Oh look: #discord outsourced their age verification to some vendor.
-
Oh look: #discord outsourced their age verification to some vendor. You know, the #ageverification that countries like the UK want to make mandatory for basically every online service. And the vendor had a data breach exposing photos of government IDs for 70,000 people.
Do you feel safer? How many children did we protect by exposing the IDs of these 70,000 (presumably) adults? Thanks for taking one for the team, you 70,000 canaries in the #privacy coal mine.
-
@paco@infosec.exchange I don’t understand why operating system developers aren’t required to implement age verification. Apple, Microsoft, and Google could coordinate a standard that passes age group data to websites without revealing identities. It makes no sense for every app or site to handle this alone. Linux and Firefox users could use Google’s web service linked to their accounts. Problem solved. Everyone wins. Only these companies have the security scale to manage threats in real time.
-
@paco It’s never about children or safety, it’s about control (so they don’t give a sh.t about breaches).
-
@paco Isn't it the platform @GrapheneOS goes to with their support channel? Great! Lest FOSS/DeGoogle communities go more into another data mess company!
-
@paco This is why I don't use Big Tech and why I can't trust anything that relies on third-party stuff.
And why do they keep the ID photos?! If this must be done right, it must be upload > verify > delete. Not upload > verify > keep. Idiots!!
-
@paco@infosec.exchange The post states it was a customer support vendor, not K-ID, that had the breach.
This incident relates to stuff from before the OSA, and was more influenced by Apple's age verification policies from way before the OSA.
I don't like the OSA, but I also don't like people spreading misinformation, intentionally or unintentionally.
-
@paco@infosec.exchange
Arguably, the likelihood of data-exposure is the whole point of gating things that could be embarrassing.
-
@elaine The question, though, is whether age verification does enough good (any good?) to justify the risk. The negatives are largely borne by individuals. If the entity (government agency, OS maker, mobile phone company) royally botches it, they face minimal consequences. Individuals face consequences that range from trivial (a little spam) to very damaging identity theft.
Lots of people have spent lots of time and energy studying this stuff. The advocates of age verification don’t usually have a lot of research that supports it being effective at reducing the harms that people intuitively think it reduces. It creates a lot of risk for a lot of non-children under the premise that it somehow protects children.
If we make it too onerous, businesses opt to discontinue services. E.g., they just don’t do things that require age verification. If we make it too lax, companies get cavalier about it and the end users suffer. It’s super hard to find the Goldilocks level of “just right” security.
-
@paco@infosec.exchange I agree we have to take things with a very careful approach. I don't think leaving content on the internet that could cause developmental harm and past generational trauma is a good idea to expose minors to. If age verification is just too risky, then our next option is to censor the content. Removing the ease of access to harmful content such as pornography is an alternative we could consider. We could pass strict liability laws that can't be bypassed and include personal criminal liability to board members if data is breached. The status quo of clicking a "yes, I'm 18" would be like a gas station selling alcohol to teens and asking "y'all are 21, right?" wink-wink! Something has to change, and that's either safely verifying age over the internet or, if that's not possible, removing it from the internet. I will close with the fact that to open a bank account online you have to provide your driver's license ID number and your social security number. If banks can do it securely, so can the rest of the world.