693 points macawfish | 44 comments
al_borland ◴[] No.44544145[source]
All these ID check laws are out of hand. Parents are expecting the government, and random websites, to raise their kids. Why would anyone trust some random blog with their ID?

If these laws move forward (and I don’t think they should), there needs to be a way to authenticate as over 18 without sending a picture of your ID off to random 3rd parties, or giving actual personal details. I don’t want to give this data, and websites shouldn’t want to shoulder the responsibility for it.

It seems like this could work much like Apple Pay, just without the payment. A prompt comes up, I use some biometric authentication on my phone, and it sends a signal to the browser that I’m 18+. Apple has been adding state IDs into the Wallet, this seems like it could fall right in line. The same thing could be used for buying alcohol at U-Scan checkout.

People should also be able to set their browser/computer to auto-send this for single-user devices, where it is all transparent to the user. I don’t have kids and no one else uses my devices. Why should I need to jump through hoops?

replies(36): >>44544207 #>>44544209 #>>44544223 #>>44544253 #>>44544375 #>>44544403 #>>44544619 #>>44544667 #>>44544797 #>>44544809 #>>44544821 #>>44544865 #>>44544875 #>>44544926 #>>44545322 #>>44545574 #>>44545686 #>>44545750 #>>44545798 #>>44545986 #>>44546467 #>>44546488 #>>44546759 #>>44546827 #>>44547088 #>>44547591 #>>44547777 #>>44547788 #>>44547799 #>>44547881 #>>44548019 #>>44548400 #>>44548482 #>>44548740 #>>44549467 #>>44560104 #
1. conradev ◴[] No.44544667[source]
You mean like this?

https://webkit.org/blog/16993/news-from-wwdc25-web-technolog...

It’s a W3C spec led by Okta, Apple and Google based on an ISO standard and it is being rolled out as we speak.

This part

> other iOS applications that have registered themselves as an Identity Document Provider.

Has some fun history: California went with an independent contractor for its mDL implementation, which ultimately pressured Apple into integrating open(-ish) standards to interoperate.
replies(5): >>44545214 #>>44546545 #>>44547146 #>>44547326 #>>44548570 #
2. al_borland ◴[] No.44545214[source]
This is interesting, but I’d like to go a step further. I watched the first quarter of the video where they go over how it works. The site requests data from your ID and they get that data. The site chooses which data it needs and if it will store it or not. Sites these days have a tendency to ask for more than what they need, and to store it for profiling purposes. The user can deny the request, but then can’t use the site. They are then left with a dilemma. Give up this personal information or not have access at all? Companies are betting on users giving up privacy in exchange for access.

What I’d like to see is for the site’s request to contain their access rules. Must be over 18, must be in country X, etc. Then on-device it checks my ID against that rule set, and simply returns a pass/fail result from those checks. This way the site would know if I’m allowed to be there, but they don’t get any specific or identifiable information about me. Maybe I’m 18, maybe I’m 56… they don’t know, they both simply send a pass. For a simple age check, a user’s exact birthday, name, address, etc are irrelevant, but I bet companies will get greedy and try to pull it anyway.

I see the monkey paw of the ID spec as leading to more companies seeking to get all our data, when they really don’t need it, and have shown they can’t be trusted with it.

I already see this with Apple Pay. When buying a digital item, some companies are awesome and simply take the payment with no other data. Others pull name, address, email, etc to make a payment when none of that is required.

replies(3): >>44545418 #>>44548053 #>>44550006 #
3. conradev ◴[] No.44545418[source]
The spec is being implemented by Apple, who is sensitive to privacy issues.

The intent of the ISO spec is to allow you to request fine-grained data, like birth year only, but if you read the W3C standard, they explicitly call out privacy as a complex thing that maybe should be regulated.

The spec spells out the complexity: some ID verification processes actually need a lot of info! But some, like an alcohol age check, do not. The spec can do both, but it’s hard to differentiate these technically. The spec does lay out what user agents should do to make it clear which information is going where.

A bad scenario would be designing an API that is too hobbled to replace the invasive “photo of an ID” companies, which this spec seeks to do.

I’d prefer an open web standard that can be abused (with user consent) to a closed App Store-only API or the status quo

replies(2): >>44546122 #>>44548124 #
4. AnthonyMouse ◴[] No.44546122{3}[source]
> The intent of the ISO spec is to allow you to request fine-grained data, like birth year only, but if you read the W3C standard, they explicitly call out privacy as a complex thing that maybe should be regulated.

Aren't the regulations the problem here? If not for that nobody would be getting pressured to divulge this personal information to every shady app and website in the first place.

Suppose I want to make a service that verifies your age by asking you questions about what life was like before 9/11. Can I do that? And if I can't, is the problem the standards, or the law?

replies(4): >>44546267 #>>44546344 #>>44548080 #>>44550288 #
5. mlyle ◴[] No.44546267{4}[source]
I think most age verification ranges from silly to chilling to speech. But I don’t think we can somehow punt these problems to the quiz from the beginning of Leisure Suit Larry (which never stopped 10 year old me).
replies(1): >>44546584 #
6. conradev ◴[] No.44546344{4}[source]
Yes, they are! But also because the law sets the standard, it can also provide a new one. For example:

a) you are still legally required to age verify online alcohol purchases but

b) it’s illegal to use information collected for that purpose for other purposes and

c) Which information is collected is made legible by the user agents

Maybe something around only collecting minimal data, too.

Some of the first eager customers are banks with onerous KYC requirements – they want one click account creation! Good luck changing financial disclosure laws, though, my bank knows quite a bit about me.

replies(1): >>44546553 #
7. bawolff ◴[] No.44546545[source]
Personally i'd be much more excited about something like https://zkpassport.id/
8. AnthonyMouse ◴[] No.44546553{5}[source]
> but also because the law sets the standard, it can also provide a new one.

If the people writing the law cared about privacy they wouldn't have passed that one, and anybody who does would be repealing it rather than trying to find the best shade of lipstick for the pig.

> Which information is collected is made legible by the user agents

This is the part you don't need a law in order to do because the user can choose their user agent. Or if they can't, you should stop talking about any of this and go fix your antitrust problem.

> you are still legally required to age verify online alcohol purchases but

By conceding this you've already lost, because:

> it’s illegal to use information collected for that purpose for other purposes

This is the part which is hopeless. If they have the information, you're already screwed, because once they have it it's almost impossible for you or the government to know what they're doing with it, which makes those laws nearly impossible to enforce. And on top of that, a large part of the problem is what criminals or governments do once there is a legally-mandated database of all of that stuff, and those entities aren't constrained by laws.

Which is why anybody who really cares about this knows that the only solution is to not have the law require that data to be collected.

> Good luck changing financial disclosure laws, though

"Slippery slope is a fallacy", they said. "It's just one inch", they said.

replies(1): >>44546685 #
9. AnthonyMouse ◴[] No.44546584{5}[source]
Requiring someone to have a government ID isn't anywhere near 100% effective because people will just borrow one from dad's wallet while he's not looking or use a device already signed in as someone else or the high school freshmen will get one from the high school seniors etc.

If we're admitting solutions that aren't 100% effective, why can't we admit solutions that aren't 100% effective but are much better at preserving privacy?

replies(1): >>44548100 #
10. conradev ◴[] No.44546685{6}[source]
I figured I’d get this response, but:

I don’t see my primary care doctor selling my health data, due in part to data privacy laws like HIPAA. Consumer companies take COPPA seriously.

You absolutely cannot control what companies do with data, so you want to prevent its collection in the first place – but you can penalize them when they do something wrong, which does influence their behavior. The jury is still out on the effectiveness of the GDPR, but to say it had no effect would be an odd claim.

replies(6): >>44547147 #>>44547191 #>>44547277 #>>44547282 #>>44549844 #>>44549938 #
11. vlovich123 ◴[] No.44547146[source]
For what it’s worth these mDL providers are the people already contracted to provide the services for the government to manage the IDs and the IT system for the DMV. They were part of the ISO standardization body for mDL. Not sure California’s choice pressured Apple so much as it being an international standard that had support from the governing bodies in Europe, UK, North America and Japan (met all of them there).

Apple wasn’t there when I was and even broader Google joined about 6 months after I left Google in 2015 (I was just proactive about seeing the standard coming) but the big players hopped on board later in the process.

We were all also acutely aware of the privacy implications and making sure the bodies would sign records of >18, >21 to avoid having to share too much info (pre ZKproofs being more widely accepted/recognized).
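An added example, not part of the thread or of any wallet's code, sketching how issuer-signed `age_over_NN` records let a holder prove "over 18" without handing over a birth date: the issuer signs only salted digests of each attribute, and the holder releases just the items a site asks for. Assumptions: JSON stands in for the CBOR encoding, an HMAC stands in for the issuer's asymmetric COSE signature, device authentication is omitted, and all attribute values are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: stand-in for the issuer's signing key. A real issuer signs with an
# asymmetric key, so verifiers only ever hold the public half.
ISSUER_KEY = secrets.token_bytes(32)


def _canon(obj) -> bytes:
    """Deterministic serialization so digests and signatures are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _item_digest(item: dict) -> str:
    return hashlib.sha256(_canon(item)).hexdigest()


def _sign(mso: dict, issuer_key: bytes) -> str:
    return hmac.new(issuer_key, _canon(mso), hashlib.sha256).hexdigest()


def issue(attributes: dict, issuer_key: bytes) -> dict:
    """Issuer: wrap every attribute with a random salt and sign only the digests."""
    items, digests = [], {}
    for digest_id, (name, value) in enumerate(sorted(attributes.items())):
        item = {
            "digestID": digest_id,
            "random": secrets.token_hex(16),  # salt: blocks guessing hidden values
            "elementIdentifier": name,
            "elementValue": value,
        }
        items.append(item)
        digests[str(digest_id)] = _item_digest(item)
    mso = {"digestAlgorithm": "SHA-256", "valueDigests": digests}
    return {"mso": mso, "signature": _sign(mso, issuer_key), "items": items}


def present(credential: dict, requested: set) -> dict:
    """Holder's wallet: forward the signed digest list plus only the requested items."""
    return {
        "mso": credential["mso"],
        "signature": credential["signature"],
        "items": [i for i in credential["items"]
                  if i["elementIdentifier"] in requested],
    }


def verify(presentation: dict, issuer_key: bytes) -> dict:
    """Verifier: check the issuer signature, then each disclosed item's digest."""
    expected = _sign(presentation["mso"], issuer_key)
    if not hmac.compare_digest(expected, presentation["signature"]):
        raise ValueError("issuer signature does not match the digest list")
    signed_digests = presentation["mso"]["valueDigests"]
    disclosed = {}
    for item in presentation["items"]:
        signed = signed_digests.get(str(item["digestID"]))
        if signed is None or not hmac.compare_digest(signed, _item_digest(item)):
            raise ValueError("disclosed item was not signed by the issuer")
        disclosed[item["elementIdentifier"]] = item["elementValue"]
    return disclosed


if __name__ == "__main__":
    # Constructed sample credential.
    cred = issue(
        {"family_name": "Example", "birth_date": "1990-01-01",
         "age_over_18": True, "age_over_21": True},
        ISSUER_KEY,
    )
    shown = present(cred, {"age_over_18"})
    print(verify(shown, ISSUER_KEY))  # only the age_over_18 flag reaches the site
```

The signed digest list and its signature are byte-identical in every presentation, so two sites that compare notes can tell the same credential was shown to both; that residual linkability is what the zero-knowledge approaches mentioned elsewhere in the thread aim to remove.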

12. roenxi ◴[] No.44547147{7}[source]
> I don’t see my primary care doctor selling my health data

Without overstretching the metaphor, it is quite revealing - you wouldn't see your primary care doctor selling that information whether they are or aren't. You don't have an effective way of monitoring the situation. Nobody outside the hypothetical transaction does.

It is common for that sort of situation to go bad if the economics of selling the data make sense despite the risk of getting caught.

replies(1): >>44555824 #
13. socalgal2 ◴[] No.44547191{7}[source]
Every doctor I've been to makes me sign a paper that says I acknowledge all my data will be shared with all of their partners.
replies(1): >>44547368 #
14. inetknght ◴[] No.44547277{7}[source]
> I don’t see my primary care doctor selling my health data, due in part to data privacy laws like HIPAA. Consumer companies take COPPA seriously.

Insurance companies are laughing all the way to the bank.

15. mystraline ◴[] No.44547282{7}[source]
> I don’t see my primary care doctor selling my health data, due in part to data privacy laws like HIPAA.

I'm glad I didn't get a diagnosis and treatment for ADHD, ADD, or autism.

The enemy is also government, especially with RFK's anti-autism trend, along with trawling through all medical records with those diagnoses.

16. veeti ◴[] No.44547326[source]
> Marcos Caceres (Apple Inc.)
> Tim Cappalli (Okta)
> Mohamed Amir Yosef (Google Inc.)

Don't forget: these are the upstanding members of society who brought the dystopia to you.

17. vel0city ◴[] No.44547368{8}[source]
That doesn't mean any of those other companies are buying or selling that data.

The healthcare provider uses an EHR. They might have some managed service provider managing their IT assets and their EHR deployment. Two companies they have BAAs with. That EHR company could be cloud hosted, another BAA. They probably rely on other tools and contractors which might have BAAs. Later on when they go to bill they exchange that billing data through billing analysis tools (another BAA) and then submit to a clearing house (another BAA). All of those companies probably have companies they work with that potentially need BAAs as well, if they work directly with that PHI data in the role of working on behalf of that healthcare provider.

One trip to the doctor could potentially involve dozens of companies you've never heard of that might have a business use case to handle your healthcare data in some way or fashion and none of them actually sold that data or mishandled it under HIPAA.

18. rocqua ◴[] No.44548053[source]
Zero knowledge proofs are the solution.

The website sends the verification function to the user device. The user device then returns a proof that it knows an input that the verification function accepts.

The verification function should include a digital signature check.

This is generally possible already with SSI based credentials, including standards created by W3C.

replies(1): >>44548694 #
19. dcow ◴[] No.44548080{4}[source]
Are you arguing that we should not regulate porn, alcohol, and cigarettes? Or that we shouldn’t have digital ways to do the regulating we’ve been doing for decades?

If the discussion was a question of whether to regulate or not, I’d see more where you’re coming from. But the discussion is about how to effectively respond to the enforcement of existing laws now against websites. Society has grown up and we’re not comfortable giving the internet a pass because digital identity is hard.

replies(3): >>44548328 #>>44548971 #>>44549462 #
20. dcow ◴[] No.44548100{6}[source]
Well this time around the phone will ask the person presenting an ID for biometrics before allowing them to use Dad’s ID. We are improving. There is no perfect solution; we don’t live in a perfect world. Surely we shouldn’t give up and regulate nothing…
replies(1): >>44548864 #
21. chme ◴[] No.44548124{3}[source]
> The spec is being implemented by Apple, who is sensitive to privacy issues.

I generally agree with your points, but I wouldn't trust Apple, or any publicly traded company, to have any kind of ethics. Just because their incentive to make as much profit as possible, leads to them trying to differentiate themselves from other companies, and thus they choose to temporarily align with privacy concerns doesn't mean they will not compromise on them, if they see better profits elsewhere.

I'd rather have privacy enforcing regulations like the GDPR or policies that go even further, than relying on publicly traded companies to protect their users.

22. harvey9 ◴[] No.44548328{5}[source]
I took their post to mean the law steers implementations down a path which is not privacy-preserving.

Showing your driver's license to the store clerk didn't used to mean the store kept a copy.

23. ◴[] No.44548570[source]
24. tanewishly ◴[] No.44548694{3}[source]
Or attribute-based credentials. Basically, you're challenged and get a one-time, challenger-specific credential for exactly the requested attribute(s) from a credential provider. Eg. government (municipality, province, national) can become a credential provider.

Eg. Yivi: https://docs.yivi.app/technical-overview/

replies(1): >>44548859 #
25. ac50hz ◴[] No.44548859{4}[source]
Exactly. Yivi isn’t new having been renamed from IRMA (https://privacybydesign.foundation/en/). Nevertheless, adoption outside the Netherlands remains almost non-existent.

Except for the additional download requirement for a user, the friction is pretty low once it’s set up and you have created some attributes.

The project would benefit from a rebranding review, standardization, an enterprise-capable infrastructure to promote and support alternative service providers, and a review of clients. The current Yivi mobile app hasn’t changed much over the years and when I last used it I still needed a PIN instead of Face ID.

26. AnthonyMouse ◴[] No.44548864{7}[source]
> Well this time around the phone will ask the person presenting an ID for biometrics before allowing them to use Dad’s ID. We are improving.

How is this improving? It's the most invasive proposal yet, serves to prohibit devices that are controlled by their owners and still doesn't actually work because a) there are still a zillion devices with security vulnerabilities and b) none of this applies to websites hosted in other jurisdictions, so you're not actually limiting the access of minors to anything, you're only inconveniencing anyone who does have servers in the US or interacts with any that are. Which is an extremely large number of people to trouble for a benefit that rounds to zero.

> Surely we shouldn’t give up and regulate nothing...

When we're in the category of speech, let's go with this option all the way to the wall.

replies(1): >>44551386 #
27. AnthonyMouse ◴[] No.44548971{5}[source]
> Are you arguing that we should not regulate porn, alcohol, and cigarettes?

Most of the important regulations around these things have nothing to do with the topic at hand. Requiring bourbon not to contain methanol and adult performers to be tested for STDs aren't related to the internet.

And once we're talking about the internet, those things are in a different category because alcohol and cigarettes are physical objects. You can't download vodka from Russia.

Whereas if you want to stop kids from downloading porn from other parts of the world, the police state that would require is the thing wars have been fought against and righteously so. Not because of the porn but because of what it would take to actually make those laws effective, and what it would be used for as soon as it's in place.

But ineffective laws aren't worth having, because they're all costs with no benefits, not least because then people will keep trying to make them effective and the only means to do that is the police state.

> Society has grown up and we’re not comfortable giving the internet a pass because digital identity is hard.

I feel like this kind of language is designed to make people angry. As if you're not an adult if you can look at a trade off against privacy and free speech and say "that's not worth having" instead of implementing every creeping authoritarian proposal specifically because the last one didn't solve the problem.

replies(1): >>44551445 #
28. salawat ◴[] No.44549462{5}[source]
>Society has grown up and we’re not comfortable giving the internet a pass because digital identity is hard.

I'm not comfortable giving society digital identity, because being a human and not abusing the primitive is even harder still. And we can't take it back once we've built it. It's just there for every wannabe despot to start building systems of oppression with. And there's an awful lot of them running around with the "best of intentions" to line the way to hell.

replies(1): >>44551334 #
29. rpdillon ◴[] No.44549844{7}[source]
You can only punish them if you find out about it.

I'm not going to do the legwork for you, but you should be looking around for the way Google is transferring the medical information on 50 million Americans as part of Project Nightingale a few years back, and you should be looking very seriously at medical sites that use Google Analytics in direct violation of HIPAA. The situation here is very much like the situation with the government collecting detailed profiles on every citizen and knowing their location in real time: they're not supposed to be doing it, but the reality is they can and they do.

Snowden's leaks were another great example about how the law doesn't actually matter, if you can't see whether or not it's being enforced.

My point here is if you're counting on the system to protect you, you're going to be disappointed.

Recent example was that I was supposed to give up my ID because I lost my 2FA for a particular site and I refused because I didn't believe they would delete my ID. My friends said that I was paranoid.

https://www.404media.co/id-verification-service-for-tiktok-u...

30. salawat ◴[] No.44549938{7}[source]
>I don’t see my primary care doctor selling my health data, due in part to data privacy laws like HIPAA.

Oh, you sweet summer child. Bless your little heart. You're right. Doctors don't. Insurance companies do! And that data is passed around like hotcakes to make actuarial datasets which basically have the effect of ensuring premiums go up! Several states, in fact, have done everything they can lobbying-wise to make sure it remains okay to trade in your personal health data! Also, from personal experience at a PBM, it is at least an offering to get covered populational reports on spend done on behalf of your covered group, meaning employers are given a view of the overall health of their workforce and what that translates to in dollars out the door on their behalf. Information that, of course, would never be used to do strategic layoffs or cross correlation with time taken off to further optimize for cost reduction right?

(Note: if I've had this idea, and rejected it on moral/ethical/legal grounds, there are absolutely people who have had it and haven't done so).

31. OldfieldFund ◴[] No.44550006[source]
Those $99 fake driver's license sites are going to make a killing
32. Spooky23 ◴[] No.44550288{4}[source]
The theocracy types are making this terrible, but the technology has a lot of potential to enhance privacy.

For example, I was involved in a project several years ago on this where this was explored before the big vendors became players. The issue we were studying was abuse of credentials in-person - many bars will capture people’s identity information when validating IDs.

The ability to provide only the attribute securely is awesome, but of course the systematic abuse of this technology by the reactionaries among us will drive adoption.

33. dcow ◴[] No.44551334{6}[source]
The problem is using physical identity online sucks. Well intentioned and honest people want to fix that issue. I have flown entirely with a mobile drivers license without pulling out a physical ID for the last few years. It’s objectively better and it’s already here. It’s heaven. You can’t really be arguing that when some service needs your ID that uploading photos of it is better from any angle. There’s not a one.
34. dcow ◴[] No.44551386{8}[source]
I’m not following your argument, sorry. How are device owners being prohibited from anything? Which zillion vulnerabilities in the TPM are you referring to? Because that’s how seriously these standards take security. These are device bound TPM secured identity credentials where the wallet stack is audited and certified by security professionals before credentials are allowed to be stored. There’s no less secure option.
replies(2): >>44554742 #>>44564991 #
35. dcow ◴[] No.44551445{6}[source]
You’re missing the point entirely. I’m talking about age requirements to purchase alcohol and cigarettes and view porn. There is not a world where we decide to restrict purchase by age in meatspace but throw up our hands and say “whelp we just can’t have digital ID presentation that would ruin society I guess we should give up on digital age verification and just let kids do whatever”. Whether the restrictions are justified or not or stupid or not, we’ve decided they should exist (and there are much more “legitimate” use cases for ID verification that happen entirely online with no meatspace concerns like banking and underwriting etc. so it’s somewhat a straw man to get hung up on porn). We’re not going to not apply our laws to the new technology that emerges as time progresses…
replies(2): >>44556368 #>>44558231 #
36. mlyle ◴[] No.44554742{9}[source]
> How are device owners being prohibited from anything?

I think a lot of us are wary of a world where we have limited selections of software stacks that we can run and do essential things. At some point, we don't own the devices anymore.

I like that Apple is a benevolent overlord, for now.

But I like to be able to run software that I control and participate in the world, and that has alternated between being somewhat harder and prohibitively so. Lockdown of devices (chain of trust, mandatory signed binaries, limitations of device drivers, bootloaders that won’t unlock) makes it increasingly difficult to experiment, repair, or even trust the tools we rely on, and is viewed as a prerequisite for many of these solutions.

--

(I appreciate the alternatives are really hard, and that there are substantial potential downsides creating pressure towards these types of solutions, above and beyond the desires to lock down marketplaces and capture rents).

replies(1): >>44557451 #
37. conradev ◴[] No.44555824{8}[source]
Yeah, that totally makes sense!

It is revealing: I went to the same PCP for the first 18 years of my life and he was incredible as a doctor. He ran his own practice. He was also a great IT admin: he managed his own records, paid to digitize all of them including mine. If he betrayed that trust I’d be sad.

But I hear you. A product just needs to come along that provides some benefit, or the practice could be acquired, etc

38. jjk166 ◴[] No.44556368{7}[source]
> There is not a world where we decide to restrict purchase by age in meatspace but throw up our hands and say “whelp we just can’t have digital ID presentation that would ruin society I guess we should give up on digital age verification and just let kids do whatever”

We've been living in exactly that world for decades without issue.

It makes perfect sense for meat space to be treated differently from the internet. A downloaded picture of a cigarette can't be smoked. The only thing that can happen on the internet is the exchange of data, and an ID requirement for that is absurd.

> there are much more “legitimate” use cases for ID verification that happen entirely online with no meatspace concerns like banking and underwriting etc. so it’s somewhat a straw man to get hung up on porn

Amazing how those use cases have survived for these decades without such a law. If I don't need to send a copy of my ID every time I sign into my bank account, what possible argument could be made for the requirement I do so to watch porn?

> Whether the restrictions are justified or not or stupid or not, we’ve decided they should exist

No, we have not collectively decided they should exist. Plenty of laws exist which are unpopular either because of the goal or the execution. Even if a law has majority support, that doesn't mean the minority can't argue against keeping or expanding it. A restriction being unjustified or stupid is a very good argument for not doing additional unjustified or stupid things to enforce that law. It's rather silly that there is a federal law forbidding leaving the country with more than $25 in nickels but it's on the books. Ensuring this law is thoroughly enforced with universal mandatory cavity searches looking for rolls of nickels would be indefensible.

replies(1): >>44557417 #
39. dcow ◴[] No.44557417{8}[source]
Then change the law. I’d probably vote with you. That’s beside the point.

The hacked up solutions for the things existing “perfectly fine” over the last few decades are complete crap. Anybody who’s ever had to take photos of their ID then a confirmation selfie knows this. Anybody who’s had to apply for a loan or open a bank account online knows this. We have wonderfully secure cryptography and you’re arguing we should keep using plastic cards that you can’t even sha256sum.

40. dcow ◴[] No.44557451{10}[source]
I empathize with many of your concerns here and share your frustration. Man do I wish there was some sum that Apple would let me pay to own my iPhone. If anything we need more legislation that prevents the amount of exclusivity Apple has over their hardware.

I don’t see digital identity documents as a threat, though. It’s mostly orthogonal to software provenance, device ownership, secure boot, etc.

PS: we already live in a world where by and large all the software you use is only licensed to you individually. It’s crap. If digital identity makes this more plainly obvious then good. We need fuel to fight unethically and impractically licensed software.

replies(1): >>44564723 #
41. account42 ◴[] No.44558231{7}[source]
> There is not a world where we decide to restrict purchase by age in meatspace but throw up our hands and say “whelp we just can’t have digital ID presentation that would ruin society I guess we should give up on digital age verification and just let kids do whatever”.

Yes there is and we all grew up in that world.

replies(1): >>44562380 #
42. dcow ◴[] No.44562380{8}[source]
And after you take the rose tinted glasses off, it was full of spam and scams and abuse and all the other low reputation poor security crap that happens when anybody can be anybody all the time. And if that world was good/sustainable then nobody would be working to make digital identity possible, would they? We grew up in it, now it seems we’re working to iron out the kinks.

Not everything needs or should have strong ID. But no I don’t want my children stumbling into a porn site because they got click jacked by unscrupulous advertisements they never consented to being solicited with. I don’t want them learning about the world that way. A simple age check without revealing any personal info supported by the digital credential standards being discussed here would absolutely be an improvement.

Having my age checked at the time of purchase for alcohol rather than having to present my ID to the delivery person would also be an improvement.

43. mlyle ◴[] No.44564723{11}[source]
I get to choose what software to run, though. If it becomes difficult for me to prove identity in more of everyday life without such a remotely-owned device, I am hosed on privacy.

This is true even if the protocols themselves protect privacy well, use zero knowledge proofs, etc… if Google can vacuum it all up from the device representing me, all the privacy-centric design makes no difference.

44. AnthonyMouse ◴[] No.44564991{9}[source]
> How are device owners being prohibited from anything?

Biometric data isn't cryptographic in nature. Once you've recorded someone's fingerprint -- which any device using it for authentication would have to do and have the hardware to do -- you can then replay it to any service using the same data for authentication. You don't even have to lift them off of any of the objects people leave them on just by existing, which is also a way to get them. And once someone has them, you can't change it.

Which means the only way to use biometrics to gate this sort of thing is for everyone to be locked out of their own devices (or unable to use devices they're not locked out of), or they could use the device they control to play back the biometric data to whatever external service is nominally authenticating it.

> Which zillion vulnerabilities in the TPM are you referring to?

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=TPM

And those are only the ones specific to a TPM, not any of the ones that impact privileged code the TPM is attesting to the security of.

Notice also that this doesn't require every device to be vulnerable, it only requires any device to be vulnerable. Cheap devices are more likely to be vulnerable and then anyone who wants to bypass anything can get one of those.

This is one of the reasons these systems are so nefarious. You get an iPhone for unrelated reasons and it may not have any current known vulnerabilities, so you are locked out of your own device. Meanwhile some $50 Android or old netbook does have a vulnerability which any kid can get if they want to view age-gated sites, or people set up services to do it over the internet -- and then those services become attack vectors because kids start plugging their parents' IDs and fingerprints into shady bypass services.