68
Will Lemmy/ the fediverse become age verified platforms? (lemy.lol)
submitted 2 days ago by Ladislawgrowlo@lemy.lol to c/asklemmy@lemmy.ml
38 comments fedilink hide all child comments

Age verification becomes more common. Australia, France, etc. introduce such laws to ban children below 15 years from social media platforms, to protect them.

Will these laws also be relevant to fediverse/lemmy specifically?

Personally I think these laws will focus on the big platforms at first (facebook/meta, youtube, discord, instagramm), which will force younger users with technical skills onto smaller and niche sites. Over time focus on this question will increase for the fediverse.

you are viewing a single comment's thread
view the rest of the comments
[-] warm@kbin.earth 3 points 2 days ago

Depends if the wallet records data of what site required verification. Any amount of privacy being eroded is bad.

[-] dsilverz@calckey.world 4 points 2 days ago

@warm@kbin.earth @Ladislawgrowlo@lemy.lol @asklemmy@lemmy.ml @SirHaxalot@nord.pub

Depends if the wallet records data of what site required verification.

They have to.

Otherwise, the wallet wouldn't be able to verify whether the website is authorized to request age check (say, if a website asks the wallet's API "Hey, please hand me the age checking token for the email foo@bar.baz which you checked for me some time ago, they're trying to access the gatekept sections of my website again", the wallet needs to be sure that this website did request it previously and is not trying to exfiltrate someone else's data), or the person wouldn't be able to know which sites previously got their age checking data (eventually the users will have lots of websites where they previously had to check their age, and as part of GDPR's "Right to be forgotten", they'd need to be sure which ones they would want to revoke previously handled data).

The Age check authn+authz flow isn't unidirectional (i.e only the wallet handing out the result of age check to a website). In a nutshell, it works this way (at least, it's how I think, as a DevOps formerly accustomed with building APIs for websites, how it would work):

  1. User requests to access sensitive ("adult") content from a website.
  2. Website requests the user to check their age.
  3. User agrees to proceed with age check.
  4. Website redirects the user to the governmental wallet
  5. The wallet asks for user authentication and/or 2FA ("open the gov app" or something)
  6. After authentication and/or 2FA flow within the gov app, the gov app redirects the user to an OAuth endpoint within the original website, alongside a unique token
  7. The Oauth endpoint will be invoked by user's browser's request, then the website will check the wallet API if this token is valid.
  8. Gov wallet will check if this website previously went through a flow, then will check the requested token and answer "yes" to the website's endpoint.
  9. Website redirects the user to the walled-garden they requested initially, storing the token both server-side and, indirectly, in the client-side via the framework session id (things such as PHPID cookie key-value pair which identifies a session_start() for PHP websites)

Notice how both the website and the wallet need to communicate in order to establish the authorization needed for the user to access the website.

Any amount of privacy being eroded is bad.

Yeah... Fully agree. And, sadly, this is becoming "normalcy"... ☹

[-] SirHaxalot@nord.pub 1 points 2 days ago

It sounds like you are assuming that the wallet needs to re-validate each session and I don't see why this would be needed. Each user account would just need to validate their age once then the website operator could store this in their database. If you've validated once you can be sure the user keeps being old enough.

[-] yelling_at_cloud@programming.dev 1 points 2 days ago

I believe that it's specified in the architectural reference framework that it has to re-validate every session, to ensure that the token hasn't been revoked. I'd be happy to be corrected, though!

[-] dsilverz@calckey.world 2 points 2 days ago

@yelling_at_cloud@programming.dev @SirHaxalot@nord.pub @asklemmy@lemmy.ml

Exactly! This, too. I forgot to mention it in the reply I just sent to SirHaxalot. And given the GDPR "Right to be forgotten", an authorization must be revocable, so this means an authorization must be re-validated, even if this doesn't necessarily mean having to go through the age check flow all over again.

load more comments (1 replies)
load more comments (1 replies)
load more comments (1 replies)
this post was submitted on 17 Feb 2026
68 points (97.2% liked)

Asklemmy

53148 readers
658 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy 🔍

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~

founded 6 years ago
MODERATORS
Cloak@lemmy.ml
14specks@lemmy.ml
mekhos@lemmy.ml
tmpod@lemmy.pt