←back to thread

Supreme Court's ruling practically wipes out free speech for sex writing online

(ellsberg.substack.com)
693 points macawfish | 1 comments | 12 Jul 25 18:14 UTC | HN request time: 0.001s | source
Show context
al_borland ◴[12 Jul 25 18:53 UTC] No.44544145[source]
All these ID check laws are out of hand. Parents are expecting the government, and random websites, to raise their kids. Why would anyone trust some random blog with their ID?

If these laws move forward (and I don’t think they should), there needs to be a way to authenticate as over 18 without sending picture of your ID off to random 3rd parties, or giving actual personal details. I don’t want to give this data, and websites shouldn’t want to shoulder the responsibility for it.

It seems like this could work much like Apple Pay, just without the payment. A prompt comes up, I use some biometric authentication on my phone, and it sends a signal to the browser that I’m 18+. Apple has been adding state IDs into the Wallet, this seems like it could fall right in line. The same thing could be used for buying alcohol at U-Scan checkout.

People should also be able to set their browser/computer to auto-send this for single-user devices, where it is all transparent to the user. I don’t have kids and no one else’s uses my devices. Why should I need to jump through hoops?

replies(36): >>44544207 #>>44544209 #>>44544223 #>>44544253 #>>44544375 #>>44544403 #>>44544619 #>>44544667 #>>44544797 #>>44544809 #>>44544821 #>>44544865 #>>44544875 #>>44544926 #>>44545322 #>>44545574 #>>44545686 #>>44545750 #>>44545798 #>>44545986 #>>44546467 #>>44546488 #>>44546759 #>>44546827 #>>44547088 #>>44547591 #>>44547777 #>>44547788 #>>44547799 #>>44547881 #>>44548019 #>>44548400 #>>44548482 #>>44548740 #>>44549467 #>>44560104 #
conradev ◴[12 Jul 25 19:57 UTC] No.44544667[source]
You mean like this?

https://webkit.org/blog/16993/news-from-wwdc25-web-technolog...

It’s a W3C spec led by Okta, Apple and Google based on an ISO standard and it is being rolled out as we speak.

This part

  other iOS applications that have registered themselves as an Identity Document Provider.
Has some fun history: California went with an independent contractor for its mDL implementation, which ultimately pressured Apple into integrating open(-ish) standards to interoperate.
replies(5): >>44545214 #>>44546545 #>>44547146 #>>44547326 #>>44548570 #
al_borland ◴[12 Jul 25 21:13 UTC] No.44545214[source]
This is interesting, but I’d like to go a step further. I watched the first quarter of the video on where they go over how it works. The site requests data from your ID and they get that data. The site chooses which data it needs and if it will store it or it or not. Sites these days have a tendency to ask for more than what they need, and to store it for profiling purposes. The user can deny the request, but then can’t use the site. They are then left with a dilemma. Give up this personal information or not have access at all? Companies are betting on users giving up privacy in exchange for access.

What I’d like to see is for the site’s request to contain their access rules. Must be over 18, must be in country X, etc. Then on-device it checks my ID against that rule set, and simply returns a pass/fail result from those checks. This way the site would know if I’m allowed to be there, but they don’t get any specific or identifiable information about me. Maybe I’m 18, maybe I’m 56… they don’t know, they both simply send a pass. For a simple age check, a user’s exact birthday, name, address, etc are irrelevant, but I bet companies will get greedy and try to pull it anyway.

I see the monkey paw of the ID spec as leading to more companies seeking to get all our data, when they really don’t need it, and have shown they can’t be trusted with it.

I already see this with Apple Pay. When buying a digital item, some companies are awesome and simply take the payment with no other data. Others pull name, address, email, etc to make a payment when none of that is required.

replies(3): >>44545418 #>>44548053 #>>44550006 #
rocqua ◴[13 Jul 25 06:46 UTC] No.44548053{3}[source]
Zero knowledge proofs are the solution.

The website sends the verification function to the user device. The user device then returns a proof that it knows an input that the verification function accepts.

The verification function should include a digital signature check.

This is generally possible already with SSI based credentials, including standards created by W3C.

replies(1): >>44548694 #
tanewishly ◴[13 Jul 25 08:57 UTC] No.44548694{4}[source]
Or attribute-based credentials. Basically, you're challenged and get a one-time, challenger-specific credential for exactly the requested attribute(s) from a credential provider. Eg. government (municipality, province, national) can become a credential provider.

Eg. Yivy: https://docs.yivi.app/technical-overview/

replies(1): >>44548859 #
1. ac50hz ◴[13 Jul 25 09:34 UTC] No.44548859{5}[source]
Exactly. Yivi isn’t new having been renamed from IRMA (https://privacybydesign.foundation/en/). Nevertheless, adoption outside the Netherlands remains almost non-existent.

Except for the additional download requirement for a user, the friction is pretty low once it’s setup and you have created some attributes.

The project would benefit from a rebranding review, standardization, an enterprise-capable infrastructure to promote and support alternative service providers, and a review of clients. The current Yivi mobile app hasn’t changed much over the years and when I last used it I still needed a PIN instead Face ID.