I'm a little confused here from the explanation and examples - how is this anonymous exactly? The examples require that you pass their 'changefly user id' and ip address. Both of these are fairly unique identifiers (especially when combined). The mention in the developer documentation that you may prompt them for the user's changefly PIN in the case of an IP address mismatch implies that you are storing the user's IP in some form or another - so basically users are having to trust that you aren't storing information about these 'changefly connections'. This is just one further hop from having the government provide this service themselves, since if they really wanted to, what is stopping them from coming to you and saying 'I want a list of all websites that user at X ip address did age verification on'?
How is this any different from outsourcing attestation to a third-party?
Considering most regulations require the party reliant on validating the data to store the source or proof, it seems like the only plausible mass-deployment of this approach would be US state-based ID systems specifically for drinking/anonymous patrons. That excludes driving, gambling, restricted entertainment, medicine etc.
Countries wouldn’t adopt it nationally or federally, they’d copy it.
Maybe online games or communities that want to keep the age of users above a set amount? I don’t see them paying for this though.
Am I missing something?
I know Cardano has something similar (not sure how it's anonymized but it operates on the need-to-know basis) called Veridian[1][2]. And, of course, there are identity platforms from Ethereum[3].
[1] https://www.veridian.id/
[2] https://cardanofoundation.org/blog/veridian-digital-identity...
[3] https://ethereum.org/en/decentralized-identity/
The linked article seems purposely vague so much so that I'm wondering if you're a scam. It just has some privacy keywords like "zero knowledge proofs", but it doesn't really explain what's going on. Diving deep into your privacy policy, to know how it works - shows you use a third party for the initial verification?
>For example, our Third-Party Providers may verify your government ID when you register for Changefly Anonymized Identity Protection[1]
[1]: https://www.changefly.com/policies/privacy-policy
What is the enrolment process for users that want to prove an attribute or credential?
While a zk-proof solution for IDs is sorely needed, I too am wondering how the initial setup works.
Just have a simple video on the homepage like https://heyblue.com showing someone new to the product start using it. Montage with a few examples would be nice.
The app screenshots could be improved.
Edit: clarity
Kind of wild you're willing to involve yourself with the PII footgun.
There is no acceptable amount of PII a business should hold unless required to by the government for extremely limited industries (i.e., banking or medicine or the act of employment).
Every single government that is requiring age verification is not also legally indemnifying companies that are performing this. Every single company that is trying to provide this will be hung out to dry when this blows up in their face: the company will be heavily fined under the existing laws in that country.
In many countries, banks that have to follow KYC or similar laws or hospitals that have to follow HIPAA or similar laws are given at least some form of partial legal indemnification as long as they can prove they were following the law. This is why they almost uniquely keep getting away with it with a slap on the wrist when they inevitably fuck up.
This will never be offered to companies like yours. You are taking on, essentially, infinite legal risk to make a quick buck.
If your legal counsel is telling you they can defend you from this, I suggest finding new legal counsel. IANAL, IANYL, but proceed very carefully. This is not a technological problem, this is a legal problem, and you cannot solve this with technology.
This is definitely something that is needed. But I don't know if you're doing the privacy bit right and I can trust you. What I'd like to see next is a technical paper where you explain all your claims.
You're in the trust business. You haven't earned it yet.
If you can't really do the privacy bit with 100% absolute guaranteed certainty using technical means, you could also have a third party audit you daily. Yep, daily. That would be fine by me too.
Seems to require an app. Which instantly gives ChangeFly my PII. Nope.
Anonymized identity requires some entity to certify that a given token proves what it says it does. That is an awesome power, and given the abuse of that power by private companies who have gained it in the past, I'm not going to give it to ChangeFly, whoever they are.
Which begs the question of who we DO trust enough to provide this service. Perhaps our banks?
I would not consider identity/age verification to offer a path to a "less-intrusive internet".
This is definitely the future: non-governmental entities compete for business, users KYC and self-identify with one or more of them, and they take the legal risk via insurance policies if children slip through. Then third-party sites trust the third-party vendors, who approve users without passing the PII.
Sure, the third-party identity vault companies could be hacked, but I would prefer one of those over a million various sites of dubious quality taking my PII themselves.