this post was submitted on 27 Jul 2025
555 points (99.1% liked)

Technology

73379 readers
4154 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws
555
EU age verification app to ban any Android system not licensed by Google (www.reddit.com)
submitted 2 days ago* (last edited 2 days ago) by Gsus4@mander.xyz to c/technology@lemmy.world
115 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] iii@mander.xyz 1 points 23 hours ago* (last edited 23 hours ago) (1 children)

It's that "whatever way" that is difficult. This proposal merely shifts the problem: now the login to that 3rd party can be shared, and age verification subverted.

[–] General_Effort@lemmy.world 2 points 22 hours ago (1 children)

A phone can also be shared. If it happens at scale, it will be flagged pretty quickly. It's not a real problem.

The only real problem is the very intention of such laws.

[–] iii@mander.xyz 1 points 20 hours ago (1 children)

If it happens at scale, it will be flagged pretty quickly.

How? In a correct implementation, the 3rd parties only receive proof-of-age, no identity. How will re-use and sharing be detected?

[–] General_Effort@lemmy.world 1 points 18 hours ago (1 children)

There are 3 parties:

  1. the user
  2. the age-gated site
  3. the age verification service

The site (2) sends the request to the user (1), who passes it on to the service (3) where it is signed and returned the same way. The request comes with a nonce and a time stamp, making reuse difficult. An unusual volume of requests from a single user will be detected by the service.

[–] iii@mander.xyz 1 points 10 hours ago* (last edited 10 hours ago) (1 children)

from a single user

Neither 2 nor 3 should receive information about the identity of the user, making it difficult to count the volume of requests by user?

[–] General_Effort@lemmy.world 1 points 3 hours ago (2 children)

Strictly speaking, neither needs to know the actual identity. However, the point is that both are supposed to receive information about the user's age. I'm not really sure what your point is.

[–] iii@mander.xyz 1 points 2 hours ago (1 children)

I must not be explaining myself well.

both are supposed to receive information about the user's age

Yes, that's the point. They should be receiving information about age, and age only. Therefore they lack the information to detect reuse.

If they are able to detect reuse, they receive more (and personal identifying) information. Which shouldn't be the case.

The only known way to include a nonce, without releasing identifying information to the 3rd parties, is using a DRM like chip. This results in the sovereignty and trust issues I referred to earlier.

[–] General_Effort@lemmy.world 1 points 1 hour ago (1 children)

The site would only know that the user's age is being vouched for by some government-approved service. It would not be able to use this to track the user across different devices/IPs, and so on.

The service would only know that the user is requesting that their age be vouched for. It would not know for what. Of course, they would have to know your age somehow. EG they could be selling access in shops, like alcohol is sold in shops. The shop checks the ID. The service then only knows that you have login credentials bought in some shop. Presumably these credentials would not remain valid for long.

They could use any other scheme, as well. Maybe you do have to upload an ID, but they have to delete it immediately afterward. And because the service has to be in the EU, government-certified with regular inspections, that's safe enough.

In any case, the user would have to have access to some sort of account on the service. Activity related to that account would be tracked.

If that is not good enough, then your worries are not about data protection. My worries are not. I reject this for different reasons.

[–] iii@mander.xyz 1 points 51 minutes ago* (last edited 48 minutes ago)

is being vouched for by some government-approved service.

The reverse is also a necessity: the government approved service should not be allowed to know who and for what a proof of age is requested.

And because the service has to be in the EU, government-certified with regular inspections, that's safe enough

Of course not: both intentional and unintentional leaking of this information already happens, regularly. That information should simply not be captured, at all!

Additionally, what happens to, for example, the people in Hungary(*)? If the middle man government service knows when and who is requesting proof-of-age, it's easy to de-anonymise for example users of gay porn sites.

The 3rd party solution, as you present it, sounds terrible!

(*) Hungary as a contemporary example of a near despot leader, but more will pop up in EU over the coming years.