Lately there has been a lot of controversy about age verification and its implementation in places such as the UK and the US.
The main criticism of this mechanism is that it is done through facial recognition or a government ID, which are privacy invasive.
So here is my question as someone who comes from IT: wouldn’t it be possible to create a device which just gives out true or false depending on whether the person is of age, given some kind of piece of DNA (hair, blood, nails)?
I know there is carbon dating, but from what I understand it is a bit of a complicated process. The human body, however, shows its age visually, and I would be interested to know if genetically there are some signs as well that could be somewhat used in an automatic process.
Again I come from IT, just curious about the implications and your takes on the problem.
The solution is really, stunningly simple:
Your gov issues official documents about you (driving license, passport, id cards…). They know your age.
Your gov is also a trustworthy institution since all those cited above are official documents that anyone, anywhere will accept as valid.
So here’s the solution: the gov creates a digital certificate in which the only stored data is your age, or even less: your adult state (as a boolean; if over 18 = TRUE).
The gov issues the cert on demand to any person after presenting any valid ID to prove who you are (it can be done online, with only the id verification being done in person). The cert is bound to your device, and if you change phone, you must migrate it so you can’t have it in two devices.
Since the issuer is a trusted authority, the cert can be used as a proof of age in any site needing it as the only thing they need is to read the cert and confirm the auth of the issuer.
And as the cert is only a boolean status saying if you are underage or adult, there are no privacy concerns as the one checking your age won’t know anything else about you.
There, you just solved a “huge” problem in a simple way and with no privacy concerns.
Yeah, that’s the obvious straightforward fix, but that’s not the point. They want to have some online system that really tracks your ID checks and where you’re checking it. :)
Shit. This is actually genius and really hard to simplify further. It also never will be implemented this way by my government.
I don’t know about the UK and the US. But Germany is in the middle of leaving the Fax era…30 years behind the rest of the world. I am right now waiting for a letter from my health insurance provider so I can use their app. It’s a week overdue.
Yeah, I was overcomplicating things when a token approach, maybe even generated with a card reader or through a gov platform, is way more simple.
And it would not be hard to implement now that I realise there are many solutions like that, such as JWT, SSL, GPG, OTP, etc.
I like the idea :) It’s similar to how SSL certificates work!
Yeah, my idea comes from them. We are trying to find a “new” solution to a problem when there has been one ready for years and we only need to adapt it to this system.
As long as the key to create new certs is kept safe (and given that the auth is the government itself, I’d say they will be kept safe), you don’t need to worry about false certs. And even if the key got stolen somehow, all you need to do is change it and deprecate the old one so new certs using the old key won’t be valid.
Not sure if you know this, but in a lot of EU countries people have identity cards that are already smart cards and are used to digitally sign documents (with full legal validity) and log in to public services.
Adding an extra certificate for the age verification would be very easy. They already have all the certification infrastructure in place and are used to it. However… like I said before, it looks like they really want to control where you validate your identity, so they won’t do it in this way.
There’s also another thing to consider: a US citizen would never agree to have a unique digitally signed ID issued by the local state with an intermediate certificate issued and controlled by the federal govt. Note that if they implement the same model the EU is following, both the local state and the federal govt would be able to revoke those IDs (certificates) at any time.
People say that the US is turning into a surveillance / China-like state, but in reality the EU is way, way closer than that. Just look at what was done with the EU Digital COVID Certificate (EUDCC) recently:
And yes, there were countries blocking you from going into a store to buy basic stuff without showing a valid COVID certificate. No vax or no proof of recovery = starve out. Add the inability to move between cities to that and you’re very, very close to the “democratic” China.
More here: https://github.com/ehn-dcc-development/eu-dcc-hcert-spec
That’s because it’s exactly the same thing.
You just glossed over why this is a hard technical problem in the first place - They also need to check the cert isn’t revoked.
Otherwise, you can just hold onto a compromised cert, and reuse it.
Oh, that makes sense: an age certificate that only the gov can generate. No ties to your identity whatsoever, still one could easily borrow someone else’s. Maybe it could work like JWT or OTPs: go to the gov platform, generate it being only valid for a couple mins and paste it in the website.
Literally tied to your identity by the government
I was mentioning the token payload, which would be only the age or a boolean value.
The only way to borrow it is physically taking the phone, and even then, if the phone is locked, you need to unlock it. The cert by itself is bound to a device; if you give that device to someone else, that’s on you. It’s not a fault in the system but in the user.
Think of how 2FA apps work. They generally are locked under a code or biometrics; if someone else gets access to them, it’s because you gave them access, so it’s your responsibility.
Yeah . . . Now being devil’s advocate faceID would prevent that.
But still, if instead of binding a cert to a device we went to a gov platform for a limited time token/OTP, it would work too. It could be shared too, but so could u ask ur brother to show up in the facescan before entering a website.
Yes, but then, to generate the code, the gov has to know who’s asking for it. If the cert is locally stored in your phone, nobody can know who’s asking for it.
At least here in Portugal we have an electronic ID platform that provides some services, and that could be one of them.
What I was saying was going to that platform or app (they have an app too, I think), grab a token generated for that website specifically and paste it.
Then the website would receive the token and, given a key received by the gov to operate in the country, gets the payload and checks if the person is of age.
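
The site-specific, short-lived token described in the last few comments, as an added example that is not part of the original thread. It assumes the "key received by the gov" is an HMAC secret shared with each registered site; the function names, key values and site names are hypothetical.

```python
import base64, hashlib, hmac, json, os

# Assumption: one secret per registered website, shared by the government
# platform with that site. Both keys below are constructed demo values.
SITE_KEYS = {"shop.example": b"constructed-key-1", "forum.example": b"constructed-key-2"}

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _tag(site, body):
    return hmac.new(SITE_KEYS[site], body.encode(), hashlib.sha256).digest()

def issue_token(site, adult, now, ttl=120):
    """Platform side: the payload carries no name, birth date or user ID."""
    payload = {"adult": adult, "aud": site, "exp": int(now) + ttl,
               "jti": _b64(os.urandom(12))}  # random one-time token ID
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    return body + "." + _b64(_tag(site, body))

def verify_token(token, site, now, seen):
    """Website side: return "ok" or the reason for rejection."""
    try:
        body, tag = token.split(".")
        if not hmac.compare_digest(_unb64(tag), _tag(site, body)):
            return "bad signature"
        payload = json.loads(_unb64(body))
    except (ValueError, KeyError):
        return "malformed"
    if payload.get("aud") != site:  # defense in depth if keys were ever shared
        return "wrong audience"
    if now >= payload.get("exp", 0):
        return "expired"  # short lifetime limits lending and reuse
    if payload.get("jti") in seen:
        return "replayed"
    if payload.get("adult") is not True:
        return "not adult"
    seen.add(payload["jti"])
    return "ok"
```

In this design the issuing platform still learns which site each token is requested for, which is the objection raised earlier in the thread against generating tokens on a gov platform.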