> I once suggested to a PM from the GOV.UK Verify team that if the UK wants to do age verification for porn, which it has threatened many times over the last decade, that Verify would be the perfect tech for it as content sites would only find out you're over 18, and auth providers would only know they're proving basic details about you.
To me, that's still *way too much*.
Just from that, the government now immediately knows what site you've been to (via the token that you've given to the service), and what said site has access to, as well as when you've accessed it. On a long enough timescale, the government can build a daily profile of your life, that when coupled with geo-location data, can be used to see what & where an activity's happening in real time.
> Just from that, the government now immediately knows what site you've been to
If I understand the idea correctly, this isn't how it works. Your user agent sends a signed request (with proof of identity) to the GOV.UK verification server, saying "please give me a signed certificate that provides no information other than my age". Because GOV.UK knows who you are, they can provide such a certificate. Your user agent hands this to the porn site, saying "you requested proof I was over 18, here's proof". Because the certificate was signed by an authority the porn site recognizes, they approve the certificate and let you in the site.
So the government doesn't know what site you visit, and the porn site doesn't know any of your personal information.
Heh, until the UK logging requirements ensure some component of the token that can be decoded later gets left in the server logs, then Oops, we know exactly who was on the porn server.
I'm not sure on the specifics, but the entire point of Verify as a technology was to ensure there was no government database about people. The UK has very distributed technology for government services, there is no one big database, and people have pushed back hard on this many times over the years so the government is pretty paranoid about doing it.
Each agency holds only the data they need for the time they need it. There are no national ID cards. And in the case of Verify, the verification was purposefully outsourced to private companies that already had this data due to their business (e.g. your bank, PayPal, Amazon who have a trustworthy address history, Experian, and so on).
There is no way to argue against this kind of speculation.
Commenter 1: System X is evil!
Commenter 2: Actually, here is how system X works: (Demonstrates it does not work how Commenter 1 thinks it works)
Commenter 3: Well that's fine, until they change X to be evil!
I mean, sure, when X becomes evil, then we can say X is evil. But not until then. If your argument is that all systems eventually become evil, that may be true, but it's a different discussion.
Me (1995): says something really stupid on the internet
Me (2020): shit hope on one finds that 1995 post and cancels my ass
With internet traffic and logging the default assumption should be: "All this data is logged and monitored for marketing purposes, and there is nearly a 100% chance it will be leaked by some hacker group", with the 2023 corollary of "And then used to train a LLM"
To me, that's still *way too much*.
Just from that, the government now immediately knows what site you've been to (via the token that you've given to the service), and what said site has access to, as well as when you've accessed it. On a long enough timescale, the government can build a daily profile of your life, that when coupled with geo-location data, can be used to see what & where an activity's happening in real time.