>"Age verification" means that everyone who does anything online will have to submit to fine-grained tracking and recording of all their online activities.
its been said 1000 times here, but: age verification doesn't have to be a nightmare dystopia of 24/7 fine-grained tracking and recording unless you are somehow hoping to achieve 100% success rate (something we have not done with any other law ever). there are several reasonable proposals that would be 90%+ successful without stepping on anyone's toes.
i am convinced that enough people in power know it, too, but see this as their chance to get the full-dystopia version rolled out.
Could you be more specific as to what you're imagining? I don't personally see a way to verify someone's age which doesn't involve either credit card verification, photo id verification, or some sort of facial recognition. If you know enough about someone to verify their age—even to a relatively low degree of accuracy—you probably know enough to pinpoint who they are in general.
Heck—in most cases, we can't even tell the difference between humans and bots anymore! And it's true that we basically accept that some bots will slip through the cracks—but identifying bots also strikes me as significantly easier than identifying children.
The way identity wallets work:
The government issues an eID to your wallet. The ID is signed by the government and linked to the device to prevent transferring the credential. A public/private key-pair is generated by the secure enclave in your phone, the public key along with proof of possession of the private key is included in the request for the government eID. The government signs individual attributes combined with the public key with the government private key. The government certificate containing the public key is, well, public.
One of the attributes is ‘over_18’ (In the EU eID scheme countries can add other over_XX attributes if they want, but over_18 is mandatory).
When a website wants to requests attributes, in this case the over_18 attribute, they send a request to the user’s wallet app, including a challenge. The wallet sends back a package including the government-signed attribute, which contains the device public key and the over_18 attribute plus a response to the challenge (proving the credential didn’t get transferred).
The website only sees the ‘over_18’ attribute, which is backed by the government signature. They don’t see any other attributes (the wallet app shows in advance which attributes you are sharing). The government never sees which website wants to know if you’re 18+.
Of course this is all a bit simplified, check OIDC4VCI and OIDC4VP for details.
The only real issue is the wallet app and device binding. Because a compromised device could allow credentials to be transferred some form of attestation of device and wallet app is required. In practice this means no rooted/jailbroken phones.
> The website only sees the ‘over_18’ attribute, which is backed by the government signature
Not true. The device's public key is also sent, which functions as a stable device identifier.
We've spent years trying to get away from stable tracking IDs and fingerprinting. Returning to a system where devices are sending a stable ID to a website to prove ownership is a step backward.
There are proposed mitigations like issuing multiple sets of credentials or rotating them, but we're not going to get an infinite number of keypairs for every website or session in the secure enclave in practice.
Another reason why these proposals aren't getting much uptake is that they aren't addressing what the lawmakers are pursuing: They don't want anonymous authorization tied to the device. They want IDs tied to accounts and a way to discourage people from sharing IDs. In the anonymous systems it only takes one person a few minutes to put an over-18 identity into a device and there's no way to determine if someone is abusing the system by stealing IDs or if someone's 18 year old brother is setting up all of their younger brothers' phones for $5 each.
The situation gets stickier when you acknowledge that it's not possible to limit all of these websites to only mobile phone devices with secure enclaves that are not jailbroken. Once you open a door to desktop devices and other OSes accessing these sites, you open the door to replaying and proxying attacks, where someone will produce those `over_18` attestations on-demand for you, possibly for a minimal price. This brings us back to the public stable identifier to discourage fraud, which means governments won't be happy to issue as many keypairs as we want, which means we're back to semi-stable fingerprints.
> Not true. The device's public key is also sent, which functions as a stable device identifier.
This is covered by allowing for single-use credentials. IIRC the EU personal IDs will use this. Basically, the wallet requests a batch of single-use eIDs that all use different device key-pairs. Each credential is only used for one request and then deleted. The wallet will automatically request new credentials in batches when they run out. The old key-pairs are deleted along with the credential so you don’t run out of space in the secure enclave.
> Another reason why these proposals aren't getting much uptake
I’m not sure what you mean by not much uptake, EU countries are required to issue and accept them for official business by the end of 2026
There are schemes where you don't need key pairs for each user (assuming the government has some way of authenticating users). Private State Tokens use blinded tokens for this.
It doesn't prevent tokens from being stolen or sold, but the token issuer only accepts each token once and can limit the rate that tokens are issued and control how fast they expire, giving decent control over how practical using stolen or sold tokens are.
> In practice this means no rooted/jailbroken phones.
Personally - this is less acceptable to me than just having the site collect my image/id.
I'd support just putting the id in a dedicated device (ex - gov issues smart key) or just accepting that sometimes people will share id info (just like... physical ids).
It doesn't even close all the doors to transferring ids - since I can still just hand someone a phone (just like... physical ids).
If you use physical ids to verify your identity, they normally verify that your face matches the image on the id, no? That’s not possible for web id.
My experience has been that absolutely no one cares, as long as they could be construed to be "somewhat similar".
Ex - People change hair color, lose a boat load of weight, wear eye-color changing contacts, drastically change hair styles (facial and normal) etc...
No one bats an eye at an ID that "only sorta vaguely resembles you" outside of a very limited subset of places (the only one I can actually think of is Customs while traveling).
---
So my take is that as long as the gender appears similar and the ethnicity seems "close enough"... the store is still going to sell you alcohol, the bar is going to let you in, and the movie theater is going to sell you tickets.
Doppelgängers Don’t Just Look Alike—They Also Share DNA
https://www.smithsonianmag.com/smart-news/doppelgangers-dont...
Yeah, but being able to share Id with someone who happens to look eerily like you is different from just handing people your ID and they are able to use it like it was implied. That’s not how IDs are used.
> The only real issue is the wallet app and device binding. Because a compromised device could allow credentials to be transferred some form of attestation of device and wallet app is required. In practice this means no rooted/jailbroken phones.
Yeah, and no Linux PCs, no custom builds of web browsers (which would effectively become open source in theory only)—basically the end of any kind of open platform. I would much rather just scan my ID!
Oh you know it would be both not either.
If you are referring to EUID (not fully sure as you said EU eID, i dont know if you are referring the estonia of eID like system)
I have to mention that EUID is not private, since there's "provider" element which informs website if you are 18 or not. The flow is:
1) You scan QR code 2) Your EUDI wallet does verification, informs provider to tell you are 18+ 3) Provider informs website you are 18+
The EUID draft doesnt mention tech like ohttp for anonymizing requests. So there's risk of provider keeping track of who you are. So while everybody claims its fully anonymous which is just false. Government could ask website/service for the token or account information then use timestamp or token then combining with "provider" logs, your identity will be exposed.
EUID has another problem which is letting all countries implement system, which is wasteful duplication effort so this probably will be outsourced and to same company to reduce duplication efforts. Then it'll be centralized and they happen be collecting telemetry data for "experience improvements" as everysite out there do.
I haven't even mentioned biggest problems like requiring attestation Apple/Google. While spec doesn't require it, but the likehood country's app requiring it will be very high.
> A public/private key-pair is generated by the secure enclave in your phone
This is completely unacceptable. In practice, this solution means a locked down device, probably controlled by Google or Apple.
The Internet has existed without identity or age verification for more than 30 years, and there is no reason to change that.
The government still gets to know what you're doing online. How is that privacy?
Nope they don't. That's the whole point of privacy-preserving age verification.
Technically it is possible. The complaint that people have is that they don't trust that any government will get it right. But it is technically possible with known cryptography.
Which part of that is avoiding the distopian control?
the very first line, government issued digital id - we have been avoiding that for a very long time
how does this work on an open source operating system?
The ID is signed by the government and linked to the device to prevent transferring the credential. A public/private key-pair is generated by the secure enclave in your phone, the public key along with proof of possession of the private key is included in the request for the government eID.
IMO, there are two other issues that need to be solved. The major one is that there should be some way to do attestation of devices that are not Google-certified Android or iOS. If this does not happen, the smartphone duopoly is permanently entrenched and not a fair/free market anymore. There is no way to use a smartphone without basically losing your privacy to Google/Apple and given the increasing importance of online services it's becoming increasingly impossible to live without a smartphone.
It was very disheartening that the EU reference implementation was rolled out with only Play Integrity and Apple's counterpart. IMO, this should have been solved before the reference implementation was rolled out to member countries, because many of them won't bother to go beyond that [1]. It is also completely counterproductive when it comes to EU tech sovereignty. There is a group of pioneers that are growing the sovereign ecosystems and then you cut them off.
The second, perhaps lesser, problem is that the security story is not super strong, because most Android phones do not even have a secure enclave (outside Pixel and Samsung flagships/A5x, there are very few). Instead they rely on TrustZone etc. which are regularly targeted by side-channel attacks, etc. Ironically, GrapheneOS is cut off from most of these systems (because Google Play Integrity), while it actually requires a secure enclave and is more secure than... well I guess every other smartphone.
[1] There is some hope, e.g. the developers of the Dutch identity wallet acknowledge the issue and are open to supporting alternative systems.
Couldn't the public key be used as an identifier for tracking?
How does this work without a phone? I do 99% of my computer work, like now, not on a phone.
Do regular desktop and laptop computers have the same secure enclave feature?
>The government issues an eID to your wallet
So people in dubious legal circumstances are locked out the internet?
What about at the device level?
“You must be this tall to ride this ride”
“ you must be 18 to own an iPhone 18+ “
I apologize for the drive-by question, and I appreciate your takes!
This would run into the same deal as VINs in the real world being tied to licenses, or serial numbers to guns. But the car equivalent of VMs/open hardware/custom firmware (imagine a $7 pi zero flashed with lineageOS “overage phone”) then becomes equivalent to a gun without a serial number, and suddenly open source/hardware people are felons and there is insane amount of control on hardware and software like it’s 1982.
This assumes that the government would be able to verify independently a phone serial number so that people’s IDs aren’t leaked. If not, then you’re back to the same thing as before since “drivers licenses” are stored by sites and shared around with advertisers
There is no real practical difference between ‘attested devices’ and scanning ID…
> which contains the device public key
And there it is.
So now I have to have a mobile phone?
And one you don't fully own/control. Fully owned devices will be unsupported, obviously.
Sounds like what a government issued card should be used for, which seems fine
I feel the idea of public key encryption could be done without a phone but the device locking makes it harder to transfer the token off device. Like the parent comment said, I think 90% is all we can aim for. Nothing is going to be perfect.
Could probably be implemented by a smartcard or yubikey-like device as well. Shoot, just build it into my state issued ID card.
Do you know how hard it was to get RealID rolled out?
And now you're going to tell every state to do it again, but this time it's got a chip in it so "just trust the government, man".
This will go well.
It will go fine, because everything you want to do will require it. Even if you don't strictly have to, you will be effectively ostracized. Transit, entertainment, productivity tools. Haven't you noticed that things that have previously been easy to do are much harder now, even before this has rolled out? Like providing a government ID to visit a museum, for example. Or getting an email address. Using claude.
Identity wallets can be made to work anywhere.
You can have an ID card. Just like for buying alcohol and cigarettes.
Secure Enclave on a mobile phone, or an NFC smart card both work fine. It could be your passport, drivers license, national ID, whatever.
A lot of these age verifications things have to do with "protecting children". If that's the end goal we don't really need to verify anyone's age. Apple/Google, any smart phone maker, should be forced to add proper parental controls.
Parents should be able to control what apps can be used, what websites can be viewed, who the phone is able to contact.
That doesn't require knowing my age, or anyone else's.
Also, as an iOS developer, it's not my job to parent your child. The age ratings are clear on the app store, if you give your child unrestricted access to a phone that's on you, not me. If the OS doesn't have proper controls that's on Apple/Android, again, not my fault and not something I should be forced to police.
Thanks to Texas, I can see roughly how old your kid is. I'm not supposed to keep that information though. ;) I'm sure everyone who makes app will comply with that and not use that information for any other purposes and you can bet Texas has the means to audit every app on the app store to make sure that they're complying. lol
>Could you be more specific as to what you're imagining?
sure, i'll put my favorite two. though you'll find much more detailed and thought-out versions of these (and others) in the dozens of other giant threads on the same topic.
- buy a card with a UUID from anywhere that sells alcohol/tobacco that is valid for some period of time. most people are comfortable with flashing their ID at the clerk. the UUID card is non-identifying.
- websites issue content tags, browsers consume them, you enter your age into the OS during setup.
> buy a card with a UUID from anywhere that sells alcohol/tobacco that is valid for some period of time. most people are comfortable with flashing their ID at the clerk. the UUID card is non-identifying.
This could be a good system if it's set up right. There's still some risk of being tracked if it isn't though. IDs could be linked to the cards at the time of purchase if retailers scan the drivers license, then scan the card creating a record that card #XXXXX was purchased using driver's license # XXXXX
Even if retailers aren't scanning the drivers licenses and collecting data that way, the cards and codes on those cards can be tracked and traceable to a retailer. That's how things like calling cards have been tracked. Say for example someone uses the code on a card to access a website, the police can match the code that was used to the serial number of the card, look up which retailer that card was sold at, and can then access security camera footage at that retailer to identify who bought the card from that location. This would also let them passively generate lists of IP addresses/device IDs matched to websites and specific retail locations over time.
> buy a card with a UUID from anywhere that sells alcohol/tobacco that is valid for some period of time
Why should I pay continuously to prove I'm an adult? And those cards will be getting sold to kids faster than you can blink. I bet a lot of parents would buy them for their kids.
>And those cards will be getting sold to kids faster than you can blink.
there's a reason i said 90% and not 100% effective. alcohol and tobacco get resold to kids, too.
What makes you think this will be close to 90%? Unless these cards are expensive I don't see that happening.
>What makes you think this will be close to 90%? Unless these cards are expensive I don't see that happening.
its obviously just an illustrative guess. but if the penalty of possessing the card is similar to underage possession of alcohol/tobacco, and larger penalties if a store/person is found providing a card to someone underage, i see no reason why it wouldnt have a similar success rate as alcohol/tobacco.
Why possess the card when you can just buy the UUID on the dark web
If they have access to the "dark web" they can already do anything that requires age verification there. In the same way you expect that the rule to "not sell UUIDs" wouldn't be respected there, I wouldn't expect other age-verification rules to be respected, no matter the verification method.
Well, it's rather harder to sell bottles of beer on the dark web than short text strings.
That is true, it is harder, although AFAIK people do sell all kinds of illegal things there.
sure? i feel like i need to reemphasize the "not going for 100% effectiveness" thing again.
hopefully some parent steps in if their kid is on the dark web trying to make purchases with their parent's credit card.
Well, yeah, I would just give them my code.
Why buy a UUID when you can just get porn on the dark web
Kids can buy drugs on the dark web too.
> I bet a lot of parents would buy them for their kids.
Good. I should be able to make judgement calls about what my children can or can’t access outside of school.
It’s better if they do it under my supervision than against my back, aided by a predator whose only moat is lending their ID, or their face.
> I bet a lot of parents would buy them for their kids.
That changes the default from "anyone can do anything" to "gotta ask parents". Defaults matter at scale. It adds friction.
Why should you pay for an internet connection, or a computing device with a screen? This isn't a serious counterargument.
Because those things cost money to make and to maintain, whereas there's no intrinsic cost to prove one is an adult.
Yes there is.
You need to pay for a drivers license or a passport and so on. So there is an intrinsic cost to prove who you are where you are from and what your birthday is already.
You have to pay for all sorts of small things to participate in normal society. This isn't a serious criticism.
By definition this is not a life critical thing, it's something that is procured in order to access specific services on the internet, which is not free.
>You need to pay for a drivers license or a passport and so on.
I have a government ID and I didn't pay for it. I can use it to travel to nearby countries in lieu of a passport. The assumption that IDs are necessarily non-free (to the issuee) is pretty funny to me.
>it's something that is procured in order to access specific services on the internet, which is not free.
The maintenance of the Internet is already paid for through ISP contracts.
I mean, if you really want to make the government subsidize an ID verification scheme or mandate that certain real-world locations provide age verification as a social service for everyone, that's fine.
It's orthogonal to the discussion, though, which is about whether we should do it or not, because the costs here aren't significant and don't change the terms of the debate.
I'm personally in favor of just banning children off the Internet, but I don't agree it's orthogonal to the discussion. What I replied to was the implication that someone should pay a recurring cost to prove they're an adult for the same reason that they pay to own a computer or to connect to the Internet. Don't disown the dumb thing you said.
I'm not disowning it at all. I think paying a recurring cost to prove you're an adult for purposes of accessing the internet is completely fine, trivial, and unimportant.
You have to pay a cost to go out in public, since there are nudity laws. You have to pay a cost to use an airport or a train station. You have to pay a fee to prove that you own a car. And so on.
It just doesn't matter. It's not important. It's consistent with how we organize our society in general, which makes focusing on it in this one particular instance more understandable as an attempt to distract from the substantive merits of these arguments about age verification.
>I think paying a recurring cost to prove you're an adult for purposes of accessing the internet is completely fine, trivial, and unimportant.
Okay, but the person you replied to doesn't, and instead of providing an actual answer to their question, you posed a false equivalence between proving your age and buying a computer.
>You have to pay a cost to go out in public, since there are nudity laws. You have to pay a cost to use an airport or a train station. You have to pay a fee to prove that you own a car. And so on.
You are purposefully muddying the waters by being lax with your use of language. The "cost" you "pay" by wearing appropriate attire in public is fundamentally different from the actual cost you actually pay when you engage in commerce; one is a trade of freedoms and the other is a trade of goods and/or services. If your argument is that the freedom you have to trade in exchange for the freedom to access the Internet, is that of not having to show an ID, that's one thing. If you also have to add a recurring monetary cost then that's another.
If you don't have an answer to the question of why someone should have to pay again to use the Internet beyond "*shrug* just 'cause, dude. Who cares?", then maybe you shouldn't have said anything.
> If you don't have an answer to the question of why someone should have to pay again to use the Internet
Of course I have an answer. To do something about the unlimited firehose of porn, violence, divisive, and addictive content that has been pointed at children for the past generation or so.
There's literally nothing confusing about the "why" in this discussion.
The fact that bad people use the "what about the children" argument regularly for bad reasons doesn't mean that all such arguments are bogus.
In fact, it's an indication of exactly the opposite, it's so regularly used because there is a broad consensus that we need to protect children from harm which is why it's often effective as an arguing tool.
The relevant frame for this discussion is will it actually work, and what are the tradeoffs. A trivially small amount of money for a simple age verification scheme isn't a particularly meaningful tradeoff against a genuine social problem. The bigger, more genuine issues are around privacy and censorship and I do in fact concede those are real.
>To do something about the unlimited firehose of porn, violence, divisive, and addictive content that has been pointed at children for the past generation or so.
See, you've answered a different question. The question you answered is, "why should children be protected from the Internet?" I'll give you for free that children should be protected from the Internet, for the reasons you've said, and now you get to convince me that I, who don't have or plan to have children, should spend my money to protect other people's children from the Internet.
> UUID card is non-identifying.
Kids aren't going to trade Pokemon cards in the playground anymore...
Well, they could trade identifying ones too or even stollen ID cards if you want to go this way.
They could also trade porn-filled thumb drive or old-school glossy paper magazine. There no way to prevent kid's exposure to stuff at a 100% success rate.
There no way to avoid exposure completely
Indeed but you are the one who claimed it was not a hard problem.
I don't think any one of us pushing back here on those claims do so for the heck of NOT finding a "solution", rather genuinely asking because so far it seems nobody did find such a solution without compromises that is in the end not worth it due to the flaw in said solution.
The point isn't to be critical of your process, only of the claim that it's a trivial problem.
> Indeed but you are the one who claimed it was not a hard problem.
Am I ?
I'm just left wondering, how would that be different than buying a phone? Most kids also don't have money to spend on devices, that's all coming from adults, how would the UUID work any different? In my view it seems we'll just reach the current state as with phones.
And honestly, all these should ultimately just be done client side in the browser. After the browser has verified "User is x or user is over 21" there's no reason to then send that information to the website.
Let websites issue a "window.isUserOver(16)" call once and then move forward based on the response to that query.
Don't even bother having the website ask the browser anything at all. Just have the website TELL the browser the content is intended for adults via HTTP header and let the browser decide to display it or not depending on parental controls.
Yeah, that's even better.
Multiple proposal for this exist for decades[1][2]
The RTA one was even pushed by the porn industry and is already in place in majors websites[3]
[1]:https://www.rtalabel.org/
[2]:https://icra.org/webmasters/
[3]:https://en.wikipedia.org/wiki/Association_of_Sites_Advocatin...
This would require browser attestation, wouldn't it? Otherwise kids are just going to download a custom build of Chromium where `window.isUserOver(16)` is always `True`.
The same system that blocks kids from downloading the Pornhub app would also block them from downloading the "Chrome but without parental controls" app.
No, it only "requires" browser attestation if we taken it as a given that the onus is on tech companies for verifying who they are talking to - ie identity verification that most of these schemes boil down to regardless of how cute they're dressed up.
To effectively keep adult content away from kids, it merely requires secure boot and closed app stores, which are already widespread. And they are only required on the devices actually given to kids, rather than every single computing device.
But this proposal has another problem: it's easy for a website to run isUserOver(n) in a loop to derive the exact age. And on a persistent account, it can be queried every day to derive an exact birthday! Which comes back to my main point that the only technical schemes we should be considering are ones where information strictly flows one way - the website/app supplies information to the browser/OS, which then [may] implement parental control policy. anything else fundamentally boils down to a mandate for identity verification.
> To effectively keep adult content away from kids, it merely requires secure boot and closed app stores
This is unacceptable. If I own a computer, I expect to be able to build and run any program, either written by myself or others, without asking anyone for permission.
Maybe I needed to say "it merely requires the existence ...". Because I then do go on to say:
> And they are only required on the devices actually given to kids
My whole point is that this limits the blast radius, compared to any solution involving "age" (read: identity) verification which has a blast radius of every computing device!
Perhaps my other comment will show you where I'm coming from better: https://news.ycombinator.com/item?id=48645646
> To effectively keep adult content away from kids, it merely requires secure boot and closed app stores, which are already widespread. And they are only required on the devices actually given to kids, rather than every single computing device.
...I guess I don't really see the difference.
Closed app stores are widespread on some platforms but certainly not others, and I for one would really like them to not spread any further.
For starters here, the difference is that only devices that parents give to kids need to have secure boot and controlled software sources. The point is that every other device remains completely unaffected.
But in general there is a huge difference between the freedom-destroying properties of secure boot with closed app stores, and the next step of remote attestation. Remote attestation lets the server insist that you only run software fully of their choosing rather than your choosing, as a condition of interacting with them. This completely destroys the idea of protocols that mediate between two parties with diverging interests, and computationally disenfranchises users. Imagine the next generation of the Cloudflare nagwall that doesn't let you past unless you buy a new computer, and that new computer must be running MSWin/OSX and MSIE/Chrome.
(also note that my use of "secure boot" here includes systems like on Pixels where you can straightforwardly unlock the bootloader (erasing the data on the device), install whatever you want, and then relock. I still find these systems philosophically objectionable, as there is still a privileged key baked in and retained by the manufacturer - similar security properties could be provided without the backdoor. But pragmatically they've been working okay)
Some probably will. 99% of them don't even know what "Chromium" is.
This doesn't have to be perfect.
Right now, they don't know. They're going to learn very quickly when they want to use some website and they can't.
We agree it doesn't need to be 100% perfect. But it needs to be at least, like, 60% perfect, right? And unless you make it at least a bit hard to bypass, it will stop virtually no one.
Some undoubtedly will.
Installing a new browser is already a bit hard for most people. I think you are a little skewed in your thinking being online on HN.
You also aren't thinking about age. Certainly 16 and 18 year old probably can get a new browser installed. But a 14 year old? 12 year old? 10 year old? That barrier is a lot higher the younger a kid is.
I just finished my second year as a fifth grade teacher, so I have a lot of experience with ten year olds. I am confident a majority of my students would be able to install an alternative web browser if they needed to, and a majority of the remainder would ask a friend to do it.
To give you an example of the workarounds kids will find: Youtube was blocked on school laptops, so the kids all started embedding Youtube videos inside of Google Sheets in order to watch stuff. This isn't, like, something a few savvy kids did, it was a widespread and common practice.
And, in my opinion, a healthy thing for the kids to learn and do.
Lol. I started building computers, installing operating systems and tinkering with Linux between ages 10-12. I also started watching porn not long after that, and guess what, I still became a more or less normal adult. There is absolutely no need to "protect the children."
This is how California is legislating it—requiring the OS to let an admin set the user's age, then let browsers and through them, websites, to query that setting.
You can get their exact age by binary search.
Typically these APIs are designed so you can't make arbitrary queries, but rather there are fixed age brackets.
Then it can't be bool isOver(int age)
> - websites issue content tags, browsers consume them, you enter your age into the OS during setup.
Why would that be acceptable though? What if a user does not trust the operating system? Even Linux may not be safe in the future, what with age sniffing coming by Red Hat integrating it into system already. And Red Hat plans more - xorg is abandoned on purpose, for instance.
That's because you're treating AV as a system that must be 100% correct immediately. This isn't banking or an election.
As soon as you loosen off the requirements to "reasonable effort", you can start looking at account age, facial features, social attestation, and include retrospective tools to revisit someone's verification if they get in and start acting like a child. Heuristically messy but far from impossible to demand a stronger form of verification if their original might have been borderline.
The goal is broad coverage, not complete. Screening doesn't have to get 100% to have an effect.
I understand it doesn't need to be 100% correct. But I think what you're describing is either (A) going to be very privacy invasive, (B) going to create problems for lots of adults, or (C) going to be precisely as effective as a checkbox saying "I agree I am over 18 years old".
It's "social media". The whole thing is profiling for advertisers. The idea that there's privacy is laughable.
There is a network effect as a child's peers stop using social media though. Make it inconvenient enough for enough for kids and they'll read a book, take up slam poetry or whatever it was kids did before our attention became currency.
you generate a random number and send it to website you want to visit.
Website you want to visit generates a one-time private/public key for the purpose of this login attempt, hashes your random number, and sends the hash back to you.
You connect to the government auth platform, auth yourself to your government, and ask them to sign the hash you received.
You pass the signed hash as well as the original random number to the website you wanted to access (the original random number is used by the website to store the one-time key they generated for you). They can see it is signed by the government. They can see it is made with the hash they provided.
You get access to whatever content you wanted. The website doesn't know who you are. The government doesn't know where you logged in. Sure, it won't hold up against collusion between website and government, but nothing would.
the principles explained above are slight adaptations of PKCE authentication.
So now I have to get permission from the government to browse the web? And they can revoke that permission at any time? And we need a great firewall to block citizens from communicating with foreign websites that don't comply with this scheme?
This idea is worse than facial scanning, by a lot.
(Better idea is OS level parental controls combined with government-mandated content tags to let the OS know what content is child-safe.)
> Sure, it won't hold up against collusion between website and government, but nothing would.
Right, so it's just privacy theatre.
Not necessarily. Some sites have no interest in communicating your data to the government, unlike their 23019 affiliate ad programs.
If your government is paying private third parties to collect data on you (hello USA), the issue is much wider, and nothing would protect you from such a government. Even without age verification, if the government is interested in spying on you, and the sites are willing to sell, they would gladly trade your IP and connection log.
Sure here's one example of decentralizing it -- it's going to be overly simple just as a toy example to show how easy it could be:
Whenever you want to prove your adult you go to "am I an adult.gov" and you use your credit card or whatever to prove you are an adult. At which point you get a 1-time 5-digit code that is UNIVERSAL TO EVERY SINGLE HUMAN and good for 1 hour (everybody who uses the site gets the same code that hour).
Then when you want to look at porn or something, you use this code. Boom simple and done.
There are even much better much more private techniques that use cryptography, and AI is happy to explain these graduate-degree level topics to you at your own pace.
Of course there are situations where people steal things, and use deep-fakes, etc, but those exist in every model.
Headline news: children infiltrate the universal adult one time password scheme for porn, parents panic! Turns out the 18 year olds started selling access to their younger friends, who resold it to their younger friends.
this happens with alcohol and tobacco every day. i cant think of the last time it reached headline news.
My point is that the entire check is bypassed easily and instantly, and in the meantime the government gets data that someone _will_ figure out how to make personally identifying for adults, or will argue for changes to make it so. Alcohol age limits are a simple physical check for a vice that everyone accepts those who want it can get at. I’d rather demand that device manufacturers give parents effective controls before we try solving this problem by identifying internet users wholesale.
It does not reach headline news because everyone just accepts that the "filter" is imperfect.
But, for some reason, little twelve year old Jimmy obtaining access to porn evokes some kind of far more visceral reaction in Jimmy's parents (or if not Jimmy's parents, some "busybody" who wants to "protect all the children") than Jimmy managing to get himself a pack of Salem's or a Pabst Blue Ribbon tallboy.
right, that's exactly what i was getting at with my original comment. none of the laws we have are 100% effective. so i find it weird that this specific topic always devolves into "well some kid will be able to get access, so your proposal sucks".
> little twelve year old Jimmy obtaining access to porn evokes some kind of far more visceral reaction in Jimmy's parents
Because right now there's next to no barrier to access compared to Jimmy getting himself a beer. If you keep saying "Your proposal sucks because it isn't perfect and we should do nothing" then you're essentially surrendering to the people who really want facial scans.
are you kidding? there will always be a million porn sites not hosted in the US that everybody will have access too.
This sort of pedantry is really just supporting the opposition.
Hopefully it would be less of a criticism of the system, and more spurring people to ask questions like "Wait, why did you leave a hunting knife on the coffee table?"
Design a scheme that equips parents with better tools to be better parents, rather than one that reduces the scope of parenting responsibilities.
Same code for all people for 1 hour and you don't think we'd immediately have rotating codes to pass the gate?
I'd setup the .onion in a heartbeat. Take crypto donations, cash out in Monero
I sure hope so.
I think the only thing I actually have any concern about is phones and social media use for kids, and I think that has a much easier solution than any sorting of tracking-BS.
I think the German Personalausweis has an electronic ID function that does this: age verification without giving out other information like name etc. But the application chooses which information is requested and could/will request more.
Unfortunately few know and use this information although the usage via NFC is not that complicated. Have used it successfully already a few times for banks, but including name information etc.
Yubikey tokens support attestation. You can sell Yubikey tokens at places inaccessible to minors, like liquor stores, and having a token proves that one is adult. Another way is implementing "parent mode" when OS allows only installing apps from a government-approved whitelist and access sites from a whitelist.
Using existing parental controls parents could set their kids age and that could be used for the age controls. Could the parents let the kids around the age gate? Sure but they could do that even if a government ID and camera was required. This actually might be more effective than a lot of these systems because other adults could not let the kids use their IDs
Existing parental controls don't work - new ones would have to be created.
Cryptographically blinded age verification with a government signed digital ID
Perfect is the enemy of the good, right? I mean a page header or some other simple means to identify "adult" vs not is good for most cases? Just thinking about it.. obviously it can be bypassed but is there a good enough?
Make unrestricted devices like alcohol: you need ID to buy (but the box containing the device you’re sold is indistinguishable from any other, so the device may have a UUID but it can’t be traced to your ID); kids caught with unrestricted devices in school have them confiscated; maybe fine parents, but I think discouragement and banning in schools is enough. Kids can have restricted devices, distinguished from unrestricted by appearance in a way that’s hard to fake.
I don't know, treating general-purpose computers like alcohol seems a lot more dystopian to me. Does this extend to PC components? Can I build a machine and put Linux on it?
> I don't know, treating general-purpose computers like alcohol seems a lot more dystopian to me
Isn't this the logical end goal of basically every approach to "age verification", though? If you really want to control access to the internet, then you can't let people have a VPN or Tor, and if you don't want people to VPNs or Tor then you need to lock the device down.
> Can I build a machine and put Linux on it?
Maybe for the next few years you'll be able to do that. Analogy: back in the day you could just build your own airplane and fly it around. There were no regulations.
Do most kids have the ability and motivation to build their own machines?
AFAIK you don’t need ID to buy juice, sugar, and yeast to make your own alcohol, so I think it should be the same for computer parts.
> Do most kids have the ability and motivation to build their own machines?
I and pretty much everyone else in my childhood TeamSpeak server did at roughly 14 years of age.
Did the people in your Teamspeak server have issues with concentration and socialization like most social media addicts today?
Info-minimized oidc handshakes with certified identity providers could verify age-category of a user with no other information shared.
Consider "log in with apple" as it is today. Depending on what you share, a relying website might not even get your name or email.
Yes, that was my thought as well when i was visiting UK and reddit kept asking me to verify my age. It might be even more private and non-trackable than that - if "age.id.gov" central authority effectively "provides a new random user id" (implementation may vary and does not need to have a "literal username") every time you try to use it / log into a website that needs to verify your age - this way websites can not even track you across platforms.
It seems like all the tech stack is there to implement a very simple and privacy-persevering solution.
It does not even smell of state censorship because a website does not have to check your age if it decides to be "non compliant".
Why isn't it implemented like that? Based on the comments it seems more like a "free-for-all implement-your-own-PPI-handling-thon".
This will ofc make life harder for a some groups of people - like people without / limited access to IDs etc. And i do not even argue that the whole thing is necessary.
But there seem to be vastly superior technical means to implement that, aren't there?
The only way to know that is to trust Apple.
Easy, when you buy the device, during first setup, you set up the date of birth of the user. If the user is underage, the parent/guardian sets a password to unlock the device if needed before the user is 18. That device then sends "is_below_18" flag to whatever service wants it.
just do what they did in Leisure suit Larry, ask some skill testing questions that only someone older than 18 would know. Give them a short time to answer so they can't look it up.
If you don't think a checkbox saying "I am 13 or older" is adequate, with all the behavioral tracking available to say Meta, they can tell well enough. OpenAI talks about this too: https://openai.com/index/our-approach-to-age-prediction/
Knowing who someone is in general is different from having a photo of their face or government ID confirmation.
This is a classic case for one time ZKPs. Sure, you can't get around attestation, but the party that needs to verify that you meet age criteria doesn't need to know your age or other private information.
I presume you're concerned by the attesting party's knowledge of both the signature and identify information. Yes, in principle these can be linked, but in practice, it may be difficult or made very difficult, and today, very little of our online activity is really anonymous anyway. It is generally not too difficult to infer identity based on the content someone generates and the bread crumbs they leave behind.
Of course, if the intent is to use age verification as a wedge to monitor everyone, then it will be difficult politically to secure the protections needed to prevent that sort of data fusion.
Where are these mythical sweet-spot solutions? Concretely, half the websites I visit from the UK want me to either scan my face or upload ID documents to access their full featureset. Now that users have been conditioned to accept this, nobody seems very interested in figuring out how to collect less PII - only insulating themselves from liability by having the data processed by a third party.
They don't exist because the organizations who lobbied governments were YOTI, Persona, K-ID and others who have a vested interest in collecting data and rent seek by latching through regulations like diseased ticks.
The UK has draconian laws.
But some of the easiest middle ground solutions that solve 90% of the problem are things like simple math problems. Get asked "3+7" and that will pretty quickly filter out almost anyone under the age of 6. If you can accept that there are some smart 4 or 5 year olds who can do simple math, congrats you recognize there's a 10%.
They are indeed draconian, and the rest of the world is now eyeing up adopting similar legislation.
> half the websites I visit from the UK want me to either scan my face or upload ID documents to access their full featureset.
what kind of websites are you visiting to get age checked on half of the sites you visit? i've only been asked to verify for dating apps and "sexy stuff". and i definitely don't spend 50% of my total browsing time on those sites.
maybe this says more about the kind of content/sites you're accessing if it is really as high as 50%? UK age verification mostly only applies to sites which might end up hosting the content quoted below.
> pornographic images, and content that encourages, promotes, or provides instructions for eating disorders, self-harm, or suicide.
or you're just being hyperbolic? 79% of statistics are made up, after all.
reddit.com, discord.app, google.com with safe-search off (This one works sometimes, they are A/B testing force-enabling safe-search for unauth'd sessions)
Oh, reddit, yes. Good point.
I don't use that; it's worse for your brain than any regulated substance. Kick your reddit habit while you can.
Google safe search: I've only seen this from my PAYG mobile phone, because I've never bothered to lift the adult content lock on that after more than a decade, and Google is the only place I've seen ask, actually. Even so it rarely happens.
Discord: the mere idea of being in an adult-content-related discord group is enough to make my skin crawl.
Worth noting that of these three, only one of them is a UK-only decision, as far as I am aware: Google Safe Search respects UK phone companies' default adult content block on PAYG. They are about the only company that does. Reddit and Discord have made this decision globally, have they not? Because there are US state laws too.
>mythical sweet-spot solutions?
there are thousands of comments on these threads every time it comes up. there's tons of what i consider reasonable solutions proposed. there's examples below, too, which don't require face scans.
>Concretely, half the websites I visit from the UK want me to either scan my face or upload ID documents
yeah, i agree that really sucks.
I've yet to see one I consider reasonable.
if you think even the client-side "yes im 18" on OS setup proposals are unreasonable, i dont know what to say.
Privacy-wise I think they're completely acceptable, but in terms of circumvention I don't think the politicians will be satisfied. It's barely a step up from the "I'm over 18" buttons on websites.
>It's barely a step up from the "I'm over 18" buttons on websites.
i think its a pretty decent step up from that, but i know what you mean.
>I don't think the politicians will be satisfied.
and that circles back to my original point. the politicians aren't satisfied with a "mostly effective" solution (e.g. OS-enforced age attestation) as they are with literally every other law, and instead are taking advantage of the issue to justify mass surveillance.
I believe kids will always find circumvention pathways.
There is a signaling function these laws serve: things are the products we consider acceptable in society. We have these rules for cigarettes, booze, and vapes.
That said, privacy being sacrificed for signals, is an unacceptable trade, especially when better solutions can be crafted.
> kids will always find circumvention pathways
I'd consider this a feature. I'd be proud if my kids find a way to circumvent the parental controls on the family computer or use their own money to build their own computer like I did growing up. At that point they've earned the right to the full internet.
(However, I would not be willing to use any solution that sacrifices my or my kid's privacy.)
[flagged]
[dead]
Government builds a website where you can log in using any government issued ID or using one of the many many many available services that hold your details already(at least in the UK nearly everyone will have a DLVA account, HMRC account, HMPO account, NHS account.....all of these are government services which we can only assume hold our data securely already).
On that website, you can click "give me a verification code", it gives you a code that is single use and only valid 24 hours. You type that into whatever 18+ website you need to, they use a public API provided by the government to just check "yes this is a valid code and the user is 18" - bang, done, verified. The website knows nothing about you at all, except for the fact that you're 18.
In fact, the UK government ALREADY HAS THIS. For the EU settlement scheme, you can give your employeer(or anyone else who needs it) a special magic code that they type in on the government website, and it just says "yet his person has the right to reside in the UK" without spilling any of your personal information at all. The code is single use and valid a limited amount of time. And you can do the same with your driving licence, where anyone can verify you hold a valid licence without actually seeing it or any details on it.
Like, am I being stupid here? It seems like an almost trivial solution to the problem, especially given that it already exists for at least 2 services named above.
And yes, I know people will say "oh but that requires the government having this data on you, and that's bad" or "but then the government will know you've authenticated with pornhub!".
And yes, both of these are true - but on point 1 - like, I'd love some ideal situation where the government can simultaniously give me a passport or a driving licence AND not have any information about me at the same time, but that ain't happening, and on point 2 - yes, but that's still infinitely preferable to the current implementation, and it can be easily solved with legislation saying that the code authentication service doesn't log who requested verification, it just answers with yes/no and that's it.
Every time I search something, I open a fresh private tab and google it. If I want to turn safe-search off, I'd have to go through this code verification flow for every single search. Aside from just being annoying, they'd have to implement strict rate limiting to prevent automated code sharing, so I'd soon end up waiting for a rate limit to expire before I can search anything.
And "the government will know you've authenticated with pornhub" is extremely harmful, in my opinion.
Sadly we got to this place because there are other harms that are occurring and those are forcing this conversation.
The "other harms" are made up fearmongering by rightwing cowards and incompetent parents.
Hah. I wish.
I have personally had to remove NCII for teens and young adults. Grooming is a thing, self harm communities are a thing, as is sextortion.All of it at internet scale.
And this ignores the parts where the platforms released features they knew from their own tests, were harmful to teens.
It is convenient to dismiss them, because it makes it easier to hold positions that depend on them being minor harms.
This means giving the government complete insight into your internet browsing. All they need to do is store a database table of handed out keys to ids.
This is unacceptable tyranny on its face.
>>This means giving the government complete insight into your internet browsing.
...how? All they know is you've authenticated with service X. And like I said, we can make legislation to say they are not allowed to keep the record of who authenticated.
Besides, let's not let perfect be the enemy of the good - in the UK all ISPs are required to keep a full year of your browsing history, and 17 government agencies can access this data(including DEFRA - the agriculture agency lol). So like....the "the government will have a full history of your browsing" is a ship that sailed a few years ago. Obviously I don't agree with it, and I think we should be on the streets of London and protesting this, but here we are as a country.
So like yeah, I get your point. But UK is particularily fucked on this point, let's not make it even more fucked with the way things currently are, the authentication can and should be done better.
Why does the government need to know what pages you visit? It could just encode a string representing the date and 'above 18' and sign it with its private key. PH then just needs to verify it using the public key.
Even better solution then.
>>Why does the government need to know what pages you visit?
In the UK the government already knows, but that's beside the point. It's another bad law that should have been fought against much more than it was.
The codes can trivially be shared in this case
...and? Just like a child can "trivially" ask an adult to buy them a beer.
Who are these adults giving children their verification codes for adult websites?
Asking adults for beer doesn't scale, code sharing can. If you want to crack down on code sharing, you'd have to start surveilling who is signing up to what.
> If you want to crack down on code sharing, you'd have to start surveilling who is signing up to what.
Why? One code for one user account per site. If you're paranoid about privacy rotate codes and accounts weekly. As long as you can purchase the codes with cash in IRL stores the privacy impact is minimal.
So this solution is fine for proving your immigration status, getting employment or renting a house, but it's not good enough for browsing porn(to be a tiny bit flippant)?
>>If you want to crack down on code sharing
Right now, all the kid has to do is grab their parents passport while they are not home or asleep, scan it on their phone and they are in. It takes 30 seconds.
With the codes they would either need to convince their parents to generate a code for them, or find someone online who will - which of these solutions seems less prone to abuse to you?
Again, let's not let perfect be the enemy of the good.
Exactly. The same way that selling alcohol doesn’t require a paper trail of every beer I’ve bought.
I don't know about this, stores around me are scanning people's IDs to verify their age.
I guess I could make an ID (not a counterfeit government ID) that uses the same encoding for the birthday.
They are scanning the PDF 417 barcode on the back.
Here are the specs for what appears on the driving license/ID and how to read the barcode:
https://www.aamva.org/getmedia/99ac7057-0f4d-4461-b0a2-3a553...
They issue a new spec every 4 years.
Not anymore, at least. In these parts your alcohol purchases did require a paper trail once upon a time.
To be fair, I buy my beers on CC. If someone really wanted to know the best IPAs and session able beers they could get, they could audit my CC records and then cross check to the breweries and pubs to see what I was buying. Just depends how much someone wants to learns bout good beer.
Your point was what? No one should be allowed more privacy than you wanted?
Anything under 4% should be sessionable IME.
And yet in practice they do.
Well, not every beer but when you shop at Beers-R-Us they know.
It doesn't even need 'age verification'. Ostensibly, the goal is to prevent children from accessing content their parents don't want them to see. That means all that's needed is a standard way for parents to make sure that websites know their children are children. They don't need identity, they don't need actual age, we don't even need a complicated cryptographic solution.
California had the right idea - establish a standard way for a client to identify that the user isn't an adult (or you could do it the other way around, but that's less permissive), mandate that websites obey the flag, mandate that OSes include the feature and that browsers use it. In the end, anyone who owns a device can set their age group flag however they want it - it would be up to parents to make sure their children only use devices set the way they want. The parents could set their 8 year old's age group to whatever age group they want, and rest assured that websites would respect it.
> the goal is to prevent children from accessing content their parents don't want them to see
This has been mandated in TVs sold in the US. No one sets the thing.
https://en.wikipedia.org/wiki/V-chip
> Ostensibly, the goal is to prevent children from accessing content their parents don't want them to see
This is not even ostensibly the goal. Ostensibly, the goal is that the government controls what a child can do.
or don't put the burden on the website at all, but let the parent choose whitelists of child-appropriate sites based on whatever criteria they want.
This is already possible. There's not enough people doing it, so instead we get age verification schemes.
The benefit of an age attestation scheme is that it makes it easy for parents, while also diffusing future attempts to use children as an excuse for control.
[dead]
The age verification that doesn't have to be a nightmare dystopia of 24/7 fine-grained tracking and recording is called parental controls and it already exists in most systems. It doesn't require any proof of ID, internet connection, complex distributed systems, and so on. And it has near 100% success rate.
What's the point in making this distinction? This is HN, 99% of the users here are aware of what zero knowledge proof is and that it's possible to implement it that way.
The general consensus and what the article is alluding to is that it will be probably implemented in a way that allows individual tracking and identification.
>What's the point in making this distinction?
we're on a discussion board, so i started a discussion. that was the point.
I also only learned about Zero-Knowledge Proofs from links to articles, blogs, and discussions here so someone has to bring it up.
I don’t know? Maybe its the little give and take that helps build a solution that is mature and limits the kind of harms kid are facing, without sacrificing privacy?
It’s also the very cool, nuanced and technical tooling that people here tend to enjoy figuring out, and building.
It side steps the thought terminating tar pits of “privacy at all costs” or “save the children”.
They can track you with cookies , now they have age and identity signals .
So let's see some of the champions of these systems acknowledge this downside and make the case that they should be built in a way that avoids it and not back down on that when it becomes inconvenient.
Why would they ever do that? The spying is the point.
This isn’t about kids at all. The ID requirement is the WHOLE POINT.
That it is technically possible to do age verification in a privacy-preserving way is thus entirely irrelevant.
They want all online activity tied to ID so they can violently, illegally retaliate in the dark of night against protected expression online that they don’t like.
That’s all this is. Privacy-preserving techniques are irrelevant because they do not accomplish this goal.
My government shouldn't decide what content I'm viewing or providing, and that's the end of it.
>muh kids
That's the parents problem, not mine.
Any system the government comes up with will be insecure, inconvenient, invasive and cost the taxpayers billions, and you all know it's true.
You must have skipped reading Project 2025. Most of the editors/contributors have been appointed/hired/added to the administration/cabinet. More than half of the goals of Project 2025 had already been implemented.
There is also, separately from that, a need to protect kids from growing up into the people in Idiocracy.
Getting children to not grow up into idiots requires intense parental interactions, healthy environments, and the ability to explore and get hurt. Identification isn't even on the list.
Is that an argument for or against letting known pedophiles have direct messages with children?
They already failed to do that by steadily eroding the educational system and its standards over the last 50-70 years. We’re already there. The electorate can’t locate the countries on a map in which the US is fighting multiple wars in their name.
Banning Instagram ain’t gonna fix that.
This is not in any way whatsoever about children.
Is it possible that two or more things both harm children?
Let's ban books and skateboards too
I think they already did that.
Yeah, and once you have the non-intrusive system in place you can just switch it out for the tracking one without the user knowing.
Or there's probably some kind of correlation trail possible that will track you even with the anonymous systems.
> age verification doesn't have to be a nightmare dystopia
But I feel there's not a lot of trust that whatever implementation we could end up with wouldn't be such a dystopia. The real world equivalent would be checkpoints at every intersection verifying the driver's age, the cashier who carded the 20 yo with a beer now does it for everyone, makes a copy of your ID and stores it in a big folder shared with their 427 "business partners".
Imo we should scrap the whole idea of age verification. Kids get a kidPhone with kidOS, whitelist of age-appropriate resources & capabilities. You wouldn't let an 8 yo drive on the highway, yet they can have a supercar to drive unsupervised on the information highway, no biggie. Internet is full of adults doing all sort of stuff while kids need supervision and education: design safe spaces for children, not checkpoints at every corner.
This would be great and all, but all parties who are in a position to choose to implement this kind of system or to keep the status quo are already motivated to keep (and expand) the existing systems, for any number of reasons. Everybody (except the end users) loves to keep that juicy metadata and incidental logs of everything.
(Repost from 2021: <https://news.ycombinator.com/item?id=26560821>)
The so-called "social media" companies in the past have bragged to advertisers and the public about how much they know about their targets, also known as "users". Statements like, "We know more about you than your friends and family."
Now, is this really true. Probably not. It's exaggeration. It's hype
But these companies have learned that a 100% correct is not necessary to make money. For example, if they are correct 80% of the time, then maybe that's good enough
A law that achieves an 80% reduction in youth ad targets might also be "good enough"
The toes getting stepped on belong to the companies
The kids who will still access these companies' websites come hell or high water, the 20%, are unlikely to complain
Complaints come from the companies and those who rely on these companies to make money. Like the author of this blog post, they keep calling a handful of Big Tech websites/app endpoints "the internet"
Their toes are going to get crushed
"Social media" is not "the internet"
> there are several reasonable proposals that would be 90%+ successful without stepping on anyone's toes.
I have a feeling my definition of having my toes stepped on differs dramatically from yours.
> i am convinced that enough people in power know it, too, but see this as their chance to get the full-dystopia version rolled out.
Well there's plenty of idiots in power and I'm sure they have no idea. But there absolutely are evil ones who simply want more power and don't care what happens after they have it.
If this were actually about protecting children, maybe you could get something passed that wasn't just ground work for a panopticon hellscape. But it's not about children at all - the people truly worried about that are just useful idiots - it's about power, and so you can't pass anything without having the surveillance infrastructure forced in.
>I have a feeling my definition of having my toes stepped on differs dramatically from yours.
based on what?
Doesn't _have_ to be except not enough voters can tell the difference which is exactly the goal.
Doesn't 90% successful mean you are stepping on 10% toes???
>Doesn't 90% successful mean you are stepping on 10% toes???
no, it means that <10% of kids under 16 or whatever age will still make it onto instagram
Wouldn't this mean we don't know what age these 10% are in?
i dont know what point you are trying to make.
there are laws against underage drinking and buying alcohol. some kids still get access to alcohol. the law is mostly successful, with an acceptable amount of failure rate.
same concept.
Gating is not just for porn, they are talking about using for social media and various other things. You can imagine that many things end up age gated if this becomes legislation, as a preventative measure.
Then your 10% becomes problematic because you are either restricting or granting access based on invalid information. So in your world here we then need ways for people who were incorrectly gated to reach out and be corrected somehow.
You're mixing up false positives and false negatives. Nobody is going to be incorrectly blocked under this system unless they lost their ID, and the fix there is getting a new ID.
Some kids skipping the block sometimes isn't catastrophic, especially because there won't be all this peer pressure to join adult social media when 90% or more are blocked.
You know this? My guess is that companies will be held responsible for anyone accessing there content that is not supposed to. In that light they will feel the need to block any unknowns that come through rather than potentially face issues if someone who is technically banned from accessing gets in.
I'm not sure how you confidently can say that every company is going to allow the people we can't verify have access?
No, it means Instagram doesn't know.
It was never about the children. They are rolling this out, so online comments can be tracked to names and addresses.
It's to suppress free speech and arrest people that post anything against the government's narrative.
Many people have already been arrested in the UK for this. This is the next logical step.
i am convinced that enough people in power know it, too, but see this as their chance to get the full-dystopia version rolled out.
Correct. The goal here isn't "to save kids". That's just one of the Horsemen of the Infocalypse [0] used to market taking away our freedom.
0 - https://en.wikipedia.org/wiki/Four_Horsemen_of_the_Infocalyp...
Sweet summer child. This is not about age verification.
>Sweet summer child.
my comment is only 81 words long, yet it seems that multiple people fail to make it to the end for some reason.
("full dystopia" should be a hint that i recognize the ulterior motive)
Would you mind elaborating on the specific methods you're referencing? To me, the entire problem is framing the issue as "age verification" in the first place - this implies the web company is responsible for knowing and controlling who uses their service. Whether this is a full-on demand for drivers' license / face scan / verification can, or whether there can be a technical process that obscures some details doesn't change this underlying dynamic!
The other problem you're up against is in the low-friction online environment, 90% easily turns into a much lower percentage. Which will actually manifest itself as the initial methods that achieved "90%" being declared insufficient in favor of stronger methods of identity verification.
I say this as a parent staring down having to deal with the dumpster fire that is the modern web in the next short year or two - the only sane way to address this problem is through client-side parental control software that works based on website/app tags supplied by the server / app creator / etc. There is indeed a market failure here, so the sensible regulation is to make websites over a certain size publish labels about the suitability of their content for age brackets, whether a site is social media, contains user generated content, has algorithmic feeds, and so on - affirmative assertions about the content that carry legal weight and liability for them not being true. Device manufacturers over a certain size would need to include parental control software that can be enabled during the setup process.
If parental controls are enabled and a website has not published tags (too small, foreign jurisdiction, misconfiguration, etc), then it simply fails closed and refuses to display the site. This keeps decisions about content suitability in the hands of parents where it belongs, rather than putting it in the hands of corporate attorneys who will often make decisions directly contrary to what parents want! Remember this whole topic is being pushed by big tech to absolve themselves of liability for pushing harmful products!
>Would you mind elaborating on the specific methods you're referencing?
well, i mean, you put a decently reasonable one in your own comment: "client-side parental control software that works based on website/app tags supplied by the server / app creator / etc."
another sibling comment mentions alcohol sales. government could issue a scratch card with UUID that's valid for some time, sold at anywhere alcohol/tobacco is already sold. most people are already comfortable with flashing an id at the beer store.
read any other the other dozen similar threads with hundreds of comments, and there are a handful of other neat ideas usually voted pretty high up.
Isn't getting around showing ID for alcohol about as easy as clicking "Yes I'm above 18"? All you need is to know someone that would buy it. Or know someone that knows someone that would buy it. Or know someone that had it bought for them.
Or I guess in the case of the US... maybe even just steal it considering how lax people seem to be with theft.
>Isn't getting around showing ID for alcohol about as easy as clicking "Yes I'm above 18"? All you need is to know someone that would buy it.
and yet, most kids aren't walking around hammered. the penalties of underage possession and supplying to underage kids deters most people.
i will reemphasize that literally no law is 100% effective, so its silly to talk about age verification as if it has to be the first one to be 100% effective.
Note that what I outlined is decidedly not "age verification" or "identity verification" - rather it relies on on-device parental controls, where the decision process is still completely under the control of the end users (ie parents). The main point of the legislation would be to prime the network effects to overcome the current market failure.
The details of the setup are very important as they lay out which way the situation will be pushed as the calls invariably continue. There are many other neat ideas that are voted high up, that still fundamentally still just boil down to identity verification! This why we need to talk specifics - even most programmers are bad at designing secure systems, as it requires the additional skill of adversarial thinking.
For instance, the scratch card idea you bring up fails with the same problem - it still puts the onus for yes/no decisions on the companies, meaning when the scratch cards are declared not good enough, those companies will then move on to additional methods - and it would be a tall order to craft legislation that prohibited companies from employing any other identity verification methods beyond the scratch cards. And in case it's not obvious, the scratch cards will readily be seen as not good enough - if they're truly private, it's easy for anyone to make a couple extra bucks by buying some (up to the limit), and then selling the tokens online.
(never mind that many beer stores have moved to online verification of licenses where they scan your ID# and it gets backhauled to some centralized database, so even buying beer isn't appropriately described as "flash your ID" any more)
(also note that any "age verification" or "identity verification" scheme does not merely absolve big tech of liability, rather it moves that legal liability on to parents themselves! )
> age verification doesn't have to be a nightmare dystopia of 24/7 fine-grained tracking
Personally I don't care how much age sniffing is mandatory in that I think it is inacceptable on any level. Do you try to insinuate that a little bit of tracking is ok? Because I can not buy into that premise. To me the whole assumption is wrong from the get go.
> Do you try to insinuate that a little bit of tracking is ok?
Everything is going to contribute to tracking, though. It's really hard to ensure that data doesn't leak.
Example proposal: sites attach an X-AGE-RATING header to pages and browsers only render the page if X-AGE-RATING < USER_AGE.
Exploitable Issue: Send multiple requests from one page for various style sheets with different X-AGE-RATING headers. The ones that get loaded give you all you need to find the user's age cohort.
But, the unique combination of things like your screen dimensions, number of threads, charge percentage, default languages, available fonts, etc already makes tracking possible. I don't know if adding one more - carefully chosen feature - would really make the situation that much worse.
>Do you try to insinuate that a little bit of tracking is ok?
no, and you can read through other comments here and on the many threads of the same topic for proposals which have no tracking.
In tech, 10% unsuccessful today is 100% unsuccessful next week, when everyone learns how to join that 10% who got around it.
The shit is horrible if 100% successful, and yet not worth doing if it isn't.
I am convinced that no one will make any progress on this issue so long as they refuse to understand that their aren't a group of shadowy figures pushing for this but rather a sizeable chunk of the general population, buoyed on by various moral outrage interest groups including a great many HNers who have been happily stoking the narrative that social media is the cause of every negative statistical ill.
Who wants this? God damn everyone. And in so much as Facebook might do something with the data, what they really want is a legal moat of sufficient depth to drown possible competitors.
In fairness (i.e. looking at the data with an open mind), social media does seem to be the cause of (or at least strongly correlated with) a bunch of ills.
That's true but has anyone studied the good things that have happened from younger people being able to find community or other positive aspects?
Either way the solution again is not age gating, it's real meaningful data privacy laws that if enacted would have a huge effect on many companies today.
[dead]
> age verification doesn't have to be a nightmare dystopia of 24/7 fine-grained tracking and recording unless you are somehow hoping to achieve 100% success rate
I believe you are missing the point. "To protect kids" is just a cover, the nightmare dystopia is the real goal. So age verification have to be a nightmare dystopia or it would be useless for those, who push for it.
>I believe you are missing the point. "To protect kids" is just a cover, the nightmare dystopia is the real goal.
did i miss the point? because my last sentence literally says this.
Ah, well, no. Sorry, didn't read to the end of it. It is just I see no point at all to discuss other options, so sorta become bored reading about them.
Well, some who push it anyway. There is another group whose motive is to get rid of all porn.