EU Age Control: The trojan horse for digital IDs (juraj.bednar.io)
The EU already has some form of digital ID; in fact, every government provides some kind of OIDC-like service tied to either smart cards or accounts that authenticate the user against a government. The digital wallet solution is an extension to that system that will allow foreign EU citizens to authenticate themselves more easily (eIDAS 2 already implemented an OIDC-like solution but implementation isn't automatic) as well as offer to store the (often mandatory to carry) ID on your phone.
The "what if you buy alcohol for your kids" scenario of someone giving someone else their age verification tokens is tired and nonsensical. You can already do that in the real world. We accept that risk and, depending on the country, make it a crime in case they do catch you. It hasn't made liquor stores send someone along to see you drink your booze or watch you enjoy your porn mag.
Imagine if suddenly every grocery, pharmacy, petrol station, parking place, restaurant, bar etc. now would ask you for your ID AND would snap a picture and store it in their database - you wouldn't be happy about it.
But you do have a point about "storing the picture". I think that's why it's very important for whatever solution is chosen to be something that proves you're old enough without saying who you are.
At least in my country, the ID app lets you generate 3 levels of QR:
Level 1: Just age (also shows a photo on the screen). This is what you would typically use to go in a club or buy alcohol.
Level 2: Adds Full name, birth date, validity date.
Level 3: All the data you can see on the physical ID card.
Oh, wait...
Is there a roadmap and/or a timeframe for that? I have a Slovak ID same as the author, when will it be useful for accessing internet services?
The legal framework behind all this was released all the way back in 2014 and has been officially adopted ten years later.
Officially, by December 2026, each member state must have at least one official wallet solution available for its citizens.
That said, eIDAS 2.0 also mandated that, as of this year, whatever Slovak digital identity solution has been rolled out so far must also work in other member states. In my experience, different governments adopt different foreign identity services at different paces, most of them seemingly missing the deadline.
Banks and other private institutions permitted to ask for ID are supposed to accept the wallet solutions by late 2027.
I expect deadlines to be missed given we've barely gotten the age verification PoC done, but with the groundwork laid out, things might just work out.
This argument stays on the sand of inadequate analogy. The way that flaw is described in the story it allows industrialization of bypassing the feature. It's a huge difference with the "real world".
All I would say is that the solution doesn't need to be 100% effective. The same as real world "age gates" or ID verification (which is just some random person looking at your ID in most cases) are not.
The precedent set -- that everything online should NOT be immediately accessible to children -- provides parents (the ones that care at least) with some backup when trying to raise their children. Ultimately society as a whole is responsible for children, and I don't want to live in a society that thinks it is fine for kids to scroll any content on social media and watch porn as soon as they are able to work out how to use a smartphone.
The replay attack mentioned may always be a loophole, I'm not sure. But any site hosting the replay attacks should be targeted for shutdown/blocking. The "source" ID must come from somewhere as well, so that could be a route to shutting them down (there are 100s of age verification requests against one ID each day, that's a bit weird...).
If parents are helping their kids bypass age gates or straight up don't care their 11 year old is watching porn, then there is not much to be done in that case. The key thing should be keeping the majority of children in compliance to give cover to the parents that do care. Not giving all the power to bad parents and social media companies as is the situation at the moment.
What value is there to industrializing any of this? Kids who will pay someone for their age tokens to watch porn or create social media would probably be smart enough to download a free VPN instead.
Even in the very worst case scenario for the designers of this system, where large amounts of people manage to extract their tokens and hand them out for free, the downsides everyone fears won't apply anymore. I think a lot of people might be happy about that.
This discussion was already led ad nauseam with the Swiss eID proposal (which is supposed to be EUID compatible) and the reason why the system relies on rotating signatures instead of ZKPs is that the cryptography hardware modules in most phones don't support algorithms such as BBS+. This creates a tradeoff where the states would have to essentially roll their own crypto storage and bank on this being safer than simply rotating through batches of signatures generated by the hardware cryptography modules (which is largely unproblematic in the grand scheme of things). The major advantage of using the hardware module is that it makes it much harder for attackers to extract the actual secret should the device ever fall into someone else's hands, something that happens to phones from time to time.
Overall, as with every digital ID thread, it would help if some of the fearmongering commentators would read the actual EUDI specs for once in their lives as it already addresses most of the concerns copy-pasted into these threads https://eudi.dev/1.6.0/architecture-and-reference-framework-....
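The rotating-batch tradeoff described in the comment above, as an added sketch that is not part of the thread and not EUDI code: it compares what two verifiers can correlate when a wallet reuses one signed attestation versus rotating through a batch of single-use ones. HMAC-SHA256 stands in for the issuer's signature, and `issue_batch`, `Wallet`, `Verifier` and `simulate` are hypothetical names.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: HMAC-SHA256 stands in for the issuer's signature so the sketch
# runs on the standard library; a real issuer signs with an asymmetric key.
ISSUER_KEY = secrets.token_bytes(32)


def _sign(payload):
    return hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_batch(holder, claims, n, issuance_log):
    """Issuer side: sign n single-use attestations for one holder."""
    batch = []
    for _ in range(n):
        # A fresh salt makes every attestation (and signature) unique.
        payload = json.dumps(dict(claims, salt=secrets.token_hex(16)), sort_keys=True)
        sig = _sign(payload)
        batch.append({"payload": payload, "sig": sig})
        issuance_log[sig] = holder  # the issuer knows what it signed for whom
    return batch


class Wallet:
    def __init__(self, batch, rotate=True):
        self._batch = list(batch)
        self._rotate = rotate

    def present(self):
        if not self._batch:
            # Failure mode: silently reusing an old attestation here would
            # bring linkability back, so the wallet must fetch a new batch.
            raise RuntimeError("batch exhausted: request a new batch")
        return self._batch.pop() if self._rotate else self._batch[0]


class Verifier:
    def __init__(self, name):
        self.name = name
        self.seen = []  # signatures this verifier has logged

    def accept(self, attestation):
        if not hmac.compare_digest(_sign(attestation["payload"]), attestation["sig"]):
            return False
        if json.loads(attestation["payload"]).get("over_18") is not True:
            return False
        self.seen.append(attestation["sig"])
        return True


def simulate(rotate):
    """One holder visits two verifiers twice each (constructed scenario).

    Returns (signatures both verifiers saw, distinct signatures the first
    verifier saw, holders the issuer could name from the first verifier's log).
    """
    issuance_log = {}
    wallet = Wallet(issue_batch("alice", {"over_18": True}, 4, issuance_log), rotate)
    shop, forum = Verifier("shop"), Verifier("forum")
    for verifier in (shop, forum, shop, forum):
        if not verifier.accept(wallet.present()):
            raise ValueError("valid attestation was rejected")
    linked = set(shop.seen) & set(forum.seen)
    attributed = {issuance_log[sig] for sig in shop.seen}
    return len(linked), len(set(shop.seen)), attributed


if __name__ == "__main__":
    print("rotating batch:", simulate(rotate=True))
    print("single reused attestation:", simulate(rotate=False))
```

Rotation removes the value that verifiers could compare among themselves, but the last element of the result shows that the issuer's own log still maps every signature to its holder.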
Our focus therefore should be controlling what governments can do with them - for example disallowing blocking/removing someone’s id, just as we should disallow removing citizenship.
Even more reason to make the "demo" app do things correctly because it's very unlikely that all member states actually implement things correctly.
> The internet is scary, parents think they can’t protect their children from many bad things happening, and someone came to provide a “solution."
A simple solution is just not providing your kids with a phone or computer.
Don't forget that many sources of porn will not obey this. Think the pirate bay will ask for age verification? If they obeyed the law they wouldn't even exist.
It's a solution for nothing, as the article points out too.
The idea that we want a single database or a network without any kind of control is frightening me
That’s not a solution. Nowadays many schools require access to a computer.
Also, remote attestation doesn't work that way and for good reason. Under a true ZKP system, a single defector (extracted/leaked/etc key) would be able to generate an infinite number of false attestations without detection.
This article is about EU age verification which is specifically and definitely stated as using zero knowledge proof in all technical docs that I've seen:
https://eudi.dev/2.5.0/discussion-topics/g-zero-knowledge-pr...
It certifies devices running on Oreo (because the vendor didn't provide updates), meaning there are almost infinite vulnerabilities that will allow the keys to be leaked.
It's not for digital IDs. It's for surveillance.
Digital IDs are fine (and desired even) if you are only requiring it for GOVERNMENT (same entity that released them) communication. Push for age control is a scheme to make that info available for private companies and that's the trojan horse here.
That info being: {"over_18": true} or maybe {"over_16": true, "over_18": false} with a government signature.
Might be a problem if you've got a Vatican ID, I suppose? Though they don't participate in this system of course.
- If you rely on Big Tech for your identity and data you lose all privacy but can expect some security.
- If you go with your government you still lose your privacy but also all security.
I saw on HN just in the last month that the EU and France got hacked and very sensitive data is now on the Internet.
"EU Age Control" is not a Trojan Horse. The software (app) does what it purports to do. No one _wants_ to use it
The "Trojan Horse" is the corporate mobile OS. It's a "free gift". People such as the author happily accept it. These people _want_ to use the corporate mobile OS for what they believe it is, which is something other than software to defeat privacy for the benefit of Google, Apple and their advertiser business partners and customers
People don't think of the software as performing that function. Meanwhile it is the core "business model" of its distributor. The corporate mobile OS is a Trojan Horse
This is why the "age verification" app only works when using the corporate mobile OS. The author states:
"The apps will not work unless you have a Google or Apple approved device. Forget Linux, GrapheneOS, Huawei, after-market firmwares. It's part of the security model."
The bogus justification for requesting ID is not "age verification" it is "security". That's the nonsense reason why the computer owner cannot use an OS he/she compiles himself/herself and why people happily accept the Trojan Horse. The corporate mobile OS is an instrument of data collection, surveillance and online advertising but that's not how the author sees it. He does not see what's inside, he sees a beautiful "free gift"
The question is whether citizens can build enough pressure for such verification systems to be state-based and truly zero-knowledge (akin to the EU's) versus having the private sector 'verify' each user to siphon data, profit off it (Thiel's Persona) and fortify surveillance-capitalism and autocratic administrations.
I'd be happy to have a government service replace all that nonsense, where a one-time challenge code could verify my ID. There is now a UK.gov "One Login" authentication used by other government services that is essentially a digital ID as far as I can see. It just needs to be made mandatory for ID checks by law.
Such a service can also be used for age verification with the correct privacy controls in place, far better than all the dodgy age verification services that exist now.
Digital ID and age verification are going to be a part of the internet going forward. I'd rather have a government service that (in a functioning democracy) has accountability to the citizens that use it. ID verification is also a natural monopoly, so the government picks a winner anyway.
The fantastic irony is that in some weak attempt to protect against the "evil big tech companies" they directly facilitate increased mass surveillance and removal of individual rights, instead of choosing more scalable and robust answers such as funding and promoting the development of protocols and open standards that can be applied voluntarily and in a decentralized manner to help mitigate these problems.
I have computers side by side on my desktop running Linux, and it is amazing to me how I can call `wormhole send --message hello` and receive it on the machine next to me, knowing that only I can receive this message, without it running through an age approval mechanism, without it being client-side scanned, and without being logged in some government database.
This is the century of AI and robotics - technologies which can facilitate great concentration of power and wealth. Gradually introducing mechanisms that facilitate digital fascism seems like a really bad way to guard us against this.
https://www.nrk.no/norge/datatilsynet-bekymret-for-personver...
Anyone else here planning on blocking sites that require age / ID verification? Are there any publicly available domain deny-lists that could be added to uBlock yet?
Not much more freedom, but the control is outside voters reach.
Just ask Nicolas Guillou
Besides, if someone wants a digital ID, it already exists in many countries. Phones with NFC chips can read many passports, e.g. Germany has an "electronic passport" since 2005. It's barely used, though, because it's bullshit.
As mentioned digital ids are a thing and this is where everything is moving. The author mentions that it would be great to use it but does not believe it is possible and then says age checks will lead to it and it is bad. There are reasons why digital ids will be forced and one of the big ones is because bigtech companies do not want to invest into looking after the content, e.g. misinformation, bullying, etc. Not to mention the inability of companies to control the age of users, and everyone knows this is not in the interest of advertisers.
Criticism is good but it also has to offer some options. Saying everything is bad bad does not help. All in all I have kids and it is very difficult to filter all of their internet traffic and I am not your average parent. Kids are reading crap and get brainwashed everyday, and the idea that you should just let them is ridiculous. Cyber bullying is a thing and I wonder what would you do when your kids get to be on the receiving side.
IMO this is trying to blame politicians who represent their electorate who wants this without acknowledging that the issue is in huge ad funded companies whose interest is to gather all that private data without any supervision or filtering. BTW Data is constantly being leaked from large companies as well, not only gov entities.
In relation to guesstimates the author jumps to possible conclusions without sufficient proof.
What would the author suggest to fix the main issues though?
This shows that the EU commission is systematically lying.
This problem used to exist in the past with Leyen - she is ultimately a lobbyist and that has to stop. Friedrich Merz too by the way - there is a reason why recent polls indicate that the German voters want him out of politics at once.
The EU needs to reform. Right now lobbyists have too much abuse-power. The age sniffing is a great example here - isn't it suspicious how this goes in sync right now in so many countries? Who is paying for this? Nobody needs that, except for some companies.
> Big platforms must verify age for certain content.
But why is their concern, suddenly my concern? I see no need to be in support of any law that would require people to ID in order to access information on the world wide web. That's very obviously the real goal and agenda - everyone with a bit of brains sees this.
> It is the same EU that hates these American corporations and wants EU alternatives for everything
That's not true. The EU commission I consider a lobbyist group, for instance. They lie and lie and lie.
The EU parliament is not much better - you can buy legislation quite easily: https://en.wikipedia.org/wiki/Qatar_corruption_scandal_at_th...
Nothing will seriously change. The current way how the EU is structured is totally wrong; and it will not be fixed because those in the system, benefit from it financially. See the recent attempt to force EU taxpayers to pay more for those goons. They constantly try to inflate their own budget, at our cost.
> yet no one can make a phone usable for age verification without the blessing of Google
Indeed. We have total incompetence at the leadership level. It should be replaced with technical prowess, but as long as lobbyists such as Leyen are running the show, nothing will change. See the corruption scandals when she was still in Germany. Interestingly the AfD is also full of that, yet voters don't see it - Weidel was working for many years for Goldman sucks. So a next generation of lobbyists will replace the older generation soon. That's why this system how it is, is unfixable. It is broken by design.
We'll need to apply for digital IDs for bots and AI agents?
Is it the following:
Issuer revokes the wallet of Alice and then publicly says “This ID is Alice btw” and then verifiers can check their lists to see whether any of their received signatures are revoked (in which case they must be Alice)
Yeah
I'm getting really really tired of the "crying wolf" crowd
Many Americans don't even have ID (and plenty of those are reluctant to the general concept of any kind of government ID), let alone any kind of digital ID. However, their governments are pushing frankly weird and absurd ID verification laws to businesses online. Meta seems to be bankrolling lobbying around these laws, so whatever their game is, it's probably very bad for normal people.
If you're coming from a place where the government tells companies they need to set up a system or hire private companies to verify users' ages without providing any kind of official mechanism themselves, leading to ridiculous hacks from cheap and incompetent "age verification" companies, I can understand why the European system seems absurd.
If the US is going to adopt their weird age verification laws, the least they could do is fork the European system already laid out for them. Put a little American flag on it, call it "America First Christian Age Truthness" or whatever the people in charge like, but at least keep the basic privacy properties intact.
It's bad somehow?
However, lots of countries do allow removing citizenship. In the UK it is a political decision too. Lots of countries allow locking people out of other things (e.g. freezing bank accounts). I therefore doubt we can effectively prevent this.
I do not see the problem with physical tokens. They are simple, do not create a single point of failure (if I lose my phone I still have my cards and cash), robust to network and systems failures. What is the drawback? Having to carry a few cards?
I think we should focus on laws against things like that which lead to tyranny rather than attempting to stop progress.
Cash in particular is expensive to produce/process and no longer honours the promise printed on it, it will be phased out as the transactions with it approach 0%.
Cards are really no different than a token in a phone and don’t work for long either in the absence of a network (both will work offline but do need to be reconciled). I haven’t habitually carried a card in about a decade, I think for similar reasons to cash they will die off by general consensus.
The ideal state is having both physical and digital ID. But that will lead to a slow erosion of the willingness to carry physical ID, even if it stays available (which I believe it will for many decades. Even if national ID cards and drivers licenses were to go digital only, passports won't)
So yeah, I'd expect those to move to a phone as an alternative to the card
However I suspect biometric methods of id verification will render carrying anything redundant long term.
The databases for digital id already exist, they’re just not fully utilised yet and these databases will always be centralised.
If I lose my passport I am obliged to call the police so that they revoke it, if I lose my phone with my digital ID on it they also need to be able to revoke that ID.
I don’t think governments should be allowed to do that. They do it with passports and I think it’s deeply wrong but also it would be far more damaging and immediate with a digital id (which will inevitably be used for a lot of services) - similar to being refused a bank account.
> Physical tokens like bank cards and driving licenses are neither necessary nor a good solution in a networked world.
I see absolutely nothing wrong with physical tokens. You could reason that this or that has more or fewer advantages but to insinuate that digital is always better, all of the time, is simply wrong.
In some places you cannot. I was in London post-COVID and there were a bunch of tourist things, like a riverboat on the Thames, where you could only pay with a card. Went to a craft cider bar out in the countryside and again, they didn’t accept cash. Personally, I think businesses should be forced to accept all legal tender, which means cash stays as a first class payment method, but that’s not how it is in many places.
On the other hand, in Austria there are many places that are cash only, especially small restaurants in the countryside or community sporting events with coffee bars.
The government should always be assumed to be evil, and work towards complete and ultimate power. It is a cancer that spreads.
Therefore decentralization, and a private libertarian society, is the only ethical and long term sustainable society possible. Every other society, eventually collapses into authoritarianism and the burning of the jews.
In web of trust, anyone could publicly certify who they know is a real person (i.e. validate a link from their id to another id). Then, if you received a message from someone, the system would find the path in the graph of real people you trust, to determine the trustworthiness of the source. So if the account is a bot, there would be no path from it to you in the trust graph.
The advantage is that everyone could supply their own subjective trustworthiness score, altering the graph. They could even publish it, so that other people could use trustworthiness assessment of accounts they personally trust.
The big issue with a system of web of trust is that it is too efficient, and just kills commercial advertising (and also propaganda). Because that is all about overcoming the natural web of trust that humans have.
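The path lookup this comment describes, as an added sketch that is not part of the thread: certifications form a directed graph, and an account is only as trusted as the strongest chain of certifications leading from the viewer to it. It goes a little beyond the comment by scoring a chain as the product of per-certification confidences; the graph, account names, threshold and function names are constructed for illustration.

```python
import heapq

# Constructed sample: certifier -> {certified account: confidence in (0, 1]}.
CERTS = {
    "me": {"ana": 0.9, "ben": 0.8},
    "ana": {"cy": 0.9},
    "ben": {"cy": 0.5, "dee": 0.7},
    "dee": {"bot1": 0.6},                 # one careless certification
    "bot1": {"bot2": 1.0, "bot3": 1.0},   # bots vouch for each other freely
    "bot2": {"bot1": 1.0, "bot3": 1.0},
    "sock1": {"sock2": 1.0},              # ring nobody real has certified
    "sock2": {"sock1": 1.0},
}


def trust_path(certs, viewer, target, overrides=None):
    """Strongest certification chain from viewer to target.

    Returns (score, path), or (0.0, []) when no chain exists. `overrides`
    holds the viewer's own subjective scores per account; an override caps
    the trust that can flow into that account, and 0.0 cuts it out.
    """
    overrides = overrides or {}
    best = {viewer: 1.0}
    heap = [(-1.0, viewer, [viewer])]
    while heap:
        neg_score, node, path = heapq.heappop(heap)
        score = -neg_score
        if node == target:
            return score, path
        if score < best.get(node, 0.0):
            continue  # stale entry, a stronger chain to this node was found
        for nxt, confidence in certs.get(node, {}).items():
            candidate = score * min(confidence, overrides.get(nxt, 1.0))
            # Scores only shrink along a chain, so a best-first search
            # (Dijkstra on products) finds the strongest chain.
            if candidate > best.get(nxt, 0.0):
                best[nxt] = candidate
                heapq.heappush(heap, (-candidate, nxt, path + [nxt]))
    return 0.0, []


def visible_accounts(certs, viewer, candidates, overrides=None, threshold=0.3):
    """Accounts whose strongest chain from the viewer meets the threshold."""
    return [
        account
        for account in candidates
        if trust_path(certs, viewer, account, overrides)[0] >= threshold
    ]


if __name__ == "__main__":
    for account in ("cy", "sock2", "bot3"):
        print(account, trust_path(CERTS, "me", account))
    # The viewer publishes a zero score for the careless certifier's contact.
    print(visible_accounts(CERTS, "me", ["cy", "bot3", "sock2"], {"bot1": 0.0}))
```

The isolated ring scores zero however many accounts it contains, while a single careless certification gives a whole bot cluster a path until someone on that path is scored down.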
This is propaganda, none of those supposed networks exists or were successful in anything and when the media do show some supposed accounts they don't have a lot of views. Please stop falling for this, your democracy sucks because the politicians suck and the people want change so they turn to extremist parties.
Wouldn't it be strange if solving a problem didn't affect elections?
But it's becoming increasingly clear how badly compromised the whole thing is with fake opinions and enemy propaganda.
I don't like either of the options. I don't like control by the state, and I don't like control by mad billionaires. I don't like the far right cesspool of 4chan, but can't disagree with their position that they shouldn't have to care about OFCOM.
The governments themselves are "dumber, sadder, and more scared". They are worried because social media puts regular people talking on equal footing to official propagandas (being able to reach everybody else). That's what they fear, because they have the lowest approval ratings and legitimization in over half a century, and they're also making everything shittier and shittier to the benefit of their corporate overlords.
By forcing us to go through devices completely controlled by US companies?
That kind of serves as a proof to your opinion it's a boogeyman.
https://www.reuters.com/legal/litigation/musk-summoned-by-fr...
But they would gladly use that for more control.
I don't really see what internal German politics and lobbying has to do with anything.
As for the "Google" part, that's up to the member states to decide. In essence, the law states that apps should be secure and untampered. It doesn't specify any remote attestation partner, nor even the strict need for remote attestation although it's hard to accomplish any kind of phone-based authentication security without it. Android's native attestation solution also exists and works for phones sold without Google services, though it's an absolute pain to work with.
Sailfish, pmOS, or any other mobile OS could implement the security requirements if they ever get enough serious popularity to convince governments to make apps for them.
My experience working on software for the German public sector sadly agrees with this assessment. Let's hope at least eventually something will work.
Law has privacy downsides and is trivially bypassable -> law is bad.
Also the class schedule including the substitutes are communicated per smartphone app
Section 5 mentions that this issue could be mitigated at some point in the future by using ZKPs, but here's what they're saying about the status of this ZKP integration:
"This topic will be revisited in Topic G to determine the foundational requirements needed for its future integration"
Doesn't sound like this will be implemented any time soon.
[1] https://eudi.dev/2.5.0/discussion-topics/a-privacy-risks-and...
1. They are physically separate. They are not likely to be stolen at the same time as a phone. 2. They do not require battery.
Cash has the same advantages, but even more so as it does not rely on networks at all.
If you only have phones as a means of payment what do you do if your phone is lost, stolen or out of battery? How do you even buy a new phone!?
I think phasing out cash is very short sighted. It is robust and reliable. There is a good reason the Swedish central bank recently recommended that people keep a certain amount of cash at home (1,000 SEK, equivalent to about £80/$108/94 EUR, per adult).
That would be a very gentle way to express hurt feelings, not the way to treat a guy who knowingly does that.
Unless you live at some place where they still accept cash of course, but the writing is on the wall already.
Countries have been interfering in the internal workings of other countries for centuries, if not millennia. If you want to read up on more recent accounts of this, many of which predate social media, the book Active Measures by Thomas Rid is a good place to start.
Or you can continue to think that this is all just made up "propaganda" and we're all fools, but you alone have seen the light.
As for why would they, the same reason there are hundreds of tracking cookies on every site.
I don't believe this. "Many" perhaps in raw out-of-context numbers but as a percentage of the population, very few functioning, self-supporting and employed adults in America do not have an ID. It's simply not possible to participate in society without one. You need an ID to register a car, to drive, to vote, to bank, to get a job, to buy a house, to rent an apartment, to get water, power, gas, internet....
If you don't have an ID, you are either a child, or you are deliberately trying to exist off the record. I.e. you are here illegally or you have chosen some very fringe antisocial survivalist offgrid way of living.
Around 10% of American adults do not drive.
6% of American adults do not have a bank account (4% for whites and Asians, 11% for Hispanic, and 14% for Black). It is 23% for people with incomes under $25k [1].
About 20% of adult Americans who are not retired do not have a job [1]. Did you forget that some people live with other people and in many of those arrangements only one of them has a job?
Many people have living arrangements where they are not the owner or the renter of record of the place they live. For example many people who live with others as described above.
Approximately 5% of the US economy is cash based and often does not care whether you have any formal ID. Often people who live mostly in the cash economy live in areas with many other such people, which makes it easier.
[1] https://www.cnbc.com/2024/08/02/23percent-of-low-income-amer...
[2] https://www.minneapolisfed.org/article/2022/whos-not-working...
Even with that: There's plenty of services dangerous to kids that we gate behind an ID check and I don't particularly see why internet is special in any way.
No one claimed the internet should receive special treatment. The two forms of ID check that you're attempting to equate aren't the same.
Whitelabel/demo implementation specifically pushes FOR Google Play Integrity after being explained why that's a bad idea: https://github.com/eu-digital-identity-wallet/av-doc-technic...
Via: https://discuss.grapheneos.org/d/24452-eu-might-enforce-goog... which specifically quotes the law that should forbid such approach (Article 6(4) DMA) - so EU initiative and engineers consciously and intentionally breaking EU law in the prototype that is supposed to be replicated later.
While I agree with this statement, I thought there was some kind of requirement that OFCOM goes through a process like this before being allowed to ask for a domain to be blocked in the UK?
The latter is, I think, something OFCOM should be allowed to do with a restriction that it can only come after other options fail.
Imgur have gone the other direction: they have voluntarily blocked the UK (!), which is very irritating when trying to browse Reddit.
There's certainly a process, but not a good one.
(separate from all this, the Internet Watch Foundation maintains a blocklist which ISPs voluntarily follow, of actual CSAM.)
Until the process is complete, that's not evidence of inability, that's just the process:
Where appropriate, if a provider fails to comply with its safety duties, we can also seek a court order for ‘business disruption measures’, such as requiring payment providers or advertisers to withdraw their services from a platform, or requiring Internet Service Providers to block a site in the UK.
- https://www.ofcom.org.uk/online-safety/illegal-and-harmful-c...
> There's certainly a process, but not a good one.
Indeed. There does seem to be a mutual non-comprehension of how the internet functions amongst lawmakers and enforcers in both the UK and the USA; both seem to act like they have more sovereignty over the internet than is possible without reaching much faster for a block order for sites outside their respective jurisdictions.
The problem is the algorithm and the "explicitly suppressed and censored" and that's on the governments and corporations. So that's the worst argument for giving the government more control.
That argument seems easily debunked by pointing at the effectiveness of propaganda, which is in its essence indistinguishable from bots.
People have control over their government, at least in democracies that are functioning to a basic level (see Hungary recently). But they have zero control over social media, in fact the only organisations that can control global billion dollar tech companies are nation state governments...
Why would you correct data about you very own surveillance ?
Some amount of id verification and surveillance is of course required for a government to function, the question should be more what is allowed and what is not.
I'll assume your answer is no, and in that case surely you must see the value in that medical record being correct.
Concerning the railway example, they only need to store how much I owe them, not my travels. Storing travel history on their end is already surveillance.
Data keeping purpose and consents are what make something surveillance or not. Forcing every citizen to use ID to access the web is surveillance plain and simple.
For example this would allow a state to refuse access to the PI of their citizens for cases that are not administratively documented. This forces the access audit sufficiently that a malign actor cannot simply request data for a citizen without having probable cause; another vector we want to protect ourselves against is simply the psycho/sociopaths that have access to these data without surveillance.
The way I understand it is more like tls certs, with each country managing their own root cert.
No, I am legitimately asking to clarify your position, hence why I assumed you wouldn't call that surveillance. The point was for us to agree that the right to correct data is a meaningful and useful right to have.
Once we've clarified that, the rest of the arguments comes down on the separation of "surveillance" from "record keeping", a separation you attribute to "Data keeping purposes and consents". That aligns with current EU law, and I largely agree with treating that as a separation point. If you have a valid purpose, either by law or by duty to your customer, you get to keep records necessary to fulfill that need. I would note that these "duty to your customer" clauses are usually pretty broad and would, I imagine, allow the railroad company to keep and process your travel record for fraud prevention purposes.
The issue we encounter is what a valid "data keeping purpose" is, and if we trust our public institutions and infrastructure to govern that question. Especially when the potential data processor is a government agency. This I'm entirely uninterested in debating that question with a rando on HN. We likely live in two very distinct regulatory frameworks and have vastly different local governments. There's no basis for us to agree here.
I would however end by noting that the two clauses of your statement
> Data keeping purpose and consents are what make something surveillance or not.
and
> Forcing every citizen to use ID to access the web is surveillance plain and simple.
Are in tension with one another. Clause 1 opens up for the idea that there exists valid "non-surveillance" record keeping, and that the distinction of such record keeping from surveillance requires determination of consent and purpose. Clause 2 then foregoes that determination and just presupposes the argument. All ID checks are definitionally surveillance irrespective of purpose and consent.
In the current legal framework, government derives its unilateral consent from the vote. If the law passes in a democratic system then it is, by that very process, a consensual and valid purpose.
"Forcing" highlights the lack of consent, the distinction is still present.
> In the current legal framework, government derives its unilateral consent from the vote. If the law passes in a democratic system, then it is, by that very process, a consensual and valid purpose.
Absolutely not. Being voted in a parliament doesn't mean citizens consented to it.
Simple example: compulsory military enrollment vs voluntary military enrollment. Only one of them derives from consent, even if both derive from a law discussed in parliament.
Cash is still mostly accepted while majority of transactions are digital.
Absolutely not. The population is fine with the status quo.
Don't want to wake you from that nice dream but that ship has sailed quite a while back, at least here in the EU.
OK. I'll bite. Why are they unnecessary?
Passports have two things. They have information on them, which can be read by looking at them. And they have information on them in chip form, which can be scanned, and is also cryptographically signed by the issuing authority (eg, a government).
To verify a passport you can look at it visually, but you can also scan and validate the info, including photo, in digital form. All you need is the CSCA, the 'country signing certificate' to do so, and there aren't many of those. Small readers exist which are updated with these certs, and so even in the middle of a war zone, with RF jamming, you can verify a country signed what you're looking at.
Relying upon the Internet being there for ID purposes is a massive fail. You don't need a networked reachable database to validate that your ID is valid, in a digital way, which can be really helpful when 1M refugees show up at your door during a war, or when the capital city of the issuing nation has been bombed.
You may think this unimportant, but the edge cases are what 99.999% uptime is all about. And the edge cases with ID really need 100% uptime. The last thing you need during a natural disaster is an inability to ... well, do anything.
So even if you have biometric methods to identify someone, you'll also want a local, on person method which has those on chip, and signed by a government saying who you are.
Having ID network connected is also a massive, huge, immense fail. There should be no network connected databases of anything about anyone, in any form. Why? It'll be hacked. This will never, ever, ever change. Never. Paper records can't be hacked en masse, and you can get the same protections by storing records on individual chips with other associated info in paper form.
Dismantling this infrastructure and replacing it with buggy, hackable, online databases just to get digital ID verification is a complete move in the wrong direction. Verifying digitally signed information is not.
And passports can be scanned by phones.
Which means that the info, cryptographically signed, can be verified by anyone in the world too.
Really, what we need is to have everyone chipped, like a pet. Because that's where this ends up, and that's also the only way to always have your ID with you.
As a snarky aside, I've spent my entire life interacting with society all the time, yet only in the last decade has it been necessary to be "carded" constantly to do so. We've literally taken a privacy conscious society, and turned it into a nightmare. I'm identified when I go buy a loaf of bread, the most dystopian, totalitarian government anyone could ever conceive of, is a joke compared to the amount of control and tracking now exercised over people's lives.
So I guess my point is...
If it's annoying and difficult to have to carry around a physical identifier of who you are? And use it regularly?
Why is the solution to make it easier to submit to slavery?
Think that's an over the top statement?
We all know how the US government has pivoted on many things during the current administration. We also know it has had, and continues to have (via private enterprise) a robust degree of information about every fiscal transaction made.
If you look at the McCarthy hearings, they literally went so far as to find documents from decades prior, paper records of course, of people joining socialist clubs in university. Eg, simply sign-in sheets, or their names listed in the minutes of such orgs.
Decades later, that information was used to blacklist careers, destroy lives, not for any proof of malfeasance by those accused, but simply because they were curious in college about socialism.
Those same accused were then used to "name names".
My point is, from the financial data currently being stored about people, anything that makes you stand out in any way could be turned into a problem 10 years down the road. Not to mention, how credit card usage, and digital tracking, and location tracking might hit some pattern.
No one who lived through the McCarthy hearings, just watching them, or lived through how Germany or Russia controlled the lives of their citizens, would ever think any of this increased fingerprint of people is a good idea.
It's all just very dumb. And it will not end well at all.
If CBP's systems go down, they will not process (foreign, they'll process US citizens still) arrivals [1], even with physical passports in front of them. I assume the EU ESS works the same.
"If the internet goes down, your border checkpoint is down" is not some terrifying future we need to protect against, it's the reality of the world you live in right now.
[1]: I've had to wait for an hour, at SFO of all places, because of exactly that happening.
Why would you need internet? The document holder's smartphone can cache the document for years and present it over NFC (including photo, signature, etc). Just like existing biometric passports work, but replace the physical passport with a smartphone app.
The internet requirement is not there for the person presenting the document, it's for the person/system checking it.
Couldn't agree more. The more we know, the more susceptible we are to bias and division.
I don't want to have to read your noise.
In US tho? You can get SSN of literally everyone and that's somehow enough to ID yourself.
History of entry and visas/etc could be stored on device as well
But in the real world, the systems that deal with processing people's entries already cross-reference multiple other existing databases, require internet connectivity to do so, and I think you'll have hard time convincing anyone to stop doing that.
The big companies are still mining user data, they are just forced to use some extra dark patterns to trick people into compliance. Would-be criminals are not going to stop being criminals because of the threat of fines. And TLAs are not going to wait for due process to acquire access to data legally.
All that GDPR does is give the illusion that people are being protected and CYA for politicians and bureaucrats when asked "what are you doing about evil Zuckerberg?"
Yup, until they are regulated to do so in case you buy booze, porn, metal detectors, crossbows or who knows what else. And until silversmith tries to dodge the draft but he accidentally bought some booze with his gov eID to party with friends.
This is what our every day will be like, when the state has internalized the enormous power of a 100% controlled digital ID. Bye, bye, freedom of thought.
If you were to be treated worse than a Jew in WW2 Germany, you would not be writing about it here.
If you were from outside EU, I fully believe the experience was subpar. 99% or more of verifications went through the EU system, and if you showed up with different kind of documentation, the people tasked with verification "at the edge" might not even know if it was valid form of proof.
Overall, I struggle with being outraged by the concept of digital ID. It's just a digital form of "show me your passport please". We have had physical national ID (mandatory from certain age!) for as long as I can remember myself. The state knows I exist. If a madman gets put in charge, lack of unified digital ID is not going to prevent airport style passport gates being erected around the booze stand.
How will the current approach result in total surveillance?
I would much prefer hotels would have a scanner which just transmits the bare minimum of identifiable information from the ID instead of it being completely normalized in many countries/hotels that they take your ID card and scan the full thing.
Can you explain to me, how with an eID one would be prevented from communicating with anyone or buying food?
Not really. Government is not Big Tech. This happens with accounts of some tech companies precisely because they're private entities setting their own rules in the still wild "wild west" of the Internet. Governments set laws and processes to ensure the things you mentioned do not happen, except in very specific circumstances.
Think of it this way: being "locked out of life completely", resulting in "no banking, no traveling, no communication", etc. is not a new problem. In the off-line world we call that being sanctioned, imprisoned, deprived of personal freedoms, etc. Yes, it happens to some people, but usually for very specific reasons (called "crimes"), after a lengthy bureaucratic process (called "trial" and "sentencing"), with plenty of safeguards to catch and rectify mistakes during and after the fact (like "legal defenses", "appeals", or even "journalists"). It is not something you normally worry about.
Humanity has worked out best practices for these things over thousands of years of various tribes and nations and governments forming, disbanding, collapsing, emerging, conquering or becoming conquered. Adding electronic IDs on top does not change the nature of the thing. So you won't get locked out of life for posting the wrong emoji in a tax report comment; that would be like being thrown to prison for drawing something on a government form - or rather, if that's even remotely possible in your country, you have much bigger problems than digital IDs, and your best move would be to emigrate somewhere sane before borders close or civil war starts.
Plenty of other things to worry about here (e.g. ID checks suddenly being required by every business, just because it's zero effort to them for some marginal KYC benefit), but getting banned from life due to ToS violation is not one of them.
A proper digital ID would eliminate a lot of problems we now have with identity theft, having to obsessively protect names, dates of birth, SSNs in our databases (these things were not considered secrets in the pre-internet era).
Yes, we need to be vigilant about freedoms and privacy. But the idea of a government-issued ID that "proves" who you are is not new and I struggle to think of any way identity can be "proven" without a central issuing authority.
Does it actually follow? It's there for 25 years in some European countries and "everyone" isn't on a government bad list dying of hunger.
The government of course can put you on the list, but they don't need digital id for that. They pass a law, the regulator sends the list to all the banks and boom, you are blocked. I guess we should not have banks or not have the government too.
Some governments (will) make it mandatory: social accounts (so also IM apps like IG, WA, X, Messenger), banks, buying a SIM card, internet, buying alcohol, cigarettes, energy drinks.
Some companies will make it mandatory implicitly or explicitly just for profit: selling your consumption data, analytics for themselves. E.g. in Poland it's harder and harder to pay with cash because of reduced staff and huge queues - they force you to use self checking. The pricing also changed so that you have to use their loyalty apps if you don't want to be ripped - otherwise you will be paying 50% more.
> I would much prefer hotels would have a scanner which just transmits the bare minimum of identifiable information from the ID instead of it being completely normalized in many countries/hotels that they take your ID card and scan the full thing.
I don't like it either; the problem is right now you mostly see this being abused only in some hotels. What's misleading is that this digital ID won't allow tracking because you're supposed to be "transmitting the bare minimum of identifiable information".
I prefer hotels without ID requirements. There is not a single shred of sound argument why a hotel needs to know who I am. Therefore I often stay in B&Bs without authoritarian ID-controls.
For example hotels: Some chains may think to advertise using fear mongering, claiming that their hotels are the safest, because they perform background checks based on the information from their customers' ID. You don't want that? Fine! Go elsewhere then! This is private property, if you don't agree to these ToS, you are not allowed to enter or rent rooms, sooo sorry! All you had to do is sign your privacy away here and then let us mine your data ... You don't have anything to hide, do you??
The issue is, that every single involved party from business to government has an incentive to get more data from this system. If there are no laws with guaranteed severe punishments for violations edged into our inalienable human rights and constitutions and those are properly followed up on, in addition to making it technologically impossible to extract more information than necessary, the system sooner or later will be abused.
Why did you only ask about eID and not about "inescapable digital currencies" that was also mentioned in the same paragraph at the top of the thread?
See also: CCP
You see, the government wants to control the people so they can control the government /s
As always when information exists digitally and can be processed rather easily, there is a strong temptation to misuse it out of its original purpose. As always there is a high risk of information leaking at some point, especially when in the not that capable hands of big organizations and governments.
The worry is also the drift towards disabling people's IDs for even one of the things the GP listed, at some point for any reason. The one with the bank account for example seems not too unlikely. Say at some point they associate financial information with that id. Banks demand insight on this data on grounds of wanting to grant loans only to people with good history. Later on they don't even want to give you a bank account when you ask, because there is no gain in it for them, because your accounts in the past tended to not have a positive balance and maybe at some point you had solvency issues. Try getting a flat to live in without bank account. Try getting a job without bank account.
The point is, that while governments are not big tech, they are also not tiny friendly grandma Emma's village shop. There are still lots of incentives to misuse and mismanage data, while at the same time governments often do not pay competitive salaries as businesses and often attract a certain kind of people working with your data.
Also keep in mind, that so far basically every such system that was implemented in countries like Germany had severe security holes. Just read up on the "elektronische Patientenakte" for example, or the CCC and the initial eID security issues. Trust has been eroded so far, it is at level zero for the government to get such a thing done right.
In the US there's a requirement for banks to refuse to do business with anyone who would be a "reputational risk". I think it was intended to suppress money laundering. Anyway, when the government calls and says such and such a client represents a reputational risk, the bank doesn't have any choice.
I don't know how it works in other countries, but here in the US you'd be hard pressed to function normally in society without a credit card and bank account.
Options to get around that problem include regulating Apple and Google or mandating that essential services not require accounts with third-party providers.
I would call for both of these things, for independent reasons.
All providers who get relied on in this way should need suitable regulation, even for non-essential things like supermarket loyalty cards.
Apple and Google in particular are now too heavily associated with a government hostile to the EU, therefore the EU should as a matter of urgency ensure that essential services do not require them in particular, and the surest way to do so (and make sure no shenanigans happen with mergers) would be to mandate that essential services do not require accounts with any third-party providers. Not even the postal system or a telephone number, you should always have a viable fallback to some physical office which is open at reasonable hours and is in a reasonably accessible location.
Then comes this post-hoc rationalization about how it will inevitably be abused, Jews in Nazi Germany, apartheid and chips under the skin.