A big problem is that the Silicon Valley playbook drives companies like Discord to be winner take all. It’s hard to avoid using them, but then they require that give up sensitive documents. I shouldn’t have to choose between keeping sensitive documents private and being able to participate in most gaming communities. Some open source projects have also starting adopting Discord to manage their communities.
> Some open source projects have also starting adopting Discord to manage their communities.
And I've chosen not to engage with more than one such community because I'm not perpared even to give Discord my phone number, let alone any kind of ID document. Luckily there's nothing on Discord I care about that much, so I'm not having to make too difficult a choice. I totally get why most people won't take such a stand.
Not sure what you mean by "like europe" because in Europe they are trying to implement `European Digital Identity (EUDI)` for age verification, which will make stuff like this even worse ....
“Linkability is especially problematic because untrusted entities, such as attribute providers and relying parties acting together, can correlate and link auxiliary information to the same user, thereby breaching privacy and enabling tracking, profiling, or de-anonymisation.” [1]
That’s assuming EUDI never gets breached — but if Google and every major tech company has been, it’s only a matter of time, but this will have way more personal info ....
I've been using discord for 5 years and never upload my ID … And I don't want discord (or any other company) to know my age, or any other identification ...
For sure, but with the EU system you'd just give discord an expiring certificate that proves you're over 18. They can leak that all they want, it's worthless otherwise. Right now you have to upload your actual ID which is obviously extremely dangerous if leaked. So yes, even though there are obvious problems that you mentioned, the EU implementation is better.
Again, for sure and I agree with you - but we're talking about institutions that already have our IDs in some form or another, so just asking them to issue a certificate that says "yeah this user is actually over 18" seems like a no brainer functionality on top of an existing system. Like obviously our government office has a copy of my passport and ID card, but if those leak then we have a much bigger problem as a country.
> we're talking about institutions that already have our IDs in some form or another
The issue isn’t who already has our IDs, it’s that EUDI introduces new auxiliary information (public keys, signatures, revocation identifiers) that create globally unique, linkable identifiers.
Even if the same institutions issue the wallet, each transaction generates additional personal data that can be misused for tracking and profiling, far beyond the data already stored in government registries.
Right, and I'm firmly in the camp that everything on the internet should be both anonymous and accessible to anyone from anywhere.
But clearly this isn't the way the internet is going. As much as I hate it, it seems inevitable that globally every government is introducing at least a requirement for websites to check the age of their users.
So right now this can be done(here in the UK anyway) either by scanning your ID with a 3rd party provider who "promises" to delete it straight away, or by linking your bank account(yes, I'm definitely going to do that to go on pornhub, 100%). Both methods have the problems you mentioned + the additional risk of leaking my personal details because they are getting more info than they need to fulfil their legal obligations.
But if the government could just issue me an expiring cert that says "yep, this user is 18", without any of my other data on it.....then that's vastly preferable to having to scan my passport or driving licence to browse reddit or discord or whatever? Like yeah, maybe someone could still track it somehow(don't see how if every certificate has a unique ID and doesn't contain any identifiable info other than "yep this is a valid certificate and yes the user is over 18", but let's just say they can), but at least my IDs are not at risk of being leaked anywhere.
That is not true, EUDI is a security problem instead of a solution. It is trivial to correlate the info and there is a critical path where a breach would expose even more.
Best security: Don't collect. Nothing comes close, no even the best ZK setup.
Also, as a European citizen I really don't want it. Ironically governments aren't mature enough for that.
You are not supposed to use EUID for age verification. Instead you use the age verification system.
EUID is made for working with government agencies, banks, etc where you need proper identification of the person and the age verification for verifying ones age (it doesn't even say how old you are just that you are over X years old)
End goal is to unify them into the same app at some point but the certificates/validation flows are different. Also as the use cases are very different for the proper identification a whilelist is used on who is allowed to request it. With age verification as it is just a certificate that anyone can validate against the public key so no whitelisting possible (or wanted really)
