
693 points macawfish | 6 comments
al_borland No.44544145
All these ID check laws are out of hand. Parents are expecting the government, and random websites, to raise their kids. Why would anyone trust some random blog with their ID?

If these laws move forward (and I don’t think they should), there needs to be a way to authenticate as over 18 without sending a picture of your ID off to random 3rd parties, or giving actual personal details. I don’t want to give this data, and websites shouldn’t want to shoulder the responsibility for it.

It seems like this could work much like Apple Pay, just without the payment. A prompt comes up, I use some biometric authentication on my phone, and it sends a signal to the browser that I’m 18+. Apple has been adding state IDs into the Wallet, this seems like it could fall right in line. The same thing could be used for buying alcohol at U-Scan checkout.

People should also be able to set their browser/computer to auto-send this for single-user devices, where it is all transparent to the user. I don’t have kids and no one else uses my devices. Why should I need to jump through hoops?

conradev No.44544667
You mean like this?

https://webkit.org/blog/16993/news-from-wwdc25-web-technolog...

It’s a W3C spec led by Okta, Apple and Google based on an ISO standard and it is being rolled out as we speak.

This part

  other iOS applications that have registered themselves as an Identity Document Provider.

has some fun history: California went with an independent contractor for its mDL implementation, which ultimately pressured Apple into integrating open(-ish) standards to interoperate.
al_borland No.44545214
This is interesting, but I’d like to go a step further. I watched the first quarter of the video where they go over how it works. The site requests data from your ID and they get that data. The site chooses which data it needs and if it will store it or not. Sites these days have a tendency to ask for more than what they need, and to store it for profiling purposes. The user can deny the request, but then can’t use the site. They are then left with a dilemma. Give up this personal information or not have access at all? Companies are betting on users giving up privacy in exchange for access.

What I’d like to see is for the site’s request to contain their access rules. Must be over 18, must be in country X, etc. Then on-device it checks my ID against that rule set, and simply returns a pass/fail result from those checks. This way the site would know if I’m allowed to be there, but they don’t get any specific or identifiable information about me. Maybe I’m 18, maybe I’m 56… they don’t know, they both simply send a pass. For a simple age check, a user’s exact birthday, name, address, etc. are irrelevant, but I bet companies will get greedy and try to pull it anyway.

I see the monkey’s paw of the ID spec as leading to more companies seeking to get all our data, when they really don’t need it, and have shown they can’t be trusted with it.

I already see this with Apple Pay. When buying a digital item, some companies are awesome and simply take the payment with no other data. Others pull name, address, email, etc to make a payment when none of that is required.

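The pass/fail flow proposed in this comment, as an added example that is not part of the thread or of any wallet implementation: the site sends its rules and a nonce, the device evaluates them against a constructed credential and returns only the verdict, and a field-request function models the attribute flow described in the parent comment so the two responses can be compared. The credential, requests, reference date and the HMAC standing in for a device-bound signature are all constructed placeholders.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed credential as it would sit in the wallet; in the rules-only flow it never leaves the device.
CREDENTIAL = {
    "given_name": "Alex",
    "family_name": "Example",
    "birth_date": "2006-03-15",
    "issuing_country": "US",
}
# Constructed requests: the rules-only request proposed above, and a field request for comparison.
RULES_REQUEST = {"nonce": "c0ffee", "rules": {"min_age": 18, "allowed_countries": ["US", "CA"]}}
FIELDS_REQUEST = {"fields": ["given_name", "birth_date"]}
TODAY = date(2025, 7, 12)  # constructed reference date for the checks

def age_on(birth_date: str, today: date) -> int:
    """Whole years completed by `today`; a birthday later this year does not count yet."""
    b = date.fromisoformat(birth_date)
    return today.year - b.year - ((today.month, today.day) < (b.month, b.day))

def evaluate_rules(credential: dict, rules: dict, today: date) -> bool:
    """On-device check of the site's rules; every rule present must hold."""
    ok = True
    if "min_age" in rules:
        ok = ok and age_on(credential["birth_date"], today) >= rules["min_age"]
    if "allowed_countries" in rules:
        ok = ok and credential["issuing_country"] in rules["allowed_countries"]
    return ok

def predicate_response(credential: dict, request: dict, today: date, device_key: bytes = b"placeholder-device-key") -> dict:
    """Rules-only flow: the site gets the verdict, its own nonce (anti-replay), and a tag over both.
    The HMAC is a placeholder for a signature under a device-bound key."""
    body = {"pass": evaluate_rules(credential, request["rules"], today), "nonce": request["nonce"]}
    msg = json.dumps(body, sort_keys=True).encode()
    body["tag"] = hmac.new(device_key, msg, hashlib.sha256).hexdigest()
    return body

def attribute_response(credential: dict, request: dict) -> dict:
    """Field-request flow: the site receives the raw values it asked for."""
    return {f: credential[f] for f in request["fields"] if f in credential}

def leaked_fields(response: dict, credential: dict) -> list:
    """Credential fields whose values appear verbatim in what the site received."""
    return sorted(k for k, v in credential.items() if v in response.values())
```

Running `leaked_fields` over both responses shows the difference: the rules-only response carries no credential value at all, while the field request hands over exactly the fields it named.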
conradev No.44545418
The spec is being implemented by Apple, who is sensitive to privacy issues.

The intent of the ISO spec is to allow you to request fine-grained data, like birth year only, but if you read the W3C standard, they explicitly call out privacy as a complex thing that maybe should be regulated.

The spec spells out the complexity: some ID verification processes actually need a lot of info! But some, like an alcohol age check, do not. The spec can do both, but it’s hard to differentiate these technically. The spec does lay out what user agents should do to make it clear which information is going where.

A bad scenario would be designing an API that is too hobbled to replace the invasive “photo of an ID” companies, which this spec seeks to do.

I’d prefer an open web standard that can be abused (with user consent) to a closed App Store-only API or the status quo.

AnthonyMouse No.44546122
> The intent of the ISO spec is to allow you to request fine-grained data, like birth year only, but if you read the W3C standard, they explicitly call out privacy as a complex thing that maybe should be regulated.

Aren't the regulations the problem here? If not for that nobody would be getting pressured to divulge this personal information to every shady app and website in the first place.

Suppose I want to make a service that verifies your age by asking you questions about what life was like before 9/11. Can I do that? And if I can't, is the problem the standards, or the law?

mlyle No.44546267
I think most age verification ranges from silly to chilling to speech. But I don’t think we can somehow punt these problems to the quiz from the beginning of Leisure Suit Larry (which never stopped 10-year-old me).
AnthonyMouse No.44546584
Requiring someone to have a government ID isn't anywhere near 100% effective because people will just borrow one from dad's wallet while he's not looking, or use a device already signed in as someone else, or the high school freshmen will get one from the high school seniors, etc.

If we're admitting solutions that aren't 100% effective, why can't we admit solutions that aren't 100% effective but are much better at preserving privacy?

dcow No.44548100
Well this time around the phone will ask the person presenting an ID for biometrics before allowing them to use Dad’s ID. We are improving. There is no perfect solution; we don’t live in a perfect world. Surely we shouldn’t give up and regulate nothing…
1. AnthonyMouse No.44548864
> Well this time around the phone will ask the person presenting an ID for biometrics before allowing them to use Dad’s ID. We are improving.

How is this improving? It's the most invasive proposal yet, serves to prohibit devices that are controlled by their owners and still doesn't actually work because a) there are still a zillion devices with security vulnerabilities and b) none of this applies to websites hosted in other jurisdictions, so you're not actually limiting the access of minors to anything, you're only inconveniencing anyone who does have servers in the US or interacts with any that are. Which is an extremely large number of people to trouble for a benefit that rounds to zero.

> Surely we shouldn’t give up and regulate nothing...

When we're in the category of speech, let's go with this option all the way to the wall.

2. dcow No.44551386
I’m not following your argument, sorry. How are device owners being prohibited from anything? Which zillion vulnerabilities in the TPM are you referring to? Because that’s how seriously these standards take security. These are device-bound, TPM-secured identity credentials where the wallet stack is audited and certified by security professionals before credentials are allowed to be stored. There’s no less secure option.
3. mlyle No.44554742
> How are device owners being prohibited from anything?

I think a lot of us are wary of a world where we have limited selections of software stacks that we can run and do essential things. At some point, we don't own the devices anymore.

I like that Apple is a benevolent overlord, for now.

But I like to be able to run software that I control and participate in the world, and that has alternated between being somewhat harder and prohibitively so. Lockdown of devices (chain of trust, mandatory signed binaries, limitations of device drivers, bootloaders that won’t unlock) makes it increasingly difficult to experiment, repair, or even trust the tools we rely on, and is viewed as a prerequisite for many of these solutions.

--

(I appreciate the alternatives are really hard, and that there are substantial potential downsides creating pressure towards these types of solutions, above and beyond the desires to lock down marketplaces and capture rents).

4. dcow No.44557451
I empathize with many of your concerns here and share your frustration. Man do I wish there was some sum that Apple would let me pay to own my iPhone. If anything we need more legislation that prevents the amount of exclusivity Apple has over their hardware.

I don’t see digital identity documents as a threat, though. It’s mostly orthogonal to software provenance, device ownership, secure boot, etc.

PS: we already live in a world where by and large all the software you use is only licensed to you individually. It’s crap. If digital identity makes this more plainly obvious then good. We need fuel to fight unethically and impractically licensed software.

5. mlyle No.44564723
I get to choose what software to run, though. If it becomes difficult for me to prove identity in more of everyday life without such a remotely-owned device, I am hosed on privacy.

This is true even if the protocols themselves protect privacy well, use zero knowledge proofs, etc… if Google can vacuum it all up from the device representing me, all the privacy-centric design makes no difference.

6. AnthonyMouse No.44564991
> How are device owners being prohibited from anything?

Biometric data isn't cryptographic in nature. Once you've recorded someone's fingerprint -- which any device using it for authentication would have to do and have the hardware to do -- you can then replay it to any service using the same data for authentication. You don't even have to lift them off of any of the objects people leave them on just by existing, which is also a way to get them. And once someone has them, you can't change it.

Which means the only way to use biometrics to gate this sort of thing is for everyone to be locked out of their own devices (or unable to use devices they're not locked out of), or they could use the device they control to play back the biometric data to whatever external service is nominally authenticating it.

> Which zillion vulnerabilities in the TPM are you referring to?

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=TPM

And those are only the ones specific to a TPM, not any of the ones that impact privileged code the TPM is attesting to the security of.

Notice also that this doesn't require every device to be vulnerable, it only requires any device to be vulnerable. Cheap devices are more likely to be vulnerable and then anyone who wants to bypass anything can get one of those.

This is one of the reasons these systems are so nefarious. You get an iPhone for unrelated reasons and it may not have any current known vulnerabilities, so you are locked out of your own device. Meanwhile some $50 Android or old netbook does have a vulnerability which any kid can get if they want to view age-gated sites, or people set up services to do it over the internet -- and then those services become attack vectors because kids start plugging their parents' IDs and fingerprints into shady bypass services.