undefined | Better HN

0 pointsrtkwe3mo ago0 comments

> Isn’t that the entire point of government ID of any variety?

Ideally this could be done without deanonymizing accounts to service providers unless the user wants to for a 'verified' account linked to their identity publically but I don't think any digital ID system has been built that way. Imagine it acting like OAuth but instead of passing back an identity token it's just verification of age, platforms would store that which would show they had performed the age verification and could be used for other age gates if there are any.

0 comments

sorenjan3mo ago

That's how EU's digital wallet is supposed to work:

> The selective disclosure of attributes will allow you to only share the specific information requested by a service provider, without revealing extra information.

> For example, with the selective disclosure of attributes you could choose to share your date of birth, but without revealing any other identifying details that could be used for profiling.

https://ec.europa.eu/digital-building-blocks/sites/spaces/EU...

xp843mo ago

You're totally right that it would be easy from a tech perspective to do that. it's a shame that:

(A) most people cannot grasp how it could be that "GovSSO" can attest "This person you just sent our way just logged into GovSSO [with biometric 2FA], and they are at least 16 years old" without the receiving system having any way of knowing who that citizen is or even whether they're 16 or 99.

(B) very real terrible government policies the UK has (like jailing people for speech, and like demanding encryption backdoors that compromise the security, at minimum, of the whole of every British citizen's devices, and at worst every device in the world) incline anyone who's paying attention to assume that the government will somehow use anything related to "ID" and "internet" to do idiotic things like figuring out who owns a Twitter account that committed some wrongspeak so the bobbies can come round them up.

Aurornis3mo ago

> (A) most people cannot grasp how it could be that "GovSSO" can attest "This person you just sent our way just logged into GovSSO [with biometric 2FA], and they are at least 16 years old" without the receiving system having any way of knowing who that citizen is or even whether they're 16 or 99.

The loophole that every kid everywhere would instantly figure out is that they just need to borrow their mom’s ID, their older brother’s ID, or a pay some Internet service $1 to use their ID.

This is why the services aren’t designed to totally separate the ID from the account. If nothing actually links the ID to the account then there is no disincentive for people to share their IDs or sell their use for a small fee. Stolen IDs would get farmed for logins.

So the systems invariably get some form of connection to the ID itself. The people making these laws aren’t concerned about privacy aspects. They want maximum enforcement of their goals.

xp843mo ago

> The loophole that every kid everywhere would instantly figure out is that they just need to borrow their mom’s ID, their older brother’s ID, or a pay some Internet service $1 to use their ID.

Do most kids have their parents' ATM card and PIN? Their Gmail credentials and 2FA device? Tons of stuff today relies on a secret the parents aren't supposed to share with their kids. When logging in on a device that wasn't marked "remember this next time" it should be requiring 2FA. Yes, your 19 year old bro can get you porn, but that's been true for like 60 years buying Penthouse at the liquor store.

Of course all this is academic, since the fact is that because things like oAuth are not intuitively grokkable by non-computer people, so no one would accept "having to sign into <porn site> with GovSSO" even if everything was verifiably privacy-respecting.

kdinn3mo ago

You just described OpenID

j / k navigate · click thread line to collapse

0 comments

sorenjan3mo ago

That's how EU's digital wallet is supposed to work:

> The selective disclosure of attributes will allow you to only share the specific information requested by a service provider, without revealing extra information.

> For example, with the selective disclosure of attributes you could choose to share your date of birth, but without revealing any other identifying details that could be used for profiling.

https://ec.europa.eu/digital-building-blocks/sites/spaces/EU...

xp843mo ago

You're totally right that it would be easy from a tech perspective to do that. it's a shame that:

Aurornis3mo ago

The loophole that every kid everywhere would instantly figure out is that they just need to borrow their mom’s ID, their older brother’s ID, or a pay some Internet service $1 to use their ID.

So the systems invariably get some form of connection to the ID itself. The people making these laws aren’t concerned about privacy aspects. They want maximum enforcement of their goals.

xp843mo ago

> The loophole that every kid everywhere would instantly figure out is that they just need to borrow their mom’s ID, their older brother’s ID, or a pay some Internet service $1 to use their ID.

kdinn3mo ago

You just described OpenID

j / k navigate · click thread line to collapse