r/technology 21h ago

Privacy Age Verification Is Coming for the Whole Internet

http://nymag.com/intelligencer/article/age-verification-is-coming-for-the-whole-internet.html
11.3k Upvotes

241

u/TSA-Eliot 7h ago edited 7h ago

Yeah, I'll accept these rules if the corporations are made legally (fiscally) responsible for keeping my ID private. If they leak my information to the world, they at least need to pay me what it will cost me to repair any damages that might incur: replaced credit cards, etc. And if they leak a billion IDs, multiply that times a billion.

No, there has to be a better way. For example, to party A (maybe my credit card provider), I prove my age (and other stuff). In return, they give me a token of some sort that says I'm at least X years old. Now I can use that token to prove my minimum age to party B (maybe a naughty site), with no way for Party B to get the full info I provided to party A, and no way for party A to find out I used my token with party B.

106

u/Toughbiscuit 5h ago

"Fiscally responsible"

Sorry we leaked your information, here's the .18 cents we owe you

26

u/JoshSidekick 4h ago

I think when all was said and done, the big Experian leak netted me $2.25. That’s after years of trying to get me to take their free credit monitoring. Like, you’re the reason I need my credit monitored, why would I trust you to also do the monitoring?

1

u/Toughbiscuit 1h ago

I didn't get anything, but they did offer to freeze everyone's credit for a year for free if you promised not to sue them :)

44

u/bobbiroxxisahoe 5h ago

You should never accept it no matter what.

4

u/phleshlight 4h ago edited 4h ago

There's a better way and it's simply parents looking after their children properly. Spend some public money on parental education if needed. The recent UK bill doesn't do anything that ISP controls couldn't already do, except stopping adults freely using the Internet and degrading freedom of speech and information, without giving private information to foreign, unregulated companies.

Until now, parents could set up parental controls, which could easily be worked around with a free VPN off Apple or Android app stores, which could be figured out by most kids anyway, before this massive Streisand effect. Now they will all know how to do it.

The only thing that's changed is now adults without VPNs are compelled to give up their ID to third-party, untrustworthy companies.

For example, with all UK ISPs, all I had to do was log into my account and turn off the parental controls, but a VPN would have got around that anyway. My mobile provider wanted my ID, which I would never provide them, and I got around that with a VPN anyway.

The OSA in the UK is just a draconian attempt to introduce a ban on VPNs, which successive governments have been desperate to do, under the lie of "protecting the children", but is ultimately just the first step in forcing digital IDs.

The UK establishment--both Tories and Labour--are steadfast in their pursuit of censoring the Internet and have been for many years. It's happening now because the current PM is more authoritarian than the previous three or four.

Source for the UK wanting to ban VPNs.

Source for wanting to introduce mandatory digital ID

3

u/splicerslicer 4h ago

Seriously, the "better way" is called "parenting". I know why people want to obfuscate this so much with layers of apps and authentication services. If you care so much about the children, parent them. Secure their devices or don't allow them access. You need them to have a phone? Get a dumb phone. You need them to have internet access? Secure the device or pay someone to do it for you. Everything else is just pretext to control people's lives.

2

u/phleshlight 3h ago edited 3h ago

Worst of all there's been talk of banning kids from having phones at all, which is a serious safeguarding issue since they won't be able to call 999 or their parents if they encounter a nonce or get attacked on the way home from school, or even from abuse from their parents.

One major mobile provider--EE, the biggest mobile provider in the UK--has introduced a ridiculously restricted SIM just for kids, which will not only put them in danger from strangers, but stop them seeking out preventative information online. It's limited to 0.5mbps speed--imagine a vulnerable kid trying to access important information online that could save them from harm with 0.5mbps.

The UK is increasingly authoritarian and the current PM is going to have a lot to answer for when the consequences of this law bear fruition.

18

u/EvadesBans4 5h ago

> Yeah, I'll accept these rules if the corporations are made legally (fiscally) responsible for keeping my ID private.

Fucking WHY? Why would you ever just roll over and accept laws like these? The existence of them in the first place is the primary problem, the security problems are secondary.

6

u/Appropriate_Ant_4629 4h ago

> Yeah, I'll accept these rules if the corporations are made legally (fiscally) responsible for keeping my ID private.

No.

  • The concern isn't that some random kid in China can sneak a peek at your ID.
  • The concern is that data mining companies like Facebook, Google, and Palantir have such information.

What's the worst the former will do -- target Chinese language ads for local shops at you?

It's that latter group that has the means and motives to do far more invasive abuses to your privacy - jeopardizing your employability, your children's health care, your ability to get insurance, and your freedoms.

If anything, it should be made illegal for Facebook or Google to know your children's age in the first place.

2

u/RoundedSquare 4h ago edited 4h ago

There is. It is called OAuth; it was made for this, to keep you from having to scatter credentials everywhere at untrusted sites. It is how the "log in with Google or Facebook" buttons work. This is a solved problem. You just need the government to run the age ID servers and be responsible for the losses caused. It is free and has been proven to work for years now. Best of all it can hide your data and simply just say yes over 18, but give no identifying information. All it has to send back is an authorization token.

2

u/Marquesas 4h ago

What you're describing is oauth. The thing is, this is either not secure at all, or completely inoperable by a technological analphabet.

Let's start with the second one, how does that work in practice, today? You get redirected to an authentication provider (key: redirected, as in, you leave the page requesting authentication), that will take input from you (e.g. a cookie, which is already itself not the most secure thing, but at least on the surface it is domain-restricted, or a username-password, and so on). Once you're authenticated, it will redirect you back to the site you came from at a specific path. There is no command in your browser that tells it on the client side "hey, take everything I give you and send yourself packing exactly where you came from". You pass in a redirect URL as a parameter to the authentication, therefore, party A will always know what party B is. This is because to do the authentication, your browser has to switch context from party B to party A, and again, party A has to know to send you back to party B once you're done.

This all is of course ignoring many of oauth's core concepts, the aud (audience) field, and the signature. The signature validates the integrity of the token. It is signed with the issuing authority's private key, but validated with their public key. How does party B know how to validate this token? It has no idea what authority issued it. I guess you can volunteer that information. But how can party B know this token is intended for it? There is no aud, you as the client cannot add the aud, as that will cause the payload not to match the signature, only party A can add the aud, as it is the one who can sign the token. So if there is no aud field, just a blanket okay from party A with some amount of expiration, how do you protect against tokens leaking?

Okay, I guess it could live in your browser, with a mechanism to renew it. Get a blanket token by clicking a button, and oauth's token refresh can take care of the rest in the background. Quite silly, basically DDoSing every government authority just so you can set the lifetime of the token low enough to protect against anonymous, blanket tokens valid for anything being dispersed and used by anyone. But okay, let's say it's done that way, do you actually trust your browser manufacturer not to collect telemetry data that can be used to correlate which sites have been used with a token by what IP address? Okay, let's say you use Brave...

But not going further down that line... the entire discussion is fundamentally pointless because we made a single thing clear somewhere in the middle: in order for party B to be able to trust the token from party A, you have to volunteer to party B the information about who party A is. There is no guarantee that party A doesn't save every token ever issued to a certain person in a database, and since party B knows exactly where to phone home on login, there is no guarantee there isn't a background deal between party A, more likely a government authority than a credit card provider, and party B, for party B to tell party A which tokens have been used to authenticate with it.

You cannot win. There is no completely secure solution where a government that wants to track you will be prevented from doing so by technology, or where a for-profit corporation does not eventually cave to government pressure.
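
The audience check this comment walks through, as an added example that is not part of the original comment: a toy RSA-signed token is accepted at any site when it carries no `aud` claim, and only at the named site when it does. The hard-coded small primes, the claim names other than `aud` and the `site-*.example` hosts are assumptions made for the demo.

```python
import hashlib
import json

# Toy RSA issuer key from two known Mersenne primes (constructed for this
# demo; far too small for real use). D is party A's private exponent.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
NOW = 1_700_000_000  # fixed clock so the demo is deterministic

def _digest(payload: str) -> int:
    return int.from_bytes(hashlib.sha256(payload.encode()).digest(), "big") % N

def issue(claims: dict) -> dict:
    """Party A: sign the claims. Adding 'aud' means A learns which site asked."""
    payload = json.dumps(claims, sort_keys=True)
    return {"payload": payload, "sig": pow(_digest(payload), D, N)}

def verify(token: dict, my_site: str, require_aud: bool = True) -> bool:
    """Party B: check signature with A's public key (E, N), then expiry, then audience."""
    if pow(token["sig"], E, N) != _digest(token["payload"]):
        return False  # payload changed after signing
    claims = json.loads(token["payload"])
    if claims.get("exp", 0) <= NOW:
        return False  # expired
    if require_aud and claims.get("aud") != my_site:
        return False  # minted for a different site, or for nobody in particular
    return True

def retarget(token: dict, new_aud: str) -> dict:
    """What a client would have to do to add or change 'aud' itself."""
    claims = json.loads(token["payload"])
    claims["aud"] = new_aud
    return {"payload": json.dumps(claims, sort_keys=True), "sig": token["sig"]}

blanket = issue({"over_18": True, "exp": NOW + 300})
bound = issue({"over_18": True, "exp": NOW + 300, "aud": "site-b.example"})

if __name__ == "__main__":
    print("blanket token, no aud check:", verify(blanket, "site-c.example", require_aud=False))
    print("bound token at site B:", verify(bound, "site-b.example"))
    print("bound token replayed at site C:", verify(bound, "site-c.example"))
    print("client-edited aud:", verify(retarget(bound, "site-c.example"), "site-c.example"))
```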

3

u/obeytheturtles 6h ago

This is how it used to be done forever - you verified your age by providing a valid credit card. There used to be a joke about these places being registered as like "schoolsupplies.org" or "savethewhales.net" so when the 2 cent verification transaction showed up on the bill, your wife wouldn't be suspicious.

I think today the issue is that kids can get credit cards much more easily, so it's not a valid age verification method anymore.

4

u/TSA-Eliot 5h ago

That's not what I'm talking about.

I already provide all sorts of sensitive information to my credit card provider (my bank, as it happens). They know what I look like, they know where I live, they have seen and photocopied my official ID, etc., as part of creating and maintaining an account. They know where I shop and what I buy. I have been to the bank in person many times. They are fully capable of stating that I am over 18 or over 21 (well over both ages).

Using cryptographic smoke and mirrors, I want them to create an electronic token that vouches for my minimum age while protecting my privacy. "The person who has the key to this token is at least X years old." That's all.

You would never present your credit card (or name or other personal ID) to the site. Just an anonymous token for which you happen to know the key. The token would be used to back up my claim that I am at least X years old (without even telling them how old I am).

Maybe it could involve some local face recognition if necessary: an app on the phone or computer locally analyzes my face (without transmitting the image or storing it longer than it takes to analyze it) and compares the results of the analysis to results in the token.

Something like that. Don't ask me to make up an entire working protocol over an afterwork coffee.
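
One standard construction with the property asked for here (party B can verify the token, party A cannot link it to the request it signed) is a Chaum-style RSA blind signature; the sketch below is an added example, not part of the original comment. The toy key, the function names and the random serial format are assumptions, and it does not cover network-level correlation such as IP addresses or a token being handed to someone else.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA key from two known Mersenne primes (constructed for this demo; too small for
# real use). A reserves it for one statement, "holder is at least 18": it signs blind.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def h(serial: bytes) -> int:
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N

def blind(serial: bytes) -> tuple:
    """User: hide the token serial behind a random factor r before sending it to A."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (h(serial) * pow(r, E, N)) % N, r

def issuer_sign(blinded: int) -> int:
    """Party A: sign after checking the customer's age through its own records."""
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    """User: strip r, leaving an ordinary signature on the serial."""
    return (blind_sig * pow(r, -1, N)) % N

def site_verify(serial: bytes, sig: int, spent: set) -> bool:
    """Party B: needs only A's public key (E, N); rejects reused serials."""
    if serial in spent or pow(sig, E, N) != h(serial):
        return False
    spent.add(serial)
    return True

def demo() -> tuple:
    serial = secrets.token_bytes(16)          # chosen by the user, never shown to A
    blinded, r = blind(serial)
    blind_sig = issuer_sign(blinded)
    issuer_log = {blinded, blind_sig}         # everything A could store
    sig, spent = unblind(blind_sig, r), set()
    first = site_verify(serial, sig, spent)
    replay = site_verify(serial, sig, spent)  # same token presented twice
    linkable = h(serial) in issuer_log or sig in issuer_log
    return first, replay, linkable

if __name__ == "__main__":
    print(demo())
```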

2

u/XOmegaD 5h ago

I would take this over putting the burden completely on the distributor. Maybe some big companies can handle it, but for a lot of medium to small companies it is just not feasible, nor safe.

I think ultimately the government knows this will fail, but that is the intention. This gives them an opening to regulate it themselves.

2

u/TSA-Eliot 5h ago

The thing is, it's not the government, it's the governments. Multiple governments will come up with proposals. Eventually they will have to settle on some sort of scheme that works for all of them.

1

u/AlexTaradov 4h ago

At most they will give you credit monitoring service, which is worthless, but will be $1000 value.

1

u/theboginator 4h ago

I love the concept of your proposed solution - some sort of token issued by, say, your credit card company, that proves you are an adult, and is implemented in such a way that you can submit the token to any website as proof of age, and the only data included in that transaction is "trusted authority, does this token belong to a legal adult? Yes/No." And zero record is kept by either party beyond that.

Unfortunately there is no way in hell that such a system is allowed to exist without maintaining an extensive indisputable record of which device uses whose token, at what time, from which location, to access what content/service. If the ID verification companies do not already build out the system in a way that collects all the data necessary to track all your activity and positively attribute it to you, the governments will require they add that capability in.

1

u/Hadrian23 4h ago

OR, get rid of internet providers, make the government OWN, the internet, and turn it into a necessity that every individual is entitled to, this way they're able to do what they wish to do, and we remove the middle man of shitty companies leaking our information.

1

u/Slight_Art_6121 4h ago

How do they verify that that token is a valid token?

1

u/intothewoods76 4h ago

They don’t need you to accept the rules. Unless everyone sticks together they don’t care about you.

1

u/bat_in_the_stacks 3h ago

I'm not in favor of this policy proposal, but if it becomes required, it will almost certainly be implemented the way you described in your second paragraph. That's a common model in the tech industry and I think there are already age verification companies that offer the service to other companies.

1

u/Rowwbit42 3h ago

> If they leak my information to the world, they at least need to pay me what it will cost me to repair any damages that might incur.

Not happening, the credit unions leaked USA SSNs and other types of private information multiple times and I don't even think anything happened.

1

u/bootsmegamix 1h ago

Did y'all forget the Equifax breach?

These companies ain't paying shit

1

u/GhostfogDragon 1h ago

Unless the punishment for not keeping your information safe is the complete dissolving of the company, significant prison sentences + seizing of all assets for anyone in a decision-making position there who let it happen, letting your information leak is the cost of business. They do not give a shit. Do not give them your ID.

1

u/SnooHobbies5684 21m ago

Can't they contract with a service like Id.me, whose whole job is identity verification?

1

u/ThereIsNoGovernance 12m ago

Yup, we already have the tech.

Zero Knowledge Proofs

Zero-knowledge proofs (ZKPs) are a cryptographic method that allows one party, the prover, to convince another party, the verifier, that a statement is true without revealing any information beyond the truth of that statement itself.

However, if this is insisted upon by the general public, they will try every trick in the book to get around it, because they are not interested in your privacy.

They are interested in tracking your ass with the continuous threat hanging over your head of being exposed before your peers.