Comment by codedokode

17 hours ago

I don't understand your comment, the government knows which sites you visit anyway because it can see the SNI field in HTTPS traffic.

The main point is that the verification is done on the device. The device has a digitally signed flag, saying whether it is owned by an adult user or not. And the OS on the device without the flag allows using only safe apps and websites sending a "Safe: yes" HTTP header. The user doesn't need to send their ID to random companies, doesn't need to verify at every website, and website operators and app developers do not need to do anything and do not need to do verification - they are banned from unverified devices by default. It is better for everyone.

Also, as I understand the main point of the Act is to allow removing the content the government doesn't like in a prompt manner, for which my proposal is not helpful at all.

> because it can see the SNI field in HTTPS traffic

ECH (the successor to eSNI) is becoming more and more common and with Let's Encrypt soon offering IP certificates, any website will be able to hide their SNI.

Digital verification exclusively on-device doesn't work because addons and alternative applications make it possible to bypass those checks. There's no credible reason to trust local software to protect the kids.

The point of the Act is that the UK government no longer pretends to believe that the "I am 18 or older" checkbox is actually stopping anyone, and that there are no better alternatives. The public (in most democratic countries, not just the UK) doesn't want kids to be able to freely access porn the way you can now and the government is acting in the interests of the public here. If the tech industry had felt any responsibility, they would've been working on a solution to this problem somewhere in the last thirty or so years of internet pornography, but so far they've done nothing and are all out of ideas.

The EU's reference digital wallet representation seems to be the best solution so far (though it's not finished yet and has some downsides as well), hopefully the UK will set up a similar (compatible?) programme so UK citizens can skip the stupid face scans and ID uploads.

  • > Digital verification exclusively on-device doesn't work because addons and alternative applications make it possible to bypass those checks.

    The OS on a device with "isAdult == false" would only allow installing apps from an app store, which are marked by developers as "safe". Alternative apps which do not respect the isAdult bit won't be marked as safe and cannot be installed from an app store. And sideloading or bootloader unlocking, of course, will be disabled if the phone has "isAdult == false". There is no simple way to bypass this protection, even for a skilled adult, because modern OSes are closed-source and digitally signed and you don't have the source code or private key.

    > The point of the Act is that the UK government no longer pretends to believe that the "I am 18 or older" checkbox is actually stopping anyone, and that there are no better alternatives.

    The better alternative is an "isAdult" bit that is stored on the device, cannot be changed by the user, and is respected by the OS and white-listed apps. It doesn't require sending one's IDs or photos of one's face anywhere. It is better in every aspect and requires ZERO costs from website operators and app developers for compliance. The only ones who will bear the costs would be OS developers, like Apple or Microsoft, who have a lot of money and engineers to implement this.

    > The point of the Act

    I glanced through the overview of the Act and it seems that the main point is in letting the government (Ofcom) remove online content promptly without long procedures.

  • > If the tech industry had felt any responsibility, they would've been working on a solution to this problem somewhere in the last thirty or so years of internet pornography, but so far they've done nothing and are all out of ideas.

    OS developers like Apple and Microsoft, and hardware vendors simply don't want to spend money on what gives them no returns.

  • Also, the current UK Act divides websites into categories and has different content moderation requirements for them. With my approach, all websites that do not mark content as "safe" would be blocked by default, which is much safer and leaves no loopholes.

What about open source browsers that don't respect this convention?

  • In the case of a smartphone, you will be able to install only white-listed apps from an app store on an unverified device, so you won't be able to install such a browser. As for PCs, Windows might also prevent sideloading on unverified devices.