
Comment by codedokode

18 hours ago

In Russia there is a plan to make special SIM cards for children, that would not allow registration in social networks. Isn't it better than UK legislation?

The whole idea that every site or app must do verification is stupid. It would be much easier and better to do verification at the store when buying a laptop, a phone or a SIM card. The verification status can be burned in firmware memory, and the device would allow only using sites and apps from the white list. In this case website operators and app developers wouldn't need to do anything and would carry no expenses. This approach is simpler and superior to what the UK does. If Apple or Microsoft refuse to implement restricted functionality for non-verified devices, they can be banned and replaced by alternative vendors complying with this proposal. It is much easier to force Apple and Microsoft - two rich companies - to implement child protection measures than thousands of website operators and app developers.

Rare case of Russian doing something more honestly. Implementing it as a device flag sent to websites, and making it easy to set for the device of any minor, is an elegant and unintrusive solution.

If you get w3.org and major browser and OS vendors in on it, it simply becomes a legally enforced and universal parental control without many drawbacks.

But that would not permit the complete tracking of identity of all individuals in a country with their private Internet activity and political stance.

And that's a massive loss to the true purpose of any law pretending to protect children, just like the multiple attempts to outlaw encryption or scan all private messages.

A simple solution would just be an enforced response header marking content as NSFW as well as mandatory phone parental controls that enforce them.

  • No, the header should mark content as safe (for example: "Content-Safety: US-14; GB-0"), and lack of header should mark the content "unsafe". In this case, existing websites do not need to change anything.

    • That works too. Anything is better than this. Infinitely less work for existing websites, not as privacy invasive, not such a massive security risk.

That solution reminds me of the evil bit. However, if someone has the skills or resources to unset the bit, they likely are allowed to anyway.

https://archive.org/details/rfc3514

  • In the case of a Windows laptop, the verification proof might be, for example, a digitally signed serial number of the motherboard (and the OS is itself signed to prevent tampering). While it's possible to work around this, an average kid or adult is unlikely to do it. And in the case of a phone there is almost zero chance to hack it.

Apple, Google etc are already implementing the Digital Credentials API standard which would make this type of age verification much more secure.

  • No, "digital credentials" is an awful idea because it requires storing your ID on your phone and thus makes it accessible to Apple and Google and secret courts. What I suggest is simply to store a single "isAdult" bit on device, without revealing any identity, and make apps like the browser do the censorship on device, without sending any data to a website. The algorithm is as follows:

        if isAdult == 0 and website doesn't send a "safe-content" header, then:
            browser refuses to display content
        if isAdult == 0 and photo in a messenger doesn't contain a "safe-content" metadata, then
            photo viewer refuses to display content
        if isAdult == 0 and the app is not marked as safe, then
            app store refuses to download the app and OS refuses to launch it
    

    With my approach, you don't need to store your ID on your device, you don't need to send your ID anywhere, and website operators and app developers do not need to do anything because by default they will be considered not safe. So my solution's cost is ZERO for website operators and app developers. As a website operator you don't need to change anything and to verify the age.
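The fail-closed check proposed in the comments above, as an added sketch that is not part of the thread and not any real standard: a missing, duplicated or malformed header counts as unsafe. The `Content-Safety` syntax is taken from the sample value "US-14; GB-0" quoted earlier; the device fields `region` and `age` are assumptions.

```javascript
// Added example. "Content-Safety" and its "<REGION>-<minAge>" syntax come from
// the thread's sample value "US-14; GB-0"; this is not a real HTTP header.
// The device fields `region` and `age` are assumptions made for illustration.

// Parse a header value into Map(region -> minimum age).
// Returns null for anything absent or malformed; callers treat null as unsafe.
function parseContentSafety(value) {
  if (typeof value !== "string") return null;
  const ratings = new Map();
  for (const part of value.split(";")) {
    const m = /^\s*([A-Z]{2})-(\d{1,2})\s*$/.exec(part);
    if (!m || ratings.has(m[1])) return null; // malformed entry or duplicate region
    ratings.set(m[1], Number(m[2]));
  }
  return ratings;
}

// Decide on the device whether a response may be rendered.
function mayDisplay(device, headers) {
  if (device.isAdult === true) return true; // verified device: no filtering
  // Header names are case-insensitive; more than one copy is ambiguous, so deny.
  const values = Object.entries(headers)
    .filter(([name]) => name.toLowerCase() === "content-safety")
    .map(([, v]) => v);
  if (values.length !== 1) return false; // no header means "unsafe"
  const ratings = parseContentSafety(values[0]);
  if (ratings === null) return false;
  const minAge = ratings.get(device.region);
  if (minAge === undefined) return false; // not rated for this jurisdiction
  // Unknown age on a restricted device is treated as 0, the strictest case.
  const age = Number.isInteger(device.age) ? device.age : 0;
  return age >= minAge;
}

// Constructed sample responses and devices.
const rated = { "content-safety": "US-14; GB-0" };
const legacy = { "Content-Type": "text/html" }; // existing site, unchanged
const child = { isAdult: false, region: "US", age: 10 };
console.log("rated, US child of 10:", mayDisplay(child, rated));
console.log("legacy site, child:   ", mayDisplay(child, legacy));
console.log("legacy site, adult:   ", mayDisplay({ isAdult: true }, legacy));
```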

    • I think you misunderstood how the digital credentials api works. It keeps it in your phone’s secure element and lets you share just a “yes/no” proof like “over 18” without revealing anything else. It’s basically the cryptographically secure version of the isAdult bit you’re describing. It also has trust by cryptographically signing the proof and it can handle different jurisdictions.

Are social networks in Russia mandated to ask for phone numbers to login?

  • Every website is required by law to do phone verification or use another method that confirms real identity (for example, auth through a government services website or biometric data). As for social networks like Vk, they have required a phone number since long before the law changed.

    Also a phone number verification is needed if you want to connect to free WiFi in a subway or a bus or a train. Foreign phone numbers are often not supported in this case.

> Isn't it better than UK legislation?

Not at all, because SIM cards are bound to your real identity. So the government knows exactly which websites you visit.

  • I don't understand your comment, the government knows which sites you visit anyway because it can see the SNI field in HTTPS traffic.

    The main point is that the verification is done on the device. The device has a digitally signed flag, saying whether it is owned by an adult user or not. And the OS on the device without the flag allows using only safe apps and websites sending a "Safe: yes" HTTP header. The user doesn't need to send their ID to random companies, doesn't need to verify at every website, and website operators and app developers do not need to do anything and do not need to do verification - they are banned from unverified devices by default. It is better for everyone.

    Also, as I understand the main point of the Act is to allow removing the content the government doesn't like in a prompt manner, for which my proposal is not helpful at all.

    • > because it can see the SNI field in HTTPS traffic

      ECH (the successor to eSNI) is becoming more and more common and with Let's Encrypt soon offering IP certificates, any website will be able to hide their SNI.

      Digital verification exclusively on-device doesn't work because addons and alternative applications make it possible to bypass those checks. There's no credible reason to trust local software to protect the kids.

      The point of the Act is that the UK government no longer pretends to believe that the "I am 18 or older" checkbox is actually stopping anyone, and that there are no better alternatives. The public (in most democratic countries, not just the UK) doesn't want kids to be able to freely access porn the way you can now and the government is acting in the interests of the public here. If the tech industry had felt any responsibility, they would've been working on a solution to this problem somewhere in the last thirty or so years of internet pornography, but so far they've done nothing and are all out of ideas.

      The EU's reference digital wallet representation seems to be the best solution so far (though it's not finished yet and has some downsides as well), hopefully the UK will set up a similar (compatible?) programme so UK citizens can skip the stupid face scans and ID uploads.
