Post · bonfire.cafe

@neil@mastodon.neilzone.co.uk · 6 days ago

"Email-based age assurance" has been deemed to be (capable of being) "highly effective" under the UK's #OnlineSafetyAct

Annoyingly, this means data sharing and only works if someone uses the same email address with multiple third parties.

My email address is well above the age of majority in the UK, but surely "Neil likes to reply in-line and signs email with GPG" is a good enough indication of grey-beardedness anyway.

qwerty9537

@qwerty9537@mastodon.social · 5 days ago

@neil I am rather worried about this act. Lol
We'll see what happens I suppose

AMS

@AMS@infosec.exchange · 6 days ago

@neil I can't wait for everyone involved in using emails for age verification to get GDPR'd back to the 90s.

Nigel Metheringham

@nmeth@mastodonapp.uk · 6 days ago

@neil I give every company I deal with a different email address… with a few exceptions (those that take email address from PayPal) - and that one I rotate occasionally

DavyJones

@DavyJones@c.im · 6 days ago

@neil I do not understand how this could possibly be GDPR compliant. I have used my email address at a number of large companies, but none of them had "age assurance" as a purpose of processing or sharing of my personal information so they cannot rely on consent.

Edinburgh Man

@edinburgh_man@mastodon.scot · 6 days ago

@neil I don't use my Gmail account much anymore, but I see that the settings page says that POP3 is enabled for all mails received since May 2007, so I guess I'll probably be okay. If I was willing to use it with a third part verification service.... that account must predate 2007 because it was during the invite only phase. I suspect my yahoo email address has been an adult for 10 years!

bonzi

@bonzi@glauca.space · 6 days ago

@neil I mean, if you're still rocking an ntlworld, blueyonder, or insert legacy ISP email, that's enough to date a person above 18 at this point 🤣

Derick Rethans

@derickr@phpc.social · 6 days ago

@neil I use a different email for (nearly) every site...

happyborg

@happyborg@fosstodon.org · 6 days ago

@neil Do domains count? Because I've owned two for decades and use a different name@domain for each third party who requests an email address.

Of course not.

Martin Hamilton

@m@martinh.net · 6 days ago

@neil It's that magic word "email" again, isn't it?

(drifts off into Ofcom reverie...)

If only everything could be email again.
Like in the good old days.
None of this nasty app stuff.
Or that terrible social media, whatever it is.
You knew where you were with email.
It was reliable and trustworthy.
I used to get several emails every day...
The widow of the late General Sani Abacha.
Winning the Green Card Lottery.
There was nothing quite like it.
I replied to every single one.

acb

@acb@mastodon.social · 6 days ago

@neil @ben That’s the dating-service approach of pinging data brokers with a hash of the email and, if they don’t have demographic data on the user, treating it as a probable psycho killer?

Norm Tovey-Walsh

@ndw@toot.wales · 6 days ago

@neil It's funny. I signed my email with PGP for 20+ years and finally gave up just this year. That extra attachment just confuses too many people and in 20 years, exactly two people sent me messages using my public key.

Mike Coats 🏴󠁧󠁢󠁳󠁣󠁴󠁿🇪🇺🌍♻️

@mike@mikecoats.social · 6 days ago

@neil If I hadn’t let my “alt”’s domain lapse a few years ago, I’d have had an email address old enough to vouch for its own access. As it stands, I’ve only got one that’s old enough to go to high school.

GinevraCat

@GinevraCat@toot.community · 6 days ago

@neil That's the perfect Bridget Jones mingle introduction line! 🤣

Tony Hoyle

@tony@toot.hoyle.me.uk · 6 days ago

@neil I don't see how email tells you anything.. easy to spoof, and almost nobody uses things like gpg for verification.

Neil Brown

@neil@mastodon.neilzone.co.uk · 6 days ago

@tony

> I don't see how email tells you anything

Leaving aside spoofability (which I presume a provider should be verifying by checking that the user can receive an email at the given address), the gist is that the email-based age assurance provider checks with a third party (e.g. a bank) who has already done age/ID assurance of the user.

penguin42

@penguin42@mastodon.org.uk · 6 days ago

@neil @tony Tricky given I use a specific address for every financial institution

Neil Brown

@neil@mastodon.neilzone.co.uk · 6 days ago

@penguin42 @tony

> Annoyingly, this ... only works if someone uses the same email address with multiple third parties

Indeed :)

Tony Hoyle

@tony@toot.hoyle.me.uk · 6 days ago

@neil Banks shouldn't be giving out customer details to 3rd parties, and I expect (well, hope) that's already regulated.

But as someone who tends to use unique emails, that wouldn't work.

OTOH a child with access to the family PC could easily 'prove' access to the parents email..

Ret

@ret@furry.engineer · 6 days ago

@tony @neil I’m guessing (hoping?) it’ll be hash-based. Services that do their own AV provide a “Hey is this email hash owned by someone over 18?” API to (presumably paying) services. So some measure of privacy is retained…

Buuuuut, we all know it won’t be done like that. It’ll be done in whatever way collects the most data and extracts the most value from customer information.