What's the Alternative to Age and Other Verifications?
Every case is unique. Some of these emerged naturally. Some of them are imposed by governments.
CAPTCHA, the way we still encounter it, is the result of ignorance of the first signs of passing the Turing test. KYC is more complicated: it’s usually associated with the reductionist opinion that it’s just the lobbyists’ mass surveillance thing, while it could also happen semi-unconsciously, because of a lack of proper alternatives that governments could even consider in order to counterattack… their own helplessness and accumulated stress from the polycrisis we are all facing, probably.
My proposal here is to recontextualize the issues, observe more fundamental problems, and solve them instead. Solve something that at least seems to be solvable today.
CAPTCHA/PoW Torture Test
It seems like CAPTCHAs are almost testing the opposite thing already: if a user is so desperately passing these puzzles all the time, if a user doesn’t feel tortured enough to leave these absurd pages—it’s probably a bot.
Detecting simple malicious attacks (dumb social spamming, dumb technical DoSing, etc.) still makes a lot of sense. Using (unexpected) traffic as a source of useful computations makes even more sense (especially traffic from the users who were reported by highly trusted ones, e.g. from WoTs). But attempts to specifically target bots—this doesn’t have the potential to work in the long run (if at all, already).
A partial solution is already there
CAPTCHAs have been testing the wrong thing. Now it’s also weird to see how some PoW pages still say “we’re checking that you are not a bot”—this is obviously false; they are checking that I’m a “non-malicious bot” now. And that’s much better!
But still, PoW pages are torturous as well: they shouldn’t block users from interacting with a website; the mining should happen only in the background, probably for certain actions only, so non-malicious users/bots won’t even notice it. That’s why I’m relatively tolerant of NIP-13, even though it’s far from an ecologically optimal solution.
The best solutions will possibly arise from decentralized UPoW.
I think it’s the best time to start working on the related NIPs.
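How the NIP-13 proof of work mentioned above is produced and checked, as an added example that is not code from the original post or from any nostr project. The sample event and its placeholder pubkey are constructed; the id is computed the NIP-01 way and the difficulty is the number of leading zero bits of that id.

```python
import hashlib
import json

def event_id(ev):
    """NIP-01 id: SHA-256 over the compact JSON array (matches for ordinary text)."""
    fields = [0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]]
    raw = json.dumps(fields, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(raw.encode("utf-8")).digest()

def leading_zero_bits(digest):
    """NIP-13 difficulty: count of leading zero bits in the event id."""
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits

def mine(ev, target):
    """Client side: bump the nonce tag until the id reaches the target."""
    tags = [t for t in ev["tags"] if t[:1] != ["nonce"]] + [["nonce", "0", str(target)]]
    ev = dict(ev, tags=tags)          # copy, so the caller's event is untouched
    counter = 0
    while leading_zero_bits(event_id(ev)) < target:
        counter += 1
        tags[-1][1] = str(counter)
    return ev

def accept(ev, required):
    """Relay side: recompute the id and also require a committed target, so an
    event mined for a low target that merely got lucky is not accepted."""
    nonce = next((t for t in ev["tags"] if t and t[0] == "nonce"), None)
    try:
        committed = int(nonce[2])
    except (IndexError, TypeError, ValueError):
        return False                  # no nonce tag, or no usable target in it
    if committed < required:
        return False
    return leading_zero_bits(event_id(ev)) >= required

# Constructed sample event (placeholder pubkey, not a real key).
SAMPLE = {"pubkey": "ab" * 32, "created_at": 1700000000, "kind": 1,
          "tags": [["t", "dating"]], "content": "hello"}

if __name__ == "__main__":
    mined = mine(SAMPLE, 12)
    print(mined["tags"][-1], event_id(mined).hex(), accept(mined, 12))
```

Each extra bit of required difficulty doubles the expected mining work while the relay's check stays a single hash, which is what lets the cost fall on the sender only for the actions a relay chooses to gate.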
KYC and “children’s safety”
Mass uploading of papers to servers, besides the obvious privacy issues, is something like another irrelevant cookie-banner annoyance tyranny: it won’t solve the core issue of the so-called children’s safety. It will produce even more chaos: more advanced AI systems to bypass such checks will become the new normal. New absurd AI regulations will follow as the result of this mistake.
A domino of mistakes. Then they will require full access to the servers to ensure they are “safe enough”. What’s next? Even if it’s full hardware surveillance totalitarianism with client side included, what will they do with the radio amateurs and open-source hardware, for example? Pointless tyranny.
It seems this won’t ever work, no matter how much tax money is wasted. But that’s not obvious to the masses, who pay for all this circus. And postmodern-ish art doesn’t really help them; we need to be clear, and we need to provide actual solutions. Ideally, change the trend.
Dating example
I recently discovered how ethically and legally problematic running a dating/friendship app has become today. Especially for children.
I also heard that some people are now asking governments to require KYC as a solution 🤦‍♂️ And I can understand them. Imagine you’re an average non-hacker parent who faces your child’s abuse through one of these apps. What would you do? Blame those who made the app? Configure parental controls?
The way society is currently structured, it would be a natural thing to complain specifically to governmental systems about everything related to online abuse issues.
But bureaucrats are not designed to solve issues of such complexity! Bureaucrats are not hackers, and unfortunately, historically, they were always dramatically bad at systems thinking.
It’s not just a conspiracy/authoritarianism, if you will; it’s also a lack of cognitive complexity in these systems. It’s better to interpret some of them as naive medieval inquisitors rather than stereotypical Dr. Eggman/Evil/etc.
Protesting by implementing something better is only a partial solution
Now, we’re not perfect either. We’ve put ourselves in a position where we’re always in an ideological confrontation with the governments and teaching people how to resist them. How sustainable is that position?
I believe just teaching the masses about privacy isn’t enough. We tell them what not to do, but what should they then do to address issues like child abuse on dating websites?
This is a complex question. But when it comes to the specifically technical part—I think we need new social institutions, made by ethical hackers, specializing in the socio-technical issues in various systems. Not something like EFF (which works in the scope of confronting governments), but something that focuses on monitoring, receiving, and processing the relevant complaints, and something that designs solutions that all sides, including governments, actually may like. Something that ideally competes with and outruns governments before they even need to “think” about the next regulation.
And we need to teach the masses to ask these institutions for relevant solutions, not the governments that tend to oversimplify everything and literally solve technical problems with bureaucratic barbarianism.
Now, of course, while we still lack these institutions, we need to keep exchanging better ideas and implementing them, demonstrating that they are actually possible.
Alternative to KYC
What would be an appropriate nostr-based dating/friendship app solution? Specifically designed for finding people in the same location for further offline dating. Let’s try to imagine one.
Dating from a normal trusted npub is probably not appropriate for many people. On the other hand, new, almost empty pseudoanonymous npubs don’t make much sense, as they have no trust.
Suppose you create special pseudoanonymous profile(s) designed specifically for dating. Such a profile will be visible in dating apps only.
Here you can set your bio with the relevant facts that you like foot hugs, certain hobbies, or whatever, without being embarrassed. You can set your age and so on, just like on normal dating websites.
This pseudoanonymous profile is still not trusted, but users can explicitly give permission to trust ranking services of their choice to acknowledge the normal-pseudoanonymous connection (with cryptographic proofs from both profiles) so the services could assign the same trust rank as on the normal profile.
Now this dating profile can be prioritized for matching. Untrusted profiles will receive a corresponding warning badge (or will simply be ignored, using the app settings, probably by default).
What would we do with the abusive scenarios?
Every pseudoanonymous dating profile can report another one (if they at least had a conversation). They can provide the related location and even forward some of the DM messages as part of the report (much better than cryptographically unverifiable, possibly fabricated screenshots with “removed” messages that are usually shown to cops). The reports should be private. But who is the receiver?
Now the scary part. It’s scary, but only for abusers.
Suppose you also have the cop bots, dedicated to specific locations, a FOSS solution that can:
- receive the private reports
- probably analyze them with local AI models (from simple spam checks to identifying the severity and priority of the report, aggregating them somehow)
- forward the reports to the real cops of the related location
- send acknowledgement/proof back to the reporter that the report is actually recognized as valid, that it’s accepted and forwarded to the real cop
- provide the possibility for further communication with a real cop for the reported case, for instance, for additional DMs forwarding; or to help with a new date arrangement with the abuser, but also with a cop instead of the victim this time.
All this without prematurely revealing the real identity of both the reporter and the reported. Reporters technically aren’t required to reveal their identity at all if they don’t trust the real cops; they may keep reporting abusers without further legal procedures; these reports later will be useful if some other reporter attempts to start a legal case against the same abuser.
This can go with further complexification, to the point where this cop bot would attempt to deceive the reported abusers by automatically generating fake pseudoanonymous profiles relevant enough to the abusers. These profiles will automatically match only with the abusers and will be instantly removed when none of the expected abusers accepts the match with them. Those who matched will be provided to the real cops for the “special dating”.
Of course the connection between real cops and the bot cops should also be cryptographically verifiable by apps. Real cops should have the .well-known/nostr.json (NIP-05) on their governmental website. The cops can run the bots themselves if they want and if they have enough capabilities for that.
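The app-side NIP-05 check this relies on, as an added example that is not code from the original post. The `.example` domain, the placeholder key and the `official_suffixes` policy (which domains an app treats as governmental) are assumptions of the example; the check shows that the domain vouches for the key over HTTPS, so its strength is that of the domain and its TLS certificate.

```python
import json
import re

LOCAL = re.compile(r"[a-z0-9._-]+")                # NIP-05 local-part alphabet
DOMAIN = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")  # bare hostname: no path or userinfo
HEX_KEY = re.compile(r"[0-9a-f]{64}")              # nostr.json lists hex keys, not npub

def nip05_url(identifier):
    """Split 'name@domain' and return (name, domain, URL the app must fetch)."""
    name, _, domain = identifier.lower().partition("@")
    if not LOCAL.fullmatch(name) or not DOMAIN.fullmatch(domain):
        raise ValueError("malformed NIP-05 identifier")
    return name, domain, f"https://{domain}/.well-known/nostr.json?name={name}"

def verify_nip05(identifier, claimed_pubkey, status, body, official_suffixes):
    """True only if an official domain's nostr.json maps the name to claimed_pubkey.

    status and body are the HTTP response for nip05_url(identifier), fetched
    with redirects disabled. official_suffixes is app policy (an assumption of
    this example): the domains the app treats as governmental.
    """
    try:
        name, domain, _ = nip05_url(identifier)
    except ValueError:
        return False
    if not any(domain == s or domain.endswith("." + s) for s in official_suffixes):
        return False      # well-formed, but not hosted on an official domain
    if status != 200:     # NIP-05: a redirect must be ignored, never followed
        return False
    try:
        listed = json.loads(body)["names"][name]
    except (ValueError, KeyError, TypeError):
        return False      # not JSON, or no entry for this name
    return (isinstance(listed, str) and HEX_KEY.fullmatch(listed) is not None
            and listed == claimed_pubkey)

# Constructed sample data: placeholder key and a reserved .example domain.
COP_KEY = "c0" * 32
SAMPLE_BODY = json.dumps({"names": {"bot": COP_KEY}})

if __name__ == "__main__":
    print(verify_nip05("bot@city.police.example", COP_KEY, 200, SAMPLE_BODY,
                       ["police.example"]))
```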
Real cops that would attempt to abuse the system will be, for instance, disconnected from trust services: their fake dating profiles will become invisible to most dating app users.
If cops don’t really work in your country—maybe you have some related volunteers? They can also run these bots and, for instance, spread certain cases to journalists and provide statistics to them.
This is briefly it
No KYC is required to catch another Appstein. And no KYC would ever help there. Real abusers will fake KYC, but they won’t be able to fake the dating with a… sudden cop.
And all this has nothing to do with the particular age range. When the boundaries are that healthy, this is useful for everyone. Further legal processes will take age into account as usual.
My guess is that governments will be interested in these bots. If they aren’t, or if they attempt to pervert this idea somehow—this will be another sign that they are interested in something different from solving the real systemic issues.