It all sounds scary at first. Digital gulag, age verification and internet deanonymization, all that jazz.
But what is a “social media” EU got scared so much of?
How this applied to federated platforms and protocols like ActivityPub and Fediverse?
How this applied to messengers? Especially to “small” messengers? Or federated, like Matrix or DeltaChat or SimpleX or XMPP-based stuff?
It all does not have sense beyond WhatsApp, Signal, and Telegram, when it goes to Messengers, and FB & Instagram, or IX, may be Reddit and Youtube with TikTok.
But as it happens, state not just impose some restriction against something but defines it in the most stretchy and rubber way possible, so anyone can be declared a criminal just because. It just depends on pure luck, on whether some people in power will use new restrictions to block Kremlin propaganda and disinfo, or these restrictions will end up into making EU yet another bastion of internet censorship and suppression of human rights.
I seen lately some news about EU-wide project about payments and money transfers at EU scale and scope.
I wonder how it come that EU still did not create any “ActivityPub for payments and money transfers” to be used together by payment gateways, online merchants, banks, digital wallets or who else today involved in payments at principle “join in one EU country and interact with each other easily as need” .
And this surely should not be a system limited only within EU borders, it should be capable to accept payments towards EU merchants from abroad. For example, it should be able to process the payment from person living in e. g. Georgia country who buying a no-DRM game from GOG games store.
I gave extra example with payments coming from outside EU as to remind that if such protocol like “ActivityPub for payments and money transfers” fits very well not only for local economy, making a reality more affordable payments for a grocery shop or a cafe, but also for everyone in EU, including EU merchants with worldwide audience.
For local economies some low-fee or even non-commercial solution with zero-fees for local transfers and payments would be very useful for local communities, because it can make everything a bit more affordable for everyone within community.
Instead of panic and screaming “AAAAAAAGRHHH!! EU will forbid VPNs!!! DIGITAL CIVIL LIBERTIES AND FREEDOMS ARE DYING! WE ARE GOING TO A DIGITAL GULAG!!!!!” I decided to explore some boring details. It seems to be something less stressful thing for me to do.
Drawing of hel goddess looks good as image of justice goddess who do not want be blindfolded anymore. Image from https://www.alamy.com/drawing-sketch-style-illustration-of-face-of-norse-goddess-hel-with-face-half-skeleton-and-half-flesh-with-gloomy-downcast-appearance-viewed-from-image358228525.html
I guess VPN would have to adapt, like “ok, we will update our products to bind age markers into traffic without exposing what kind of traffic goes through us”. I guess that some W3C work group or IETF already exists for all that.
This can be done via updating specs and demand some special headers with “signed age token” being passed through the network requests. With this you provide some bit of data (age verification document? Government ID?) at VPN product sign up or profile page, and get some token (age attestation token) you pass through to VPN connection server). These “age attestation tokens” can be different for each origin (protocol, host name, port). This can be reasonable thing, because, if I understand this correctly, VPN provider can see your traffic anyway.
VPN provider still can offload actual authentication to some third-party service, especially smaller and free VPNs. And this is another place where things can go ugly. Not sure whether some age verification providers will exist as NGOs as this would require a strong PCI compliance, likely. But non-commercial age verification system whose purpose would be to provide age verification and online identity service would be necessary in such legal landscape, as large commercial service would have motivation to sell advertising data based on such digital identity and binding it a behavior profile.
Then this age verification/attestation can be expanded to non-VPN connection at ISP level at some point, after people would use various tricks which invented for people surviving in dictatorships where VPNs are being suppressed or outlawed already, e. g. in Russia. Such as special packets fragmentation tactics, or wrappings into IMAP or HTTP requests, when encrypted part of traffic is represented as an image or PDF attachments or other tricky ways.
And most of the people would accept the need to go through digital identification, especially if it would be bound to integration of passkeys, like as way to grid of annoying passwords, when you use same identity (or few identities, created once at digital identity provider) instead filling same username, email, nickname, profile picture, and password boxes at sign up, making this a single-click activity. “Ease of use” peppered with some security improvement (or fancy promise of it) will sell very well to most of people.
Percentage of people who would be against all that would be same as people who do not use any Meta product, such as WhatsApp, Instagram, Facebook, Oculus headset, or what else they have now. And this is not some panic boo, this is description of reality where I live, when 95% of Georgia country people use Facebook and WhatsApp, and during travels, hotels and taxi travels by default assume we have WhatsApp. So this is sorta worldwide thing. That happens no matter what Meta does or does not.
