I’m looking for studies that either say that Digital ID/Age verification can be done in a truly private manner or not.
I have read a bunch of stuff, there is a lot of noise about this subject.
I want to be able to submit something to politicians as to how this system is going to be a huge target; and the dangers around it. But I also want to be able to know if it is technically possible to do it properly.
Check zero knowledge solutions. It’s very doable, for example with privado.id
If a database exists, it can be hacked and exfiltrated. With attacks ramping up on states municipalities, which are often behind on security updates, they also don’t give their 70yo clerical staff proper infosec training to avoid social engineering techniques, nor do they pay them enough to care.
I would look to recent reports of attacks on local governments, rather than studies. Politicians aren’t exactly skilled at understanding studies, but exciting news headlines might be enough to grab their attention. !cybersecurity@sh.itjust.works might be a good place to start!
The govs all around the world always have had and always will have a record of the populace. They’re the ones responsible for verifying ID. Think about it, what’s the only way to verify your ID around the world? With gov documents.
I wish they would care more about the security of that information but they don’t, they won’t, and they’re not just going to delete it. Ever.
That’s why the gov has to be the one implementing any sort of ID checks. Contracting this responsibility out to private third party corpos is dangerous as fuck.
The EU digital wallet looks private and secure to me but I am not an infosec professional. It just generates a token to give to a site that verifies “yes this user is over 18” and nothing else. It’s too bad it was not included as a requirement of the existing legislation.
Cheers.
I’ll worry about how to package the info; so that a politician can digest it. But if it is not technically possible; I want to be able to reference some studies that back me up.
“It is difficult to get a man to understand something, when his salary depends upon his not understanding it”
Agreed, but it behooves me to have the information when/if asked.
Could it be done in a privacy respecting way? Probably.
Will it be done in a privacy respecting way? There’s no chance.
In Australia they had plenty of experts telling them all the limitations and problems with the system, but they don’t care. As with the UK and the US, the purpose is to remove privacy, under the guise of “Saving the Children”™️
Short answer: no. Cory Doctorow has a helpful breakdown of Steve Bellovin’s paper “Privacy-Preserving Age Verification—and Its Limitations” that explains why (the relevant section of which is titled Insurmountable Obstacles).
Awesome, thanks for that.
I’ll have a good read through those.
I tell you what I want. I want my dental, health and eye data in a standard format that I can carry with me.
Digital ID can be private - PGP keys are a form of digital ID, verified through a web of trust; there are no requirements to include any PII in a PGP key - it’s done by convention. So it’s demonstrably possible.
So let’s use PGP keys as a base for a contrived system. The user takes a PK containing no PII to a registrar who verifies the user’s age and signs the key. The registrar does not record the PK or who it belongs to. The user later anonymously uploads the PK to a key store. Now, sites could ask for a signature, and compare it to PKs in the key store, and be sure the key was issued to a person who’s been validated. It wouldn’t prevent key sharing, and sites could still build up profiles based on the PK, but it’d be private.
Many crypto currencies and digital voting systems have developed Zero Knowledge Trust systems; there are certainly better anonymous verification systems than my hacked together example.
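
The contrived registrar scheme from the comment above, as an added sketch that is not part of the thread or any poster's code. Assumptions: textbook RSA over constructed Mersenne-prime keys stands in for PGP signatures, the registrar's signature travels with the key instead of going through a key store, and every function and class name is hypothetical.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by every toy key

def make_key(p, q):
    """Textbook RSA key from two primes: returns (modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

def pk_bytes(n):
    """Serialized public key: just the modulus, so it carries no PII."""
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

# Constructed keys built from Mersenne primes (far too weak for real use).
REG_N, REG_D = make_key(2**127 - 1, 2**107 - 1)    # registrar
USER_N, USER_D = make_key(2**89 - 1, 2**61 - 1)    # age-checked user
ROGUE_N, ROGUE_D = make_key(2**61 - 1, 2**31 - 1)  # never visited the registrar

def registrar_certify(user_n):
    """Registrar checks age out of band, signs the bare key, records nothing."""
    return sign(pk_bytes(user_n), REG_N, REG_D)

class Site:
    def __init__(self):
        self.seen = set()  # fingerprints of keys this site has admitted

    def challenge(self):
        return secrets.token_bytes(16)  # fresh nonce defeats replayed responses

    def admit(self, user_n, cert, nonce, response):
        # 1) registrar vouched for this key, 2) caller holds its private half
        ok = verify(pk_bytes(user_n), cert, REG_N) and verify(nonce, response, user_n)
        if ok:
            self.seen.add(hashlib.sha256(pk_bytes(user_n)).hexdigest())
        return ok

def login(site, n, d, cert):
    """User side: answer the site's challenge with a signature over the nonce."""
    nonce = site.challenge()
    return site.admit(n, cert, nonce, sign(nonce, n, d))
```

Two independent sites that admit the same key end up storing the same fingerprint, which is the profiling caveat the comment names; nothing in the exchange binds the key to a person, so a shared private key passes as well.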