This keeps coming up and we keep having the same debates about what Age Verification isn't.
For the folks in the back row:
Age Verification isn't about Kids or Censorship, It's about Surveillance
Age Verification isn't about Kids or Censorship, It's about Surveillance
Age Verification isn't about Kids or Censorship, It's about Surveillance
Without even reaching for my tinfoil hat, the strategy at work here is clear [0 1 2]. If we have to know that you're not a minor, then we also have to know who you are so we can make any techniques to obfuscate that illegal. By turning this from "keep an eye on your kids" to "prove you're not a kid" they've created the conditions to make privacy itself illegal.
VPNs are next. Then PGP. Then anything else that makes it hard for them to know who you are, what you say, and who you say it to.
Please, please don't fall into the trap and start discussing whether or not this is going to be effective to protect kids. It isn't, and that isn't the point.
2) Cigarette vending machines accept VISA cards and government IDs and they're offline.
3) A medium-sized social media network required photos (not scans) of GovIDs, where only year of birth and validity date need to visible. The rest could be blacked out physically.
4) You can guess users' age and only request solid proof only for those you are unsure about.
The problem is that we technical users think of a one-size-fits-all technical approach that works, without a single fail, for all global users. That is bound to fail.
It is only a law and you can break it big time or small time. Reddit's approach might proof way too weak, it'll be fined and given a year to improve. Others might leave the market. Others will be too strict and struggle to get users. Others might have weak enforcement and keep a low profile forever. Others will start small, below the radar and explode in popularity and then enforcement will have to improve.
You can also request identity and then delete it. (Yes, some will fail to delete and get hacked.)
Giving Facebook a free pass is stupid. They're selling your age cohort "10-11" within 0.0037ms for 0.$0003 to the highest bidder on their ad platform.
Like many mention in other comments on this post, it's possible to implement using ZKPs. There are likely other methods that would be effective without compromising privacy. None of them are part of the Age Verification discussion because kids are not the actual point of Age Verification.
When I say "if we have to know you're not a kid, we have to know who you are" I'm not stating an actual truth, but the argument as it is playing out politically.
> None of them are part of the Age Verification discussion because kids are not the actual point of Age Verification.
The EU age verification solution says implementations SHOULD implement[1] their ZKP protocol[2]. Not linking it to the user is stated as an explicit goal:
Unlinkability: The goal of the solution is to prevent user profiling and tracking by avoiding linkable transactions. Initially, the solution will rely on batch issuance to protect users from colluding RPs. Zero-Knowledge Proof (ZKP) mechanisms will be considered to offer protection. More details are provided in Section 7.
> Age Verification isn't about Kids or Censorship, It's about Surveillance
We know this because, instead of putting easy-to-use parental controls on new devices sold (and making it easy to install on old ones) with good defaults [1], they didn't even try that, and went directly for the most privacy-hostile solution.
[1] So lazy parents with get whatever censorship the government thinks is appropriate for kids, while involved parents can alter the filtering, or remove the software entirely.
I am someone who is very privacy focused. I've literally never had a social media account on any platform and I'm 42. From day one of facebook, I never wanted my information online. Like many here, I'm deeply concerned about privacy and surveillance.
In real life, we think age verification is a good thing. Kids shouldn't buy porn. Teenagers shouldn't get into bars. etc... There has to be room somewhere for reasonable discussion about making sure children do not have access to things they shouldn't. I think it's important to note, that complete dismissal of this idea only turns away your allies and hurts our cause in the long run.
In the online world you can’t make sure of anything. Florida for instance requires age verification for porn sites. Guess how many mainstream sites not based in the US are completely ignoring the law and guess how many others are easily accessible via a VPN? If you guessed the sum total of both is less than 100%, you would be wrong - and even that is tilted toward sites that just ignored it.
The one thing you can control is your childs access through their device using parental controls.
I can absolutely guarantee you that any teenager can easily get access to weed, cigarettes and alcohol despite the laws and definitely can use a VPN. It only takes one smart kid to show them how.
In real life the situation is different. When I buy alcohol, someone looks at my drivers licence, does not make a copy of it, forgets it quickly, and cannot tie it to other information about me. As soon as it's online and it's copies, I can't tell what happens on anyone else's servers. I don't want any company knowing my actual name and location, then that can be tied to more data, which is what Google etc have been trying to do for years but this would just completely fast track that. I would in theory be fine with something where it never leaves my computer, but that is obviously impossible.
I'm not dismissing that idea. It is a perfectly reasonable thing to think about, part of why we have age verification techniques that already work well in critical places like online vape shops.
I'm even willing to talk about the possibility that we could use more robust systems deployed more broadly. A lot of folks here are talking about ZKPs in this regard, and that's not a bad idea at all.
The issue I'm trying to sound the horn on is that the current push for AF in the US and EU has nothing to do with kids. I think you could put together a working group on ZKPs and Age Verification, write up a paper and run experiments, and when you bring it to the lawmakers they're gonna say something to the tune of:
"yeah but that's not trustworthy enough and too technical for people to understand so we're just going to serve legal notices to VPN providers instead to tell them that they can't anymore"
...or something to that tune. I'm not a mind reader, I've just read the reports (by lawmakers) mentioning VPNs as an "area of concern".
This is a political gambit and not a new one. The more we treat the current issue as having anything to do with protecting kids the more we legitimize what is an obvious grift.
> The issue I'm trying to sound the horn on is that the current push for AF in the US and EU has nothing to do with kids. I think you could put together a working group on ZKPs and Age Verification, write up a paper and run experiments, and when you bring it to the lawmakers they're gonna say something to the tune of:
The EU is currently doing large-scale field tries of the EU Digital Identity Wallet, which they have been working on for several years. It uses ZKPs for age verification. They expect to roll it out to the public near the end of 2026.
I appreciate the mention - i had not yet heard of this EU DIW thing. That said, I can't find any resources on it that mention the use of ZKPs. Could you share a link?
> In real life, we think age verification is a good thing.
Ok. In real life, do we think having agents from the government and corporations following you everywhere, writing down your every move and word, is a good thing?
I think the equivocation of online and real life is a massive mistake. When you go into a grocery store you are constantly on CCTV. Does that mean when you shop on Amazon them recording you via webcam should be considered? Obviously not. The restrictions in real life are temporary. If you try to buy port, go into a bar, etc you are asked for ID and they look at it and hand it back. They don't take your ID, your picture and store it forever and then sell information about you to other people.
The concern about children is aimed at the wrong target. Instead of targeting everyone it would make far more sense to target the platforms. With Roblox having a pedo problem the company should face punishment. That will actually get them to change their ways. However all these massive platforms are major donors to politicians so the chance of that happening is low to none.
> They don't take your ID, your picture and store it forever and then sell information about you to other people.
It would not surprise me in the least if there are brick-and-mortar businesses doing this, especially larger companies in jurisdictions (such as the majority of the United States) with weak/nonexistent privacy protections.
They don't need to. If you bought something with a card they just store that - let the data brokerage handle connecting it with actual ID cards and other elements of your identity.
But yeah, walmart is for sure logging their transactions and selling the data. It's practically free money.
I feel like the EFF has stretched a bit far on this one. They need to be advocating for good solutions, not portraying age verification as fundamentally about surveillance and censorship.
As many are pointing out zero knowledge proofs exist and resolve most of the issues they are referring to. And it doesn't have to be complex. A government (or bank, or anybody that has an actual reason to know your identity) provided service that mints a verifiable one time code the user can plug into a web site is very simple and probably sufficient. Pretty standard PKI can do it.
The real battle to be lost here is that uploading actual identity to random web sites becomes normalised. Or worse, governments have to know what web sites you are going to. That's what needs to be fought against.
Yep this is the first time I've disagreed with the EFF on anything civil liberties related.
My view is that there's no reason why we can't come together and come up with a rating system for websites (through HTTP headers, there are already a couple proposals, the RTA header and another W3C proposal).
Once a website just sends a header saying this is adult only content, what YOU as a user do with it is up to you. You could restrict it at the OS level (which is another thing we ALREADY have).
This would match the current system, which allows households to set their devices to block whatever they want, and the devices get metadata from the content producers.
I'm just waiting for governments to start requiring OS makers to verify identity on consumer phone/laptop/console devices before you can use them.
After all, they can legitimately claim it solves much of the issues with other verification schemes - no need to trust third party sites or apps, lower risk of phishing, easier to implement internationally and with foreign nationals, etc.
Of course, the downside (for individuals) is it would take just one legal tweak or pressure from the government to destroy anonymity for good.
I'd be OK with an "I am a child" header mandated by law to be respected by service providers (eg. "adult sites" must not permit a client setting the header to proceed). On the client side, mandate that consumer devices that might reasonably be expected to be used by children (every smartphone, tablet, smart TV, etc) have parental controls that set the header. Leave it to parents to set the controls. Perhaps even hold parents culpable for not doing so, as a minimum supervision requirement, just as one may hold parents culpable for neglecting their children in other ways.
Forcing providers to divine the age of the user, or requiring an adult's identity to verify that they are not a child, is backwards, for all the reasons pointed out. But that's not the only way to "protect the children". Relying on a very minimal level of parental supervision of device use should be fine; we already expect far more than that in non-technology areas.
A server header exists to say something is adult and could be used for user-generated content as well. [1] It just needs legislation and an afternoon from interns at assorted companies. It's not perfect, nothing is but could easily trigger existing parental controls and parental controls that could be added back into user agents. No third parties required. I think I've beat this horse into dust [2] so I should just hire kvetchers to politely remind congress at this point.
I like the first part of the idea, which is the header. Heck, even enable it by default. As long as the tracking of the toggle isn't a thing its a perfect compromise. While we're at it, respecting do not track headers would also be nice.
This completely leaves it up to the families / parents to control and gives some level of compliance to make the effort worth while.
There may even be a way to generate enough noise with the request to prevent any forms of tracking. This sort of thing should really be isolated in that way to prevent potential abuses via data brokers by way of sale of the information
As long as the tracking of the toggle isn't a thing its a perfect compromise.
This concept does not involve any tracking if implemented as designed. The user agent detects the RTA header and triggers parental controls if enabled. Many sites already voluntarily self label. [1] Careful how far one drills down as these sites are NSFW and some may be malicious.
If we must do something like this, I think a good solution would be an optional server header that describes the types of objectionable content that may be present (including “none”). Browsers on child devices from mainstream vendors would refuse to display any “unrated” resources without the header, and would block any resources that parents deem age-inappropriate, with strict but fair default settings that can be overridden. Adult browsers would be unaffected. Legislatures could attempt to craft laws against intentionally miscategorized sites, as doing this would be intentionally targeting kids with adult content.
There is no perfect solution that avoids destroying the internet, but this would be a pretty good solution that shelters kids from accidentally entering adult areas, and it doesn’t harm adult internet users. It also avoids sending out information about the user’s age since filtering happens on the client device.
It was derided as a "system for mass censorship", and got shot down. In hindsight a mistake, and it should have been implemented - it was completely voluntary by the user.
My only gripe here is the idea of "perhaps hold the parents culpable." I'm not opposed to the idea, but what sucks is we are ultimately all paying the cost of it going wrong. The idea that we can shunt that away to a few irresponsible people is just demonstrably not the case.
Worse, it leads to situations where society seems to want to flat out be kid free in many ways. With families reportedly afraid to let their kids walk to and from school unsupervised.
I don't know an answer, mind. So this is where I have a gripe with no real answer. :(
Add to that, clearly those "bad parents" are the result of bad parenting in the first place, so really it's the grand parents that are to blame...
Wait, those grand parents also had bad models to work with, so really it's the great grandparents that were to blame...
No, wait, it was the society that they grew up in that encouraged poor behaviour toward them, and forced them to react by taking on toxic behaviours. We all should pay because we all actively contribute to the world around us, and that includes being silent when we see bad things happening.
>Worse, it leads to situations where society seems to want to flat out be kid free in many ways. With families reportedly afraid to let their kids walk to and from school unsupervised.
Less the false dichotomy, and more the stickiness of each of those options. To your point (I think), those aren't the only options available, but people do seem to be attracted quite heavily to them.
I was referencing the towns that have called the cops because there were some unsupervised kids in a park. I comfort myself by saying this isn't nearly as common as the fear mongers online would have you think. That there are cases it happens still worries me.
Note that I'm not even necessarily worried about cops getting called. Quite the contrary, I am fine with the idea of cops having a more constant presence around parks and such. I do worry about people that get up in arms about how things are too unsafe for kids to be let outside. If that is the case, what can we do to make it safe?
It could be added at the router? The child's computer could be identified and this header added, in a MITM situation... but, maybe that would be easy to defeat, by replacing the cert on the client? Not my area of expertise... really just asking...
There's no reason to hold the parents culpable. It would be up to the device manufacturer to ensure that this isn't possible on a system that has parental controls enabled. This is already a solved problem - see how MDM solutions do it, and see Apple's ban on alternative browsers.
It's not even necessary to block parents from giving their children Linux desktops or whatever. It'll largely solve the problem if parents are merely expected to enable parental controls on devices that have the capability.
> Perhaps even hold parents culpable for not doing so, as a minimum supervision requirement
Even the idea of prosecuting parents for allowing their child to access 'information,' no matter what that information is, just sounds like asking for 1984-style insanity.
A good rule of thumb when creating laws: imagine someone with opposite political views from yours applying said law at their discretion (because it will happen at some point!).
Another good question to ask yourself: is this really a severe enough problem that government needs to apply authoritarian control via its monopoly on violence to try to solve? Or is it just something I'm abstractly worried about because some pseudo-intellectuals are doing media tours to try to sell books by inciting moral panic?
As with every generation who is constantly worried about what "kids these days" are up to, it's highly highly likely the kids will be fine.
The worrying is a good instinct, but when it becomes an irrational media hysteria (the phase we're in for the millennial generation who've had kids and are becoming their parents), it creates perverse incentives and leads to dumb outcomes.
The truth is the young are more adaptable than the old. It's the adults we need to worry about.
> Even the idea of prosecuting parents for allowing their child to access 'information,' no matter what that information is, just sounds like asking for 1984-style insanity.
This assumes an absolutist approach to enforcement, which I did not advocate and is not a fundamental part of my proposed solution. In any case, the law already has to make a subjective decision in non-technology areas. It would be no different here. Courts would be able to consider the surrounding context, and over time set precedents for what does and does not cross the bar in a way that society considers acceptable.
But what if we didn't collectively spend $billions of dollars and hundreds of thousands of hours battling with money, lobbyists, lawyers, judges and political campaigns over what is largely a moral panic?
What could humanity do instead with all that time and resources?
I know the US is a nation built by lawyers, for lawyers, but this is both its best strength and worst weakness. Sometimes it's in everyones best interest to accept the additional risks individually as opposed to bubble wrapping everything in legislation and expanding the scope of the corrupt lawyer-industrial complex.
Maybe the lawyers could use the extra time fixing something actually important like healthcare or education instead.
I am a Russian proxy site, I make requests for you without the header. I serve you the content because I don't care about following American laws.
Alternatively, just use an older browser that doesn't serve the header.
If anything, you'd want the reverse. A header that serves as a disclaimer saying "I'm an adult, you can serve me anything" and then the host would only serve if the browser sends that header. And you'd have to turn it on through the settings/parental controls.
Now, this doesn't handle the proxy situation. You could still have a proxy site that served the request with the header for you, but there's not much you can do about that regardless.
> 1) Given that it just says you're a "child", how does that work across jurisdictions where the adult age may not be 18?
It's a client-side flag saying "treat this request as coming from a child (whatever that means to you)". I don't follow what the jurisdiction concern is.
[EDIT] Oooooh you mean if a child is legally 18 where the server is, but 16 where the client is. But the header could be un-set for a 5-year-old, too, so I don't think that much matters. The idea would be to empower parents to set a policy that flags requests from their kids as coming from a child. If they fail to do that, I suppose that'd be on them.
The concern is that websites have no way to tell the actual age in this scenario so you'd be potentially inconveniencing and/or blocking legitimate users (according to the server jurisdiction's rules)
It doesn't seem sufficient, and would probably lead to age verification laws anyway.
Say you're a parent, with child, living in country A where someone becomes an adult when they're 18. Once the child is 18, they'll use their own devices/browsers/whatever, and the flag is no longer set. But before that, the flag is set.
Now in country B or in country C it doesn't matter that the age of becoming an adult is 15 and 30. Because the flag is set locally on the clients device, all they need to do is block requests with the flag, and assume it's faithful. Then other parents in country B or country C set/unset the flag on their devices when it's appropriate.
No need to tell actual ages, and a way for services to say "this is not for children", and parents are still responsible for their own children. Sounds actually pretty OK to me.
Except that if you're in country B, which has a law that says "you may not make information available to children that discloses that Santa Claus is made up," and the age of becoming an adult in your country is 18 -- knowing that a person accessing your site from country A is an adult in country A (which means, say, ≥ 16) is not sufficient to comply with the law.
I’m not sure why the age of majority in the region of the server would be relevant. The user is not traveling to that region, the laws protecting them should be the laws in their own region.
I don't know if "should" is intended as a moral statement or a regulatory statement, but it's not at all unusual for server operators to need to comply with laws in the country in which they are operating…
> 1) Given that it just says you're a "child", how does that work across jurisdictions where the adult age may not be 18?
So namespace it then. "I'm a child as defined by the $country_code government". It's no more of a challenge than what identity-based age verification already needs to do.
> 2) It seems like it could be abused by fingerprinters, ad services, and even hostile websites that want to show inappropriate content to children.
This is still strictly better than identify-based age verification. Hostile or illegal sites can already do this anyway. Adding a single boolean flag which a large proportion of users are expected to have set isn't adding any significant fingerprinting information.
Why they don't use zero knowledge proof? Also question for the USA constitution experts, is this considered a violation of free speech? The article is not clear on this.
"Free Speech" in the American legal sense (1st Amendment to the Constitution) applies to government prohibition on speech, with a particular emphasis on political speech.
It doesn't prevent one person from prohibiting speech... I can tell a pastor to stop preaching on my lawn. But, the government cannot tell a pastor not to preach in the publicly-owned town square (generally, there are exceptions).
There are arguments that certain online forums are effectively "town squares in the internet age" (Twitter in particular, at least pre-Musk). But, I always found that analogy to fall apart - twitter (or whatever online forum) is more like an op-ed section in a newspaper, IMO. And newspapers don't have to publish every op-ed that gets submitted.
Also, the 1st Amendment does not protect you from the consequences of your speech. I can call my boss an asshole to his face legally - and he can fire me (generally, there are labor protections and exceptions).
Some proposed implementation do this. Without the requirement there is no chance of your ID or age being leaked, with zero knowledge proof, there is a chance they leak but can be made small, potentially arbitrarily so. Other implementations come with larger risks.
- If I can do a zero knowledge proof once per day against someone who is under age, I can eventually determine their birthday.
- If I can do a zero knowledge proof with an arbitrary age, I can eventually determine anyone's birthday.
- If the only time people need to verify their age is to visit some site that they'd rather not anyone know they visit and that requires showing identity - even if it's 100% secure, a good share of people will balk simply because they do not believe it is secure or creating a chilling effect on speech.
- If the site that verifies identity is only required for porn, then it has a list of every single person who views porn. If the site that verifies identity is contacted every time age has to be re-registered, then it knows how often people view porn.
- If the site that verifies identity is a simple website and the population has been trained that uploading identity documents is totally normal, then you open yourself up to phishing attacks.
- If the site that verifies identity is not secure or keeps records, then anyone can have the list (via subpoena or hacking).
- If the protocol ever exchanges any unique identifier from the site that verifies your identity and the site that verifies identity keeps records, then one may piece together, via subpoena (or government espionage, hacking) every site you visit.
Frankly, the fact that everyone promoting these systems hasn't admitted there are any potential security risks should be like an air raid siren going off in people's heads.
And at the end of all of this, none of it will prevent access to a child. Between VPNs, sharing accounts, getting older siblings/friends to do age verification for them, sites in jurisdictions that simply don't care, the darkweb, copying the token/cert/whatever from someone else, proxying age verification requests to an older sibling/rando, etc. there are way, way too many ways around it.
So one must ask, why does taking all this risk for so little reward make any sense?
Zero knowledge proof is either trivially defeated by re-using the same credentials or doesn't have useful privacy guarantees. There really isn't an in-between here for something like age verification.
The idea is that e.g. the government would give you an app that lives on your phone. When you apply for the app you provide some documents to prove your age, but you don't say anything about what sites you plan to visit. When you want to visit an age-restricted site you use the app to generate a proof that you have it, but the site doesn't learn anything more than that, and the government doesn't learn that you used the app.
It's funny because the same "perfect is the enemy of good" argument is used both to criticize age verification in the first place (why bother if it isn't perfect) but then also to dismiss proprosals to implement it better (why bother if they don't perfectly fix the problem).
No. It's mostly that the proposed age verification schemes have fundamental problems that disqualify them from being considered "good" and none of the "better" implementations fix those problems at all.
Age verification in general is not intended to defend against people lying or using stolen credentials. If you’re 13 but know the password to your dead grandpa’s account and the website in question has no idea he’s dead, there’s no way to defend against that, with or without a ZKP.
What the ZKP does is let you limit the information the site collects to the fact that you are under 18, and nothing else. It’s an application of the principle of least privilege. It lets you give the website that one fact without revealing your name, birthdate, address, browsing history, and all your other private data.
(IANAL) That demonstrates the opposite: that's a voluntary system with no force of law behind it—the private sector "self-regulating" itself, if you will.
The film rating systems were created under threat of legislation in the first half of the 20th century (so, in lieu of actual legislation). The transformative 1st Amendment rulings of the Warren Court would have made such laws unconstitutional after the 1960's, but the dynamic that created these codes predates that—predates the modern judicial interpretation of the 1st Amendment.
Because safeguarding user privacy is not a goal. Scoring political points with "think of the children" agendas, while getting kickbacks from companies salivating at the opportunity to gather even more personal data, is.
Onlyfans is legal prostitution so we need to protect that. Better to regulate the entire internet with taking your rights than question why it's allowed.
No, its legal (in some jurisdictions) pornography. Prostitution on the platform, as well as whatever the legal status is in the set of jurisdictions involved, is also, from what I understand, explicitly against the platform ToS.
Way to split hairs. Something being against the ToS can still be legal.
Prostitution obviously cannot physically happen on an online platform, but it sure is a convenient way to advertise and attract customers, and serve as the payment processor.
> Way to split hairs. Something being against the ToS can still be legal.
Well, no, violating a binding legal agreement is illegal.
> Prostitution obviously cannot physically happen on an online platform, but it sure is a convenient way to advertise and attract customers, and serve as the payment processor.
Which is explicilty prohibited by the law in many places OF operates, and judging from the number of people who are creators on the platform I've seen complaining about people jeopardizing their status with the platform by soliciting it on the platform, also by the actively-enforced terms of the platform. OF is simply not “legal prostitution”, and it is ridiculous to describe it that way
What they should do instead is invest in technology that can do age verification while protecting privacy. This is obviously a required piece of technology. It is not acceptable for children to grow up on the Internet and easily access pornography by simply going to a website. Imagine letting your children loose in a city where they can wander in and out of peep shows without friction.
While the "required piece of technology" aspect is debatable, there is certainly enough demand for it that it is going to happen in one way or another.
So I agree that instead of fighting some change that I think is inevitable, they should make it so that it works in the most privacy-conscious way possible. And I mean with real technical solutions, like an open-source app or browser extension you can download, a proof-of-concept server for age verification, etc... using the best crypto has to offer.
Any time law-makers claim that a law is meant to protect children you can guarantee that the safety of children had almost nothing to do with it. This is all a push to normalize digital ID (to protect the children!); once normalized it will become mandatory.
I always ask myself who wins with these laws (well, any law really). so far, the only winner seems to be the government and data collectors. It seems these laws are intended to collect leverage in the long run.
I'd argue that this is negligible for data collectors and governments. Governments already know who you are and what sites you vist for 99.99% of the population. Data collectors already know who you are and have a pretty good idea of the sites you vist.
What unique information is this going to give the government and data collectors to abuse? Lets establish one case that both affects average people and is "bad" and not waste time discussing things that only affect a tiny minority of privacy minded people.
Keep in mind the law states a platform must provide multiple ways to reasonably verify a user is older than 16. No mention of giving the specific user age or requiring govt id
Generally speaking, I share the HN consensus on age verification laws. But, there is a real problem with kid's unfettered internet access. Just think about all the adults who are hopelessly addicted to social media. The negative affects are amplified when it comes to developing minds.
My SO has been teaching for nearly 20 years now, and mental health in kids has fallen off a cliff in the last two decades. I could fill this page with online bullying stories. Some of which, are especially cruel. Half her students are on medication for anxiety. It's out of control, honestly.
That said, I don't know how to solve it. It's easy to put this on the parents, but that's not the answer. Otherwise, it would be solved already. Some don't care. Some don't have the time to care because they're trying to keep the lights on, and dinner on the table. And, some simply think it doesn't apply to them or their children. Parents on HN are hyper-aware of this sort of thing, but that's definitely the minority.
I know a family that would be most folks least likely candidate for something bad to happen online. Single income, relatively well off, the parent at home has an eye on the kids 24/7. And, if you met the kids, you would most likely qualify them as "good kids". Without going into detail, their life was turned upside down because one of the kids was "joking around" online.
Again, I don't know what the answer to the problem is. Clearly, age verification laws are a veiled attempt to both collect and control data. And, EFF's emphasis on advertising restrictions as a solution, seems off the mark. There's more to it than that. Idk, this shit makes me want to log off permanently, and pretend it's 1992.
I would be happy if we just moved to a way we could more realistically enable audits of information flow in our lives. I don't, necessarily, want to restrict my kids consumptions. It does worry me that I don't know how to teach them to audit all of the information that is being exposed to them. Or worse, collected about them.
I'm not entirely sure what you mean by 'audit', but teach them critical thinking, and show them the strategies the media uses to manipulates them. Teach them there's often more than 1 side to a story.
Things like this will give them a huge advantage in not being manipulated and lied to.
To explain it like budgeting. You can forward plan what you will spend money on. But you also need to be able to see where all of your money went. This is nigh impossible with data flow, nowadays.
I'd be comfortable with it having large segments of "uncategorized." But right now, if I scan over to my ISP to see how much data I have used for the month, I have little to no help in saying how much of that was what.
Ah okay. I think this would probably be pretty tricky, security-wise, no? One of my first thoughts that might help would be writing a simple tool that parses history from your browsers to categorize it. Other than that, there are things like https://activitywatch.net/ (which seems to have a desktop and Android version)
Yeah, just writing out the idea, I would imagine I should be able to see a lot of this with my router?
Again, I get that that will be a lot I have to write off as "uncategorized." I'm not even trying to drive all telemetry down to zero. I'm comfortable knowing that my HVAC may send diagnostic stuff in, as an example. But it seems kind of crazy to me that this is not something that is often discussed? Do I just miss those discussions?
> we must fight back to protect the internet that we know and love.
This is not compelling. The internet I know and love has been dying for a long time for unrelated reasons. The new internet that is replacing that one is an internet that I very much do not love and would be totally ok to see lots of it get harder to access.
The parts where traffic generates money for the kind of people who would think putting an advertisement on a screen on someone's home refrigerator is an acceptable thing to do (morally, not legally or whatever).
Not to mention people lose accounts because someone reported them as underage, and now they don't want to fully dox themselves over this. Who can blame them considering discord's own support ticket system was hacked which included people who had to validate their age.
I wonder what the psychological effect of having little or no privacy would do to people. Are we all going to be paranoid schizophrenics? How would a world of paranoid schizophrenics work? How insane are world events going to be from that point on?
China is an example of this. Somewhere that, according to the UN's data, executed "undesirable" people with such gusto that it incidentally decreased the organ donor waitlist time so low that it couldn't be explained by any other factor.
"Perfect" security is only attainable with zero dissent, zero individuality, zero privacy, and zero freedom.
Paranoid, maybe. Schizophrenics? No. Firstly, "paranoid schizophrenia" is an outdated diagnosis. Paranoia is a common symptom of schizophrenia, but schizophrenics exhibiting paranoia are not considered to have separate mental illness from those who are not. Secondly, schizophrenia is not caused simply by psychological stress, and is associated with a large cluster of positive and negative symptoms, with paranoia being only one of them.
Realistically all but the largest sites are going to contract out age verification to third parties. There will probably be verification companies that will have a wide range of verifications.
"SAN FRANCISCO-With ill-advised and dangerous age verification laws proliferating across the United States and around the world, creating surveillance and censorship regimes that will be used to harm both youth and adults, the Electronic Frontier Foundation has launched a new resource hub that will sort through the mess and help"
The surveillance and censorship system is built, administered and maintained by Silicon Valley companies who have adopted this as their "business model". "Monetising" surveillance of other peoples' noncommercial internet use
These Silicon Valley companies have been surveilling internet subscribers for over a decade, relentlessly connecting online identity to offline identity, hell bent on knowing who is accessing what webpage on what website, where they live, what they are interested in, and so on, building detailed advertising profiles (including the age of the ad target) tied to IP addresses, then selling the subscribers out to advertisers and collecting obscene profits (and killing media organisations that hire journalists in the process)
Now these companies are being forced to share some of the data they collect and store
Gosh, who would have forseen such an outcome
These laws are targeting the Silicon Valley companies, not internet subscribers
But the companies want to spin it as an attack on subscribers
The truth is the companies have been attacking subscriber privacy and attempting to gatekeep internet publication^1 for over a decade, in the name of advertising and obscene profits
1. Discourage subscribers from publishing websites and encourage them to create pages on the company's website instead. Centralise internet publication, collect data, perform surveillance and serve advertisements
I am disappointed to find no mentions of zero knowledge proofs or any other indications that we wont have to trust anyone with this task.
We have the technology to do age verification without revealing any more information to the site and without the verification authority finding out what sites we are browsing. However, most people are ignorant of it.
If we don't push for the use of privacy preserving technology we wont get it and we will get more tracking. You cannot defeat age verification on the internet, age verification is already a feature of our culture. The only way out is to ensure that privacy preserving technologies are mandated.
I think sadly, this is a lost battle in public opinion. And the gambling of digital assets on Roblox and other casino-like website is also starting to get public attention, and will turn public opinion further.
The CNIL gave up 3 years ago, and gave guidelines, you can read about it here [0]. At the time it read like "How well, we tried, we said it is incompatible with privacy and the GDPR multiple times, we insist one more time that giving tools to parents is the only privacy-safe solution despite obvious problems, but since your fucking law will pass, so the best we can do is to draw guidelines, and present solutions and how to implement them correctly".
I think the EFF should do the same. That's just how it is. Define solutions you'll agree with. Fight the fight on chat control and other stuff where the public opinion can be changed, this is too late, and honestly, if it's done well,it might be fine.
If the first implementation is correct, we will have to fight to maintain the statu quo, which in a conservative society, is the easiest, especially when no other solution have been tested. If it's not, we will have to fight to make it correct, then fight to maintain it, and both are harder. the EFF should reluctantly agree and draft the technical solution themselves.
online age verification is disingenuous and a pretext to give governments the hard coded technical option to regulate speech and association.
there's a great game being played out by these users of force against the advocates of desire. everything about the bureaucracies pushing digital ID is unwanted. this isnt about age verification tech, its about illegitimate power for unwanted people who are actuated by forcing their will on others.
we should treat these actions with the open disgust they deserve.
The net got too big, the 90% got in because of facebook and google, and automated bots took over from there.
Either we create the fix, or the feds take it over. we need to sever the idea of a global internet. per-country and allied nations only.
anonymous cert-chain verified ID stored on device. problem fixed.
In Switzerland you are forced to receive an SMS code to your phone on every portal in every public space everywhere to establish your identity on every network. No SMS = No public wifi anywhere in Switzerland.
That's a funny choice, I thought Europe was done with SMS. I can see this 1-to-1 mapping with other cellphone derived messaging like Whatsapp, etc being an issue for privacy but it's certainly possible to have multiple phones.
I believe cyber cafes in India must verify identity via ID before allowing internet access and maintain logs, browsing history, etc. for at least one year.
I understand this is a technology forum, frequented mostly by liberal adults, who built a lot of their internet nous on totally free internet of 90s and 00s. I am one of them.
Equally, I think insisting that there must be no controls to internet access whatsoever is not right either. There is now plenty of evidence that eg. social media are very harmful to teenagers - and frankly, before I noticed, going on FB got me depressed each time I did it at one point. And as a parent, you realise how little control you have over your children's tech access. Case in point - my kids seem to have access to very poorly locked down iPads at school. I complained, but they frankly don't understand.
We all accept kids can't buy alcohol and cigarettes, even if that encroaches on their freedom. But or course flashing an ID when you're over 18 is not very privacy-invading.
Likewise, I think it is much better to discuss better means of effecting these access controls. As some comments here mention, there are e.g. zero knowledge proofs.
I'm sure I'll be told it's all a sham to collect data and it's not about kids. And maybe. But I care about kids not having access to TikTok and Pornhub. So I'd rather make the laws better than moan about how terrible it is to limit access to porn and dopamine shots.
For the folks in the back row:
Age Verification isn't about Kids or Censorship, It's about Surveillance
Age Verification isn't about Kids or Censorship, It's about Surveillance
Age Verification isn't about Kids or Censorship, It's about Surveillance
Without even reaching for my tinfoil hat, the strategy at work here is clear [0 1 2]. If we have to know that you're not a minor, then we also have to know who you are so we can make any techniques to obfuscate that illegal. By turning this from "keep an eye on your kids" to "prove you're not a kid" they've created the conditions to make privacy itself illegal.
VPNs are next. Then PGP. Then anything else that makes it hard for them to know who you are, what you say, and who you say it to.
Please, please don't fall into the trap and start discussing whether or not this is going to be effective to protect kids. It isn't, and that isn't the point.
0 https://www.eff.org/deeplinks/2025/11/lawmakers-want-ban-vpn...
1 https://www.techradar.com/vpn/vpn-privacy-security/vpn-usage...
2 https://hansard.parliament.uk/Lords/2025-09-15/debates/57714...
That is untrue
(This includes being robust against law enforcement action, legal or otherwise.)
2) Cigarette vending machines accept VISA cards and government IDs and they're offline.
3) A medium-sized social media network required photos (not scans) of GovIDs, where only year of birth and validity date need to visible. The rest could be blacked out physically.
4) You can guess users' age and only request solid proof only for those you are unsure about.
The problem is that we technical users think of a one-size-fits-all technical approach that works, without a single fail, for all global users. That is bound to fail.
It is only a law and you can break it big time or small time. Reddit's approach might proof way too weak, it'll be fined and given a year to improve. Others might leave the market. Others will be too strict and struggle to get users. Others might have weak enforcement and keep a low profile forever. Others will start small, below the radar and explode in popularity and then enforcement will have to improve.
You can also request identity and then delete it. (Yes, some will fail to delete and get hacked.)
Giving Facebook a free pass is stupid. They're selling your age cohort "10-11" within 0.0037ms for 0.$0003 to the highest bidder on their ad platform.
When I say "if we have to know you're not a kid, we have to know who you are" I'm not stating an actual truth, but the argument as it is playing out politically.
The law does not mandate identity, so your argument does not hold.
The EU age verification solution says implementations SHOULD implement[1] their ZKP protocol[2]. Not linking it to the user is stated as an explicit goal:
Unlinkability: The goal of the solution is to prevent user profiling and tracking by avoiding linkable transactions. Initially, the solution will rely on batch issuance to protect users from colluding RPs. Zero-Knowledge Proof (ZKP) mechanisms will be considered to offer protection. More details are provided in Section 7.
[1]: https://ageverification.dev/av-doc-technical-specification/d...
[2]: https://ageverification.dev/av-doc-technical-specification/d...
https://blog.google/technology/safety-security/opening-up-ze...
We know this because, instead of putting easy-to-use parental controls on new devices sold (and making it easy to install on old ones) with good defaults [1], they didn't even try that, and went directly for the most privacy-hostile solution.
[1] So lazy parents with get whatever censorship the government thinks is appropriate for kids, while involved parents can alter the filtering, or remove the software entirely.
In real life, we think age verification is a good thing. Kids shouldn't buy porn. Teenagers shouldn't get into bars. etc... There has to be room somewhere for reasonable discussion about making sure children do not have access to things they shouldn't. I think it's important to note, that complete dismissal of this idea only turns away your allies and hurts our cause in the long run.
The one thing you can control is your childs access through their device using parental controls.
I can absolutely guarantee you that any teenager can easily get access to weed, cigarettes and alcohol despite the laws and definitely can use a VPN. It only takes one smart kid to show them how.
I'm even willing to talk about the possibility that we could use more robust systems deployed more broadly. A lot of folks here are talking about ZKPs in this regard, and that's not a bad idea at all.
The issue I'm trying to sound the horn on is that the current push for AF in the US and EU has nothing to do with kids. I think you could put together a working group on ZKPs and Age Verification, write up a paper and run experiments, and when you bring it to the lawmakers they're gonna say something to the tune of:
"yeah but that's not trustworthy enough and too technical for people to understand so we're just going to serve legal notices to VPN providers instead to tell them that they can't anymore"
...or something to that tune. I'm not a mind reader, I've just read the reports (by lawmakers) mentioning VPNs as an "area of concern".
This is a political gambit and not a new one. The more we treat the current issue as having anything to do with protecting kids the more we legitimize what is an obvious grift.
The EU is currently doing large-scale field tries of the EU Digital Identity Wallet, which they have been working on for several years. It uses ZKPs for age verification. They expect to roll it out to the public near the end of 2026.
Ok. In real life, do we think having agents from the government and corporations following you everywhere, writing down your every move and word, is a good thing?
The concern about children is aimed at the wrong target. Instead of targeting everyone it would make far more sense to target the platforms. With Roblox having a pedo problem the company should face punishment. That will actually get them to change their ways. However all these massive platforms are major donors to politicians so the chance of that happening is low to none.
It would not surprise me in the least if there are brick-and-mortar businesses doing this, especially larger companies in jurisdictions (such as the majority of the United States) with weak/nonexistent privacy protections.
But yeah, walmart is for sure logging their transactions and selling the data. It's practically free money.
As many are pointing out zero knowledge proofs exist and resolve most of the issues they are referring to. And it doesn't have to be complex. A government (or bank, or anybody that has an actual reason to know your identity) provided service that mints a verifiable one time code the user can plug into a web site is very simple and probably sufficient. Pretty standard PKI can do it.
The real battle to be lost here is that uploading actual identity to random web sites becomes normalised. Or worse, governments have to know what web sites you are going to. That's what needs to be fought against.
My view is that there's no reason why we can't come together and come up with a rating system for websites (through HTTP headers, there are already a couple proposals, the RTA header and another W3C proposal).
Once a website just sends a header saying this is adult only content, what YOU as a user do with it is up to you. You could restrict it at the OS level (which is another thing we ALREADY have).
This would match the current system, which allows households to set their devices to block whatever they want, and the devices get metadata from the content producers.
No ID checks needed.
After all, they can legitimately claim it solves much of the issues with other verification schemes - no need to trust third party sites or apps, lower risk of phishing, easier to implement internationally and with foreign nationals, etc.
Of course, the downside (for individuals) is it would take just one legal tweak or pressure from the government to destroy anonymity for good.
Forcing providers to divine the age of the user, or requiring an adult's identity to verify that they are not a child, is backwards, for all the reasons pointed out. But that's not the only way to "protect the children". Relying on a very minimal level of parental supervision of device use should be fine; we already expect far more than that in non-technology areas.
[1] - https://news.ycombinator.com/item?id=46152074
[2] - https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...
This completely leaves it up to the families / parents to control and gives some level of compliance to make the effort worth while.
There may even be a way to generate enough noise with the request to prevent any forms of tracking. This sort of thing should really be isolated in that way to prevent potential abuses via data brokers by way of sale of the information
This concept does not involve any tracking if implemented as designed. The user agent detects the RTA header and triggers parental controls if enabled. Many sites already voluntarily self label. [1] Careful how far one drills down as these sites are NSFW and some may be malicious.
[1] - https://www.shodan.io/search?query=RTA-5042-1996-1400-1577-R...
There is no perfect solution that avoids destroying the internet, but this would be a pretty good solution that shelters kids from accidentally entering adult areas, and it doesn’t harm adult internet users. It also avoids sending out information about the user’s age since filtering happens on the client device.
It was derided as a "system for mass censorship", and got shot down. In hindsight a mistake, and it should have been implemented - it was completely voluntary by the user.
Worse, it leads to situations where society seems to want to flat out be kid free in many ways. With families reportedly afraid to let their kids walk to and from school unsupervised.
I don't know an answer, mind. So this is where I have a gripe with no real answer. :(
Wait, those grand parents also had bad models to work with, so really it's the great grandparents that were to blame...
No, wait, it was the society that they grew up in that encouraged poor behaviour toward them, and forced them to react by taking on toxic behaviours. We all should pay because we all actively contribute to the world around us, and that includes being silent when we see bad things happening.
I'm not seeing the correlation / causation here.
A. "Your kid is not my problem"
B. "Your kid is everyone's problem"
Note that I'm not even necessarily worried about cops getting called. Quite the contrary, I am fine with the idea of cops having a more constant presence around parks and such. I do worry about people that get up in arms about how things are too unsafe for kids to be let outside. If that is the case, what can we do to make it safe?
It's not even necessary to block parents from giving their children Linux desktops or whatever. It'll largely solve the problem if parents are merely expected to enable parental controls on devices that have the capability.
Even the idea of prosecuting parents for allowing their child to access 'information,' no matter what that information is, just sounds like asking for 1984-style insanity.
A good rule of thumb when creating laws: imagine someone with opposite political views from yours applying said law at their discretion (because it will happen at some point!).
Another good question to ask yourself: is this really a severe enough problem that government needs to apply authoritarian control via its monopoly on violence to try to solve? Or is it just something I'm abstractly worried about because some pseudo-intellectuals are doing media tours to try to sell books by inciting moral panic?
As with every generation who is constantly worried about what "kids these days" are up to, it's highly highly likely the kids will be fine.
The worrying is a good instinct, but when it becomes an irrational media hysteria (the phase we're in for the millennial generation who've had kids and are becoming their parents), it creates perverse incentives and leads to dumb outcomes.
The truth is the young are more adaptable than the old. It's the adults we need to worry about.
This assumes an absolutist approach to enforcement, which I did not advocate and is not a fundamental part of my proposed solution. In any case, the law already has to make a subjective decision in non-technology areas. It would be no different here. Courts would be able to consider the surrounding context, and over time set precedents for what does and does not cross the bar in a way that society considers acceptable.
You have way too much faith in the fairness of the court system.
What could humanity do instead with all that time and resources?
I know the US is a nation built by lawyers, for lawyers, but this is both its best strength and worst weakness. Sometimes it's in everyones best interest to accept the additional risks individually as opposed to bubble wrapping everything in legislation and expanding the scope of the corrupt lawyer-industrial complex.
Maybe the lawyers could use the extra time fixing something actually important like healthcare or education instead.
Alternatively, just use an older browser that doesn't serve the header.
If anything, you'd want the reverse. A header that serves as a disclaimer saying "I'm an adult, you can serve me anything" and then the host would only serve if the browser sends that header. And you'd have to turn it on through the settings/parental controls.
Now, this doesn't handle the proxy situation. You could still have a proxy site that served the request with the header for you, but there's not much you can do about that regardless.
That's no different to a law mandating identification-based age verification though. A site in a different jurisdiction can ignore that just the same.
1) Given that it just says you're a "child", how does that work across jurisdictions where the adult age may not be 18?
2) It seems like it could be abused by fingerprinters, ad services, and even hostile websites that want to show inappropriate content to children.
It's a client-side flag saying "treat this request as coming from a child (whatever that means to you)". I don't follow what the jurisdiction concern is.
[EDIT] Oooooh you mean if a child is legally 18 where the server is, but 16 where the client is. But the header could be un-set for a 5-year-old, too, so I don't think that much matters. The idea would be to empower parents to set a policy that flags requests from their kids as coming from a child. If they fail to do that, I suppose that'd be on them.
It doesn't seem sufficient, and would probably lead to age verification laws anyway.
Say you're a parent, with child, living in country A where someone becomes an adult when they're 18. Once the child is 18, they'll use their own devices/browsers/whatever, and the flag is no longer set. But before that, the flag is set.
Now in country B or in country C it doesn't matter that the age of becoming an adult is 15 and 30. Because the flag is set locally on the clients device, all they need to do is block requests with the flag, and assume it's faithful. Then other parents in country B or country C set/unset the flag on their devices when it's appropriate.
No need to tell actual ages, and a way for services to say "this is not for children", and parents are still responsible for their own children. Sounds actually pretty OK to me.
> should
I don't know if "should" is intended as a moral statement or a regulatory statement, but it's not at all unusual for server operators to need to comply with laws in the country in which they are operating…
So namespace it then. "I'm a child as defined by the $country_code government". It's no more of a challenge than what identity-based age verification already needs to do.
> 2) It seems like it could be abused by fingerprinters, ad services, and even hostile websites that want to show inappropriate content to children.
This is still strictly better than identify-based age verification. Hostile or illegal sites can already do this anyway. Adding a single boolean flag which a large proportion of users are expected to have set isn't adding any significant fingerprinting information.
It doesn't prevent one person from prohibiting speech... I can tell a pastor to stop preaching on my lawn. But, the government cannot tell a pastor not to preach in the publicly-owned town square (generally, there are exceptions).
There are arguments that certain online forums are effectively "town squares in the internet age" (Twitter in particular, at least pre-Musk). But, I always found that analogy to fall apart - twitter (or whatever online forum) is more like an op-ed section in a newspaper, IMO. And newspapers don't have to publish every op-ed that gets submitted.
Also, the 1st Amendment does not protect you from the consequences of your speech. I can call my boss an asshole to his face legally - and he can fire me (generally, there are labor protections and exceptions).
Some proposed implementation do this. Without the requirement there is no chance of your ID or age being leaked, with zero knowledge proof, there is a chance they leak but can be made small, potentially arbitrarily so. Other implementations come with larger risks.
There were major Supreme Court rulings on the topic recently, see
https://news.ycombinator.com/item?id=44397799 ("US Supreme Court Upholds Texas Porn ID Law (wired.com)"—5 months ago, 212 comments)
https://en.wikipedia.org/wiki/Free_Speech_Coalition_v._Paxto...
- If I can do a zero knowledge proof with an arbitrary age, I can eventually determine anyone's birthday.
- If the only time people need to verify their age is to visit some site that they'd rather not anyone know they visit and that requires showing identity - even if it's 100% secure, a good share of people will balk simply because they do not believe it is secure or creating a chilling effect on speech.
- If the site that verifies identity is only required for porn, then it has a list of every single person who views porn. If the site that verifies identity is contacted every time age has to be re-registered, then it knows how often people view porn.
- If the site that verifies identity is a simple website and the population has been trained that uploading identity documents is totally normal, then you open yourself up to phishing attacks.
- If the site that verifies identity is not secure or keeps records, then anyone can have the list (via subpoena or hacking).
- If the protocol ever exchanges any unique identifier from the site that verifies your identity and the site that verifies identity keeps records, then one may piece together, via subpoena (or government espionage, hacking) every site you visit.
Frankly, the fact that everyone promoting these systems hasn't admitted there are any potential security risks should be like an air raid siren going off in people's heads.
And at the end of all of this, none of it will prevent access to a child. Between VPNs, sharing accounts, getting older siblings/friends to do age verification for them, sites in jurisdictions that simply don't care, the darkweb, copying the token/cert/whatever from someone else, proxying age verification requests to an older sibling/rando, etc. there are way, way too many ways around it.
So one must ask, why does taking all this risk for so little reward make any sense?
And you don’t sss a problem with this part?
What the ZKP does is let you limit the information the site collects to the fact that you are under 18, and nothing else. It’s an application of the principle of least privilege. It lets you give the website that one fact without revealing your name, birthdate, address, browsing history, and all your other private data.
Not in principle
See the limits on curse words on TV. Or MPAA ratings for movies.
(IANAL) That demonstrates the opposite: that's a voluntary system with no force of law behind it—the private sector "self-regulating" itself, if you will.
The film rating systems were created under threat of legislation in the first half of the 20th century (so, in lieu of actual legislation). The transformative 1st Amendment rulings of the Warren Court would have made such laws unconstitutional after the 1960's, but the dynamic that created these codes predates that—predates the modern judicial interpretation of the 1st Amendment.
https://en.wikipedia.org/wiki/Hays_Code (history background)
https://en.wikipedia.org/wiki/Motion_Picture_Association_fil... ("The MPA rating system is a voluntary scheme that is not enforced by law")
No, its legal (in some jurisdictions) pornography. Prostitution on the platform, as well as whatever the legal status is in the set of jurisdictions involved, is also, from what I understand, explicitly against the platform ToS.
Prostitution obviously cannot physically happen on an online platform, but it sure is a convenient way to advertise and attract customers, and serve as the payment processor.
Well, no, violating a binding legal agreement is illegal.
> Prostitution obviously cannot physically happen on an online platform, but it sure is a convenient way to advertise and attract customers, and serve as the payment processor.
Which is explicilty prohibited by the law in many places OF operates, and judging from the number of people who are creators on the platform I've seen complaining about people jeopardizing their status with the platform by soliciting it on the platform, also by the actively-enforced terms of the platform. OF is simply not “legal prostitution”, and it is ridiculous to describe it that way
So I agree that instead of fighting some change that I think is inevitable, they should make it so that it works in the most privacy-conscious way possible. And I mean with real technical solutions, like an open-source app or browser extension you can download, a proof-of-concept server for age verification, etc... using the best crypto has to offer.
It also lets someone who knows more than I to elaborate with more depth.
I'd argue that this is negligible for data collectors and governments. Governments already know who you are and what sites you vist for 99.99% of the population. Data collectors already know who you are and have a pretty good idea of the sites you vist.
What unique information is this going to give the government and data collectors to abuse? Lets establish one case that both affects average people and is "bad" and not waste time discussing things that only affect a tiny minority of privacy minded people.
Keep in mind the law states a platform must provide multiple ways to reasonably verify a user is older than 16. No mention of giving the specific user age or requiring govt id
https://www.consumermedsafety.org/safety-articles/how-childr...
Required reading: https://en.wikipedia.org/wiki/Four_Horsemen_of_the_Infocalyp...
My SO has been teaching for nearly 20 years now, and mental health in kids has fallen off a cliff in the last two decades. I could fill this page with online bullying stories. Some of which, are especially cruel. Half her students are on medication for anxiety. It's out of control, honestly.
That said, I don't know how to solve it. It's easy to put this on the parents, but that's not the answer. Otherwise, it would be solved already. Some don't care. Some don't have the time to care because they're trying to keep the lights on, and dinner on the table. And, some simply think it doesn't apply to them or their children. Parents on HN are hyper-aware of this sort of thing, but that's definitely the minority.
I know a family that would be most folks least likely candidate for something bad to happen online. Single income, relatively well off, the parent at home has an eye on the kids 24/7. And, if you met the kids, you would most likely qualify them as "good kids". Without going into detail, their life was turned upside down because one of the kids was "joking around" online.
Again, I don't know what the answer to the problem is. Clearly, age verification laws are a veiled attempt to both collect and control data. And, EFF's emphasis on advertising restrictions as a solution, seems off the mark. There's more to it than that. Idk, this shit makes me want to log off permanently, and pretend it's 1992.
Things like this will give them a huge advantage in not being manipulated and lied to.
I'd be comfortable with it having large segments of "uncategorized." But right now, if I scan over to my ISP to see how much data I have used for the month, I have little to no help in saying how much of that was what.
Again, I get that that will be a lot I have to write off as "uncategorized." I'm not even trying to drive all telemetry down to zero. I'm comfortable knowing that my HVAC may send diagnostic stuff in, as an example. But it seems kind of crazy to me that this is not something that is often discussed? Do I just miss those discussions?
i am a child header = i am verifying myself as valid target header
has anyone realized that whatever at all the "good" guys do, the "bad" guys will abuse it.
we need canaries [bots with child header], to get a metric on any increase of attempted crimes vs a child.
This is not compelling. The internet I know and love has been dying for a long time for unrelated reasons. The new internet that is replacing that one is an internet that I very much do not love and would be totally ok to see lots of it get harder to access.
Extrapolate that how you will.
https://news.ycombinator.com/item?id=45989890
At best, you go back and forth between no privacy, a heavily condition privacy. At best.
Let’s take privacy back, but that’s a big process.
If you haven’t internalized surveillance, start working on it!
"Perfect" security is only attainable with zero dissent, zero individuality, zero privacy, and zero freedom.
https://en.wikipedia.org/wiki/Organ_transplantation_in_China
Paranoid, maybe. Schizophrenics? No. Firstly, "paranoid schizophrenia" is an outdated diagnosis. Paranoia is a common symptom of schizophrenia, but schizophrenics exhibiting paranoia are not considered to have separate mental illness from those who are not. Secondly, schizophrenia is not caused simply by psychological stress, and is associated with a large cluster of positive and negative symptoms, with paranoia being only one of them.
It's deanonymizing and intrusive and mandatory for sites to implement without protecting them from sockpuppets and foreign troll farms.
The surveillance and censorship system is built, administered and maintained by Silicon Valley companies who have adopted this as their "business model". "Monetising" surveillance of other peoples' noncommercial internet use
These Silicon Valley companies have been surveilling internet subscribers for over a decade, relentlessly connecting online identity to offline identity, hell bent on knowing who is accessing what webpage on what website, where they live, what they are interested in, and so on, building detailed advertising profiles (including the age of the ad target) tied to IP addresses, then selling the subscribers out to advertisers and collecting obscene profits (and killing media organisations that hire journalists in the process)
Now these companies are being forced to share some of the data they collect and store
Gosh, who would have forseen such an outcome
These laws are targeting the Silicon Valley companies, not internet subscribers
But the companies want to spin it as an attack on subscribers
The truth is the companies have been attacking subscriber privacy and attempting to gatekeep internet publication^1 for over a decade, in the name of advertising and obscene profits
1. Discourage subscribers from publishing websites and encourage them to create pages on the company's website instead. Centralise internet publication, collect data, perform surveillance and serve advertisements
Silicon valley uses that information to sell adds, and sometimes votes. Not great, but I can imagine much worse from a State.
We have the technology to do age verification without revealing any more information to the site and without the verification authority finding out what sites we are browsing. However, most people are ignorant of it.
If we don't push for the use of privacy preserving technology we wont get it and we will get more tracking. You cannot defeat age verification on the internet, age verification is already a feature of our culture. The only way out is to ensure that privacy preserving technologies are mandated.
Google even open-sourced technology to enable it: https://blog.google/technology/safety-security/opening-up-ze...
The politicians don't want Zero Knowledge Proof because it prevents the mass-surveillance of internet users. This is all deliberate.
The CNIL gave up 3 years ago, and gave guidelines, you can read about it here [0]. At the time it read like "How well, we tried, we said it is incompatible with privacy and the GDPR multiple times, we insist one more time that giving tools to parents is the only privacy-safe solution despite obvious problems, but since your fucking law will pass, so the best we can do is to draw guidelines, and present solutions and how to implement them correctly".
I think the EFF should do the same. That's just how it is. Define solutions you'll agree with. Fight the fight on chat control and other stuff where the public opinion can be changed, this is too late, and honestly, if it's done well,it might be fine.
If the first implementation is correct, we will have to fight to maintain the statu quo, which in a conservative society, is the easiest, especially when no other solution have been tested. If it's not, we will have to fight to make it correct, then fight to maintain it, and both are harder. the EFF should reluctantly agree and draft the technical solution themselves.
[0] https://www.cnil.fr/en/online-age-verification-balancing-pri...
there's a great game being played out by these users of force against the advocates of desire. everything about the bureaucracies pushing digital ID is unwanted. this isnt about age verification tech, its about illegitimate power for unwanted people who are actuated by forcing their will on others.
we should treat these actions with the open disgust they deserve.
Either we create the fix, or the feds take it over. we need to sever the idea of a global internet. per-country and allied nations only. anonymous cert-chain verified ID stored on device. problem fixed.
[1] https://www.gva.ch/Site/Passagers/Shopping/Services/Business...
If people care enough, they will build a new internet.
Equally, I think insisting that there must be no controls to internet access whatsoever is not right either. There is now plenty of evidence that eg. social media are very harmful to teenagers - and frankly, before I noticed, going on FB got me depressed each time I did it at one point. And as a parent, you realise how little control you have over your children's tech access. Case in point - my kids seem to have access to very poorly locked down iPads at school. I complained, but they frankly don't understand.
We all accept kids can't buy alcohol and cigarettes, even if that encroaches on their freedom. But or course flashing an ID when you're over 18 is not very privacy-invading.
Likewise, I think it is much better to discuss better means of effecting these access controls. As some comments here mention, there are e.g. zero knowledge proofs.
I'm sure I'll be told it's all a sham to collect data and it's not about kids. And maybe. But I care about kids not having access to TikTok and Pornhub. So I'd rather make the laws better than moan about how terrible it is to limit access to porn and dopamine shots.