
This should be held up as a visceral demonstration of how the "slippery slope" isn't inherently a fallacy, as many oft like to claim: it is merely a form of argument that is easy enough to get wrong--leading to a fallacy when the cause is disconnected--that people have become overly-wary of it, reacting to the premise of the conclusion without even bothering to analyze how steep the slope might be before tuning the idea out :(.


IMO slippery slope is a fallacy when the small step only supports the big step symbolically, shifting the “Overton Window”. It’s true that the Overton Window has some effect, but we shouldn’t avoid taking a step towards the middle just because it’s also a step towards the opposite bad side, if the middle is good.

Wrt. privacy, the real issue is that the small step helps the big step not just symbolically. ID-based age-verification, even when used for good reasons, gives the state and government access to its people’s history of age-restricted content. If this government decides to, say, prosecute anyone who viewed/bought/consumed (inane) X, it’s far easier vs. a government that doesn’t have age-verification. Both governments face major opposition, but the latter government’s opposition is more effective, because the former’s has already shared their history.

One thing the article doesn’t state but implies, that I don’t agree with, is: the slippery slope is still a fallacy, when a government first decides to age-gate reasonable X (e.g. porn) then unreasonable Y (e.g. history books). Because said government will receive almost as much opposition and people doing work-arounds for Y, as if they went straight to age-gating Y; although not exactly as much, I generally assume (and hope) the difference doesn't outweigh the benefits of "stepping towards the middle". In the article, X is porn, and Y is facial cream, dating apps, and diet pills. But these things arguably should be age-gated; and even the article’s talking points are not that these are OK for children, but that gating them gives the government data on more people (which is a real slippery-slope, not a fallacy, as explained in the above paragraph), specifically people who don’t watch porn (perhaps some of the readers don’t mind porn viewers being monitored because they aren’t one of them). If states were to actually start age-gating history books, I guarantee there would be serious opposition, including from people who are completely fine with age-gating porn.


IMO the problem isn't ID-based age verification specifically, it's that such verification is usually implemented in a way where the service in question gets a lot more data than they need, with no real control over how that data is kept and processed.

It would absolutely be possible to implement that stuff in a fully privacy-preserving way, with nothing but basic cryptography, and the government could absolutely enforce that implementation.

Nobody is actually interested in promoting that though, the anti-big-tech crowd just wants verification no matter what, and the pro-privacy crowd just wants something to get angry about. Nobody is looking for a reasonable compromise here.


> It would absolutely be possible to implement that stuff in a fully privacy-preserving way, with nothing but basic cryptography, and the government could absolutely enforce that implementation.

There are ways to do this which are less bad, but there is no way to do it "in a fully privacy-preserving way" without also making it fully ineffective, because if there is no way to prove who someone is then there is no way to catch anyone providing false age verification as a service to minors. But if there is a way to prove that, you've demonstrated the existence of a privacy failure because you could then use the same mechanism to determine what someone is looking at.


I don't see how it could be fully privacy preserving. It's the government trying to get the information, the repository is not secure!

However, you could come close. Sell a simple USB device that generates codes. It can only be purchased in person by showing ID--but the ID is not recorded. Down the road it can only be traced to the device, not to the purchaser. But you would no doubt see them for sale by unscrupulous individuals reselling them.


Why does everyone want to make it complicated?

You don't need hardware. You don't need cryptography. You show your ID and you get a password. The password is the same for everyone so it can't be correlated with anyone.

Will people share the password? Of course, and they would also share the signatures or devices or whatever else, because you can't prevent that while also preserving privacy.


You can verify who someone is without knowing specifically who "who" refers to. We do it all the time. I give a one-time code to service X and it knows I am who I say I am, but the code I gave is virtually worthless information. All it knows is that I have credentials, and I am the authorized person to have those credentials because I have physical access to some device, unknown, which is known to belong to said person.


You're omitting the part where you have to disclose who you are to the party issuing the credential. If they issue you a unique credential while knowing your identity then they can trace back all your uses of it to your identity. When that party is the government or within the government's jurisdiction, the government has the capacity to do that even if the services where you use the credential are operated by a third party, so you very much haven't solved the privacy problem.

The only way to actually solve it is to make the credential non-unique, i.e. issue the same one to everybody so they're fully indistinguishable. That does solve the privacy problem, but then you have the "who is telling the kids the secret password" problem.


The party that you must disclose your identity to doesn’t necessarily need to see the credential you will present to the party you wish to demonstrate your age to.

A blind signature could be used to have the ID checking party sign the credential without seeing it.


That's just introducing a complex new vector for compromise without getting out of the dichotomy.

Option 1: Bob gets a credential that can be traced back to Bob; privacy fail.

Option 2: Bob gets a credential that cannot be traced back to Bob, shares it with everyone; defeats the system.

Notice also the tradeoff you're forcing for no benefit. If Bob has a unique blinded signature, even if the signer doesn't know the unblinded value, the verifier would and so Bob has to get a new signature for each use or the verifiers could correlate one use with another. But needing a new signature for each use creates a timing attack because now you can see that every time "someone" presents a signature to use a particular service, Bob had just requested a new signature.

In this context blinded signatures have only costs and no benefits over universal shared passwords.


But can't the id checking party share info with the identity verification party to connect the dots?


Let W be a website that wants you to give evidence you are an adult.

Let C be an age check service.

A first stab at this would be something like this:

  1. W gives you a token T
  2. You show T and proof of identity/age to C
  3. C signs T
  4. You return the signed T to W
  5. W checks the signature and sees it is from C

The problem with that is what you noted. W and C could get together and then W could learn your full identity and C could learn that you use W.

C had to see the token to sign it, so at that point C and W both know T, and so that enables that matching up.

A blind signature addresses that by allowing C to sign without C needing to receive a copy of the token.

The way a blind signature works is that when you get the token, T, from W you apply a transformation to it which produces T'. It is T' that you send to C to sign for you. That gives you T' and a signature for T'. The signature algorithm and the blinding transformation are chosen so that they have this property:

• Given a document D, a blinded document D' produced by applying a blinding transformation to D, and a signature S' of the blinded document D', if you know the blinding transformation you can compute from D' and S' a signature S for D that will verify with the same key that produced S'.

The blinding transformation involves a random number that you pick. Even if C and W get together and compare lists of tokens they have seen they won't see any matches because W only saw unblinded tokens and C only saw blinded tokens and without knowing the random number used for that particular blinding they can't tell which unblinded token matches which blinded token.

They might try to match based on timing. If there isn't enough volume of people verifying they might be able to figure something out so care would definitely be needed especially at the start.
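
Added example, not part of the comment above or any poster's code: the W/C exchange it describes, using textbook RSA blinding as one scheme with the stated property. The key is a constructed demo key built from two publicly known Mersenne primes (so it is not secret), and the function names and the plain SHA-256 token digest are assumptions made for illustration.

```python
import hashlib
import secrets
from math import gcd

# Constructed demo key for C: two publicly known Mersenne primes, so NOT secret.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # C's private exponent

def digest(token: bytes) -> int:
    """Map a token to an integer mod N (plain SHA-256; an assumption for the demo)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N

def blind(token: bytes):
    """User: turn T into T' with a fresh random r that only the user knows."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    return (digest(token) * pow(r, E, N)) % N, r

def c_sign(value: int) -> int:
    """C: after checking ID, sign the integer it was handed (it never sees T)."""
    return pow(value, D, N)

def unblind(blind_sig: int, r: int) -> int:
    """User: strip r from S' to obtain S, a signature on the original T."""
    return (blind_sig * pow(r, -1, N)) % N

def w_verify(token: bytes, sig: int) -> bool:
    """W: check S against C's public key (N, E)."""
    return pow(sig, E, N) == digest(token)

def run_exchange():
    """One full run; returns W's verdict and the values both C and W have seen."""
    token = secrets.token_bytes(16)      # W issues T
    w_log = {digest(token)}              # W's record of the token
    blinded, r = blind(token)            # user computes T'
    blind_sig = c_sign(blinded)          # C signs T', producing S'
    c_log = {blinded, blind_sig}         # everything C has seen
    sig = unblind(blind_sig, r)          # user recovers S
    w_log.add(sig)                       # W's record of the signature
    return w_verify(token, sig), w_log & c_log

if __name__ == "__main__":
    ok, overlap = run_exchange()
    print("W accepts:", ok, "| values seen by both C and W:", len(overlap))
```

Comparing the two logs finds nothing in common because every value C handled differs from W's by a factor involving r; the timing channel raised in the last paragraph is untouched by this.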


> They might try to match based on timing. If there isn't enough volume of people verifying they might be able to figure something out so care would definitely be needed especially at the start.

The timing attack is worse than that.

Suppose Bob has a pseudonymous account with the service. So he signs into his account, NotBob99, which is not supposed to be associated with Bob. Or even just uses a device with the same cookie or device fingerprint. On a dozen separate occasions.

Is he unmasked the first time? Maybe not, there could have been thousands of people requesting a signature at that time, although you have immediately narrowed it down by 99.999% from hundreds of millions. Is he unmasked the second time? Pretty good chance of that, because you can exclude anyone who didn't request a signature the first time. Even if it isn't fully unique yet, the number of candidates can now be counted on one hand. Has he been unmasked by the twelfth time? Almost certainly.

It's also not clear what the fancy cryptography is supposed to be buying you over the alternative. If you use blinded signatures, you have a timing attack, but Bob can still share the signatures unless the timing attack is being actively exploited, which it obviously isn't supposed to be as if it was it would only prove the signature scheme ineffective.

Now suppose you just have secret "is over 18" and "is over 21" passwords, changed on the same interval as the signatures would expire. The passwords aren't unique, everyone in the eligible age group gets the same one (and services that are 18+ request the 18+ password even from people over 21), so you can't correlate them with an individual and each person only has to request the password once per change interval (e.g. 30 days) rather than once per use. What advantage do blinded signatures have over this?
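
Added example, not part of the comment above: a small model of the narrowing it describes, where the set of people who requested a signature just before each use of one pseudonymous account is intersected across uses. The population of 300 million, the 3,000 requests per window, and the uniform random choice of other requesters are constructed assumptions chosen to match the comment's "thousands" out of "hundreds of millions".

```python
import random

def expected_candidates(population: int, per_window: int, uses: int) -> float:
    """Expected anonymity-set size after `uses` observations: Bob plus chance repeats."""
    p = per_window / population          # chance a given person is in one window
    return 1 + (population - 1) * p ** uses

def simulate(population: int, per_window: int, uses: int, seed: int = 1):
    """Intersect the sets of signature requesters seen before each use."""
    rng = random.Random(seed)            # seeded so the run is repeatable
    bob = 0                              # constructed identifier for the real user
    candidates = None
    sizes = []
    for _ in range(uses):
        # Everyone who asked C for a signature in the window before this use;
        # Bob is always among them because he needs a fresh signature each time.
        others = rng.sample(range(1, population), per_window - 1)
        window = set(others) | {bob}
        candidates = window if candidates is None else candidates & window
        sizes.append(len(candidates))
    return sizes, candidates

if __name__ == "__main__":
    sizes, remaining = simulate(300_000_000, 3000, 12)
    print("candidates after each use:", sizes)
    print("expected after 2 uses:", round(expected_candidates(300_000_000, 3000, 2), 3))
```

Under these assumptions the expected set is about 3,001 people after one use and about 1.03 after two, which is why the per-use signature request is the weak point rather than the blinding itself.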


Thanks so much for that explanation. You even addressed timing attacks, which is what I was about to ask as a follow-up until I scrolled down and saw the final paragraph. I appreciate the write up!


Yeah, the whole “we have to scan your driver’s license” which has my name, address, etc., encoded is way more than I want to share. I am mostly bald and even my beard is gray. There is no plausible situation where you think I might be under 21.


I've been gray for over a decade and get carded every time, because my state tries to enforce age restrictions.

Minors don't seem to have much of a problem, though?


Nor would you if you sought the slummiest stores and gave some old wino $10 to go buy it for you.


> It would absolutely be possible to implement that stuff in a fully privacy-preserving way, with nothing but basic cryptography, and the government could absolutely enforce that implementation.

Yeah, it seems like it would not be as much of a problem if you were able to have assurances that your data isn't being held onto. If I give my ID to a bouncer at a strip club, he isn't able to scan it and put it into a digital file. He just looks at it*, goes "yep this guy is of age", and gives it back. If we ensured a similar data flow for the Internet, then it wouldn't be nearly as much of a privacy issue.

*These days I doubt I would even get carded as well. Getting older and all that. IDK how you could implement a similar check for the Internet though.


> It would absolutely be possible to implement that stuff in a fully privacy-preserving way, with nothing but basic cryptography, and the government could absolutely enforce that implementation.

What are some implementation(s)?

Different implementations vary in effectiveness. Anyone can give a minor access to their device, or a minor can steal their device. So in order to prevent access then, you'd need something like constant face monitoring (via a local model, possible to do anonymously, but expensive and fallible), or legal threats (impossible to do anonymously, because you must track the adult who gave their kid access; and many people are dumb with technology even when it matters, so you either have to fine or jail many people or selectively enforce).

The easiest implementation I can think of, which I'd recommend, is to make locked-down kid devices, require ID or even just a credit card (18+) to purchase a normal device, put the burden on adults to not share their device with kids, and only police merchants (for selling normal devices without ID) and websites (for serving adult content without blocking kid devices). Like what we do with alcohol, except not even trying to police people for sharing, because it would be ineffective and messy. Like alcohol, many kids will get access anyways, although less than now.

I like this approach because, IMO importantly, kids who don't try to see adult content will be far less likely to, and parents who try to restrict their kids from adult content will be far more successful. I don't think you can stop determined kids with neglectful parents without drawbacks.


If you look at it less as "if A then B" and more like "if A then possibly B" as it's usually intended then I think you can strip the fallacy.

Almost anything is possible, but even in this case it was never inevitable or inherently true that age verification for X meant age verification for Y. Which means the value - if any - for a slippery slope argument is "consider the possibilities X might open up"


It depends upon what Y is. If X and Y require age verification for in-person purchases and age verification is required to purchase X online, it is reasonable to assume that age verification for Y will follow. Some may call that a slippery slope. In reality it is simply a loophole in the law. Either way, it is reasonable to assume there is a bottom to that slope. It is not reasonable to assume that X opens up all possibilities.

That said, I understand where the EFF is coming from. Data collection and "sharing" is rampant these days. Any meaningful form of age verification opens up the potential for abuse. What I don't understand is their failure to address how to handle restricted goods.


They no longer teach Rhetoric at schools. Rhetorical arguments have been completely forgotten and debased in the public mind.

Rhetorical arguments are more important than ever in the age of AI, because AI is our attempt to simulate that. Probabilistic AI mimics rhetoric (inexpertly). It uses past knowledge to predict future behavior (rather, just the next token) based on probability.

To be clear - I'm not arguing that logical arguments aren't important; I am a logical person, and prefer logical arguments to rhetorical ones. I prefer the certainty. I still recognize the need for rhetoric. Not everything is certain, and you have to make decisions based on probabilities and unknowns.


If you saw what modern formal debate looked like in America, you’d be happy that we abandoned teaching it.

Here’s the beginning of the rabbit hole you need to go down to understand why so many former debaters not only hate the activity but specifically cite it as an example of post-modern neo Marxism:

https://en.m.wikipedia.org/wiki/Spreading_(debate)


The slippery slope fallacy is not just the argument style, it is when the argument style is used but the event being held up as a cause is not justifiably believed to be likely to lead to the cited effect. (It is an informal fallacy, rather than a deductive fallacy, and, as such, requires evaluation of evidence, not mere shape of the argument.)

Also, neither deductive nor informal fallacies mean that the conclusion of an argument is wrong, in any case, so the conclusion of an argument being right does not disprove (or even provide strong counterevidence) that the argument contained a fallacy. Fallacies are about whether and to what degree a conclusion is supported by the reasoning (and evidence, in the case of informal fallacies) offered to support it, not about whether or not it is true.


If we do X, Y becomes more likely. Y is bad, making a bad thing more likely is bad, therefore doing X has a bad consequence.

That isn't a fallacy at all, it's just an argument that requires you to establish its premises, like all sound arguments. People call it a fallacy as a pejorative when they want to dismiss the legitimate concern and shut down the debate even in the cases where the premise is correct.


You're describing the fallacy fallacy, the fallacy that just because an argument might be an example of a logical fallacy, doesn't mean the claim is incorrect.


Also why "ad hominem" can be legit. Lawmakers' personal beliefs and incentives say a lot more than whatever generic arguments they pick.


Ad hominem is a weird one where the more abstract the argument, the less it applies, but the more concrete and visceral it is the better it is as a first-pass filter.

Like, think of the worst guy you know. Now think of what that guy thinks about the state of the world, in as concrete detail as you can. That's probably a pretty good reason in itself not to think that, because if you think like that for too long, you risk becoming that guy yourself.

This feels like it should work far less often than it actually does.


This is less true, slippery slope as a fallacy is having large unclear jumps chained together to make a really improbable outcome because each improbable chain scales off all the previous pieces. But ad hominem as an argument is only really valid when the attack against the person is highlighting conflicts of interest, which is more reason for scrutiny of the original argument than it is cause for ignoring it entirely. You should still attack the argument itself.


That's what the opponent wants you to do. The law by itself looks ok, but you're dealing with limited information, mainly not knowing how they're going to use it next.


Exactly. It ain't a fallacy to call out the folks actively greasing down the slope.


Grease down a slope, and you'll slide for a day

Grease down your self, and you'll slide for a lifetime


Exactly. It's a fallacy when dealing with logical entities, but humans aren't logical entities.


It’s only a fallacy when dealing with logical relations under certainty. Once uncertainty and probability are introduced the slippery slope just is relating Bayes’ Rule in plain English.


> It’s only a fallacy when dealing with logical relations under certainty.

Incorrect. Slippery slope is an informal fallacy, which applies to arguments based on evidence not logical relations under certainty. But it is a component of the slippery slope fallacy that the implicit premise (that the precondition that is the subject of the argument is likely to lead to the result that is the endpoint of the slippery slope) is inadequately justified, not merely that a slope from the precondition to the endpoint is presented.


Whatever. Point being, calling it a "fallacy" isn't useful or predictive when dealing with people who follow impulses rather than principles.


But laws are not human, only made by humans, and should be logical.



