Comment by mgfist
6 days ago
It should be externalized to a degree. Facebook shouldn't be the ones verifying age, but there should be a trusted 3rd party service that does that, which just tells facebook "yes this user is old enough to use your service" or "no they're not old enough".
It abso-fucking-lutely should not be at the OS level though, for so many reasons. Even the implementation alone would be a nightmare. Do I need to input my ID to use a fridge or toaster oven? Ridiculous.
Or, and hear me out, _maybe our computers shouldn't spy on us in the first place_?
Once you force OS to communicate data about the user, here we’re talking age, is it a slippery slope? Once the architecture is created, why not put other things about you in there?
So which situation do you want instead of anonymous age verification:
A) 18+ content is behind a pinky swear
B) 18+ content is behind a parental control (what this bill would do)
C) The internet can't have 18+ content anymore
D) Some other system? Please describe it.
(A), honestly.
You might think you can keep 16 year olds from looking at porn, if they want to. You can't. You have never been able to. All you can do is teach them that the law is stupid and pointless, and they should treat rules with contempt. But they'll still be able to look at porn.
What you can do is allow the government and private companies to track everyone, everywhere, all the time. And you can create more gatekeepers that hold personal identity data, misuse it, and leak it.
25 replies →
A), which is the status quo. I don't see any other option as realistic.
B) makes things worse in several ways, but primarily by stifling innovation. Only large incumbents will have no trouble paying for the measures required to ensure compliance.
There's also the cost of enforcement, which will likely have to be borne by the taxpayers. I don't think this is a good thing to spend money on.
C) cannot be enforced, and any good faith attempts will cost more than the damage from harm they're supposed to prevent.
12 replies →
Does "the government doesn't get to decide what people can look at on the internet" count as C or D to you? It is the situation we've been in technically for 20 years now anyway; the world hasn't ended and it generally seems to be pretty workable. The status quo isn't an especially radical one.
2 replies →
What about every other system where we rely on parents to parent?
Kids can turn apple juice into wine in their closet
they can drive their bicycle to a drug dealer
they can rub a butter knife against the sidewalk until it's pointy
Do we need govt AI cameras in kids closets and on their bicycles? How do we verify they're cycling somewhere safe? How do we make sure they're not getting shitfaced on bootleg hooch they made with bakers yeast and a latex glove?
3 replies →
D) Parents take sole responsibility for this.
C and D, combined. New internet for kids-only. This internet would be WHITELIST only. We would not be wack-a-mole trying to catch porn sites (sigh...)
Rather, companies would have to submit a formal proposal to get their website listed on Kid Internet. This inverts the responsibility. It's not my cost, or your cost, it's their cost now. If they want kids, they better prove it.
Then, you can trivially configure your router or any computer, with any operating system, to use the Kid Internet DNS. It's now completely operating system and device agnostic. It can be organizational wide with the flick of a switch. It can be global, if we want.
The proposal we're seeing here is bad, bad, bad. Not just for privacy reasons, but because it will not work. Not might, will. This will not work. For many reasons:
1. Most operating systems are not going to implement some stupid ass bullshit.
2. Most websites do not give a single fuck. Porn websites will not care. Trying to play wack-a-mole is ALWAYS a losing game, no exceptions.
3. This is trivial to bypass.
4. If it's not trivial to bypass, it still will not work, but it will now be the end of computing as we know it.
8 replies →
D) Parenting
4 replies →
>A) 18+ content is behind a pinky swear
Things were way, way, way sketchier in like 2005 than they are now and those people turned out mostly fine.
E. Platforms that want to serve violent, sexual, predatory, scammy, snake oil content in the most addictive way possible to exploit minors and other vulnerable populations for profit should save some of their revenue for lawsuits when they hurt people. Hold products that cause harm responsible.
1 reply →
The Illinois bill is not about 18+ content. It's about controlling who your children can talk to on social media. The OS age check is just a means to that end. The end is blatantly unconstitutional. The bill of rights doesn't mention age limits. Freedom of assosiation applies to kids just as much as it does to adults. If the bill passes, then any racist parent could block all comms from kids of a different color for example.
2 replies →
E) parenting
A. Not even a thought required.
The spin control on this story is intense. Saying that it's "just parental controls" when we've had fscking parental controls since the 1990s is disingenuous as hell. Obviously it's something new, but that's really all they have got to try to spin it back into their favor.
Every system intended to protect children ends up patronizing everyone as a child.
Protect people's rights and don't get tricked in to giving them up just cause someone has a story about a child.
I'm reminded of a video essay I watched about AI once, which took a side tangent into surveillance capitalism:
"Google's data harvesting operation became a load bearing piece of the Internet before the public understood digital privacy. And now we can't get rid of it."
The public has been conditioned to expect web services free at point of use. Legitimately it's hard to monetize things like YouTube without ads, and I get that. But turning our entire ecosystem of tech into a massive surveillance mini-state seems like an astonishingly shitty idea compared to just... finding a way to do advertising that DOESN'T involve 30 shadowy ad companies knowing your resting blood pressure. My otherwise creative and amazing industry seems utterly unwilling to confront this.
Edit: Like, I don't know, am I crazy for thinking that simply because we can target ads this granularity, that it simply must be that? I get that the ad-tech companies do not want to go back to blind-firing ads into the digital ether on the hope that they'll be seen, but that's also plus or minus the entirety of the history of advertising as an industry, with the last 20 or so years being a weird blip where you could show your add to INCREDIBLY specific demographics. And I wouldn't give a shit except the tech permitting those functions seems to be socially corrosive and is requiring even further erosion of already pretty porous user privacy to keep being legally tenable.
You are not crazy for thinking that.
However it appears that it takes pretty disasterous consequences for us to be able to walk anything back.
Society won’t delay reward now for future good on its own. Even if one person will, there’s a line of people who will step in to pollute the lake or kill the whales for a bag of money.
It will just decay until it’s a short squeeze into oligarchy or worse (the corrupt will be forced into an arms race of accelerating corruption as opportunity becomes scarce). Then some other country who isn’t leaving it up to their society to do the right thing will be in charge. Until the same happens to them.
This is the value of religion historically, one of the few ways of coercing a population into doing the right thing for their own good. But every group can be spoiled or hijacked by a small handful of bad actors who are willing to do what others are not.
It's not the gun that kills. It's not the computer that spies.
Agreed! We shouldn't be because wouldn't we go to jail for shit like that if it were you or I?
“Impossible to get a man to understand a thing, when his paycheck depends on his not understanding it.”
> It should be externalized to a degree.
Why?
We don't externalize age verification when buying alcohol or visiting the strip club. It's on the responsibility of those establishments to verify age.
In those in-person contexts, the identification document is still externalized - they're checking a government-issued photo ID in the vast majority of situations.
It works for the in-person context because it's a physical object, making it easier to control access to it. A high resolution picture of the same ID is a privacy problem as it can be copied, shared, transferred, etc without the knowledge of the ID holder.
[dead]
> Why?
I think that main goal would be to keep the ability to have accounts be anonymous or pseudo anonymous.
If social mean company has to verify an accounts age themselves they then have to use some for of official government identification and with that any chance of anonymous or pseudo anonymous access.
Facebook has less than zero interest in allowing people to use their platform anonymously. They very much want to know everything about their users including their age and they would never back a law that would stop them from collecting that data. Now that you know that facebook isn't pushing this law to protect anyone's anonymity why do you think they're doing it?
5 replies →
Do we make contractors do age verification on their supplies when building a liquor store or strip club? The OS is a tool used by Meta, just like the utilities and the compute itself.
Meta Apps can have age verification but it should be at the point of service, not the supply chain.
And even if we were to agree to this, uploading your IDs to an untrusted third party is asking too much.
uploading your IDs to an untrusted third party is asking too much.
So have the government do it? They already know who we are and when we were born.
13 replies →
Very good point. But there are businesses that are via the barcode on the back of the license. They're using machines to validate and do who knows what with that data.
I'm surprised that people think this is some new 'save-the-children' thing ? Didn't Zuck say like 10 years ago, you should not be allowed to be anonymous on the internet ? This just seems on-brand at this point.
A different approach that would keep incentives properly aligned is for Facebook (et al) to publish labels in website headers asserting the age (and other) suitability of content on various sections of the site. It would then be up to client software (eg a browser) to refuse to display sites that are unsuitable for kids on devices that have been configured for kid use.
As there has been a market failure for decades at this point, it would be reasonable to give this a legislative nudge - spelling out the specific labels, requiring large websites to publish the appropriate labels, and requiring large device manufacturers to include parental controls functionality. The labels would be defined such that a website not declaring labels (small, foreign, configuration mistake, etc) would simply not be shown by software configured with parental controls, preserving the basic permissionless nature of the Internet we take for granted.
But as it stands, this mandate being pushed is horribly broken - both for subjecting all users to the age verification regime, and also for being highly inflexible for parents who have opinions about what their kids should be seeing that differ from corporate attorneys!
Except none of these bills (California or the one in question) as currently written require an ID to actually be verified, merely that the user provide an age. This seems intentional as it's seems to solve the user journey where a parent is able to set a reasonable default by simply setting up an associated account age at account creation. It's effectively just standardizing parental controls.
I think this is a reasonable balance without being invasive as there's now a defined path to do reasonable parenting without being a sysadmin and operators cannot claim ignorance because the user input a random birthday. The information leaked is also fairly minimal so even assuming ads are using that as signal, it doesn't add too many bits to tracking compared to everything else. I think the California bill needs a bit of work to clarify what exactly this applies to (e.g. exclude servers) but I also think this is a reasonable framework to satisfy this debate.
I've seen the argument that this could lead to actual age verification but I think that's a line that's clearly definable and could be fought separately.
Kids aren't stupid. They'll just create another account when they're old enough to figure it out. They'll tell their friends how to do it and the rest of us will be stuck with these stupid prompts forever like it's a cookie banner.
Actually given boot chain protection, this will probably get harder as time goes on but even assuming some kids are able to, this is clearly definable as a user error: the fault lies with the kid and as a parent you need to think about your threat model.
Right now, it's not even clear how to create parental controls at a reasonable level so there's no clear path for what to do or how to respond.
Maybe we can agree that if you're mature enough to hack your own phone, you're mature enough to see a nipple. Why am I rate limited though? Dang must hate this opinion.
1 reply →
I don't think "real" age verification with ids is immune to this either. (kids paying an adult to get an id for it or fooling an ai classifier, whatever).
Basically unsolveable, so why worry about that edge case? Kids will always get through to some adult content somewhere. A token system will make parents feel better in the meantime.
It gives the parents the tools to age restrict things, but does not require parents to use them or use them well.
From a parent's perspective, that's the great part about bubbling it up to the OS user account level.
Its trivially easy to see if the user (child) has indeed created multiple OS level user accounts with different permission levels if you want to spot check the computer.
You'll see it on first startup and then you can have "a chat". With Guest account access disabled, spawning a new account on a computer takes 2-3 minutes, will send emails and dashboard notices to the parent.
Its very much near impossible to verify that the child is not just going to Facebook etc. and using separate accounts and just logging out religiously.
That said I wish Apple/Microsoft/Google had more aggressively advertised their Parental Control features for Mac/Windows/ChromeOS as a key differentiator to avoid Ubuntu/Open Source distros from having to implement them.
4 replies →
So you're advocating for stronger and more invasive controls?...
I think this is a sensible compromise. It gives parents more control than before without relying on shady third-party software or without turning every platform into a cop. Yeah, it also aligns with Meta's interests, but so what?
The age attestation solutions pursued by the EU are far more invasive in this respect, even though they notionally protect identity. They mean that the "default" internet experience is going to be nerfed until you can present a cryptographic proof that you're worthy.
1 reply →
I mean on a UNIX OS you could make it yet another group the user needs to be part of. Like the group for access to optical media or for changing network credentials. Whether the child gets root access is on the parent, but that is like with anything else. A child can get around this, but it means finding and exploiting a 0-day on the OS. If they are able to pull this of I would congratulate them.
4 replies →
I don’t care if it’s part of the user setup, but make it an App Store dotfile. Don’t issue fines to Debian for offering a Docker image without a user setup script.
Yeah, let's just boil the frog here. Makes sense.
Except how is this done on GNU/Linux or FreeBSD or Haiku? Who's going to implement it, who's going to ensure it can't be bypassed and who's going to be responsible if it's not?
I agree. There is a real drive to catastrophize here but so far, none of the bills actually take any steps to prevent users from lying about their age.
[flagged]
I want to be able to hire a licensed Identity Service Provider that gets all of my verified identity data in an encrypted token and let me register it with the OS, and control what amount of the data I expose to apps, with age verification being one of the lower levels of access.
I pay the company to verify me, I am their customer. They take on the liability of the OS makers and app makers of age verification.
If you have a valid token signed by a licensed IDS that verified your age in your OS, that's all anyone needs to know.
> trusted 3rd party service
So we have to pay some 3rd party service to hoard information about Children? Why we want to set that up? Why would we want to take that power from the parents and give it to some company?
> Facebook shouldn't be the ones verifying age
So, they want to profit off children, but do nothing to protect them?
> but there should be a trusted 3rd party service that does that
Gee, if only Facebook would use their incredible might to create this, rather than trying to rob our representative government from underneath us.
> It abso-fucking-lutely should not be at the OS level though
It's not my problem. It shouldn't involve me at all. I don't use social media and I think if you let your kids on there unsupervised you have a screw loose.
If social media, alcohol, drugs, gambling, phones are so, so, so bad for children. Just ban them from children.
We were completely fine 30 years ago without any phone. They will survive. They will probably thrive because now they have to learn how to hack the system.
Instead, we just give them everything they need and all the thinking they do is scrolling.
On the 50's, it is incredible the proctective bubble that gets pushed around in some countries nowadays, externalizing all responsabilities.
I guess the point is: delegate to kernel, then “oh, people with root can bypass with modules? Secure Boot!”
And then only trusted devices with an “acceptable” posture and valid manufacturer attestation can participate! Hellscape.
This is exactly what will happen.
The porn industry already figured this out and it’s super simple. Requires zero personal information.
https://www.rtalabel.org/index.html
And just which third party do you trust with your identity?
The trusted third-party is, in part, meant to be a society of responsible parents.
Yea, it's called Mom & Dad.
> but there should be a trusted 3rd party service that does that
No, there shouldn't be any such thing; everyone pushing for any shape of this should just bugger off.