← Back to context

Comment by simoncion

20 hours ago

> This is literally what California did with the Digital Age Assurance Act, AB1043.

There's apparently information that you didn't read contained in the footnote of the comment you replied to.

Based on this layman's reading of the law, [0] California did literally the opposite. They require major OS vendors to require users to enter their birthdate or indicate in some other way their current age, and then require programs and websites to act on that age information. This is entirely different from requiring major OS vendors to allow a "guardian account" to set fairly-fine-grained restrictions on one or more -er- "ward accounts", and then requiring programs and websites to refuse let the "ward account" do the things that those restrictions say that it isn't permitted to do.

"Restrict by age" neither accounts for precocious under-eighteens, nor does it account for vulnerable elderly or otherwise brain/developmentally-damaged adults who need protected. And because "restrict by age" cares very much about your age, and because it's not going to work nearly as well as promised by those pushing it, it will inevitably require scans of both a photo ID and one's face and/or other biometrics.

A "you don't need to know anything about this account other than that these are the things it's not supposed to be able to do" system gives zero shits about the identity of a person, so there's no plausible path for it to gate access behind submission of any identifying documents to any third party.

[0] <https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...>

It requires you to enter a birth date which is not required to be your birth date. In case of a conflict between the age verification birth date and any other birth date, only the age verification birth date may be used for age appropriateness checks.

  • Okay? That is not parental controls that are

      [L]egally require[d] ... to be effective and easy-to-use-if-you-take-a-few-minutes-to-read-the-instructions.
    

    Additionally, I expect that -due to kids lying about their ages- within five or ten years, the regs will have "graduated" from self-attestation to ID and biometrics collection. It's likely that other states will require that sort of collection much sooner, causing every US-based company to do that regardless of the existence of less-invasive regs.

    Like, seriously... if "the kids can lie about their age and there are no consequences for lying" is the bar you want to set, just do the 1990's thing where sites and programs have a "Warning! This might not be suitable for kids!" page/screen that has a checkbox that the kids can check or button that they can press that lets them lie that they're over-seventeen and grants them access.

    • I'm not the biggest fan of the current age verification schemes, but I don't think the idea kids can lie about their age differs in the threat model posed under either system. Presumably, under the law, parents would be the ones to create a child account with a non-editable-by-the-child-account age fields which would then be used as a legal source of reference. If you assume the child can create an account without such features or can edit the age themselves, then I don't see why the equivalent threat model in the parental control system would be giving the child control over the parental control toggles rendering it meaningless by simply disabling it.

      That being said, age based restrictions isn't a fine grained control over the system as perhaps one would like but that also would be inherently more complicated to think about from a legislative perspective (e.g. how fine grained and how to categorize possible dangers) and user control perspective when it looks like a lot of parents are looking for a blunt generic button that basically goes "this is agreeable with general practices". This seems more or less how real systems are gated.

      The other issue is that both present privacy challenges but this just a little more so from a fingerprinting perspective. Presumably you need quite a few bits to completely specify the filter whereas age is only a ~1.58 bit field in the CA model. Not really sure how much this matters when there are so many other signals for fingerprinting and we should probably make fingerprinting from it illegal but just some thought.

      > Instead, what we get proposed is a system that cares very much about how old you are, and not one bit about the things that one's guardian understands one needs to be protected from.

      Regarding your linked comment, I think it's a bit strange to say that if legislators really did care about child safety they would mandate fine grained controls instead. I'm not sure what additional fine grained factors you may be thinking of precisely, but we already use age as a gate in real life for many things we consider dangerous so it's quite natural for legislators to transpose those. Our laws already very much care about how old you are.