Coffeezilla does a third part of his CS:GO gambling expose...where he squarely puts the blame on Valve
Coffeezilla does a third part of his CS:GO gambling expose...where he squarely puts the blame on Valve
Valve refused to comment for the video.
![[Coffeezilla] Deception, Lies, and Valve](https://sh.itjust.works/pictrs/image/0016eac1-193e-4b44-8e50-98c08316baa6.jpeg?format=webp&thumbnail=196)
You're viewing a single thread.
Honestly, Valve should just ask for proof that you are 18+ if you want to sell items on Steam market or trade them.
Easiest solution IMO.
When they were asked to implement age verification in Germany, they simply pulled anything off their platform in the country that would require it instead. Mind you Germany has a system that makes age verification anonymous so if privacy concerns you, you could just implement it. (Almost no platform does because they want your data though.)
Valve doesn’t want to touch age verification with a 10 yard stick and that tells me it is probably the way to go here. Because once they have it, the path for more regulations is clear.
In this arena, more regulation is needed. Anonymous age verification is a good idea, but I question the actual anonymity. It usually depends on trust of some entity. And I just can't fathom an entity that can really be trusted.
It uses the government ID, which has a built in NFC chip. You can use a phone in combination with your ID and it's pin to verify your age online. The ID scanner app will tell you which parameters the website requests from your ID, and its possible to only request the birthdate.
I don't like the system, but it is truly anonymous
Sounds like it is only anonymous if you fully trust the app. That app has all your information, and the site you are trying to access. And I bet it is completely closed source. It also likely has logs about what sires it is giving information to. Not who's info in that log. But elsewhere it probably has logs on who's id it verified. Get access to both, and software can start to crunch the numbers and figure out who went where. That if course is assuming they don't decide in the future that it is worth just keeping that data together in one spot. There is just no entity that could manage that app which wouldn't have a motive to use the data and power it has.
No, the app is completely open source and has reproducible builds. And the site you are accessing only gets the information it requested, and you see which information it requested in the app before scanning your ID
I looked deeper are read up. Everything I can find says the age verification function is not anonymous. There is an anonymous login function, but that doesn't seem to include age verification.
Now you are starting to sound like you know what your talking about. But I'm not convinced yet. So when the app sends just the requested data to the site, how does the site verify that the data is legit. A person could fork the app and hack it. I am sure they thought of this, I just don't know what thier solution is. And I can't read german.
(NotOP) these things will usually use cryptographic signatures and if the app has been altered, it'd fail the check.
No clue what they are specifically doing though.
Yeah, something like that. But while your device can validate the cryptographic sig for the app, the site requesting proof of age can't, since it isn't running on the same device as the app. The best I can guess, the app could request verification from the state run site, and specify what information it wants (based on what the requestor site asked for). The state site could use a private key to encrypt the response and give it back. The app could use a piblic key the state makes available to decode and confirm that only the intended information is present. Then the app can pass that to the requestor, who can get the public key from the state site and decrypt the information. But, the gap there is how does the requestor know the app it is talking to hasn't been modified. I don’t think there is a way that it can. Only the device the app is on can verify that. And the requestor can't trust the device either.
Some Authentication that I remember has a component where the requestor would then talk to the state to confirm the info it got from the app was requested from the state by the same app the site is talking to. This prevents using someone elses response as your own. But in this case, that would tie the site to the request which means the state would have both peices of info, who and what site. So I don’t know what there solution here could be that wouldn't result in the same problem.They could (but didnt) do it with zero knowledge proofs as well. Then the website could go back and verify against the state site and no private information would be leaked.
The state would know the site requesting it via IP, but they wouldn't know which proof they were validating.
It's often talked about in the blockchain crypto space, but it's not the only way to use them. You could use it in a centralized system like this too.
Well the entity is the government. You know, the guys who create your ID in the first place. It’s not perfect but it’s the best one I could conceive.
You can trust them to create the ID because it benefits them. But to guard you anonymity... that actually hurts them. So you can be sure they won't.
Foreign corporations are much more aggressive about harvesting data than the German government so you should think twice about using their products in the first place. Most of the time the German government is under fire for privacy concerns it’s because they trusted products from Microsoft or Huawei and the like.
My bad, I had the german government mixed up with probably the brits who are constantly saying they need to be able to read everyone's messages. That said. It's hard to know what the intelligence arm of a government is really doing. So if they give themselves a backdoor, it's hard to ensure only they come in. And the government is always only one election away from dramatic policy changes.
This. ID and anonymity are antithetical
If all the ID consists of, then no it's not.
As long as the part asking for ID trusts the part verifying the ID, there is no need for anonymity to be broken, since the verifier just has to confirm what the asking part needs to know.
Think of it like someone owns a bar and needs to know if a patron is old enough to drink, and the bar owners brother or best friend says "I know that guy, he is old enough".
Not necessarily. As another user noted, zero-knowledge proofs might be able to be used to anonymously age-verify people, if done correctly.
Not going to happen since Valve doesn’t want to manage a database of IDs. It’s why sex games with real life actors aren’t allowed on Steam since that would require Steam to have IDs and consent contracts of all the actors stored on their side.
And Gaben is a hardcore libertarian, probably despises government IDs.
Previously, I had mused over vague ideas about whether blockchain technologies could go into a "proof of real person" system, by one-way-hashing information used to verify only basic details about a person. Eg: They exist, are a unique person, and are over a certain age. Ideally, it could be set up in a way that cannot easily correlate them between company databases.
That said, no real need to poke holes in the idea, because...that was the easy part, and it will probably never happen (or be far more draconian than I describe)
It absolutely can be done with zero knowledge proofs, but it needs to be from an authoritative source.
It could prove you are over the age of 18 (or 21) without having to divulge any other sensitive information, and be untrackable between sites or any outside agency (e.g government doesn't know and can't know you visited a site or location that verifies your age)
They could add it to our drivers licenses or passports or whatever which would cover the authoritative part. Your ID is an NFT at that point, and could be fully digital.
Edit: they might even tie generating the proof to requiring a biometric verification (fingerprint) so you can't give your ID to someone else.
Zero Knowledge proofs are so fucking cool.
Say what you will about crypto in general, but the math behind some of the stuff is just so elegant.
No one has ever denied the math wasn't cool. It's just that the usecase (NFTs) were terrible. I guess the hype has now died down so we might see some actual uses, like land ownership information.
Well I was referring more to things like Monero, not NFTs...
It's just that the usecase (NFTs) were terrible.
It's the use case for digital images.
NFTs in general are still cool. Concert tickets, tokenzied stocks, land ownership, car ownership, digital keys (that can open digital or physical things), digital IDs, it's endless what can be done with them, but it's a long way until some of these things get adopted.
It's one thing to put those into the blockchain and it's a completely different challenge to have a software infrastructure which incorporates the tech end2end. Example - someone put a random image of someelse else's ticket into the blockchain. The ticket checker needs to have a checker app on his phone which can verify this in real time. It's trivial using centralized DBs.
Hopefully we'll get there one day.
I don't even think the business software side is that problematic for a lot of good use cases, it's the general non user friendliness of wallets and having to guard your seed phrase properly and just general technical knowledge.
As soon as your concert ticket is an NFT people can risk losing their ticket, and people will lose tickets.
Making the ticket and scanning the ticket for entry isnt too difficult a problem, and it's entirely fraud proof.
Edit: and so many people get scammed out of their seed phrases while trying to get help because they just don't understand.
Bit invasive if you have to provide photo id...
How often can one get a credit card at under the age of 18?
Surely that is a decent measure of it.
Also age of account? Mine is 21 in just over a week...
You would have to get a credit card though.
I don't have one and I don't want one. A debit card is good enough for me and those are possible and common to get before you turn 18.
I also imagine it's easier for kids to get their parents to enter their credit card details compared to an ID card without asking questions.
You should never use a debit card online, though.
Why?
It works perfectly well for me.
With a debit card that's your money at risk. With a credit card it's the credit card company's money.
Credit card companies are required by law to reverse fraudulent charges, but banks aren't.
What law? My bank will (and has) reversed charges.
Lots of American defaultism in this thread. I only want to state that outside of the US things can be different with regards to banking.
For example, taking up debt is discouraged, while in the US it is encouraged to get a good "credit score".
Here's the thing, I hate the debt obsession in the US, however it's also really not that difficult to not get into way more debt then you can manage (barring medical expenses) and having a high credit score (even though it is stupid) absolutely does help in a ton of ways here.
I would encourage Americans to play the game smart, use credit as if it were debit, do not intentionally go into debt unless absolutely necessary, and if you're in that position you should start seeking help, because getting crushed in debt is fucking awful.
I learned a lot of what NOT to do from my parents and paying attention during the 2008 crisis.
Plus there's extra protections for credit cards, at least in the UK. Spend a certain amount and if the company goes bust you get your money back. Saved my ass with two different airlines that got into financial trouble once they'd taken my money.
I think fraud is required to be refunded by banks as well as credit issuers, but I'm sure most people would rather have money to spend on food and bills while they investigate, and you're not going to get that if your account has been drained.
Don't most debit cards (the ones that have the "Visa" logo) get processed as credit cards online anyway? Unless you're entering your pin number (which, I would highly advise against ever doing on the internet), then it is processed as a Visa purchase.
Or is that only at the point of sale?
They might get processed via the visa network, but the money is still leaving your bank account. Visa never really had it.
So now you gotta deal with visa and your bank to get something back that was stolen, and no, you aren't ending up with the same protections. They aren't as motivated as none of them are out the money.
If it was a credit transaction, the credit card company is out the money, and if you say it's fraud and refuse to pay them, well now they are on the hook. They're now motivated to determine if it was fraud or not as their money is on the line. Also, they now lose out on a potential customer that gives them high interest on debt if they dont undo it (because most people don't pay off their credit cards). There's no debt when it's a debit card and transaction fees are smaller so they earn less from you.
Edit: and even IF you get the money back, it's going to take a lot longer, and that money is gone in the meantime. Needed it for rent? Sorry the fraud investigation takes 2 months. With credit, your rent money isn't gone.
Debit card is tied directly to your bank account with no rollbacks. If somebody gets that info and decides to clean out your bank account, that money is gone, period, and you'll never see it again.
With a credit card, you have a degree of separation and the ability to contest or roll back charges. Debit cards don't do that.
You're in America, right? This isn't necessarily true everywhere.
Yeah, guilty as charged
In Europe it's like this:
Want to do a chargeback with American express or similar credit cards: call the toll free number and do it in less than 90 seconds, instantly approved
Want to do a chargeback with a debit card: you need to go to the police station and report the seller for fraud, then find the chargeback form hidden somewhere on the bank website, fill it and send it back together with the police fraud report via FAX (no email) to the bank, which might or might not approve it in 90 days. If it approves that, they will take a 30 euro fee from what you will get
I just emailed my bank, that was literally all it took. When I log in to my banking website I can do it right there, too. I just emailed them because I was afraid there might be consequences, but they called me up saying they'd already done it for me and I should have no worries
Happened twice, so it's not a one-of, and since I could even do it myself right from the summary of transactions... All direct debit. I don't even have a credit card, so it can't be mistaken.
I guess it might vary depending on how much we're talking... If they're correct that credit card companies are requried by law and banks are not, then I can imagine a bank deciding to refuse to refund a purchase if they feel as if it's too much money. At which point, it becomes much more of a hassle (lawyers getting involved, etc.) to get the money back.
The do in Europe, mate.
I have just set so that I need a digital ID to use the card for digital purchases.
Also age of account? Mine is 21 in just over a week...
Then there will be a market for steam accounts (if there isn't one yet)
There definitely is already a resale market for Steam accounts, mostly used by cheaters or scammers who want a legitimate-looking account with no game or trade bans.
Same way as most kids got gta at 13
Or on the stock market or gambling which this is basically a mix of.
It is a solution for underage gambling, but adult gambling is also a problem
That’s not a solution at all. First of all, depending country, you will need a gambling license. This is a PITA as gambling laws will differ per country. In my country gambling is heavily regulated and you would need to check ID and keep track of how much a person gambles. You have a duty of care and if you notice a person’s gambling habits are becoming problematic you have to refuse them.