Supreme Court's ruling practically wipes out free speech for sex writing online

All these ID check laws are out of hand. Parents are expecting the government, and random websites, to raise their kids. Why would anyone trust some random blog with their ID?

If these laws move forward (and I don’t think they should), there needs to be a way to authenticate as over 18 without sending picture of your ID off to random 3rd parties, or giving actual personal details. I don’t want to give this data, and websites shouldn’t want to shoulder the responsibility for it.

It seems like this could work much like Apple Pay, just without the payment. A prompt comes up, I use some biometric authentication on my phone, and it sends a signal to the browser that I’m 18+. Apple has been adding state IDs into the Wallet, this seems like it could fall right in line. The same thing could be used for buying alcohol at U-Scan checkout.

People should also be able to set their browser/computer to auto-send this for single-user devices, where it is all transparent to the user. I don’t have kids and no one else’s uses my devices. Why should I need to jump through hoops?

You mean like this?

https://webkit.org/blog/16993/news-from-wwdc25-web-technolog...

It’s a W3C spec led by Okta, Apple and Google based on an ISO standard and it is being rolled out as we speak.

This part

  other iOS applications that have registered themselves as an Identity Document Provider.

Has some fun history: California went with an independent contractor for its mDL implementation, which ultimately pressured Apple into integrating open(-ish) standards to interoperate.

This is interesting, but I’d like to go a step further. I watched the first quarter of the video on where they go over how it works. The site requests data from your ID and they get that data. The site chooses which data it needs and if it will store it or it or not. Sites these days have a tendency to ask for more than what they need, and to store it for profiling purposes. The user can deny the request, but then can’t use the site. They are then left with a dilemma. Give up this personal information or not have access at all? Companies are betting on users giving up privacy in exchange for access.

What I’d like to see is for the site’s request to contain their access rules. Must be over 18, must be in country X, etc. Then on-device it checks my ID against that rule set, and simply returns a pass/fail result from those checks. This way the site would know if I’m allowed to be there, but they don’t get any specific or identifiable information about me. Maybe I’m 18, maybe I’m 56… they don’t know, they both simply send a pass. For a simple age check, a user’s exact birthday, name, address, etc are irrelevant, but I bet companies will get greedy and try to pull it anyway.

I see the monkey paw of the ID spec as leading to more companies seeking to get all our data, when they really don’t need it, and have shown they can’t be trusted with it.

I already see this with Apple Pay. When buying a digital item, some companies are awesome and simply take the payment with no other data. Others pull name, address, email, etc to make a payment when none of that is required.

The spec is being implemented by Apple, who is sensitive to privacy issues.

The intent of the ISO spec is to allow you to request fine-grained data, like birth year only, but if you read the W3C standard, they explicitly call out privacy as a complex thing that maybe should be regulated.

The spec spells out the complexity: some ID verification processes actually need a lot of info! But some, like an alcohol age check, do not. The spec can do both, but it’s hard to differentiate these technically. The spec does lay out what user agents should do to make it clear which information is going where.

A bad scenario would be designing an API that is too hobbled to replace the invasive “photo of an ID” companies, which this spec seeks to do.

I’d prefer an open web standard that can be abused (with user consent) to a closed App Store-only API or the status quo

> The intent of the ISO spec is to allow you to request fine-grained data, like birth year only, but if you read the W3C standard, they explicitly call out privacy as a complex thing that maybe should be regulated.

Aren't the regulations the problem here? If not for that nobody would be getting pressured to divulge this personal information to every shady app and website in the first place.

Suppose I want to make a service that verifies your age by asking you questions about what life was like before 9/11. Can I do that? And if I can't, is the problem the standards, or the law?

Yes, they are! but also because the law sets the standard, it can also provide a new one. For example:

a) you are still legally required to age verify online alcohol purchases but

b) it’s illegal to use information collected for that purpose for other purposes and

c) Which information is collected is made legible by the user agents

Maybe something around only collecting minimal data, too.

Some of the first eager customers are banks with onerous KYC requirements – they want one click account creation! Good luck changing financial disclosure laws, though, my bank knows quite a bit about me.

> but also because the law sets the standard, it can also provide a new one.

If the people writing the law cared about privacy they wouldn't have passed that one, and anybody who does would be repealing it rather than trying to find the best shade of lipstick for the pig.

> Which information is collected is made legible by the user agents

This is the part you don't need a law in order to do because the user can choose their user agent. Or if they can't, you should stop talking about any of this and go fix your antitrust problem.

> you are still legally required to age verify online alcohol purchases but

By conceding this you've already lost, because:

> it’s illegal to use information collected for that purpose for other purposes

This is the part which is hopeless. If they have the information, you're already screwed, because once they have it it's almost impossible for you or the government to know what they're doing with it, which makes those laws nearly impossible to enforce. And on top of that, a large part of the problem is what criminals or governments do once there is a legally-mandated database of all of that stuff, and those entities aren't constrained by laws.

Which is why anybody who really cares about this knows that the only solution is to not have the law requires that data to be collected.

> Good luck changing financial disclosure laws, though

"Slippery slope is a fallacy", they said. "It's just one inch", they said.

I figured I’d get this response, but:

I don’t see my primary care doctor selling my health data, due in part to data privacy laws like HIPAA. Consumer companies take COPPA seriously.

You absolutely cannot control what companies do with data, so you want to prevent its collection in the first place – but you can penalize them when they do something wrong, which does influence their beyavior. The jury is still out on the effectiveness of the GDPR, but to say it had no effect would be an odd claim.