> The Supreme Court on Tuesday declined to temporarily block a Texas law that requires pornographic websites to verify their users’ ages. In a brief unsigned order, the justices turned down a request from a group of challengers that included an adult industry trade association to put the law on hold to give them time to seek review of a ruling by a federal appeals court.
To add, this is a part if the legal process that isn't well understood by the public, and often misrepresented in the media. It's not even well-understood by experts, frankly, but it's important to note that this is a stage in the legal appeal process where SCOTUS can choose to kind of temporarily pre-rule on a law being challenged, based on very brief arguments. It's often used in cases where failing to act on one side or another presents a serious risk of something happening before the court can rule. For example: an execution. SCOTUS can "stay" an execution, that is, prevent the execution from happening, because, well, if the guy gets killed before the trial, and then they find in his favor, they can't undo the execution.
In a case like this, it's not surprising that they found no significant irreparable harm to Texans if the law remains until the courts can rule.
We need a "dumb it down for the non-lawyers" on every article that mentions courts. ELIANAL. I always try to ask my lawyer friends, but they are sadly not very good at dumbing it down.
It's fun to think about a technical solution that if implemented by the state and porn websites it would be privacy preserving, I have a hunch some form of cryptography can be part of this solution. some form of cryptography that would allow the website to check if something like a hash of a state identification number is of a real ID number, but this hash-like thing would not allow the website nor the state to know to what ID number it belongs to (e.g. with a database lookup of the hash), it would allow them only to know that it belongs to some real/actual ID number.
does anybody know of any form of cryptography that would allow anything like this?
All sorts of sticky bits here. If the main thing the age verification service is used for is watching porn then how much privacy can you really have? The verification side knows you're watching porn and can look at your ISP records or ask the registered providers if you accessed using token / session x if they really need to e.g. unmask your specific fetish or find out about your activity.
There are some difficult tensions between building for privacy vs being auditable.
Another specific part that seems difficult is the need for a biometric bind. There's no clear way to do this without invasive UX that's bad for the use-case.
If you want to make assertions about a natural person then you need to bind them to the credential with a biometric match, to prevent IDs from being copied or shared.
If you perform that on the client it's amenable to all sorts of hacking, "the drm problem" where you are asking a computer or mobile device to act as a little policeman. The device is no longer "yours".
If you perform it on the server you need to be passing images or better video back to a service. You can have the best protocol and procedures in the world but you will never convince customers that is private & anonymous.
It all depends on requirements tho. If the goal is mainly to prevent say, 8 year olds stumbling across porn websites, and not to stop a motivated 8 year old from accessing them by stealing parent credentials or using workarounds they found on a forum, then the problem is fairly tractable and could probably be solved within the credit card ecosystem alone.
There is some discussion of that sort of system here [1]. Search for "zero knowledge proof of age" or "zero knowledge age verification" or similar and you should find more.
Another approach uses digital signatures.
The naive approach that isn't very good from a privacy point of view would work something like this. We have three parties: (1) U, a user that wants to use a site V, (2) V, a site that wants verification that its users are at least 18, and (3) T, a site that U is willing to reveal personal information to that proves their age to T.
Good candidates for T would be sites that already have U's information, such as a site run by their government or their bank.
In this naive approach what would happen is V would give U some sort of login token, U would pass that token to T along with sufficient proof for T to verify U is at least 18, and then T would sign the token and give the signed token back to U.
T would use a signature that they only use for for verifications that age is at least 18. If they offered other verification service, such as verification that a person lives is a resident of a specific state, they would have a different signature for those.
U would verify that the token was signed with T's "at least 18" signature, and U has passed age verification.
That's not good as far as privacy goes because T sees the contents of the token. They could log it, and someone who obtained those logs and the logs of V could match them up. Also T could recognize from the format of the token that it is a V token so T would know what site you are trying to sign up for.
That can be addressed by replacing the signature with a blind signature. A blind signature is a kind of digital signature where before sending the token to T to sign U can apply a special transformation that essentially randomizes the token. T only sees that transformed token and signs it.
What's special about the transformation is that if the inverse transformation is applied to the signature of the transformed token it produces a signature for the original token. You then end up with the original token and a T signature for that token, which you can give to V just as in the naive case.
What T sees no longer matches anything V issues, and no longer looks like a V token.
If the volume of verifications at T is too low and the volume of people verifying at V is too low someone who obtains both T and V logs might make some deductions from timing.
If age verification requirements become widespread so that it isn't just porn sites but nearly all social media sites and e-commerce sites, the T sites should have enough volume that timing attacks aren't effective. You could further reduce their effectiveness by adding some delays. Wait a few hours after getting your transformed token signed by T before completing the verification at V.
You could also toss in fake requests to T. Send them random tokens every now and then to sign and then throw the tokens and signatures away. Then T, or someone who is spying on T, won't have any idea which of those requests are for real verifications and which are just noise.
There is no such thing just because of logistics alone. All it would take is one 'adult ID' to be shared enmasse. If they can start analyzing the patterns to see that one adult provides 1000s of uses per minute across many IPs, then it isn't privacy preserving.
Besides, they are clearly looking to build a panopticon. Privacy preservation is the opposite of their goal.
>> "We are persuaded that the CDA lacks the precision that the First Amendment requires when a statute regulates the content of speech. In order to deny minors access to potentially harmful speech, the CDA effectively suppresses a large amount of speech that adults have a constitutional right to receive and to address to one another. That burden on adult speech is unacceptable if less restrictive alternatives would be at least as effective in achieving the legitimate purpose that the statute was enacted to serve. ... It is true that we have repeatedly recognized the governmental interest in protecting children from harmful materials. But that interest does not justify an unnecessarily broad suppression of speech addressed to adults. As we have explained, the Government may not "reduc[e] the adult population ... to ... only what is fit for children."[1]
..but...
>> Justice O'Connor, joined by Chief Justice Rehnquist, agreed with the decision "as of 1997" but expressed interest in the idea of creating an "adult zone" on the Internet that was made inaccessible to minors through "gateway technology" that had been investigated by a lower district court. If such technology could be introduced, they wrote, zoning portions of the Internet to prohibit adult content could be as constitutional as such zoning is in the physical world.[8]
Can a website with a specific barrier to entry be thought of as "zoning"? Perhaps.
First paragraph:
> The Supreme Court on Tuesday declined to temporarily block a Texas law that requires pornographic websites to verify their users’ ages. In a brief unsigned order, the justices turned down a request from a group of challengers that included an adult industry trade association to put the law on hold to give them time to seek review of a ruling by a federal appeals court.