This isn’t a simple solution to the problem but it reminds me that it is not a new problem. We should remember that
This shouldn't even be a consideration concerning adults.
Further to that, companies are required to do this in a strict data minimization approach, results need to be anonymized and destroyed immediately after the check is complete.
The internet has grown into a bit of a letdown to some degree, especially social media. If I have to upload an ID or insert a grey hair into a scanner, that website or app will be dead to me and I will move on to something else or nothing at all.
If we are all subject to the same monitoring and there are no exceptions, that would be fair. However, if some people are exempt from monitoring because of their connections, relations, etc. then that would be unfair.
And if some people are allowed to harass and stalk others based on some attribute (race, religion, nationality, etc.) because they are in a monitoring position (while others are not) then that would be unfair as well.
We need full transparency.
As a rhetorical trick this is generally ineffective.
When there are no consequences, it by definition isn't.
I also acknowledge that there is a reasonable debate to be had if the disadvantages to adults and businesses from imposing these rules are worth the harms prevented.
There is also a reasonable debate to be had about the merits of various technical and legal schemes being implemented to achieve these goals.
But this take is neither of those. For one, surveillance isn't the number one harm being prevented (even though, a number of legal codes attempt to make this the case).
As has been pointed out previously, there absolutely can be age verification that is without surveillance. The fact that these solutions aren't always legally mandated and therefore age verification can be used to increase surveillance is a reasonable thing to attempt to amend to the implementations of these laws.
> I also acknowledge that there is a reasonable debate to be had if the disadvantages to adults and businesses from imposing these rules are worth the harms prevented
Nobody on the "we need age verification" side wants a debate. They want to run face first in to dumb legislation giving governments and companies even more power to track every movement and know exactly who you are.
Of course, YMMV.
That said, if such a nanny state is inevitable: zero-knowledge-proof-based age verification would not only be possible, it would further protect these kids from a bad state actor. In that spirit, I agree with your last point. The fact that any other alternatives are even being considered makes it on principle a non-starter to me, because it betrays the actual goals of the political actors involved.
Thank you.
It has never been about "protecting the children" either. That was always a lie - the red herring. Many pointed that out from the get go too.
The much more fascinating thing is how legislation is still being actively changed to sustain that narrative. This is like a pre-scripted event what we are seeing here. I find it quite fascinating. It shows how real lobbyism actually works.
My prediction is that mandatory age sniffing will come, they will continue to claim it is all for children, and the openness of the world wide web will factually be transformed into a two-class apartheid system. The latter has already happened actually - you have walled gardens e. g. discord rather than oldschool phpBB webforums (aka privately controlled access to information), Google already ruined its search engine, AI slop continues to ruin more here. These are all not isolated. This is a deliberate mega-slop attack, combined with payments to key lobbyists. We see a degradation of services here. That they attack VPNs is very logical - after all VPNs allow people to break out of the global ghetto system they are building here. They want to know who is who.
Interestingly I see this attack also related to them trying to abolish the right to repair movement. Now, there is no direct connection here, but right to repair also attempts to put people at the center - you purchased something, you should be able to freely change it to your own liking, without some random private company being able to proxy-deny any change to that. With mandatory age sniffing coming, it also means that people will lose the ability to change software. Recently a university here in Europe started to demand that students must own a smartphone AND must install an app from a private company (via google store) in order to be able to read email sent to them via a webmail account. I also found this fascinating, because now people need to submit to Google, in order to study in a small european country, if they study at that university (which is paid for by taxpayers by the way). These interdependencies will keep on increasing here. Even Linux will fall victim - systemd already added data fields to track your age. More to come in the future despite Poettering's claim that it is all very, very harmless. Until it is not. And then it is too late.
It would be nice if the author actually spelled out the specific weaknesses of those approaches or even referencing those those laws instead of fear-mongering about "spying on kids", but I suppose that would be to much to ask of someone who made a career out of vibes based rage. Ironic that Doctorow has no problem with capitalizing on the enshittification of journalism.
I and pretty much everyone else in my childhood TeamSpeak server did at roughly 14 years of age.
Consider "log in with apple" as it is today. Depending on what you share, a relying website might not even get your name or email.
It seems like all the tech stack is there to implement a very simple and privacy-persevering solution.
It does not even smell of state censorship because a website does not have to check your age if it decides to be "non compliant".
Why isn't it implemented like that? Based on the comments it seems more like a "free-for-all implement-your-own-PPI-handling-thon".
This will ofc make life harder for a some groups of people - like people without / limited access to IDs etc. And i do not even argue that the whole thing is necessary.
But there seem to be vastly superior technical means to implement that, aren't there?
Whenever you want to prove your adult you go to "am I an adult.gov" and you use your credit card or whatever to prove you are an adult. At which point you get a 1-time 5-digit code that is UNIVERSAL TO EVERY SINGLE HUMAN and good for 1 hour (everybody who uses the site gets the same code that hour).
Then when you want to look at porn or something, you use this code. Boom simple and done.
There are even much better much more private techniques that use cryptography, and AI is happy to explain these graduate-degree level topics to you at your own pace.
Of course there are situations where people steal things, and use deep-fakes, etc, but those exist in every model.
sure, i'll put my favorite two. though you'll find much more detailed and thought-out versions of these (and others) in the dozens of other giant threads on the same topic.
- buy a card with a UUID from anywhere that sells alcohol/tobacco that is valid for some period of time. most people are comfortable with flashing their ID at the clerk. the UUID card is non-identifying.
- websites issue content tags, browsers consume them, you enter your age into the OS during setup.
Why should I pay continuously to prove I'm an adult? And those cards will be getting sold to kids faster than you can blink. I bet a lot of parents would buy them for their kids.
there's a reason i said 90% and not 100% effective. alcohol and tobacco get resold to kids, too.
Kids aren't going to trade Pokemon cards in the playground anymore...
Let websites issue a "window.isUserOver(16)" call once and then move forward based on the response to that query.
As soon as you loosen off the requirements to "reasonable effort", you can start looking at account age, facial features, social attestation, and include retrospective tools to revisit someone's verification if they get in and start acting like a child. Heuristically messy but far from impossible to demand a stronger form of verification if their original might have been borderline.
The goal is broad coverage, not complete. Screening doesn't have to get 100% to have an effect.
The government issues an eID to your wallet. The ID is signed by the government and linked to the device to prevent transferring the credential. A public/private key-pair is generated by the secure enclave in your phone, the public key along with proof of possession of the private key is included in the request for the government eID. The government signs individual attributes combined with the public key with the government private key. The government certificate containing the public key is, well, public.
One of the attributes is ‘over_18’ (In the EU eID scheme countries can add other over_XX attributes if they want, but over_18 is mandatory).
When a website wants to requests attributes, in this case the over_18 attribute, they send a request to the user’s wallet app, including a challenge. The wallet sends back a package including the government-signed attribute, which contains the device public key and the over_18 attribute plus a response to the challenge (proving the credential didn’t get transferred).
The website only sees the ‘over_18’ attribute, which is backed by the government signature. They don’t see any other attributes (the wallet app shows in advance which attributes you are sharing). The government never sees which website wants to know if you’re 18+.
Of course this is all a bit simplified, check OIDC4VCI and OIDC4VP for details.
The only real issue is the wallet app and device binding. Because a compromised device could allow credentials to be transferred some form of attestation of device and wallet app is required. In practice this means no rooted/jailbroken phones.
But some of the easiest middle ground solutions that solve 90% of the problem are things like simple math problems. Get asked "3+7" and that will pretty quickly filter out almost anyone under the age of 6. If you can accept that there are some smart 4 or 5 year olds who can do simple math, congrats you recognize there's a 10%.
On that website, you can click "give me a verification code", it gives you a code that is single use and only valid 24 hours. You type that into whatever 18+ website you need to, they use a public API provided by the government to just check "yes this is a valid code and the user is 18" - bang, done, verified. The website knows nothing about you at all, except for the fact that you're 18.
In fact, the UK government ALREADY HAS THIS. For the EU settlement scheme, you can give your employeer(or anyone else who needs it) a special magic code that they type in on the government website, and it just says "yet his person has the right to reside in the UK" without spilling any of your personal information at all. The code is single use and valid a limited amount of time. And you can do the same with your driving licence, where anyone can verify you hold a valid licence without actually seeing it or any details on it.
Like, am I being stupid here? It seems like an almost trivial solution to the problem, especially given that it already exists for at least 2 services named above.
And yes, I know people will say "oh but that requires the government having this data on you, and that's bad" or "but then the government will know you've authenticated with pornhub!".
And yes, both of these are true - but on point 1 - like, I'd love some ideal situation where the government can simultaniously give me a passport or a driving licence AND not have any information about me at the same time, but that ain't happening, and on point 2 - yes, but that's still infinitely preferable to the current implementation, and it can be easily solved with legislation saying that the code authentication service doesn't log who requested verification, it just answers with yes/no and that's it.
Who are these adults giving children their verification codes for adult websites?
And "the government will know you've authenticated with pornhub" is extremely harmful, in my opinion.
- purely random
- sponsored but without user tracking (like old school TV ads)
- sponsored for user selected geographical area feed
- sponsored for user current location geographical area feed
- follow "friends" or influencers
- purely timeline
- discussion boards
- timeline (IRC like)
- threaded
- user votes (not magic platform votes)
- follow keywordsEdit: huh, I'm probably stupid, but can you explain more?
Wasn’t that in the Chat Control proposal? i.e. politicians and other important individuals are exempt
Chat control is a lot of things, but Slavery 2.0 is not one of them. The hyperbole only hurts your position.
Not everyone is an exhibitionist. Some people thrive when they are very public about their life. Some prefer a much more private life.
john_strinlai•1h ago
its been said 1000 times here, but: age verification doesn't have to be a nightmare dystopia of 24/7 fine-grained tracking and recording unless you are somehow hoping to achieve 100% success rate (something we have not done with any other law ever). there are several reasonable proposals that would be 90%+ successful without stepping on anyone's toes.
i am convinced that enough people in power know it, too, but see this as their chance to get the full-dystopia version rolled out.
pokstad•1h ago
SecretDreams•48m ago
normie3000•47m ago
win311fwg•28m ago
rationalist•20m ago
I guess I could make an ID (not a counterfeit government ID) that uses the same encoding for the birthday.
hacker_88•59m ago
kazinator•54m ago
The shit is horrible if 100% successful, and yet not worth doing if it isn't.
mindslight•51m ago
The other problem you're up against is in the low-friction online environment, 90% easily turns into a much lower percentage. Which will actually manifest itself as the initial methods that achieved "90%" being declared insufficient in favor of stronger methods of identity verification.
I say this as a parent staring down having to deal with the catastrophe that is the modern web in the next short year or two - the only sane way to address this problem is through client-side parental control software that works based on website/app tags supplied by the server / app creator / etc. There is indeed a market failure here, but the sensible regulation is to make websites over a certain size publish labels about the suitability of their content for age brackets, whether a site is social media, contains user generated content, has algorithmic feeds, and so on - affirmative assertions about the content that carry legal weight and liability for them not being true. Device manufacturers over a certain size would need to include parental control software that can be enabled during the setup process. If parental controls are enabled and a website has not published tags (too small, foreign jurisdiction, misconfiguration, etc), then it simply fails closed and doesn't display the site. This keeps decisions about content suitability in the hands of parents where it belongs, rather than putting it in the hands of corporate attorneys who will often make decisions directly contrary to what parents want - remember this whole topic is being pushed by big tech to absolve themselves of liability for pushing harmful products!
john_strinlai•38m ago
well, i mean, you put a decently reasonable one in your own comment: "client-side parental control software that works based on website/app tags supplied by the server / app creator / etc."
another sibling comment mentions alcohol sales. government could issue a scratch card with UUID that's valid for some time, sold at anywhere alcohol/tobacco is already sold. most people are already comfortable with flashing an id at the beer store.
read any other the other dozen similar threads with hundreds of comments, and there are a handful of other neat ideas usually voted pretty high up.
sharperguy•43m ago
sneak•42m ago
That it is technically possible to do age verification in a privacy-preserving way is thus entirely irrelevant.
They want all online activity tied to ID so they can violently, illegally retaliate in the dark of night against protected expression online that they don’t like.
That’s all this is. Privacy-preserving techniques are irrelevant because they do not accomplish this goal.
inigyou•22m ago
sneak•11m ago
Banning Instagram ain’t gonna fix that.
This is not in any way whatsoever about children.
Wowfunhappy•41m ago
Heck—in most cases, we can't even tell the difference between humans and bots anymore! And it's true that we basically accept that some bots will slip through the cracks—but identifying bots also strikes me as significantly easier than identifying children.
armchairhacker•34m ago
Wowfunhappy•29m ago
armchairhacker•24m ago
AFAIK you don’t need ID to buy juice, sugar, and yeast to make your own alcohol, so I think it should be the same for computer parts.
impure-aqua
XorNot•38m ago
Who wants this? God damn everyone. And in so much as Facebook might do something with the data, what they really want is a legal moat of sufficient depth to drown possible competitors.
bluebarbet•5m ago
akmiller•30m ago
john_strinlai•28m ago
no, it means that <10% of kids under 16 or whatever age will still make it onto instagram
akmiller•25m ago
inigyou•22m ago
john_strinlai•22m ago
there are laws against underage drinking and buying alcohol. some kids still get access to alcohol. the law is mostly successful, with an acceptable amount of failure rate.
same concept.
Retr0id•29m ago
john_strinlai•24m ago
there are thousands of comments on these threads every time it comes up. there's tons of what i consider reasonable solutions proposed. there's examples below, too, which don't require face scans.
>Concretely, half the websites I visit from the UK want me to either scan my face or upload ID documents
yeah, i agree that really sucks.
Retr0id•18m ago
john_strinlai•13m ago
Retr0id•4m ago
ordu•19m ago
I believe you are missing the point. "To protect kids" is just a cover, the nightmare dystopia is the real goal. So age verification have to be a nightmare dystopia or it would be useless for those, who push for it.
john_strinlai•18m ago
did i miss the point? because my last sentence literally says this.
ordu•14m ago
amanaplanacanal•16m ago
shevy-java•13m ago
Personally I don't care how much age sniffing is mandatory in that I think it is inacceptable on any level. Do you try to insinuate that a little bit of tracking is ok? Because I can not buy into that premise. To me the whole assumption is wrong from the get go.