This means any legislation should be aimed at directing device manufacturers to implement software that can respect content assertions sent by websites.
> relying on it will soon make these locked down devices mandatory for everyone under 18, and they will keep using it past 18
Okay, but in 2026 we're basically at this point. Show me a mobile phone that doesn't have a bootloader locked down with "secure boot." For this particular threat that we had worried about for a long time, we've already lost. Not in the total-sweeping way that analysis from first principles leads you to, but in the day to day practical way. It's everywhere.
The next control we're staring down is remote attestation, which is already being implemented for niches like banking. The scaffolding is there for it to be implemented on every website - "verifying your device's security" - I get that on basically everywhere these days. As soon as 80% of browsers can be assumed to have remote attestation capabilities, we can be sure they will start demanding these signals and slowly clamping down on libre browsers (as has been done with browser/IP fingerprinting over the past decade)
Any of these talks of getting the server involved intrinsically rely on shoring up "device security" through remote attestation. That is exactly what can end ad-blocking and every other client-represents-the-user freedom.
> The problem should be controlled at the source, not the destination, if feasible.
You've already acknowledged VPNs and foreign jurisdictions, which means "at the source" implies a national firewall, right?
Unless your goal is to undermine any solution on this topic? I'm sympathetic to this, I just don't see that being realistic in today's environment!
I agree with controls on addictive/exploitative platforms like Facebook or Instagram. These can be feasibly controlled at the source.
In principle I agree with keeping some content away from children, but I don't think any of the implementations will work without causing worse problems, so I disagree with implementing those.
> in the day to day practical way
There's a world of difference between practically required and it being illegal to use anything else, even if initially for a small set of population. You still have a choice to avoid those now. Moreover there is a fairly large subculture of gamers etc opposed to these movements, and open computing platforms will take a long time to fizzle out without intervention.
If you mandate locked down devices for kids, it will very quickly become locked down devices for everyone except for "licensed developers", because no one gets a bunch of new computers upon becoming an adult, and a new campaign from big tech will try to associate open computers with criminals.
> Moreover there is a fairly large subculture of gamers etc opposed to these movements, and open computing platforms will take a long time to fizzle out without intervention.
You kind of skipped over the distinction I made between "secure boot" and "remote attestation". Based on what you wrote here I'm not quite sure if you understand the difference between them. And in the context of locked down computing, the difference between them, and their specific implications, is highly important.
I'm not pointing this out to shoot down your point or something, rather I think you'd benefit from learning about this outside of this comment. But I'll be a little more explicit here to get you started:
The worry with secure boot was based around the possibility that all manufacturers would stop making non-locked-down devices. This has not really panned out - all phones basically have secure boot, there are many you can install your own OS image onto, and there are many escape hatches.
The worry with remote attestation is that website owners will be able to insist that you run specific software environment and/or hardware, and deny you access otherwise. On desktop web browsers, this is the WEI proposal that seems to have stalled. But on mobile, this is still going full speed ahead, both web and apps (SafetyNet).
The thing about remote attestation is that its restrictions take the same shape as current CAPTCHA nags, IP block based hassling, etc. When websites see that more and more visitors are compliant, they can crank up the pain. First it's invisible, then it's a warning, then it's a big hassle (eg lots of CAPTCHAs), and then finally it's a hard lockout. This can happen, led by specific industries (eg banking), regardless of any communities working to resist it. What you should picture is all of our old computers working just fine, but being able to access modern websites in a way that cannot be technically worked around.
Our ancestor comment still has the direction backwards. This is the specific dynamic that makes sense to me: https://news.ycombinator.com/item?id=47027738 .
This means any legislation should be aimed at directing device manufacturers to implement software that can respect content assertions sent by websites.
> relying on it will soon make these locked down devices mandatory for everyone under 18, and they will keep using it past 18
Okay, but in 2026 we're basically at this point. Show me a mobile phone that doesn't have a bootloader locked down with "secure boot." For this particular threat that we had worried about for a long time, we've already lost. Not in the total-sweeping way that analysis from first principles leads you to, but in the day to day practical way. It's everywhere.
The next control we're staring down is remote attestation, which is already being implemented for niches like banking. The scaffolding is there for it to be implemented on every website - "verifying your device's security" - I get that on basically everywhere these days. As soon as 80% of browsers can be assumed to have remote attestation capabilities, we can be sure they will start demanding these signals and slowly clamping down on libre browsers (as has been done with browser/IP fingerprinting over the past decade)
Any of these talks of getting the server involved intrinsically rely on shoring up "device security" through remote attestation. That is exactly what can end ad-blocking and every other client-represents-the-user freedom.
> The problem should be controlled at the source, not the destination, if feasible.
You've already acknowledged VPNs and foreign jurisdictions, which means "at the source" implies a national firewall, right?
Unless your goal is to undermine any solution on this topic? I'm sympathetic to this, I just don't see that being realistic in today's environment!