this post was submitted on 15 Apr 2026
438 points (97.0% liked)
Technology
I don’t have to give up any rights for age gating to work anonymously and properly. Neither do you.
Explain basically every privacy, cyber security and child safety organization saying this is a bad idea, then.
I’d love to engage in this. Before we do that, please can we be clear if we are talking about the EU system, or the USA-proposed OS-based system? Given they are not the same, the reactions to these two systems have also not been the same.
Both. There's a difference between showing some clerk your ID compared to uploading it to the internet. It's not a question of if it gets hacked. It will be. Denial of this is dangerous. If you don't see this as important, you're desensitized by the sheer number of yearly cyber attacks.
And that's only the start. Children will only be marginalized. Protected groups will be increasingly threatened. Take your pick on whatever organization you want to look at, and they'll say this doesn't help anyone, except maybe foreign adversaries and hacking groups. What happens when the next government comes along and decides to make a more US kind of implementation? The point is, that we should not make this the precedent. Ever. Kick it while it's down.
Ok, but for what it’s worth, I’m only trying to defend the EU proposal. This discussion was about the EU proposal, from the very first OP. The US proposal, such as I understand it (I haven’t looked into it that much, since I don’t live there), seems a huge privacy risk that plays into the hands of corporations. No thanks.
In the EU system, you start with a verifiable online identity system. These differ from country to country but all perform the same task: They allow you to prove who you are.
So you go to an online portal and you log in, as you. This system issues you a set of tokens, which do not hold your PII. They solely say “This person is over 18”. If you want a token to say “this person is over 13”, you need a different token. A token is a number that has been signed by the issuing authority in a way that can only be done by the issuing authority. You store these tokens, encrypted, in your age verification app.
Now IF the issuing authority stored “I issued token X to person Y” we would have a huge problem. They don’t. All they do is store “this token was issued”. If they chose to store that a specific token was issued to a specific person, they could track what sites you used the tokens at. So you have to trust your state here, just like you have to trust them not to access your phone records, or your credit card transactions or which mobile mast your phone logs on to.
You proceed to a site that requires an age gate. You are presented with a QR code, which you scan with your age verification app (the one that stores the age verification tokens). This QR code contains a URL that holds the verification attempt ID (created by the gater) and your app now connects to this URL (be advised this URL is not the URL of the gater, but of a third party gating service) and sends one of your verification tokens. The third party verification service checks this with the issuing authority and confirms it is a valid token, then retires it if it is. The third party service now calls to the gater and says “this verification attempt has indeed proven their age”.
The gater then lets you proceed.
Throughout this attempt the only place that can be hacked to reveal your PII would be the issuing authority - no other service knows anything about you. What a hacker would have to do is insert code that captures the issuing of tokens and somehow grabs your PII at that time. But what’s important to understand is that the issuing service also doesn’t know who you are, because they don’t store all your PII when they issue your tokens - they just have the required information about you from the identity service you used to log in (chiefly your age). So even if a hacker got in here, they couldn’t grab who you were, merely when you were born.
Many security experts have analysed this flow and supported it. I myself cannot see what a hacker could really do here. So, in this case, specifically for the EU system, which this post was about, I am willing to accept that the advantages of not having minors access tobacco, alcohol or age gated media far outweigh the privacy risks.
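The token flow described in the comment above, as an added sketch that is not part of the thread and not code from any EU project. All class and function names are hypothetical, and an HMAC under a key held only by the authority stands in for the authority's signature, since the comment has the third party check tokens with the issuer.

```python
import hashlib
import hmac
import secrets

class IssuingAuthority:
    """Signs age claims; records that a token exists, never who received it."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # known only to the authority
        self.issued = set()    # "this token was issued"
        self.retired = set()   # tokens already spent

    def _tag(self, body):
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, age, claim_age):
        # The identity login supplies only the age; no name or ID number is kept.
        if age < claim_age:
            return None
        body = f"over{claim_age}:{secrets.token_hex(16)}"
        self.issued.add(body)
        return f"{body}:{self._tag(body)}"

    def check_and_retire(self, token):
        body, _, tag = token.rpartition(":")
        if not hmac.compare_digest(tag.encode(), self._tag(body).encode()):
            return None                      # forged or altered token
        if body not in self.issued or body in self.retired:
            return None                      # unknown or already used
        self.retired.add(body)               # single use
        return body.split(":")[0]            # e.g. "over18"

class VerificationService:
    """Third party named in the QR code URL; sees a token and an attempt ID only."""
    def __init__(self, authority):
        self.authority = authority
        self.results = {}

    def submit(self, attempt_id, token, required):
        claim = self.authority.check_and_retire(token)
        self.results[attempt_id] = (claim == required)

def age_gate(service, token, required="over18"):
    attempt_id = secrets.token_urlsafe(8)        # created by the gater, shown as QR
    service.submit(attempt_id, token, required)  # sent by the user's app
    return service.results[attempt_id]           # all the gater ever learns
```

The privacy property depends on `issued` holding token bodies only; an authority that also logged the recipient at `issue` time could link later verifications to a person, which is the trust assumption the comment states.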