Once you force OS to communicate data about the user, here we’re talking age, is it a slippery slope? Once the architecture is created, why not put other things about you in there?
You might think you can keep 16 year olds from looking at porn, if they want to. You can't. You have never been able to. All you can do is teach them that the law is stupid and pointless, and they should treat rules with contempt. But they'll still be able to look at porn.
What you can do is allow the government and private companies to track everyone, everywhere, all the time. And you can create more gatekeepers that hold personal identity data, misuse it, and leak it.
Yeah, I agree with this. I think age-related content moderation is a losing fight and one that will create more contempt for laws, more surveillance, and much more PII surface area that will be exploited.
There are really two "core" issues at play:
1. The prudish nature of US society
2. The fact that we don't have data privacy laws and restrictions on digital surveillance by private companies
Sixteen year olds? Sure, mysterious Forest Porn and the older brother who'd give you skin mags have always existed. And Cinemax at night, catching the odd frame that somehow gets thought the scrambler. Whatever.
But we can't realize all the supposed glorious promise of all this tech bullcrap for education and free exploration of younger kids if we can't at least come pretty damn close to guaranteeing that an eight-year-old won't stumble on Rotten.com or hardcore porn if an adult isn't looking over their shoulder constantly. And whatever that solution is needs to work for parents who don't have the know-how or time to be sysadmins for their household.
I'm not overly concerned with 16 year olds. But the tools for protecting younger children suck. A consistent account setting and header would do a lot to improve parental controls.
> What you can do is allow the government and private companies to track everyone, everywhere, all the time. And you can create more gatekeepers that hold personal identity data, misuse it, and leak it.
This is already happening. A central setting would improve privacy over the way things are right now.
> A central setting would improve privacy over the way things are right now.
What? How? What improvement are you seeing that I'm not?
Putting all our PII into one huge repository and then letting corps and govts access it sounds like a dystopian nightmare. This is why we don't like Palantir.
What happens if a bad guy steals that data and your identity? They go and look at CSAM using your ID? The police turn up at your door and cart you off to prison? Are you really going to be able to argue that it wasn't you? If so, what is the point of the system? If we're relying on IP addresses and other evidence for access (so you can fight these charges) can't we just use them in the first place?
I don't know what you're talking about, but it's not what this kind of bill is about.
This kind of bill is about the OS telling things whether you're: 0-12, 13-15, 16-17, 18+
No databases, no stealable identity, only the barest sliver of 2 bits of PII.
As for how it's an improvement, we already have sites asking to see your driver's license or pictures of your face for much worse age verification paradigms. If most of those changed to a local age setting, privacy would go up.
How does the OS know that you moved from the "13-15" bracket to the "16-17" bracket without knowing your DoB?
And this is the thin edge. Because in a few years there'll be a bill saying something like "too many children are lying about their age online. We need to verify their age" and then we're capturing IDs and storing them somewhere.
> The OS could require the parent to manually update it.
How is their age verified?
At some point one of two things is required:
1) A promise that the user is a certain age
- Which puts us exactly where we are
2) Official identification is used to verify age
- Which creates a PII nightmare
That's it. There's only those two options. You may not believe #2 is going to be a privacy nightmare but we're already seeing it happen with Discord/OpenAI/LinkedIn and everyone else that uses Persona[1]. They aren't doing the minimal security things and already aren't doing what they claimed (processed on device, then deleted). This "hack" couldn't happen if that was true
The difference here is it can be set by the parent on the OS and locked. Requiring sudo equivalent to change.
The way it is now, there's nothing stopping a (18-) user from logging out of a 'parental control enabled' account and making a new account without those controls on any service from Facebook to Steam. So the only effective option at that point is to entirely block that app or service.
This gives more power to parental control software. And yeah moves the responsibility from the service to the parents, which is what the services want cuz COPPA and other similar laws.
But you do bring up another issue people aren't discussing. That the default setting is under 18.
So we protect the children from adults by... having no way to actually verify someone is a child?
The problem is less kids getting access to porn and more pedos getting accounts to spaces designed for children. Places like Club Penguin or very famously Roblox.
Here's the problem, you can't verify children. They don't have identification in the same way adults do. And worse, if we gave them that then it only makes them more vulnerable!
Then we have the whole problem of a global internet. VPN usage is already skyrocketing to circumvent these policies.
So the only real "solution" to this is global identification systems where essentially everyone is carrying around some dystopian FIDO key (definitely your phone) that has all your personal information on it and you sign every device you touch. Because everything from your fridge to your car is connected to the Internet.
But that's a cure worse than the poison. I mean what the fuck happens to IOT devices? Do we just not allow them on the internet? That they're assumed 18+? So all kids need to do is get a raspberry pi? All they need to do is install a VM on their phone? On their computer? You might think that kids won't do this but when I was in high school 20 years ago we all knew how to set up proxies. That information spread like wildfire and you bet it got easier as the smarter kids put in the legwork.
This is a losing battle. It's not a cat and mouse game it's While E Coyote vs Road Runner.
We're on HN FFS. If there's anywhere on the Internet that the average user is going to understand how impossible this is it should be here. We haven't even talked about hacking! And yes, teenage script kiddies do exist.
These policies don't protect kids, they endanger them. On top of that they endanger the rest of us. Seriously, just try to work it out. Try to create a solution and then actually try to defeat your solution. Don't be fucking Don Quixote.
> But you do bring up another issue people aren't discussing. That the default setting is under 18.
Some things do that. This law doesn't have a default. If the admin sets all the user accounts to 18+, then the users are stuck with the setting being 18+.
> I mean what the fuck happens to IOT devices? Do we just not allow them on the internet?
Sounds pretty good to me.
But yeah they need a different handling of some manner. Maybe a "give no access to anything age-gated" category, though is that really different from under-13 in practice?
> So all kids need to do is get a raspberry pi? All they need to do is install a VM on their phone? On their computer? You might think that kids won't do this but when I was in high school 20 years ago we all knew how to set up proxies.
Just delaying unrestricted access to high school would already solve most of the problem.
> These policies don't protect kids, they endanger them. On top of that they endanger the rest of us.
They do not. Some totally different system could endanger people, but this one doesn't.
Really? Be a bit more serious now. There are a lot of things that connect to the internet, and not just for stupid data harvesting reasons. I gave other examples. I think you can understand that this gets pretty hairy pretty quickly. If you don't, then dig in deeper to how the networking is done. You're an older account so I'm assuming you actually understand computers.
> They do not.
They definitely do. I explicitly stated how that happens too. If you want me to take you seriously you have to respond with something better than "trust me bro".
There is no evidence that these companies are actually handling that data properly. There is a lot of evidence that they are handling it improperly. That data being leaked does in fact, endanger kids.
I'm also unconvinced these things even achieve the goals they claim to be after. Which is keeping pedos away from kids. i.e. the reason I said you're missing the point. So either it is not achieving that goal, or lulling people into a false sense of security. Imagine if Roblox was saying "we don't allow adults on the platform" and so now all the tech illiterate parents and kids think their kids are exclusively talking to other kids. That's just a worse situation than now.
> They definitely do. I explicitly stated how that happens too. [...] data being leaked
Again "Some totally different system could endanger people, but this one doesn't."
Any system that has companies handling personal data and able to leak it is not the system this kind of law talks about.
> false sense of security. Imagine if Roblox was saying
In that situation, Roblox is the problem, not the law.
> So what do these laws even solve?! I'm serious
If widely implemented, a parent can set a single toggle and then the accounts their kids make will all be appropriately restricted.
It wouldn't replace direct checks from the parent on what their kids are doing, but it would greatly reduce the risk profile. And making it simple and built-in means that non-tech-expert parents can set it.
>> Be a bit more serious now.
> The serious answer is in the next line.
> ...
> Again "Some totally different system could endanger people, but this one doesn't."
>> If you want me to take you seriously you have to respond with something better than "trust me bro".
I do have a hard time taking you seriously
> If widely implemented, a parent can set a single toggle and then the accounts their kids make will all be appropriately restricted.
People keep telling you option 1 is the correct one, and that it's not actually useless.
You keep describing privacy problems that only exist with option 2.
This law is not option 2. Stop interpreting people as if they're badly defending option 2. They're not.
> HOW
They take an OS where only admins can change the age setting. They set the age on a non-admin account, which they give their child access to. The OS passes the age setting along to programs, which pass it along to services that need to restrict behavior.
This is not the same as how it works today. It's impossible for a parent to do this today. The best they can do is try to keep track of every account their child has and dig through the settings manually.
Heard exactly the same thing about VPN use (kids won't know how to set up a VPN). Then Australia age verification kicked in, and VPN use went through the roof [0]
And, of course, the response so far has included similar thoughts as the UK about banning VPNs [1]
> How does the OS know that you moved from the "13-15" bracket to the "16-17" bracket without knowing your DoB?
The OS has the birth date. Of probably 1-5 people.
> And this is the thin edge. Because in a few years there'll be a bill saying something like "too many children are lying about their age online. We need to verify their age" and then we're capturing IDs and storing them somewhere.
Those things are already happening. I see this kind of mechanism as significantly more of an alternative to privacy invasion than an enabler of privacy invasion.
The political establishment used to be able to control what you read, through control of the media. Then 1995 happened and everyone got access to anything they wanted. The establishment have wanted to put that genie back in the bottle ever since. This is part of that effort.
> Requiring the central database is the scary part.
Yes, agreed.
And this type of proposal has no central database, so it removes the scary part.
(Unless you're talking about the local accounts on each computer storing dates of birth for a single household as a "central database" in which case you're being ridiculous and please stop doing that.)
A), which is the status quo. I don't see any other option as realistic.
B) makes things worse in several ways, but primarily by stifling innovation. Only large incumbents will have no trouble paying for the measures required to ensure compliance.
There's also the cost of enforcement, which will likely have to be borne by the taxpayers. I don't think this is a good thing to spend money on.
C) cannot be enforced, and any good faith attempts will cost more than the damage from harm they're supposed to prevent.
Option A isn't really the status quo. The status quo has a bunch of sites doing invasive checks and other sites region blocking users.
> Only large incumbents will have no trouble paying for the measures required to ensure compliance.
Oh my gawwwwwd. People trot this out any time any regulation is mentioned. Option B is a single easily accessible age category value. It's simpler than the status quo.
I'm not really focused on the exact wording of this bill. But mandating distros have a useradd and glibc with an extra couple functions is not a significant burden.
I mean, how is the OS going to actually verify the age of the operator?
I see how this helps Facebook - if you lie to the OS, and the OS tells Facebook that you're over 18, then it's not Facebook's fault if they provide you an 18+ service.
It's set by the administrator of the computer, so a parent can set it for their child instead of hoping their child is honest to every single individual site.
That's the difference between a parental control and a pinky swear.
The thing we want (well, that other people want, I have other views) is that large tech companies are not able to brainwash kids.
The thing this creates is liability on parents, or schools, or anyone who provides computer access to children. And access to PII for bad guys (who can ask your computer for your date of birth in this proposal, right?)
> The thing we want (well, that other people want, I have other views) is that large tech companies are not able to brainwash kids.
That has little connection with this law.
And having no age settings at all is where you'll have the most brainwashing.
> The thing this creates is liability on parents, or schools, or anyone who provides computer access to children. And access to PII for bad guys (who can ask your computer for your date of birth in this proposal, right?)
They're already responsible for controlling that. I think they should have more tools to help.
> And access to PII for bad guys (who can ask your computer for your date of birth in this proposal, right?)
Did you look at the law(s)? They get one of four age ranges.
> It's set by the administrator of the computer, so a parent can set it for their child instead of hoping their child is honest to every single individual site.
You are assuming the parent is the administrator of the computer.
I hope the number of downvotes you’re receiving makes you consider the absurdity of your suggestion.
Have you seen distrowatch? Are you going to go track down maintainers from every distro - many of whom live outside of the U.S. - and demand they implement this? The smaller ones would probably ignore you or tell you to get fucked, the larger ones with funding might decide to drag you into court.
Does "the government doesn't get to decide what people can look at on the internet" count as C or D to you? It is the situation we've been in technically for 20 years now anyway; the world hasn't ended and it generally seems to be pretty workable. The status quo isn't an especially radical one.
20 years ago was only 2006. The internet has been around for much longer. The first consumer focused ISPs launched in the early 90’s, 35 years ago, but CompuServe and others were providing access to chat and BBS’s in the 80s.
I’d say nearly 50 years is precedent enough that government intervention is unnecessary.
What about every other system where we rely on parents to parent?
Kids can turn apple juice into wine in their closet
they can drive their bicycle to a drug dealer
they can rub a butter knife against the sidewalk until it's pointy
Do we need govt AI cameras in kids closets and on their bicycles? How do we verify they're cycling somewhere safe? How do we make sure they're not getting shitfaced on bootleg hooch they made with bakers yeast and a latex glove?
This is more like a store being able to see their age just by looking at them, and make restrictions because of that. We don't rely on parents to prevent a 10 year old from going into a bar.
Which, unlike this, does not create issues, since the bar is a place staffed by people, employed to serve drinks, who can reasonably be required to look at their customers, while an operating system is some software, perhaps written by an enthusiast, which cannot reasonably be required to inspect its users.
C and D, combined. New internet for kids-only. This internet would be WHITELIST only. We would not be wack-a-mole trying to catch porn sites (sigh...)
Rather, companies would have to submit a formal proposal to get their website listed on Kid Internet. This inverts the responsibility. It's not my cost, or your cost, it's their cost now. If they want kids, they better prove it.
Then, you can trivially configure your router or any computer, with any operating system, to use the Kid Internet DNS. It's now completely operating system and device agnostic. It can be organizational wide with the flick of a switch. It can be global, if we want.
The proposal we're seeing here is bad, bad, bad. Not just for privacy reasons, but because it will not work. Not might, will. This will not work. For many reasons:
1. Most operating systems are not going to implement some stupid ass bullshit.
2. Most websites do not give a single fuck. Porn websites will not care. Trying to play wack-a-mole is ALWAYS a losing game, no exceptions.
3. This is trivial to bypass.
4. If it's not trivial to bypass, it still will not work, but it will now be the end of computing as we know it.
So we have some kind of control to stop your router from connecting to Adult Internet DNS? Because the difficult bit here is not allowing connections to the Kid Internet, but stopping connections to the Adult Internet.
How do we decide what sites resolve as part of the Kid Internet? Is there some process where a site submits itself for approval to be part of the Adult Internet?
How do we stop the government from using this to stop access to parts of the internet it doesn't like?
> So we have some kind of control to stop your router from connecting to Adult Internet DNS?
Yes, all routers currently have this built-in. Most software outside of routers does, too.
Will it be perfect? No. But, for example, this is how content filters work at schools and just about every workplace. And it seems to be good enough for them.
And, this will work better than that. Because the key point is we're not blacklisting anything. Nobody has to maintain a list of banned websites.
> How do we decide what sites resolve as part of the Kid Internet?
Companies or people send an application. The website is reviewed by a human, and they get approved or denied. If you don't care to target kids, which most people don't, you do nothing.
So I don't have to do anything, nor do you. But Meta does. Google does. I'm fine with that.
And, this "board" or whatever who hands out Kid-Friendly certificates can also take complaints. Why not?
> Is there some process where a site submits itself for approval to be part of the Adult Internet?
No, this it the beauty of it. If you want to be a part of adult internet, you do nothing. You already are.
Every website is implicitly adult internet, and it naturally completely subsumes kid internet. So, if you're just making a blog or whatever, nothing changes. In fact, you don't have to update anything from right now. It will all still work. Because Kid Internet is new thing, and it's whitelist only.
> How do we stop the government from using this to stop access to parts of the internet it doesn't like?
Related to above, adult internet is what we currently have. Nothing changes. You and I won't notice, and we can't notice. There will be the free-range internet, and then the subset of the internet approved for kids.
Yes, they are more sophisticated, or at least I'm assuming from how pi-hole and my workplace blocking works. Meaning, it works.
But those are not the best solutions, because of blacklisting. There are basically infinite porn websites. So, if you're going to try to block every porn website, you will lose, point blank.
So, even considering that, they do quite good. So if we just take the principle and invert it, it will be very good.
I mean, whitelisting vs blacklisting is why I am able to open my computer up to the internet via SSH. I'm not out here blocking 1 billion sites. No, I'm just allowing my laptop. And that gives me a lot of confidence, and it works.
And, I agree with culture change. But, culture change is very hard and I don't think it's something we can rely on.
So, you whitelist Kid Internet sites, and you have a DNS server that handles Kid Internet.
And everything else is Adult Internet, and there are many DNS servers that serve Adult Internet.
You sign your household router up for Kid Internet, and it ignores Adult DNS servers, and only routes according to Kid DNS, is that right?
I can think of about 50 ways around this already, but let's assume we're not talking about anyone with any knowledge of how the internet works. So the entire household is signed up for Kid Internet, and there's no way an adult can view an Adult Internet site from this household, is that right?
Well most DNS can be done per-device, just like in an IT setting. For example look at iOS. The device controls DNS, so set up little Timmy's iPhone to do Kid DNS.
That sounds an awful lot like this proposal, right? Well yes and no. No because this would actually work. Just letting the iPhone say "im a kid" does fuck all, because all the websites we're targeting with that will just ignore it.
And of course there are ways around this. Wanting a solution with no ways around it is dystopian. But is it a better solution than this? I think yes, it is.
If Little Timmy signs in then OS chooses the Kids DNS, but if Uncle Bob signs in then it chooses the Adult DNS?
As you say, I can see a few ways around this ;)
Again, this feels like it just moves the responsibility for everything onto the parents, without meaningfully giving them any control. If something screws up and Little Timmy gets to see some boobies, who gets blamed? Is it the OS provider, the hardware provider, or the parents? Did the parents actually configure this themselves? If so, who taught them how to do that? Or did they buy the machine pre-configured? So does the vendor take responsibility?
Sure, or per-device, or per-network, or per-organization. It depends on how each particular person wants to implement it.
> As you say, I can see a few ways around this ;)
Yes, notably less than the current proposal. Which, again, will just straight-up not work.
> f something screws up and Little Timmy gets to see some boobies, who gets blamed?
I think this really hit the nail on the head. None of this is about solving problems or helping little Timmy. It's about accountability management.
If we implement the OS syscall, then Meta gets to point their grimey finger at someone else while they continue to fuel genocide in Myanmar.
> Did the parents actually configure this themselves? If so, who taught them how to do that? Or did they buy the machine pre-configured? So does the vendor take responsibility?
Well, um, both. You can configure your router, sure, or your Linux computer. But I imagine a new iPhone would just come with a checkbox you can check at account creation time. Again, very similar to this proposal, except it works.
Yes, parental controls already exist. You’re up and down this thread advocating for this particular bill, but what does the technical solution actually look like to you beyond the controls already available? And with regards to account creation specifically, what do you see as a workable solution that isn’t defeated by a “pinky swear”?
Can you name a piece of parental control software that tells relevant apps and sites whether I'm above 13/18?
I'm sure there's plenty of software that can block sites entirely, but that's a lot less useful.
And how much should I trust the popular products on a scale of 1-10? An OS setting doesn't need much trust.
> And with regards to account creation specifically, what do you see as a workable solution that isn’t defeated by a “pinky swear”?
I'll copy a different reply: "It's set by the administrator of the computer, so a parent can set it for their child instead of hoping their child is honest to every single individual site. That's the difference between a parental control and a pinky swear."
The idea of something like this isn't to replace parents, it's to give them a simple centralized tool. The parent has the admin account.
E. Platforms that want to serve violent, sexual, predatory, scammy, snake oil content in the most addictive way possible to exploit minors and other vulnerable populations for profit should save some of their revenue for lawsuits when they hurt people. Hold products that cause harm responsible.
The Illinois bill is not about 18+ content. It's about controlling who your children can talk to on social media. The OS age check is just a means to that end. The end is blatantly unconstitutional. The bill of rights doesn't mention age limits. Freedom of assosiation applies to kids just as much as it does to adults. If the bill passes, then any racist parent could block all comms from kids of a different color for example.
I get what you’re saying but it’s a false premise. In today’s era, racist parents already block their children from even attending school with someone of a different color. Merely blocking comms would be a step before that in severity of control.
Parents have always had the ability (though maybe not explicitly the right to) control their children’s environment for the purposes of teaching personal beliefs. So long as the belief itself wasn’t deemed harmful to the child, society would allow it to continue propagate that way. Racism unfortunately has never been seen as innately harmful. It’s looked down on, yes, but not to the point of making it illegal to enforce in family life.
To be fair, as a parent I don’t want my under age children hooking up with literal nazis on social platforms, whoever that might be. The current tools and controls are lacking. A lot.
The spin control on this story is intense. Saying that it's "just parental controls" when we've had fscking parental controls since the 1990s is disingenuous as hell. Obviously it's something new, but that's really all they have got to try to spin it back into their favor.
I'm reminded of a video essay I watched about AI once, which took a side tangent into surveillance capitalism:
"Google's data harvesting operation became a load bearing piece of the Internet before the public understood digital privacy. And now we can't get rid of it."
The public has been conditioned to expect web services free at point of use. Legitimately it's hard to monetize things like YouTube without ads, and I get that. But turning our entire ecosystem of tech into a massive surveillance mini-state seems like an astonishingly shitty idea compared to just... finding a way to do advertising that DOESN'T involve 30 shadowy ad companies knowing your resting blood pressure. My otherwise creative and amazing industry seems utterly unwilling to confront this.
Edit: Like, I don't know, am I crazy for thinking that simply because we can target ads this granularity, that it simply must be that? I get that the ad-tech companies do not want to go back to blind-firing ads into the digital ether on the hope that they'll be seen, but that's also plus or minus the entirety of the history of advertising as an industry, with the last 20 or so years being a weird blip where you could show your add to INCREDIBLY specific demographics. And I wouldn't give a shit except the tech permitting those functions seems to be socially corrosive and is requiring even further erosion of already pretty porous user privacy to keep being legally tenable.
Society won’t delay reward now for future good on its own. Even if one person will, there’s a line of people who will step in to pollute the lake or kill the whales for a bag of money.
It will just decay until it’s a short squeeze into oligarchy or worse (the corrupt will be forced into an arms race of accelerating corruption as opportunity becomes scarce). Then some other country who isn’t leaving it up to their society to do the right thing will be in charge. Until the same happens to them.
This is the value of religion historically, one of the few ways of coercing a population into doing the right thing for their own good. But every group can be spoiled or hijacked by a small handful of bad actors who are willing to do what others are not.
