Comment by xp84
13 days ago
I do like the idea of the “this is a child” taint (ok, terrible name but I really think it should be a near-unremovable thing on a platform like Apple’s that’s so locked down/crypto signed etc).
Like, you’d enroll it by adding a DOB and the computer/phone/etc would just intentionally fail all compatible age checks until that date is 18 years in the past. To remove it (e.g. reuse a device for a non-child), an adult would need to show ID in person at Apple.
Government IDs could be used to do completely privacy preserving, basically OpenID Connect but with no identifying property, just an “isEighteenOrMore” property. However, i agree it’ll never happen in the US because “regular” people still don’t know how identity providers can attest without identifying, and thus would never agree to use their government ID to sign into a pornsite. And on top of all that yeah nobody trusts the government, basically in either party, so they’d be convinced the government was secretly keeping a record of which porn sites they use. Which to be fair is not entirely unlikely. Heck, they’d probably even do it by incompetence via logs or something and then have people get blackmailed!
When I played an MMOG, if the admins found out that a child was underage, it was customary for them to suspend their account until their 13th birthday. I thought this was a clever policy, but I just can't understand the reverse of authenticating someone's age based on that of their account...
This assumes people are putting in their real birthdays, which IMO is a terrible practice to encourage.
I never put in my real birthday. It's just one more datapoint to leak in an inevitable hack and help scammers exploit me.
Just because a website sticks a field on a form, doesn't mean you need to fill it out.
I can think of maybe 1 website I use that has a legitimate use to know this info about me... and a dozen that use my fictious birthday for no other purpose than an excuse to market at me under the shallow guise of a 'Happy Birthday' email.
There are many websites that believe I was born on January 1st, in a year close to my actual birth year.
When it's actually required by some law or regulation (e.g. financial stuff) I give my actual birthday. But when some site is just wanting to comply with age verification? Yep, I'm over 30, so you don't need to see my identification. (Jedi hand wave).
2 replies →
They were not, actually.
IIRC, it went like this: the account creation screen prompted them for a birthdate. They entered a fictitious one and pretended to be over 13. (I saw my niece do this in front of me, and I just sighed a very heavy sigh. She was way more interested in Club Penguin.)
Then later, they let the cat out of the bag. They tell their friends "lol I'm only 10! Today's my birthday, so give me a hat!" or something. And so if they claimed they're 10 they got 3 years suspension.
I think there was never any verification done, and no verification was possible: think about it, under COPPA, a service in the USA cannot collect PII from children under 13, so what do you do when a kid gives you two contradicting datapoints? Err on the side of caution.
I gave Yahoo! a false birthdate when I signed up. I was 27, but I also just felt they weren't entitled to knowing it. However, I soon found that maintaining a fraudulent identity is tiresome and error-prone. And Yahoo! wouldn't let me simply change my birthdate as often as I wanted to.
I once had a conversation with a friend about cheating on IRS taxes. She said "can you lie to a piece of paper?" like fudging numbers wasn't like lying to an auditor's face. It was a rhetorical question, of course.
2 replies →
Exactly, that's the problem: with OIDC the ID provider gets to know which sites you visit. That is unavoidable given how the protocol works. And you don't want to give all that information to the government in the first place.