Update on age requirements for apps distributed in Texas
developer.apple.com33 points by Austin_Conlon 13 hours ago
33 points by Austin_Conlon 13 hours ago
Meanwhile I actually started college at 16 which is illegal in some locales.
> illegal in some locales.
In the US or elsewhere? I've known a lot of people who attended college at 16, and through friends with teenage children know even more these days. They attended (or are attending) schools in a variety of states.
I think "illegal" is a strong word. Some states don't allow it in public universities. I suspect they're fine with it at private universities.
> Some states don't allow it in public universities.
But which states? I haven't been able to find anything about states barring minors from attending universities.
Not clear in the US. Some countries, such as Canada may have stricter requirements even if some wiggle room.
I don't think Canada has a minimum age - just an educational requirement. If you've completed year 11 early, it looks like you'd be fine.
If the hammer ever comes down on this issue, ie hardcore requirement for age verification, there are ways to do this while protecting privacy.
We are experimenting with bootstraping a PKI certificate trust chain for facilitating trust projection and information verification online. Think of it as the ability to do things like age verification at scale via a peer-2-peer ish mechanism instead of sending your government id to a service provider.
One experiment is with PGP key holders (for now Keybase key holders) as CAs:
https://news.ycombinator.com/item?id=46576590
And also .gov email holders:
https://blog.certisfy.com/2025/12/using-gov-email-addresses-...
It's all self-service and requires no sign-up or download of anything, the app (https://certisfy.com/app) is an in-browser app and all the cryptography happens in the browser.
Google and Apple already have private age verification so I think the time for experiments is past.
I read, from a semi-reliable source, Lousiana has pretty good system for verifying age and protecting ID. But's focused on in-person ID for gambling.
The system was that they hired a company to make the cards, and assume civil liability for any privacy violations. They also required to the company to hold insurance in case of a claim.
So it fell to the insurance company to sign off on the standards, and allowed investors to make money by avoiding claims.
I might be half-remembering it but that seemed like a very good system.
I find claims of any technology being able to simultaneously validate your age while "respecting privacy" to be suspect at best. Even if the technology could work in theory, it would be built on top of an ecosystem designed around an ecosystem hell-bent on monetizing info about you.
Zero knowledge proofs can perform expressions that check values within a JSON tree without exposing any of those values to the requesting party, for instance "year of birth < 2005" can return true or false without returning the person's numeric birth year. Essentially the requesting party has the holder of the credential perform a computation, the result is guaranteed to be the result of each and every instruction over a target data structure (only knowing the hash and signature chain of the credential, so for instance your government issued id can be signed by your secretary of states public key)
Estonia has a really interesting government issued public key infrastructure where users can validate their identity with their physical ID card and a USB reader (maybe it's NFC by now?) but I don't think I've heard of the above scheme used in practice, just sat through a presentation at the internet identity workshop.
But the verifying party can still track you because they can (and absolutely will) log who the requester was and when it was requested. The site might not know who you are, but the government will now have a record of all your 'adult web activity'.
In the ZKP system Europe will be using and I believe in the one Google has developed when you verify your age to a site the communication is only between your device and the site.
The only information the site gets that they don't get when you login now without any kind of age verification (other than something like clicking "I am 18+") is that you have a government issued ID that says you are 18+.
If their logs without age verification are insufficient to reveal who you are if they get turned over to the government then the logs with age verification will also be insufficient.
Zero knowledge proofs based on too little information are trivial to abuse.
To combat this, you need to have it based off of more and more personal info....which is at odds with the privacy-preservation goal.
Sadly when it comes to age assurance, Zero knowledge proofs are little better than marketing.
In this case the ZKPs are tied to a private key stored in a secure element in the phone, so effectively they are tied to control of the device where the original credential was enrolled.
That's nice and all for the cryptography but now think about what's needed to associate it with the physical attribute (such as the age) of the user of the device which may or may not change hands over time.
I'm not quite sure what you're getting at here.
The Google system is tied to a mobile driver's license, and there is an identity check at enrollment that is intended to tie the credential to the device. It's true that if you give someone access to your phone without erasing it, then they can potentially use this mechanism to circumvent age assurance. This is true for a number of other age assurance mechanisms (e.g., credit card-based validation).
In any case, I'm not really interested in getting into an argument with you about the level of assurance provided by this system and whether it's "trivial to abuse" or not. I was merely describing the way the system worked in case people were interested.
The suitability of the remedy (ZKP) for the purpose of age assurance is the entire problem. The non-cryptographic aspects cannot be handwaved away as something not worth discussing when they're the primary area of concern here.
You're arguing with something I'm not saying. I didn't handwave anything away or say it wasn't worth discussing. I simply described how the system was designed.
My concern with this is how far it goes and whether it has unintended side-effects.
There are a lot of situations in history where in retrospect being able to evade government oversight and restrictions turned out to be a good thing. During the Holocaust a number of Jews and other targeted populations were able to escape hostile territory because they were able to get forged passports and other documents, something that strong cryptography would make impossible (even in a perfectly privacy-preserving way).
I'm not sure how old you are or when you started in tech, but in my case I started as a kid and was able to build the skills that now gave me my career thanks to unrestricted Internet access (and sure, I saw pornography a few years earlier than I should have - didn't seem to have any measurable detrimental effect on me, especially not compared to the cigarettes and alcohol).
This wouldn't have been possible if age verification was properly implemented, since a lot of the resources that might be useful for someone to learn programming/sysadmin could also be used to circumvent age verification and thus would've been blocked, and I would probably be working a minimum wage job and/or engaging in crime to sustain myself as a result. If I had to choose whatever harmful effects from pornography versus having a min-wage job, I'll take the porn side-effects any day, at least I have a roof over my head.
Can age assurance be done privately and anonymously? Absolutely.
But the entire point of age laws is to stifle free speech and ruin privacy. Thus why every age law requires uploading an ID.
If it was just age, just require a credit charge of a $1 through an intermediary. Good for a year or whatever.
> the entire point of age laws is to stifle free speech and ruin privacy
Does it? I mean sure, it's a side-effect that some (most?) politicians might find desirable, but there's also people who just want to restrict access to adult material (not taking a position on whether it's a good or bad thing here). Most parents would probably agree with the latter even if they don't with the former.
https://bsky.app/profile/tupped.bsky.social/post/3lwgcmswmy2...
> The U.K. Online Safety Act was (avowedly, as revealed in a recent High Court case) “not primarily aimed at protecting children” but at regulating “services that have a significant influence over public discourse.”
Yes. Look at the UK - in the best case the laws here (OSA) are absolutely trivially bypassable by apps that are openly advertised on the App Store (VPN apps). In the worst case it pushes people onto sites that refuse to comply which are likely holding _actually_ harmful material.
> there’s also people who want to restrict access to adult material
First of all - we’ve been down this path so many times. Won’t someone think of the children is a plea to emotion not to reason. Secondly, there are many ways that people can opt in to those controls already, and for the most part _they work_. Anyone who can bypass those will be able to bypass what’s being rolled out around the world. Lastly; they’re trivially bypassable because a grown up can validate and then just hand the device back to a child.
The UK is pretty good at digital services and had a solid opportunity to make an anonymous, privacy first based age verification system. I designed one (not without flaws) in about 15 minutes, so we definitely could have had something decent. Instead our first move was to make something that basically required a liability shift, and we ended up sending face scans and passport photos to US tech giants - meanwhile the kids were just pointing their cameras at YouTube videos of adults and bypassing the filters.
Is there anyone who can't do this today? Adult websites self label, and both your router and ISP offer removing adult websites as an option.
If your kid is going to get around that by clever vpn use, age gates don't help.
I don't have any children myself, but as I understand it in the modern age:
Your kid's smartphone can connect to home wifi, mobile data, public wifi, and friends' home wifi - so network filtering alone won't cut it. And 'Encrypted SNI', 'DNS over HTTPS' and Cloudflare makes network filtering much harder than it was 15 years ago.
On top of that, there's loads of porn posted on Reddit, Twitter, Twitch and suchlike. So any effective block is going to have a lot of collateral damage.
Use a DNS that has porn filtering along with any custom sites you don't want them accessing via the browser. You can even create your own MDM profile to prevent a kid from disabling the private DNS. There are sites that will set this up for you too. Furthermore, use parental controls to prevent installing apps without your permission, use the built-in features to limit screen time, and use tools offered by social media apps to limit usage. A super smart IT wizz kid may eventually figure it out but this will keep most kids from accessing inappropriate stuff.
> Adult websites self label
Not social media sites. Sites like Reddit are everything. Some also go out of their way to hide certain information from parents.
Reddit (not to be too picky) does some weird things when a logger is in place, essentially making it impossible to know which subreddit is being accessed.
And that's really where the bad stuff lurks - it's peer to peer interactions.
> If your kid is going to get around that by clever vpn use, age gates don't help.
I think politicians and their supporters believe they do help. Of course from their perspective the only way to know for sure is to implement the restrictions (regardless of whether they succeed, at least they fulfill their campaign promises to their electors of "doing something").
While some people may want that, everyone who has the technical know-how to restrict access can name probably a dozen different ways to do it without violating privacy via ID Upload. The only reason to push for ID Upload instead of the other methods is because policy makers are lazy and information resellers want as much information about us all as they can get. Its lazy because it just recreates the liquor store "Can I see your ID please?" experience everyone is so familiar with and takes no explanation, so lazy policy makers find it easy to push for, without accounting for how that data is handled after use. Meanwhile information clearing houses and anti-privacy wanks are salivating at how this can be leveraged so they too push the "ID Upload is the only way!" messaging.
>and information resellers want as much information about us all as they can get.
That seems implausible given that most sites requiring age verification outsource it to some third party, which means they're not getting all the juicy biometrics.
You've identified the group that would be incentivized to lobby for this architecture.
That's an unhelpful way of analyzing stuff because you can cynically retort "You've identified the group that would be incentivized to lobby for this" regardless of what happens. No age verification whatsoever? I bet social media companies would like that! Age verification by the government? I bet it's because the government wants to know what porn sites you visit! Maybe verification by the OS instead? Must be the Google/Android OS duopoly! So complicated PKI or zero knowledge proofs solution? There's probably some consultancy that would benefit, not to mention there's still going to be companies that would handle the outsourcing. There's a whole industry for handling user account management/SSO, for instance, and that's entirely open source.
I didn't look at it that way, but there is unfortunately a bit of truth in that analysis. Such is life in a captured state.
Honestly, I wasn't being quite that cynical. Just pointing out that there are actors who have business interests in applying a worse architecture.
But IIRC this was made manifest in Alabama, where a tech company lobbied for their age law and then captured the sole source contract for doing the verification.
> But the entire point of age laws is to stifle free speech and ruin privacy. Thus why every age law requires uploading an ID.
The age verification system currently undergoing large scale field trials in the EU does not require uploading ID. Every member of the EU is required to support that system, and any online age verification laws any member passes are required to allow its use.
Why so complex. ID cards could solve that issue, every European ID card has a powerful and programmable crypto processor / secure element inside and so do all ICAO compliant passports.
Have the website emit a random nonce (to guide against replay attacks / reuse) plus an information what is requested (name, DOB, address, some like the Croatian ID card even store photographs), the card prepares a response with that data, signs that using its private key (with a 2FA being possible as well by using a PIN/password) and returns it to the website.
The Croatian ID card doesn't even need a middleware because it doesn't do 2FA, you can ask it all of that by pure NFC communication. The German ID card requires a middleware ("AusweisApp", open source) for added protection though.
Age verification could indeed be implemented in other ways. The approach outlined above is for information verification and trust projection in general, meaning you can put just about any verified information on a certificate and it can be used online.
Here is a concrete example of how trustworthy certificates can be used online, this is my personal profile on bluesky with verification that is independent of the Blue sky service: https://bsky.app/profile/bitlooter.bsky.social
If you click on the profile image you can enter that code into https://certisfy.com/app to verify the identity of the profile. That sticker could be on any online profile to prove high quality authenticity, it could for instance be on an e-commerce site to prove that the site isn't a scam.
The problem with this specific design is that it reveals your identity to the site, which is obviously undesirable from a privacy perspective.
For those who are interested one of my recent newsletter posts goes into a fair amount of detail about the various technical options here for using digital IDs in this context: https://educatedguesswork.org/posts/age-verification-id/
In 2005, we decided that we were going to have Real ID by 2008. We're now looking at a 2027 completion date.
At the airport they said I wouldn't be able to travel unless I had a real ID by 2019.
(Not in Texas)
Did this apply to X (Twitter) at all?
It is interesting to me that we are running a giant social experiment with people's childhoods- something we know can only be done once.
Meanwhile the silicon valley elite admitted that they don't let their 12 year old daughter on Instagram...
Society has always been running giant social experiments on the next generation. That's what a culture is.
What are some key examples prior to the Internet?
TV, radio, public school, computers, video games, rock & roll, rap, desegregation, etc.
I guess I was really looking for concrete examples and examples prior to the invention of or not related to the use of electronic technology.
For your non-technological items in your list, I don't see how public school, rock and roll, and desegregation are or were remotely related to experiments being ran on children by society.
Public school -- new concept that caused massive changes to social behaviors and patterns of association. Nobody knew ahead of time what the results of this would be, so it was as much an experiment as letting kids access Instagram.
Rock & roll -- millions of people thought that letting children listen to this African American music would corrupt their children and prove ruinous to children. Some parents demanded controls on access to this music, much as some parents are doing with Instagram today.
Desegregation -- it's well worth an hour of reading if you haven't spent the time so far. Here I will just say that it was obviously a profound change in social patterns, changes to the US's legal caste system, and had to be enforced at gunpoint. Nobody knew how it would play out, like nobody really knows how using Instagram at age 15 will impact people in midlife. This led to (white) parental outcry over the prospective changes, as many (white) parents did not want to participate in this social experiment.
Big changes, no real control groups, unpredictable outcomes. Experiments in a very real sense.
You don’t see them as experiments because they succeeded and are now just seen as “normal”.
I would not let my (hypothetical) 12 year old on Instagram. I also don't want to give Instagram (or any other site, since I don't use Instagram) my ID to view content on it.
It’s more interesting to me why nobody except sv elites can come to the same conclusion themselves regarding <12 year olds on instagram and instead seem to need the government to parent their kids
I hate this law and those like it, mostly because it shouldn’t be necessary for government to overstep like this. But when I look around… maybe it is
It's a collective action problem.
I don't think it is just that. Look at an HN thread on privacy and you will find a lot of people that do not see any issues.
The problem really comes down to complexity and trust. The truth is that there never is a problem if we operate under the assumption that all actors are honest and good natured. But the reality of the world is that this is a naive assumption. All citizens should be concerned about changing objectives from their authorities. A democracy can vote in dictators and a benevolent dictator can quickly change to a malicious one (which has happened frequently historically). We also need to be concerned with non-authority threat actors, from criminals to nation-state actors competing states (and even allies for the same aforementioned reason).
That's the problem. The realistic conditions we need to solve for are far more complex than the ones people operate under and we have a difficult time talking to one another about it. For a privacy conscious person it does not matter if the holder of the data is the most benevolent entity that could exist, it is if there is the opportunity for the data to be held by anyone else. Thus, no one should hold it. No matter how "worthy".
Even on HN there are a large number of users who think they are not the target of hackers, and especially nation-state hackers. Of all places on the internet this should be one of the most informed on the matter and best suited to understand that being "normal" is what makes them a target, to be incorporated into bot-nets or other reasons like being used for lateral movement. It is the exact same problem: the reality is far more complex. The assumption of not being a target is based on the understanding that they are not the end target but the complexity of reality is that this is not the condition for being /a/ target.
I do agree that collective action matters. But it is hard to form collective action when people do not have the motivation for action. And they don't have the motivation because they have a naive approximation of the problems at hand.
Just let the parents be responsible. Jesus.
Attach minor accounts to the account of the parent, make the parent say yes.
Ok, but you're saying two different things. You can't know a minor account is a minor account unless you require age verification.
Don't get me wrong - I support your proposal. But it requires massive state intervention.