You don't think that the digital ID provider is keeping logs of which sites requested to verify which users? Even government websites are not exactly known for their high security.
The digital ID provider is only involved in issuing the ID to you. When you use that ID to verify age to a site the only communication is between your phone and the site. The ID provider has no idea when you use the ID, how often you use the ID, or where you use the ID.
Briefly, when the ID provider issues the ID it gets cryptographically bound to your phone. When you use the ID to prove something to a site (age, citizenship, etc) the is done by using a zero-knowledge proof based protocol that allows your phone to prove to the site (1) that you have an ID issued by your ID provider, (2) that ID is bound to your phone, (3) the phone is unlocked, and (4) the thing you are claiming (age, citizenship, etc) matches what the ID says. This protocol does not convey any other information from or about your ID to the site.
This doesn't work because you can't prove the origin of a single bit of data without the associated identity and the origin of the data can only be verified by matching the biometric image on the ID against your real face with a camera.
Otherwise a single person could donate their ID card and let everyone else authenticate with it.
Now you might counter and say it would be enough to give each card a sequential number independent of the person's identity, but then you run into another problem. Each service might accept each card only once, but there are many services out there, so having a few thousand donations could be enough to cover exactly the niche sites that you don't want kids to see.
There is no way to implement this without a complete authoritarian lockdown of everything. There will always be people slipping past the cracks. This means all this will ever amount to is harm reduction, but nobody is selling it on that platform. Nobody is saying that they are okay with imperfect compromises.
Ah, so your phone is the trust point. That's better than it could have been, but it still leaves other issues, like sites with multiple domains or data brokers cross-identifying you based on phone and user information, e.g. 'this phone verified someone on porn site A. This same phone over on social media site B also verified, and on the social media site they have all their real-world info, so now we know their interests', etc.
And before anyone asserts that the phone can be anonymous, that doesn't work, otherwise you can just have an app that claims to have a verified ID attached.
The difference is meaningful. It's mostly prisoners dilemma. If only one persons porn habit is available thats bad for them. If everyones (legal) porn habits are available, then it gets normalized.
Normalized or not, the risk is you get something akin US drug enforcement: ignored for certain demographics, enforced for others. The ability to see someone's porn history is irrelevant until a government (or employer perhaps) wants to weaponize it.
The problem isn't my peers, it's the people in power and how many of them lack any scruples.
this seems to run parallel to the "i have nothing to hide" / "well they have everyone's data, so who cares about mine" arguments.
this is too narrow a view on the issue. the problem isn't that a colleague, acquaintance, neighbor, or government employee is going to snoop through your data. the problem is that once any government has everyone's data, they will feed it to PRISM-esque systems and use it to accurately model the population, granting the power to predict and shape future events.
Would social networks accepting Danish users have to implement the other end of that, or will they also be allowed to use less privacy-oriented age verification solutions (e.g. requesting a photocopy of the user's ID)?
It seems to me like it's either a privacy disaster waiting to happen (if not required) or everyone but the biggest players throwing out a lot of bathwater with very little baby by simply not accepting Danish users (if required).
The wording on the page also makes it sound like their threat model doesn't include themselves as a potential threat actor. I absolutely wouldn't want to reveal my complete identity to just anyone requesting it, which the digital ID solution seems to have covered, but I also don't want the issuer of the age attestation to know anything about my browsing habits, which the description doesn't address.
> everyone but the biggest players throwing out a lot of bathwater with very little baby by simply not accepting Danish users (if required).
The biggest players in social media are precisely the ones that this law is targeting.
No one in charge of implementing this law is going to care whether some Mastodon server implements a special auth solution for Danish users or not, they are going to care that Facebook, TikTok, Instagram, etc. do so.
> No one in charge of implementing this law is going to care whether some Mastodon server implements a special auth solution for Danish users or not, they are going to care that Facebook, TikTok, Instagram, etc. do so.
And if that little Mastodon server ends up hosting some content that is embarrassing or offensive to the Danish authorities, laws like this will surely not be used to retaliate...
Arbitrarily and selectively enforced laws seem like an obviously bad thing to me. If the government can nail me for anything, even if they practically don't, I'll be very wary of offending or embarrassing the government.
The law will obviously be framed in such a way as to hit the targets it is supposed to hit, avoid collateral damage. It's not like complete amateurs are writing our laws.
the social media platforms already measure more than enough signals to understand a users likely age. they could be required by law to do something about it
https://digst.dk/it-loesninger/den-digitale-identitetstegneb...