Agreed this way is bad, but there can be a safe way of doing it. Basically, your digital ID has a way of signing that you are over 18 without giving any details. Estonia’s digital ID can do this. Imagine your digital ID has a way to sign documents with your age, but no other information. That way sites can know you’re over 18, without knowing your name, and the government doesn’t know what site you’re signing up to.
A less technical example of how this could work for the sake of explanation: You ask the government for a piece of paper that says you’re over 18. They don’t ask why you need it. All it has is a government stamp on it, saying you’re over 18. You give that piece of paper to someone trying to verify you’re over 18. They now know nothing about you other than that you’re over 18, and the government knows nothing about your activity other than that you want to prove your age for some reason.
Kids can still just use a VPN to get around this, but at least it doesn’t compromise the security of adults.
Kids can still just use a VPN to get around this, but at least it doesn’t compromise the security of adults.
And I can just sell my “you’re over 18” paper to some kid and he can use it. Spanish government proposed anonymous age verification certs some time ago. It’s also better solution than letting privet companies handle the verification but it doesn’t really solve anything. One leaked cert can be used by all the kids in Spain. If it’s truly anonymous you will never know who leaked it. If it’s not anonymous then… you know.
Well, I can also give my younger brother my ID to sign up to a site he shouldn’t be allowed to. It’s not perfect either. The advantage of this method, is that my digital ID that generates the certs can require authentication (e.g. a pin, or biometric) and sign a single cert which is valid for a single instance (this minute of this day) for a single site. It’s still anonymous, since this can be signed client side, but it can’t be abused.
If someone maliciously leaks their own certificate, and people start using third party software to sign stuff, that’s pretty dangerous, as your cert can be used to sign stuff with your ID attached as well if you want, meaning people could impersonate you for a lot of things, so you’d be pretty dumb to do that, and should report to the police that your ID has been compromised and get a new one issued.
Agreed this way is bad, but there can be a safe way of doing it. Basically, your digital ID has a way of signing that you are over 18 without giving any details. Estonia’s digital ID can do this. Imagine your digital ID has a way to sign documents with your age, but no other information. That way sites can know you’re over 18, without knowing your name, and the government doesn’t know what site you’re signing up to.
A less technical example of how this could work for the sake of explanation: You ask the government for a piece of paper that says you’re over 18. They don’t ask why you need it. All it has is a government stamp on it, saying you’re over 18. You give that piece of paper to someone trying to verify you’re over 18. They now know nothing about you other than that you’re over 18, and the government knows nothing about your activity other than that you want to prove your age for some reason.
Kids can still just use a VPN to get around this, but at least it doesn’t compromise the security of adults.
And I can just sell my “you’re over 18” paper to some kid and he can use it. Spanish government proposed anonymous age verification certs some time ago. It’s also better solution than letting privet companies handle the verification but it doesn’t really solve anything. One leaked cert can be used by all the kids in Spain. If it’s truly anonymous you will never know who leaked it. If it’s not anonymous then… you know.
Well, I can also give my younger brother my ID to sign up to a site he shouldn’t be allowed to. It’s not perfect either. The advantage of this method, is that my digital ID that generates the certs can require authentication (e.g. a pin, or biometric) and sign a single cert which is valid for a single instance (this minute of this day) for a single site. It’s still anonymous, since this can be signed client side, but it can’t be abused.
If someone maliciously leaks their own certificate, and people start using third party software to sign stuff, that’s pretty dangerous, as your cert can be used to sign stuff with your ID attached as well if you want, meaning people could impersonate you for a lot of things, so you’d be pretty dumb to do that, and should report to the police that your ID has been compromised and get a new one issued.
Find info on cl@ve.