EU Age Verification App Announced To Protect Children Online (dw.com)
- Reference: 0181725228
- News link: https://yro.slashdot.org/story/26/04/16/0717208/eu-age-verification-app-announced-to-protect-children-online
- Source link: https://www.dw.com/en/eu-chief-urges-bloc-wide-push-on-age-verification-app-to-protect-children-online/a-76788202
> Once released, users will be able to download the app from an app store and set it up using proof of identity, such as a passport or national ID card. They can then use it to confirm they are above a certain age when accessing restricted content, without revealing their identity. According to the Commission, the system is similar to the digital certificates used during the COVID-19 pandemic, which allowed people to prove their vaccination status.
>
> The app is expected to support enforcement of the bloc's Digital Services Act, which aims to better regulate online platforms. This includes restricting access to content such as pornography, gambling and alcohol-related services. Officials say the app will be "completely anonymous" and built on open-source technology, meaning it could also be adopted outside the EU.
>
> [...] While there is no binding EU-wide law yet, the European Parliament has called for a minimum age of 16 for social media access. For now, enforcement would largely fall to individual member states, but the new app is intended to help platforms comply with future national and EU rules.
Alert: Your New Opinion (Score:1)
Just swallowing their framing whole, huh?
Confused about the process... (Score:2)
So will there be an 'app' for FreeBSD desktop computers? For all the Linux variants?
What about those phones running Linux itself (not android)?
Sign me confused how this could work.
Re: (Score:1)
And we'll become cyber-anarchists to run wireless mesh networks out of old unrestricted hardware.
Re: (Score:2)
That would make it really easy for someone operating a Reaper to triangulate, jam, and hit with a Hellfire/send in heavily arm{or}ed goons
Re: (Score:2)
Don't forget [1]calculators [pcgamer.com]. Need to protect the kids from downloading and playing "mature" games like [2]"Drug wars" [wikipedia.org] instead of listening in Pre-Calc class.
[1] https://www.pcgamer.com/software/operating-systems/a-new-california-law-says-all-operating-systems-including-linux-need-to-have-some-form-of-age-verification-at-account-setup
[2] https://en.wikipedia.org/wiki/Drug_Wars_(video_game)
Re: (Score:2)
Why not, if the app is open source.
Re: (Score:1)
They'll bug the compilers.
Re: (Score:2)
No, it's for locked down systems which allow integrity verification for hardware & OS & app. So official Android or iOS devices only. In theory Windows, ChromeOS and macOS have integrity mechanisms too, but those are easier to hack and we all have phones.
If the physical ID chips had been designed from the start for pseudonymous age verification, the remote service could just E2EE communicate with the ID through untrusted gateways, but they were not. So they need to build a new trusted system around the
EU (Score:2, Flamebait)
Online I keep hearing I'm supposed to be jealous of the EU with their great "UN Quality of Life Index" scores and whatnot, but it sure is getting heavy-handed over there.
Re: (Score:2)
Age verification and all of it will be coming to the US too.
Re: (Score:2)
It's already been proposed at the federal level: [1]https://www.congress.gov/bill/... [congress.gov]
articles about it:
[2]https://www.osnews.com/story/1... [osnews.com]
[3]https://itsfoss.com/news/os-le... [itsfoss.com]
[1] https://www.congress.gov/bill/119th-congress/house-bill/8250/all-info
[2] https://www.osnews.com/story/144803/nationwide-bill-to-put-age-verification-in-operating-systems-introduced-in-the-us/
[3] https://itsfoss.com/news/os-level-age-verification-across-us/
Re: (Score:2)
Every country has problems with the Epstein class. Some more than others. These laws are getting pushed by social media, AI and surveillance companies so they can track us and control us.
If you don't like it you need to convince the rest of the world that they don't need a ruling class.
Re: EU (Score:2)
Canada's Senate just passed AV requirements, too. Nowhere is safe from privacy erosion.
Re:EU (Score:4, Insightful)
It turns out a bit of privacy is not as much of a quality of life issue as free school, free medicare, not living in a place with insane gun crime, or at risk of being deported by ICE.
Now if you have a point to make I suggest you not conflate it with a completely different issue, otherwise it just reflects poorly on you.
Re: (Score:3, Insightful)
If you're going to enforce age restrictions, this is the way to do it, preserving anonymity. It beats 3rd party age verification services like the ones that porn sites used to use. They needed your credit card, name and address, and the age verification provider could see which sites you were visiting.
Re: (Score:1)
It's better than "use our sketchy 3rd party age verification provider", but still is completely pointless if it can be bypassed via a VPN or just going to a site that doesn't care to comply with the regulations. Like remember that story yesterday about Anna's Archive, where the court delivered an absolutely toothless verdict because they have no idea who is running the site...
Realistically, the only thing this will actually be good for is keeping kids off of the major social media networks. At least until t
Re: (Score:1)
Short of zero-knowledge proof interacting with the physical world, there will be no way to ever have secure ID verification with leakage.
Re: (Score:2)
You can just lie. They can't verify your identity through the app, only that you have an official ID with an NFC chip of someone with a certain age.
Re: (Score:2)
That should be: "without revealing your identity to the site requesting your verified age". And hopefully it will also be without revealing the website you're visiting to the age verification provider. Both requirements can be fulfilled, and hopefully this system will employ such a scheme.
Re: (Score:2)
Think you're going to be disappointed when you find out that this won't be opt-in.
Profiling and tracking on overdrive! (Score:3)
Does anyone believe this will not be used to profile and track users? If you have to use ID to verify / validate against an app, how is that processed? Unless it's done offline in a secure enclave, the government / body will know you've uploaded the ID, and have all device identification, resulting in a large fingerprint. Once they know that, any site you visit can likewise be linked, resulting in the government knowing what you visit and what.
I'm not against age verification, I'm against bad age verification. I've explained the idea a few times, but the short version, an online enclave downloads databases full of ID hashes, then disables any network connectivity, a full blackout. The offline enclave starts with a hard kill switch if any network connectivity is detected. The DBs will be transferred into the offline enclaves and the ID will be privately verified, with an age range stored. Then the ID and all DBs for this process are wiped, the enclaves are destroyed, and securely wiped, and network connectivity is restored.
Once that's done, you've verified your age, without handing over your paperwork, it's private, and accomplishes the same goal.
Re: (Score:2)
Oh definitely, that's already in the works, if not present.
Re:Profiling and tracking on overdrive! (Score:4, Insightful)
I'm sure some governments will do a verifiable build, so for those you can just check the source code. The white label source code is available if you want a headstart.
[1]https://github.com/eu-digital-... [github.com]
[1] https://github.com/eu-digital-identity-wallet/av-app-android-wallet-ui
Re: (Score:2)
Interesting, I'll take a look at that later :) - Thanks!
Re:Profiling and tracking on overdrive! (Score:4, Interesting)
The way it is supposed to work is that it allows the site to do a cryptographic challenge and response. The site can't tell which device was used, or even if the same device is used each time. There is no communication with the government after the initial confirmation of ID.
That is assuming that all the crypto works properly, of course. Hopefully they have some experts involved.
I'll still VPN into a country that doesn't have such laws as a matter of course, but given that most people seem to think this is a good thing, and we live in a democracy, it's probably the best possible outcome. The current situation in the UK, for example, where you need to prove your age to each site individually, and they all get your real ID and then abuse it and it gets stolen, is close to the worst.
Re: (Score:2)
The second you say "client-side", the response will be "jail-break". Client-side verification allows the device to fraudulently approve requests, server-side allows the server to save meta-data. Short of a hardware dongle doing all this, and getting replaced every year, this is an intractable problem.
In reality, the biggest problems are theft and spying. Unfortunately, there's no way to stop theft of any Identity document: All we can do is reduce the surface and the current habit of making every serve
Conflicting needs (Score:2)
We need to know your identity, without knowing your identity.
Protect Children Online (Score:1)
Or, translated into realspeak...
Reduce freedom and increase government interference for poorly defined political purposes based on fear and ignorance
UK Already Pretty Creepy (Score:1)
When I visited the UK last year, I went through customs. It took one of those facial recognition scans. There was no opt-out, there was no agent at the booth, I got no stamp in my passport.
Whatever system they're using already needs to be so pervasive that their solution to "papers, please" is to take the "paper" part out of it. This doesn't surprise me at all...but it would be somewhat fun to attempt using this app on a rooted phone.
complete security theater (Score:3, Interesting)
I don't know if it was on purpose or not, but the app is very badly done, has been hacked with very simple techniques, for instance, one can reset the PIN just by opening one of the configuration xml files and deleting the PIN section, next time the app opens it asks for a new PIN, which was only stored in the device (also encrypted and not hashed), similar attacks remove facial and digital locks, and I'm sure many more bugs will appear.
Re: (Score:2)
If you can get root there are no secrets for long, you can just MITM the PIN entry too. If you can't get root you can't get to app specific storage.
Re: (Score:2)
what I saw the guy didn't specify if root was needed, but my guess it was not, and for storing a PIN number, it should have been validated on the server side not locally, or even if validated locally if an account already created it should check if the PIN has been set-up before instead of just asking for a new one, imagine if your bank or credit card worked like that, major flaw
Re: (Score:2)
The whole idea here is that there is no server side.
This is pretty well done (Score:5, Insightful)
I expect a lot of comments on this article to be varieties of "this is terrible"... but it's really not, and I happen to have significant knowledge here. There is a big caveat, though, which I'll explain below.
First, the basic thing that makes strong, reliable age verification possible in the EU is national ID cards. In every EU country, as far as I know, you can get a national ID card basically from birth. A few issue at birth by default, but even those that don't allow parents to apply for cards for their kids at basically any age, and it's not uncommon.
I get the widespread American resistance to a national ID card, but I really think it's misplaced. There are risks, yes, but on balance the benefits are far larger.
Second, when the EU says you can verify your age without revealing your identity, they seriously mean it. I worked on the ISO 18013-5 mobile driving license standard, and its protocol is the basis for the age verification scheme (18013-5 also supports privacy-preserving age verification). The protocol enables cryptographically-secure privacy-preserving age verification, providing, essentially, a single cryptographically-verifiable bit answering the question "Is this person over age X", for specific legally-important ages. A great deal of effort goes into ensuring that the keys used to sign the bit cannot be linked to the identity of the person. One important element of that is the signing keys are single-use, so if you prove your age to two different web sites, they can't compare notes and notice that your proof of age used the same signing key, thereby proving that whoever you are, you visited both.
Note that under the 18013-5 design, if the verifier (e.g. the web site receiving proof of age) could collaborate with the issuer (the government), they could deanonymize the holder (the person proving their age). Work is ongoing to devise protocols using group signatures or other cryptographic constructs that make verifier/issuer collusion fruitless. It's been a couple of years since I worked in this space, so I don't know if those new approaches have gone into production, but if they haven't, they will.
The big caveat I mentioned at the top is that there is no way for these systems to verify that the person who is providing age verification is the legitimate holder of the national ID upon which it's based. That is, a kid can steal their dad's ID and use it. Because the age verification is truly, strongly anonymous, there is no way for anyone to detect or prevent this... yet.
The "yet" is because people are working on incorporating privacy-preserving biometric authentication into the scheme. This is a little tricky because to provide privacy it's critical that the biometric acquisition and matching happen entirely in the user's device (or in the chip in the national ID card). But it can be done. Making it sufficiently secure, sufficiently reliable and sufficiently cheap is a significant engineering challenge, but it's being worked on. In another decade or so, the caveat may be removed.
If all of this seems silly to you... well, the age verification for porn may be, but the privacy-preserving selective proof technologies are general-purpose, and able to answer any age verification question and many other useful questions in a strongly privacy-preserving way. In any case where you need to prove something about yourself (age, city of residence, driving privileges, etc.) right now you need to provide the complete contents of your ID, which reveals far more about you than is necessary. The combination of cryptography, secure hardware and clever protocols used in this age verification can fix that, generally, enabling us to identify, authenticate or prove things about ourselves with only the minimal information absolutely necessary. It's a good thing.
And, honestly, it's a good idea to keep very young children away from porn.
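A simplified model of the scheme this comment describes, added here as an illustration (not code from ISO 18013-5, the EU app or the commenter): it tracks only which values each party sees, showing why single-use keys and per-credential salts stop two verifiers from linking visits while the issuer's own records still can. Assumptions: signatures are omitted, random hex strings stand in for public keys, JSON stands in for the real encoding, and every class, function and holder name is hypothetical.

```python
import hashlib
import json
import secrets


def digest(item: dict) -> str:
    """Hash one salted attribute; the verifier recomputes this on disclosure."""
    return hashlib.sha256(json.dumps(item, sort_keys=True).encode()).hexdigest()


class Issuer:
    """Issues batches of single-use credentials and keeps an issuance log."""

    def __init__(self):
        self.log = {}  # device key -> holder; this mapping exists only here

    def issue_batch(self, holder: str, attributes: dict, count: int) -> list:
        batch = []
        for _ in range(count):
            device_key = secrets.token_hex(32)  # stand-in for a fresh public key
            # Fresh salt per attribute per credential, so digests never repeat.
            items = {name: {"name": name, "value": value,
                            "salt": secrets.token_hex(16)}
                     for name, value in attributes.items()}
            # In the real scheme the issuer signs this structure (omitted here).
            signed = {"device_key": device_key,
                      "digests": sorted(digest(i) for i in items.values())}
            self.log[device_key] = holder
            batch.append({"signed": signed, "items": items})
        return batch


class Holder:
    def __init__(self, batch: list):
        self.unused = list(batch)

    def present(self, attribute: str) -> dict:
        """Spend one credential and disclose a single attribute from it."""
        cred = self.unused.pop()  # never reused after this presentation
        return {"signed": cred["signed"], "disclosed": cred["items"][attribute]}


def verifier_accepts(presentation: dict, attribute: str) -> bool:
    # The disclosed item must hash to one of the digests the issuer covered.
    item = presentation["disclosed"]
    return (item["name"] == attribute and item["value"] is True
            and digest(item) in presentation["signed"]["digests"])


def shared_values(p1: dict, p2: dict) -> set:
    """Values two verifiers could match on if they compared their records."""
    def flat(p):
        return {p["signed"]["device_key"], p["disclosed"]["salt"],
                *p["signed"]["digests"]}
    return flat(p1) & flat(p2)


def demo() -> dict:
    issuer = Issuer()
    attrs = {"age_over_18": True, "family_name": "Constructed",
             "birth_date": "1980-01-01"}  # constructed sample identity
    holder = Holder(issuer.issue_batch("holder-001", attrs, count=2))
    site_a = holder.present("age_over_18")
    site_b = holder.present("age_over_18")
    return {
        "accepted": verifier_accepts(site_a, "age_over_18"),
        "name_disclosed": "Constructed" in json.dumps(site_a),
        "verifier_overlap": shared_values(site_a, site_b),
        "issuer_lookup": issuer.log[site_a["signed"]["device_key"]],
    }
```

The empty `verifier_overlap` is the two-sites case from the comment, and `issuer_lookup` is the verifier/issuer collusion case it goes on to describe.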
Re: (Score:2)
Question # 1; How do you get the world to subscribe to this?
Question # 2; If parents can't be bothered to supervise their kids what makes you think that this will work?
I have many more questions but just these 2 tell me that this is already just theatre to make some feel good. If you are using your phone then forget about privacy.
Re: (Score:2)
If you think this has anything to do with children or porn, you are a complete fool. There is no way you are this big of a fool, so I've decided that you're probably in on this.
Re:This is pretty well done (Score:4, Insightful)
> If you think this has anything to do with children or porn, you are a complete fool.
Look, we know governments have ulterior motives, but that doesn't change the fact that kids actually are accessing things online that they shouldn't be. It doesn't cease to be a genuine problem just because the nanny state solutions have thus far all sucked.
The reason there isn't much pushback against these age gate laws is because most rational people do agree that kids shouldn't be looking at porn, we just disagree on how that can best be accomplished. Yes, parents should be using the damned parental controls that are present on every modern smart device these days, but many of them are not.
Re: (Score:2)
It's a conspiracy to increase sales of tinfoil hats.
Re: (Score:2)
> One important element of that is the signing keys are single-use, so if you prove your age to two different web sites, they can't compare notes and notice that your proof of age used the same signing key, thereby proving that whoever you are, you visited both.
(emphasis mine)
The flaw in this implementation, as with the age gate laws we already have for porn in Texas and Florida, is that it requires every damn adult site on the internet to comply. The lawmakers haven't been able to get rid of piracy from the internet, what makes them think this scheme will be any more successful?
Realistically, putting the age gate at the OS level (as Apple has been doing) and then just forcing parental controls to "ON" if the user can't pass the age check, is the least insane of
Re: (Score:2)
Yes, that may all be true, but what really worries me is the precedent this sets for more half-assed, for-profit implementations that are going to get driven through by other states and countries just because the EU is doing it.
And I suspect that for many, the loophole that you may not be the legitimate holder of the ID is going to be a major sticking point, and require some sort of ultrasonic face scan and extensive biometric data storage.
This is the end
Beautiful friend
This is the end
My only friend, the en
Re: (Score:3)
> I get the widespread American resistance to a national ID card, but I really think it's misplaced. There are risks, yes, but on balance the benefits are far larger.
The only problem with national ID cards in America is the requirement to use them to exercise your rights without first ensuring that all Americans have them.
Re: (Score:2)
- Multiple countries are planning age verification for social media with definitions of social media so broad that it might even cover traditional forums, chats etc.. If we knew the system was only required for porn pages it could be easily avoided and would not cause so much controversy.
- Bringing up offline cases where privacy might be improved are not helpful for online cases where anonymity used to be the default.
Re: (Score:2)
Do any of these strongly privacy preserving implementations come with any type of guarantees by the governments requiring them? For example, should the government as the issuer fail to secure their end so that they get hacked and now all past logged verifications can be tied to individuals, all those individuals get large budget covered by the government (or their insurance) to pay any fallout that might come from this (both compensation as well attorneys or other investigation or enforcement costs).
Such
Re: (Score:2)
> I was told universal ID is inherently racist.
Except ofc that you never once were told this. Stop listening to the voices in your head.
Build ON open source (Score:2)
That's not good enough. We need the app itself to be open source so that it can be audited if anyone wished to do so.
Otherwise, no one's going to trust it.
Re: (Score:1)
Open-source is one thing, but you need deterministic builds, and independent compiler chain. Any blob in the chain can be hijacked to introduce exploits and compromise the resulting binary.
Headline designed for Slashdot (Score:2)
That wording!
Guaranteed to make old farts go ballistic.
Yet, here we are.
COVID-19 certificates are a horrible example (Score:2)
The COVID-19 certificates absolutely revealed the full identity of users. It had full names and date of birth encoded in it. It was entirely up to the implementation of the end user's app to respect the privacy of the scanee. E.g. the Austrians gave a green tick in their app, no further info. The Dutch provided first name, or last name, or month of birth, or day of birth, or year of birth, but never more than one at a time to verify against the person displaying the pass. But all of this information was sti
Make parents parent (Score:2)
Make parents responsible for their kids. Stop with this nanny state bullshit. I know it's how the governments are framing their argument ("think of the children!") in order to try to sprinkle some seasoning on the shit salad they're trying to ram down our throats so they can track our every movement online to make it more palatable for the public to swallow, but come on!
Parents having to be responsible for what their kids are looking at online? Gasp! I'm so sick and tired of all this age verification cra
Re: (Score:2)
No child chose its parents.
but your solution is to punish the child.
Statistical fact, 50% of parents are below average as parents, out of these I would guess 90% are IT illiterate too.
Statistical fact 1/3 of girls are sexually abused by age 16. About 1 in 10 boys by the same age.
No one is forcing you to go onto age required sites, you are 100% free to avoid them
Sites are ALREADY tracking you, data matching, etc etc etc and then the three letter spaghetti US agencies are openly buying that information
Beginning of the End (Score:2)
It starts...
Think of the children data harve$ting! (Score:2)
When government overreach and business opportunity meet, there is tyranny.
Facebook (Score:4, Funny)
Why not just avoid all this government involvement and just use Facebook as an OAUTH provider. I don't imagine there's anyone under 40 with a facebook account.
Digital cert for covid vaccine proof? (Score:2)
Yikes. I'm glad that didn't happen in my country.
I got a little covid card when I got my shots, which promptly went in the trash.
LSL age verification FTW (Score:2)
No tracking, just answer a question that proves your age!
Who recorded "Tiptoe Through the Tulips"?
"What would a physician do if he were on an island with Bo Derek"
"Who was Sergeant Pepper"
will piss off OMG "for the children" liars (Score:2)
Compared to that dumb OS requirement, I love this. If it can actually preserve anonymity, this is so much better.
I'm sure will piss off financial backers for all the full ID because we want to track and sell your data companies in the U.S. and/or the NSA/Admin who seem to want to fully track everyone too E.G. IME and the new personal router ban which black-box requirements for the exception that every company will need.
Bridge for sale (Score:1)
Does anybody believe this?
Re: (Score:1)
Hello Canadian Residential School, because only the government should indoctrinate kids.
Re: (Score:3)
I bet they think no kids would ever try to circumvent this. Trust me, kids are going to work around whatever they try to put in their way. It's only going to train a generation how to bypass restrictions.
Re:Bridge for sale (Score:5, Insightful)
Believe what?
- That the open source app does what the specs say it does? Likely yes.
- That the functionality of signed store versions corresponds to the open source version? Likely yes.
- Believe in god? No.
Please be more specific.
Re: (Score:1)
we should not go along with it.
Re: (Score:3)
I sure don't believe the "completely anonymous" part.
Re: (Score:2)
why not? The government already know how old you are so they don't need this app to get access to that data.