Oh nice! I’ve been wanting to ask someone of your age, how was the Middle Miocene Climate Optimum?
The climate was optimal. Everything else was kinda mid tbh.
It being Linux those would obviously be seconds so they are roughly half a year old.
Unless it represents seconds since the epoch which would make it a birthday - May 31st 1970.
It's designed for parents to enact parental controls on their children. If you're root, you're the parent. Obviously root can turn off parental controls.
I wouldn't be so sure, I think the ultimate goal is to link your network activity to your government id, just like the way it's done in China. So the only root left is the government basically.
The whole point of the California/Colorado laws is to provide an alternative to that. The whole point is that it provides a privacy preserving way to provide a signal about whether someone is in a particular age bracket, without requiring any kind of third party ID verification.
I am so puzzled by everyone who objects so strongly to these operating system based opt in systems; all it does is provide for a way for a parent to indicate the age of a child's account, and an API for apps and browsers to get that information. If you're the owner/admin of a system, you get to set that information however you want, and it's required that it only provides ranges and not specific birthdays in order to be privacy preserving.
I had the same reaction as you this entire time until half an hour ago when I saw the second link in this comment: https://news.ycombinator.com/item?id=47382650
Meta being behind all of these efforts makes it incredibly suspicious, especially given the New York law is ridiculously more invasive than the California one. It sure makes it seem like there's likely a larger plan here that this is merely facilitating.
So I don't think I can still buy it at face value that California's version is a good-faith attempt to balance privacy and child safety, even if that's what it is in the eyes of the legislature, given who's actually behind it and what else they've been pushing for.
The larger plan is probably to avoid banning social media for under-18s
Or get another source of demographic data and suppress smaller competitors who can't comply with onerous regulation.
I don't see how this regulation is onerous or hard to comply with.
Having age verification in every operating system? I think it is onerous. Imagine you need to update every embedded system because your wise lawmakers made it a crime to run any code that does not include age verification API.
Probably both.
Just because Facebook supports it doesn't mean it's bad. They may not support it for the same reasons, they probably just don't want the cost and liability of doing identity verification themselves and so want to make sure all of the cost and liability is on the OS vendor.
Yes, the New York proposed law is far worse, and we absolutely should be pushing back against that. And Facebook doesn't care, because they only care about moving the liability onto the OS vendor, not on actual privacy.
But still, just because this was supported by Facebook doesn't make it bad. Sure, Facebook doesn't care about privacy, but they do care about not being liable for this, and in this case, they're right, it is actually much more efficient to centralize this function in the OS, and it happens that that way it can be done in a privacy preserving way as California's law shows.
> Just because Facebook supports it doesn't mean it's bad.
I didn't say just because Facebook supports a law that it makes it bad.
I said the fact that Facebook has been lobbying for such legislation across a ton of jurisdictions, that makes it suspicious.
I stand by that. This is suspicious, whether it's ultimately bad or good.
It doesn't make sense to move this function to the OS because so long as the OS remains under the user's control, any signal from the OS has no value because the OS reports whatever the user wants it to report.
At any rate, why legislate operating systems when all of the harm comes not from computers themselves but rather from certain websites? And there are already mature solutions for controlling access to specific websites. Client-side parental controls for internet access have existed for decades, dating back to Surfwatch from the Win95 era. A credit card requirement would also effectively impose an age filter.
The law acknowledges that. It doesn't require actual verification. That's why people are saying it's just a parental controls law and not an ID verification law.
> Just because Facebook supports it doesn't mean it's bad.
It definitely makes it more deserving of a closer look. I think that's undeniable.
> I am so puzzled by everyone who objects so strongly to these operating system based opt in systems
The government legislating APIs is an uncomfortable precedent given the culture wars that are raging right now. There seems little reason to expect this will stop here.
They are not legislating specific APIs. They are legislating that an API has to be provided, just like other laws legislate that you have to provide accessibility APIs, but the details of the APIs are left up to the companies.
I work in aviation, a highly regulated field. And that's a good thing. It does take some work to regulate well; there has been a migration in aviation to more prescriptive regulation about how things need to be, to less prescriptive like what the ultimate performance needs to be. But yeah, the aviation regulations aren't that you have to implement something a specific way, but that you have to be able to show that your aircraft has no more than a certain probability of catastrophic failure (where the probability varies based on certain things like the size and type of aircraft).
For this age verification law, all that is required is that there is an API provided for this purpose, and there is a way for the owner of the machine to set up user accounts with age information indicated, and that the APIs need to provide several rough age ranges, not specific birthdays.
Years later: "The current measures are a step in the right direction, but we have found them insufficient. We are now requiring the use of this specific proprietary binary blob for any action related to the verification process. It will conveniently run as a daemon so its exposed API will be accessible to any application that needs to query it, and it will automatically update itself so you don't have to worry about it, just set it up once and forget about it."
It might also include some additional text like "we have decided to collaborate with systemd to integrate this proprietary binary blob, to maximize the reach and eliminate any pains in the setup process caused by the vibrant ecosystem of package managers, while at the same time avoiding disrupting the development process of the Linux kernel".
Slippery slope fallacy.
We shouldn't object to a reasonable law just because it might, theoretically, pave the way to an unreasonable law.
In fact, this is put in place as an alternative to the kind of law being enacted elsewhere, right now, which is much worse; the ones requiring ID based verification for accessing many online services. This one provides an alternative solution, which is far more privacy preserving, and leaves all of the actual power in the hands of the owner of the computer.
Shit like this is why I run Gentoo on the desktop, OpenBSD on the server.
If you were a real one you would run BSD on the desktop and Gentoo on the server
Linux runs faster and has recent GPU drivers. OpenBSD is reliable and has useful server stuff in base.
What does "the government legislating APIs" mean? The ADA means every OS has to support screen readers.
BS. Does TempleOS support it? What about Plan9? MenuetOS?
Are these illegal operating systems?
Either you or someone else mentioned this talking point the other day, I asked for even a single example of an OS maker being sued over this successfully, and I got nothing.
I believe those are illegal because they violate the ADA.
I'm confused. What's the age definition of child? 12, 15, 18? Does this mean it's against the law for children to install an operating system? What is the penalty for a child doing this and putting the wrong age or just doing it at all? What is the penalty for a parent or guardian of the child that does this? What happens to the parent or child if the child circumvents this control? Will child services be involved? Criminal penalties? Of course the only way to know an adult is the administrator is to tie the user's government ID to the account. Could this be done in some zero knowledge anonymous way? Sure, but I don't think it's likely. This seems to be the thin end of yet another wedge. The trend seems to be that we should be identified and surveilled every moment of our lives. The question is who does this surveillance serve? How much access do you have to your government or employer's data or advertisers or educators or ...? How does their access serve you?
Here's the law: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...
It requires that operating systems provide a way, at account setup, to specify the age or birthdate of a user, and provides an API for indicating which age range the user falls in (under 13, 13 to 16, 16 to 18, or over 18) to an application, so the application can use that information to comply with any laws or regulations relating to the age of the user.
It doesn't make any requirement that the parent actually truthfully put that information in. It doesn't require that anyone verify the information. It doesn't provide for any requirement that a child not set up a user themselves. It explicitly calls out that there is no liability on any of the parties if one user uses a computer under another user's account.
So all it's doing is saying that there must be a reasonably accessible mechanism for a parent to indicate a child's age so that rough information about which age range the child is in can be provided.
Now, is it perfect? No.
It does seem a bit over broad as there are lots of things which would be classified as computers under this, like routers, smart TVs, graphing calculators, cars, etc. Having to provide account setup with age and an API to access it in all of these environments could be a bit of a lift in the time frame given. And it doesn't leave a lot of time for something like standardization of Unix APIs between operating systems, so for systems not running graphical environments I'm sure we're going to get a bunch of different solutions from different OSes as everyone sticks it in a different place and provides a different way to access it. And this would need to be a new feature added into long-term supported maintenance releases of operating systems.
So yeah, could it have been done better? Yes. Is it likely that they are actually going to fine OpenWRT developers if they don't implement this? I doubt it; it's pretty clear that the legislative intent is desktop and phone OSes, and other mass market consumer oriented devices that might offer app stores.
So yeah, I see some issues, but overall this seems like the right way to do things; just provide a way for parents to set an age on their children's account, and then provide that to any apps that might need to do age verification. That's it.
You put a lot of effort into understanding it. Will Docker images need API passthrough? Will Debian need to solve its location for the purposes of deciding its legal exposure?
I don’t see why we should burden OSes this way. An App Store does all that better.
That's a very long list of questions, most of which you wouldn't need to ask if you spent ten minutes reading the law. And the rhetorical point you seem to be working toward is much less effective when more than half of those questions evaporate.
> I am so puzzled by ...
Because it's inverted. If it's opt in on the parent's part anyway then there's no reason to send additional information along with the request. The service should rather send additional information about content categorization alongside the response.
So what reasons can you imagine for it to be designed in such an obviously unnecessary way?
That design would require websites to have separate sections per age bracket.
No more or less than sending age information or registering an ID does. In all cases they must track content classification at some granularity (individual resource, single page, subdomain, some other scheme) and act on that information. The only thing that varies is how they act.
Yes, when it's client-sent they can hide classified parts of the page. When it's server-sent you either mark the whole website 18+ or you hide 18+ content for everyone.
You're just making things up. There's no technical reason a header based solution can't be granular. It could also specify alternative resources similar to how multiple image resolutions are handled today. It all depends on what is standardized.
Right now the only one I'm aware of is RTA which theoretically applies on a per-request basis although I expect that approximately all present usage is uniform site wide.
If you can redirect based on over18 every site will do that to learn the same information as if the client just sent it, but slower.
If such a feature were specified then a site would merely have the option of providing alternatives. In the event that it did, whether or not to follow such redirects would be entirely up to the client.
Such a system is clearly the technically superior solution. It regulates the provider as opposed to the client, forcing the market to provide a workable solution for concerned parties while the client maintains complete control over how things are handled. It further steers well clear of any slippery slopes by not mandating the broadcast or collection of personal information.
Perhaps important from a liability perspective, it places the onus on the client as opposed to these latest attempts to shift it squarely onto the service provider. Right now the legality of serving content across jurisdictional boundaries is extremely convoluted. With ID or age reporting laws it clearly becomes the service provider's responsibility. In contrast, a mandatory metadata standard for classification would create a situation in which it is clear that the legal responsibility (if any) to appropriately configure filters falls to the client.
Of course such a solution would be of no help to the anti-porn and pro-surveillance lobbies. That's the entire point.
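Added example, not part of the thread: a sketch of the client-side model argued for in the comments above, where the server labels the response and the locally configured age bracket is never sent. The RTA label string and its `Rating` header/meta tag follow the published RTA convention; the `X-Example-Content-Bracket` header, the inclusive lower bounds on the brackets, the function names and the sample responses are assumptions made for illustration.

```javascript
"use strict";
// Added illustration: filter on a server-sent label; the age bracket stays local.

// Published RTA ("Restricted To Adults") label, sent as a `Rating` header or meta tag.
const RTA_LABEL = "RTA-5042-1996-1400-1577-RTA";
// HYPOTHETICAL granular header; the thread notes no such standard exists today.
const BRACKET_HEADER = "x-example-content-bracket";
// Brackets quoted in the thread, ordered from least to most permissive.
const BRACKETS = ["under13", "13to16", "16to18", "over18"];

// Reduce a birth date to a coarse bracket. ASSUMPTION: lower bounds are inclusive.
function ageBracket(birthDate, now) {
  let age = now.getUTCFullYear() - birthDate.getUTCFullYear();
  const monthDiff = now.getUTCMonth() - birthDate.getUTCMonth();
  if (monthDiff < 0 || (monthDiff === 0 && now.getUTCDate() < birthDate.getUTCDate())) {
    age -= 1; // birthday not yet reached this year
  }
  if (age < 13) return "under13";
  if (age < 16) return "13to16";
  if (age < 18) return "16to18";
  return "over18";
}

// Minimum bracket the response demands, or null when it carries no label at all.
function requiredBracket(response) {
  const headers = {};
  for (const [name, value] of Object.entries(response.headers || {})) {
    headers[name.toLowerCase()] = String(value).trim(); // header names are case-insensitive
  }
  const meta = /<meta\s+name=["']rating["']\s+content=["']([^"']+)["']/i
    .exec(response.body || "");
  if (headers["rating"] === RTA_LABEL || (meta && meta[1].trim() === RTA_LABEL)) {
    return "over18";
  }
  if (BRACKET_HEADER in headers) {
    // A malformed value fails closed to the most restrictive reading.
    const value = headers[BRACKET_HEADER];
    return BRACKETS.includes(value) ? value : "over18";
  }
  return null;
}

// The decision is made entirely on the client; nothing about the user is transmitted.
// policy.unlabeled decides what happens when the provider sent no label.
function decide(localBracket, response, policy = { unlabeled: "allow" }) {
  if (!BRACKETS.includes(localBracket)) {
    throw new RangeError("unknown bracket: " + localBracket);
  }
  const need = requiredBracket(response);
  if (need === null) {
    return { allow: policy.unlabeled === "allow", reason: "unlabeled" };
  }
  const allow = BRACKETS.indexOf(localBracket) >= BRACKETS.indexOf(need);
  return { allow, reason: "requires " + need };
}

// Constructed sample responses (not captured traffic).
const samples = {
  rtaHeader: { headers: { Rating: RTA_LABEL }, body: "" },
  rtaMeta: { headers: {}, body: '<meta name="RATING" content="' + RTA_LABEL + '" />' },
  granular: { headers: { "X-Example-Content-Bracket": "16to18" }, body: "" },
  malformed: { headers: { "X-Example-Content-Bracket": "banana" }, body: "" },
  unlabeled: { headers: { "Content-Type": "text/html" }, body: "<p>hello</p>" },
};

// Bracket configured locally by whoever administers the account.
const local = ageBracket(new Date(Date.UTC(2012, 5, 15)), new Date(Date.UTC(2026, 0, 1)));
for (const [name, response] of Object.entries(samples)) {
  const verdict = decide(local, response);
  console.log(name.padEnd(10), verdict.allow ? "allow" : "block", "(" + verdict.reason + ")");
}
```

The `unlabeled` case is where this model depends on providers actually labelling content, which is why the comment above talks about a mandatory metadata standard.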
So we're back to every website having a link to the over18 version of itself
This holds true until you pass to the next age bracket for the first time.
Well I think the goal is to link it with hackernews account such that ycombinator can accurately measure how many of their startups you're interacting with.
Are we talking about what actually happened, or are we talking about doomsday fantasies?
we are talking about doomsday fantasies and equating them to doomsday fantasies about what is supposedly happening in china
pocksuppet, please do tell us how it feels to be birthed by Google and Apple?
or do you have root on your iPhone?