Europe

11061 readers

694 users here now

News and information from Europe 🇪🇺

(Current banner: La Mancha, Spain. Feel free to post submissions for banner images.)

Rules (2024-08-30)

This is an English-language community. Comments should be in English. Posts can link to non-English news sources when providing a full-text translation in the post description. Automated translations are fine, as long as they don't overly distort the content.
No links to misinformation or commercial advertising. When you post outdated/historic articles, add the year of publication to the post title. Infographics must include a source and a year of creation; if possible, also provide a link to the source.
Be kind to each other, and argue in good faith. Don't post direct insults nor disrespectful and condescending comments. Don't troll nor incite hatred. Don't look for novel argumentation strategies at Wikipedia's List of fallacies.
No bigotry, sexism, racism, antisemitism, islamophobia, dehumanization of minorities, or glorification of National Socialism. We follow German law; don't question the statehood of Israel.
Be the signal, not the noise: Strive to post insightful comments. Add "/s" when you're being sarcastic (and don't use it to break rule no. 3).
If you link to paywalled information, please provide also a link to a freely available archived version. Alternatively, try to find a different source.
Light-hearted content, memes, and posts about your European everyday belong in other communities.
Don't evade bans. If we notice ban evasion, that will result in a permanent ban for all the accounts we can associate with you.
No posts linking to speculative reporting about ongoing events with unclear backgrounds. Please wait at least 12 hours. (E.g., do not post breathless reporting on an ongoing terror attack.)
Always provide context with posts: Don't post uncontextualized images or videos, and don't start discussions without giving some context first.

(This list may get expanded as necessary.)

Posts that link to the following sources will be removed

on any topic: Al Mayadeen, brusselssignal:eu, citjourno:com, europesays:com, Breitbart, Daily Caller, Fox, GB News, geo-trends:eu, news-pravda:com, OAN, RT, sociable:co, any AI slop sites (when in doubt please look for a credible imprint/about page), change:org (for privacy reasons), archive:is,ph,today (their JS DDoS websites)
on Middle-East topics: Al Jazeera
on Hungary: Euronews

Unless they're the only sources, please also avoid The Sun, Daily Mail, any "thinktank" type organization, and non-Lemmy social media (incl. Substack). Don't link to Twitter directly, instead use xcancel.com. For Reddit, use old:reddit:com

(Lists may get expanded as necessary.)

Ban lengths, etc.

We will use some leeway to decide whether to remove a comment.

If need be, there are also bans: 3 days for lighter offenses, 7 or 14 days for bigger offenses, and permanent bans for people who don't show any willingness to participate productively. If we think the ban reason is obvious, we may not specifically write to you.

If you want to protest a removal or ban, feel free to write privately to the admin that applied the rule (check modlog first to find who was it.)

founded 2 years ago

MODERATORS

federalreverse@feddit.org

poVoq@slrpnk.net

anzo@programming.dev

EuroMod@feddit.org

EU Is Rolling Out an Online Age Verification App That Could Become the Global Blueprint (gizmodo.com)

submitted 2 weeks ago by CAVOK@lemmy.world to c/europe@feddit.org

37 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] arcterus@piefed.blahaj.zone 3 points 1 week ago* (last edited 1 week ago) (1 children)

Hm, I'm reading the spec. It seems more simplistic than I was expecting.

Issuance of Proof of Age attestations (step 3)

Once the User's age has been verified, the AP may either issue the Proof of Age attestation directly to the User's AVI or generate a pre-authorized code and provide it to the User as part of a credential offer. At a later stage, the User can present this credential offer through their AVI to obtain the Proof of Age attestation.

Confirmation and presentation (step 5)

The AVI receives the Proof of Age request and presents it to the User. The User reviews the request details, verifies the information, and confirms the transaction to proceed.

The AVI securely transmits the Proof of Age attestation to the RP.

Guess it does just pass the attestation around.

2.2.3 Revocation and Re-Issuance In its current form, the solution does not support revocation or re-issuance. Adding support for these features would introduce additional complexity, which could hinder the rapid adoption of the solution.

The attestation is ideally only used once and issued in batches, so this is both good and bad I guess, since if they ask to track you and they haven't already recorded all the attestations, they'll need to wait for you to generate more.

Unlinkability: The goal of the solution is to prevent user profiling and tracking by avoiding linkable transactions. Initially, the solution will rely on batch issuance to protect users from colluding RPs. Zero-Knowledge Proof (ZKP) mechanisms will be considered to offer protection. More details are provided in Section 7.

Basically a big TBD. Lovely.

The more subtle attack you mention could probably be avoided if the root certs and so on or whatever equivalent they're using are public and you check that the attestation given to you doesn't include extraneous details (which ideally the app would do for you). Not sure how that'll interact with the zkSNARK solution provided as an "experimental feature."

It doesn't really matter though since they can just record the attestations when they're issued, so they just have to say "look for these attestations" to whatever site and they can track your visits.

It is recommended that the Proof of Age attestation be designed as a single-use credential and remain valid for a maximum period of three (3) months from the date of issuance. If a revocation mechanism is required, a status list may be utilized as an effective solution for managing the revocation status of attestations.

Of course, using it in batches is only "recommended," so I guess they could just issue it once and continuously reuse it, in which case it would be very easy for websites to link it to you.

There's probably more I could pull out, but yeah, doesn't seem great based on the spec :|

EDIT: based on my reading of the ZKP spec linked in the main spec, it seems like it should work correctly, but as long as it's an "experimental feature" and not always used it's not really useful. They mention that in cases where the ZKP setup can't be used it should be able to fallback to the token setup. Ideally it really shouldn't do that, especially if it doesn't specifically tell you that it can't continue without using ZKPs and thus potentially leaking your identity.

[–] General_Effort@lemmy.world 1 points 1 week ago

After I first skimmed the specs, I had thought it would require constant check-ins with the attestation provider. Apparently, you need to get the attestation installed only once. I have trouble seeing how that could work out.

So a kid gets a phone from some cool older brother or an unaware grandpa. What stops them using that single phone to verify everyone in school?

Of course, the kids might not bother when you can just use a VPN or some non-compliant, foreign service.