We’ve said it before: online age verification is incompatible with privacy. Companies responsible for storing or processing sensitive documents like drivers’ licenses are likely to encounter data breaches, potentially exposing not only personal data like users’ government-issued ID, but also information about the sites that they visit.

This threat is not hypothetical. This morning, 404 Media reported that a major identity verification company, AU10TIX, left login credentials exposed online for more than a year, allowing access to this very sensitive user data.

A researcher gained access to the company’s logging platform, “which in turn contained links to data related to specific people who had uploaded their identity documents,” including “the person’s name, date of birth, nationality, identification number, and the type of document uploaded such as a drivers’ license,” as well as images of those identity documents. Platforms reportedly using AU10TIX for identity verification include TikTok and X, formerly Twitter.

Lawmakers pushing forward with dangerous age verifications laws should stop and consider this report. Proposals like the federal Kids Online Safety Act and California’s Assembly Bill 3080 are moving further toward passage, with lawmakers in the House scheduled to vote in a key committee on KOSA this week, and California’s Senate Judiciary committee set to discuss AB 3080 next week. Several other laws requiring age verification for accessing “adult” content and social media content have already passed in states across the country. EFF and others are challenging some of these laws in court.

In the final analysis, age verification systems are surveillance systems. Mandating them forces websites to require visitors to submit information such as government-issued identification to companies like AU10TIX. Hacks and data breaches of this sensitive information are not a hypothetical concern; it is simply a matter of when the data will be exposed, as this breach shows.

Data breaches can lead to any number of dangers for users: phishing, blackmail, or identity theft, in addition to the loss of anonymity and privacy. Requiring users to upload government documents—some of the most sensitive user data—will hurt all users.

According to the news report, so far the exposure of user data in the AU10TIX case did not lead to exposure beyond what the researcher showed was possible. If age verification requirements are passed into law, users will likely find themselves forced to share their private information across networks of third-party companies if they want to continue accessing and sharing online content. Within a year, it wouldn’t be strange to have uploaded your ID to a half-dozen different platforms.

No matter how vigilant you are, you cannot control what other companies do with your data. If age verification requirements become law, you’ll have to be lucky every time you are forced to share your private information. Hackers will just have to be lucky once.

  • peregus@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    ·
    6 months ago

    I agree with what you say, but how can we prevent kids to use those websites? Todays parents are too IT ignorant and they don’t know that they can protect their kids by using tools that they already have (parental control on smartphones and routers). So, how do we protect those kids? Pornography (for example) can do huge damage to kids.

    • FeelzGoodMan420@eviltoast.org
      link
      fedilink
      English
      arrow-up
      18
      ·
      edit-2
      6 months ago

      You guys do realize that porn has existed for generations right? You could get porn on the Internet back in like 1998. And before that people had magazines and vhs videos.

      But for some reason people act like it’s some recent immergent phenomena that’s only NOW damaging kids. Makes no sense…

      Just talk to your damn kids about sex. It’s not a big deal. Just be parents for Gods sake. Stop outsourcing your parenting responsibility to our dysfunctional and idiotic government, and corporations.

      • peregus@lemmy.world
        link
        fedilink
        English
        arrow-up
        5
        ·
        6 months ago

        Guys, come on, in the '80/early '90 it was almost impossible to have access to porn, maybe some magazine found somewhere. Today a 10 years old can see porn video on a smartphone everytime he wants! You can’t say that it’s the same!

        P.s. In my original message I didn’t say that I’m ok with that law, I was asking (to start a kind discussion) what other possibilities there are.

        • abrinael@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          6 months ago

          I’m in that age group. Kids had vhs and magazines. IMO the faces of death vhs going around was more scarring than any porn.

        • abrinael@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          6 months ago

          Nah. I’m in that age group. The kids around me had magazines and vhs. By the early-mid 90’s there was digital porn.

          Sometime around 92 (I was leaving my tweens) my mom gave me a stack of magazines (pretty sure she thought I was gay or something). No sex talk. Just hey, have this stack of magazines (I refused out of embarrassment).

    • TuxOnBike@norden.social
      link
      fedilink
      arrow-up
      15
      ·
      edit-2
      6 months ago

      @peregus @ForgottenFlux

      Education and trust. We should educate children and parents about the web, its advantages, and dangers. Parents need a starting point on what they can and can’t do to protect their children, and we (technical people) can provide them with best practices. We should also improve the mutual trust between children and their parents. If kids see something bad on the internet, they need to feel safe talking to their parents about it to get help instead of blame.

      • refalo@programming.dev
        link
        fedilink
        English
        arrow-up
        3
        ·
        6 months ago

        This sounds like the right answer at first, but really, the entire reason ID verification exists is because the whole “just parent your kids” thing already didn’t work, and now here we are. You can’t fix stupid, meanwhile the kids are still doing bad things, and everyone else doing nothing too, solves nothing.

      • peregus@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        6 months ago

        I know, but what were the risks there? There was no Internet! The firsts with wide Internet access were the late millennials.

        • Norah - She/They@lemmy.blahaj.zone
          link
          fedilink
          English
          arrow-up
          5
          ·
          edit-2
          6 months ago

          I don’t know what you lived through, but there was wider internet access in the late 90s and early 00s that caused widespread panic amongst the boomers when I was a kid (born early 90s). I grew up in the era of the first social networks, MySpace being the biggest early one I remember. What surprises me more is that so many millennials have grown up to be just like their parents in that regard.

          • peregus@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            6 months ago

            In fact I wrote:

            The firsts with wide Internet access were the late millennials.

            which seems to be you.

            • Norah - She/They@lemmy.blahaj.zone
              link
              fedilink
              English
              arrow-up
              3
              ·
              6 months ago

              Yes. What is your point? I was commenting on the fact you thought this was a current parents problem when it’s been a problem for over 20 years now.

              • peregus@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                ·
                6 months ago

                My point is that you can’t compare today’s problem with 20 years ago! 20 years ago the access to the Internet was through the home PC for the amount of time the kid was allowed to use and with people in the house (usually); today the access to the Internet for a kid is 24/7 and everywhere. There is no comparison. Parents should be more present in the kids life? Sure! Parents should block Internet access to porn website at least until a certain age? Yes! But most of them doesn’t even know that ths is possible. Maybe we (society, givernment) should work more here.

                • Norah - She/They@lemmy.blahaj.zone
                  link
                  fedilink
                  English
                  arrow-up
                  3
                  ·
                  edit-2
                  6 months ago

                  You invoked the comparison by using the phrase “today’s parents are too IT ignorant”. If anything, they know more about tech than ever before.

                  Edit: In response to the rest. Parents just don’t want to have uncomfortable conversations with their kids, they never have. Because, no, it isn’t actually easy to block all pornographic websites reliably.

    • Father_Redbeard@lemmy.ml
      link
      fedilink
      English
      arrow-up
      3
      ·
      6 months ago

      These laws don’t help when it’s insanely easy to install VPN clients on pretty much any device kids have access to. I have Adguard Home on our home network with the malicious and adult websites blocked. But still had a conversation with my kids about porn. And it turns out one of them had already been using a VPN on his phone and PC to bypass the local restrictions. We talked about it more, about being a good and safe “netizen” while discussing how unhealthy porn can be. I’m not anti-porn, but there is a lot of mistreatment of the people making it and can lead to some unhealthy misconceptions about sex and intimacy.