  • Hm, I’m reading the spec. It seems more simplistic than I was expecting.

    Issuance of Proof of Age attestations (step 3)

    Once the User’s age has been verified, the AP may either issue the Proof of Age attestation directly to the User’s AVI or generate a pre-authorized code and provide it to the User as part of a credential offer. At a later stage, the User can present this credential offer through their AVI to obtain the Proof of Age attestation.

    Confirmation and presentation (step 5)

    The AVI receives the Proof of Age request and presents it to the User. The User reviews the request details, verifies the information, and confirms the transaction to proceed.

    The AVI securely transmits the Proof of Age attestation to the RP.

    Guess it does just pass the attestation around.

    2.2.3 Revocation and Re-Issuance In its current form, the solution does not support revocation or re-issuance. Adding support for these features would introduce additional complexity, which could hinder the rapid adoption of the solution.

    The attestation is ideally only used once and issued in batches, so this is both good and bad I guess, since if they ask to track you and they haven’t already recorded all the attestations, they’ll need to wait for you to generate more.

    Unlinkability: The goal of the solution is to prevent user profiling and tracking by avoiding linkable transactions. Initially, the solution will rely on batch issuance to protect users from colluding RPs. Zero-Knowledge Proof (ZKP) mechanisms will be considered to offer protection. More details are provided in Section 7.

    Basically a big TBD. Lovely.

    The more subtle attack you mention could probably be avoided if the root certs and so on or whatever equivalent they’re using are public and you check that the attestation given to you doesn’t include extraneous details (which ideally the app would do for you). Not sure how that’ll interact with the zkSNARK solution provided as an “experimental feature.”

    It doesn’t really matter though since they can just record the attestations when they’re issued, so they just have to say “look for these attestations” to whatever site and they can track your visits.

    It is recommended that the Proof of Age attestation be designed as a single-use credential and remain valid for a maximum period of three (3) months from the date of issuance. If a revocation mechanism is required, a status list may be utilized as an effective solution for managing the revocation status of attestations.

    Of course, using it in batches is only “recommended,” so I guess they could just issue it once and continuously reuse it, in which case it would be very easy for websites to link it to you.

    There’s probably more I could pull out, but yeah, doesn’t seem great based on the spec :|

    EDIT: based on my reading of the ZKP spec linked in the main spec, it seems like it should work correctly, but as long as it’s an “experimental feature” and not always used it’s not really useful. They mention that in cases where the ZKP setup can’t be used it should be able to fall back to the token setup. Ideally it really shouldn’t do that, especially if it doesn’t specifically tell you that it can’t continue without using ZKPs and thus potentially leaking your identity.
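    The linkability argument in the comment above, as an added toy model (my own Python, not code from the spec or from the commenter): an age provider (AP) issues attestations to users, relying parties (RPs) record what is presented to them, and two collusion scenarios are checked. The RP names, the users “alice” and “bob”, and the use of random hex strings as stand-ins for signed attestations are all constructed assumptions of this example.

```python
"""Toy model of Proof of Age attestation linkability (constructed example)."""
import secrets
from collections import defaultdict


class AgeProvider:
    """Issues attestations and keeps a record of every one it issued."""

    def __init__(self):
        # attestation -> user it was issued to, as known only to the AP
        self.issued = {}

    def issue_batch(self, user_id, n):
        # Random hex stands in for a signed attestation (assumption, not the spec format).
        batch = [secrets.token_hex(16) for _ in range(n)]
        for att in batch:
            self.issued[att] = user_id
        return batch


class RelyingParty:
    """A site that checks age and logs the attestation value it was shown."""

    def __init__(self, name):
        self.name = name
        self.seen = []

    def present(self, attestation):
        self.seen.append(attestation)


def simulate(reuse):
    """reuse=True: one attestation shown everywhere; False: one fresh batch item per RP."""
    ap = AgeProvider()
    rps = [RelyingParty("shop"), RelyingParty("forum"), RelyingParty("video")]
    alice = ap.issue_batch("alice", 1 if reuse else len(rps))
    bob = ap.issue_batch("bob", 1 if reuse else len(rps))
    for i, rp in enumerate(rps):
        rp.present(alice[0] if reuse else alice[i])
        rp.present(bob[0] if reuse else bob[i])
    return ap, rps


def colluding_rps_link(rps):
    """RPs alone compare logs: attestation -> RPs where the same value appeared."""
    where = defaultdict(set)
    for rp in rps:
        for att in rp.seen:
            where[att].add(rp.name)
    return {att: sorted(s) for att, s in where.items() if len(s) > 1}


def ap_links(ap, rps):
    """AP joins in: each presented attestation is mapped back to its user."""
    visits = defaultdict(set)
    for rp in rps:
        for att in rp.seen:
            visits[ap.issued[att]].add(rp.name)
    return {user: sorted(s) for user, s in visits.items()}
```

With reuse, RPs alone can link every visit; with single-use batch attestations they cannot, but an AP that kept its issuance record still links everything, which is the gap the ZKP variant is meant to close.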



  • I realize this probably won’t change anything given what you’ve said, but I felt compelled to reply.

    I do not think banning something because it has queer representation or something similar is a good idea. I haven’t watched that show, so I cannot comment on it in particular, but if all it was doing was going “here are these queer people living normal lives like everyone else,” then there’s no real harm. All banning stuff like that really does is cement in your child’s head that these people are weird and abnormal when she finds out they exist (especially if she asks your wife, it sounds like). Importantly, hiding stuff from your kids isn’t gonna stop them from learning about it; they’ll learn through alternate sources eventually.

    Anecdotally, my conservative parents did something similar with my younger brother. They banned certain children’s networks on TV when he was growing up because they didn’t like the content. Well, he eventually got unfettered access to YouTube and the internet as a whole and is now a fascist (self-described). Presumably the only reason he isn’t virulently anti-LGBTQ+ is because I am LGBTQ+. I, on the other hand, had to research practically everything myself because I felt like I had no one I could talk to given my parents’ views (especially given some of the horror stories on the internet). Note that I grew up when LGBTQ+ representation in children’s shows was pretty much nonexistent or super minor still.





  • Generally there are no real problems. If you’re fine with mostly stock AOSP, you should be fine with GrapheneOS.

    If you use Google Pay, you’re out of luck. There are alternatives for that depending on where you live though (mostly in Europe, in the US there’s no other option AFAIK). Rarely an app won’t work, but usually fiddling with some security settings for the app will fix it. Very rarely an app won’t work at all because (like Google Wallet) it uses Play Integrity and requires a level that requires Google to certify the OS.

    Pretty much the only thing I miss is the ability to do NFC payments.