Comment by simoncion
20 hours ago
Okay? That is not parental controls that are
[L]egally require[d] ... to be effective and easy-to-use-if-you-take-a-few-minutes-to-read-the-instructions.
Additionally, I expect that -due to kids lying about their ages- within five or ten years, the regs will have "graduated" from self-attestation to ID and biometrics collection. It's likely that other states will require that sort of collection much sooner, causing every US-based company to do that regardless of the existence of less-invasive regs.
Like, seriously... if "the kids can lie about their age and there are no consequences for lying" is the bar you want to set, just do the 1990's thing where sites and programs have a "Warning! This might not be suitable for kids!" page/screen that has a checkbox that the kids can check or button that they can press that lets them lie that they're over-seventeen and grants them access.
I'm not the biggest fan of the current age verification schemes, but I don't think the idea kids can lie about their age differs in the threat model posed under either system. Presumably, under the law, parents would be the ones to create a child account with a non-editable-by-the-child-account age fields which would then be used as a legal source of reference. If you assume the child can create an account without such features or can edit the age themselves, then I don't see why the equivalent threat model in the parental control system would be giving the child control over the parental control toggles rendering it meaningless by simply disabling it.
That being said, age based restrictions isn't a fine grained control over the system as perhaps one would like but that also would be inherently more complicated to think about from a legislative perspective (e.g. how fine grained and how to categorize possible dangers) and user control perspective when it looks like a lot of parents are looking for a blunt generic button that basically goes "this is agreeable with general practices". This seems more or less how real systems are gated.
The other issue is that both present privacy challenges but this just a little more so from a fingerprinting perspective. Presumably you need quite a few bits to completely specify the filter whereas age is only a ~1.58 bit field in the CA model. Not really sure how much this matters when there are so many other signals for fingerprinting and we should probably make fingerprinting from it illegal but just some thought.
> Instead, what we get proposed is a system that cares very much about how old you are, and not one bit about the things that one's guardian understands one needs to be protected from.
Regarding your linked comment, I think it's a bit strange to say that if legislators really did care about child safety they would mandate fine grained controls instead. I'm not sure what additional fine grained factors you may be thinking of precisely, but we already use age as a gate in real life for many things we consider dangerous so it's quite natural for legislators to transpose those. Our laws already very much care about how old you are.
> I'm not sure what additional fine grained factors you may be thinking of precisely...
Read [0] and consider the array of specific things that a guardian may wish to protect their ward from. Make sure to make your list cover children of all ages as well as adults with a wide array of cognitive impairment.
> That being said, age based restrictions isn't a fine grained control over the system as perhaps one would like but that also would be inherently more complicated to think about from a legislative perspective...
So? Legislative or regulatory restrictions on human behavior must be as restrictive as required to achieve the stated goal, and not significantly more. The courts are especially concerned about this when it comes to restrictions on speech. If a set of legislators need to sit with something for a quarter or two to understand it well enough to properly regulate it, then that's what they're getting paid to do.
> ...when it looks like a lot of parents are looking for a blunt generic button...
You can have preset lists of categories to block in a system that doesn't care at all what your age is. Surely you know that.
> Presumably, under the law, parents would be the ones to create a child account with a non-editable-by-the-child-account age fields...
The California law has no such requirement. Go read it, it will only take like ten minutes. [1] My summary of it as "the kids can lie about their age and there are no consequences for lying" is not even a little bit unfair.
> Our laws already very much care about how old you are.
The identity-verification systems we're talking about didn't exist twelve months ago. These are new systems being designed in a world in which it's trivial to have a centralized database that contains dossiers of all of everyone's customers everywhere. [2] Nearly all other regs that restrict based only on age were written in a world where that was either impossible, or extremely expensive and time-consuming.
Even if that weren't true, all one needs to do to see how these regs will be actually interpreted by most businesses is to look at all of the companies that are preemptively requiring upload of live video, pictures of one's face, pictures of one's government-issued ID, and/or deep analysis of one's activities with their systems. No US state requires any of that, but it all got slammed in when legislators started talking about doing age-based restriction of Internet services.
Had legislators clearly said "We're going to be designing and enacting laws that require designated guardians to be able to prevent their wards from engaging in guardian-selected categories of activities. We want every guardian to be able to protect their wards, regardless of the age of those wards.", you'd see companies building and deploying very different systems.
[0] <https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...>
[2] Am I saying that there exists a centralized database of all of everyone's customers everywhere? Absolutely not.