It should be externalized to a degree. Facebook shouldn't be the ones verifying age, but there should be a trusted 3rd party service that does that, which just tells facebook "yes this user is old enough to use your service" or "no they're not old enough".
It abso-fucking-lutely should not be at the OS level though, for so many reasons. Even the implementation alone would be a nightmare. Do I need to input my ID to use a fridge or toaster oven? Ridiculous.
You might think you can keep 16 year olds from looking at porn, if they want to. You can't. You have never been able to. All you can do is teach them that the law is stupid and pointless, and they should treat rules with contempt. But they'll still be able to look at porn.
What you can do is allow the government and private companies to track everyone, everywhere, all the time. And you can create more gatekeepers that hold personal identity data, misuse it, and leak it.
Yeah, I agree with this. I think age-related content moderation is a losing fight and one that will create more contempt for laws, more surveillance, and much more PII surface area that will be exploited.
There are really two "core" issues at play:
1. The prudish nature of US society
2. The fact that we don't have data privacy laws and restrictions on digital surveillance by private companies
Sixteen year olds? Sure, mysterious Forest Porn and the older brother who'd give you skin mags have always existed. And Cinemax at night, catching the odd frame that somehow gets thought the scrambler. Whatever.
But we can't realize all the supposed glorious promise of all this tech bullcrap for education and free exploration of younger kids if we can't at least come pretty damn close to guaranteeing that an eight-year-old won't stumble on Rotten.com or hardcore porn if an adult isn't looking over their shoulder constantly. And whatever that solution is needs to work for parents who don't have the know-how or time to be sysadmins for their household.
I'm not overly concerned with 16 year olds. But the tools for protecting younger children suck. A consistent account setting and header would do a lot to improve parental controls.
> What you can do is allow the government and private companies to track everyone, everywhere, all the time. And you can create more gatekeepers that hold personal identity data, misuse it, and leak it.
This is already happening. A central setting would improve privacy over the way things are right now.
> A central setting would improve privacy over the way things are right now.
What? How? What improvement are you seeing that I'm not?
Putting all our PII into one huge repository and then letting corps and govts access it sounds like a dystopian nightmare. This is why we don't like Palantir.
What happens if a bad guy steals that data and your identity? They go and look at CSAM using your ID? The police turn up at your door and cart you off to prison? Are you really going to be able to argue that it wasn't you? If so, what is the point of the system? If we're relying on IP addresses and other evidence for access (so you can fight these charges) can't we just use them in the first place?
I don't know what you're talking about, but it's not what this kind of bill is about.
This kind of bill is about the OS telling things whether you're: 0-12, 13-15, 16-17, 18+
No databases, no stealable identity, only the barest sliver of 2 bits of PII.
As for how it's an improvement, we already have sites asking to see your driver's license or pictures of your face for much worse age verification paradigms. If most of those changed to a local age setting, privacy would go up.
How does the OS know that you moved from the "13-15" bracket to the "16-17" bracket without knowing your DoB?
And this is the thin edge. Because in a few years there'll be a bill saying something like "too many children are lying about their age online. We need to verify their age" and then we're capturing IDs and storing them somewhere.
> The OS could require the parent to manually update it.
How is their age verified?
At some point one of two things is required:
1) A promise that the user is a certain age
- Which puts us exactly where we are
2) Official identification is used to verify age
- Which creates a PII nightmare
That's it. There's only those two options. You may not believe #2 is going to be a privacy nightmare but we're already seeing it happen with Discord/OpenAI/LinkedIn and everyone else that uses Persona[1]. They aren't doing the minimal security things and already aren't doing what they claimed (processed on device, then deleted). This "hack" couldn't happen if that was true
The difference here is it can be set by the parent on the OS and locked. Requiring sudo equivalent to change.
The way it is now, there's nothing stopping a (18-) user from logging out of a 'parental control enabled' account and making a new account without those controls on any service from Facebook to Steam. So the only effective option at that point is to entirely block that app or service.
This gives more power to parental control software. And yeah moves the responsibility from the service to the parents, which is what the services want cuz COPPA and other similar laws.
But you do bring up another issue people aren't discussing. That the default setting is under 18.
So we protect the children from adults by... having no way to actually verify someone is a child?
The problem is less kids getting access to porn and more pedos getting accounts to spaces designed for children. Places like Club Penguin or very famously Roblox.
Here's the problem, you can't verify children. They don't have identification in the same way adults do. And worse, if we gave them that then it only makes them more vulnerable!
Then we have the whole problem of a global internet. VPN usage is already skyrocketing to circumvent these policies.
So the only real "solution" to this is global identification systems where essentially everyone is carrying around some dystopian FIDO key (definitely your phone) that has all your personal information on it and you sign every device you touch. Because everything from your fridge to your car is connected to the Internet.
But that's a cure worse than the poison. I mean what the fuck happens to IOT devices? Do we just not allow them on the internet? That they're assumed 18+? So all kids need to do is get a raspberry pi? All they need to do is install a VM on their phone? On their computer? You might think that kids won't do this but when I was in high school 20 years ago we all knew how to set up proxies. That information spread like wildfire and you bet it got easier as the smarter kids put in the legwork.
This is a losing battle. It's not a cat and mouse game it's While E Coyote vs Road Runner.
We're on HN FFS. If there's anywhere on the Internet that the average user is going to understand how impossible this is it should be here. We haven't even talked about hacking! And yes, teenage script kiddies do exist.
These policies don't protect kids, they endanger them. On top of that they endanger the rest of us. Seriously, just try to work it out. Try to create a solution and then actually try to defeat your solution. Don't be fucking Don Quixote.
> But you do bring up another issue people aren't discussing. That the default setting is under 18.
Some things do that. This law doesn't have a default. If the admin sets all the user accounts to 18+, then the users are stuck with the setting being 18+.
> I mean what the fuck happens to IOT devices? Do we just not allow them on the internet?
Sounds pretty good to me.
But yeah they need a different handling of some manner. Maybe a "give no access to anything age-gated" category, though is that really different from under-13 in practice?
> So all kids need to do is get a raspberry pi? All they need to do is install a VM on their phone? On their computer? You might think that kids won't do this but when I was in high school 20 years ago we all knew how to set up proxies.
Just delaying unrestricted access to high school would already solve most of the problem.
> These policies don't protect kids, they endanger them. On top of that they endanger the rest of us.
They do not. Some totally different system could endanger people, but this one doesn't.
Really? Be a bit more serious now. There are a lot of things that connect to the internet, and not just for stupid data harvesting reasons. I gave other examples. I think you can understand that this gets pretty hairy pretty quickly. If you don't, then dig in deeper to how the networking is done. You're an older account so I'm assuming you actually understand computers.
> They do not.
They definitely do. I explicitly stated how that happens too. If you want me to take you seriously you have to respond with something better than "trust me bro".
There is no evidence that these companies are actually handling that data properly. There is a lot of evidence that they are handling it improperly. That data being leaked does in fact, endanger kids.
I'm also unconvinced these things even achieve the goals they claim to be after. Which is keeping pedos away from kids. i.e. the reason I said you're missing the point. So either it is not achieving that goal, or lulling people into a false sense of security. Imagine if Roblox was saying "we don't allow adults on the platform" and so now all the tech illiterate parents and kids think their kids are exclusively talking to other kids. That's just a worse situation than now.
> They definitely do. I explicitly stated how that happens too. [...] data being leaked
Again "Some totally different system could endanger people, but this one doesn't."
Any system that has companies handling personal data and able to leak it is not the system this kind of law talks about.
> false sense of security. Imagine if Roblox was saying
In that situation, Roblox is the problem, not the law.
> So what do these laws even solve?! I'm serious
If widely implemented, a parent can set a single toggle and then the accounts their kids make will all be appropriately restricted.
It wouldn't replace direct checks from the parent on what their kids are doing, but it would greatly reduce the risk profile. And making it simple and built-in means that non-tech-expert parents can set it.
>> Be a bit more serious now.
> The serious answer is in the next line.
> ...
> Again "Some totally different system could endanger people, but this one doesn't."
>> If you want me to take you seriously you have to respond with something better than "trust me bro".
I do have a hard time taking you seriously
> If widely implemented, a parent can set a single toggle and then the accounts their kids make will all be appropriately restricted.
People keep telling you option 1 is the correct one, and that it's not actually useless.
You keep describing privacy problems that only exist with option 2.
This law is not option 2. Stop interpreting people as if they're badly defending option 2. They're not.
> HOW
They take an OS where only admins can change the age setting. They set the age on a non-admin account, which they give their child access to. The OS passes the age setting along to programs, which pass it along to services that need to restrict behavior.
This is not the same as how it works today. It's impossible for a parent to do this today. The best they can do is try to keep track of every account their child has and dig through the settings manually.
Heard exactly the same thing about VPN use (kids won't know how to set up a VPN). Then Australia age verification kicked in, and VPN use went through the roof [0]
And, of course, the response so far has included similar thoughts as the UK about banning VPNs [1]
> How does the OS know that you moved from the "13-15" bracket to the "16-17" bracket without knowing your DoB?
The OS has the birth date. Of probably 1-5 people.
> And this is the thin edge. Because in a few years there'll be a bill saying something like "too many children are lying about their age online. We need to verify their age" and then we're capturing IDs and storing them somewhere.
Those things are already happening. I see this kind of mechanism as significantly more of an alternative to privacy invasion than an enabler of privacy invasion.
The political establishment used to be able to control what you read, through control of the media. Then 1995 happened and everyone got access to anything they wanted. The establishment have wanted to put that genie back in the bottle ever since. This is part of that effort.
> Requiring the central database is the scary part.
Yes, agreed.
And this type of proposal has no central database, so it removes the scary part.
(Unless you're talking about the local accounts on each computer storing dates of birth for a single household as a "central database" in which case you're being ridiculous and please stop doing that.)
A), which is the status quo. I don't see any other option as realistic.
B) makes things worse in several ways, but primarily by stifling innovation. Only large incumbents will have no trouble paying for the measures required to ensure compliance.
There's also the cost of enforcement, which will likely have to be borne by the taxpayers. I don't think this is a good thing to spend money on.
C) cannot be enforced, and any good faith attempts will cost more than the damage from harm they're supposed to prevent.
Option A isn't really the status quo. The status quo has a bunch of sites doing invasive checks and other sites region blocking users.
> Only large incumbents will have no trouble paying for the measures required to ensure compliance.
Oh my gawwwwwd. People trot this out any time any regulation is mentioned. Option B is a single easily accessible age category value. It's simpler than the status quo.
I'm not really focused on the exact wording of this bill. But mandating distros have a useradd and glibc with an extra couple functions is not a significant burden.
I mean, how is the OS going to actually verify the age of the operator?
I see how this helps Facebook - if you lie to the OS, and the OS tells Facebook that you're over 18, then it's not Facebook's fault if they provide you an 18+ service.
It's set by the administrator of the computer, so a parent can set it for their child instead of hoping their child is honest to every single individual site.
That's the difference between a parental control and a pinky swear.
The thing we want (well, that other people want, I have other views) is that large tech companies are not able to brainwash kids.
The thing this creates is liability on parents, or schools, or anyone who provides computer access to children. And access to PII for bad guys (who can ask your computer for your date of birth in this proposal, right?)
> The thing we want (well, that other people want, I have other views) is that large tech companies are not able to brainwash kids.
That has little connection with this law.
And having no age settings at all is where you'll have the most brainwashing.
> The thing this creates is liability on parents, or schools, or anyone who provides computer access to children. And access to PII for bad guys (who can ask your computer for your date of birth in this proposal, right?)
They're already responsible for controlling that. I think they should have more tools to help.
> And access to PII for bad guys (who can ask your computer for your date of birth in this proposal, right?)
Did you look at the law(s)? They get one of four age ranges.
> It's set by the administrator of the computer, so a parent can set it for their child instead of hoping their child is honest to every single individual site.
You are assuming the parent is the administrator of the computer.
I hope the number of downvotes you’re receiving makes you consider the absurdity of your suggestion.
Have you seen distrowatch? Are you going to go track down maintainers from every distro - many of whom live outside of the U.S. - and demand they implement this? The smaller ones would probably ignore you or tell you to get fucked, the larger ones with funding might decide to drag you into court.
Does "the government doesn't get to decide what people can look at on the internet" count as C or D to you? It is the situation we've been in technically for 20 years now anyway; the world hasn't ended and it generally seems to be pretty workable. The status quo isn't an especially radical one.
20 years ago was only 2006. The internet has been around for much longer. The first consumer focused ISPs launched in the early 90’s, 35 years ago, but CompuServe and others were providing access to chat and BBS’s in the 80s.
I’d say nearly 50 years is precedent enough that government intervention is unnecessary.
What about every other system where we rely on parents to parent?
Kids can turn apple juice into wine in their closet
they can drive their bicycle to a drug dealer
they can rub a butter knife against the sidewalk until it's pointy
Do we need govt AI cameras in kids closets and on their bicycles? How do we verify they're cycling somewhere safe? How do we make sure they're not getting shitfaced on bootleg hooch they made with bakers yeast and a latex glove?
This is more like a store being able to see their age just by looking at them, and make restrictions because of that. We don't rely on parents to prevent a 10 year old from going into a bar.
Which, unlike this, does not create issues, since the bar is a place staffed by people, employed to serve drinks, who can reasonably be required to look at their customers, while an operating system is some software, perhaps written by an enthusiast, which cannot reasonably be required to inspect its users.
C and D, combined. New internet for kids-only. This internet would be WHITELIST only. We would not be wack-a-mole trying to catch porn sites (sigh...)
Rather, companies would have to submit a formal proposal to get their website listed on Kid Internet. This inverts the responsibility. It's not my cost, or your cost, it's their cost now. If they want kids, they better prove it.
Then, you can trivially configure your router or any computer, with any operating system, to use the Kid Internet DNS. It's now completely operating system and device agnostic. It can be organizational wide with the flick of a switch. It can be global, if we want.
The proposal we're seeing here is bad, bad, bad. Not just for privacy reasons, but because it will not work. Not might, will. This will not work. For many reasons:
1. Most operating systems are not going to implement some stupid ass bullshit.
2. Most websites do not give a single fuck. Porn websites will not care. Trying to play wack-a-mole is ALWAYS a losing game, no exceptions.
3. This is trivial to bypass.
4. If it's not trivial to bypass, it still will not work, but it will now be the end of computing as we know it.
So we have some kind of control to stop your router from connecting to Adult Internet DNS? Because the difficult bit here is not allowing connections to the Kid Internet, but stopping connections to the Adult Internet.
How do we decide what sites resolve as part of the Kid Internet? Is there some process where a site submits itself for approval to be part of the Adult Internet?
How do we stop the government from using this to stop access to parts of the internet it doesn't like?
> So we have some kind of control to stop your router from connecting to Adult Internet DNS?
Yes, all routers currently have this built-in. Most software outside of routers does, too.
Will it be perfect? No. But, for example, this is how content filters work at schools and just about every workplace. And it seems to be good enough for them.
And, this will work better than that. Because the key point is we're not blacklisting anything. Nobody has to maintain a list of banned websites.
> How do we decide what sites resolve as part of the Kid Internet?
Companies or people send an application. The website is reviewed by a human, and they get approved or denied. If you don't care to target kids, which most people don't, you do nothing.
So I don't have to do anything, nor do you. But Meta does. Google does. I'm fine with that.
And, this "board" or whatever who hands out Kid-Friendly certificates can also take complaints. Why not?
> Is there some process where a site submits itself for approval to be part of the Adult Internet?
No, this it the beauty of it. If you want to be a part of adult internet, you do nothing. You already are.
Every website is implicitly adult internet, and it naturally completely subsumes kid internet. So, if you're just making a blog or whatever, nothing changes. In fact, you don't have to update anything from right now. It will all still work. Because Kid Internet is new thing, and it's whitelist only.
> How do we stop the government from using this to stop access to parts of the internet it doesn't like?
Related to above, adult internet is what we currently have. Nothing changes. You and I won't notice, and we can't notice. There will be the free-range internet, and then the subset of the internet approved for kids.
Yes, they are more sophisticated, or at least I'm assuming from how pi-hole and my workplace blocking works. Meaning, it works.
But those are not the best solutions, because of blacklisting. There are basically infinite porn websites. So, if you're going to try to block every porn website, you will lose, point blank.
So, even considering that, they do quite good. So if we just take the principle and invert it, it will be very good.
I mean, whitelisting vs blacklisting is why I am able to open my computer up to the internet via SSH. I'm not out here blocking 1 billion sites. No, I'm just allowing my laptop. And that gives me a lot of confidence, and it works.
And, I agree with culture change. But, culture change is very hard and I don't think it's something we can rely on.
So, you whitelist Kid Internet sites, and you have a DNS server that handles Kid Internet.
And everything else is Adult Internet, and there are many DNS servers that serve Adult Internet.
You sign your household router up for Kid Internet, and it ignores Adult DNS servers, and only routes according to Kid DNS, is that right?
I can think of about 50 ways around this already, but let's assume we're not talking about anyone with any knowledge of how the internet works. So the entire household is signed up for Kid Internet, and there's no way an adult can view an Adult Internet site from this household, is that right?
Well most DNS can be done per-device, just like in an IT setting. For example look at iOS. The device controls DNS, so set up little Timmy's iPhone to do Kid DNS.
That sounds an awful lot like this proposal, right? Well yes and no. No because this would actually work. Just letting the iPhone say "im a kid" does fuck all, because all the websites we're targeting with that will just ignore it.
And of course there are ways around this. Wanting a solution with no ways around it is dystopian. But is it a better solution than this? I think yes, it is.
If Little Timmy signs in then OS chooses the Kids DNS, but if Uncle Bob signs in then it chooses the Adult DNS?
As you say, I can see a few ways around this ;)
Again, this feels like it just moves the responsibility for everything onto the parents, without meaningfully giving them any control. If something screws up and Little Timmy gets to see some boobies, who gets blamed? Is it the OS provider, the hardware provider, or the parents? Did the parents actually configure this themselves? If so, who taught them how to do that? Or did they buy the machine pre-configured? So does the vendor take responsibility?
Sure, or per-device, or per-network, or per-organization. It depends on how each particular person wants to implement it.
> As you say, I can see a few ways around this ;)
Yes, notably less than the current proposal. Which, again, will just straight-up not work.
> f something screws up and Little Timmy gets to see some boobies, who gets blamed?
I think this really hit the nail on the head. None of this is about solving problems or helping little Timmy. It's about accountability management.
If we implement the OS syscall, then Meta gets to point their grimey finger at someone else while they continue to fuel genocide in Myanmar.
> Did the parents actually configure this themselves? If so, who taught them how to do that? Or did they buy the machine pre-configured? So does the vendor take responsibility?
Well, um, both. You can configure your router, sure, or your Linux computer. But I imagine a new iPhone would just come with a checkbox you can check at account creation time. Again, very similar to this proposal, except it works.
Yes, parental controls already exist. You’re up and down this thread advocating for this particular bill, but what does the technical solution actually look like to you beyond the controls already available? And with regards to account creation specifically, what do you see as a workable solution that isn’t defeated by a “pinky swear”?
Can you name a piece of parental control software that tells relevant apps and sites whether I'm above 13/18?
I'm sure there's plenty of software that can block sites entirely, but that's a lot less useful.
And how much should I trust the popular products on a scale of 1-10? An OS setting doesn't need much trust.
> And with regards to account creation specifically, what do you see as a workable solution that isn’t defeated by a “pinky swear”?
I'll copy a different reply: "It's set by the administrator of the computer, so a parent can set it for their child instead of hoping their child is honest to every single individual site. That's the difference between a parental control and a pinky swear."
The idea of something like this isn't to replace parents, it's to give them a simple centralized tool. The parent has the admin account.
E. Platforms that want to serve violent, sexual, predatory, scammy, snake oil content in the most addictive way possible to exploit minors and other vulnerable populations for profit should save some of their revenue for lawsuits when they hurt people. Hold products that cause harm responsible.
The Illinois bill is not about 18+ content. It's about controlling who your children can talk to on social media. The OS age check is just a means to that end. The end is blatantly unconstitutional. The bill of rights doesn't mention age limits. Freedom of assosiation applies to kids just as much as it does to adults. If the bill passes, then any racist parent could block all comms from kids of a different color for example.
I get what you’re saying but it’s a false premise. In today’s era, racist parents already block their children from even attending school with someone of a different color. Merely blocking comms would be a step before that in severity of control.
Parents have always had the ability (though maybe not explicitly the right to) control their children’s environment for the purposes of teaching personal beliefs. So long as the belief itself wasn’t deemed harmful to the child, society would allow it to continue propagate that way. Racism unfortunately has never been seen as innately harmful. It’s looked down on, yes, but not to the point of making it illegal to enforce in family life.
To be fair, as a parent I don’t want my under age children hooking up with literal nazis on social platforms, whoever that might be. The current tools and controls are lacking. A lot.
The spin control on this story is intense. Saying that it's "just parental controls" when we've had fscking parental controls since the 1990s is disingenuous as hell. Obviously it's something new, but that's really all they have got to try to spin it back into their favor.
Once you force OS to communicate data about the user, here we’re talking age, is it a slippery slope? Once the architecture is created, why not put other things about you in there?
I'm reminded of a video essay I watched about AI once, which took a side tangent into surveillance capitalism:
"Google's data harvesting operation became a load bearing piece of the Internet before the public understood digital privacy. And now we can't get rid of it."
The public has been conditioned to expect web services free at point of use. Legitimately it's hard to monetize things like YouTube without ads, and I get that. But turning our entire ecosystem of tech into a massive surveillance mini-state seems like an astonishingly shitty idea compared to just... finding a way to do advertising that DOESN'T involve 30 shadowy ad companies knowing your resting blood pressure. My otherwise creative and amazing industry seems utterly unwilling to confront this.
Edit: Like, I don't know, am I crazy for thinking that simply because we can target ads this granularity, that it simply must be that? I get that the ad-tech companies do not want to go back to blind-firing ads into the digital ether on the hope that they'll be seen, but that's also plus or minus the entirety of the history of advertising as an industry, with the last 20 or so years being a weird blip where you could show your add to INCREDIBLY specific demographics. And I wouldn't give a shit except the tech permitting those functions seems to be socially corrosive and is requiring even further erosion of already pretty porous user privacy to keep being legally tenable.
Society won’t delay reward now for future good on its own. Even if one person will, there’s a line of people who will step in to pollute the lake or kill the whales for a bag of money.
It will just decay until it’s a short squeeze into oligarchy or worse (the corrupt will be forced into an arms race of accelerating corruption as opportunity becomes scarce). Then some other country who isn’t leaving it up to their society to do the right thing will be in charge. Until the same happens to them.
This is the value of religion historically, one of the few ways of coercing a population into doing the right thing for their own good. But every group can be spoiled or hijacked by a small handful of bad actors who are willing to do what others are not.
We don't externalize age verification when buying alcohol or visiting the strip club. It's on the responsibility of those establishments to verify age.
In those in-person contexts, the identification document is still externalized - they're checking a government-issued photo ID in the vast majority of situations.
It works for the in-person context because it's a physical object, making it easier to control access to it. A high resolution picture of the same ID is a privacy problem as it can be copied, shared, transferred, etc without the knowledge of the ID holder.
I think that main goal would be to keep the ability to have accounts be anonymous or pseudo anonymous.
If social mean company has to verify an accounts age themselves they then have to use some for of official government identification and with that any chance of anonymous or pseudo anonymous access.
Facebook has less than zero interest in allowing people to use their platform anonymously. They very much want to know everything about their users including their age and they would never back a law that would stop them from collecting that data. Now that you know that facebook isn't pushing this law to protect anyone's anonymity why do you think they're doing it?
> Now that you know that facebook isn't pushing this law to protect anyone's anonymity why do you think they're doing it?
My comment was not about what I knew/know about facebook or not. I was answering the question of why age verification should be externalized to a degree and in this case externalized means the power stays with the user and parents rather than being in the hands of say facebook/meta.
I was not talking about why facebook/meta would want it or not want it. Large companies want lots of different things. Sometimes it is required to know their motivations to discuss or decide on something. I think it can be detrimental to do that though without discussing/analyzing a topic/idea on its own merits first or at least parallel. My comment was focused on the merits not the motivations or desires of companies like facebook.
The point is that you can't just externalize age verification and expect that data to never be sent to facebook because facebook needs that data to do anything (good or bad). It doesn't matter if your OS broadcasts that your child is 6-9 to facebook or if facebook has to ask the government to tell them that same information, either way, in the end facebook will know that your child is 6-9. The power is then in facebook's hands. Facebook won't see a copy of their government issued ID, but what difference does that make when they've got their age, their selfies, and a list of every friend and family member.
> The point is that you can't just externalize age verification and expect that data to never be sent to facebook
facebook and similar social media companies have a ton of ways to get peoples age and or to narrow it down.
> either way, in the end facebook will know that your child is 6-9.
The main point of the law is not about restricting facebook or similar operator in the laws lanuage from knowing user ages. Though the does say the age bracket can not be used for anything other than to implement the intent of the law.
> The power is then in facebook's hands. Facebook won't see a copy of their government issued ID, but what difference does that make when they've got their age, their selfies, and a list of every friend and family member.
May not matter much for facebook or similar, it matters a bunch for any random website/forum/service you might sign up for where the intent of the service is not about public posting that sort of personal infromation.
> facebook and similar social media companies have a ton of ways to get peoples age and or to narrow it down... May not matter much for facebook or similar, it matters a bunch for any random website/forum/service you might sign up for
You're right about that. There are websites and services that won't have the kind of data needed to identify an individual using the age bracket data, and there are those who could do it anyway or could make some guesses about the ages of users even without having OS gathered age data sent to them. That said, I've seen how bad companies are at making those kinds of assumptions. For example, I've seen youtube's AI age guesser fail completely and mischaracterize viewers ages in both directions.
> Though the does say the age bracket can not be used for anything other than to implement the intent of the law.
I didn't see that anywhere in the text. It does have a section where it says that the age data collected can't be shared with third parties unless they're made a part of the implementation of age-check scheme. There's also this: "All information collected for the purpose of obtaining the verifiable parental consent required under this Section shall not be used for any purpose other than obtaining verifiable parental consent and shall be deleted immediately after an attempt to obtain verifiable parental consent" but it's entirely unclear if age bracket data is considered part of the data collected when "obtaining verifiable parental consent". I suspect that it isn't and this language is intended to protect the data of the adults who will be forced to prove they are the child's parents. In fact they don't define at all what "obtaining verifiable parental consent" should or shouldn't involve.
You are right it is hard to use it for anything else though given the constraints.
> An operator that receives a signal in accordance with 20this Section shall use that signal to comply with this Section 21but shall not: 22 (1) request more information from an operating system 23 provider or a covered application store than the minimum 24 amount of information necessary to comply with this 25 Section;
You know the age bracket but nothing else and are not allowed to store more data on the topic to figure anything out. So you can not legally figure out someones age by keeping track of when they change age brackets.
> In fact they don't define at all what "obtaining verifiable parental consent" should or shouldn't involve.
It is the "Account holder". The user that set up the account and provide the age is considered the parent or legal guardian.
Do we make contractors do age verification on their supplies when building a liquor store or strip club? The OS is a tool used by Meta, just like the utilities and the compute itself.
Meta Apps can have age verification but it should be at the point of service, not the supply chain.
And even if we were to agree to this, uploading your IDs to an untrusted third party is asking too much.
It's not enough for the government to know. Platforms, websites, and advertisers want to know. That's why the law facebook has been pushing for doesn't have a simple "is 18+" flag but instead has a long list of age buckets so that advertisers and platforms can target specific demographics even when they are minors.
The law doesn't require any protection levels at all. It just requires your OS to tell every website you visit which bucket your children fall into. Every website and platform can use that information in whatever ways they want, even if it's just to adjust how best to groom a victim or to decide which ads to push at a child. They could also use it to say that a 9 year old can't watch a certain video that a 13 year old can, but that would be entirely their choice.
I'd much rather a third party ID that I can easily bypass because they're lazy and cost saving every step of the way, than a governmental ID which will be x100 harder to bypass and can be abused by the goverment whenever there's a man-child in power who likes going after groups of people who don't agree with him.
But in a perfect world it would be parents doing their job and parenting. You can grab your child's pad, phone, laptop, whatever, and black list the entire internet allowing only a few select white lists of your choice. But it's too hard to educate parents on how to do that I guess, assuming this was ever about children and not data collection, which it is that.
I mean, as much as I don't want the Government to be able to do that, I don't want private industry to be able to do that even more tbh. Though both options are pretty horrendous privacy-wise.
Until recently I felt the opposite way -- what they could do with that was more targeted advertising. The government currently in power is demonstrating that they can do far worse, and plans to.
Very good point. But there are businesses that are via the barcode on the back of the license. They're using machines to validate and do who knows what with that data.
I'm surprised that people think this is some new 'save-the-children' thing ? Didn't Zuck say like 10 years ago, you should not be allowed to be anonymous on the internet ? This just seems on-brand at this point.
A different approach that would keep incentives properly aligned is for Facebook (et al) to publish labels in website headers asserting the age (and other) suitability of content on various sections of the site. It would then be up to client software (eg a browser) to refuse to display sites that are unsuitable for kids on devices that have been configured for kid use.
As there has been a market failure for decades at this point, it would be reasonable to give this a legislative nudge - spelling out the specific labels, requiring large websites to publish the appropriate labels, and requiring large device manufacturers to include parental controls functionality. The labels would be defined such that a website not declaring labels (small, foreign, configuration mistake, etc) would simply not be shown by software configured with parental controls, preserving the basic permissionless nature of the Internet we take for granted.
But as it stands, this mandate being pushed is horribly broken - both for subjecting all users to the age verification regime, and also for being highly inflexible for parents who have opinions about what their kids should be seeing that differ from corporate attorneys!
Except none of these bills (California or the one in question) as currently written require an ID to actually be verified, merely that the user provide an age. This seems intentional as it's seems to solve the user journey where a parent is able to set a reasonable default by simply setting up an associated account age at account creation. It's effectively just standardizing parental controls.
I think this is a reasonable balance without being invasive as there's now a defined path to do reasonable parenting without being a sysadmin and operators cannot claim ignorance because the user input a random birthday. The information leaked is also fairly minimal so even assuming ads are using that as signal, it doesn't add too many bits to tracking compared to everything else. I think the California bill needs a bit of work to clarify what exactly this applies to (e.g. exclude servers) but I also think this is a reasonable framework to satisfy this debate.
I've seen the argument that this could lead to actual age verification but I think that's a line that's clearly definable and could be fought separately.
Kids aren't stupid. They'll just create another account when they're old enough to figure it out. They'll tell their friends how to do it and the rest of us will be stuck with these stupid prompts forever like it's a cookie banner.
Actually given boot chain protection, this will probably get harder as time goes on but even assuming some kids are able to, this is clearly definable as a user error: the fault lies with the kid and as a parent you need to think about your threat model.
Right now, it's not even clear how to create parental controls at a reasonable level so there's no clear path for what to do or how to respond.
Maybe we can agree that if you're mature enough to hack your own phone, you're mature enough to see a nipple. Why am I rate limited though? Dang must hate this opinion.
I don't think "real" age verification with ids is immune to this either. (kids paying an adult to get an id for it or fooling an ai classifier, whatever).
Basically unsolveable, so why worry about that edge case? Kids will always get through to some adult content somewhere. A token system will make parents feel better in the meantime.
From a parent's perspective, that's the great part about bubbling it up to the OS user account level.
Its trivially easy to see if the user (child) has indeed created multiple OS level user accounts with different permission levels if you want to spot check the computer.
You'll see it on first startup and then you can have "a chat". With Guest account access disabled, spawning a new account on a computer takes 2-3 minutes, will send emails and dashboard notices to the parent.
Its very much near impossible to verify that the child is not just going to Facebook etc. and using separate accounts and just logging out religiously.
That said I wish Apple/Microsoft/Google had more aggressively advertised their Parental Control features for Mac/Windows/ChromeOS as a key differentiator to avoid Ubuntu/Open Source distros from having to implement them.
> You'll see it on first startup and then you can have "a chat". With Guest account access disabled, spawning a new account on a computer takes 2-3 minutes, will send emails and dashboard notices to the parent.
On what OS? Microslop Windows? On my computer no one is notified when an account is created. And the account list isn't visible when I log in. I log in to the TTY.
Now, granted, I am not the norm. But my OS falls under these regulations. So what is my OS vendor supposed to do? For that matter, who is the vendor? What if I were using LFS? Who even would be the vendor for LFS? It's not even a distro!
Yes it doesn't show up probably because you were able to pretty easily mindlessly click through the part where you were asked if this is being provisioned as a child's computer.
When you provision a Windows, Mac or Chromebook these days as a child's device using your parental account, it will require a parental account to enable new user accounts and/or re-enable guest user on the device.
Like I said - my preference would have been for Microsoft, Apple, Google and Meta and TikTok to have made an industry effort to educate parents about the existence of such tools a priori of any legislation, we could have avoided Linux etc. getting sucked in.
It's pointless. Kids who want an uncensored internet will use a VPN or proxy the same way they've been getting around the restrictions and filers put on the computers and networks at schools. These laws will do nothing to protect children but will instead enable them to be targeted.
I don't think its quite so easy anymore that I can tell, with parental tools today - on a properly provisioned device you can require parental permission for app installs such as VPN, etc.
So you're advocating for stronger and more invasive controls?...
I think this is a sensible compromise. It gives parents more control than before without relying on shady third-party software or without turning every platform into a cop. Yeah, it also aligns with Meta's interests, but so what?
The age attestation solutions pursued by the EU are far more invasive in this respect, even though they notionally protect identity. They mean that the "default" internet experience is going to be nerfed until you can present a cryptographic proof that you're worthy.
> I think this is a sensible compromise. It gives parents more control than before without relying on shady third-party software or without turning every platform into a cop.
It doesn't give parents any control whatsoever. It just forces the OS to tell every website your child goes to how old they are. It doesn't require those websites to hide certain content for certain age groups. It doesn't define what types of content are appropriate for which age groups, it just makes sure that every advertiser bidding on your child's eyes knows what age range they fall into to.
If anything this takes control away from parents because even the cases where a website does their best to restrict content based on which age the OS tells them your kid is, it's the website setting the rules and not the parents. You might think that your 16 year old can read an article about STDs, but if the website your kid visits doesn't think so you as the parent don't get any choice.
With 3rd party software parents are controlling what software is used, they have the ability to decide which kinds of content are appropriate for their children and can be allowed and which types of content should be blocked. They can black/whitelist as they see fit. All of the power is in the parent's hands. This law gives parents one choice only: "Do I honestly tell my OS how old my child is". That's the end of the parent's involvement and the end of their power.
I mean on a UNIX OS you could make it yet another group the user needs to be part of. Like the group for access to optical media or for changing network credentials. Whether the child gets root access is on the parent, but that is like with anything else. A child can get around this, but it means finding and exploiting a 0-day on the OS. If they are able to pull this of I would congratulate them.
There is a huge attack surface for this. For example, kid manages to buy an old phone. Resets the phone and creates an account. Kid buys something like a Pi 3 manages to get a regular phone to become an access point. Etc. If a laptop is not completely locked down, a kid might boot a live USB stick.
The problem is that these laws tend to escalate. Once a government starts regulating, it doesn't stop.
It is also the wrong model. Instead of creating child-safe devices, just like there is a difference between toys and power tools, this regulation pretends that all devices are child safe and parents have to figure out which ones really aren't.
I don’t care if it’s part of the user setup, but make it an App Store dotfile. Don’t issue fines to Debian for offering a Docker image without a user setup script.
Except how is this done on GNU/Linux or FreeBSD or Haiku? Who's going to implement it, who's going to ensure it can't be bypassed and who's going to be responsible if it's not?
I agree. There is a real drive to catastrophize here but so far, none of the bills actually take any steps to prevent users from lying about their age.
I want to be able to hire a licensed Identity Service Provider that gets all of my verified identity data in an encrypted token and let me register it with the OS, and control what amount of the data I expose to apps, with age verification being one of the lower levels of access.
I pay the company to verify me, I am their customer. They take on the liability of the OS makers and app makers of age verification.
If you have a valid token signed by a licensed IDS that verified your age in your OS, that's all anyone needs to know.
So we have to pay some 3rd party service to hoard information about Children? Why we want to set that up? Why would we want to take that power from the parents and give it to some company?
So, they want to profit off children, but do nothing to protect them?
> but there should be a trusted 3rd party service that does that
Gee, if only Facebook would use their incredible might to create this, rather than trying to rob our representative government from underneath us.
> It abso-fucking-lutely should not be at the OS level though
It's not my problem. It shouldn't involve me at all. I don't use social media and I think if you let your kids on there unsupervised you have a screw loose.
If social media, alcohol, drugs, gambling, phones are so, so, so bad for children. Just ban them from children.
We were completely fine 30 years ago without any phone. They will survive. They will probably thrive because now they have to learn how to hack the system.
Instead, we just give them everything they need and all the thinking they do is scrolling.
It abso-fucking-lutely should not be at the OS level though, for so many reasons. Even the implementation alone would be a nightmare. Do I need to input my ID to use a fridge or toaster oven? Ridiculous.