Most active commenters
  • Tadpole9181(3)
  • bawolff(3)

←back to thread

Supreme Court's ruling practically wipes out free speech for sex writing online

(ellsberg.substack.com)
693 points macawfish | 23 comments | 12 Jul 25 18:14 UTC | HN request time: 1.377s | source | bottom
Show context
al_borland ◴[12 Jul 25 18:53 UTC] No.44544145[source]
All these ID check laws are out of hand. Parents are expecting the government, and random websites, to raise their kids. Why would anyone trust some random blog with their ID?

If these laws move forward (and I don’t think they should), there needs to be a way to authenticate as over 18 without sending picture of your ID off to random 3rd parties, or giving actual personal details. I don’t want to give this data, and websites shouldn’t want to shoulder the responsibility for it.

It seems like this could work much like Apple Pay, just without the payment. A prompt comes up, I use some biometric authentication on my phone, and it sends a signal to the browser that I’m 18+. Apple has been adding state IDs into the Wallet, this seems like it could fall right in line. The same thing could be used for buying alcohol at U-Scan checkout.

People should also be able to set their browser/computer to auto-send this for single-user devices, where it is all transparent to the user. I don’t have kids and no one else’s uses my devices. Why should I need to jump through hoops?

replies(36): >>44544207 #>>44544209 #>>44544223 #>>44544253 #>>44544375 #>>44544403 #>>44544619 #>>44544667 #>>44544797 #>>44544809 #>>44544821 #>>44544865 #>>44544875 #>>44544926 #>>44545322 #>>44545574 #>>44545686 #>>44545750 #>>44545798 #>>44545986 #>>44546467 #>>44546488 #>>44546759 #>>44546827 #>>44547088 #>>44547591 #>>44547777 #>>44547788 #>>44547799 #>>44547881 #>>44548019 #>>44548400 #>>44548482 #>>44548740 #>>44549467 #>>44560104 #
1. alwa ◴[12 Jul 25 19:00 UTC] No.44544207[source]
And we could call this way… zero-knowledge proof! :)

https://en.m.wikipedia.org/wiki/Zero-knowledge_proof

I bet we could even get a major phone OS vendor to support such a thing…

https://blog.google/products/google-pay/google-wallet-age-id...

replies(7): >>44544256 #>>44544433 #>>44544457 #>>44545411 #>>44545492 #>>44545617 #>>44547292 #
2. michaelt ◴[12 Jul 25 19:05 UTC] No.44544256[source]
Do we expect Apple to implement a special, privacy-preserving age proof for porn viewers? Apple hates porn, when it's on websites like Tumblr.
replies(3): >>44544341 #>>44544342 #>>44545075 #
3. alwa ◴[12 Jul 25 19:17 UTC] No.44544341[source]
At the same time they seem pragmatic about putting their mark on standards. It seems to me like we’re at a confluence: a regulatory tipping point where there really is pressure to bring laws to bear on online harms affecting kids; and a socio-technological moment where “gotta distinguish kids from adults” can realistically happen separately from “…by handing over personal info directly to shady random counterparts.”

Individual smartphones with biometrics are these days a whole-of-society norm, technologists have developed a mature body of cryptographic work to assert ZKPs, the US population seem to have lost their aversion to centralized ID systems… and the periodic moral panic about the kids seems to be at a high tide.

In the same way that Apple don’t prevent, say, Safari from being used for prurient purposes, or Final Cut Pro from being used to edit naughty bits, I don’t see why they wouldn’t want an opinionated implementation as a concept develops of a generic “digital tool to assert your age, and only that.” Especially since Android is doing it and leaning into the privacy angle.

4. meowkit ◴[12 Jul 25 19:17 UTC] No.44544342[source]
Zero knowledge proof smart contract verification called by the site interested in your age. You provide your public key wallet with its government issued soul bound NFT of your identification.

This can be done, its not that crazy, it just requires a bunch of people to get their heads out of their sand in regards to tech and blockchain, which admittedly might be a harder problem.

——

Additonal thought- if you don’t understand what I’m saying or have a negative reaction just plug the comment + thread context into an LLM and see what it says / ask for a clearer explanation.

replies(1): >>44544811 #
5. ◴[12 Jul 25 19:26 UTC] No.44544433[source]
6. ◴[12 Jul 25 19:29 UTC] No.44544457[source]
7. root_axis ◴[12 Jul 25 20:19 UTC] No.44544811{3}[source]
ZKP is all you need. The NFT or blockchain stuff is unnecessary can be discarded.
8. tzs ◴[12 Jul 25 20:53 UTC] No.44545075[source]
I expect Apple will implement a general privacy-preserving arbitrary attribute proof, with age proof just one of the things it could be used for, probably using something similar to the library that Google recently released [1].

[1] https://news.ycombinator.com/item?id=44457390

9. macawfish ◴[12 Jul 25 21:38 UTC] No.44545411[source]
Yet then again how hard is it to just grab your parents' ids while they're not looking and add it to your phone wallet?
replies(3): >>44546188 #>>44547504 #>>44547732 #
10. andrepd ◴[12 Jul 25 21:49 UTC] No.44545492[source]
Eh. So now I'm forced to have all my IDs stored at an advertising behemoth. Not really a great situation either.

You're practically forced to have a Google/Apple account and a google/apple smartphone to even exist in today's world.

11. Aerroon ◴[12 Jul 25 22:09 UTC] No.44545617[source]
I bet that in practice, at scale, these zero knowledge proofs end up being a lot more than zero.

Not to mention that you're almost certainly going to have to tie this stuff to specific accounts that will then forever and ever keep your habits collected. One day somebody enterprising is going to add all that data together too.

replies(2): >>44546306 #>>44546565 #
12. __turbobrew__ ◴[12 Jul 25 23:41 UTC] No.44546188[source]
Gate it in the touch id secure enclave. Then only the biometrics of the adult can provide the proof that they are over 18.
replies(1): >>44546303 #
13. macawfish ◴[13 Jul 25 00:02 UTC] No.44546303{3}[source]
I'm just saying that if age verification is done via a "smart card" then it shouldn't be hard to just add that to the phone.

Unless of course they're planning on making us go to some facility to ensure our phones get the digital components of the IDs get loaded into the secure enclave? Which sounds dystopian as heck given the scenes coming out of the US right now.

14. Tadpole9181 ◴[13 Jul 25 00:03 UTC] No.44546306[source]
VPNs and zero knowledge proof systems are vulnerable to traffic analysis (based on packet size and timestamps) and there's almost no cure.

Mullvad is the only VPN I know of that has a mode that normalizes all packets to the same size (going into the VPN) and sends fake packets that don't get sent as real traffic. But that's only obfuscation and, at low traffic or high bandwidth (videos) or with sufficient heuristics, it can be beaten.

The US has basically zero regulation on selling this data. I can imagine a world where within a couple decades the US has one of the largest blackmail crisis ever seen, as foreign governments target civil workers. Or, I guess, at this point, the US government against the "undesirable" party within this administration.

replies(2): >>44546585 #>>44547129 #
15. bawolff ◴[13 Jul 25 00:59 UTC] No.44546565[source]
> I bet that in practice, at scale, these zero knowledge proofs end up being a lot more than zero.

Zero knowledge proof is not a marketing term, its a math term. Maybe sometimes they are implemented wrong, but if they are implemented correctly its pretty rock solid. Certainly more rock solid than much cryptography which rests on sketchy foundations.

16. bawolff ◴[13 Jul 25 01:03 UTC] No.44546585{3}[source]
> VPNs and zero knowledge proof systems are vulnerable to traffic analysis

Zero knowledge proofs are not vulnerable to traffic analysis the same way VPNs are.

replies(1): >>44547419 #
17. cryptonector ◴[13 Jul 25 02:59 UTC] No.44547129{3}[source]
> VPNs and zero knowledge proof systems are vulnerable to traffic analysis (based on packet size and timestamps) and there's almost no cure.

All comms are subject to traffic analysis except surreptitious, covert channels (which can't be covert if the implementations are widely available).

18. Springtime ◴[13 Jul 25 03:41 UTC] No.44547292[source]
It would be preferable if the prover party that holds the credentials in this scenario weren't Google. If anything I'd prefer a government issued digital ID with some form of local-only cryptographic exchange where neither the government knows someone has verified at a particular site/service and the verifier doesn't get info about one's identity. Just some cryptographic proof that verifies an age ('just' is doing some heavy lifting).

In past HN comments this apparently exists IRL in Germany and/or Canada, where age can be proven via a smartphone without leaking one's identity to the verifier and without any communication back to the government.

19. Tadpole9181 ◴[13 Jul 25 04:09 UTC] No.44547419{4}[source]
It really depends on the implementation around it, how a user conducts themselves, and what data you can buy. While there is zero knowledge inside the proof, its use creates a side channel that reveals information.

For instance: The relying party server needs to call the auth server on novel users. Thats a new, unavoidable indicator!

How large are token batches and how long do they last? Will the implementation force them to wait a time period between redemption and use?

A bad implementation means the user IP will talk to the A server, then it will contact the RP server, who will contact the A server. Because this happens once per connection (or 60 minutes in this bill) and takes maybe a few hundred milliseconds. there's not going to be a huge number of candidates to have to sort through. And that's just the handshake.

replies(1): >>44547457 #
20. bawolff ◴[13 Jul 25 04:17 UTC] No.44547457{5}[source]
> For instance: The relying party server needs to call the auth server on novel users. Thats a new, unavoidable indicator!

Not really. There is no requirement here for an auth server to neccesarily even exist.

That said, your broader point is correct, that the details matter a tremendous amount.

replies(1): >>44547950 #
21. sigwinch ◴[13 Jul 25 04:26 UTC] No.44547504[source]
Accessing my site after that would violate CFAA, right? Minors are not exempt from CFAA.
22. cloverich ◴[13 Jul 25 05:18 UTC] No.44547732[source]
They can require a selfie to compare against, multiple documents, a video, etc. IMHO best bet is to consolidate the validation to a small set of reputable companies, delegate validation to them, then improve regulations around access. Eg non-reputable site needs to know you are 18 (etc) but not see your actual id if they can have a third party do it in a blind-to-them fashion.
23. Tadpole9181 ◴[13 Jul 25 06:19 UTC] No.44547950{6}[source]
Oh, that's my bad, I re-read the privacy pass protocol to brush up and it does use signing without requiring the RP to necessarily make another call to the original approver server. I also see there's been work on hidden witness ZKP, so the RP may not even know who approved a given token.

Very cool! Always happy to be proven wrong with cool tech!