. Not who’s info in that log. But elsewhere it probably has logs on who’s id it verified. Get access to both, and software can start to crunch the numbers and figure out who went where. That if course is assuming they don’t decide in the future that it is worth just keeping that data together in one spot. There is just no entity that could manage that app which wouldn’t have a motive to use the data and power it has.
No, the app is completely open source and has reproducible builds. And the site you are accessing only gets the information it requested, and you see which information it requested in the app before scanning your ID
https://github.com/Governikus/AusweisApp
Now you are starting to sound like you know what your talking about. But I’m not convinced yet. So when the app sends just the requested data to the site, how does the site verify that the data is legit. A person could fork the app and hack it. I am sure they thought of this, I just don’t know what thier solution is. And I can’t read german.
(NotOP) these things will usually use cryptographic signatures and if the app has been altered, it’d fail the check.
No clue what they are specifically doing though.
Yeah, something like that. But while your device can validate the cryptographic sig for the app, the site requesting proof of age can’t, since it isn’t running on the same device as the app. The best I can guess, the app could request verification from the state run site, and specify what information it wants (based on what the requestor site asked for). The state site could use a private key to encrypt the response and give it back. The app could use a piblic key the state makes available to decode and confirm that only the intended information is present. Then the app can pass that to the requestor, who can get the public key from the state site and decrypt the information. But, the gap there is how does the requestor know the app it is talking to hasn’t been modified. I don’t think there is a way that it can. Only the device the app is on can verify that. And the requestor can’t trust the device either.
Some Authentication that I remember has a component where the requestor would then talk to the state to confirm the info it got from the app was requested from the state by the same app the site is talking to. This prevents using someone elses response as your own. But in this case, that would tie the site to the request which means the state would have both peices of info, who and what site. So I don’t know what there solution here could be that wouldn’t result in the same problem.