Pornhub and two other adult sites are suing the European Union over a landmark digital content law, the Digital Services Act, which imposes age verification and other obligations on large platforms. The European Commission last year named Pornhub, Xvideos and Stripchat as a category of “very large online platform” under the act, which includes obligations such as age verification measures for minors and creating a library of adverts published on their sites. Companies that fall foul of the law can be fined up to six percent of their global turnover. This lawsuit follows similar legal challenges by online retailers Amazon and Zalando.
I generally like the spirit of the DMA and the DSA, but the age verification policy is utterly garbage. Privacy and age verification are mutually exclusive.
You can use the German ID card as a way to authenticate yourself via the Internet (by using an open source app), including age. Shouldn’t it be possible to provide a limited interface that e.g. only signals if the person is above a certain age? You already have to enter a PIN in the app so it could also easily show which information is asked/transmitted.
The infrastructure to support such things is naturally anti-privacy. Ultimately it requires someone to simply ignore other info that would otherwise be accessible. There could be a unique governing body for that part which is chartered for only sharing appropriate info, but even then, it’s an ask for people to trust that body and that it wouldn’t leak.
Nah. The ID card says “here, have a proof that I’m an ID card issued by <state>, and I assert that the bearer is 18+”. The crypto involved can be furnished such that nothing but the issuing authority and the fact “18+” gets transmitted, no name, no id number, no nothing. You can’t even match up different times you age auth with the same ID as every time the proof will look different.
That said I’m still against that kind of auth online, but the crypto is not the issue. Unlike voting it’s actually solvable.
This is a best-case-scenario implementation. I just think it is extremely likely that any approach actually implemented would not have the privacy of the user in mind.
In essence, if that were possible someone could build an API and donate his ID into it that answers all the authentication requests for everyone. There needs to be a way to ensure different users use different IDs, which necessitates a bunch of tracking.
And that in the ideal case.
A system doesn’t have to be perfect to accomplish most of its goals. I mean, mass usage could be easily caught. Smaller scale abuse would be like giving your younger friend a beer - technically against the rules but not really a huge problem.
To be able to catch that, you need tracking. Some identifier to determine if you had 1000 authentications from the same source or different ones.
Yes, correct. You have to assume that each party will be tracking everything they can, otherwise it doesn’t make sense. So the age verifier will know that you have requested many authentications in a given time.
Yes, and it can be done in a way where the organization validating the age doesn’t know the purpose. They would still know that you requested an age validation and when, but that’s it. So the German government wouldn’t know whether it was for porn or for signing up for a youth hostel.
I’m not saying that I agree with the restrictions, but it is possible technically.
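The split argued over in this thread (the issuer knows who asked and how often, the site learns only "18+", and the two cannot be matched up) can be shown with a toy blind RSA signature. This is an added example, not code from any commenter and not the German ID card's actual protocol; blind signatures are a stand-in technique, and the names `Issuer`, `Site`, `request_token`, `consistent_entries`, the card ids and the tiny key are all constructed for the demo.

```python
import hashlib
import secrets
from math import gcd

# Toy issuer key built from two Mersenne primes (constructed; not secure).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent

def h(token: bytes) -> int:
    """Hash the attribute "18+" plus a random token into Z_N."""
    return int.from_bytes(hashlib.sha256(b"18+|" + token).digest(), "big") % N

class Issuer:
    """Knows who asks and how often; never sees the token it signs."""
    def __init__(self, quota: int):
        self.quota, self.log = quota, []  # log holds (card_id, blinded)
    def sign_blinded(self, card_id: str, is_adult: bool, blinded: int) -> int:
        used = sum(1 for cid, _ in self.log if cid == card_id)
        if not is_adult or used >= self.quota:  # per-card rate limit
            raise PermissionError("refused")
        self.log.append((card_id, blinded))
        return pow(blinded, D, N)

def request_token(issuer: Issuer, card_id: str, is_adult: bool):
    """Holder side: blind, obtain signature, unblind. Returns (token, sig)."""
    token = secrets.token_bytes(16)
    while True:
        r = secrets.randbelow(N - 2) + 2  # fresh blinding factor per request
        if gcd(r, N) == 1:
            break
    blinded = h(token) * pow(r, E, N) % N
    sig = issuer.sign_blinded(card_id, is_adult, blinded) * pow(r, -1, N) % N
    return token, sig

class Site:
    """Relying party: sees only (token, sig) and accepts each token once."""
    def __init__(self):
        self.spent = set()
    def accept(self, token: bytes, sig: int) -> bool:
        if token in self.spent or pow(sig, E, N) != h(token):
            return False
        self.spent.add(token)
        return True

def consistent_entries(issuer: Issuer, token: bytes) -> int:
    """Count issuer log entries that some blinding factor maps to this token."""
    m, m_inv = h(token), pow(h(token), -1, N)
    return sum(1 for _, b in issuer.log
               if m * pow(pow(b * m_inv % N, D, N), E, N) % N == b)
```

Even with its private key and full log, the issuer finds every logged request equally consistent with any presented token, while the per-card quota and the site's spent-token set are what limit a shared or replayed credential.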