Age verification online can be done safely and privately. Here's how

Resident Pulser@infosec.pub · 2 days ago

Age verification online can be done safely and privately. Here's how

Kairos@lemmy.today · 2 days ago

Basically, it reduces to

User does face scan or whatever
Service verifies this
Service generates cryptographic ticket of some sort and promises to not attach this ticket to the user’s face
User uses ticket.

Fundamentally there’s always a way to break that promise.

Hirom@beehaw.org · 2 days ago

That approach is indeed easy to break, not privacy friendly. But also, it’s not what this article is referring to.

For example, the German eID exchanges data directly between a microprocessor in a person’s plastic “eID card” and the platform. The microprocessor proves it belongs to a government-issued eID via a cryptographic key, which is shared with 9,999 other eIDs. This means the only thing a platform learns is that one of 10,000 potential people signed up.

Kairos@lemmy.today · edit-2 2 days ago

You did not listen to me. The German government could keep a map between this chip and the ID it’s issued to. They just don’t. (Edit: don’t know anything about if they do.)

It might be easier to understand this via algorithm runtime.

Imagine there’s some EID database of some sort. A storage of which of all possible keys are tied to valid IDs, or something. Doesn’t matter what it stores, really.

Now imagine that Germany wants to issue another one of these EIDs to an adult. This would change that database in some way. This change will only touch some small amount of data in the database. Maybe just adding a row. It’d be infeasible to recompile the database, or something.

Now, if this adult were to want to verify their ID or whatever, this process would necessarily touch this and pretty much only this data. If the German government were to keep metadata tying that DB entry or whatever to the person’s name, they can tie the cryptographic process of age verification to their real ID.