Digital ids are inevitable in my view, just as digital currency has become inescapable because it is more convenient and efficient, these ids will
be issued and things like paper proofs of identity will fall away over time. Physical tokens like bank cards and driving licenses are neither necessary nor a good solution in a networked world.
Our focus therefore should be controlling what governments can do with them - for example disallowing blocking/removing someone’s id, just as we should disallow removing citizenship.
I think even digital IDs will tend to exist as physical tokens? Also worth noting that you can have a digitized and cryptographically signed ID on "paper" which can serve much the same purpose (security, machine readability) as an electronic one. Where electronic tokens shine (for IDs or otherwise) is attesting to the physical possession of a single copy.
This is not the same. For instance, we can access the internet without needing that ID. But right now there are attempts to force a digital ID in order to access information on the www - this is the whole idea behind "age verification". The kids are just used as excuse here. It has never been about the kids.
I don’t see why they would bother with physical tokens nor would they be popular - things like passports are really quite expensive to manage and largely unecessary these days. An app or identity on people’s phone might be a good stopgap.
However I suspect biometric methods of id verification will render carrying anything redundant long term.
The databases for digital id already exist, they’re just not fully utilised yet and these databases will always be centralised.
I doubt everyone will still be carrying phones as we know them in a decade, so we might indeed be headed for a future where governments keep giant databases of biometric information. Works OK if you trust your government to handle that properly and not abuse it in the future. The real headache is crossing borders, where your details end up in the hands of a foreign state.
I don’t see why they would bother with physical tokens nor would they be popular - things like passports are really quite expensive to manage and largely unecessary these days.
OK. I'll bite. Why are they unnecessary?
Passports have two things. They have information on them, which can be read by looking at them. And they have information on them in chip form, which can be scanned, and is also cryptographically signed by the issuing authority (eg, a government).
To verify a passport you can look at it visually, but you can also scan and validate the info, including photo, in digital form. All you need is the CSCA, the 'country signing certificate' to do so, and there aren't may of those. Small readers exist which are updated with these certs, and so even in the middle of a war zone, with RF jamming, you can verify a country signed what you're looking at.
Relying upon the Internet being there for ID purposes is a massive fail. You'd don't need a networked reachable database to validate that your ID is valid, in a digital way, which can be really helpful with 1M refugees show up at your door during a war, or when the capital city of the issuing nation has been bombed.
You may think this unimportant, but the edge cases are what 99.999% uptime is all about. And the edge cases with ID really need 100% uptime. The last thing you need during a natural disaster is an inability to ... well, do anything.
So even if you have biometric methods to identify someone, you'll also want a local, on person method which has those on chip, and signed by a government saying who you are.
I don't see it as inevitable at any stage. Why would it be necessary? Why is access to information tied to a digital id suddenly? Also, where is digital currency inscapable? I can not pay with a bank note suddenly?
> Physical tokens like bank cards and driving licenses are neither necessary nor a good solution in a networked world.
I see absolutely nothing wrong with physical tokens. You could reason that this or that has more or fewer advantages but to insinuate that digital is always better, all of the time, is simply wrong.
In some places you cannot. I was in London post-COVID and there were a bunch of tourist things, like a riverboat on the Thames, where you could only pay with a card. Went to a craft cider bar out in the countryside and again, they didn’t accept cash. Personally, I think businesses should be forced to accept all legal tender, which means cash stays as a first class payment method, but that’s not how it is in many places.
On the other hand, in Austria there are many places that are cash only, especially small restaurants in the countryside or community sporting events with coffee bars.
> just as we should disallow removing citizenship.
However lots of countries do allow removing citizenship In the UK it is a political decision too. Lots of countries allow locking people out of other things (e.g. freezing bank accounts). I therefore doubt we an effectively prevent this.
I do not see the problem with physical tokens. They are simple, do not create a single point of failure (if I lose my phone I still have my cards and cash), robust to network and systems failures. What is the drawback? Having to carry a few cards?
It's not a trojan horse, it's spelled out in the decision, debates, and legal texts to be the explicit goal. The age verification requirement was picked both as a means to prove the technology is sound and as a simple starting point for a full digital ID solution.
The EU already has some form of digital ID in fact, every government provides some kind of OIDC-like service tied to either smart cards or accounts that authenticate the user against a government. The digital wallet solution is an extension to that system that will allow foreign EU citizens to authenticate themselves more easily (eIDAS 2 already implemented an OIDC-like solution but implementation isn't automatic) as well as offer to store the (often mandatory to carry) ID on your phone.
The "what if you buy alcohol for your kids" sscenario of somone giving someone else their age verification tokens is tired and nonsensical. You can already do that in the real world. We accept that risk and, depending on the country, make it a crime in case they do catch you. It hasn't made liquor stores send someone along to see you drink your booze or watch you enjoy your porn mag.
With the way elections changed after social media became big. Govts want to have control back, like they did before. And are increasingly curbing open internet with boogeyman CP or terrorists, new fear of mass AI CP. Ultimately we'll get 2nd hand version of great firewall and social credit system. Some "liberal democracies" already have root of such systems implemented.
I don't know if it has anything to do with changes in elections directly. My government has been talking for a while making the case that social media use makes us dumber, sadder, and more scared. I believe it's true that they also see that playing out in elections, but that's not where they want to solve a problem.
Wouldn't it be strange if solving a problem didn't affect elections?
>My government has been talking for a while making the case that social media use makes us dumber, sadder, and more scared. I believe it's true that they also see that playing out in elections, but that's not where they want to solve a problem.
The governments themselves are "dumber, sadder, and more scared". They are worried because social media puts regular people talking on equal footing to official propagandas (being able to reach everybody else). That's what they fear, because they have the lowest approval ratings and legitimization in over half a century, and they're also making everything shittier and shittier to the benefit of their corporate overlords.
You couldn't be more wrong. There's no equal footing when propaganda buys you thousands of bots to parrot what you want on every related post. And there is no ability to "reach everyone" when intransparent algorithms decide what reaches who. Moreover, some kind of content is explicitly suppressed and censored.
I will agree that governments are happy to bend the knee to corporations. But corporations control social media, so why would the corporations themselves not further their agenda using the platforms they control? Be that simply letting chaos ensue (see the UK Southport riots that were sparked by a "news story" from Pakistan) or from tuning the algorithms directly.
People have control over their government, at least in democracies that are functioning to a basic level (see Hungary recently). But they have zero control over social media, in fact the only organisations that can control global billion dollar tech companies are nation state governments...
This has been noticeable since Tahrir square; I used to say that Twitter gives you a revolution whether you need it or not.
But it's becoming increasingly clear how badly compromised the whole thing is with fake opinions and enemy propaganda.
I don't like either of the options. I don't like control by the state, and I don't like control by mad billionaires. I don't like the far right cesspool of 4chan, but can't disagree with their position that they shouldn't have to care about OFCOM.
I think it has more to do with digital verification for social media in a hope of killing bot accounts that are interfering in the public debate. Some of the biggest social media influencer accounts turns out to be Chinese/Russian bots trying to fuel hate/division our democracies, and with LLMs it is only getting worse. Some form of digital ID to verify social media account identities is probably the only hope left of having a real public debate.
Then the politicians should be honest about this goal. The best way to solve a problem requires understanding what the problem is. If we pretend to solve another problem, the solution for the actual will be less than ideal.
The bot problem is solvable by using a web of trust system. You don't need a digital ID for that (i.e. you don't need to tie your digital world identity to a real world identity, nor you need a central agency to manage these).
In web of trust, anyone could publicly certify who they know is a real person (i.e. validate a link from their id to another id). Then, if you received a message from someone, the system would find the path in the graph of real people you trust, to determine the trustworthiness of the source. So if the account is a bot, there would be no path from it to you in the trust graph.
The advantage is that everyone could supply their own subjective trustworthiness score, altering the graph. They could even publish it, so that other people could use trustworthiness assesment of accounts they personally trust.
The big issue with a system of web of trust is that it is too efficient, and just kills commercial advertising (and also propaganda). Because that is all about overcoming the natural web of trust that humans have.
>Some of the biggest social media influencer accounts turns out to be Chinese/Russian bots trying to fuel hate/division our democracies
This is propaganda, none of those supposed networks exists or were successful in anything and when the media do show some supposed accounts they don't have a lot of views. Please stop falling for this, your democracy sucks because the politicians suck and the people want change so they turn to extremist parties.
Yes, obviously, the Romanian supreme court having to overturn and annul a presidential election due to Russian social media inference is entirely made up propaganda.
> In any case, it was always presented as a toolbox that countries should adapt into their apps – so judging the app by itself does not make much sense, it depends on how these techniques are implemented in each country’s verification app. There will be no single EU app, despite what the honchos of EU say.
Even more reason to make the "demo" app do things correctly because it's very unlikely that all member states actually implement things correctly.
> The internet is scary, parents think they can’t protect their children from many bad things happening, and someone came to provide a “solution."
A simple solution is just not providing your kids with a phone or computer.
Don't forget that many sources of porn will not obey this. Think the pirate bay will ask for age verification? If they obeyed the law they wouldn't even exist.
It's a solution for nothing, as the article points out too.
Whether there is a single app or not doesn't really matter - i'm more concerned about the database itself and the inter-connectivity between them and most importantly by which control acceptance protocol we abide between states.
The idea that we want a single database or a network without any kind of control is frightening me
Is all data about you "surveillance". When your doctor produces a medical record after your visit, are they "surveilling" you? How about when the railway company stores your travels to bill you later?
I'll assume your answer is no, and I that case surely you must see the value in that medical record being correct.
Are you equaling mass surveillance to a doctor keeping track of your health for diagnostic accuracy purpose ?
Concerning the railway example, they only need to store how much I owe them, not my travels. Storing travel history on their end is already surveillance.
Data keeping purpose and consents are what make something surveillance or not.
Forcing every citizen to use ID to access the web is surveillance plain and simple.
> Are you equaling mass surveillance to a doctor keeping track of your health for diagnostic accuracy purpose ?
No, I am legitimately asking to clarify your position, hence why I assumed you wouldn't call that surveillance. The point was for us to agree that the right to correct data is a meaningful and useful right to have.
Once we've clarified that, the rest of the arguments comes down on the separation of "surveillance" from "record keeping", a separation you attribute to "Data keeping purposes and consents". That aligns with current EU law, and I largely agree with treating that as a separation point. If you have a valid purpose, either by law or by duty to your customer, you get to keep records necessary to fulfill that need. I would note that these "duty to your customer" clauses are usually pretty broad and would, I imagine, allow the railroad company to keep and process your travel record for fraud prevention purposes.
The issue we encounter is what a valid "data keeping purpose" is, and if we trust our public institutions and infrastructure to govern that question. Especially when the potential data processors is a government agency. This I'm entirely uninterested in debating that question with a rando on HN. We likely live in two very distinct regulatory frameworks and have vastly different local governments. There's no basis for us to agree here.
I would however end by noting that the two clauses of your statement
> Data keeping purpose and consents are what make something surveillance or not.
and
> Forcing every citizen to use ID to access the web is surveillance plain and simple.
Are in tension with one another. Clause 1 opens up for the idea that there exists valid "non-surveillance" record keeping, and that the distinction of such record keeping from surveillance requires determination of consent and purpose. Clause 2 then foregoes that determination and just presupposes the argument. All ID checks are definitionally surveillance irrespective of purpose and consent.
In the current legal framework, government derives it's unilateral consent from the vote. If the law passes in a democratic system then it is, by that very process, a consensual and valid purpose.
> Are in tension with one another. Clause 1 opens up for the idea that there exists valid "non-surveillance" record keeping, and that the distinction of such record keeping from surveillance requires determination of consent and purpose. Clause 2 then foregoes that determination and just presupposes the argument.
"Forcing" highlights the lack of consent, the distinction is still present.
> In the current legal framework, government derives it's unilateral consent from the vote. If the law passes in a democratic system, then it is, by that very process, a consensual and valid purpose.
Absolutely not. Being voted in a parliament doesn't mean citizens consented to it.
Simple example: compulsory military enrollment vs voluntary military enrollment. Only one of them derive from consent, even if both derive from a law discussed in parliament.
Since you are bringing a semantic argument you might like to know that your doctor does in fact surveil you, hence the term "public health surveillance"
Governments need to identify citizens. They currently do this via paper records and extensive digital databases that those tie into. They will in future do this via digital records/tokens but this won’t change much.
Some amount of id verification and surveillance is of course required for a government to function, the question should be more what is allowed and what is not.
I mean that there is a big difference between a state automatically providing your data to any other state while having "their database disconnected" - and a human operator in the loop and an administrative verification of the appropriate access ;
For example this would allow a state to refuse access to the PI of their citizens for cases that are not administratively documented. This forces the access audit sufficiently that a malign actor cannot simply request data for a citizen without having probable cause ; another vector we want to protect ourselves against is simply the psycho/sociopaths that have access to these data without surveillance.
It seems unlikely that a true Zero Knowledge Proof system for things like age verification would ever be allowed.
Also, remote attestation doesn't work that way and for good reason. Under a true ZKP system, a single defector (extracted/leaked/etc key) would be able to generate an infinite number of false attestations without detection.
> It seems unlikely that a true Zero Knowledge Proof system for things like age verification would ever be allowed
This article is about EU age verification which is specifically and definitely stated as using zero knowledge proof in all technical docs that I've seen:
Not a fan, but unfortunately a "digital proof of citizenship" seems to inevitable due to the en-shitification of the internet, autocratic state actor's doctrines to destabilise free societies through disinformation that matches well with social media's en-rage-ment business model, and the more recent AI slopification / AI bots running wild.
The question is whether citizens can build enough pressure for such verification systems to be state-based and truly zero-knowledge (akin to the EU's) versus having the private sector 'verify' each user to siphon data, profit off it (Thiel's Persona) and fortify surveillance-capitalism and autocratic administrations.
At the moment in the UK (where any mention of digital ID sends half the population mental) you have to email a whole raft of ID docs and personal data to estate agents, mortgage brokers, solicitors etc. to get an ID check done. Or use a private ID service that can have a cost associated and may not be any more secure than my passport scan sitting in someones M365 mailbox. You can't know.
I'd be happy to have a government service replace all that nonsense, where a one-time challenge code could verify my ID. There is now a UK.gov "One Login" authentication used by other government services that is essentially a digital ID as far as I can see. It just needs to be made mandatory for ID checks by law.
Such a service can also be used for age verification with the correct privacy controls in place, far better than all the dodgy age verification services that exist now.
Digital ID and age verification are going to be a part of the internet going forward. I'd rather have a government service that (in a functioning democracy) has accountability to the citizens that use it. ID verification is also a natural monopoly, so the government picks a winner anyway.
We’ve had eID for a long time and I’m fine with it becoming more prominent online. Same for age verification, once we settle on a way to do it without US/Palantir being involved in the process.
Interesting point about ZKP systems. The challenge
with age verification is balancing privacy with
enforcement — any centralized solution creates a
honeypot for data breaches.
> There will be no single EU app, despite what the honchos of EU say.
This shows that the EU commission is systematically lying.
This problem used to exist in the past with Leyen - she is ultimately a lobbyist and that has to stop. Friedrich Merz too by the way - there is a reason why recent polls indicate that the german voters want him out of politics at once.
The EU needs to reform. Right now lobbyists have too much abuse-power. The age sniffing is a great example here - isn't it suspicious how this goes in sync right now in so many countries? Who is paying for this? Nobody needs that, except for some companies.
> Big platforms must verify age for certain content.
But why is their concern, suddenly my concern? I see no need to be in support of any law that would require people to ID in order to access information on the world wide web. That's very obviously the real goal and agenda - everyone with a bit of brains sees this.
> It is the same EU that hates these American corporations and wants EU alternatives for everything
That's not true. The EU commission I consider a lobbyist group, for instance. They lie and lie and lie.
Nothing will seriously changed. The current way how the EU is structure is totally wrong; and it will not be fixed because those in the system, benefit from it financially. See the recent attempt to force EU taxpayers to pay more for those goons. They constantly try to inflate their own budget, at our cost.
> yet no one can make a phone usable for age verification without the blessing of Google
Indeed. We have total incompetence at the leadership level. It should be replaced with technical prowess, but as long as lobbyists such as Leyen are running the show, nothing will change. See the corruption scandals when she was still in Germany. Interestingly the AfD is also full of that, yet voters don't see it - Weidel was working for many years for Goldman sucks. So a next generation of lobbyists will replace the older generation soon. That's why this system how it is, is unfixable. It is broken by design.
When did any EU representative ever lie about this? It has been very clear from the beginning that every member state would make their own apps.
I don't really see what internal German politics and lobbying has to do with anything.
As for the "Google" part, that's up to the member states to decide. In essence, the law states that apps should be secure and untampered. It doesn't specify any remote attestation partner, nor even the strict need for remote attestation although it's hard to accomplish any kind of phone-based authentication security without it. Android's native attestation solution also exists and works for phones sold without Google services, though it's an absolute pain to work with.
Sailfish, pmOS, or any other mobile OS could implement the security requirements if they ever get enough serious popularity to convince governments to make apps for them.
Digital ids are inevitable in my view, just as digital currency has become inescapable because it is more convenient and efficient, these ids will be issued and things like paper proofs of identity will fall away over time. Physical tokens like bank cards and driving licenses are neither necessary nor a good solution in a networked world.
Our focus therefore should be controlling what governments can do with them - for example disallowing blocking/removing someone’s id, just as we should disallow removing citizenship.
I think even digital IDs will tend to exist as physical tokens? Also worth noting that you can have a digitized and cryptographically signed ID on "paper" which can serve much the same purpose (security, machine readability) as an electronic one. Where electronic tokens shine (for IDs or otherwise) is attesting to the physical possession of a single copy.
Many EU countries already issue a chipcard IDs which can be used to auth for government services (via NFC or a dedicated reader).
So yeah, I'd expect those to move to a phone as an alternative to the card
This is not the same. For instance, we can access the internet without needing that ID. But right now there are attempts to force a digital ID in order to access information on the www - this is the whole idea behind "age verification". The kids are just used as excuse here. It has never been about the kids.
I don’t see why they would bother with physical tokens nor would they be popular - things like passports are really quite expensive to manage and largely unecessary these days. An app or identity on people’s phone might be a good stopgap.
However I suspect biometric methods of id verification will render carrying anything redundant long term.
The databases for digital id already exist, they’re just not fully utilised yet and these databases will always be centralised.
I doubt everyone will still be carrying phones as we know them in a decade, so we might indeed be headed for a future where governments keep giant databases of biometric information. Works OK if you trust your government to handle that properly and not abuse it in the future. The real headache is crossing borders, where your details end up in the hands of a foreign state.
What? What to replace the phones with? And why whatever replaces them wouldn't be able to do the same things?
> so we might indeed be headed for a future where governments keep giant databases of biometric information
Don't want to wake you from that nice dream but that ship has sailed quite a while back, at least here in the EU.
I don’t see why they would bother with physical tokens nor would they be popular - things like passports are really quite expensive to manage and largely unecessary these days.
OK. I'll bite. Why are they unnecessary?
Passports have two things. They have information on them, which can be read by looking at them. And they have information on them in chip form, which can be scanned, and is also cryptographically signed by the issuing authority (eg, a government).
To verify a passport you can look at it visually, but you can also scan and validate the info, including photo, in digital form. All you need is the CSCA, the 'country signing certificate' to do so, and there aren't may of those. Small readers exist which are updated with these certs, and so even in the middle of a war zone, with RF jamming, you can verify a country signed what you're looking at.
Relying upon the Internet being there for ID purposes is a massive fail. You'd don't need a networked reachable database to validate that your ID is valid, in a digital way, which can be really helpful with 1M refugees show up at your door during a war, or when the capital city of the issuing nation has been bombed.
You may think this unimportant, but the edge cases are what 99.999% uptime is all about. And the edge cases with ID really need 100% uptime. The last thing you need during a natural disaster is an inability to ... well, do anything.
So even if you have biometric methods to identify someone, you'll also want a local, on person method which has those on chip, and signed by a government saying who you are.
Inevitable indeed. Rabbit hole ahead. UE has been for many years the way to prevent "controlling what governments can do with them". https://escapekey.substack.com/p/europe-goes-full-digital
I don't see it as inevitable at any stage. Why would it be necessary? Why is access to information tied to a digital id suddenly? Also, where is digital currency inscapable? I can not pay with a bank note suddenly?
> Physical tokens like bank cards and driving licenses are neither necessary nor a good solution in a networked world.
I see absolutely nothing wrong with physical tokens. You could reason that this or that has more or fewer advantages but to insinuate that digital is always better, all of the time, is simply wrong.
> I can not pay with a bank note suddenly?
In some places you cannot. I was in London post-COVID and there were a bunch of tourist things, like a riverboat on the Thames, where you could only pay with a card. Went to a craft cider bar out in the countryside and again, they didn’t accept cash. Personally, I think businesses should be forced to accept all legal tender, which means cash stays as a first class payment method, but that’s not how it is in many places.
On the other hand, in Austria there are many places that are cash only, especially small restaurants in the countryside or community sporting events with coffee bars.
> just as we should disallow removing citizenship.
However lots of countries do allow removing citizenship In the UK it is a political decision too. Lots of countries allow locking people out of other things (e.g. freezing bank accounts). I therefore doubt we an effectively prevent this.
I do not see the problem with physical tokens. They are simple, do not create a single point of failure (if I lose my phone I still have my cards and cash), robust to network and systems failures. What is the drawback? Having to carry a few cards?
It's not a trojan horse, it's spelled out in the decision, debates, and legal texts to be the explicit goal. The age verification requirement was picked both as a means to prove the technology is sound and as a simple starting point for a full digital ID solution.
The EU already has some form of digital ID in fact, every government provides some kind of OIDC-like service tied to either smart cards or accounts that authenticate the user against a government. The digital wallet solution is an extension to that system that will allow foreign EU citizens to authenticate themselves more easily (eIDAS 2 already implemented an OIDC-like solution but implementation isn't automatic) as well as offer to store the (often mandatory to carry) ID on your phone.
The "what if you buy alcohol for your kids" sscenario of somone giving someone else their age verification tokens is tired and nonsensical. You can already do that in the real world. We accept that risk and, depending on the country, make it a crime in case they do catch you. It hasn't made liquor stores send someone along to see you drink your booze or watch you enjoy your porn mag.
With the way elections changed after social media became big. Govts want to have control back, like they did before. And are increasingly curbing open internet with boogeyman CP or terrorists, new fear of mass AI CP. Ultimately we'll get 2nd hand version of great firewall and social credit system. Some "liberal democracies" already have root of such systems implemented.
I don't know if it has anything to do with changes in elections directly. My government has been talking for a while making the case that social media use makes us dumber, sadder, and more scared. I believe it's true that they also see that playing out in elections, but that's not where they want to solve a problem.
Wouldn't it be strange if solving a problem didn't affect elections?
>My government has been talking for a while making the case that social media use makes us dumber, sadder, and more scared. I believe it's true that they also see that playing out in elections, but that's not where they want to solve a problem.
The governments themselves are "dumber, sadder, and more scared". They are worried because social media puts regular people talking on equal footing to official propagandas (being able to reach everybody else). That's what they fear, because they have the lowest approval ratings and legitimization in over half a century, and they're also making everything shittier and shittier to the benefit of their corporate overlords.
It could be both
You couldn't be more wrong. There's no equal footing when propaganda buys you thousands of bots to parrot what you want on every related post. And there is no ability to "reach everyone" when intransparent algorithms decide what reaches who. Moreover, some kind of content is explicitly suppressed and censored.
I will agree that governments are happy to bend the knee to corporations. But corporations control social media, so why would the corporations themselves not further their agenda using the platforms they control? Be that simply letting chaos ensue (see the UK Southport riots that were sparked by a "news story" from Pakistan) or from tuning the algorithms directly.
People have control over their government, at least in democracies that are functioning to a basic level (see Hungary recently). But they have zero control over social media, in fact the only organisations that can control global billion dollar tech companies are nation state governments...
This has been noticeable since Tahrir square; I used to say that Twitter gives you a revolution whether you need it or not.
But it's becoming increasingly clear how badly compromised the whole thing is with fake opinions and enemy propaganda.
I don't like either of the options. I don't like control by the state, and I don't like control by mad billionaires. I don't like the far right cesspool of 4chan, but can't disagree with their position that they shouldn't have to care about OFCOM.
I think it has more to do with digital verification for social media in a hope of killing bot accounts that are interfering in the public debate. Some of the biggest social media influencer accounts turns out to be Chinese/Russian bots trying to fuel hate/division our democracies, and with LLMs it is only getting worse. Some form of digital ID to verify social media account identities is probably the only hope left of having a real public debate.
Then the politicians should be honest about this goal. The best way to solve a problem requires understanding what the problem is. If we pretend to solve another problem, the solution for the actual will be less than ideal.
The bot problem is solvable by using a web of trust system. You don't need a digital ID for that (i.e. you don't need to tie your digital world identity to a real world identity, nor you need a central agency to manage these).
In web of trust, anyone could publicly certify who they know is a real person (i.e. validate a link from their id to another id). Then, if you received a message from someone, the system would find the path in the graph of real people you trust, to determine the trustworthiness of the source. So if the account is a bot, there would be no path from it to you in the trust graph.
The advantage is that everyone could supply their own subjective trustworthiness score, altering the graph. They could even publish it, so that other people could use trustworthiness assesment of accounts they personally trust.
The big issue with a system of web of trust is that it is too efficient, and just kills commercial advertising (and also propaganda). Because that is all about overcoming the natural web of trust that humans have.
>Some of the biggest social media influencer accounts turns out to be Chinese/Russian bots trying to fuel hate/division our democracies
This is propaganda, none of those supposed networks exists or were successful in anything and when the media do show some supposed accounts they don't have a lot of views. Please stop falling for this, your democracy sucks because the politicians suck and the people want change so they turn to extremist parties.
Yes, obviously, the Romanian supreme court having to overturn and annul a presidential election due to Russian social media inference is entirely made up propaganda.
> Govts want to have control back
By forcing us to go through devices completely controlled by US companies?
What are you referencing here?
Many of the proposed EU digital solutions require a Google or Apple verified phone. This makes escaping American companies difficult.
Yes. Control of information and citizen's behaviour is a higher priority for them than sovereignty.
> In any case, it was always presented as a toolbox that countries should adapt into their apps – so judging the app by itself does not make much sense, it depends on how these techniques are implemented in each country’s verification app. There will be no single EU app, despite what the honchos of EU say.
Even more reason to make the "demo" app do things correctly because it's very unlikely that all member states actually implement things correctly.
> The internet is scary, parents think they can’t protect their children from many bad things happening, and someone came to provide a “solution."
A simple solution is just not providing your kids with a phone or computer.
Don't forget that many sources of porn will not obey this. Think the pirate bay will ask for age verification? If they obeyed the law they wouldn't even exist.
It's a solution for nothing, as the article points out too.
Whether there is a single app or not doesn't really matter - i'm more concerned about the database itself and the inter-connectivity between them and most importantly by which control acceptance protocol we abide between states.
The idea that we want a single database or a network without any kind of control is frightening me
What do you mean by "control" here? It's my understanding that EU law afford citizens the right to correct data that is wrong about them.
The problem is not about the data being correct or not, it's about its existence in the first place.
Why would you correct data about you very own surveillance ?
Is all data about you "surveillance". When your doctor produces a medical record after your visit, are they "surveilling" you? How about when the railway company stores your travels to bill you later?
I'll assume your answer is no, and I that case surely you must see the value in that medical record being correct.
Are you equaling mass surveillance to a doctor keeping track of your health for diagnostic accuracy purpose ?
Concerning the railway example, they only need to store how much I owe them, not my travels. Storing travel history on their end is already surveillance.
Data keeping purpose and consents are what make something surveillance or not. Forcing every citizen to use ID to access the web is surveillance plain and simple.
> Are you equaling mass surveillance to a doctor keeping track of your health for diagnostic accuracy purpose ?
No, I am legitimately asking to clarify your position, hence why I assumed you wouldn't call that surveillance. The point was for us to agree that the right to correct data is a meaningful and useful right to have.
Once we've clarified that, the rest of the arguments comes down on the separation of "surveillance" from "record keeping", a separation you attribute to "Data keeping purposes and consents". That aligns with current EU law, and I largely agree with treating that as a separation point. If you have a valid purpose, either by law or by duty to your customer, you get to keep records necessary to fulfill that need. I would note that these "duty to your customer" clauses are usually pretty broad and would, I imagine, allow the railroad company to keep and process your travel record for fraud prevention purposes.
The issue we encounter is what a valid "data keeping purpose" is, and if we trust our public institutions and infrastructure to govern that question. Especially when the potential data processors is a government agency. This I'm entirely uninterested in debating that question with a rando on HN. We likely live in two very distinct regulatory frameworks and have vastly different local governments. There's no basis for us to agree here.
I would however end by noting that the two clauses of your statement
> Data keeping purpose and consents are what make something surveillance or not.
and
> Forcing every citizen to use ID to access the web is surveillance plain and simple.
Are in tension with one another. Clause 1 opens up for the idea that there exists valid "non-surveillance" record keeping, and that the distinction of such record keeping from surveillance requires determination of consent and purpose. Clause 2 then foregoes that determination and just presupposes the argument. All ID checks are definitionally surveillance irrespective of purpose and consent.
In the current legal framework, government derives it's unilateral consent from the vote. If the law passes in a democratic system then it is, by that very process, a consensual and valid purpose.
> Are in tension with one another. Clause 1 opens up for the idea that there exists valid "non-surveillance" record keeping, and that the distinction of such record keeping from surveillance requires determination of consent and purpose. Clause 2 then foregoes that determination and just presupposes the argument.
"Forcing" highlights the lack of consent, the distinction is still present.
> In the current legal framework, government derives it's unilateral consent from the vote. If the law passes in a democratic system, then it is, by that very process, a consensual and valid purpose.
Absolutely not. Being voted in a parliament doesn't mean citizens consented to it.
Simple example: compulsory military enrollment vs voluntary military enrollment. Only one of them derive from consent, even if both derive from a law discussed in parliament.
Since you are bringing a semantic argument you might like to know that your doctor does in fact surveil you, hence the term "public health surveillance"
I have never heard the term "public health surveillance" and it's hypothetical use has no bearing on my argument.
Governments need to identify citizens. They currently do this via paper records and extensive digital databases that those tie into. They will in future do this via digital records/tokens but this won’t change much.
Some amount of id verification and surveillance is of course required for a government to function, the question should be more what is allowed and what is not.
I mean that there is a big difference between a state automatically providing your data to any other state while having "their database disconnected" - and a human operator in the loop and an administrative verification of the appropriate access ;
For example this would allow a state to refuse access to the PI of their citizens for cases that are not administratively documented. This forces the access audit sufficiently that a malign actor cannot simply request data for a citizen without having probable cause ; another vector we want to protect ourselves against is simply the psycho/sociopaths that have access to these data without surveillance.
> A simple solution is just not providing your kids with a phone or computer.
That’s not a solution. Nowadays many schools require access to a computer.
It seems unlikely that a true Zero Knowledge Proof system for things like age verification would ever be allowed.
Also, remote attestation doesn't work that way and for good reason. Under a true ZKP system, a single defector (extracted/leaked/etc key) would be able to generate an infinite number of false attestations without detection.
> It seems unlikely that a true Zero Knowledge Proof system for things like age verification would ever be allowed
This article is about EU age verification which is specifically and definitely stated as using zero knowledge proof in all technical docs that I've seen:
https://eudi.dev/2.5.0/discussion-topics/g-zero-knowledge-pr...
Not a fan, but unfortunately a "digital proof of citizenship" seems to inevitable due to the en-shitification of the internet, autocratic state actor's doctrines to destabilise free societies through disinformation that matches well with social media's en-rage-ment business model, and the more recent AI slopification / AI bots running wild.
The question is whether citizens can build enough pressure for such verification systems to be state-based and truly zero-knowledge (akin to the EU's) versus having the private sector 'verify' each user to siphon data, profit off it (Thiel's Persona) and fortify surveillance-capitalism and autocratic administrations.
At the moment in the UK (where any mention of digital ID sends half the population mental) you have to email a whole raft of ID docs and personal data to estate agents, mortgage brokers, solicitors etc. to get an ID check done. Or use a private ID service that can have a cost associated and may not be any more secure than my passport scan sitting in someones M365 mailbox. You can't know.
I'd be happy to have a government service replace all that nonsense, where a one-time challenge code could verify my ID. There is now a UK.gov "One Login" authentication used by other government services that is essentially a digital ID as far as I can see. It just needs to be made mandatory for ID checks by law.
Such a service can also be used for age verification with the correct privacy controls in place, far better than all the dodgy age verification services that exist now.
Digital ID and age verification are going to be a part of the internet going forward. I'd rather have a government service that (in a functioning democracy) has accountability to the citizens that use it. ID verification is also a natural monopoly, so the government picks a winner anyway.
We’ve had eID for a long time and I’m fine with it becoming more prominent online. Same for age verification, once we settle on a way to do it without US/Palantir being involved in the process.
DEAD, archive: https://web.archive.org/web/20260426040218/https://juraj.bed...
Thanks, we'll put that in the toptext too.
Archive returns 503 ATM....
Where is the big to what we have now?
Not much more freedom, but the control is outside voters reach.
Just ask Nicolas Guillou
Interesting point about ZKP systems. The challenge with age verification is balancing privacy with enforcement — any centralized solution creates a honeypot for data breaches.
ai;dr
> There will be no single EU app, despite what the honchos of EU say.
This shows that the EU commission is systematically lying.
This problem used to exist in the past with Leyen - she is ultimately a lobbyist and that has to stop. Friedrich Merz too by the way - there is a reason why recent polls indicate that the german voters want him out of politics at once.
The EU needs to reform. Right now lobbyists have too much abuse-power. The age sniffing is a great example here - isn't it suspicious how this goes in sync right now in so many countries? Who is paying for this? Nobody needs that, except for some companies.
> Big platforms must verify age for certain content.
But why is their concern, suddenly my concern? I see no need to be in support of any law that would require people to ID in order to access information on the world wide web. That's very obviously the real goal and agenda - everyone with a bit of brains sees this.
> It is the same EU that hates these American corporations and wants EU alternatives for everything
That's not true. The EU commission I consider a lobbyist group, for instance. They lie and lie and lie.
The EU parliament is not much better - you can buy legislation quite easily: https://en.wikipedia.org/wiki/Qatar_corruption_scandal_at_th...
Nothing will seriously changed. The current way how the EU is structure is totally wrong; and it will not be fixed because those in the system, benefit from it financially. See the recent attempt to force EU taxpayers to pay more for those goons. They constantly try to inflate their own budget, at our cost.
> yet no one can make a phone usable for age verification without the blessing of Google
Indeed. We have total incompetence at the leadership level. It should be replaced with technical prowess, but as long as lobbyists such as Leyen are running the show, nothing will change. See the corruption scandals when she was still in Germany. Interestingly the AfD is also full of that, yet voters don't see it - Weidel was working for many years for Goldman sucks. So a next generation of lobbyists will replace the older generation soon. That's why this system how it is, is unfixable. It is broken by design.
When did any EU representative ever lie about this? It has been very clear from the beginning that every member state would make their own apps.
I don't really see what internal German politics and lobbying has to do with anything.
As for the "Google" part, that's up to the member states to decide. In essence, the law states that apps should be secure and untampered. It doesn't specify any remote attestation partner, nor even the strict need for remote attestation although it's hard to accomplish any kind of phone-based authentication security without it. Android's native attestation solution also exists and works for phones sold without Google services, though it's an absolute pain to work with.
Sailfish, pmOS, or any other mobile OS could implement the security requirements if they ever get enough serious popularity to convince governments to make apps for them.
Site seems slashdotted? Or HNd? Do we call it that here? :)
Some call it the HN hug of death. Same like with Reddit.