The one and only method I will participate in is server operators setting a RTA header [1] for URL's that may contain adult or user-generated or user-contributed content and the clients having the option to detect that header and trigger parental controls if they are enabled by the device owner. That should suffice to protect most small children. Teens will always get around anything anyone implements as they are already doing. RTA headers are not perfect, nothing is nor ever will be but there is absolutely no tracking or leaking data involved. Governments could easily hire contractors to scan sites for the lack of that header and fine sites not participating into oblivion.
I a small server operator and a client of the internet will not participate in any other methods period, full-stop. Make simple logical and rational laws around RTA headers and I will participate. Many sites already voluntarily add this header. It is trivial to implement. Many questions and a lengthy discussion occurred here [1]. I doubt my little private and semi-private sites would be noticed but one day it may come to that at which point it's back into semi-private Tinc open source VPN meshes for my friends and I.
This is exactly the way it should be done. Device with parental controls enabled disables content client-side when the header is detected. As far as I can tell, it's a global optimum, all trade-offs considered.
Well why haven't all the big tech companies done it then?
They have only themselves to blame. They had years to fix the problem of inappropriate content being delivered to kids and their response was sticking their fingers in their ears and saying "blah blah blah parenting blah blah blah"
And it really should be the opposite. Assume content is not kid-safe by default, and allow sites to declare if they have some other rating.
Because it isn't in their financial interest. They've either done nothing or actively lobbied for these ID laws. You can plausibly explain it in a number of ways, including regulatory capture, deanonimization, spam reduction, etc.
The reason is that this whole push for age verification is nothing to do with actually stopping kids seeing the content. If it was then this kind of solution would be being legislated for. It’s just about making everyone identifiable.
> The reason is that this whole push for age verification is nothing to do with actually stopping kids seeing the content.
The reason that mainstream politicians are pushing is because the public wants something done to protect their kids.
Are there likely to be bad actors pushing for it for nefarious reasons as well? Sure.
Are the 'solutions' inadequate and often tech- and privacy-illiterate? Absolutely.
Is the entire impulse to demand that government 'fix' this issue wrong? Maybe.
But the idea that this is all a smoke-screen from top to bottom needs to die. Not just because it's wrong, but because it's also unhelpful. If you wade into the debate saying "It's all a lie, this was never about the kids!" you're easily dismissed as a nut and an absolutist who doesn't appreciate that real people want their real kids to be protected.
Yep, and the tech companies had years to address these concerns and did not, so now the creaky gears of government regulation are turning. They (meaning YOU, a lot of tech company employees who are now outraged about this) could have headed this off years ago and provided a solution on their own terms.
So, why are those "real people" actually not willing to do their job? I am so pissed with parents who think the government is supposed to solve their own inability to raise a child.
Well for a start not all of them are very tech savvy, and we've built a world in which tech is essential to their day to day lives, including for their kids.
If school demands the kids have a variety of devices to do their work, and they have no idea how to lock those down to exclude (for example) social media services that we know have been designed to be as addictive as possible, can you not see why they might want someone to intervene?
(edit: Beyond that there are also tons of bad reasons, I'm not going to try and justify them. There are a lot of bad parents and just in general people who are not firing on all cylinders out there. And many of them absolutely love a government regulation to be brought in for just about anything.
We can and should argue with these people and point out why they're wrong. But saying it's "nothing to do with actually stopping kids seeing the content" fails here too.)
Right. I submit we are solving the wrong problem. Just establishing age vertification doesn't magically make these vast amounts of bad parents good parents. There is a ton of other things they can and will fail at, which their kids have to absorb. If we really cared about those kids, we'd have to reconsider a lot of things. And I know what I am talking about, had to grow up with an undiagnosed ADHS+anciety mother. It was hell. And even 30 years after i moved out, she still can't see what she failed at and continues to fail at. Age verification wouldn't have helped me. MAKING her seek treatment might have helped.
No argument here, I'm not saying they're right to demand that age verification is brought in to protect kids, or that we should give up privacy etc etc.
But coming at it from the angle that "It was never about protecting kids!" is itself incorrect and unhelpful to the debate.
It can be true that kids need to be protected, this (or some variation of it) is a good way to protect kids, therefore it's going to pass, and nefarious interests found a way to insert themselves into the process and piggyback off the efforts to increase real protection of real kids in order to also spy on the kids.
If you want to reject the nefarious actors you have to separate them from the other goals that are reasonable and sorely needed. If you treat it as a whole package, you'll fail because those other goals are too important not to try to achieve, and the package is going to get passed. If you separate them, we can advocate for the pretty sensible California-style law where it's a flag on your user account that root can change, instead of the utterly insane New-York-style law where you have to scan your face every time you open your phone.
If public school is supposed to be free, the school should supply the required devices and take on the burden of securing those devices.
For private schools, the parents are more involved in the first place, but I would expect them to also have guidance for parents to help the less tech savvy among them.
We expect every other consumer product/toy that kids are intended to use to be safe by default. This is like asking why parents shouldn't be responsible for testing all their kids toys for lead paint.
Yet when it comes to internet/social media technology, it's suddenly a parenting failure if they don't pre-vet every platform and website and device before allowing their kids to use it.
As a society, we collectively protect kids from stuff they aren't ready to handle. We don't let them gamble, or buy alcohol, cigarettes, or porn. For the most part, everyone buys in to this and parents can pretty much count on it. Are there exceptions, sure but they create scandals and consequences when they are discovered.
But social media and content platforms didn't feel that they had any social obligations. They did not honor this societal convention to keep inappropriate content away from kids. And the top people at these companies actually don't let their own kids use the platforms, they know how harmful they are and they know about all the addictive hooks and dark patterns of engagement that are baked into them.
We don't just assume every book and movie and telephone call are intended to be safe for kids by default. Why should we expect the internet to be like that?
The public largely wants whatever the media tells them to want and the media in turn tells people to want whatever the same bad actors want them to want.
If it is about making everyone identifiable how come California's version doesn't require providing any identifying information when setting it up on a child's device?
Because "making everyone identifiable" isn't an explicit design goal. Rather it is merely an implicit imperative (of Facebook et al, who are pushing these laws) that casts its shadow over the design. That shadow is what results in a design based around sending identifying information from the client to the server. Once this dynamic is normalized, servers will demand ever-more identifying information and evidence that it is correct.
Note that this design does the exact opposite of giving parents control to protect their own children - rather it puts the ultimate decision making ability into the hands of corporate attorneys! For example, we can easily imagine a "Facebook4Kidz" site that does the bare legal minimum to avoid liability for addicting kids to dopamine drips, and no more. Client side software based around RTA headers would allow parents to choose to filter things like that out, whereas when the server is making the decision its anything goes as long as the corporate attorneys have given it the green light.
As you've stated it, sure, for now. The point is that the dynamic is being set - the number of information-leaking security vulnerabilities in browsers should be headed downwards, not being increased with legislation.
But also, does the California law actually prohibit Faceboot from locking your account and requesting "extra documentation" including government IDs and whatnot? That would be news in its own right.
>If it was then this kind of solution would be being legislated for.
What's more likely a global conspiracy to get age verification passed to allow these unnamed groups to identify everyone for some unknown purpose or politicians just not understanding tech?
The way people try to pretend that there can't be any organic desire for these proposals is so bizarre and is a major cause for all these proposed solutions being so technically dubious. Refusal to recognize the problem means you won't be part of solving the problem.
You do realize that for whatever reason more and more people in government positions are on the path of authoritarian agendas? Its a pretty important topic right now. All of this privacy related stuff is happening in quick succession.
I mean I cannot believe I have to post these, but here we go:
Your argument has two main flaws. First, it relies on an inherent connection between age verification and authoritarianism that is just taken for granted as true. Meta could easily be in favor of age verification because it reduces their liability and raises the barriers to entry for potential competitors. It doesn't inherently have to be authoritarianism.
But more importantly even if that connection is true, your argument relies on the current proposals of age verification being the only way to satisfy the organic desire for protecting kids from the unfettered internet. OP gave an example that could be a compromise position that addresses the need and isn't authoritarian. Why can't you support that effort?
I can support any effort that puts the responsibility into the hands of the parent without a mechanism that advances identity verification to protect their children.
The way it stands now. this issue is being used by people in power to advanced an authoritarian agenda. Its really clear to see, if you only have the will to look.
>I can support any effort that puts the responsibility into the hands of the parent without a mechanism that advances identity verification to protect their children.
Which brings us right back to what I said here[1]. We don't have to agree on the motivations behind this push. Even if you believe this is all an authoritarian conspiracy, that conspiracy could be undermined by proposals like OP's, but instead people make enemies out of these potential allies which just further empowers the people who you consider to be authoritarians. It's a failure of basic political coalition building.
Im happy to have dialog with anyone that wants to protect children under the circumstances I already described. But if these initiatives push forward IDing people to have protection, then Im sorry you are on the wrong side of life and are involved in making the future of our society worse. I don't see you as an enemy, more misguided then anything. Im sure people are going to turn this into friends and enemies, but I don't look at it that way. I have to defend freedom under all circumstances. In most cases I support deontology over utilitarianism because I have seen how far we have slid in terms of being free as a people because we want to make everyone safe..
Taking away freedoms, for any reason, is not the answer. They make us less secure [0] and promote bad actors to make things worse.
>Im happy to have dialog with anyone that wants to protect children under the circumstances I already described.
But you're ignoring my point that your dialog is actively counterproductive when you don't engage with the root of the problem.
Nowhere in here did I advocate for "taking away freedoms" or for the age verification policies as discussed in this article. The only aspect of this issue that I have argued is that there is a real organic demand from people who want help in preventing children from having unfettered access to the internet.
The reason you see me as "misguided" is because you are refusing to actually listen to what I'm saying. And then you magnify the divide with your rhetoric implying I'm out to take away your freedom. Maybe you don't look at me as an enemy, but your rhetoric and behavior is actively repellent when it could instead be welcoming as you claim to sympathetic to the only issue I have actually advocated for here.
How am I not engaging with the root of the problem? I just see it differently than you. And thats ok. I dont think the problem is solved by id verification. This is the position I have been arguing all along and Im not seeing how my position is getting in the way of what you are talking about.
>How am I not engaging with the root of the problem?
The root of the problem is child safety on the internet.
>I dont think the problem is solved by id verification. This is the position I have been arguing all along
I have advocated for child safety, but nowhere in any of these comments have I advocated for id verification. If you have been "arguing all along" against id verification, then you must be equating all childhood internet safety advocates with those advocating for id verification.
>Im not seeing how my position is getting in the way of what you are talking about.
The equating of childhood safety on the internet with id verification is getting in the way. There exists compromises like the one OP suggested in the top comment in this thread that satisfy both my desire for childhood safety and your desire to prevent id verification. But instead of seeking that path of coalition building and compromise, you're actively repelling childhood safety advocates by misrepresenting their opinions and then calling them "misguided". You're making it clear that you won't be my ally when it comes to protecting kids on the internet because you're so worried about a policy for which I'm not advocating.
You asked me "How am I not engaging with...", I gave you a response, and then you refuse to engage with that response. I guess your behavior confirming my accusation is as satisfactory of an answer as I could expect from you.
The politicians that want to identify everyone capitalize on organic desire for these proposals in the form of fear-mongering and "Think of the children!"
Citizens that want these laws are unthinking drones who don't want to raise their children, and instead want legislators to do it for them.
Politicians that want these laws are the people who, ideally, want to track your every move online for a multitude of reasons, not least of which are censoring speech and controlling narratives.
Even if everything you said was true and there was a global conspiracy among the politicians, the tech crowd consistently denies and demeans these organic desires. We could cut the legs out from under these politicians if we listened to these people's concerns, considered actual solutions like OP did at the top of this thread, and turned these people into allies against those politicians. But instead we deny the actual desire to protect children and accuse them of either having ulterior motives or being sheep, turning them into permanent enemies thereby empowering those (hypothetically) conspiratorial politicians.
The public, and consumers in general often state a want or need for something that they don't actually want or that would harm their quality of life, it is correct to demean or deride these wants when they're identified, some aspects of human nature are amusing.
But there is a global conspiracy, a synchronised effort among western leaders to implement near identical solutions to this engineered "problem", the responsibility remains squarely on the shoulders of parents, I say this as a parent.
>The public, and consumers in general often state a want or need for something that they don't actually want or that would harm their quality of life, it is correct to demean or deride these wants when they're identified, some aspects of human nature are amusing.
Thank you for proving my point by doing the exact thing I said tech people do. Do you think that if you demean and deride enough people, the problem will go away?
Your lack of understanding why age verification does not constitute it being a conspiracy for another reason. There is a antiregulatory crowd that will invent any possible excuse to suggest tech companies shouldn't be accountable and we should just leave the Internet be. Those people make a lot of money exploiting everyone, as it happens, and they also pay for journalists to tell you that it's all about violating privacy or something. (The same folks will tell you opening up Android for third party AI tools would be a privacy and security risk, and not ask you to notice it would just cost Google a lot of money.)
We've been running essentially a social experiment on our kids for the past two decades and it has not gone well. Social media has had a toxic impact on kids. CSAM and child abuse are rampant, and most "privacy services" like disposable email and VPNs are the primary source. These are facts, whether you like them or not. There are, in fact, kids dying, school shootings, grooming, etc. which are all the direct result of our failure to regulate social media companies. Section 230 being the primary problem.
OS-level age verification is likely the best route, as private information can remain on a device in your control, and a browser then just needs to attest to websites whether or not the user should be allowed access, without conveying more detail. Obviously anyone with a Linux box will have ways around it, anything based in your own device will be exploitable in some way, but generally effective for the average child.
Any "verification" means unacceptable privacy violations.
The best route is better parental controls, that are not enabled by default. Locking down the OS like ransomware until the user submits to age verification is the wrong approach, and what Apple did in the UK needs to be highly illegal.
> Any "verification" means unacceptable privacy violations.
So I'm not necessarily arguing for age controls here, but purely on a technical level what do you think of schemes like Verifiable Credentials, which delegate verification to third parties that have already established your identity?
In theory you can set up a system that works like this:
1. User goes to restricted site and sets up an account
2. Site forwards them on to a verification service with a request "IsOver18?"
3. User selects their bank from a dropdown on the broker site
4. Broker forwards them to the bank, with a request "IsOver18?"
5. User logs in and selects "Sure, prove I am over 18 to this request"
6. Bank sends a signed response to the broker "Yep"
7. Broker verifies and sends its own signed response to the site "Yep"
8. The site tags the account as "Over 18 Status verified"
In this situation, the restricted site doesn't get anything other than a boolean answer from the broker. The broker can link a request to a given bank but doesn't get anything that gives away your identity. The bank knows your identity and that it has approved a request, but not necessarily where the request came from.
Verification broker tracks sites which make requests and records it attached to personal data. Site either sells or leaks personal data along with history of all sites visited which require age verification.
Also your solution requires a bank account, not something everyone has. Many do, but not all. Also the bank may not know "which" site you are visiting, but it does now know you are visiting sites which require age verification and how often.
> Verification broker tracks sites which make requests and records it attached to personal data.
How? What personal data?
The broker doesn't get anything other than "Site X wants to verify over 18, the user selected forward to Bank Y" and "Bank Y responds with TRUE"
> Also your solution requires a bank account, not something everyone has
True. Banks are only one example of an already trusted identity provider in this situation. But I get that there are gaps.
> Also the bank may not know "which" site you are visiting, but it does now know you are visiting sites which require age verification and how often.
Verification need only happen once per site, when setting up an account. This does introduce the possibility of a secondary market for approved accounts though, sure.
User installs a browser extension which forwards the request to everyoneisover18.com, owner of that site has a script set up to log into their bank and pass the verification challenge
Restricted-site.com gets the signed response from the broker, not the bank. In your situation there's not any need for "everyoneisover18.com" to defer to a real bank for a faked response as it signs things itself.
But restricted-site.com doesn't trust everyoneisover18.com's key, it only trusts realbroker.com's key, so the response isn't accepted. If it is found to trust fake brokers like that it gets in trouble with the law.
That's why everyoneisover18.com forwards the request to my bank or my broker and gets my signature on the behalf of literally anyone. I may charge them $5 for this service.
> That's why everyoneisover18.com forwards the request to my bank or my broker
Doesn't work. The response won't be signed by real-broker.com.
The permission request/response itself goes direct from the server at restricted-site.com to the server at real-broker.com over TLS, so you can't MITM it, it's not controlled by the client and you won't be able to just pass out a cached response.
Your malicious client plugin could potentially forward the client session details to you, so you could operate the broker page, then log in to your bank's portal and approve that request, but I don't think that's going to scale very well and I imagine your bank is likely going to rate limit you.
real-broker opens a web page allowing them to verify somehow. The browser extension sends me their URL and cookies so I can load the same page and verify myself. All automated of course.
You could, you could also go to their house and go through the process for them, but in either case I don't think it's going to scale very well (rate-limiting would seem to be called for, maybe with 2FA as well, to mitigate this sort of thing and remove the possibilities for automation).
But sure, you could subvert it on a small scale, just as you can borrow someone else's driving license to register in 'normal' systems already. You could also register an account, validate it and then sell the login details, regardless of what proof of age scheme you use.
The point is the scheme is no worse at validation than asking for ID and it protects user privacy by keeping all ID details away from individual websites, which is the more important part IMHO.
My cellphone provider will be pleased be paid to deliver all those 2FA text messages. Who's sending them? How are they getting paid? Maybe I'm actually my own phone company, so I get paid for delivering them to myself.
Your bank, like they have 2FA for every other access to your account. 2FA also doesn't need to be via SMS, and even when it is that's dirt cheap. Rate limits can be a couple of approvals per hour with daily limits of a small handful. Or a leaky-bucket style algortihm where you can do a few at a time, but you only get one more per hour. Whatever way it's done it precludes your large-scale automation attempt.
I tire of this now. We've entirely wandered off from "Here's a way to prove age without the privacy implications, that works just as well as handing over scans of ID"
Your bank would likely have a limit on the number of approvals it would issue over time, to stop automated exploits, sure. In theory you only need these approvals once per site on signup.
We are pre-supposing for the sake of this thread that proving you are over 18 is desirable, but that giving your ID to unknown third parties is not.
That being the case, having a rate-limit on site approvals would appear to be a relatively reasonable tradeoff to stop the system being exploited for gain by third parties like the commenter upthread.
If you don't want any of that in the first place, cool, but I'm not making an argument for it here, just saying that a system that meets these two requirements is possible.
[Citation Needed] As I understand it, the debate on whether social media is responsible for actual harms in kids is still open and ongoing. Social media has been found to do both harm and good for kids, and for some kids the good outweighs the harms [0]. Scientists are hoping to get some verification from the actual social experiments that we're conducting in the UK and Australia on this.
Mandating OS-level age verification effectively means not allowing kids access to OSS platforms, a step way too far in my opinion. For instance, we would have to outlaw Steam Decks for kids.
[0] https://pmc.ncbi.nlm.nih.gov/articles/PMC12165459/
"Social media and technological advancements’ impact on adolescent mental health is complex. It can be both a risk factor and a valuable support system. Excessive and problematic use has been linked to increased rates of MDD, anxiety, and mood dysregulation, while also exacerbating symptoms of ADHD, bipolar disorder, and BDD. Simultaneously, digital platforms provide opportunities for social connection, peer support, and mental health management, particularly for individuals with ASD and those seeking online mental health communities. The challenge is finding a balance. Although social media offers benefits, it also poses risks like addiction, negative social comparison, cyberbullying, and impulsive online behaviors"
> Social media has been found to do both harm and good for kids, and for some kids the good outweighs the harms
Indeed. For example, the strongest evidence for harm shows that negative mental health is correlated with increasing social media use, but it's an important question of whether using social media more causes mental health problems, or mental health problems mean more social media use (or both, which would suggest a spiraling effect is important to look out for and prevent).
> Mandating OS-level age verification effectively means not allowing kids access to OSS platforms, a step way too far in my opinion. For instance, we would have to outlaw Steam Decks for kids.
This is entirely false scare tactic nonsense, and you really need to look at where you sourced that idea and no longer use them as a reference point. There isn't even a concept of a method of doing this that would make that true, and certainly not in any of the implementations being considered in the US. The federal bill is called the Parents Decide Act, if it gives you some idea where the goal in decisionmaking is supposed to be.
We have not just woefully bad parental controls, but in the name of privacy, modern platforms make it exceptionally hard to implement parental controls. What is being pushed here is largely a mandate that a system for parents to control what their kids can reach needs to exist and Internet companies need to support it.
(Steam is, FWIW, probably one of the best actors in this regard already, Steam Family is incredibly nuanced in the features and tools it gives parents. I have a lot of gripes about Steam but this is not a place they will have difficulty complying with the law. Heck, Steam is better at parental controls than Nintendo and Disney).
> There isn't even a concept of a method of doing this that would make that true, and certainly not in any of the implementations being considered in the US. The federal bill is called the Parents Decide Act, if it gives you some idea where the goal in decisionmaking is supposed to be.
The Parents Decide Act (PDA) goes considerably farther than superficially similar sounding laws like California's.
The California law requires that an OS allow the parent or guarding to associate an age or birthdate with the account when setting up a child's account on a device that will primarily be used for the child. It does not require any verification of the age information that the parent provides.
The PDA requires that the birthdate be provided for anyone who has an account on the device, and leaves much of the details up to the Federal Trade Commission to work out in the first 180 days after is passed. The wording of the list of things the Commission is to do suggests that the OS is supposed to actually verify age information, rather than just accept whatever a parent enters when setting up the child's device and account, and that it also has to verify that it will require the birthdate of the parent and verify that.
A Steam Deck is just an Arch Linux box. There is, intentionally by by design, no method of securing it against its user. Anyone with root access can change anything on it. There is no method of enforcing an age verification scheme on it in a way that cannot be removed or altered by a sufficiently bright and motivated teenager.
the conclusion from that discussion was that kids should not be allowed Steam Decks because that would provide them a way of getting around age certification.
The California bill, which is not called the Parents Decide Act, lets parents decide. The federal Parents Decide Act doesn't say whether parents can decide or not - it says a commission shall decide whether parents shall be able to decide, and we can predict what that commission will decide.
> any possible excuse to suggest tech companies shouldn't be accountable
The entire impetus for these bills is for Facebook (the sponsor of these bills) to escape liability for how they're currently harming kids. Facebook's only goal here is to be receiving headers that say the user is over 18, so they can continue business as usual under the assertion that any users must be adults.
Then you recognize that the solution definitely does not require privacy invasion, since presumably Facebook does not want actual proof because they hope teenagers will get around it.
That being said, the antiregulatory wonks are not all working for Facebook, and some are indeed manifestly just always opposed to any regulation at all no matter what harm is occurring.
Bear in mind the alternative: Things like Discord collecting personal data to do verification at the website level. A push for a simple "user is over 18" header is incredibly preferable from a privacy standpoint and parents being able to control and monitor it themselves.
This legislation does not require it out of the gate, but it sets up the precedent and the incentives such that it will eventually be required down the line. That's the problem with anything that gives more power, and the expectation of even more power, to the server (ie to big tech).
FWIW I personally would be supportive of legislation where the data flow went the proper way of server->client, for the user-agent to decide. Consider: Any website over a certain size must publish an appropriate set of well known tags asserting whether its content is suitable for kids of certain ages, has social aspects, the type of content, etc. Any device preloaded with an operating system over a certain marketshare must include parental control software that uses tags, as an option in the set up flow. The parental control software "fails closed" and doesn't display websites without tags. The long tails of the open web, bespoke devices, new OSes, etc remain completely unaffected.
The tech companies are the ones lobbing for age verification.
The entire point of this scheme is mass surveillance and shifting responsibility away from big tech companies. It has nothing at all to do with "protecting" kids. Preventing kids from accessing adult material is not even remotely a goal, it is a pretext. Just like every other "think of the children" argument.
That's a good idea. There could be two headers, the existing RTA header that adult sites use today [1] and another static header that explicitly states there shall be no adult content.
What is adult content? I know parents who have no problem with their kids seeing porn. I know parents who give their kids a beer. I know parents who take their kids to violent movies. I used to know parents who will give their kids cigarettes. Most parents I know will disagree with their kids doing one of the above. I know songs that were played on the radio in 1960 that would not be allowed today, even though today we allow some swearing on the radio.
That's between parents and their local governments. Yes when I was a kid my mom let me watch whatever and go wherever. The parent in my example ultimately decides what a kid may or may not do which is in alignment with existing laws. If the parent is endangering their kid that is up to them and their government to sort out.
Point being, put the controls entirely into the hands of the device owner. Options can be to default to:
- Block everything by default unless header states otherwise.
- Block only sites that state they are adult.
- Do nothing. Obey the operator. (Controls disabled on child accounts or make them an adult or otherwise unrestricted account on the device).
I think the options are just limited to our imagination.
This is the problem. What is an "adult" web site? Websites that show porn? Websites that show gore? Websites that show violence? Websites that show non-porn naked people? Websites that have curse words? Websites that promote cults and alternate religions?
Why is it the site's responsibility to "state" that they are adult, given whatever parameters they dream up? Why is it the government's responsibility to say "This is adult content, but that isn't adult content?" Shouldn't the parent get to decide which categories of content count as "adult"?
Let’s not pretend like this is a brand new problem. Even pre-Internet, there have always (well, let’s just say definitely the whole lifetime of anyone GenX or younger) been tons of first-amendment-protected content falling under all 3 of these categories: “obviously fine for children” (e.g. Sesame Street, Paw Patrol), “obviously not appropriate for children” (Hustler magazine, Pornhub), and “Controversial / maybe ok for teens / still probably not okay for 6-year-olds” (e.g. sex ed, depictions of rape, graphic violence). This last category is obviously one where Opinions May Vary, but the way we have handled it in the past has been laws. Nearly every state has statutes prohibiting sale, display, rental, or distribution to minors of material deemed “harmful to minors” - the distinction between the second and third categories is determined by a court if it really has to be. This has worked fine in the offline sphere, and it’s why I couldn’t walk into a video store when I was 8 and rent a stack of porn tapes.
At minimum, it would be a reasonable legislation topic to at minimum mandate that websites publishing obviously “Harmful to minors” content tag it as such[1]. And also it would be ideal to create some kind of campaign to tag the first category as safe (honestly Apple and Google ought to be working together on that one). If you in good faith operate a site in the controversial category, that would be no different than selling books on sex ed in a Barnes & Noble - protected.
Parents could then choose, with simple device controls:
- Allow only “tagged safe” pages (parents with very young kids, or who have a hard time monitoring use)
- Allow safe + no-tag (open-minded parents who choose to err on the side of allow, and monitor the controversial stuff themselves)
- Allow all (parents who want to be solely responsible to regulate it)
I find it frustrating that people are talking like we have to either have a completely “no rules” Internet where obviously any kindergartener is going to stumble upon super disgusting stuff, or this gross surveillance state Internet, where people have to show ID to use any site. Neither of those are how things were before the Internet and it doesn’t have to be how things are now.
[1] you might ask, what do we do when say, a Russian porn site doesn’t want to comply with this tagging. In my opinion, it seems reasonable that someone could put obviously bad faith sites like that into a block list database. In a place like the UK I would expect that to be a government regulator, but there’s no reason why that couldn’t just be something private companies do in the US. As a parent, I would pay two bucks a month to subscribe to a service like that if it were integrated into the operating systems my kids use.
> I know parents who have no problem with their kids seeing porn.
I don't agree with showing actual children porn, but I also totally expect teenagers to find some way to get access to it in the age of the Internet.
Part of the challenge with this is cultural. Different places in the world think about sex, sexuality, and even the concept of what is a child differently. In the US, showing a woman's bare breasts to a person under 18 is generally considered wrong, and in many cases is illegal. In most of Europe it wouldn't even raise an eyebrow, because bare breasts are on television, sometimes in commercials even.
Set aside for a moment the question of age verification and age limits, we cannot even agree in any sort of universal sense what even qualifies as porn or adult content, and at what age someone should be able to see it. There's a difference between a 7 year old and a 17 year old seeing the same type of content, and there's also a difference between a photographic nude and a video of people engaged in coitus.
The story is basically the same for everything else you listed.
These age verification laws in many ways are trying to use the most heavy-handed mechanism possible to enforce American cultural norms on the entire planet. That's clearly wrong to do. What the GP suggested using RTA headers though puts the control into the parent's hands, which is as it should be.
I considered many of the same points you mentioned.
Though, one area I am still struggling to grasp is the harm that governments are trying to mitigate. If a child were to see inappropriate material, then what harm can truly arise? Also, why do governments need to enact such laws when the onus of protecting children should be on their parents?
I am not trying to start any kind of flame war, but I really cannot see any other basis for all this prohibition that is not somehow traceable back to Western religious beliefs and the societies born and molded from such beliefs.
It seems like you might be a big believer in cultural relativism and that nothing can be right or wrong, so this may be unsuccessful, but many of us do believe that it’s harmful to the normal development of children to be exposed to certain types of content. It is mostly about maturity. A five-year-old who sees explicit sexual acts performed on a screen is going to be curious about it and be interested in trying it. He or she will likely have no sense of what would be problematic (e.g. trying to initiate such an act with a peer or an adult. Consider how they probably don’t understand ideas of consent). It’s why it’s generally considered grooming for people to exhibit that type of thing to children. Children who have been groomed frequently abuse other children (including by force), and can be taken advantage of by pedophile adults.
I think it’s important, as tough as it can be to identify where exactly the line is, distinguish the concept of a 16-year-old cranking his hog to some Internet porn (which yes, probably pretty harmless and inevitable), with little kids being exposed to explicit types of content. And little kids are curious, so just the fact that they make an attempt to find the content doesn’t mean they’re ready for it.
I appreciate your well thought out response, and I apologize for the length of my response:
As to whether I believe in cultural relativism depends on the level of abstraction we are discussing. I believe there is no way to logically prove that something is morally right or wrong in a similar manner to how a mathematical concept can be proven from pure logic alone. But this fact does not often influence my beliefs in terms of morality in the context of social contracts, diplomacy, legal frameworks, etc.. To draw a parallel, I do not believe in complete free will, but I live my life as though it does exist (I believe in more of a 'sandbox' like an RPG video game with clear constraints and limitations).
> many of us believe that it’s harmful to the normal development of children to be exposed to certain types of content.
Are these beliefs supported by evidence or are they merely conjecture? Do not get me wrong, I am not saying I completely disagree. A child exposed to various types of abuse and neglect can have detrimental effects to his or her development, and there is plenty of evidence to support a statistical relationship.
> A five-year-old who sees explicit sexual acts performed on a screen is going to be curious about it and be interested in trying it.
I believe that is quite presumptuous. By that logic, if a child is exposed to comedic content, will that child become funnier? Such conclusions remind me of the debate as to whether violent video games and other media increase aggression and acts of violence in children. The data clearly does not support this conclusion. Now, I would not say there never has been/will be a case of a child trying to replicate a sexual act due to exposure -- much like violent content -- but outliers do not define the norm.
> He or she will likely have no sense of what would be problematic (e.g. trying to initiate such an act with a peer or an adult. Consider how they probably don’t understand ideas of consent).
Understanding consent is irrelevant. Children legally and morally (as determined by my culture) cannot consent to any sexual activity under any circumstances. Consent is de facto impossible. This is a social contract that I also strongly agree with.
> It’s why it’s generally considered grooming for people to exhibit that type of thing to children.
I was under the impression the intention behind the action was more important than the action itself. There is a difference in intentions between a child stumbling upon an adult getting undressed compared to an adult undressing and exposing themselves in front of a child. One action is happenstance and the other is predatory and abusive. It's why family pictures that might have a naked baby in a bathtub is not often considered CSAM.
> Children who have been groomed frequently abuse other children (including by force), and can be taken advantage of by pedophile adults.
I believe this myth is perpetuated too often. The vast majority adults that of sexually abuse children have no history of childhood sexual abuse. Certainly, some do perpetuate the abuse, but it's not as common as some might think. It is just another attempt for abusers to garner sympathy and decrease their punishment. It's very similar to the myth that public urination can result in a registered sex offender. To my knowledge, there are no instances of this type of case in the United States. However, it is a clever little lie to tell comfort folks into living next to a registered sex offender convict of a more heinous crime.
As for children-on-children abuse, I am not certain your claim holds up, but I admit I am less knowledgeable in this area.
Fundamentally, the laws around requiring ID to view adult content do not really prevent any of the harm we are discussing. Sure, I child might not accidentally stumble upon explicit content on Pornhub. However, the laws do not stop Chester Child Molester from sending their dick pics to a kid on Discord or Roblox or whatever.
Why is it the if a child stumbles upon a parent's firearm and hurts themselves or another, the parent can be held liable in both civil and criminal court. However, if a child stumbles upon sexually explicit content via a parent's computer, the onus is placed upon everyone but the parent(s)? If the harm of exposure of sexual material to youth is so damaging, then should parents not also be held to such civil and criminal punishments?
> if a child is exposed to comedic content, will that child become funnier?
Yes, of course they will. But you do make a good point that 'playing CoD leading to kids wanting to shoot people with real guns' isn't proven, but most parents I know still do not want their kindergarteners playing realistic violent games. As a parent, we are mainly looking for the ability to choose to introduce more adult themes like violence only when we can tell that the child's maturity level is sufficient to understand the morality involved. Shooting Nazis in a video game is fun, but they should first understand why we can't shoot that asshole who makes fun of them at school, or that hardass math teacher, or their annoying little brother.
> Understanding consent is irrelevant. Children legally and morally (as determined by my culture) cannot consent to any sexual activity
We agree there, but set aside this legal definition to understand my point better. If two 12-year-olds fool around with each other, willingly, I'm not that shocked and I don't think it's likely going to cause any real harm in most cases. On the other hand, if a kid (whether 5 or 8 or 12 or 14) forces another child into an act, that's worse. And the less mature, the less likely they understand the severity of that act and its impact on the victim. An immature brain might think that forcing themselves on a cousin or something is no more severe of an offense than borrowing their pokemon cards without asking.
> If the harm of exposure of sexual material to youth is so damaging, then should parents not also be held to such civil and criminal punishments?
As far as I know, in my country, if a kid says at school "My daddy showed me this cool website called PornHub" that school is 100% calling 'Child Protective Services' and the parents will 100% be investigated on suspicion of grooming and abuse because like I said, it's illegal to show such materials to children in most or all states.
We don't need to care what France or China thinks when we make our laws that are about our own citizens. They do the same over there.
> These age verification laws in many ways are trying to use the most heavy-handed mechanism possible to enforce American cultural norms on the entire planet. That's clearly wrong to do.
Yes there's a chance our rules spill over there naturally, and I don't consider that wrong either.
That was our struggle with implementing "blocking" tech at a school I worked at. Is a kid looking up how to do a breast self exam porn? What about a self testicular exam.. What about actual Sex Ed kinds of sites?
Then those parents can turn off their browser/client’s age protections. I think that’s actually a decent argument for the solution posed by this thread.
> I know parents who have no problem with their kids seeing porn.
Surely you mean at least teenagers, and not literally children, right? Consider the prevalence of violence, racial stereotyping, and escalation of fetishism into degeneracy that clearly exists within this medium; what's the line that these parents draw? Are they making sure it's only something vanilla? Or is there no line whatsoever?
The US. If they want to serve users in other countries, or if certain states make their own rules, it's business as usual whether to serve different content there or serve a different header or take the legal risk.
It's the exact same problem that age verification faces. There are different laws in different jurisdictions and operators have to figure out how to comply with the ones that matter to them.
Think of the (current) header as meaning "we would have blocked you if we saw you were under 18" or whatever equivalent and it should make sense.
i can make arguments as to potential merits of kids having a beer/cigarette, listening to swear words, or witnessing casual violence. i cant make an argument for letting kids see hardcore pornography in any capacity.
Swear words and violence don't cause addiction, alcohol can but it's way less likely and also easier to restrict... idk why a kid should have cigs even once though
there may be valid use cases in certain demographics eg the disabled. to me it is evidently advantageous teaching a teenager how to have a smoke or have a drink properly , so that they don't go overboard with self directed learning for a valid activity (loosening social inhibition). we could totally teach teenagers the generation and consumption of dispassionate violent relationship simulacra. may I ask what would be advantageous about this ?
it is literally always the same thing - who gets to make these decisions? if you come from a family of alcholics (there are many) you will view alcohol for what it is, one of the most dangerous drugs that someone decide should be "legal." if you come from family that lost loved ones to smoking - same thing with smokes. hardcode porn, eh, they will eventually start putting this into practice ("hard" part is personal preference) so while probably not the greatest thing to have kids exposed to who makes these decisions? Personally, if you gave me a choice between smokes and porn and I had to choose one for my kid - I would choose hardcode porn. the core issue as always - who is making decisions on what kids should or shouldn't be exposed to?! and what do you do when whenever someone else gets that power then decides that reading or math or fishing or camping or ... is not allowed?
why 90%? and who decide is it 90%? or 87%? or 94%? are we going to have a referendum to decide on this? we need 100% people to vote on this referendum or small fraction will work? ...?
Practically it's hard to ban something new across the entire country without overwhelming support like that. There are enough people who strongly think kids shouldn't be able to buy alcohol or cigarettes that it ended up getting banned in every form, in all US states (even before federal law). Wouldn't be possible with a slight majority opinion, even if an individual proposition only needs 50% of votes.
this is 1,000,000% not accurate. there are things that vast majority of people support that are never going to happen (e.g. universal background check for gun purchases) and there are things that ruling party easily gets through that are wildly unpopular.
I said it's hard to ban something without support, not that it's easy to ban with support. Not to mention, gun background checks are more controversial than you're making them out to be, in fact this is an example I would use. Even if more than 50% like the idea of a background check, not so many will trust the implementation, and not everyone will vote.
Just for completeness sake and just for fun about 40 or so states allow private sales of firearms without a background check. Of course it is on the seller to know they are not selling to a felon and they may be on the hook if the buyer does something bad though I am straying a bit off topic from age/ID verification and tracking.
you should look this up, the percentage of support is closer to 100% than 50% (84-90%) - about as great of a support as it is humanly possible and yet………
Yes, the RTA header was primarily a solution specific to porn sites. The broader problem is that parental controls don't have reliable standardized signals to filter on which has led to the current nonfunctional mess.
So ideally you want a standardized header that can be used to self classify content into any number of arbitrary and potentially overlapping categories. The presence of that header should then be legally mandated with specific categories required to be marked as either present or absent.
So for example HN might be "user generated T, social media T, porn F" or similar with operators being free to include arbitrary additional categories (but we know from experience that most of them won't).
While this would be required by law, I imagine browser vendors might also drop support to load sites that don't send the header in order to coerce global compliance.
Just an opinion which I know is not super valuable but categories won't help with most sites. Anything that permits user contributed content can become any rating at any minute unless all content would require approval by a moderator before anyone could see it. A few forums support that concept but it requires a proportionate number of moderators or I suppose a very accurate and reliable AI moderator if that is even a thing. I think it's easier and probably legally safer to just tag anything that is not guaranteed to be 100% child safe at all times as adult and let parents decide if they with to approve-list the site in parental controls.
Yeah, and this is a good one. Blacklist is less likely to be ignored by parents. Both have risks of corps doing CYA strats, but less so with the blacklist. Whitelist has the advantage of being more feasible without an actual law, and also better matching how parenting works. Generally kids are given whitelists irl.
An outstanding idea. Those lobbying for age verification hate it though, because they want to be the arbiters of age, and all that juicy PII that they can analyze and resell.
I'm not so sure. I think the push is from the government actually. But companies are not exactly opposed to it. Quite the contrary. Big corporations see compliance as a moat. Tobacco companies supported stricter regulations on tobacco advertisements, because they had the deep pockets required to follow the changing laws. Mr. Altman is all-in on AI regulation, because it will mire down competitors while OpnAI has already "slipped past the wire" and done all their training pre-crackdown. When given a choice between regulating their industry (platforms and operating systems) vs regulating someone else's (porn sites and the like) they'll always helpfully "volunteer" to be the first to be regulated. It's just good business.
"The government" is the same as those lobbying the government. The people in the government get paid to push it, so they push it, and get paid more when it goes through, by the people who want that PII to analyze.
Think about how they validate how old you are. Meta and Google, who are lobbying in support of this legislation,will force you to sign up with your real ID, and be the arbiter for questions like “are you old enough for this website”. For every request that you make through some third-party website that needs to know your age, Meta and Google will know where you tried to login, and for which content. They will then resell this data to the highest bidder. Additionally, through all their ad networks and tracking, they will follow your session and have verified ID to match your entire browsing history. This is the end of anonymity and privacy on the Internet.
None of this is true. The fact that there are many, many companies out here today that are doing exactly what you are claiming for the non-CA age verification laws (like in TN and TX), yet you went down the conspiracy route for Meta and Google shows how much you are being played like a fiddle.
They can feed you an conspiracy and you'll eat it up because you were primed to have a cognitive bias, and will ignore the actual, real-world harms going on.
Age verification companies literally require your personal information to function. They don't want you to be able to send them a simple boolean over Tor in exchange for whatever trackable token you need to access something.
If technically competent people specify and build this system, sure. But it’ll be specified by complete idiot politicians, influenced by Google and Meta, who 100% DO want to know your government name, DOB, etc., so we’ll end up flashing our IDs at the camera, turning around to be scanned, etc. The platform owners will tell us they “deeply care about our privacy.”
Interesting, I've never heard of this. I see an example that involves an HTTP response header "Rating: RTA-5042-1996-1400-1577-RTA". But does this actually still get used by parental controls? I didn't run into a lot of documentation about this, including on the very badly designed RTA web site https://www.rtalabel.org/
For anyone curious about the value, the numbering on the value is just a fixed number everybody decided to use for some reason that isn't clear to me.
I would deeply prefer to do it this way, but my goodness the RTA org needs a serious brush up of their web site and information on how to use this.
But does this actually still get used by parental controls?
Some parental control applications will look for it but it is not yet legislated to be mandatory on a majority of user-agents.
All I am suggesting is we legislate the header to be added to URL's that may contain material not appropriate for small children and mandate the majority of user-agents the ones that are default installed on tablets and operating systems look for said header to trigger optional parental controls. Child accounts created by parents on the device should not be able to install alternate user-agents or bypass the controls (at least not easily). Parents should be guided through this on device setup.
Indeed their site is old and rarely touched. The ideas and concepts have not changed. It really could just be a static text site formatted in ways that law makers are used to or someone could modernize it.
Back in the late 90s or so, there was a proposal to have sites voluntarily set an age header, so parents/employers/etc could use to block the site if they wish. People said it would never work, because adult sites had a financial incentive not to opt in to reduce their own traffic.
What, in the same way movie studios wouldn't comply with the Hayes Code, or comic book publishers wouldn't comply with the CCA, or games publishers wouldn't comply with the ESRB? The financial incentive is to police yourself, because government policing is much, much worse.
Quite true. The US corporations act like a giant global rabid dog. Fake legislation appears in the USA - lo and behold, it is copy/pasted into the EU. At the least lobbyists are getting rich right now.
At least the EU has GDPR. In the US, our personal data is collected by every app and website and company and packaged, sold and sifted through by a vast collection of private data brokers which the government already ingests.
You’d think that one could simply block sites that don’t have the age header set on child computers. This may block kids from hobbyist sites that don’t bother to set their headers as kid-friendly, but commercial sites would surely set their headers properly. Over time sending proper rating headers would become more normalized if they were in common use.
This still isn’t perfect, as it creates an incentive for legislators to criminalize improper age header settings and legislate what is considered kid-appropriate. But it’s still better than this age verification crap.
An age header is not the answer. Why should a site have to decide what content is appropriate for a 18 year old and what content is not? Who is qualified to make that decision for every 17 year old in the world? Do they know my 17 year old? Do they know the rules in our home? What if I'm OK with my kid seeing sex-education stuff, but some lawyer at Wikipedia just decides to tag sex ed articles as 18+? Now I have a shitty choice: Open up the floodgates of "18+" to my kid, do it temporarily while the kid browses the sex ed sites, or not let the kid browse them.
Letting a company or government decide what's appropriate for what exact specific age is fraught with problems.
Then this leads to a very unwelcome view that most of the problems we face are actually rooted in parents' unwillingness to invest too much time in education :)
Yes, that's how parental filters already work. They use a combination of rta tags and external data to block pages. Even works with Google safe search, firewall devices, etc. The rta ecosystem is already built out and viable.
What I am suggesting could address most of that. If they do not participate they get fined. The government loves to fine companies. This assumes they put enough "teeth" into a law that prevents companies from accepting fines as the cost of doing business. This would also require legislation that could block sites that operate from countries that do not cooperate with US laws. Mandatory subscriptions to BGP AS path filters, CDN block-lists which already exist, etc... People could still bypass such restrictions with a VPN but that would not apply to most small children. Sanctions and embargoes are always an option.
Exactly. If you’re hurting kids to make more money selling porn videos, straight to jail.
I’m glad there are solutions that won’t ruin the Internet. Now the uphill battle to convince our legislators (see: encryption & fundamentally technically ignorant calls for backdoors).
PICS was very complicated and attenpted to cover all possible "categories" of adult content. It was confusing, incomplete and only a handful of sites voluntarily labelled their sites with it. RTA is one simple static header that any site operator could add in seconds unless they get more complicated with it by dynamically adding it to individual videos say, on Youtube which means in that case the server application would need to send that header for any video tagged as adult.
I added PICS to my forums but it was missing many categories of adult content. I ended up just selecting everything as I could not predict what people may upload which made for a very long header.
Agreed though in my example the point would be to set the header in the case the child is logged in but for whatever reason the site does not know their age. Instead of a third party site, a header is sent with the video tagged as adult that triggers parental controls if they are enabled by the device owner.
We pay money online mostly through credit cards. Credit card transactions can be reversed. If children spend money on porn, those payments are likely to be reversed. This is really bad for the ability of the porn sites to continue receiving credit card payments, and continue making money.
An age header is a trivial step that can reduce the odds of the adult site receiving payments that later get reversed. Win, win.
But if someone is willing and able to pay, then the adult industry wants the choice of whether to access content to be up to them. If government tries to regulate them, they'll engage in malicious compliance - do the minimum to not be sued, in a way that they can still reach customers.
For example Utah tried to institute age verification. The porn industry blocked all IP addresses from Utah. Business boomed for VPN companies in Utah. Everyone, including porn companies, knows that a lot of that is for porn. But if you show up with a Nevada IP address, the porn's position is, "You're in Nevada. Utah law doesn't apply." Even if the credit card has a Utah zip code.
If you live in Utah, and you're able to purchase a VPN, the porn companies want your money.
If someone is willing and able to pay, they have a source of money. If they aren't allowed to buy something, that control should be applied at the level where they get the money. If the child is using an adult's credit card, responsibility lies with the adult. If children need to have their own credit cards, the obvious point of control is the credit card itself.
But also, most porn is ad-supported, pirated or free. Directly paid content is a small fraction. So all of this is moot for porn.
There's an anecdote about an attempt to ban porn in Utah, which cited a survey which found that most people were opposed to adult content. The defense argued that most people will oppose porn when asked in public in order to appear moral, even if privately they are avid consumers.
As proof, they provided records of cable TV pay-per-view purchases in Utah. The defense won.
Yeah this seems like the best tradeoff. You avoid the central control infrastructure and you provide information to clients. It's also a great match with free computing devices, which can then utilize the new information, empowering users (eg parents -> parental control on device, or individuals who want to skip some kinds of content).
There are issues today with this approach such as lacking granular information for sites that have many kinds of context, but if you stop investing in the central control infra and invest in this instead that could be remedied.
This doesn't address the wider array of age-verification related problems that people want to solve, like social media where age verification is needed to police interactions between users.
I could be misunderstanding the context but to me that sounds like a moderation issue assuming we even want small children on social media in the first place. There should probably be a dedicated child-safe social media site that limits what communication can take place for small children and has severe punishments for adults pretending to be children for the purposes of grooming.
Moderation is like law enforcement, it doesn't prevent crimes from happening it just punishes the people they can catch. There exist severe punishments for the kinds of behavior I'm talking about, but unsurprisingly, this does not stop kids from being harmed and it doesn't undo it.
This isn't hypothetical, by the way. There are adults catfishing kids into producing CSAM [0], kidnapping and assaulting minors [1], [2], and in the most extreme case, there's a borderline cult of crazy young adults who do terrorize people for fun [3].
It is a constant game of whackamole by moderators/admins to keep this behavior out of online spaces where kids hang out.
I recognize that this is a "think of the children" argument, but indeed that's the point. The anonymous web was created without thinking about the children, just like how all social media was created without thinking about how it could be used to harm people. Age verification is the smallest step towards mitigating that harm.
Now I disagree very strongly with the laws proposed (and indeed, I've been writing/calling/talking with state reps about this locally, because I don't want my state's bill passed). But the technical challenge needs to address the real problems that legislators are trying to go after.
I am only interesting in protected the majority of children which I believe my proposal more than covers. There will always be exceptions. Today teens share porn, warez, pirated movies and music with small children in rated-G video games. I am not proposing anything for that. It is up to businesses to detect and block such things.
Point being, there will be a myriad of exceptions. I am not looking to address the exceptions. Those can be a game of whack-a-mole as they are today. I am proposing something that would prevent the vast majority of children from being exposed to the trash we today call social media and of course also porn sites.
Look, please don't sideline/marginalize people by using the "whataboutism" term. Thats being used more and more to silence dialog from people that see problems outside the focus of a specific area. Its important that we see ALL sides of the problem.
Thank you for understanding. I know sometimes topics can get out of hand with comments about related things, but I this case. We might be better off looking at all the extremities.
These aren't exceptions or whataboutism. It's the debate being had on the floors of state legislatures.
> It is up to businesses to detect and block such things.
Which is exactly why age verification legislation is hitting the books. No one (serious) cares about whether kids can download porn and R rated movies. Parental controls already exist if the threat model is preventing access to specific content that is able to report itself as _being_ that content.
Your proposal also doesn't address the other domain that these legislators are targeting, which is addictive content. They define specifically what classifies as an addictive stream and put the onus on service providers to assert that they're not delivering addictive streams of media to kids. An HTTP header isn't enough, because it's not about the content being shown to kids but the design patterns of how it's accessed.
Essentially: age verification isn't about porn. 18+ content stirs the pot a bit with the evangelical crowd but it's really not what people are worried about when it comes to controlling digital media access with age gates.
Your proposal also doesn't address the other domain that these legislators are targeting, which is addictive content.
That sounds simple to me. If a type of content is addictive then require the RTA header.
- Adult content, or possible adult content.
- User contributed or generated content (this covers most of social media)
- Site psychological profiles that are deemed addictive (TikTok and their ilk)
Overall we are describing things that are harmful to the development of the minds of small children. If adults wish to avoid such content they can create a child account on their device for themselves to be excluded from this behavior as well. I use a child account in a couple of popular video games to avoid most of the trash talking and spam. I'm not hiding my age as the games have my debit card information but rather I opt-in to parental controls.
Servers can then infer user’s ages by whether or not the client renders pages given those headers or not no? See if secondary page requests (e.g images, scripts) are made or not from a client? A bad actor could use this to glean age information from the client and see whether the person viewing the page is a small child. That should be scary
I disagree. The ability to render a page could simply mean that parental controls were not enabled on the device. Some parents have assessed the situation and trust their children to be psychologically ready for adult situations. The client could be literally any age.
Today devices do not default to accounts being child accounts. Some day this may change and may require an initial administrator password or something to that affect but this can evolve over time.
The point and overall goal should be to not signal anything to the server operator unless a credit card is being used. Everyone is whomever they claim to be as far as anyone is concerned, until payments are required which today means sharing identity and age (via the credit card information on file with the financial institution and is shared today).
In the case of RTA the only signalling taking place is a server header being transmitted to the client. The client could be anyone at any age. Nothing to explicitly leak or disclose. Server operators can guess all they desire as some do using AI based on user behavior of which they sometimes get wrong.
How would this work with sites like YouTube which allow sharing of content, potentially not appropriate for children, but the content is generated by the site's users? Who will be fined for "violations"? And how would such a fine be levied, especially internationally?
I think that initially the onus would be on Youtube to figure this out. They have some very intelligent engineers. For example, if the Youtube client is receiving affiliate funds then they are easy to ID and fine. If they are random people then Youtube would have to share the violation data with the other countries and the US or UK would have to pressure those countries to participate in fining the end user. There could be financial incentives for the foreign country to participate. They can also just force label a video to be adult as they do today when enough people report it which is admittedly not uniformly applied.
This already has been solved. Youtube disables viewing via embeds for any content that has been age restricted. Either you view it on Youtube which requires logging in to see age restricted content in the first place, or you get the ! icon and the warning about needing to log in.
I agree with the general idea, but I would like this header to be more fine grained than just a binary "adult" or not. For example, so that you can distinguish between content that is age appropriate for teenagers and older from content that is suitable for all ages.
One possible method [1] though I am sure the network and security engineers here on HN could come up with simpler methods. Just blocking domains on the popular CDN's would kill access for most people as by default most browsers are using them for DoH DNS.
The question was about fining entities outside of the original jurisdiction, so I am not sure what you have in mind that could be done by network/security engineers here.
In terms of fines if they do not pay the fine their country is at risk of sanctions or embargoes which is probably a bit heavy handed but may incentivize their government to also enforce the rules, collect fines keeping some for themselves and passing the original fine back to the countries implementing child safety controls.
This is extremely naive and short-sighted. There is a literal example of this happening rn, and hopefully you will see why your approach isn't that good.
UK's OFCOM is currenly issuing legal threats to 4chan, for allegedly serving adult content and not willing to implement age verification. 4chan's lawyer tells them to pound sand[0], on the basis that 4chan is hosted in the US and has zero business presence in the UK, and UK is more than welcome to ban the website on their end through UK ISPs. The saga has been ongoing for a while, and the lawyer has been pretty prolific online talking about the case.
Anyway, following your approach, UK should embargo US over 4chan not willing to implement age verification as required by UK law? I plainly don't see this happening, or even being considered, ever.
4chan servers are in the US and the owner is in Japan. If the US wanted to they could seize all the servers but they will not because they have real time monitoring of all activity on the boards and have ever since Christopher testified before congress and the site was sold. If anything 5-eyes want that site to be unrestricted. 4chan has been a goldmine of people self reporting for wanting to shoot up or bomb places, as has Reddit leading to many body-cam videos of the site users and in some cases the moderators being busted.
The IP addresses are all captured by Cloudflare. It is literally next to impossible to post on 4chan without enabling javascript on Cloudflare or buying a 4chan-pass which leaves a money trail not perfect, nothing is but most mentally unstable people do not think these things through.
Should legislation be added to require the RTA header 4chan could and likely would add it in a heart-beat. They already have some decent security headers in place.
> If the US wanted to they could seize all the servers
Are you sure you didn't misread what I said? Asking because I am not sure how what you are saying has anything to do with my point.
Why would the US even consider seizing the servers? 4chan isn't breaking any US laws, and US indicated zero interest in pursuing 4chan.
The case I am describing is about 4chan breaking UK laws (by refusing to implement age verification), and UK OFCOM is threatening 4chan with fines and more. 4chan, as you said, is located in the US, so they claim they don't care about what UK wants, and that 4chan won't implement age verification due to 4chan not having such a requirement under their operating jurisdiction (US).
The only thing UK can do is block 4chan within their country, and that's pretty much it.
They break US laws every single day. Every loli in /b/ and /gif/ thread violate several laws and yes people do debate this endlessly which I will not, discuss that with lawyers that deal with CSAM. On that alone they could easily seize all the servers if they wanted to but that will never happen because like I said it's an goldmine for people self reporting they are going to shoot up a place or show intent for a myriad of other crimes. The feds would never throw away such an easy mode treasure trove nor would I expect them to. The site started glowing hard in 2008 and glowed even harder after 2012. I even showed people how to extract IP addresses using the hashes in the thread and post ID prior to their moving to Cloudflare and the users still went into full cope.
All of this aside it would be trivial to add the RTA header to the entire site. They could add it in the Cloudflare interface in a few seconds. It would cost them nothing. Only groomers would have their jimmies rustled even despite most of the groomers having moved to Roblox.
The header should be the other way around. It should inform your site will not contain adult material. The local government should scan sites participating.
Anyway, yes, that would just solve the problem and not destroy anything. What is the reason why nobody is talking about it.
I have probably never met anyone that is not committing at least three (3) felonies per day. That is at least how legal theory is applied. It's a fun topic to research. As a side note it would be interesting to see how far down the totem pole they venture in terms of verification of what sites are using age/ID verification and tracking.
I disagree. The legal requirement to apply a warning label is a well known, understood and accepted process that is applied to a myriad of hazards to children and adults. As just one example businesses in some states, most notably California are compelled to add warning labels to foods and other products that could cause cancer.
That's not the best example, since the levels set for Prop 65 warnings are so low that the warnings are effectively useless; every single commercial building in CA now somehow causes cancer.
Surely we both understand the point I was making in that labels are already compelled by laws today.
Fine, cigarettes must be labelled as being a risk of causing cancer. The punishment for failing to do this is both civil and federal penalties including massive fines and federal prison time.
Now that I think about it, perhaps that example did a good job of demonstrating how ill-conceived requirements can wind up having zero effect except for just making everything a little bit more inconvenient.
I never implied an internet license. Rather if a server operator a business has content that may be adult in nature they must label their site. Businesses require a license already but that is unrelated to this.
Clients could refuse to show content that does not have headers set.
On other hand servers might choose to lie. After all that is their free speech right.
So maybe you need some third party vetting list. Ofc, that one should be fully liable for any damages misclassification can cause... But someone would step up.
I a small server operator and a client of the internet will not participate in any other methods period, full-stop. Make simple logical and rational laws around RTA headers and I will participate. Many sites already voluntarily add this header. It is trivial to implement. Many questions and a lengthy discussion occurred here [1]. I doubt my little private and semi-private sites would be noticed but one day it may come to that at which point it's back into semi-private Tinc open source VPN meshes for my friends and I.
[1] - https://news.ycombinator.com/item?id=46152074