Most active commenters
  • _Algernon_(6)
  • chgs(4)
  • xp84(3)

←back to thread

Supreme Court's ruling practically wipes out free speech for sex writing online

(ellsberg.substack.com)
693 points macawfish | 23 comments | 12 Jul 25 18:14 UTC | HN request time: 0.634s | source | bottom
Show context
xp84 ◴[12 Jul 25 19:01 UTC] No.44544217[source]
So, while I agree that this feels foreign and wrong to me as someone who has experienced "The Internet" for so long, I can't help but wonder if we can separate that from how the offline world works.

I'm asking this in good faith.

Given that:

1. The Internet is not an optional subscription service today the way it was in 1995. Every kid and adult has 1,000 opportunities to get online including on the multiple devices every one of their peers owns, which a single set of parents has no control over. So "Just keep them off the Internet/control their devices" seems like a silly "Just" instruction.

2. The Internet is nearly infinite. The author of this editorial says "then install a content blocker on your kids’ devices and add my site to it". This is a silly argument since the whole point is that no one has ever heard of him/her and it's obviously impossible for a filter (let's just assume filters can't be bypassed) can "just" enumerate every inappropriate site even if it employed a full-time staff who did nothing but add new sites to the list all day long.

So given all of that, how do we justify how the Internet must operate on different rules than the offline world does? One can't open a "Free adult library" downtown and allow any child to wander in and check out books showing super explicit porn. I'd have to check IDs and do my best to keep kids out. It also seems like it would be gross to do so. If you agree with that, why should the Internet operate on different rules?

I'd also like to separate the logistics from the morality here. If you believe it's hard to do it without satisfying privacy concerns, totally true! But then the focus should be on finding a good privacy-respecting solution, not just arguing for the status quo.

replies(12): >>44544288 #>>44544347 #>>44544450 #>>44544850 #>>44545884 #>>44545971 #>>44546073 #>>44546385 #>>44547167 #>>44547340 #>>44547886 #>>44556828 #
1. _Algernon_ ◴[12 Jul 25 19:18 UTC] No.44544347[source]
The fundamental problem—and it's a big one—is that in the physical world, age verification does not result in a centralized log of when and where I was, and what I did. If I buy cigarettes I show my paper id to some dude and then buy smokes. It's transient with no record (except the fallible memory of the bloke doing the ID check).

This is not true for the proposed age verification schemes for the internet and that is a big problem. Unless this is solved, these schemes deserve every level of resistance we can muster.

replies(3): >>44544404 #>>44544804 #>>44546260 #
2. _Algernon_ ◴[12 Jul 25 19:24 UTC] No.44544419[source]
Age verification is easy. Age verification that leaves no record, is anonymous, and not circumvent-able is difficult. In the physical world it relies on the fallibility of human memory. No such luck with replicated databases.
replies(3): >>44544499 #>>44544539 #>>44550639 #
3. danaris ◴[12 Jul 25 19:30 UTC] No.44544462[source]
...Who is accurately and reliably doing age verification online?

How can you guarantee that the credential you're getting belongs to the actual person on the other side of the screen?

replies(1): >>44552028 #
4. chgs ◴[12 Jul 25 19:34 UTC] No.44544487[source]
We can’t do it because our priority as an industry is to get data to monetise. Anonymity is a bug, not a feature.
5. chgs ◴[12 Jul 25 19:36 UTC] No.44544499{3}[source]
Site generates random key

Key and verification passed to verifier

Verified list is published

Site pulls list and checks its number has been verified

Site doesn’t know who it is, and verifier doesn’t know which site was verified against

replies(2): >>44544527 #>>44548633 #
6. _Algernon_ ◴[12 Jul 25 19:39 UTC] No.44544527{4}[source]
How do you prove that the generated key by the site is actually randomly generated? I certainly don't trust a random porn site to do this right.

If the verified list is tied against identity, there is only a simple law change required to de-anonymize everything.

replies(2): >>44545351 #>>44552067 #
7. baq ◴[12 Jul 25 19:41 UTC] No.44544539{3}[source]
An id card is a bearer token.

You can get an anonymous, cryptographically signed, certified legal bearer token confirming your age only, or identity or whatever by a centralized service, be it government or high trust private organizations who need to verify your identity anyway like banks. With some smarts you can probably make such a token yourself so the root bearer token issuer doesn’t have the one you use to browse pornhub.

replies(1): >>44544559 #
8. _Algernon_ ◴[12 Jul 25 19:43 UTC] No.44544559{4}[source]
Which inevitably can be deanonymized after a simple law change, mandating the required data to be reported.
replies(1): >>44550505 #
9. kelnos ◴[12 Jul 25 20:18 UTC] No.44544804[source]
That's not even universally true, though. I've been to bars where they scan the barcode on my drivers' license. I assume that's more convenient than reading the data off it, so maybe they're just doing it for convenience and aren't storing the data anywhere, but who knows, maybe they are. Maybe there's a database somewhere with a list of name, date, time, location tuples for some of my bar visits from years ago. Creepy.
replies(1): >>44546124 #
10. chgs ◴[12 Jul 25 21:29 UTC] No.44545351{5}[source]
Doesn’t really matter surely, you only need to trust the identity provider not to leak your identity and your porn provider not to have a key that your identity provider can link to.
11. mixmastamyk ◴[12 Jul 25 23:30 UTC] No.44546124[source]
Yeah, grocery stores swipe ids too. Thankfully I’m too old, they don’t ask. Have to teach kids to not allow it. Definitely stored.
replies(1): >>44551980 #
12. rustcleaner ◴[12 Jul 25 23:55 UTC] No.44546260[source]
Pot shops in legal states are compiling databases with their compliance CRM systems.

Pot industry needs to anonymize their customer records or stop using SaaS packaged solutions.

Now if China hacks Meadows or something, they have customer and purchase lists which may include security cleared personnel who can now be blackmailed.

If you run a pot shop, or an SaaS solution for them like Meadows, you really have to figure out how to divorce customer PII from purchases.

I am back to the black market in Oregon for this reason!

13. sigwinch ◴[13 Jul 25 08:42 UTC] No.44548633{4}[source]
Break the key in half.

Otherwise, why wouldn’t I just try the last entries from that list?

replies(1): >>44548999 #
14. chgs ◴[13 Jul 25 10:01 UTC] No.44548999{5}[source]
They key would be hashed with the user’s details (ip address, value in a session cookie etc) so someone else can’t reuse it. Hell there are things like elliptic curves and DH which still seem magic to me.

Now sure if the identity provider and the site work together they could negate the anonymity, but given that for the identity provider anonymisation would be the key selling feature they wouldn’t want to risk that. Mullvad I’m sure would be trustworthy enough.

15. techjamie ◴[13 Jul 25 13:58 UTC] No.44550505{5}[source]
https://datatracker.ietf.org/wg/privacypass/about/

Perhaps a system like Privacy Pass would be ideal. Where a verifier generates a verified client a number of redeemable signed tokens for a session, but when presented by a client, the site doesn't know who that token was issued to, but they know they authenticated this person and can verify they made the token. Therefore they get access.

replies(2): >>44555228 #>>44557369 #
16. 2OEH8eoCRo0 ◴[13 Jul 25 14:20 UTC] No.44550639{3}[source]
That verification doesn't even exist in meatspace though. We are setting an impossibly high bar to try to weasel out of implementing anything.
17. xp84 ◴[13 Jul 25 17:29 UTC] No.44551980{3}[source]
> Definitely stored

Not well-designed ones. I think you overestimate how much retailers want to even possess sensitive information like that.

What's going to be stored is the fact that an of-age ID was scanned, and possibly the DOB. This is to protect honest cashiers and to have a way to punish ones who might sell to the underage. If an underage sale is reported, they check the audit log and it says the transaction had an ID scanned the cashier can be cleared of wrongdoing. Unless it's the same DOB always being scanned, which seems like some kind of dishonesty.

I do not buy that the supermarket chain wants to use your ID card data for any purpose. First of all, they don't need to, they have (most people's) loyalty cards that do a much better job as they're swiped or entered even without buying any beer. Second, again, only downsides come from saving it. If they were to sell the data and be caught, terrible. If they were to get hacked, terrible.

replies(1): >>44553564 #
18. xp84 ◴[13 Jul 25 17:36 UTC] No.44552028{3}[source]
> ...Who is accurately and reliably doing age verification online?

ID.me for one is doing full identity verification by looking at your face and your ID card (and I assume having a human check up on it if the algorithm doesn't work). If Apple can do their fancy cloud-AI server thing with provable attestations that they aren't saving your information, someone could build a version of this which has those kind of safeguards and which passes back an emum (UNDER_18, 18_TO_20, ADULT) rather than a name or ID number to the caller.

Whether people would trust it is again, shrug. Most people barely understand how any kind of cryptography works so at the end of the day you do your best and people make their choices on whether to trust you. But the fact is that if the system actually IS designed properly, there isn't any risk of "oh no, 2029 fascism, now Supreme Commander Trump knows what porn sites I use" because that data was never saved.

19. thinkharderdev ◴[13 Jul 25 17:42 UTC] No.44552067{5}[source]
You don't trust people who run a massive-scale streaming video platform to have the technical chops to generate random numbers?
replies(1): >>44553364 #
20. _Algernon_ ◴[13 Jul 25 20:20 UTC] No.44553364{6}[source]
I trust them to have the capability to do it. I don't trust them to be willing to do it despite legal duress (which is only ever a law-change away).
21. mixmastamyk ◴[13 Jul 25 20:43 UTC] No.44553564{4}[source]
Your comment made sense perhaps only twenty years ago. But today, everyone is desperate for this kind of info. Third-parties provide these services for free or close to it, especially to get access to the data stream.

It's a several hundred billion dollar industry, in the US alone. Retail is definitely a source: https://market.us/report/data-broker-market/

Someone was on here a couple of years ago stating that even "line item" level data on your receipt is now being transmitted in a lot of cases, and growing.

The bottom line today—never expect a company to default to respect of your privacy. Simply too lucrative.

22. heavyset_go ◴[14 Jul 25 00:39 UTC] No.44555228{6}[source]
You're looking for a technical solution to a political problem. This tech is useless the second a law is passed that identities have to be logged. It's also useless if implementers decide to collect identifying information without telling you.
23. _Algernon_ ◴[14 Jul 25 07:31 UTC] No.44557369{6}[source]
That also weakens circumventability. What's stopping me to sell my signed tokens to the highest bidder on ebay?