[1] https://xcancel.com/Paul_Reviews/status/2044502938563825820
[2] https://xcancel.com/paul_reviews/status/2044723123287666921
[3] https://csa-scientist-open-letter.org/ageverif-Feb2026
> "The saga is turning into a PR disaster for Brussels."
imo: mostly because the author wants it to be a disaster.
The app has not launched; they published the source code in order to invite external review. I don't have time for every claim, but e.g. this [see quote below] seems to be blown out of proportion to me - the app fails to delete a temp. image, which results in a selfie being stored indefinitely(?) on the internal disk of your device - if an adversary has access to the internal disk of my phone, they can also just access the photo roll.
"For selfie pictures:
Different scenario. These images are written to external storage in lossless PNG format, but they're never deleted. Not a cache... long-term storage. These are protected with DE keys at the Android level, but again, the app makes no attempt to encrypt/protect them.
This is akin to taking a picture of your passport/government ID using the camera app and keeping it just in case. You can encrypt data taken from it until you're blue in the face... leaving the original image on disk is crazy & unnecessary."
The damage is limited because the selfie is only retained on device, but it still does not signal competency from the EU to fail at the most basic hurdle of disposing of the selfie once verification is complete.
This is misleading, yet everyone seems to repeat it. Discord's implementation of ID verification did not retain IDs. Reporting on this was so poor, but what appears to have happened was that people that failed age estimation / ID checks had to raise a support ticket and get manually reviewed. That support platform was pwned and the active support tickets were leaked. Who knows how long these support tickets were set to live for, but up to 70,000 active tickets getting leaked feels like a drop in the bucket. It's also not immediately clear to me what the alternative is (other than not getting hacked), when you require human intervention to review problematic IDs. Even if the ID only lived on their server for 24 hours during manual review, across a userbase of >200 million users, that's a lot of IDs at risk at any given moment, especially during these initial roll outs of age verification.
I read that from many reactions in discussions, but not from their own channels? (Maybe I missed that)
It is ready for deployment: https://commission.europa.eu/news-and-media/news/european-ag...
The message is that it is ready, 'ticks all the boxes' (the published code does not) and that it is now ready for integration by other countries. https://xcancel.com/vonderleyen/status/2044340323120193595#m
Then in the article I read that what we see now is a 'demo' version. So the code on GitHub is not the current code?
Member states will either fork or redevelop their own apps around the proof-of-concept app. The app on GitHub that was "hacked" will never be deployed directly and that was never the plan either.
So far, this whole project has been an excellent way to gauge news outlets on whether they're trying to report the news or are just trying to win clicks through FUD and outrage. Most of them don't seem to know what they're writing about when they report about flaws and problems.
In other words, sorry but it’s here to stay.
The EU on the other hand does not have a common constitution, army etc. so is not a real state (yet). It is made up of sovereign nations who come together, debate and decide there, but then it is still up to the members to implement that.
So the transition to the EU as one state is happening, but might never complete.
It is true that the EU institutions are ultimately subordinate to the member states in a way that, say, the US federal institutions are not, but the EU is still very much its own thing. It even has legal personality these days: you can sue the EU and the EU can sue you.
https://en.wikipedia.org/wiki/Seat_of_the_European_Parliamen...
Spoiler, the parliament moves once a month between Brussels and there. That's how centralized the EU is, we cannot even decide on one fixed place to meet and decide.
Perhaps the earliest example is Pharaoh. It originally referred to the royal residence.
Which kind of proves your point.
It is not? But also it is.
You are right that when people say "Scotland Yard" they do frequently mean the whole Metropolitan Police. And you are also right that there is no other police entity (that I know of) which would be associated with that name.
But also, "Scotland Yard" was just the address of the original headquarters of the Metropolitan Police. Even then it wasn't the whole organisation, just the address of one of the buildings. Then they got a new headquarters and called it "New Scotland Yard". And to confuse matters further they repeated this multiple times. Which means there are 3 buildings which were called "New Scotland Yard" at various points in time.
And today of course the MET occupies far more real estate than just the famous "Scotland Yard". For example if you look at this FOI request[1] you can see that there were 226 other buildings the Metropolitan Police used in 2023. (Not counting covert/sensitive estate).
1: https://www.met.police.uk/foi-ai/metropolitan-police/disclos...
Scotland Yard was originally the name of the street in which the headquarters of the Metropolitan Police was located.
Yes, I heard of the concept. My point was just that many have a misconception about the nature of the EU.
So while linguistically it's the same system as using 'Washington' or 'Moscow', Brussels is specifically in the bad spot where it gets blamed for unpopular stuff but never praised for popular things.
So ‘Brussels suffered a deadly fire’ will always refer to the city. ‘Brussels decides on new aircraft regulations’ will almost always refer to either the city government, the Belgian government, or the EU Parliament headquartered there. Brussels is just an exceptional case because there is so much based there, as opposed to the Hague or the Vatican.
And Brussels is not the capital of the EU because the EU is not a country.
Look, let's be clear here. The UK (as a member state) was concerned that the EU was becoming too federal. Therefore (following Machiavelli) they decided to push for new members, mostly the eastern bloc countries.
Then, politically, it was difficult for them to refuse to allow immigration from those countries (many of the other members had a moratorium for a few years post-accession). This led to lots of British people becoming very upset, at the EU for some reason (even though their government had done this).
Which it is. How nasty to engage in wrongthink.
It doesn't imply that people from Brussels are the ones to decide, not everyone has the same idea anyways. Though, as citizens of an EU member state, they have some responsibility, at least indirectly.
Except that half the time the assembly sits in Strasbourg. https://en.wikipedia.org/wiki/Seat_of_the_European_Parliamen...
The "Brussels" metonym is probably the most ambiguous reference to a government body on the planet.
The point of this is that you can use the credentials on your phone to prove that you are an adult to a website using zero-knowledge proofs to avoid disclosing your identity to anybody.
If somebody who has access to your unlocked phone can access the data in the app, then this is something that should be tightened up but it’s a substantial privacy improvement over the far more commonplace option of uploading your ID to every website that wants to know if you are an adult.
It’s an attempt to avoid things like this:
> Discord says 70k users may have had their government IDs leaked in breach (Oct 2025, 435 comments) - https://news.ycombinator.com/item?id=45521738
It is my understanding that this is not possible. I would be happy to be shown to be wrong, but to me it seems like you can either prevent people from lending out their credentials, or you can preserve the anonymity of the user, but not both.
You can use 0KP to prove you have a signed certificate issued by your government that says you are an adult, but then anyone with such a certificate can use it to masquerade as however many sock puppets they like and act as a proxy for people who aren't adults. You can have the issuing government in the loop signing one-time tokens to stop Adults-Georg from creating 10k 18+ attestations per day, but then the issuing government and the service providers have a timing side-channel they can use to correlate identities to service users. Is there some other scheme I'm missing that solves this dilemma?
This is not designed to prevent adults from coöperating with minors; that makes no sense as a design goal because any technical measure can always be bypassed with “download this for me and give me the file”. This is designed to prevent minors from being able to access systems without an adult.
Nothing prevents an adult from buying alcohol on behalf of minors; that doesn’t mean laws that prevent minors from directly buying alcohol are useless.
If the proof of adulthood scheme is truly anonymous, one adult with some technical chops who thinks "kids should be allowed to watch porn if they want" would be able to, say, run an adult-o-matic-9000 TOR hidden service that anyone can use to pinky promise that they are an adult without fear of repercussions. If such a service comes with a meaningful risk of being identified and punished, it is by definition not anonymous.
I suppose I'm just not convinced giving up some basic liberties for a law that converts into sternly worded advice if just one adult chooses to break it is a great idea.
For example, in the UK it’s only illegal to give alcohol to a child younger than 5 years old.
France has no limitations, giving a toddler wine is not explicitly illegal. Getting a child drunk would be.
I also don't think you'll find many ISPs terribly keen to fight for the neutral treatment of TOR connections when the reason for this fight is explicitly to serve porn to minors.
The certificates in question can use a few mitigations: short lived, hardware stored (in a TPM, making distribution harder), be single use, have a random id for which the service being accessed can check how many times it has been used.
> but then the issuing government and the service providers have a timing side-channel they can use to correlate identities
That's not really a concern, IMO. That would always exist as a risk - most people would probably have a flow of trying to do something, having to prove ID/age, doing that step, continuing with the something, which means you'd probably be able to time correlate the two sides quite often. The solution here is legal with strong barriers, not technical.
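The mitigations listed in the comment above (short-lived, single-use, random id with a use count) sketched from the relying party's side, as an added example that is not part of the thread or of the EU app's code. The token layout, `issue_attestation` and `RelyingParty` are hypothetical, and HMAC stands in for the issuer's signature only so that the example runs on the standard library.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo key. HMAC stands in for the issuer's signature here; a real
# issuer would sign with an asymmetric key so that relying parties can verify
# attestations but cannot mint them.
ISSUER_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_attestation(now: float, ttl: int = 300) -> str:
    """Hypothetical issuer: a random id, an expiry and the claim, nothing else."""
    body = json.dumps(
        {"id": secrets.token_hex(16), "exp": int(now) + ttl, "claim": "age_over_18"},
        sort_keys=True,
    ).encode()
    tag = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


class RelyingParty:
    """Accepts each attestation id at most max_uses times before it expires."""

    def __init__(self, max_uses: int = 1):
        self.max_uses = max_uses
        self._seen = {}  # attestation id -> (use count, expiry)

    def _purge(self, now: float) -> None:
        # Expired ids can be forgotten: the expiry check rejects them anyway,
        # so the replay table stays bounded by the token lifetime.
        for tid in [t for t, (_, exp) in self._seen.items() if exp <= now]:
            del self._seen[tid]

    def verify(self, token: str, now: float) -> str:
        try:
            body_b64, tag_b64 = token.split(".")
            body = base64.urlsafe_b64decode(body_b64)
            tag = base64.urlsafe_b64decode(tag_b64)
        except ValueError:
            return "malformed"
        expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad_signature"
        fields = json.loads(body)  # parsed only after the tag has been checked
        if fields["exp"] <= now:
            return "expired"
        self._purge(now)
        uses, _ = self._seen.get(fields["id"], (0, fields["exp"]))
        if uses >= self.max_uses:
            return "replayed"
        self._seen[fields["id"]] = (uses + 1, fields["exp"])
        return "ok"
```

The replay table only works per relying party: the same attestation shown to two different sites is not caught unless they share state, which is where the correlation concern raised in the thread comes back in.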
Multiple accounts must be supported, because e.g. personal and work accounts must be separate to not mix them.
I think a zero-knowledge system here would be quite desirable. But a centralized repository that is e.g. maintaining tabs on every single adult-authorization for every single person with verifiable details of them is, by contrast, a dystopic disaster waiting to happen because it will be hacked, leaked, and abused, sooner or later.
Basically you can prove that you have an identification document and that a certain property is true without revealing anything else.
For some contrast this [1] is an infographic from NASA about the Apollo program in the 60s. Enough details to inform one from a technical perspective, but also organized well enough that even if you know nothing about space or space flights, you could walk away with a pretty good idea of what's going on, and it might even spark your interest enough to research some things you didn't follow.
[1] - https://assets.science.nasa.gov/content/dam/science/psd/luna...
This open source and transparent ZKP-based approach is extremely surprising to see, publishing a draft in advance and inviting the public to break it so it can be improved? Are you kidding me? What about the billions of private investment in all the companies that offer centralized ID checks like Persona, Socure, ID.me and more? That's a growing billion dollar industry. They all counted on this as a future market opportunity that the EU just seems to have destroyed at least in the EU?
People fighting against this age id app might be paradoxically useful idiots for billion dollar investments and lobbying efforts. The demos is once again dragged into the trenches to fight a war they don't understand.
- MUST use either Google or Apple account
- must not be banned by the provider or sanctioned in the USA
These issues have been flagged to the devs working on the blueprint since the inception, only to be handwaved away.
Getting banned can happen randomly even if you're not doing anything illegal or wrong (it's enough for a robot to decide you're within the blast radius), getting sanctioned can happen if you're a UN lawyer investigating human rights abuses USA actually likes.
So I do see a problem here.
Or just give parents easy to use parental controls. But that wouldn't grow the surveillance state.
That's the theory. How is it in practice?
In my opinion, it just means there is a single government database to hack to get copies of all IDs...
By the way have the "security experts" checking this app evaluated that part? Or they're just worried about the app users cheating?
That doesn't make sense, all IDs are already in a single government database. Kind of by definition in fact, for IDs to be useful they need to be emitted by a central authority with associated security and revokability guarantees.
The implementations I've seen rely on an app reading your physical ID and its NFC chip, comparing that with a selfie to ensure it's the same person, and being able to provide anonymous proof you are of age based on that, or proof that you are indeed who you say you are.
Yes and those databases are decently protected. However for an "app" someone will do a web 4.0 or 6.0 bridge to access these databases. Maybe even vibe code it. That's what I'm worried about.
It's the RESTLESS api being hacked I worry about.
The app checks your physical ID you have, and provides a certificate that you give the third party you're proving yourself to. The app knows you requested proof, but not what for. The third party knows you're proven to be 18+, but knows nothing else.
Many countries in EU already have electronic identity documents and delegate authentication to mobile apps one way or another.
eID or mobile identity application operating over QR codes and used to log into websites and apps is a commodity here.
This has nothing to do with age verification.
The article links to the source code repository here:
https://github.com/eu-digital-identity-wallet/av-app-android...
That links to the tech spec:
> The solution leverages the existing eIDAS infrastructure, including eIDAS nodes and the trust framework for trusted services, to ensure a high level of security and reliability. By aligning with the technical architecture of the EU Digital Identity Wallet ARF, the solution delivers secure, reusable, and interoperable proofs of age.
> The solution enables users to present their Proof of Age attestation to Relying Parties, primarily for online use cases. The system is optimised for secure and privacy-preserving online presentation, allowing users to prove their eligibility without disclosing unnecessary personal information.
— https://github.com/eu-digital-identity-wallet/av-doc-technic...
Annex A includes details on the ZKP:
> AVI SHOULD support the generation of Zero-Knowledge Proofs using the solution detailed in: "Matteo Frigo and abhi shelat, Anonymous credentials from ECDSA, Cryptology ePrint Archive, Paper 2024/2010, 2024, available at https://eprint.iacr.org/2024/2010".
— https://github.com/eu-digital-identity-wallet/av-doc-technic...
And the linked paper:
> Anonymous digital credentials allow a user to prove possession of an attribute that has been asserted by an identity issuer without revealing any extra information about themselves. For example, a user who has received a digital passport credential can prove their “age is ” without revealing any other attributes such as their name or date of birth.
Without exposing my citizenship, I was able to use my EU-nation issued ID to confirm only my year of birth.
The website supported this country's national ID login method, in the login challenge asked the server to provide my age, before I signed in to confirm (scanning qr code with my mobile app) I was informed what data was requested, then I consented to them confirming my data.
Not very sensitive things work without my physical ID present, sensitive have additional step with me providing my physical ID (to the NFC reader) and unlocking my key (stored on the ID) with a pin.
All in all it's really very sensible and fast.
Not necessarily the EU ID apps we're talking about but some of the existing implementations.
And yes, even sending an age bracket exposes the age over time as you can observe a repeat visitor changing brackets and compute the actual age from that. With the server sending the info instead you can't really tell if the browser blocked it, or if the user just didn't navigate further on the page. (The browser still need to fetch all the CSS and other resources though, otherwise that would be possible to tell apart.)
No it isn't.
Literally that is not the scope document, and such a solution would not be permitted by the EU as compliant with the legislation.
The app isn't zero knowledge. A prototype workflow has been designed for a one way transfer to sites that is zero knowledge, but it doesn't actually deliver zero knowledge because you have to verify your age with an external provider to get the credential (which is not zero knowledge), the app has to be secured with either Apple or Google's attestation services (which are not zero knowledge), and the site has to be able to check with the original external provider that the credential hasn't been revoked (which is in no way zero knowledge).
The issue is that a lot of these services wave around a lot of words that _might_ mean that they are reasonably private, but it's damn hard to actually determine if it is actually working like that in practice (the eIDAS standard seems to suggest the ZKP stuff is entirely optional, for example).
On top of that they didn't infiltrate anything.
I fully understand the people who say it's all about control.
I also understand why politicians feel they have to do something. My wife works with low IQ, low income and otherwise underprivileged kids. The completely unsupervised 'iPad' generation, if you will.
There are no adults in their lives. The 'adults' in their lives are mentally children, emotionally unavailable or working too many hours to do a good job at parenting. You cannot expect them to take any responsibility.
Also, every one of my 3 children has had classmates looking up porn during class. It starts around age 7-8 nowadays and it's always the same demographic.
"Some people can't support their health condition, and they should be helped to die". This end of life law is introduced like a care service for people having issue with health with no happy ending at sight.
The reality of the vision of Macron (liberal capitalist) is: All his actions are made to kill public health care, and aim to open the field to private corporate. People in need of bed at hospital are denied (public beds are getting more and more cut). People in need of teams for mental care are denied (public teams are getting more and more cut and overbooked). People in need are just denied. They can't pay? Great, they can now legally choose death, it will be legal. Next client please. Everyone who can't pay doesn't need to feel a weight on his family/friend. Yay :/
This law is shown like a right of care, all the population can be legally targeted, while they could just have the right of health care and stay alive in decent condition. This could be another solution, but it doesn't meet Macron (and its sponsors) ultra capitalist's vision of open market.
Note: current concerned people are the first to call a big NOPE on this law.
I think you see where I go: I think you're highlighting a true and very important problem (I've worked 10 years with children, I confirm your point), but the current solution brings more issues than what it is supposed to solve, same for Macron's end of life law. Having a problem doesn't mean you have to risk the full society in an Orwellian way.
Sorry I'm not English speaking native, hope you understand more my feeling?
Under Emmanuel Macron, France has been debating a law on “assisted dying” (aide à mourir). This is not a general idea that “some people should be helped to die,” but a narrowly defined proposal.
The draft would apply only in very specific situations:
- Adults (18+)
- With a serious and incurable illness
- Often life-threatening or terminal
- Experiencing unbearable suffering
- Who make a voluntary and well-considered request
If approved, the patient would typically self-administer the medication. Only if physically unable would a doctor be allowed to assist.
For context, Netherlands already has a regulated system for euthanasia. This policy allowed my terminally ill grandmother to pass away with dignity. She hated her final days, being bedridden, in pain, and dependent on others for basic needs like taking a shit.
Because of this policy, she was able to say goodbye to everyone she loved, over 100 family members, and make her own decision. No one questioned her choice.
Honestly, that’s the kind of dignity and control I would want for myself if I would ever end up in that situation.
I'm not trying to spread rumours, I said I wasn't English native, sorry if there is a misunderstanding.
Almost 100% of the population that is targeted by this law *should* not need it. When I said "people can't pay [for private palliative healthcare because public healthcare is going to be more and more broken]" I was talking about the people in the criteria of the law, not "all" the people.
I don't have the exact number, but for people under heavy care needs, palliative care, only something like x% (this is the number I can't recall, less says it's a "part") could ask themselves if they should access this end of life because science + our healthcare system can't do much more.
The other part, if they think about end of life is because the health care system failed them. Because in France public palliative healthcare teams are on budget cuts. Those people should have physical and mental healthcare, instead, they have just what the teams can do best as they can cuts after cuts. What happens when you are in palliative care, and there is no team to help your mental health? What could you think about and what does this law allow?
There is no kind or dignity in Macron's law.
Really, we could save a "part" of that population, but instead prioritise to allow them to die, for supposed kindness. True kindness would have been to focus to provide a decent public healthcare system especially in palliative field, for example, right? (But Macron effort are to destroy the healthcare system and, in my opinion, not a rumour, that it is Orwellian to propose this law in this specific context in France)
2. "an attacker can simply remove the PinEnc/PinIV values from the shared_prefs file"... Any android developer knows that to access the shared prefs file you need ROOT access on the phone, which is impossible on the stock os. Rooting the phone requires advanced knowledge. It means deliberately nuking your phone security, which most likely will require factory resetting the phone in the process. Or a hacker would need to use a sophisticated exploit, maybe even 0day, to access an app that would allow him to log in on some adult sites. Sounds reasonable (no).
So, the guy found two very superficial problems in an early demo app. Does not even look at the important code with the actual implementation of the zero knowledge proof cryptography, as it is way above his skill level. Throws malicious allegations mixed with blatant lies. Cries for attention to the whole internet and it gets augmented by news and people who understand security and technology even less than him. He dares calling it "hacking" in under 2 minutes. That's just disgusting.
He even calls himself "Security Consultant". Lord have mercy on whoever is going to work with him.
Sentiment on hacker news is surprisingly split on age verification as an abstract concept. There are always a lot of posts in favor of age verification.
I’ve tried engaging with some of them and it usually reveals a belief that age verification will only apply to certain sites they don’t use and don’t want other people using easily: Facebook, porn sites, TikTok, Instagram and the like.
As soon as age verification comes too close to services we might use, like Discord, the sentiment turns to complete outrage.
1) Obviously you can't be trusted to handle your own ID card, because you could lend it to someone else or manipulate it in some way, so there should be a trusted guard with you at all times to manage your ID card for you and hand it to the shopkeeper.
2) Obviously you can't be trusted not to try to influence or attack your guard, so you must be kept in handcuffs for your own safety.
3) Obviously you can't be trusted with acquiring unapproved tools or meeting unapproved people who might enable you to break out of your handcuffs, so the guard must only allow you to communicate with approved people and buy approved products.
Conveniently and profitably, this also puts the company supplying the guard in a position where they can sell access to their control over you (as a consumer and as a source of experimental data) to their trusted partners.
I love how a lot of the "this is the parents' responsibility" opinion-havers don't seem to remember what it was like to be a kid themselves and / or don't have kids of their own.
The app still hasn’t launched. There’s only so long you can run on hype before you lose the readers you were trying to win over.
> "Now, when we say it's a final version, it's ... still a demo version." He added the final product is not yet available for citizens and "the code will be constantly updated and improved … I cannot today exclude or prejudge if further updates will be required or not."
The whole idea of this age requirement is ridiculous in the first place, changing the focus to how good or bad the unnecessary tools are is nothing but a nice distraction.
Obviously that won't stop motivated teens from taking their parents ID cards or similar mechanisms. That means any system that likes to prevent that needs to additionally ensure the identity of the card holder. And then you create a privacy nightmare.
So my proposal would be to accept that nothing is ever perfect and just use the card and ensure that system works as well as it could.
Of course "card" is a stand-in for all manner of hardware that can do it, including phones.
This is the same as "What's the card holder's age" by simply binary searching for it. A better way would be:
1. Have the card define the country's age access levels. (Example in Germany: >=16 [Beer/Wine], >=18 everything else)
2. The app can only ask: "Is [BEER] allowed for the card holder y/n?"
This makes it immediately cross-legislative and protects the exposed data from meta analysis.
Edit: This would allow for self exclusion too. Make it possible for individuals to give up access to gambling/alcohol/tobacco/porn nationally.
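The point made in the comment above, as an added example that is not part of the thread or of any real card API: a card that answers arbitrary "age >= n?" queries gives up the exact age in seven questions, while a card that only answers named categories narrows the holder down to a bracket. The class names, `POLICY_DE` and the 0 to 127 age range are constructed for illustration.

```python
# Constructed policy table in the spirit of the comment's German example.
POLICY_DE = {"BEER": 16, "SPIRITS": 18, "GAMBLING": 18}


class ThresholdCard:
    """The design the comment warns about: answers 'age >= n?' for any n."""

    def __init__(self, age: int):
        self._age = age

    def is_at_least(self, n: int) -> bool:
        return self._age >= n


class CategoryCard:
    """The comment's proposal: the card holds the policy and answers only
    named categories, optionally with self-exclusion."""

    def __init__(self, age: int, policy: dict, self_excluded=()):
        self._age = age
        self._policy = dict(policy)
        self._excluded = frozenset(self_excluded)

    def is_allowed(self, category: str) -> bool:
        if category not in self._policy:
            raise KeyError(f"unknown category: {category}")
        # A self-exclusion looks the same to the verifier as being under age.
        if category in self._excluded:
            return False
        return self._age >= self._policy[category]


def recover_age(card: ThresholdCard, lo: int = 0, hi: int = 127):
    """What a verifier learns from threshold answers: (exact age, queries)."""
    queries = 0
    while lo < hi:
        mid = (lo + hi + 1) // 2
        queries += 1
        if card.is_at_least(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo, queries


def consistent_ages(card: CategoryCard, policy: dict, lo: int = 0, hi: int = 127):
    """Ages the verifier cannot tell apart after asking every category."""
    answers = {c: card.is_allowed(c) for c in policy}
    return [
        age for age in range(lo, hi + 1)
        if all((age >= policy[c]) == answers[c] for c in policy)
    ]
```

The bracket is only as wide as the policy thresholds allow: a 17-year-old is still narrowed to two possible ages by the 16 and 18 cut-offs.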
This can go into the reader of anybody who e.g. sells beer to pick your example:
1. Reader knows beer >= 18 because reader is in Germany
2. Reader asks card to verify >= 18
3. etc.
This keeps the many cards simple and safe, while the locale is set to the thing that is both easier to police, to update and to support (far less people sell beer than buy it). Self exclusion would still be possible if there is a standard for it.
* Website asks for age verification
* User is redirected to their bank
* Bank asks the user to log in - username/password, 2fa, bank app (whose login is behind the device's security and a secondary verification like PIN code or biometrics)
* Bank tells the requester that the user is 18+, no more
This leverages a trusted party (your bank, which is subject to heavy IT security regulation and audits, and you need to show ID to open an account anyway), secrets only you know (and your kids can't easily take), phone security systems, etc. Does not require uploading ID to a 3rd party, does not require changing how IDs work, etc.
The kind of developer you are going to get is either going to be somebody who knows what time it is and cynically works on a project that they know is going to fail (unethical) or someone who is not going at it with "the end in mind" but is just cosplaying as a software developer (incompetent)
EU is often portrayed as overly bureaucratic, slow moving. The way this app was developed seems more in the line of "move fast, break things".
I don't know if that says something about the EU, or about the EU-naysayers, but I thought it was worth pointing out.
I know a fair number of especially elderly people who want to disable PIN and biometrics from their phone, because they view it as a pain to deal with.
PINs can also be guessed or someone might look over your shoulder and steal it that way. Many phones still don't have biometrics, or people don't want to use it.
Our realities might be different, but in my reality a cell phone, which you almost by definition bring with you out in the world, should never be considered a secure device.
I don't think you can guess pins, as the phone locks after a few failed attempts.
You can’t just leave every dangerous thing out in the open because you “view it as a pain to deal with” storing them safely and then blame everyone else for the situation that follows.
Our realities might be different but in my reality if you put 0 (zero) effort to keep some critical things safely away from your child because it’s too much of a hassle to do it, or they’ll get around that anyway, etc. then you’re failing your children.
What do you have on your phone that's dangerous? Phones aren't safety devices, and they shouldn't be turned into one.
If you have anything on your phone that should be off limits to your child but make no effort to ensure that (give them the phone, no passwords, no supervision) because it’s too inconvenient you are failing the child. Can I put it in simpler words?
> What do you have on your phone that's dangerous?
I hope you were asking hypothetically.
For one, the phone itself since staring into a small screen at god knows what because supervising them is a chore is bad for anything you can imagine, from eyes, to posture, to brain development. But also a browser that can access anything on the internet (modern Goatse, Rotten, Ogrish, other wholesome sites like that). My credit card numbers. All my passwords. Hardcore porn. Facebook and TikTok. The app that delivers booze to my doorstep. 50 shades of grey (the book and the movie). X (Twitter), I left the worst for last. If you really think a completely open internet connected phone is perfectly safe for a kid at the very least you’re in the wrong conversation.
It doesn’t matter, the discussion is about age verification for things that a child should be kept away from, whatever that is. If you’re trying to protect the kids from anything, especially legitimate concerns, then you can’t expect some mechanism to magically do all that parenting for you. It can help but not be the parent when the parent thinks it’s too inconvenient to actually do some parenting.
Seeing something scary, disturbing, or sexual on the internet as a child does not result in a maladjusted adult. These laws are about one thing and one thing only - furthering the global surveillance network.
Everything else is a smokescreen. Pretending that a phone or any Internet-connected terminal is something that should be kept secured and away from children is a parenting decision, not a policy one, and any attempt to justify it as a policy decision is toxic nonsense at best and astroturfing for the surveillance state at worst.
Well thank God this is about a double-blind way to verify your age and not that.
Maybe your argument is that it's not a surveillance state because it is implemented with a 0 knowledge proof. Sure, the age verification is, but that is only part of the system we are talking about. The rest of the system is the demand that every adult play keep-away with their verification, and every host on the internet (that can be adequately threatened) play, too.
The only way for this to be anything else is if every participant can individually decide what should and should not be kept away from children. Such a premise is fundamentally incompatible.
It has the internet on it.
And yes, phones are something parents do "just" share with their kids because nobody is bizarre enough to look at a phone the same way as a gun or a car. It's the YouTube device that can talk to grandma. All you have to do to see proof that it's something people "just" share is to walk into a grocery store and look at parents pushing kids in carts while those kids watch videos. 25 years ago those phones were Game Boys. Nobody is seeing them as a gun. That's the most disconnected from reality take I've seen in my life.
If this is a concept that you can't grasp, then words will never convey it. It's simply a detachment from reality to think people are viewing their phones as a loaded gun and their child as someone hellbent on betraying them and causing massive societal damage.
The phone is the YouTube device. If they get a notification that their kid ordered from Amazon, they'll cancel the order and tell their kid not to do it again. It's seriously that simple. Just go and talk to a parent. They'll think viewing their phones as a WMD is insane.
Okay, so trust them not to access age-gated sites using your credentials then.
In the meantime, I still don't understand why someone with no kids should have their access gated based on what opinions other people have on parenting. I literally don't have any stake in whether you give your kids access to your phone or not, and I don't make any claims that I would have any clue what the correct way to raise a kid is. That doesn't make it reasonable to have a policy that requires literally the exact people who aren't the ones that are ostensibly supposed to be protected by the system tracked by it.
It's pretty normal to treat kids differently to adults in specific areas.
> I still don't understand why someone with no kids should have their access gated based on what opinions other people have on parenting
This argument goes both ways - currently there are no safety rails for kids, and that is imposed on people who want safety rails.
> That doesn't make it reasonable to have a policy that requires literally the exact people who aren't the ones that are ostensibly supposed to be protected by the system tracked by it
And there are definitely situations where adults' experiences are degraded because a place has to accommodate children. I agree that I hate tracking and so forth, but I wouldn't pretend that children using smartphones isn't a pretty well-understood bad idea either.
No, it's imposed on every adult regardless of if they want safety rails, and in a way that literally only affects the people who aren't actually the ones the rails are ostensibly supposed to be protecting.
> I wouldn't pretend that children using smartphones isn't a pretty well-understood bad idea either.
You literally just said that it's "incredibly recent", and now you're claiming that it's well understood. I'd argue that those things are inherently at odds; we literally don't know what a young child who used a smartphone looks like at 30 years old right now because they haven't been around long enough. On top of all of that, there's literally nothing about invading someone's privacy that's needed to stop a child from using a smartphone: just don't give them the smartphone! That's always been an option, and nothing about this policy will have any effect on whether parents give their kids access to their smartphones.
I don't understand. We're talking about something that hasn't happened yet. The safety rails do not exist, even for those who want them.
> You literally just said that it's "incredibly recent", and now you're claiming that it's well understood
Yes - incredibly recent in the grand scheme of history, but still we have a lot of evidence of the negative aspects of onlineness and phone use over the last 15 years at least. And, as another example, it's far more recent that girls turn 18 and celebrate that on OnlyFans. I would argue that while I haven't waited 30 years to see how they turn out at 50, that it's a bad idea.
> On top of all of that, there's literally nothing about invading someone's privacy that's needed to stop a child from using a smartphone: just don't give them the smartphone! That's always been an option, and nothing about this policy will have any effect on whether parents give their kids access to their smartphones.
I agree - I think this is a parenting issue, but at least on the left, which the EU tends to, parents should offload their responsibility where possible to the state. But that's my answer to this overall. I'm just arguing specifics.
Not much the government should or could do about that - it’s a parental decision.
That's a solved problem and making an immense vulnerability out of it is silly.
This is a reference app implementation that uses a detailed framework which explicitly has as a core tenet double blindness. The place you prove your age to has no idea about anything other than you being of age, and the thing you use to prove your age has no idea about where you're using that proof.
Right because a child might get online with a phone or computer and see something bad.
I think you should take your own advice:
> Stop with the scaremongering.
First, yes, it has been proven that there are things online children accessing is damaging to their development. From social media to porn.
Second, and much more important to me, proof that you are actually a human from an approved location. Bots and spam are a problem in general, but specifically foreign meddling in critical moments like elections and referenda is extremely dangerous for democracies. Being able to gatekeep participation in public forums based on you actually being a human in that country would kneecap foreign interference. It can't do anything against local interference, but at least it restricts its volume/scale, which is better than nothing.
> Being able to gatekeep participation in public forums
And now it becomes clear that what you want is non-anonymity, rather than age.
You should have to prove who you are when voting. Not when participating on the Internet.
(Social media that optimizes for "engagement" (e.g. outrage) needs to die, but that's orthogonal.)
No. Proving your age anonymously is more than enough to prove you're a human and that is all that is needed.
Precise age and general location is already sometimes enough to completely identify a person. That alone would make it far easier to, for instance, track people down based on their social media posts.
Forced proof of identity is damage, and the Internet should route around it. Every last bit of this should be destroyed, along with the political careers of anyone who supports it.
Yes, country. Generally proved enough by the ID being issued by that country, or a neighbouring one.
> Forced proof of identity is damage, and the Internet should route around it. Every last bit of this should be destroyed, along with the political careers of anyone who supports it.
Have you heard of the dead internet? The internet is already damaged beyond repair by hostile corporate and political interests. The only way it becomes for humans again is by enforcing verification of humanness in critical parts of it.
Again, I'm not talking about identifying people individually, but identifying them as real people over 18. With the planned and starting to exist EU infrastructure around this, with double blind proof of age (and thus humanity), we have that and it's still anonymous.
> and there will always be places to have discussions without doing so, whether you want there to be or not.
That is actually kind of irrelevant, because people discussing in small numbers is not the problem. Malicious actors twisting public discourse is. So all that's needed is strict guardrails around the big public forums (social media).
At least that's what the manufacturer's AI generated article says: https://eidas-pro.com/blog/eu-age-verification-app-hack-expl...
> "Let’s say I downloaded the app, proved that I am over 18, then my nephew can take my phone, unlock my app and use it to prove he is over 18."
Love the magic step in the middle, unlock my app. Ask for passcode or Face ID to “unlock your app”. That’s a lot of legwork the adult has to do so the child can “trick” the system.
Some people will forever be shocked that if they leave on the table an open booze or medicine bottle, loaded gun, etc. a child can just take them and misuse them. The blame is unmistakably with bottle and gun manufacturers, right?
Put a modicum of effort to protect the sensitive apps or supervise the child when you share your device. They can do a lot of damage even with age appropriate apps. Wanna see how quickly your kid will tell everyone on the net how much money you have (via proxies), where you live, and when you go on vacation? Or tell someone the credit card number they swiped from your pocket if the other person makes it sound like a game?
The second premise you are avoiding is that the government can define, for every child, what constitutes misuse.
You are advocating thought crime. You do not have my support.
My government cannot adequately manage responsibility for my cupboards. It therefore shall not have authority over them.
Anyway, ultimately it's best effort. No security is flawless, but if it stops 99% or more of cases it's better than 0%.
That's how you sound.
The government already defines what misuse is both for children and adults, defines responsibility for a lot of things even in your cupboard, and has been doing so for as long as governments have been a thing. And I don’t think you understand what “thought crime” is.
You won’t hear me say this too often but next time use an LLM to write your comments, any LLM will do, can only get better.
You replied to a subset of the topic, and that's the point I was making. I felt the conversation needed relevant details from outside that subset, so I provided them.
I was terse in my comment, because that's how I like comments: short and to the point. That makes them much easier to skim through.
The government doesn't enforce its rules by going through my cupboards. It doesn't put a lock on them. Instead, it tells me what the rules and consequences are, placing both authority and responsibility for the cupboards themselves into my hands.
This is the primary change we are talking about: allowing the government to introduce its own code (lock) into my private digital interactions. Why are you so intent on focusing the conversation on the mechanics of that lock? Is it really so unreasonable for me to ask you to think about the rest of the topic?
While I appreciate that zero-knowledge proofs are considered, how the hell did no one in charge of the app design think of this? It's literally the first question I asked when I first heard about this app. You go to the app in a store to buy alcohol, you're asked to verify your age, but that's not what you're doing. You're simply showing the store that you have a phone, with an app, which was configured by someone over 18 (maybe).
Honestly I don't think it's possible to verify that you're over 18 without also providing something like a photo ID (and even that is error prone).
You can probably do something online, where the website or app does some back channel communication to a server that verifies a token. Even that is going to have issues. You could add a "List of sites that has verified your age" option where you can revoke the verification, in case your nephew borrows your phone.
They are going to implement this and it will be "good enough", but I don't see this being 100% secure or correct.
The credit card doesn't work as age verification.
I think they "fixed" it. I think it has some effect now that only works if you tilt the phone.
Maybe bundling these under the same system is a mistake and they should be separate systems with different considerations; it would certainly help with arguments about it online ;P
To be honest I just overheard the bouncer talking about them liking the app. Maybe I misheard it.
Why is that even a scenario to discuss?