This would require browser attestation, wouldn't it? Otherwise kids are just going to download a custom build of Chromium where `window.isUserOver(16)` is always `True`.
No, it only "requires" browser attestation if we taken it as a given that the onus is on tech companies for verifying who they are talking to - ie identity verification that most of these schemes boil down to regardless of how cute they're dressed up.
To effectively keep adult content away from kids, it merely requires secure boot and closed app stores, which are already widespread. And they are only required on the devices actually given to kids, rather than every single computing device.
But this proposal has another problem: it's easy for a website to run isUserOver(n) in a loop to derive the exact age. And on a persistent account, it can be queried every day to derive an exact birthday! Which comes back to my main point that the only technical schemes we should be considering are ones where information strictly flows one way - the website/app supplies information to the browser/OS, which then [may] implement parental control policy. anything else fundamentally boils down to a mandate for identity verification.
> To effectively keep adult content away from kids, it merely requires secure boot and closed app stores
This is unacceptable. If I own a computer, I expect to be able to build and run any program, either written by myself or others, without asking anyone for permission.
Maybe I needed to say "it merely requires the existence ...". Because I then do go on to say:
> And they are only required on the devices actually given to kids
My whole point is that this limits the blast radius, compared to any solution involving "age" (read: identity) verification which has a blast radius of every computing device!
> To effectively keep adult content away from kids, it merely requires secure boot and closed app stores, which are already widespread. And they are only required on the devices actually given to kids, rather than every single computing device.
...I guess I don't really see the difference.
Closed app stores are widespread on some platforms but certainly not others, and I for one would really like them to not spread any further.
For starters here, the difference is that only devices that parents give to kids need to have secure boot and controlled software sources. The point is that every other device remains completely unaffected.
But in general there is a huge difference between the freedom-destroying properties of secure boot with closed app stores, and the next step of remote attestation. Remote attestation lets the server insist that you only run software fully of their choosing rather than your choosing, as a condition of interacting with them. This completely destroys the idea of protocols that mediate between two parties with diverging interests, and computationally disenfranchises users. Imagine the next generation of the Cloudflare nagwall that doesn't let you past unless you buy a new computer, and that new computer must be running MSWin/OSX and MSIE/Chrome.
(also note that my use of "secure boot" here includes systems like on Pixels where you can straightforwardly unlock the bootloader (erasing the data on the device), install whatever you want, and then relock. I still find these systems philosophically objectionable, as there is still a privileged key baked in and retained by the manufacturer - similar security properties could be provided without the backdoor. But pragmatically they've been working okay)
No, thank you. As a parent, I want to give a device to my child that they can hack, just like I had.
Why are we treating kids like adversarial threats? If my kid gets around parental controls, I’ll revoke their phone privileges. No need for invasive security.
Yes, as a parent you should be able to say this! You should also be able to say other things like I want my kid to have full access to wikipedia. Or I do not want my kid to have access to Faceboot, including a special Faceboot4Kidz version that their corporate attorneys have declared is completely suitable for minors.
My whole point arguing for client side controls is that it allows parents to express these types of fine-grained preferences, without merely putting the onus on tech companies to make these decisions in a top-down fashion serving their own self interest!
As for secure boot specifically, my point is that it is already here on basically every phone. One of the most security-forward phone OSs (Graphene) even requires it. I've got philosophical problems with manufacturers baking privileged backdoor keys into hardware, but it's already prevalent. If you think I'm arguing in favor of restrictions, then please go educate yourself on the security properties of remote attestation to see what I'm actually arguing in favor of heading off!
If you want to argue for client side controls, I’m on your side. I’ve expressed this opinion elsewhere in this thread.
I’m well educastes on what remote attestation means, and I know it’s the status quo. But it is not required by law. And I’d very much like for it to continue being optional indefinitely, and not bundled with a different “save the children” law.
More specifically, I don’t want to have to prove to the OEM that I’m an adult to unlock my bootloader or disable SecureBoot. Or, more realistically, I don’t want OEMs deciding it’s cheaper to stop offering that choice because they don’t want to risk unlocking the bootloader on a child’s device.
> If you want to argue for client side controls, I’m on your side
Yes, then we're coming from the same place here.
> I’m well educastes on what remote attestation means, and I know it’s the status quo
I wouldn't describe remote attestation as the status quo. I generally use the web from my libre desktop, and apart from all the constant nagwalls (Cloudflare et al), I can access sites just fine. Perhaps on many mobile apps it's become some kind of status quo ("Play Integrity" I think it's called?), but even mobile browsers don't do attestation (WEI, or whatever they've renamed it to these days), IIUC.
> But it is not required by law
This is a red herring. None of these laws are proposing to require remote attestation, but rather anything that puts the onus on big tech to "verify age" (aka verify identity) will eventually lead to it being de facto required, with no direct law required.
> More specifically, I don’t want to have to prove to the OEM that I’m an adult to unlock my bootloader or disable SecureBoot. Or, more realistically, I don’t want OEMs deciding it’s cheaper to stop offering that choice because they don’t want to risk unlocking the bootloader on a child’s device.
I'm right with you about the knife-edge we're currently teetering on, where what is a pragmatic system that "merely" has gotchas could get more restrictive at any time. But Google already requires you prove you're the device owner to unlock a bootloader, and far too many manufacturers already don't let you unlock. But if done right, then none of this really matters for the parental controls use case - rather when unlocking the bootloader erases the whole device, that is the flag that lets a parent know.
The same system that blocks kids from downloading the Pornhub app would also block them from downloading the "Chrome but without parental controls" app.
Right now, they don't know. They're going to learn very quickly when they want to use some website and they can't.
We agree it doesn't need to be 100% perfect. But it needs to be at least, like, 60% perfect, right? And unless you make it at least a bit hard to bypass, it will stop virtually no one.
That is a real problem but for an unreal situation. Nobody is advocating that we combine (A) a child-safe browser with (B) a completely unlocked device in every other way.
When I buy/configure a device which prevents Little Timmy from viewing smut, that device is also going to have a parental code for installing new apps. If that part is left open, then Little Timmy wouldn't have to even bother getting a different browser, he could just install direct porn apps.
> But it needs to be at least, like, 60% perfect, right?
That can easily be reached by ensuring that child-mode covers default browsers and also the ability to install a new browser. If Little Timmy is turning on debugging over USB to sideload, then a fundamentally different parenting strategy is required.
Installing a new browser is already a bit hard for most people. I think you are a little skewed in your thinking being online on HN.
You also aren't thinking about age. Certainly 16 and 18 year old probably can get a new browser installed. But a 14 year old? 12 year old? 10 year old? That barrier is a lot higher the younger a kid is.
I just finished my second year as a fifth grade teacher, so I have a lot of experience with ten year olds. I am confident a majority of my students would be able to install an alternative web browser if they needed to, and a majority of the remainder would ask a friend to do it.
To give you an example of the workarounds kids will find: Youtube was blocked on school laptops, so the kids all started embedding Youtube videos inside of Google Sheets in order to watch stuff. This isn't, like, something a few savvy kids did, it was a widespread and common practice.
Lol. I started building computers, installing operating systems and tinkering with Linux between ages 10-12. I also started watching porn not long after that, and guess what, I still became a more or less normal adult. There is absolutely no need to "protect the children."