zlacker

1. sterli+(OP)[view] [source] 2025-09-17 01:46:10
It looks like MitID is basically country-wide SSO, isn't it? Then isn't MitID collecting every website you authenticate to via the redirect URI?
replies(2): >>taneli+cr >>ulrikr+mk4
2. taneli+cr[view] [source] 2025-09-17 06:02:26
>>sterli+(OP)
Ah, yeah, that actually makes sense: now that the USA no longer shares intelligence information with some countries it previously did (or can't be trusted to do so), they have to implement alternatives.
3. ulrikr+mk4[view] [source] 2025-09-18 08:51:02
>>sterli+(OP)
Yes, but MitID is also only intended to be used in places where you are not anonymous to begin with, so this is actually OK and also gives you access to a central audit log of where your MitID credentials were used.

MitID is different from the proposed app-based solution for age verification which is designed to not leave a trail. The age verification app will initially be enrolled using MitID (or perhaps by a physical visit to a citizen service point where you can show physical credentials and answer security questions), but subsequent presentations of age verification proofs to service providers will be done without involving a central party.

All in all, it is a good design from a privacy perspective. The major issue with it is that ONLY a smartphone-based solution is planned, and that there is a high likelihood that it will depend on Play Integrity attestation. This will force everyone to be customers of Google or Apple if they want access to the full internet. I think it is technically possible to also offer alternative solutions based on secure hardware tokens which would still enable people without smartphones to verify their age in a privacy-preserving way, but this is not planned.

replies(1): >>Hooded+rsF
4. Hooded+rsF[view] [source] [discussion] 2025-09-30 19:18:42
>>ulrikr+mk4
When it comes to age verification - I still don't understand how you'd make it subpoena-proof? Like, the ones I've seen proposed protect you from the site itself getting more data than it should. But what about a government agency subpoenaing the website to see what credential this account was verified with and then comparing with the age-assuring agency's logs?..