• Alaknár@sopuli.xyz
    14 up · 6 down · 8 days ago

    It’s really weird to me how literally anything they say or do is immediately interpreted in the worst possible way here, on Lemmy.

    Let’s get real for a second.

    Is there a bot problem on the Internet in general? That’s a resounding “yes”.

    Do we want to do something about it?

    According to OP - no, not at all.

    I mean, if OP considers malicious everything that Spez listed, the only remaining course of action is inaction and hoping for the best.

    • SuperPengato@scribe.disroot.org
      13 up · 8 days ago

      You’re right in theory, but it’s Spez we’re talking about. I tend to consider that the following is a rational reaction to Spez preparing to take any action about anything in any context:

      Get ready everybody, he's about to do something stupid!

    • FG_3479@lemmy.world
      8 up · 1 down · 7 days ago

      There is a bot problem, but ID checks are invasive, and you can stop the bots with things like hCaptcha Passive and Turnstile, which use PoW to waste the CPU cycles of bots and look for signs of things like Selenium and Puppeteer controlling the browser.

      • FG_3479@lemmy.world
        3 up · 7 days ago

        Passkeys and hardware attestation are also good, as they require a fingerprint or face and bare-metal hardware instead of a VM, but Spez also wants to introduce things like the Worldcoin Orb and IDs as well, which are too invasive IMO.

      • Alaknár@sopuli.xyz
        2 up · 1 down · 7 days ago

        FFS, do you guys just not understand a thing you’re reading, or flat out refuse to read anything on Reddit?

        Who says anything about ID checks or HCaptchas?

        • jj4211@lemmy.world
          4 up · 7 days ago

          Well, it looks like they state three options:

          • Passkeys. This won’t work over a medium term, period. It’s tantamount to saying that SSH keys prove someone is human. If there’s enough interest, they’ll just make a software passkey solution that can work. Passkey being “human interactive” is purely a client-side construct.

          • Biometric services. Strictly speaking, not an ID, but it’s not hard to imagine leveraging capturing biometrics to an ID-like scenario.

          • Government IDs. Well, that’s self-explanatory.

          They do state distancing themselves from the ID by trusting a third party service, but 3rd party ID service is still a thing.

          Of course, this seems to be only after someone accuses you of being a bot and Reddit bothering to pay attention. Which may be almost no one.

          • Alaknár@sopuli.xyz
            2 up · 7 days ago

            Precisely. Any of the listed options is better than a captcha. None of the options are perfect, obviously, we’re using yesterday’s tech to solve tomorrow’s problem, but it’s something, and it doesn’t immediately mean “privacy online is dead”.

            • BJ_and_the_bear@lemmy.world
              1 up · 7 days ago

              I’d rather put up with a captcha than do any of those other things, especially if it was temporary. Or maybe they could do something like Anubis.

                  • Alaknár@sopuli.xyz
                    1 up · 6 days ago

                    Not sure I understand what you mean.

                    Like, you verify the account and then give it away to a bot? My assumption is that the “proof of human” would be a unique identifier, meaning that once you’ve attached it to an account, you can’t use it to verify another.

    • John@lemmy.ml
      4 up · 7 days ago

      https://lemmy.ml/post/45007584/24779562

      You have to read between the lines. This just gives them the option to label anybody they want as a “bot” with virtually no way to challenge them. They can now ban anybody they wish for posting content they don’t agree with (pro-Gaza, anti-Israel, anti-capitalist, etc.).

    • JoeMontayna@lemmy.ml
      1 up · 7 days ago

      Ironically, the only thing that will ever work is identifying a user to a person in one form or another. Otherwise it’s just a never-ending arms race.

      • Alaknár@sopuli.xyz
        1 up · 1 day ago

        Yup! Which is why institutions that already handle identities (governments, banks, etc.) should be involved.

        The way I see it: an institution verifies your identity as a human and has your personal details (such as DoB). A tool (similar to, e.g., Sweden’s BankID) is available to the user. When a website says “you must be 18 years old to access this”, a QR code is generated. You scan the code with your tool, and agree to send only the information about whether or not you’re an adult. Not the DoB, not anything else, just a token of “yup, adult”. If a website has a strong anti-bot policy, the same goes for your “proof of human”.

        This can be set up in a way that guarantees the user’s privacy (e.g. by just not storing any logs).

        • JoeMontayna@lemmy.ml
          1 up · 1 day ago

          Yes, but how does that prevent the authority, in this case a government, from being able to link the token that was used (QR code) back to what it was used for?

          • Alaknár@sopuli.xyz
            1 up · 1 day ago

            Depends on how you create it. It could be set up so that your app talks to the website, and the identity provider, but the identity provider never talks to the website. As in: you get a token from the IP, store it locally, send it out to the website, the website confirms retrieval and logs you in, and then all the logs get purged on your device so they can’t be retrieved.

            The IP side would only see that someone has requested access to some of your data (e.g. proof of age, proof of human, maybe citizenship, if the content is region-locked), and that you have agreed to share it.

            The website would only see the tokens of proof, but not who you actually are.

            Ironically, the tech behind NFTs might be super helpful with this.

            • JoeMontayna@lemmy.ml
              1 up · 20 hours ago

              If I am understanding this correctly, I guess the only problem I see with that is both entities need to trust that the user is indeed being truthful and not sharing a token. I think a system with a neutral third party that takes a token from the identity provider and a token from the website, validates them and sends a result. Or maybe that is what you said.

              • Alaknár@sopuli.xyz
                1 up · 16 hours ago

                Yeah, that’s essentially what I meant. The validation could happen much like with PGP keys and passwords.
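
Added example, not part of the thread or written by any participant: the token flow discussed above (provider issues a proof, the website checks it without contacting the provider, and the provider cannot link issuance to use) sketched with an RSA blind signature, a technique the thread does not name. It assumes textbook RSA with a constructed, insecure demo key; every function and class name is hypothetical.

```python
import hashlib
import secrets
from math import gcd

# Constructed demo key: both primes are Mersenne primes, so the modulus is
# trivially factorable. A real issuer would use a properly generated key and
# a standardized blind-signature scheme, not textbook RSA.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent

def digest(token: bytes) -> int:
    return int.from_bytes(hashlib.sha256(token).digest(), "big")

def user_blind(token: bytes):
    """User hides the token serial before sending it to the identity provider."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return digest(token) * pow(r, E, N) % N, r

def issuer_sign(blinded: int) -> int:
    # Provider signs after checking the person. One key per claim ("human",
    # "adult"), so the signature itself carries no personal data.
    return pow(blinded, D, N)

def user_unblind(blind_sig: int, r: int) -> int:
    return blind_sig * pow(r, -1, N) % N

class Website:
    """Verifies offline with the issuer's public key (N, E) only."""
    def __init__(self):
        self.spent = set()
    def redeem(self, token: bytes, sig: int) -> str:
        if pow(sig, E, N) != digest(token):
            return "rejected: bad signature"
        if token in self.spent:  # replayed token, or one already used elsewhere
            return "rejected: token already used"
        self.spent.add(token)
        return "accepted"

def demo():
    token = secrets.token_bytes(32)  # random serial, known only to the user
    blinded, r = user_blind(token)
    blind_sig = issuer_sign(blinded)  # all the provider ever sees or returns
    sig = user_unblind(blind_sig, r)
    site = Website()
    results = [site.redeem(token, sig), site.redeem(token, sig),
               site.redeem(secrets.token_bytes(32), sig)]
    return results, (blinded == digest(token) or blind_sig == sig)
```

The spent-token set stops a proof from being reused on a second account, but nothing here stops a person from handing an unused token to someone else before it is first redeemed.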