Many might’ve seen the Australian ban of social media for <16 y.o with no idea of how to implement it. There have been mentions of “double blind age verification”, but I can’t find any information on it.

Out of curiosity, how would you implement this with privacy in mind if you really had to?

  • incogtino
    link
    fedilink
    English
    arrow-up
    24
    arrow-down
    3
    ·
    1 month ago

    A joke answer, but with the kernel of truth - IRL age verification often requires a trusted verifier (working under threat of substantial penalty) but often doesn’t require that verifier to maintain any documentation on individual verification actions

    https://chinwag.au/verification/

    • onlinepersona@programming.devOP
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 month ago

      As in, you have to roll up to an “age verification bureau” and say “I’d like to sign up to $platform, please verify that I’m of legal age to use it and tell them so”, then you buy a “token” that you can enter upon signing up? Am I understanding that correctly?

      Anti Commercial-AI license

      • incogtino
        link
        fedilink
        English
        arrow-up
        3
        ·
        edit-2
        1 month ago

        I wasn’t thinking in detail, just addressing an assumption I think a lot of age verification discussions include, which is that the verifier would have to be trusted to maintain some sort of account for you, retaining your data etc.

        I have no idea what the legislation says, but I’d be a happier privacy-conscious user if the verification platforms were independent (i.e. not in any other data business) and regulated, with a requirement they don’t retain my personal data at all (like the liquor store example)

        So the verifier gathers data from you, matches it with a request from the platform, provides confirmation that some standard has been met, and deletes almost all personal information - I acknowledge that this may not rise to the double-blind standard of the original request

        Edited to add:

        • you don’t have to ‘buy’ a token, the platform needs to pay verifiers as a cost of business

        • some other comments are asking how you prevent the verifier knowing the platform - to my mind you don’t, instead the verifier retains a request id record from the platform, but forgets entirely who you are

      • JustEnoughDucks@feddit.nl
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        1 month ago

        Here in Belgium we have cryptographically signed tokens on our legally mandated IDs.

        You can use that token to do all sorts of things (my company uses them as authorship signatures for our quality system for medical devices), but if we had some standard like that, then we could have some software that would have a OTP based on that that is a huge list of valid OTPs in a website API or so, not linked to the token itself. (So you would have to trust this software that generates the OTP). You will get people using the same OTP, but that wouldn’t matter because it would just be a validity check. Lind of like the old product key generators for games.

        Sure this could be abused or gotten around by a programmer or hack, but for 95% of the population it would be effective age verification without giving away any information or statistics. Sure, people could also abuse it and save a code and use it constantly, but then they would already have been verified. Sharing a code around would also happen with teens, but it would be far more effective than not, especially for the low stakes of age verification.

      • Pup Biru@aussie.zone
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 month ago

        yes and no: the government already has systems in place that know your age, or they can pay 3rd parties to have maintain records… so yes kinda you’d have to verify with them or they’d already have them, but you wouldn’t need to do that for each platform: it’d likely act like a social login (“login with facebook” etc) where you just tap a button and have the service attest to identity details without providing the identity itself