>Could you be more specific as to what you're imagining?
sure, i'll put my favorite two. though you'll find much more detailed and thought-out versions of these (and others) in the dozens of other giant threads on the same topic.
- buy a card with a UUID from anywhere that sells alcohol/tobacco that is valid for some period of time. most people are comfortable with flashing their ID at the clerk. the UUID card is non-identifying.
- websites issue content tags, browsers consume them, you enter your age into the OS during setup.
> buy a card with a UUID from anywhere that sells alcohol/tobacco that is valid for some period of time. most people are comfortable with flashing their ID at the clerk. the UUID card is non-identifying.
This could be a good system if it's set up right. There's still some risk of being tracked if it isn't though. IDs could be linked to the cards at the time of purchase if retailers scan the driver's license, then scan the card creating a record that card #XXXXX was purchased using driver's license # XXXXX
Even if retailers aren't scanning the driver's licenses and collecting data that way, the cards and codes on those cards can be tracked and traceable to a retailer. That's how things like calling cards have been tracked. Say for example someone uses the code on a card to access a website, the police can match the code that was used to the serial number of the card, look up which retailer that card was sold at, and can then access security camera footage at that retailer to identify who bought the card from that location. This would also let them passively generate lists of IP addresses/device IDs matched to websites and specific retail locations over time.
> buy a card with a UUID from anywhere that sells alcohol/tobacco that is valid for some period of time
Why should I pay continuously to prove I'm an adult? And those cards will be getting sold to kids faster than you can blink. I bet a lot of parents would buy them for their kids.
>And those cards will be getting sold to kids faster than you can blink.
there's a reason i said 90% and not 100% effective. alcohol and tobacco get resold to kids, too.
What makes you think this will be close to 90%? Unless these cards are expensive I don't see that happening.
>What makes you think this will be close to 90%? Unless these cards are expensive I don't see that happening.
it's obviously just an illustrative guess. but if the penalty of possessing the card is similar to underage possession of alcohol/tobacco, and larger penalties if a store/person is found providing a card to someone underage, i see no reason why it wouldn't have a similar success rate as alcohol/tobacco.
Why possess the card when you can just buy the UUID on the dark web?
If they have access to the "dark web" they can already do anything that requires age verification there. In the same way you expect that the rule to "not sell UUIDs" wouldn't be respected there, I wouldn't expect other age-verification rules to be respected, no matter the verification method.
Well, it's rather harder to sell bottles of beer on the dark web than short text strings.
That is true, it is harder, although AFAIK people do sell all kinds of illegal things there.
sure? i feel like i need to reemphasize the "not going for 100% effectiveness" thing again.
hopefully some parent steps in if their kid is on the dark web trying to make purchases with their parent's credit card.
Well, yeah, I would just give them my code.
Why buy a UUID when you can just get porn on the dark web?
Kids can buy drugs on the dark web too.
> I bet a lot of parents would buy them for their kids.
Good. I should be able to make judgement calls about what my children can or can’t access outside of school.
It’s better if they do it under my supervision than against my back, aided by a predator whose only moat is lending their ID, or their face.
> I bet a lot of parents would buy them for their kids.
That changes the default from "anyone can do anything" to "gotta ask parents". Defaults matter at scale. It adds friction.
Why should you pay for an internet connection, or a computing device with a screen? This isn't a serious counterargument.
Because those things cost money to make and to maintain, whereas there's no intrinsic cost to prove one is an adult.
Yes there is.
You need to pay for a driver's license or a passport and so on. So there is an intrinsic cost to prove who you are, where you are from, and what your birthday is already.
You have to pay for all sorts of small things to participate in normal society. This isn't a serious criticism.
By definition this is not a life critical thing, it's something that is procured in order to access specific services on the internet, which is not free.
>You need to pay for a driver's license or a passport and so on.
I have a government ID and I didn't pay for it. I can use it to travel to nearby countries in lieu of a passport. The assumption that IDs are necessarily non-free (to the issuee) is pretty funny to me.
>it's something that is procured in order to access specific services on the internet, which is not free.
The maintenance of the Internet is already paid for through ISP contracts.
I mean, if you really want to make the government subsidize an ID verification scheme or mandate that certain real-world locations provide age verification as a social service for everyone, that's fine.
It's orthogonal to the discussion, though, which is about whether we should do it or not, because the costs here aren't significant and don't change the terms of the debate.
I'm personally in favor of just banning children off the Internet, but I don't agree it's orthogonal to the discussion. What I replied to was the implication that someone should pay a recurring cost to prove they're an adult for the same reason that they pay to own a computer or to connect to the Internet. Don't disown the dumb thing you said.
I'm not disowning it at all. I think paying a recurring cost to prove you're an adult for purposes of accessing the internet is completely fine, trivial, and unimportant.
You have to pay a cost to go out in public, since there are nudity laws. You have to pay a cost to use an airport or a train station. You have to pay a fee to prove that you own a car. And so on.
It just doesn't matter. It's not important. It's consistent with how we organize our society in general, which makes focusing on it in this one particular instance more understandable as an attempt to distract from the substantive merits of these arguments about age verification.
>I think paying a recurring cost to prove you're an adult for purposes of accessing the internet is completely fine, trivial, and unimportant.
Okay, but the person you replied to doesn't, and instead of providing an actual answer to their question, you posed a false equivalence between proving your age and buying a computer.
>You have to pay a cost to go out in public, since there are nudity laws. You have to pay a cost to use an airport or a train station. You have to pay a fee to prove that you own a car. And so on.
You are purposefully muddying the waters by being lax with your use of language. The "cost" you "pay" by wearing appropriate attire in public is fundamentally different from the actual cost you actually pay when you engage in commerce; one is a trade of freedoms and the other is a trade of goods and/or services. If your argument is that the freedom you have to trade in exchange for the freedom to access the Internet, is that of not having to show an ID, that's one thing. If you also have to add a recurring monetary cost then that's another.
If you don't have an answer to the question of why someone should have to pay again to use the Internet beyond "*shrug* just 'cause, dude. Who cares?", then maybe you shouldn't have said anything.
> If you don't have an answer to the question of why someone should have to pay again to use the Internet
Of course I have an answer. To do something about the unlimited firehose of porn, violence, divisive, and addictive content that has been pointed at children for the past generation or so.
There's literally nothing confusing about the "why" in this discussion.
The fact that bad people use the "what about the children" argument regularly for bad reasons doesn't mean that all such arguments are bogus.
In fact, it's an indication of exactly the opposite, it's so regularly used because there is a broad consensus that we need to protect children from harm which is why it's often effective as an arguing tool.
The relevant frame for this discussion is will it actually work, and what are the tradeoffs. A trivially small amount of money for a simple age verification scheme isn't a particularly meaningful tradeoff against a genuine social problem. The bigger, more genuine issues are around privacy and censorship and I do in fact concede those are real.
>To do something about the unlimited firehose of porn, violence, divisive, and addictive content that has been pointed at children for the past generation or so.
See, you've answered a different question. The question you answered is, "why should children be protected from the Internet?" I'll give you for free that children should be protected from the Internet, for the reasons you've said, and now you get to convince me that I, who don't have or plan to have children, should spend my money to protect other people's children from the Internet.
> UUID card is non-identifying.
Kids aren't going to trade Pokemon cards in the playground anymore...
Well, they could trade identifying ones too or even stolen ID cards if you want to go this way.
They could also trade porn-filled thumb drives or old-school glossy paper magazines. There's no way to prevent kids' exposure to stuff at a 100% success rate.
There's no way to avoid exposure completely
Indeed but you are the one who claimed it was not a hard problem.
I don't think any one of us pushing back here on those claims do so for the heck of NOT finding a "solution", rather genuinely asking because so far it seems nobody did find such a solution without compromises that is in the end not worth it due to the flaw in said solution.
The point isn't to be critical of your process, only of the claim that it's a trivial problem.
> Indeed but you are the one who claimed it was not a hard problem.
Am I?
I'm just left wondering, how would that be different than buying a phone? Most kids also don't have money to spend on devices, that's all coming from adults, how would the UUID work any different? In my view it seems we'll just reach the current state as with phones.
And honestly, all these should ultimately just be done client side in the browser. After the browser has verified "User is x or user is over 21" there's no reason to then send that information to the website.
Let websites issue a "window.isUserOver(16)" call once and then move forward based on the response to that query.
Don't even bother having the website ask the browser anything at all. Just have the website TELL the browser the content is intended for adults via HTTP header and let the browser decide to display it or not depending on parental controls.
Yeah, that's even better.
Multiple proposals for this have existed for decades [1][2].
The RTA one was even pushed by the porn industry and is already in place on major websites [3].
[1]:https://www.rtalabel.org/
[2]:https://icra.org/webmasters/
[3]:https://en.wikipedia.org/wiki/Association_of_Sites_Advocatin...
This would require browser attestation, wouldn't it? Otherwise kids are just going to download a custom build of Chromium where `window.isUserOver(16)` is always `True`.
The same system that blocks kids from downloading the Pornhub app would also block them from downloading the "Chrome but without parental controls" app.
No, it only "requires" browser attestation if we take it as a given that the onus is on tech companies for verifying who they are talking to - ie identity verification that most of these schemes boil down to regardless of how cute they're dressed up.
To effectively keep adult content away from kids, it merely requires secure boot and closed app stores, which are already widespread. And they are only required on the devices actually given to kids, rather than every single computing device.
But this proposal has another problem: it's easy for a website to run isUserOver(n) in a loop to derive the exact age. And on a persistent account, it can be queried every day to derive an exact birthday! Which comes back to my main point that the only technical schemes we should be considering are ones where information strictly flows one way - the website/app supplies information to the browser/OS, which then [may] implement parental control policy. Anything else fundamentally boils down to a mandate for identity verification.
> To effectively keep adult content away from kids, it merely requires secure boot and closed app stores
This is unacceptable. If I own a computer, I expect to be able to build and run any program, either written by myself or others, without asking anyone for permission.
Maybe I needed to say "it merely requires the existence ...". Because I then do go on to say:
> And they are only required on the devices actually given to kids
My whole point is that this limits the blast radius, compared to any solution involving "age" (read: identity) verification which has a blast radius of every computing device!
Perhaps my other comment will show you where I'm coming from better: https://news.ycombinator.com/item?id=48645646
> To effectively keep adult content away from kids, it merely requires secure boot and closed app stores, which are already widespread. And they are only required on the devices actually given to kids, rather than every single computing device.
...I guess I don't really see the difference.
Closed app stores are widespread on some platforms but certainly not others, and I for one would really like them to not spread any further.
For starters here, the difference is that only devices that parents give to kids need to have secure boot and controlled software sources. The point is that every other device remains completely unaffected.
But in general there is a huge difference between the freedom-destroying properties of secure boot with closed app stores, and the next step of remote attestation. Remote attestation lets the server insist that you only run software fully of their choosing rather than your choosing, as a condition of interacting with them. This completely destroys the idea of protocols that mediate between two parties with diverging interests, and computationally disenfranchises users. Imagine the next generation of the Cloudflare nagwall that doesn't let you past unless you buy a new computer, and that new computer must be running MSWin/OSX and MSIE/Chrome.
(also note that my use of "secure boot" here includes systems like on Pixels where you can straightforwardly unlock the bootloader (erasing the data on the device), install whatever you want, and then relock. I still find these systems philosophically objectionable, as there is still a privileged key baked in and retained by the manufacturer - similar security properties could be provided without the backdoor. But pragmatically they've been working okay)
Some probably will. 99% of them don't even know what "Chromium" is.
This doesn't have to be perfect.
Right now, they don't know. They're going to learn very quickly when they want to use some website and they can't.
We agree it doesn't need to be 100% perfect. But it needs to be at least, like, 60% perfect, right? And unless you make it at least a bit hard to bypass, it will stop virtually no one.
Some undoubtedly will.
Installing a new browser is already a bit hard for most people. I think you are a little skewed in your thinking being online on HN.
You also aren't thinking about age. Certainly 16 and 18 year olds probably can get a new browser installed. But a 14 year old? 12 year old? 10 year old? That barrier is a lot higher the younger a kid is.
I just finished my second year as a fifth grade teacher, so I have a lot of experience with ten year olds. I am confident a majority of my students would be able to install an alternative web browser if they needed to, and a majority of the remainder would ask a friend to do it.
To give you an example of the workarounds kids will find: Youtube was blocked on school laptops, so the kids all started embedding Youtube videos inside of Google Sheets in order to watch stuff. This isn't, like, something a few savvy kids did, it was a widespread and common practice.
And, in my opinion, a healthy thing for the kids to learn and do.
Lol. I started building computers, installing operating systems and tinkering with Linux between ages 10-12. I also started watching porn not long after that, and guess what, I still became a more or less normal adult. There is absolutely no need to "protect the children."
This is how California is legislating it—requiring the OS to let an admin set the user's age, then let browsers, and through them websites, query that setting.
You can get their exact age by binary search.
Typically these APIs are designed so you can't make arbitrary queries, but rather there are fixed age brackets.
Then it can't be bool isOver(int age)
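The API-shape point raised in the comments above (an arbitrary-threshold `isUserOver(n)` versus fixed age brackets), as an added example that is not from any participant in the thread. `isUserOver` is the hypothetical call named in the thread, not a real browser API; the meaning "age >= n", the 0..127 range and the bracket values are assumptions made for the illustration.

```javascript
// Added illustration. isUserOver() is the hypothetical API named in the thread,
// not a real browser API; "over n" is assumed to mean age >= n.

// Boolean API that answers any threshold and counts how often it is asked.
function makeBooleanApi(userAge) {
  let calls = 0;
  return {
    isUserOver(n) { calls += 1; return userAge >= n; },
    callCount() { return calls; },
  };
}

// Binary search over 0..127: what any caller of an unrestricted API can infer.
function recoverAge(api, lo = 0, hi = 127) {
  while (lo < hi) {
    const mid = Math.ceil((lo + hi) / 2);
    if (api.isUserOver(mid)) lo = mid;
    else hi = mid - 1;
  }
  return lo;
}

// Bracketed variant: only thresholds from a fixed list are answered.
const BRACKETS = [13, 16, 18, 21]; // assumed values, chosen for the example
function makeBracketApi(userAge, thresholds = BRACKETS) {
  return {
    isUserOver(n) {
      if (!thresholds.includes(n)) {
        throw new RangeError(`threshold ${n} is not a permitted bracket`);
      }
      return userAge >= n;
    },
  };
}

// The tightest [min, max] age range a site learns by asking every bracket.
function learnableRange(api, thresholds = BRACKETS) {
  let lo = 0;
  let hi = Infinity;
  for (const t of thresholds) {
    if (api.isUserOver(t)) lo = Math.max(lo, t);
    else hi = Math.min(hi, t - 1);
  }
  return [lo, hi];
}

// Constructed sample users.
const unrestricted = makeBooleanApi(34);
console.log(recoverAge(unrestricted), unrestricted.callCount()); // exact age, 7 queries
console.log(learnableRange(makeBracketApi(34)));                 // [21, Infinity]
console.log(learnableRange(makeBracketApi(17)));                 // [16, 17]
```

With brackets an adult is only known to be 21 or older, but a user close to a threshold is still narrowed to the gap between two adjacent brackets.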
> - websites issue content tags, browsers consume them, you enter your age into the OS during setup.
Why would that be acceptable though? What if a user does not trust the operating system? Even Linux may not be safe in the future, what with age sniffing coming by Red Hat integrating it into system already. And Red Hat plans more - xorg is abandoned on purpose, for instance.