The government will know who you are, but not what you are requesting the token for. The site will know what the token is for, but will not know who is presenting it.
Imagine it like buying an old fashioned paper bus ticket, in places where tickets are anonymous and interchangeable. The ticket vending machine will get your card info, but will not know what you’ll do with the ticket. Maybe you’ll board a bus, maybe you’ll trade it to a vagrant for a blowie. The ticket machine won’t judge or connect the blowie to your payment info.
Then the vagrant or the bus driver will not get your card payment info either, they’ll only get the ticket, which you could have gotten anywhere, including by blowing someone for it. The bus ticket is the token, it only confirms payment, not identity.
The government will know who you are, but not what you are requesting the token for.
Unfortunately, things don’t work like that. There are a nearly infinite number of ways for the identity provider to figure that out.
The site will know what the token is for, but will not know who is presenting it.
Same as above.
Wherever you go, whatever you do, there are many entities already tracking you that know precisely who you are and what you are doing. All such legislation would do is add governments to the list. There is no safe or anonymous version version of an identity provider.
What is there to stop the government from later issuing a request to the service owner/operator, by court order, for a list of those verified and the tokens used to verify them (thus linking the accounts and their data to the individuals and their identities)?
Deleting the tokens after verification, presumably. You don’t need to save the token after verification, you set a flag on either the account or the session and discard the token.
There are, of course, always ways. If the government starts tracking at which times tokens were used, and merchants store a timestamp of purchases of age gated content, which is probably required anyway for all purchases, you could get at least some hints on who bought what by comparing first purchase of account with verification time, since it’s likely for those two to be very close together. And that’s just off one data point.
Of course, the moment you pay with anything other than a prepaid voucher bought with cash in a place you don’t normally frequent, you can do similar things with the payment data. Or, if you pay with card, your info is right there.
That said, a government going that far will find any excuse to lock you up anyway, so I don’t have an issue with the method per se. However I still don’t think it’s very necessary to go this far to lock 18+ content online. If anything I’d rather want to see something like this used for spending limits in f2p games and such.
Your ID and associated government software.
The government will know who you are, but not what you are requesting the token for. The site will know what the token is for, but will not know who is presenting it.
Imagine it like buying an old fashioned paper bus ticket, in places where tickets are anonymous and interchangeable. The ticket vending machine will get your card info, but will not know what you’ll do with the ticket. Maybe you’ll board a bus, maybe you’ll trade it to a vagrant for a blowie. The ticket machine won’t judge or connect the blowie to your payment info.
Then the vagrant or the bus driver will not get your card payment info either, they’ll only get the ticket, which you could have gotten anywhere, including by blowing someone for it. The bus ticket is the token, it only confirms payment, not identity.
Unfortunately, things don’t work like that. There are a nearly infinite number of ways for the identity provider to figure that out.
Same as above.
Wherever you go, whatever you do, there are many entities already tracking you that know precisely who you are and what you are doing. All such legislation would do is add governments to the list. There is no safe or anonymous version version of an identity provider.
Name one.
What is there to stop the government from later issuing a request to the service owner/operator, by court order, for a list of those verified and the tokens used to verify them (thus linking the accounts and their data to the individuals and their identities)?
Deleting the tokens after verification, presumably. You don’t need to save the token after verification, you set a flag on either the account or the session and discard the token.
There are, of course, always ways. If the government starts tracking at which times tokens were used, and merchants store a timestamp of purchases of age gated content, which is probably required anyway for all purchases, you could get at least some hints on who bought what by comparing first purchase of account with verification time, since it’s likely for those two to be very close together. And that’s just off one data point.
Of course, the moment you pay with anything other than a prepaid voucher bought with cash in a place you don’t normally frequent, you can do similar things with the payment data. Or, if you pay with card, your info is right there.
That said, a government going that far will find any excuse to lock you up anyway, so I don’t have an issue with the method per se. However I still don’t think it’s very necessary to go this far to lock 18+ content online. If anything I’d rather want to see something like this used for spending limits in f2p games and such.
No u - go learn.
Would that essentially kick all non EU users out?