Your lack of understanding why age verification does not constitute it being a conspiracy for another reason. There is a antiregulatory crowd that will invent any possible excuse to suggest tech companies shouldn't be accountable and we should just leave the Internet be. Those people make a lot of money exploiting everyone, as it happens, and they also pay for journalists to tell you that it's all about violating privacy or something. (The same folks will tell you opening up Android for third party AI tools would be a privacy and security risk, and not ask you to notice it would just cost Google a lot of money.)
We've been running essentially a social experiment on our kids for the past two decades and it has not gone well. Social media has had a toxic impact on kids. CSAM and child abuse are rampant, and most "privacy services" like disposable email and VPNs are the primary source. These are facts, whether you like them or not. There are, in fact, kids dying, school shootings, grooming, etc. which are all the direct result of our failure to regulate social media companies. Section 230 being the primary problem.
OS-level age verification is likely the best route, as private information can remain on a device in your control, and a browser then just needs to attest to websites whether or not the user should be allowed access, without conveying more detail. Obviously anyone with a Linux box will have ways around it, anything based in your own device will be exploitable in some way, but generally effective for the average child.
Any "verification" means unacceptable privacy violations.
The best route is better parental controls, that are not enabled by default. Locking down the OS like ransomware until the user submits to age verification is the wrong approach, and what Apple did in the UK needs to be highly illegal.
> Any "verification" means unacceptable privacy violations.
So I'm not necessarily arguing for age controls here, but purely on a technical level what do you think of schemes like Verifiable Credentials, which delegate verification to third parties that have already established your identity?
In theory you can set up a system that works like this:
1. User goes to restricted site and sets up an account
2. Site forwards them on to a verification service with a request "IsOver18?"
3. User selects their bank from a dropdown on the broker site
4. Broker forwards them to the bank, with a request "IsOver18?"
5. User logs in and selects "Sure, prove I am over 18 to this request"
6. Bank sends a signed response to the broker "Yep"
7. Broker verifies and sends its own signed response to the site "Yep"
8. The site tags the account as "Over 18 Status verified"
In this situation, the restricted site doesn't get anything other than a boolean answer from the broker. The broker can link a request to a given bank but doesn't get anything that gives away your identity. The bank knows your identity and that it has approved a request, but not necessarily where the request came from.
Verification broker tracks sites which make requests and records it attached to personal data. Site either sells or leaks personal data along with history of all sites visited which require age verification.
Also your solution requires a bank account, not something everyone has. Many do, but not all. Also the bank may not know "which" site you are visiting, but it does now know you are visiting sites which require age verification and how often.
> Verification broker tracks sites which make requests and records it attached to personal data.
How? What personal data?
The broker doesn't get anything other than "Site X wants to verify over 18, the user selected forward to Bank Y" and "Bank Y responds with TRUE"
> Also your solution requires a bank account, not something everyone has
True. Banks are only one example of an already trusted identity provider in this situation. But I get that there are gaps.
> Also the bank may not know "which" site you are visiting, but it does now know you are visiting sites which require age verification and how often.
Verification need only happen once per site, when setting up an account. This does introduce the possibility of a secondary market for approved accounts though, sure.
User installs a browser extension which forwards the request to everyoneisover18.com, owner of that site has a script set up to log into their bank and pass the verification challenge
Restricted-site.com gets the signed response from the broker, not the bank. In your situation there's not any need for "everyoneisover18.com" to defer to a real bank for a faked response as it signs things itself.
But restricted-site.com doesn't trust everyoneisover18.com's key, it only trusts realbroker.com's key, so the response isn't accepted. If it is found to trust fake brokers like that it gets in trouble with the law.
That's why everyoneisover18.com forwards the request to my bank or my broker and gets my signature on the behalf of literally anyone. I may charge them $5 for this service.
> That's why everyoneisover18.com forwards the request to my bank or my broker
Doesn't work. The response won't be signed by real-broker.com.
The permission request/response itself goes direct from the server at restricted-site.com to the server at real-broker.com over TLS, so you can't MITM it, it's not controlled by the client and you won't be able to just pass out a cached response.
Your malicious client plugin could potentially forward the client session details to you, so you could operate the broker page, then log in to your bank's portal and approve that request, but I don't think that's going to scale very well and I imagine your bank is likely going to rate limit you.
real-broker opens a web page allowing them to verify somehow. The browser extension sends me their URL and cookies so I can load the same page and verify myself. All automated of course.
You could, you could also go to their house and go through the process for them, but in either case I don't think it's going to scale very well (rate-limiting would seem to be called for, maybe with 2FA as well, to mitigate this sort of thing and remove the possibilities for automation).
But sure, you could subvert it on a small scale, just as you can borrow someone else's driving license to register in 'normal' systems already. You could also register an account, validate it and then sell the login details, regardless of what proof of age scheme you use.
The point is the scheme is no worse at validation than asking for ID and it protects user privacy by keeping all ID details away from individual websites, which is the more important part IMHO.
My cellphone provider will be pleased be paid to deliver all those 2FA text messages. Who's sending them? How are they getting paid? Maybe I'm actually my own phone company, so I get paid for delivering them to myself.
Your bank, like they have 2FA for every other access to your account. 2FA also doesn't need to be via SMS, and even when it is that's dirt cheap. Rate limits can be a couple of approvals per hour with daily limits of a small handful. Or a leaky-bucket style algortihm where you can do a few at a time, but you only get one more per hour. Whatever way it's done it precludes your large-scale automation attempt.
I tire of this now. We've entirely wandered off from "Here's a way to prove age without the privacy implications, that works just as well as handing over scans of ID"
Your bank would likely have a limit on the number of approvals it would issue over time, to stop automated exploits, sure. In theory you only need these approvals once per site on signup.
We are pre-supposing for the sake of this thread that proving you are over 18 is desirable, but that giving your ID to unknown third parties is not.
That being the case, having a rate-limit on site approvals would appear to be a relatively reasonable tradeoff to stop the system being exploited for gain by third parties like the commenter upthread.
If you don't want any of that in the first place, cool, but I'm not making an argument for it here, just saying that a system that meets these two requirements is possible.
[Citation Needed] As I understand it, the debate on whether social media is responsible for actual harms in kids is still open and ongoing. Social media has been found to do both harm and good for kids, and for some kids the good outweighs the harms [0]. Scientists are hoping to get some verification from the actual social experiments that we're conducting in the UK and Australia on this.
Mandating OS-level age verification effectively means not allowing kids access to OSS platforms, a step way too far in my opinion. For instance, we would have to outlaw Steam Decks for kids.
[0] https://pmc.ncbi.nlm.nih.gov/articles/PMC12165459/
"Social media and technological advancements’ impact on adolescent mental health is complex. It can be both a risk factor and a valuable support system. Excessive and problematic use has been linked to increased rates of MDD, anxiety, and mood dysregulation, while also exacerbating symptoms of ADHD, bipolar disorder, and BDD. Simultaneously, digital platforms provide opportunities for social connection, peer support, and mental health management, particularly for individuals with ASD and those seeking online mental health communities. The challenge is finding a balance. Although social media offers benefits, it also poses risks like addiction, negative social comparison, cyberbullying, and impulsive online behaviors"
> Social media has been found to do both harm and good for kids, and for some kids the good outweighs the harms
Indeed. For example, the strongest evidence for harm shows that negative mental health is correlated with increasing social media use, but it's an important question of whether using social media more causes mental health problems, or mental health problems mean more social media use (or both, which would suggest a spiraling effect is important to look out for and prevent).
> Mandating OS-level age verification effectively means not allowing kids access to OSS platforms, a step way too far in my opinion. For instance, we would have to outlaw Steam Decks for kids.
This is entirely false scare tactic nonsense, and you really need to look at where you sourced that idea and no longer use them as a reference point. There isn't even a concept of a method of doing this that would make that true, and certainly not in any of the implementations being considered in the US. The federal bill is called the Parents Decide Act, if it gives you some idea where the goal in decisionmaking is supposed to be.
We have not just woefully bad parental controls, but in the name of privacy, modern platforms make it exceptionally hard to implement parental controls. What is being pushed here is largely a mandate that a system for parents to control what their kids can reach needs to exist and Internet companies need to support it.
(Steam is, FWIW, probably one of the best actors in this regard already, Steam Family is incredibly nuanced in the features and tools it gives parents. I have a lot of gripes about Steam but this is not a place they will have difficulty complying with the law. Heck, Steam is better at parental controls than Nintendo and Disney).
> There isn't even a concept of a method of doing this that would make that true, and certainly not in any of the implementations being considered in the US. The federal bill is called the Parents Decide Act, if it gives you some idea where the goal in decisionmaking is supposed to be.
The Parents Decide Act (PDA) goes considerably farther than superficially similar sounding laws like California's.
The California law requires that an OS allow the parent or guarding to associate an age or birthdate with the account when setting up a child's account on a device that will primarily be used for the child. It does not require any verification of the age information that the parent provides.
The PDA requires that the birthdate be provided for anyone who has an account on the device, and leaves much of the details up to the Federal Trade Commission to work out in the first 180 days after is passed. The wording of the list of things the Commission is to do suggests that the OS is supposed to actually verify age information, rather than just accept whatever a parent enters when setting up the child's device and account, and that it also has to verify that it will require the birthdate of the parent and verify that.
A Steam Deck is just an Arch Linux box. There is, intentionally by by design, no method of securing it against its user. Anyone with root access can change anything on it. There is no method of enforcing an age verification scheme on it in a way that cannot be removed or altered by a sufficiently bright and motivated teenager.
the conclusion from that discussion was that kids should not be allowed Steam Decks because that would provide them a way of getting around age certification.
The California bill, which is not called the Parents Decide Act, lets parents decide. The federal Parents Decide Act doesn't say whether parents can decide or not - it says a commission shall decide whether parents shall be able to decide, and we can predict what that commission will decide.
> any possible excuse to suggest tech companies shouldn't be accountable
The entire impetus for these bills is for Facebook (the sponsor of these bills) to escape liability for how they're currently harming kids. Facebook's only goal here is to be receiving headers that say the user is over 18, so they can continue business as usual under the assertion that any users must be adults.
Then you recognize that the solution definitely does not require privacy invasion, since presumably Facebook does not want actual proof because they hope teenagers will get around it.
That being said, the antiregulatory wonks are not all working for Facebook, and some are indeed manifestly just always opposed to any regulation at all no matter what harm is occurring.
Bear in mind the alternative: Things like Discord collecting personal data to do verification at the website level. A push for a simple "user is over 18" header is incredibly preferable from a privacy standpoint and parents being able to control and monitor it themselves.
This legislation does not require it out of the gate, but it sets up the precedent and the incentives such that it will eventually be required down the line. That's the problem with anything that gives more power, and the expectation of even more power, to the server (ie to big tech).
FWIW I personally would be supportive of legislation where the data flow went the proper way of server->client, for the user-agent to decide. Consider: Any website over a certain size must publish an appropriate set of well known tags asserting whether its content is suitable for kids of certain ages, has social aspects, the type of content, etc. Any device preloaded with an operating system over a certain marketshare must include parental control software that uses tags, as an option in the set up flow. The parental control software "fails closed" and doesn't display websites without tags. The long tails of the open web, bespoke devices, new OSes, etc remain completely unaffected.
We've been running essentially a social experiment on our kids for the past two decades and it has not gone well. Social media has had a toxic impact on kids. CSAM and child abuse are rampant, and most "privacy services" like disposable email and VPNs are the primary source. These are facts, whether you like them or not. There are, in fact, kids dying, school shootings, grooming, etc. which are all the direct result of our failure to regulate social media companies. Section 230 being the primary problem.
OS-level age verification is likely the best route, as private information can remain on a device in your control, and a browser then just needs to attest to websites whether or not the user should be allowed access, without conveying more detail. Obviously anyone with a Linux box will have ways around it, anything based in your own device will be exploitable in some way, but generally effective for the average child.