
Things happen.

networkstring honked back 09 Dec 2024 09:34 +0000
in reply to: https://mastodon.neilzone.co.uk/users/neil/statuses/113622039470510121

@neil

it is to a standard that would be accepted by regulators responsible for enforcing "online safety" laws

  • Incorporate a limited company
  • Generate a tonne of SHA256 hashes (or UUIDs) and store them in a Bloom filter ( https://en.wikipedia.org/wiki/Bloom_filter )
  • Provide small libraries that can trivially verify that a given hash is in a bloom and distribute the bloom filter to the site operators for a teeny tiny fee (a SaaS model is an option but for privacy reasons please no)
  • Create a 'gig economy' style system for verified adults to hand out the hashes to anyone who asks
  • The Limited company holds the verified distributors liable for verification of who they give the codes out to
  • The site owners hold the Limited company liable for the integrity of the system as a whole
  • The Limited company only knows which verifier issued which SHA256 hash (or UUID or whatever) and (SaaS aside) never knows who has what hash, in fact it never even sees them again as the bloom filters are distributed to the site operator and checked locally


There's still a whole set of problems: distribution of block lists of 'known bad' codes, penalizing verifiers who hand out codes to anyone thereby weakening the claimed efficacy of the platform, confirmation attacks against the bloom, verifiers needing compensation to be worth their time, verifiers excessively charging for access, verifier deserts etc etc.

The tech side is trivial to implement, the human side would be difficult.
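The local check described in the post above, as an added example that is not part of the original post: a site operator holds only a Bloom filter built from the issued tokens and tests membership offline. The class name `TokenBloom`, the 5,000-token capacity, the 1% target rate and the random sample tokens are all assumptions made for illustration; the measurement shows that never-issued values are accepted at roughly the filter's false-positive rate, which is the ceiling on how strong this check can be.

```python
import hashlib
import math
import secrets


class TokenBloom:
    """Bloom filter over issued tokens; it stores bits, not the tokens themselves."""

    def __init__(self, capacity, fp_rate):
        # Standard sizing: m = -n ln p / (ln 2)^2 bits, k = (m/n) ln 2 hash functions.
        self.m = math.ceil(-capacity * math.log(fp_rate) / math.log(2) ** 2)
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, token):
        # Double hashing: derive k bit positions from one SHA-256 digest.
        d = hashlib.sha256(token).digest()
        h1 = int.from_bytes(d[:16], "big")
        h2 = int.from_bytes(d[16:], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, token):
        for p in self._positions(token):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, token):
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(token))


def measured_fp_rate(bloom, trials):
    # Fraction of never-issued random tokens the site operator would still accept.
    return sum(secrets.token_bytes(32) in bloom for _ in range(trials)) / trials


def demo(n=5000, fp_rate=0.01, trials=20000):
    # Constructed sample data: random 32-byte values stand in for the issued hashes.
    issued = [secrets.token_bytes(32) for _ in range(n)]
    bloom = TokenBloom(n, fp_rate)
    for t in issued:
        bloom.add(t)
    return all(t in bloom for t in issued), measured_fp_rate(bloom, trials), len(bloom.bits)


if __name__ == "__main__":
    ok, fp, size = demo()
    print(f"all issued accepted: {ok}; unissued accepted: {fp:.2%}; filter size: {size} bytes")
```

A lower target rate costs about 1.44 × log2(1/p) bits per issued token, so the filter stays small enough to distribute even at much stricter settings.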

networkstring honked back 05 Dec 2024 17:33 +0000
in reply to: https://mstdn.party/users/pandorablake/statuses/113601293721634292

@pandorablake

What I want is a security expert to review the age verification solutions currently on offer - not the methods themselves, but the actual products on the market - and report on which ones, if any, pass muster from a privacy perspective. Any volunteers?

Sadly the day after the review they could undo/change anything and break whatever privacy the evaluators found it had.

But I suppose it'd be possible to look at things on a gradient scale like the EFF's Tor explainer ( https://tor-https.eff.org/ ).

E.g.

  • AppA knows who you are and what websites you ID against.
  • AppB knows what websites you ID against and your IP address but doesn't know who you are
  • AppC knows which intermediary broker you used but doesn't know the websites you've visited, who you are or even your IP address