Comment by lambda
9 days ago
The whole point of the California/Colorado laws is to provide an alternative to that. The whole point is that it provides a privacy preserving way to provide a signal about whether someone is in a particular age bracket, without requiring any kind of third party ID verification.
I am so puzzled by everyone who objects so strongly to these operating system based opt in systems; all it does is provide for a way for a parent to indicate the age of a child's account, and an API for apps and browsers to get that information. If you're the owner/admin of a system, you get to set that information however you want, and it's required that it only provides ranges and not specific birthdays in order to be privacy preserving.
I had the same reaction as you this entire time until half an hour ago when I saw the second link in this comment: https://news.ycombinator.com/item?id=47382650
Meta being behind all of these efforts makes it incredibly suspicious, especially given the New York law is ridiculously more invasive than the California one. It sure makes it seem like there's likely a larger plan here that this is merely facilitating.
So I don't think I can still buy it at face value that California's version is a good-faith attempt to balance privacy and child safety, even if that's what it is in the eyes of the legislature, given who's actually behind it and what else they've been pushing for.
The larger plan is probably to avoid banning social media for under-18s
Or get another source of demographic data and suppress smaller competitors who can't comply with onerous regulation.
3 replies →
Just because Facebook supports it doesn't mean it's bad. They may not support it for the same reasons, they probably just don't want the cost and liability of doing identify verification themselves and so want to make sure all of the cost and liability is on the OS vendor.
Yes, the New York proposed law is far worse, and we absolutely should be pushing back against that. And Facebook doesn't care, because they only care about moving the liability onto the OS vendor, not on actual privacy.
But still, just because this was supported by Facebook doesn't make it bad. Sure, Facebook doesn't care about privacy, but they do care about not being liable for this, and in this case, they're right, it is actually much more efficient to centralize this function in the OS, and it happens that that way it can be done in a privacy preserving way as California's law shows.
> Just because Facebook supports it doesn't mean it's bad.
I didn't say just because Facebook supports a law that it makes it bad.
I said the fact that Facebook has been lobbying for such legislation across a ton of jurisdictions, that makes it suspicious.
I stand by that. This is suspicious, whether it's ultimately bad or good.
It doesn't make sense to move this function to the OS because so long as the OS remains under the user's control, any signal from the OS has no value because the OS reports whatever the user wants it to report.
At any rate, why legislate operating systems when all of the harm comes not from computers themselves but rather from certain websites? And there are already mature solutions for controlling access to specific websites. Client-side parental controls for internet access have existed for decades, dating back to Surfwatch from the Win95 era. A credit card requirement would also effectively impose an age filter.
1 reply →
> Just because Facebook supports it doesn't mean it's bad.
It definitely makes it more deserving of a closer look. I think that's undeniable.
> I am so puzzled by everyone who objects so strongly to these operating system based opt in systems
The government legislating APIs is an uncomfortable precedent given the culture wars that are raging right now. There seems little reason to expect this will stop here.
They are not legislating specific APIs. They are legislating that an API has to be provided, just like other laws legislate that you have to provide accessibility APIs, but the details of the APIs are left up to the companies.
I work in aviation, a highly regulated field. And that's a good thing. It does take some work to regulate well; there has been a migration in aviation to more prescriptive regulation about how things need to be, to less prescriptive like what the ultimate performance needs to be. But yeah, the aviation regulations aren't that you have to implement something a specific way, but that you have to be able to show that your aircraft has no more than a certain probability of catastrophic failure (where the probability varies base on certain things like the size and type of aircraft).
For this age verification law, all that is required is that there is an API provided for this purpose, and there is a way for the owner of the machine to set up user accounts with age information indicated, and that the APIs need to provide several rough age ranges, not specific birthdays.
Years later: "The current measures are a step in the right direction, but we have found them insufficient. We are now requiring the use of this specific proprietary binary blob for any action related to the verification process. It will conveniently run as a daemon so its exposed API will be accessible to any application that needs to query it, and it will automatically update itself so you don't have to worry about it, just set it up once and forget about it."
It might also include some additional text like "we have decided to collaborate with systemd to integrate this proprietary binary blob, to maximize the reach and eliminating any pains in the setup process caused by the vibrant ecosystem of package managers, while at the same time avoiding disrupting the development process of the Linux kernel".
4 replies →
What does "the government legislating APIs" mean? The ADA means every OS has to support screen readers.
BS. Does TempleOS support it? What about Plan9? MenuetOS?
Are these illegal operating systems?
Either you or someone else mentioned this talking point the other day, I asked for even a single example of an OS maker being sued over this successfully, and I got nothing.
1 reply →
I'm confused. What's the age definition of child? 12, 15, 18? Does this mean its against the law for children to install an operating system? What is the penalty for a child doing this and putting the wrong age or just doing it at all? What is the penalty for a parent or guardian of the child that does this? What happens to the parent or child if the child circumvents this control? Will child services be involved? Criminal penalties? Of course the only way to know an adult is the administrator is to tie the users government I'd to the account. Could this be done in some zero knowledge anonymous way? Sure, but I don't think it's likely. This seems to be the thin end of yet another wedge. The trend seems to be to be that we should be identified and survield every moment of our lives. The question is who does this surveillance serve? How much access do you have to your government or employer's data or advertisers or educators or ...? How does their access serve you?
Here's the law: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...
It requires that operating systems provide a way, at account setup, to specify the age or birthdate of a user, and provides an API for indicating which age range the user falls in (under 13, 13 to 16, 16 to 18, or over 18) to an application, so the application can use that information to comply with any laws or regulations relating to the age of the user.
It doesn't make any requirement that the parent actually truthfully put that information in. It doesn't require that anyone verify the information. It doesnt provide for any requirement that a child not set up a user themselves. It explicitly calls out that there is no liability on any of the parties if one user uses a computer under another user's account.
So all it's doing is saying that there must be a reasonably accessible mechanism for a parent to indicate a child's age so that rough information about which age range the child is in can be provided.
Now, is it perfect? No.
It does seem a bit over broad as there are lots of things which be classified as computers uner this, like routers, smart TVs, graphing calculators, cars, etc. Having to provide account setup with age and an API to accesss it in all of these environments could be a bit of a lift in the time frame given. And it doesn't leave a lot of time for something like standardization of Unix APIs between operatings systems, so for systems not running graphical environments I'm sure we're going to get a bunch of different solutions from different OSes as everyone sticks it in a different place and provides a different way to access it. And this would need to be a new feature added into long-term supported maintenance releases operating systems.
So yeah, could it have been done better? Yes. Is it likely that they are actually going to fine OpenWRT developers if they don't implement this? I doubt it; it's pretty clear that the legislative intent is desktop and phone OSes, and other mass market consumer oriented devices that might offer app stores.
So yeah, I see some issues, but overall this seems like the right way to do things; just provide a way for parents to set an age on their children's account, and then provide that to any apps that might need to do age verification. That's it.
You put a lot of effort into understanding it. Will Docker images need API passthrough? Will Debian need to solve its location for the purposes of deciding its legal exposure?
I don’t see why we should burden OSes this way. An App Store does all that better.
That's a very long list of questions, most of which you wouldn't need to ask if you spent ten minutes reading the law. And the rhetorical point you seem to be working toward is much less effective when more than half of those questions evaporate.
> I am so puzzled by ...
Because it's inverted. If it's opt in on the parent's part anyway then there's no reason to send additional information along with the request. The service should rather send additional information about content categorization alongside the response.
So what reasons can you imagine for it to be designed in such an obviously unnecessary way?
That design would require websites to have separate sections per age bracket.
No more or less than sending age information or registering an ID does. In all cases they must track content classification at some granularity (individual resource, single page, subdomain, some other scheme) and act on that information. The only thing that varies is how they act.
5 replies →
This holds true until you pass to the next age bracket for the first time.