As of Wednesday, all youth under 16 in Australia will be banned from major social media platforms like TikTok, Instagram, Snapchat, YouTube, Reddit, Twitch, and X. For over a decade, whistleblowers, politicians, academics, and experts around the world have sounded the alarm about the online harms people of all ages are exposed to.
…
The ban does nothing to prepare teens to respond to digital harms. It makes no investments in education, community training, or parental support. Youth will not be magically prepared to address problematic online behaviours or content when they turn 16.
The time and resources spent on the ban could be better spent on things like providing education and support for digital citizenship, media literacy, privacy rights or resource centres.
If social media is problematic for a 13, 14 or 15 year old, it’s still likely to be problematic for a 16, 25, or 80 year old. There is no body of research that establishes 16 as a “safe threshold” for social media use and the age for healthy use can vary across genders.
…
Under the current model, companies will not be inclined to improve their reporting systems for harmful content. In fact, in response to the ban, YouTube is actually removing a feature that would allow teens to report content they find inappropriate.
Youth under 16 who find ways to use these platforms, despite the bans, will be unlikely to come forward and ask for help if things go wrong. After all, they weren’t supposed to be online in the first place.
The answer to mitigating online harms is not kicking teens offline.
…
Social media companies also need to be accountable to the ways the platforms are designed and run. These platforms are designed in ways that push certain content and elicit particular engagements.
…
I’m not convinced that ZKP requires an identification number or any such deanonymizing data. If there is a ZKP protocol that implements this that is just one possible implementation.
How would you get by without one? If I produce a proof right now that I’m at least 32 years old, how else do you know it’s a proof for anyone in particular and I didn’t get it from my older brother or some random website that sells them?
Well, that same problem exists with many of the proposed verification models, like credit cards (how can you verify this is my credit card?) , photo ID, etc.
Here’s my proposal: your browser can send a request to a verification body (could be the government directly, let’s say) to respond to the challenge from the website you’re accessing, without sending information about which website is asking for the challenge. The verifier sends a cryptographically-signed approval back. The browser forwards this to the website. To prevent comparisons of timing as a deanonymization method, the browser can wait a random period of time before forwarding the request both ways.
Every time I’ve looked at the details of elaborate schemes resembling the one you imagine, I’m always left with a lot of doubts that they’re secure or practical. Every time I’ve looked at the systems that have actually been implemented in reality, I have no doubt that they suck.
I don’t feel it’s elaborate at all. I like these solutions because they are actually quite simple. It’s just signing and verifying requests using asymmetric key cryptography, techniques which are known to be robust and secure. The government never knows which web services you are verifying for, and the web services never know your identity or any more information than they need to. They don’t even learn your precise age, just that you’re over 16/18/21 whatever.
You are suggesting that a system which does not yet exist will be perfectly safe and secure. None of the ones for which I have seen actual design documents are anything like as safe as you imagine.
That’s valid. My preference is for device-side child locks. For instance, a header that says, “I am a child.” There is much to improve there still. But failing that, if the winds of politics dictate we must have verification – why not ZKP?
The authorizor, who provides the ZKP to the client, knows, not he client. This should probably be the licensing / ID provider in your country (because if they’re hacked everyone is screwed anyway, no additional risk) and already have your details, if not you’re likely young or a fairly extreme edge case. Facebook et.al. get bupkiss except older than X. Note in this model ZKP is a nice to have.
What do you mean, “no additional risk”? It’s a pretty big additional risk, creating a huge central database of everyone’s ID that will be frequently interacted with through a new interface that’s available to every sketchy website in the world. Even if it isn’t compromised it can collect data about how often your name gets looked up, and it isn’t easy to make a system where there isn’t the additional risk of more personal data being collected if the central authority colludes with Facebook. You’d really need to look carefully at the details to evaluate the risks of such a system, which they have not done at all in Australia.
Such databases already exist in the government, in order to provide services to everyone like healthcare, pension, elections, etc…