The reason is that this whole push for age verification is nothing to do with actually stopping kids seeing the content. If it was then this kind of solution would be being legislated for. It’s just about making everyone identifiable.
> The reason is that this whole push for age verification is nothing to do with actually stopping kids seeing the content.
The reason that mainstream politicians are pushing is because the public wants something done to protect their kids.
Are there likely to be bad actors pushing for it for nefarious reasons as well? Sure.
Are the 'solutions' inadequate and often tech- and privacy-illiterate? Absolutely.
Is the entire impulse to demand that government 'fix' this issue wrong? Maybe.
But the idea that this is all a smoke-screen from top to bottom needs to die. Not just because it's wrong, but because it's also unhelpful. If you wade into the debate saying "It's all a lie, this was never about the kids!" you're easily dismissed as a nut and an absolutist who doesn't appreciate that real people want their real kids to be protected.
Yep, and the tech companies had years to address these concerns and did not, so now the creaky gears of government regulation are turning. They (meaning YOU, a lot of tech company employees who are now outraged about this) could have headed this off years ago and provided a solution on their own terms.
So, why are those "real people" actually not willing to do their job? I am so pissed with parents who think the government is supposed to solve their own inability to raise a child.
Well for a start not all of them are very tech savvy, and we've built a world in which tech is essential to their day to day lives, including for their kids.
If school demands the kids have a variety of devices to do their work, and they have no idea how to lock those down to exclude (for example) social media services that we know have been designed to be as addictive as possible, can you not see why they might want someone to intervene?
(edit: Beyond that there are also tons of bad reasons, I'm not going to try and justify them. There are a lot of bad parents and just in general people who are not firing on all cylinders out there. And many of them absolutely love a government regulation to be brought in for just about anything.
We can and should argue with these people and point out why they're wrong. But saying it's "nothing to do with actually stopping kids seeing the content" fails here too.)
Right. I submit we are solving the wrong problem. Just establishing age verification doesn't magically make these vast amounts of bad parents good parents. There is a ton of other things they can and will fail at, which their kids have to absorb. If we really cared about those kids, we'd have to reconsider a lot of things. And I know what I am talking about, had to grow up with an undiagnosed ADHD+anxiety mother. It was hell. And even 30 years after I moved out, she still can't see what she failed at and continues to fail at. Age verification wouldn't have helped me. MAKING her seek treatment might have helped.
No argument here, I'm not saying they're right to demand that age verification is brought in to protect kids, or that we should give up privacy etc etc.
But coming at it from the angle that "It was never about protecting kids!" is itself incorrect and unhelpful to the debate.
It can be true that kids need to be protected, this (or some variation of it) is a good way to protect kids, therefore it's going to pass, and nefarious interests found a way to insert themselves into the process and piggyback off the efforts to increase real protection of real kids in order to also spy on the kids.
If you want to reject the nefarious actors you have to separate them from the other goals that are reasonable and sorely needed. If you treat it as a whole package, you'll fail because those other goals are too important not to try to achieve, and the package is going to get passed. If you separate them, we can advocate for the pretty sensible California-style law where it's a flag on your user account that root can change, instead of the utterly insane New-York-style law where you have to scan your face every time you open your phone.
If public school is supposed to be free, the school should supply the required devices and take on the burden of securing those devices.
For private schools, the parents are more involved in the first place, but I would expect them to also have guidance for parents to help the less tech savvy among them.
We expect every other consumer product/toy that kids are intended to use to be safe by default. This is like asking why parents shouldn't be responsible for testing all their kids toys for lead paint.
Yet when it comes to internet/social media technology, it's suddenly a parenting failure if they don't pre-vet every platform and website and device before allowing their kids to use it.
As a society, we collectively protect kids from stuff they aren't ready to handle. We don't let them gamble, or buy alcohol, cigarettes, or porn. For the most part, everyone buys in to this and parents can pretty much count on it. Are there exceptions? Sure, but they create scandals and consequences when they are discovered.
But social media and content platforms didn't feel that they had any social obligations. They did not honor this societal convention to keep inappropriate content away from kids. And the top people at these companies actually don't let their own kids use the platforms, they know how harmful they are and they know about all the addictive hooks and dark patterns of engagement that are baked into them.
We don't just assume every book and movie and telephone call are intended to be safe for kids by default. Why should we expect the internet to be like that?
The public largely wants whatever the media tells them to want and the media in turn tells people to want whatever the same bad actors want them to want.
If it is about making everyone identifiable how come California's version doesn't require providing any identifying information when setting it up on a child's device?
Because "making everyone identifiable" isn't an explicit design goal. Rather it is merely an implicit imperative (of Facebook et al, who are pushing these laws) that casts its shadow over the design. That shadow is what results in a design based around sending identifying information from the client to the server. Once this dynamic is normalized, servers will demand ever-more identifying information and evidence that it is correct.
Note that this design does the exact opposite of giving parents control to protect their own children - rather it puts the ultimate decision making ability into the hands of corporate attorneys! For example, we can easily imagine a "Facebook4Kidz" site that does the bare legal minimum to avoid liability for addicting kids to dopamine drips, and no more. Client side software based around RTA headers would allow parents to choose to filter things like that out, whereas when the server is making the decision it's anything goes as long as the corporate attorneys have given it the green light.
As you've stated it, sure, for now. The point is that the dynamic is being set - the number of information-leaking security vulnerabilities in browsers should be headed downwards, not being increased with legislation.
But also, does the California law actually prohibit Faceboot from locking your account and requesting "extra documentation" including government IDs and whatnot? That would be news in its own right.
>If it was then this kind of solution would be being legislated for.
What's more likely: a global conspiracy to get age verification passed to allow these unnamed groups to identify everyone for some unknown purpose, or politicians just not understanding tech?
The way people try to pretend that there can't be any organic desire for these proposals is so bizarre and is a major cause for all these proposed solutions being so technically dubious. Refusal to recognize the problem means you won't be part of solving the problem.
You do realize that for whatever reason more and more people in government positions are on the path of authoritarian agendas? It's a pretty important topic right now. All of this privacy related stuff is happening in quick succession.
I mean I cannot believe I have to post these, but here we go:
Your argument has two main flaws. First, it relies on an inherent connection between age verification and authoritarianism that is just taken for granted as true. Meta could easily be in favor of age verification because it reduces their liability and raises the barriers to entry for potential competitors. It doesn't inherently have to be authoritarianism.
But more importantly even if that connection is true, your argument relies on the current proposals of age verification being the only way to satisfy the organic desire for protecting kids from the unfettered internet. OP gave an example that could be a compromise position that addresses the need and isn't authoritarian. Why can't you support that effort?
I can support any effort that puts the responsibility into the hands of the parent without a mechanism that advances identity verification to protect their children.
The way it stands now, this issue is being used by people in power to advance an authoritarian agenda. It's really clear to see, if you only have the will to look.
>I can support any effort that puts the responsibility into the hands of the parent without a mechanism that advances identity verification to protect their children.
Which brings us right back to what I said here[1]. We don't have to agree on the motivations behind this push. Even if you believe this is all an authoritarian conspiracy, that conspiracy could be undermined by proposals like OP's, but instead people make enemies out of these potential allies which just further empowers the people who you consider to be authoritarians. It's a failure of basic political coalition building.
I'm happy to have dialog with anyone that wants to protect children under the circumstances I already described. But if these initiatives push forward IDing people to have protection, then I'm sorry you are on the wrong side of life and are involved in making the future of our society worse. I don't see you as an enemy, more misguided than anything. I'm sure people are going to turn this into friends and enemies, but I don't look at it that way. I have to defend freedom under all circumstances. In most cases I support deontology over utilitarianism because I have seen how far we have slid in terms of being free as a people because we want to make everyone safe.
Taking away freedoms, for any reason, is not the answer. They make us less secure [0] and promote bad actors to make things worse.
>I'm happy to have dialog with anyone that wants to protect children under the circumstances I already described.
But you're ignoring my point that your dialog is actively counterproductive when you don't engage with the root of the problem.
Nowhere in here did I advocate for "taking away freedoms" or for the age verification policies as discussed in this article. The only aspect of this issue that I have argued is that there is a real organic demand from people who want help in preventing children from having unfettered access to the internet.
The reason you see me as "misguided" is because you are refusing to actually listen to what I'm saying. And then you magnify the divide with your rhetoric implying I'm out to take away your freedom. Maybe you don't look at me as an enemy, but your rhetoric and behavior is actively repellent when it could instead be welcoming as you claim to be sympathetic to the only issue I have actually advocated for here.
How am I not engaging with the root of the problem? I just see it differently than you. And that's ok. I don't think the problem is solved by id verification. This is the position I have been arguing all along and I'm not seeing how my position is getting in the way of what you are talking about.
>How am I not engaging with the root of the problem?
The root of the problem is child safety on the internet.
>I don't think the problem is solved by id verification. This is the position I have been arguing all along
I have advocated for child safety, but nowhere in any of these comments have I advocated for id verification. If you have been "arguing all along" against id verification, then you must be equating all childhood internet safety advocates with those advocating for id verification.
>I'm not seeing how my position is getting in the way of what you are talking about.
The equating of childhood safety on the internet with id verification is getting in the way. There exist compromises like the one OP suggested in the top comment in this thread that satisfy both my desire for childhood safety and your desire to prevent id verification. But instead of seeking that path of coalition building and compromise, you're actively repelling childhood safety advocates by misrepresenting their opinions and then calling them "misguided". You're making it clear that you won't be my ally when it comes to protecting kids on the internet because you're so worried about a policy for which I'm not advocating.
You asked me "How am I not engaging with...", I gave you a response, and then you refuse to engage with that response. I guess your behavior confirming my accusation is as satisfactory of an answer as I could expect from you.
The politicians that want to identify everyone capitalize on organic desire for these proposals in the form of fear-mongering and "Think of the children!"
Citizens that want these laws are unthinking drones who don't want to raise their children, and instead want legislators to do it for them.
Politicians that want these laws are the people who, ideally, want to track your every move online for a multitude of reasons, not least of which are censoring speech and controlling narratives.
Even if everything you said was true and there was a global conspiracy among the politicians, the tech crowd consistently denies and demeans these organic desires. We could cut the legs out from under these politicians if we listened to these people's concerns, considered actual solutions like OP did at the top of this thread, and turned these people into allies against those politicians. But instead we deny the actual desire to protect children and accuse them of either having ulterior motives or being sheep, turning them into permanent enemies thereby empowering those (hypothetically) conspiratorial politicians.
The public, and consumers in general often state a want or need for something that they don't actually want or that would harm their quality of life, it is correct to demean or deride these wants when they're identified, some aspects of human nature are amusing.
But there is a global conspiracy, a synchronised effort among western leaders to implement near identical solutions to this engineered "problem", the responsibility remains squarely on the shoulders of parents, I say this as a parent.
>The public, and consumers in general often state a want or need for something that they don't actually want or that would harm their quality of life, it is correct to demean or deride these wants when they're identified, some aspects of human nature are amusing.
Thank you for proving my point by doing the exact thing I said tech people do. Do you think that if you demean and deride enough people, the problem will go away?
Your lack of understanding why age verification does not constitute it being a conspiracy for another reason. There is an antiregulatory crowd that will invent any possible excuse to suggest tech companies shouldn't be accountable and we should just leave the Internet be. Those people make a lot of money exploiting everyone, as it happens, and they also pay for journalists to tell you that it's all about violating privacy or something. (The same folks will tell you opening up Android for third party AI tools would be a privacy and security risk, and not ask you to notice it would just cost Google a lot of money.)
We've been running essentially a social experiment on our kids for the past two decades and it has not gone well. Social media has had a toxic impact on kids. CSAM and child abuse are rampant, and most "privacy services" like disposable email and VPNs are the primary source. These are facts, whether you like them or not. There are, in fact, kids dying, school shootings, grooming, etc. which are all the direct result of our failure to regulate social media companies. Section 230 being the primary problem.
OS-level age verification is likely the best route, as private information can remain on a device in your control, and a browser then just needs to attest to websites whether or not the user should be allowed access, without conveying more detail. Obviously anyone with a Linux box will have ways around it, anything based in your own device will be exploitable in some way, but generally effective for the average child.
Any "verification" means unacceptable privacy violations.
The best route is better parental controls, that are not enabled by default. Locking down the OS like ransomware until the user submits to age verification is the wrong approach, and what Apple did in the UK needs to be highly illegal.
> Any "verification" means unacceptable privacy violations.
So I'm not necessarily arguing for age controls here, but purely on a technical level what do you think of schemes like Verifiable Credentials, which delegate verification to third parties that have already established your identity?
In theory you can set up a system that works like this:
1. User goes to restricted site and sets up an account
2. Site forwards them on to a verification service with a request "IsOver18?"
3. User selects their bank from a dropdown on the broker site
4. Broker forwards them to the bank, with a request "IsOver18?"
5. User logs in and selects "Sure, prove I am over 18 to this request"
6. Bank sends a signed response to the broker "Yep"
7. Broker verifies and sends its own signed response to the site "Yep"
8. The site tags the account as "Over 18 Status verified"
In this situation, the restricted site doesn't get anything other than a boolean answer from the broker. The broker can link a request to a given bank but doesn't get anything that gives away your identity. The bank knows your identity and that it has approved a request, but not necessarily where the request came from.
Verification broker tracks sites which make requests and records it attached to personal data. Site either sells or leaks personal data along with history of all sites visited which require age verification.
Also your solution requires a bank account, not something everyone has. Many do, but not all. Also the bank may not know "which" site you are visiting, but it does now know you are visiting sites which require age verification and how often.
> Verification broker tracks sites which make requests and records it attached to personal data.
How? What personal data?
The broker doesn't get anything other than "Site X wants to verify over 18, the user selected forward to Bank Y" and "Bank Y responds with TRUE"
> Also your solution requires a bank account, not something everyone has
True. Banks are only one example of an already trusted identity provider in this situation. But I get that there are gaps.
> Also the bank may not know "which" site you are visiting, but it does now know you are visiting sites which require age verification and how often.
Verification need only happen once per site, when setting up an account. This does introduce the possibility of a secondary market for approved accounts though, sure.
User installs a browser extension which forwards the request to everyoneisover18.com, owner of that site has a script set up to log into their bank and pass the verification challenge.
Restricted-site.com gets the signed response from the broker, not the bank. In your situation there's not any need for "everyoneisover18.com" to defer to a real bank for a faked response as it signs things itself.
But restricted-site.com doesn't trust everyoneisover18.com's key, it only trusts realbroker.com's key, so the response isn't accepted. If it is found to trust fake brokers like that it gets in trouble with the law.
That's why everyoneisover18.com forwards the request to my bank or my broker and gets my signature on the behalf of literally anyone. I may charge them $5 for this service.
> That's why everyoneisover18.com forwards the request to my bank or my broker
Doesn't work. The response won't be signed by real-broker.com.
The permission request/response itself goes direct from the server at restricted-site.com to the server at real-broker.com over TLS, so you can't MITM it, it's not controlled by the client and you won't be able to just pass out a cached response.
Your malicious client plugin could potentially forward the client session details to you, so you could operate the broker page, then log in to your bank's portal and approve that request, but I don't think that's going to scale very well and I imagine your bank is likely going to rate limit you.
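The eight-step exchange proposed above, together with the trusted-key and single-use checks argued over in the replies, as an added example that is not code from any commenter. All hostnames and field names are hypothetical, and HMAC with pre-shared keys stands in for real public-key signatures so the sketch needs only the standard library.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo keys. HMAC with pre-shared keys stands in for real
# signatures (an assumption made to keep this standard-library only).
BANK_BROKER_KEY = secrets.token_bytes(32)  # shared by bank and broker
BROKER_SITE_KEY = secrets.token_bytes(32)  # shared by broker and site

def _encode(payload):
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()

def sign(key, payload):
    tag = hmac.new(key, _encode(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": tag}

def verify(key, msg):
    expected = hmac.new(key, _encode(msg["payload"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(msg.get("sig", "")))

class Bank:
    name = "bank-y.example"

    def __init__(self, over_18_by_login):
        self.over_18_by_login = over_18_by_login  # constructed customer data

    def approve(self, login, bank_req):
        # Steps 5-6: the logged-in user approves; the reply holds the
        # broker's nonce and a boolean, never the login or a birthdate.
        return sign(BANK_BROKER_KEY, {
            "iss": self.name, "claim": bank_req["claim"],
            "nonce": bank_req["nonce"], "result": self.over_18_by_login[login]})

class Broker:
    name = "real-broker.example"

    def __init__(self):
        self.pending = {}  # bank-side nonce -> original site request

    def start(self, site_req):
        # Step 4: fresh nonce, so the bank sees neither site name nor site nonce.
        bank_req = {"claim": site_req["claim"], "nonce": secrets.token_hex(16)}
        self.pending[bank_req["nonce"]] = site_req
        return bank_req

    def finish(self, bank_reply):
        # Step 7: verify the bank's answer, then re-sign it for the site.
        if not verify(BANK_BROKER_KEY, bank_reply):
            return None
        site_req = self.pending.pop(bank_reply["payload"]["nonce"], None)
        if site_req is None:
            return None
        return sign(BROKER_SITE_KEY, {
            "iss": self.name, "aud": site_req["aud"],
            "claim": site_req["claim"], "nonce": site_req["nonce"],
            "result": bank_reply["payload"]["result"] is True})

class Site:
    name = "restricted-site.example"

    def __init__(self, trusted_broker_keys):
        self.trusted = trusted_broker_keys  # issuer name -> key
        self.pending = {}                   # nonce -> account awaiting proof
        self.verified = set()

    def start(self, account):
        # Step 2: ask "IsOver18?" with a single-use nonce.
        nonce = secrets.token_hex(16)
        self.pending[nonce] = account
        return {"claim": "IsOver18", "aud": self.name, "nonce": nonce}

    def accept(self, msg):
        # Step 8, with the checks argued about in the replies: the issuer
        # must be a trusted broker, and the nonce must be ours and unused.
        payload = msg["payload"]
        key = self.trusted.get(payload.get("iss"))
        if key is None or not verify(key, msg):
            return False
        if payload.get("aud") != self.name or payload.get("claim") != "IsOver18":
            return False
        account = self.pending.pop(payload.get("nonce"), None)
        if account is None or payload.get("result") is not True:
            return False
        self.verified.add(account)
        return True

def run_flow(site, broker, bank, account, login):
    site_req = site.start(account)
    bank_req = broker.start(site_req)
    response = broker.finish(bank.approve(login, bank_req))
    return bank_req, response, site.accept(response)
```

The signature and nonce checks stop a self-signed or replayed answer; they do not address a relayed live session, which is what the rate-limiting replies are about.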
real-broker opens a web page allowing them to verify somehow. The browser extension sends me their URL and cookies so I can load the same page and verify myself. All automated of course.
You could, you could also go to their house and go through the process for them, but in either case I don't think it's going to scale very well (rate-limiting would seem to be called for, maybe with 2FA as well, to mitigate this sort of thing and remove the possibilities for automation).
But sure, you could subvert it on a small scale, just as you can borrow someone else's driving license to register in 'normal' systems already. You could also register an account, validate it and then sell the login details, regardless of what proof of age scheme you use.
The point is the scheme is no worse at validation than asking for ID and it protects user privacy by keeping all ID details away from individual websites, which is the more important part IMHO.
My cellphone provider will be pleased to be paid to deliver all those 2FA text messages. Who's sending them? How are they getting paid? Maybe I'm actually my own phone company, so I get paid for delivering them to myself.
Your bank, like they have 2FA for every other access to your account. 2FA also doesn't need to be via SMS, and even when it is that's dirt cheap. Rate limits can be a couple of approvals per hour with daily limits of a small handful. Or a leaky-bucket style algorithm where you can do a few at a time, but you only get one more per hour. Whatever way it's done it precludes your large-scale automation attempt.
I tire of this now. We've entirely wandered off from "Here's a way to prove age without the privacy implications, that works just as well as handing over scans of ID"
Your bank would likely have a limit on the number of approvals it would issue over time, to stop automated exploits, sure. In theory you only need these approvals once per site on signup.
We are pre-supposing for the sake of this thread that proving you are over 18 is desirable, but that giving your ID to unknown third parties is not.
That being the case, having a rate-limit on site approvals would appear to be a relatively reasonable tradeoff to stop the system being exploited for gain by third parties like the commenter upthread.
If you don't want any of that in the first place, cool, but I'm not making an argument for it here, just saying that a system that meets these two requirements is possible.
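The per-customer approval limit described in the two comments above ("a few at a time, but you only get one more per hour", plus a daily limit), as an added example that is not code from any commenter. The burst size of 3 and daily cap of 5 are assumed values, and the bucket is implemented as a refilling integer counter.

```python
from dataclasses import dataclass, field

HOUR = 3600
DAY = 24 * HOUR


@dataclass
class ApprovalLimiter:
    """Per-customer limiter the bank consults before signing an approval."""
    burst: int = 3               # "a few at a time" (assumed value)
    refill_seconds: int = HOUR   # "one more per hour"
    daily_cap: int = 5           # "a small handful" per 24 h (assumed value)
    tokens: int = field(init=False)
    last_refill: int = 0
    granted_at: list = field(default_factory=list)

    def __post_init__(self):
        self.tokens = self.burst

    def allow(self, now):
        """now is integer seconds; True means an approval may be signed."""
        gained = (now - self.last_refill) // self.refill_seconds
        if gained > 0:
            self.tokens = min(self.burst, self.tokens + gained)
            self.last_refill += gained * self.refill_seconds
        if self.tokens == self.burst:
            self.last_refill = now  # a full bucket does not bank extra time
        # Keep only grants inside the rolling 24-hour window.
        self.granted_at = [t for t in self.granted_at if now - t < DAY]
        if self.tokens == 0 or len(self.granted_at) >= self.daily_cap:
            return False
        self.tokens -= 1
        self.granted_at.append(now)
        return True


def approvals_in_a_day(limiter, interval_seconds):
    """Approvals granted when one account asks every interval_seconds for 24 h."""
    return sum(limiter.allow(t) for t in range(0, DAY, interval_seconds))
```

One account asking once a minute for a day gets 5 approvals with these values, or 26 with the daily cap effectively removed, while a person signing up to a site or two never notices the limit.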
[Citation Needed] As I understand it, the debate on whether social media is responsible for actual harms in kids is still open and ongoing. Social media has been found to do both harm and good for kids, and for some kids the good outweighs the harms [0]. Scientists are hoping to get some verification from the actual social experiments that we're conducting in the UK and Australia on this.
Mandating OS-level age verification effectively means not allowing kids access to OSS platforms, a step way too far in my opinion. For instance, we would have to outlaw Steam Decks for kids.
[0] https://pmc.ncbi.nlm.nih.gov/articles/PMC12165459/
"Social media and technological advancements’ impact on adolescent mental health is complex. It can be both a risk factor and a valuable support system. Excessive and problematic use has been linked to increased rates of MDD, anxiety, and mood dysregulation, while also exacerbating symptoms of ADHD, bipolar disorder, and BDD. Simultaneously, digital platforms provide opportunities for social connection, peer support, and mental health management, particularly for individuals with ASD and those seeking online mental health communities. The challenge is finding a balance. Although social media offers benefits, it also poses risks like addiction, negative social comparison, cyberbullying, and impulsive online behaviors"
> Social media has been found to do both harm and good for kids, and for some kids the good outweighs the harms
Indeed. For example, the strongest evidence for harm shows that negative mental health is correlated with increasing social media use, but it's an important question of whether using social media more causes mental health problems, or mental health problems mean more social media use (or both, which would suggest a spiraling effect is important to look out for and prevent).
> Mandating OS-level age verification effectively means not allowing kids access to OSS platforms, a step way too far in my opinion. For instance, we would have to outlaw Steam Decks for kids.
This is entirely false scare tactic nonsense, and you really need to look at where you sourced that idea and no longer use them as a reference point. There isn't even a concept of a method of doing this that would make that true, and certainly not in any of the implementations being considered in the US. The federal bill is called the Parents Decide Act, if it gives you some idea where the goal in decisionmaking is supposed to be.
We have not just woefully bad parental controls, but in the name of privacy, modern platforms make it exceptionally hard to implement parental controls. What is being pushed here is largely a mandate that a system for parents to control what their kids can reach needs to exist and Internet companies need to support it.
(Steam is, FWIW, probably one of the best actors in this regard already, Steam Family is incredibly nuanced in the features and tools it gives parents. I have a lot of gripes about Steam but this is not a place they will have difficulty complying with the law. Heck, Steam is better at parental controls than Nintendo and Disney).
> There isn't even a concept of a method of doing this that would make that true, and certainly not in any of the implementations being considered in the US. The federal bill is called the Parents Decide Act, if it gives you some idea where the goal in decisionmaking is supposed to be.
The Parents Decide Act (PDA) goes considerably farther than superficially similar sounding laws like California's.
The California law requires that an OS allow the parent or guardian to associate an age or birthdate with the account when setting up a child's account on a device that will primarily be used for the child. It does not require any verification of the age information that the parent provides.
The PDA requires that the birthdate be provided for anyone who has an account on the device, and leaves much of the details up to the Federal Trade Commission to work out in the first 180 days after it is passed. The wording of the list of things the Commission is to do suggests that the OS is supposed to actually verify age information, rather than just accept whatever a parent enters when setting up the child's device and account, and that it also has to verify that it will require the birthdate of the parent and verify that.
A Steam Deck is just an Arch Linux box. There is, intentionally by design, no method of securing it against its user. Anyone with root access can change anything on it. There is no method of enforcing an age verification scheme on it in a way that cannot be removed or altered by a sufficiently bright and motivated teenager.
The conclusion from that discussion was that kids should not be allowed Steam Decks because that would provide them a way of getting around age certification.
The California bill, which is not called the Parents Decide Act, lets parents decide. The federal Parents Decide Act doesn't say whether parents can decide or not - it says a commission shall decide whether parents shall be able to decide, and we can predict what that commission will decide.
> any possible excuse to suggest tech companies shouldn't be accountable
The entire impetus for these bills is for Facebook (the sponsor of these bills) to escape liability for how they're currently harming kids. Facebook's only goal here is to be receiving headers that say the user is over 18, so they can continue business as usual under the assertion that any users must be adults.
Then you recognize that the solution definitely does not require privacy invasion, since presumably Facebook does not want actual proof because they hope teenagers will get around it.
That being said, the antiregulatory wonks are not all working for Facebook, and some are indeed manifestly just always opposed to any regulation at all no matter what harm is occurring.
Bear in mind the alternative: Things like Discord collecting personal data to do verification at the website level. A push for a simple "user is over 18" header is incredibly preferable from a privacy standpoint and parents being able to control and monitor it themselves.
This legislation does not require it out of the gate, but it sets up the precedent and the incentives such that it will eventually be required down the line. That's the problem with anything that gives more power, and the expectation of even more power, to the server (ie to big tech).
FWIW I personally would be supportive of legislation where the data flow went the proper way of server->client, for the user-agent to decide. Consider: Any website over a certain size must publish an appropriate set of well known tags asserting whether its content is suitable for kids of certain ages, has social aspects, the type of content, etc. Any device preloaded with an operating system over a certain marketshare must include parental control software that uses tags, as an option in the set up flow. The parental control software "fails closed" and doesn't display websites without tags. The long tails of the open web, bespoke devices, new OSes, etc remain completely unaffected.
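A client-side, fail-closed filter of the kind proposed above and in the earlier comment about RTA headers, as an added example that is not code from any commenter. The `Content-Tags` header and its `min-age` / `social` / `content` vocabulary are hypothetical, and the RTA label is assumed to arrive in a `Rating` response header.

```python
from dataclasses import dataclass, field

RTA_LABEL = "RTA-5042-1996-1400-1577-RTA"  # the published RTA label string
TAG_HEADER = "content-tags"  # hypothetical, e.g. "min-age=13; social=yes; content=games"


@dataclass
class ParentPolicy:
    """Chosen by the parent on the device; nothing here is sent to the server."""
    child_age: int
    allow_social: bool = False
    blocked_content: set = field(default_factory=set)


def parse_tags(value):
    """Return a dict of tags, or None if any part is malformed."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, val = part.partition("=")
        if not sep or not key.strip() or not val.strip():
            return None
        tags[key.strip().lower()] = val.strip().lower()
    return tags


def decide(headers, policy):
    """Return (allowed, reason) for one response. Anything unknown is blocked."""
    h = {k.lower(): v for k, v in headers.items()}
    if RTA_LABEL in h.get("rating", ""):
        return False, "RTA label present"
    if TAG_HEADER not in h:
        return False, "no tags published (fail closed)"
    tags = parse_tags(h[TAG_HEADER])
    min_age = (tags or {}).get("min-age", "")
    if tags is None or not (min_age.isascii() and min_age.isdigit()):
        return False, "tags malformed (fail closed)"
    if int(min_age) > policy.child_age:
        return False, "site minimum age is above the child's age"
    # A missing "social" tag is treated as "yes": the unknown case is blocked.
    if tags.get("social", "yes") != "no" and not policy.allow_social:
        return False, "social features not allowed by parent"
    if tags.get("content") in policy.blocked_content:
        return False, "content type blocked by parent"
    return True, "allowed by parent policy"
```

A site that tags itself as suitable for 13-year-olds but social is still blocked for a 14-year-old whose parent left `allow_social` off, which is the "Facebook4Kidz" case from earlier in the thread.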