The 'papers, please' era of the internet will decimate your privacy
expression.fire.org1009 points by bilsbie 21 hours ago
1009 points by bilsbie 21 hours ago
There are at least some technological solutions here, such as anonymous credentials. [1] Modern versions of this technique allow one to associate metadata (like a proof of age exceeding a threshold) in such a way that the verifier can't even correlate repeated requests across users.
Governments that are serious about age verification and individual privacy (which, doubtful they truly are) should agree on a protocol and set up certificate issuers that are associated with a digital ID. Then age verification will not be an invasive procedure or risk data leaks or insider threats.
[1]: https://blog.cryptographyengineering.com/2026/03/02/anonymou...
The article talks about the possibilities of malicious cloning of these tokens by third parties, but fails to identify the much more common use case, and one that makes this scheme useless for age verification.
It's one thing to be concerned about someone stealing my credential, but another to prevent the transfer of these credentials, especially if they are limited use credentials.
The entire point of age verification systems is to prevent minors from accessing certain resources. I think we all know that this is basically impossible; but what these various governments and social media companies want to do is to make it high friction to do so.
The highest friction version of this is that the credential ties to a real world identity somehow; maybe locked behind legal barriers, etc., but if a minor is caught using someone's credential, then the person whose credential they are using can be investigated, and, if necessary, charged with a crime roughly equivalent to providing alcohol to a minor. Without the possibility of real world enforcement, none of these identity solutions can possibly work.
Keep dreaming of a technological solution -- there is none that does not lead to the world that FIRE is warning about, except to accept that we can only make a solution "good enough" and leave it at that, without expanding into full on identity verification. The solution here is likely to just try to provide better abilities for parents to monitor and limit their children's use of the internet. Let individual parents decide on the level of harm that they are willing to accept, and accept that there will be ways to work around this even if parents are vigilant, but just try to reduce it on the margins.
Yes, this is the part of the issue that is so frequently ignored: Anonymous age verification schemes are easily defeated through proxying because there wouldn't be any consequences for selling your tokens. "Install this app on your phone and we'll pay you $1 per day" and it will mint your anonymous identity tokens and send them off to kids who want to buy them. If there's no way to track the tokens, there is no possibility of negative consequences.
So the schemes always start introducing features to reduce the anonymity of the tokens or make them more trackable in some way:
> The highest friction version of this is that the credential ties to a real world identity somehow; maybe locked behind legal barriers, etc., but if a minor is caught using someone's credential, then the person whose credential they are using can be investigated, and, if necessary, charged with a crime
Which requires that these identity tokens not be anonymous age-verification credentials. They become a traceable identity token tied to your government-issued ID.
But could you not set up a system where you need to go get (for free) a limited use token at a physical location, or have them mailed to your home, and they have a rough geographical lock? If a bunch of those tokens start appearing in random locations, it is a good indication that someone is reselling them to minors? I'm not saying this is idiot proof, but what could go wrong?
> They become a traceable identity token
Not if you use a challenge-response protocol where the client returns a zero-knowledge proof of age, where the proof incorporates a random string sent by the website.
The traceable stuff is private information that the website never sees. If a minor is caught with it, then law enforcement has local access to the minor's hardware and can probably view the private data.
At that point, the private key can be put on a public revocation list. The zero-knowledge proof can include a proof that you're not on the revocation list. Once you've been revoked, you have to go through the hassle of setting this all up again, which might be enough incentive to keep it reasonably secure.
This doesn’t stop the scheme the parent proposes, where adults install some proxy on their device and challenges are responded to on the parent device. Then the private key never leaves the parent device and all the child device has is the proxy software, which could be set up to not log any identifier of the key that it used
I agree, but this is also clearly a increased barrier. Going back to OPs comment that perfection is impossible, the goal is to raise the bar, I would say that this is more than good enough.
> but this is also clearly a increased barrier.
If there's a simple piece of software that can be installed, it's not meaningfully increasing the barrier. Also, there are negative consequences to introducing "rules that you're expected to break" like this. It makes the law unserious.
Sure, but then you're partnering with someone you probably don't know to take payment for doing something illegal, and that partner knows your device and where to send the money.
And if it's a phone app, it's not going to be on app stores and you already know the person giving you the app is a criminal.
So you're installing an untrustworthy app to risk criminal charges, and the customers of this scheme are kids who mostly don't have a lot of money.
You’re missing the point. If the tokens are truly anonymous then none of this matters. There’s no way to discover or prove where the tokens came from. It could be someone in another country with stolen IDs, which are now a goldmine for minting tokens and selling on the internet.
So the schemes inherently add some traceability, which makes the tokens no longer actually anonymous.
This is the back door used to make the tokens double as ID tokens.
Trusted computing fixes this up to the analog hole. Which is as much as you can expect.
Trusted computing fixes this.
Trusted computing is the biggest threat to privacy and liberty of them all!
No, you can reliably attest public source builds of critical software for the ultimate in transparency. That even includes models running on GPUs. Combine that with blind tokens and you get trusted, anonymous identity verification.
What you also get is mobile devices that can't run unblessed code, make it impossible to remove legally-mandated spyware or backdoors, as well as websites that you can't use anonymously, even when you have very valid reasons to do so.
How so?
They are implying the use of trusted computing with proprietary software to ensure that only users on fully “trusted” (locked down) devices are allowed to access network resources.
Presumably, if you have a trusted application on a trusted device, the identifier was installed in a trusted way, the device is in trusted possession and the device won't be given to anyone else, trusted computing may be able, in certain cases, to make it more difficult for a remote minor to use the identifier.
> in certain cases, to make it more difficult for a remote minor to use the identifier
Just offer the user some money if he installs some "trusted" app for age verification token sharing.
> If a minor is caught with it, then law enforcement has local access to the minor's hardware and can probably view the private data.
And then what? You think the police are going to make a case out of getting a token blacklisted or start an investigation into the person who the token came from? Also confiscate their devices as part of the investigation? I guarantee that the token source will be someone in another state or another country or just a stolen ID being used to sell their tokens.
I can’t believe we’re getting to the point where we’re talking about sending the police to deal with cases where a minor is suspected of, what, accessing social media? To confiscate their device and do forensic analysis of the tokens on it?
Do you realize how insane this is getting? How does anyone think this is feasible, let alone a good idea?
I'm saying a system like this is preferable to attaching our real identities to everything we do online, as countries are attempting right now. We can verify age without losing privacy or anonymous speech.
It's still my preference to have no verification at all. On the internet, nobody should know you're a dog.
> I'm saying a system like this is preferable to attaching our real identities to everything we do online, as countries are attempting right now. We can verify age without losing privacy or anonymous speech.
The problem with your hypothetical was that you casually introduced the police as an enforcement mechanism for cases of a minor accessing an over-18 website. The implication is that the physical police are now involved in our access of websites, and you’re saying the tokens involved in us accessing websites will have some evidence that they can use in the investigation of that access.
This is why we keep saying that the anonymous token schemes don’t preserve privacy. It always turns into a slippery slope of adding escape hatches to the anonymity to enforce violations. The very implication that the police are going to be tasked with going out and confiscating devices to investigate suspected age token violations is an indicator of how far the window has shifted on Internet privacy.
> Not if you use a challenge-response protocol where the client returns a zero-knowledge proof of age, where the proof incorporates a random string sent by the website.
Obviously it does. These $1 per-day apps are 24/7 online and so challenges can simply be proxied just the same as tokens.
> ... law enforcement has local access to the minor's hardware ...
This is a large part of what people, in practice, want to prevent using this scheme.
> Once you've been revoked, you have to go through the hassle of setting this all up again, which might be enough incentive to keep it reasonably secure ...
States want to know who to punish when this happens. Which also details how this is defeated: you can't revoke the token, because that makes getting a conviction near-impossible and it exposes the states to counterclaims.
The people who install such forwarding apps don't have money for the court to charge, and they can't take away their identification apps (which these will be, obviously) because that's the cheapest way for states to communicate with them.
Unless you build this into the base layer of the internet (which European networks like minitel did, by the way, with France telecom graciously checking it for free. Free for the state, of course. YOU paid per packet)
> ... to keep it reasonably secure ...
Oh and "reasonably secure" won't cut it. Someone committed suicide after a message was posted, and they're "reasonably secure" who it came from? You see the problem, I hope.
Are you saying such proxying apps exist now? Can you link a source for me?
Regarding my scheme:
The only way law enforcement should have access is if they show up and get the phone in their possession, with a warrant. Which could happen any time some teenager posts something without realizing it identifies them.
If the teenager has your full credentials, that's when law enforcement sees who you are, and can take whatever action we deem appropriate. I would think just revocation if you might have been hacked, more severe if it's clear you shared on purpose. Revoking credentials doesn't interfere with the person using the app for other purposes, or with any prosecution, and criminal prosecution doesn't rely on the perp having money; quite the opposite in fact.
If you install a proxying app for the challenge-response, you're installing an untrustworthy app from a criminal to take payment for a criminal scheme, with risk of prosecution if that criminal gets caught.
Nothing in society is perfectly secure. There are all sorts of ways that we allow some crimes and tragedies to happen because we know that preventing them would be even worse. There are good reasons that courts have long protected privacy and anonymous speech, even though we could solve more crimes without those protections.
> The only way law enforcement should have access is if they show up and get the phone in their possession, with a warrant. Which could happen any time some teenager posts something without realizing it identifies them.
It’s beyond crazy that we’re actually talking about police showing up at someone’s house because they suspect a social media post came from an under-18.
This is one step away from your local government unmasking their Internet critics and sending police to their house by “suspecting” that they might actually be a minor.
> If the teenager has your full credentials, that's when law enforcement sees who you are, and can take whatever action we deem appropriate. I would think just revocation if you might have been hacked, more severe if it's clear you shared on purpose.
Why would you assume the person giving out the token is in the same jurisdiction? The tokens would almost certainly be coming from another country.
The police aren’t going to be tracking down teens, confiscating their phones, running forensic analyses, and then doing the work of getting tokens revoked through a possibly international process. They barely have enough time to show up and take a report when someone does minor physical proper damage.
All this does is open up the process for targeted abuse when governments or police need an excuse to go after someone posting on social media.
But ... you were arguing method X prevents this from "They become a traceable identity token". And what are you going to do with the anonymous tokens? You'll identify whose credentials they are ...
If you can identify physical hardware from a request or post, obviously it's not anonymous. In fact, if you can identify the owner of credentials from the credentials, they're not anonymous. Obviously in an actual anonymous system it is utterly impossible to do this, whoever you are.
So you've just proven your own argument wrong. Anonymous age verification online is impossible. You don't agree?
There is a way to prevent this (or at least slow it down), but that way requires device integrity protection.
With integrity protection, tokens can only be minted with a government app, driven by both biometrics and physical human hands touching the physical screen. There's no way to do it in the background. Without it, you can indeed have a single activist mint 10 billion tokens and give them out for free, defeating the entire scheme.
There's a CAP-style triangle here. You can have age assurance and anonymity but lose the ability to run your own software, have age assurance and device control but lose anonymity (via traditional ID checks, which don't require IP in theory), or have anonymity and device control but lose age assurance.
What you conveniently forgot to mention is this means the death of open general purpose computing. No more rooted devices, no more self built PCs. You go buy a government approved device and run the government approved OS preinstalled and the moment you deviate from the government approved happy path you are booted off the internet.
I'm a fan of separating the trusted compute levels for commercial and non-commercial uses/sides of the internet. I think we have to move in this direction.
As it stands today, doing business on ebay/craigslist/etc isn't that much different than doing it in a back alley in the bad part of town. Generally a bad idea but YMMV if you keep your wits about you. Of course it's your right to do business that way, but no one in their right mind thinks it's acceptable to do global commerce that way.
Commerce relies on legally enforceable contracts (both paper and EULAs), which ultimately rely on identity to be enforced. It's a bug, not a feature, that someone on the internet can steal my identity to purchase a product in my name and have it shipped wherever they want. It's a feature, not a bug, that my bank asks me for photo ID before I empty my account in person.
I'm not allowed to access banking computers, except occasionally and from within in a sandbox with proper credentials (ATM card for example). If, in the future my bank needs to do their compute inside my house on my phone, then it seems fair that there should be walls that keep me outside of their trusted compute.
That said, I am 100% behind keeping open purpose general computing free and available. Rooted devices, self built PCs etc all of it. I love it, saying this as a person who grew up building their own PCs and programming from a young age. I think that we all should be able to access the non-commercial side of the internet in any way we want, a true public square, warts, gutters and all. Hobbyists can do whatever they like as long as it doesn't touch commercial systems.
As I see it, the problem for most of us is that the social/fun side of the internet has largely been captured by commercial interests. Anything with a EULA should be considered a commercial site, since you're legally bound by a contract using it. As it stands today all the fun things on the internet would require enforced identity.
Maybe having a separate walled off "commercial internet with identity enforcement" will finally open the public's eyes as to the ramifications of the digital world we've built. And also allow us to individually take a stand and push back against the commercial interests through our daily choices of what sites we visit. Basically voting with your ID chip instead of your pocketbook. You can still do business in the gutter if you want to, but for the normies it will be easier for them to spot when they're in a back alley. And it gives parents options for keeping kids off of the anonymous side as as well.
I do think a Reddit with identity would be a much less toxic place. As long as the brave adventurers among us can still access the digital gutters like 4chan and other message boards.
> I do think a Reddit with identity would be a much less toxic place.
Do you remember the days of "Real name" requirements on YouTube and "Google+"? The experiment was tried, it didn't change things. (Also, see Facebook for an ongoing version of the same experiment).
The tokens could be tied to the device and Apple account by a provider like Apple, in fact you don’t need to issue tokens, only provide a web api that Apple and other browser providers support, which attests age.
This is certainly something that can be solved technically if we want.
It sounds like your scheme would only allow browsing the "adult web" on locked-down, unmodified devices running government-approved software. Frankly, that's worse than even requiring ID.
I’m just pointing out that it is in fact technically possible to lock things down. Whether we should or not is a separate discussion.
what you say which is the real thing, is the total institutionalisation of everything, the very wet dream of beurocrats everywhere, and of course done because "they have no choice", and are free to claim a pure lack of any motive or underlying agenda, and the vicious cycle of "just doing there job" enters our world, again.
I thought a solution to this would be to use a physical smartcard to store the certificate(perhaps on your government ID). if the protocol is a challenge/response and the private key never leaves the card it would make proxying without the physical card more difficult.
Yeah great idea, having to get out your government ID every time you want to use a website.
A certificate could be anonymous and the website would only need to verify it against the born_before_2008_root_cert in 2026. You could issue has many certs as you want and all would have a validity of 1 year so that websites only have to install at the maximum 2 root certs.
I know but what I mean is it's a lot of hassle just to visit something. And many devices I have like my VR headset don't have an NFC reader to validate some govt ID.
If the smart cards required some human input to perform a signature maybe this could work. Otherwise there is nothing stopping someone from selling use of their card via some proxy software
We are talking about porn here. And the internet will be always full of it - and that can only be prevented by controlling all of it, or have each state have a golden firewall.
All of these solutions seem very complicated, for little benefit. So a anonymous age verification scheme, fine with me. But making it more complicatdd, because dark entities could capture and resell tokens .. seems a step in the direction of madness.
Crusades against sexually explicit material are certainly popular in some places.
But these days I see a lot more talk about the developmental effects of parasocial media on kids. There’s a whole segment of buy-in there that didn’t exist before.
I don't see where I should sacrifice my freedoms to remain anonymous on the internet or MUCH more importantly, have control over my hardware and software just because parents can't do their job
> but if a minor is caught using someone's credential, then the person whose credential they are using can be investigated, and, if necessary, charged with a crime roughly equivalent to providing alcohol to a minor. Without the possibility of real world enforcement, none of these identity solutions can possibly work.
They don't work even then.
Suppose you completely eliminate privacy on the internet and require every domestic site to collect the name and social security number of everyone who visits. Then a child uses an adult's ID, regardless of whether it's with or without their knowledge. Is the child going to inform on themselves? No. Is the adult, when they don't even know about it? No. Is the adult, when they provided it on purpose? No.
That constitutes the entire set of people who would typically know that the person using the device isn't the person on the ID.
On top of that, we can punch an even bigger hole in it. Search engines, among other things, index other sites. Google is obviously the biggest but there are many others -- Bing, Marginalia, Brave, Swisscows, Yandex, Perplexity, Baidu, etc. They're run by adults and most of their users are adults, who reasonably expect to be able to turn off "safe search" if they want to. So some adult at each search engine would have to provide their ID to the crawler so it can index things inappropriate for children and show them to adult users. It would therefore be a fairly unremarkable and recurring thing to see the same ID make a zillion gigatons of requests.
But then you can't use "why is this person downloading 100 things from 100 computers at once" as an indication of anything nefarious happening, and anyone can still set up a service hosted on a foreign server that will serve adult content to anyone without an ID by serving it out of a cache. (And in the case where you're invading everyone's privacy, that service would also be very popular with adults.)
> Is the child going to inform on themselves? No. Is the adult, when they don't even know about it?
In the context of social media, if they want to actively participate they have to given that it's the entire point. It's true that even with a government ID scheme people could borrow someone's ID to get passive access with their consent. But a kid couldn't share an account with a parent without that parent knowing because you see their activity, and they also couldn't post.
Kids shred these schemes. The designers of them seem to forget that the social dynamics of the adult world are completely different - just one kid needs to figure out how to bypass the system, and the knowledge spreads like wildfire.
Example: schools banned phones, so kids switched to talking over Google docs:
https://www.theatlantic.com/technology/archive/2019/03/hotte...
If we give parents better tools to limit and monitor internet access, kids will just buy a used phone which is unregulated. If their parents even bother to use the tools in the first place (it is my impression most parents do not). There is also a lot of loopholes parents do not even think of (like a web browser on a game console).
having kids fiddle around with alternative means and schemes of communication might well turn out to be an intellectual and academic net positive.
This is where social media and other sites' endless datamining and profiling will come back to bite them. These sites already know the age range of users to a very high degree of certainty, and can continue to obtain such in an ongoing fashion. If an underage person is using these sites, it's likely going to be because the store clerk just nodded and winked, instead of because they were genuinely fooled by a borrowed or fraudulent ID. And in that case, the clerk is the one facing the penalties.
Put the burden of responsibility on the sites themselves and the number of people that will be able to successfully bypass such restrictions is going to be negligible and largely depend upon ongoing inorganic behavior or being an outlier in terms of behavior/interests.
the article also mentions; <But the government puts much of the onus on social media platforms to ensure users understand the verification process and on users to read up to make sure they aren’t being scammed.>
Unfortunately, the said-government doesn't seem to worry about the fact that their own systems have been breached over the years
> The entire point of age verification systems is to prevent minors from accessing certain resources.
Then why are they forbidding VPNs?
This is clearly NOT a use case that is solely referring to minors.
The whole cake is a lie and so is your assumption that age sniffing is "to protect children".
> Keep dreaming of a technological solution
We don't "dream" - we know what is possible and what is not.
Mass surveillance of everyone is simply not an option.
> Let individual parents decide on the level of harm that they are willing to accep
Nobody has an issue IF it were about individual parents, but it clearly is not. Governments try to criminalize and restrict everyone - and that is the true agenda.
> The entire point of age verification systems is to prevent minors from accessing certain resources. I think we all know that this is basically impossible; but what these various governments and social media companies want to do is to make it high friction to do so.
The problem is, this is wrong. What these governments want to do is get a grip on online behavior, through actions against individuals, who can't/won't defend themselves, rather than through actions against gigantic corporations that may choose litigation and take years to change their behavior, if they do at all.
Governments want to declare something illegal, say downloading a movie, putting racist comments online, ... then catch everyone who engages in that behavior online through mandatory identification, and actually have an effect.
To do this, breaking privacy is, of course, a core requirement. This can be introduced into these systems afterwards ("judge X wants to know who authenticated with token <token>, please provide the information"). Without this, government rules will remain totally ineffective online like they have been in the last 40 years.
I personally much prefer government rules remaining totally ineffective online.
> What these governments want to do
I feel strongly that this conspiratorial mind-reading approach to this sort of issue is just counterproductive.
What all the governments (and non-governments, frankly, there are many supporters of these things) are asking for is excluding minors from certain websites and services.
The problem is that this translates to age verification, which translates to identify verification, which incidentally gives states and other actors a variety of other tools they can use for anti-civil-liberties purposes.
In the end their motives are just irrelevant unless there is a clear way to exclude minors from certain services without going down the chain towards identity verification. Such a way does not exist, so we have to fight it here, at the point where the basic ask emerges.
Why can’t you just sell single use codes at gas stations/liquor stores/etc and they just check your ID before sale? Of course shady places can still sell them without ID check, but we have this problem already for liquor and tobacco.
> The highest friction version of this is that the credential ties to a real world identity somehow; maybe locked behind legal barriers, etc., but if a minor is caught using someone's credential, then the person whose credential they are using can be investigated, and, if necessary, charged with a crime roughly equivalent to providing alcohol to a minor. Without the possibility of real world enforcement, none of these identity solutions can possibly work.
Buying alcohol for a minor implies knowledge and intent.
Getting the tokens out of a phone doesn't require the user to do any of that, the user just has to be frugal and keep the phone longer than it's supported by the manufacturer, until some local exploit is found again, and that token will be extracted and available online for everyone to use.
Parents buy those phones, phones could easily have a "user is a minor" setting (and a flag sent to all the sites that want one) with a password for parents to unlock stuff if needed. This would be set during the phones first set up, and it's done. But nope, the plan is for everyone to install a form if a digital ID on their phones, and once it's there, requiring full-name identification when registering is just one step away.
>charged with a crime roughly equivalent to providing alcohol to a minor
In most countries it's perfectly legal to provide alcohol to your kids.
There is a much easier solution that already exists - parental controls on children's devices. I honestly don't understand why is it not solving the problem?
Yes, parents are responsible to set this up. But parents are also responsible to lock their alcohol, drugs or guns, condoms, etc., and many other things.
Perhaps parental controls are not good enough? That's where the regulation could genuinely help - require child-certified devices to implement minimum set of parental controls, and make them easy to use.
That's not the problem governments are solving. They're solving the problem of convincing the public it's a good idea to end the anonymity of internet use.
I know! What puzzles me is responses every such article gets even on HN - let's build some cool tech that 95% of the general population and 100% of politicians won't even understand not to mention agree to.
Yes, government want to end anonymity and that's clear to some. But governments enjoy on a pretty broad support for this and many people supporting this believe it's a real problem. Suggesting to leave it unsolved or solve it in a way they can't trust or understand is only going to alienate them, making the government job easier.
I think suggesting a simple, cheap and effective solution to this problem that has no impact on privacy is a way better way to counter that. I think local parental controls fits the bill.
People on average aren't very smart and will happily support programs objectively harmful to them and everyone else because the government and a nice lady from the breakfast TV says it's necessary to think of someone's else's children watching porn (this soundbite is gross. I don't understand how it's okay for the serious people to repeat it).
Of course it's accurate to say a lot of people aren't smart.
A lot of people also may or may not be smart but have limited knowledge of this area and limited time/effort to expend thinking about it.
I don't think you should rail against those things because they will always be true for every topic.
Instead, people who have understood the deeper implications of this, for instance the typical HN reader, need to connect with the average person, engage with rather than dismiss their child protection fears, while explaining the downsides.
Taking a high handed dismissive attitude will not help to shift public opinion.
But I'm expressing my opinion on HN, not for the general public?
I thought that stating this, I believe, fact as a contributing factor in the creeping authoritarian climate would be understood without having to attach a handful of caveats and papers?
(you're contradicting yourself)
Once again blaming the tv which barely anyone watches rather than the algorithmic feed in their pocket 24 hours a day.
It’s not 1980 any more.
Naah, "nice lady from the breakfast TV" is mostly[1] an allegory of the traditional media narrative, but you can't seriously deny the impact and importance of it?
If you deny for example Murdoch-owned media impact on the society, or the extent of the damage for example BBC did in the UK to the human rights or the discourse, I'd suggest reading more :)
[1] one TV programme I remember (I don't watch it): "Good Morning Britain is the UK's most talked about breakfast television show with a weekly audience reach of 4 million people." that's 10% of the age group 16-64 here, not too shabby-- and that's ONE tv.
> But governments enjoy on a pretty broad support for this
No they do not. They do an enormous amount of PR trying to convince people that they have it, though.
In the real world when there is a ton of support behind a position, you see representatives of it all over the place and they are pushing the agenda and the coverage. In the world of online age verification, you just see a bunch of lame duck politicians using procedure to sneak policy changes in and keep objections from being heard, and a few government contractor-surrogates writing op-eds (that they haven't read.)
When puritans go on the march, they're actually pretty loud. Most of the anti-social media people are hippy-dippy upper-middle class liberals who curse "screens," completely believed Cambridge Analytica's PR and think that Trump rules through mind control - who will be bothered by the end of anonymity; and the remainder are angry online right-wingers who think that they were censored by and as a result of social media. They're not marching together, they're not marching to have people identified when they're using the internet, neither of them are even prioritizing social media right now and they aren't putting pressure on anyone.
The fact that it's so unpopular is why there are lame ducks doing it. They're just assuring their fortunes on the way out, and the person on the way in will pretend like they had nothing to do with it even though it will be will be passed and implemented on their watch.
> No they do not. They do an enormous amount of PR trying to convince people that they have it, though.
Ok who is paying for that PR though? its not free.
its not like all the UK kids charities are for it.
> Most of the anti-social media people are hippy-dippy upper-middle class
My kids school is very much not in the posh area of london (although they are trying to make it posh) they hate what social media feeds their kids _indirectly_ As in clips and trends sent to their kids via chat or DMs.
It appears that what they want for their kids is basically a walled garden where the advert-content can't bombard their kids, along with the racist/violent stuff.
The bills are being raised and passing in more countries than just America though.
> That's not the problem governments are solving. They're solving the problem of convincing the public it's a good idea to end the anonymity of internet use.
I'm really sorry, but that's giving politicians far to much credit for being able to plan ahead.
Look at both the UK and the USA. The UK's just yeeted its PM because he had the personality of a block of cheese. The USA is currently inches away from shooting people if they mention the word green and water in DC. None of that screams "I am a master at planning ahead and manipulating public opinion in to doing x"
The politicians have no idea about how this all works, they see that "social media" is causing harm (its not the only source, we might get to that) The public, especially in the UK really do not like americanised media being forced in their faces and want "something to be done"
Again for the UK specifically the OSA specifically didn't layout a government mechanism for age verification. they left it to the end company to avoid the suggestion of tracking. Despite it being ripe for uberfraud and blackmail.
it would be much more private if ofcom had published an opensource gateway to anonymously authenticate against. (assuming the thing was built properly and verified)
But to the point you are hinting at
Google, meta, apple and $OS makers already track you. This is not an issue of privacy persay, its about who can track you and why. I'd much rather a list of times I access a site that required age verification being stored by the government, than every single fucking page I looked at tracked by google/meta.
The latter is already here.
Formally politicians may be in charge, but at this point most political power derives from within the administrative state.
> its about who can track you and why. I'd much rather a list of times I access a site that required age verification being stored by the government, than every single fucking page I looked at tracked by google/meta.
It is about what abuses can happen from that info. Google could sell your data. The government can imprison you. You don't think Trump wouldn't try to collect info on his opponents and weaponize the DOJ against them?
That's why they are still appealing to sentiment rather than established research (which actively refutes the arguments they are making).
which begs the question, In preparation for what?
Alien disclosure.
In 1953, Eisenhower signed a pact with the Zeta Reticulans (grey aliens) at Holloman Air Force Base. This pact set in motion a century-long program of preparing humanity for the alien disclosure. Communication must be controlled at a global scale, to avoid mass panic and the collapse of society when the disclosure is announced.
Precisely. The people in power would love nothing more than to stop “disinformation” (facts that cause social unrest).
Yeah. Didn't you find your dad's dirty VHS tapes when you were young? I'm sure most of us did. And we turned out fine.
And no, porn isn't more extreme these days either. I remember seeing bukkake, golden showers etc on borrowed tapes and hacked pay TV. BDSM existed back then too. And I had some pics of a girls face surrounded by male members and their output. Never once did I think this would be a normal thing to do with my girlfriend once I got one.
And these things are still gonna happen. Teens are going to go through their dad's phone when he's sleeping, find his stack of Blu-ray's or vids on this computer. Even with all this age verification stuff. I don't understand why we suddenly think that's the end of civilization.
> Yeah. Didn't you find your dad's dirty VHS tapes when you were young? I'm sure most of us did. And we turned out fine.
Were they delivered to you in truckload volumes every day, including tapes recording executions, child molestation, foreign political propaganda, domestic political propaganda and misleading advertisements?
Every day, any day, unlimited quantities? Including giving your phone number to any strangers anywhere in the world so they can talk to you without limits, supervision or even parental knowledge?
No?
Then let's perhaps stop pretending that millenial internet free childhood is a thing that exists and let's talk about actual modern issues.
> I don't understand why we suddenly think that's the end of civilization.
Because they've been told to think it by the combined forces of Meta and the Heritage Project. They spelled it all out in Project 2025, a check list which has been followed nearly to the letter. They're also rampaging through libraries and trying to keep books of the shelves.
Conservatives don't like porn, because controlling sexuality is part of the cult playbook to control people. (Addendum: they don't like other people having it. They're hypocrites, of course.) They also want to, while instituting a backdoor ban on porn, define everything else they don't like as pornography. Project 2025 repeatedly uses the term "pornographic" as a synonym for for LGBT issues and other things.
The goal, after de-anonymizing the Internet, is specifically to control access to information and entrench their fascist Overton window shift.
They're really sore that many Millennials and Gen Z had the internet as an escape hatch from local, abusive churchy bubbles and want that locked down going forward.
Haha a backdoor ban, I see what you did there ;)
And yes that usage of the law by linking LGBT content to porn is something I've seen in Europe like in Hungary too. But even in the Netherlands, one of my friends is always foaming at the mouth about schools mentioning lgbt in sex ed class. When it's the most important time to prevent people needlessly struggling with their orientation.
Luckily where I live this isn't a thing and it's still very pro lgbt. The city always makes a huge deal about pride month with posters and events everywhere.
I do worry about the control over the internet too. And I've seen it coming for a while. When I was younger there was this WAN movement where people connected their WiFi networks together with parabolic dishes and the government was always trying to prevent and discredit that saying it was used for illegal file sharing (which it was but so is/was the internet).
I'm not so worried for myself because I'm so technical, whatever restrictions they come up with I can work around them. But most people aren't that lucky.
I was thinking that some kind of permanent physical attachment with passive electronics could be given to children, like an ankle bracelet used for home curfew, monkey's headband, a dogs shock collar, or just a nice bracelet, call it MoB, which couldn't be removed until they are of age. Devices they are given could be associated with those devices and not usable without them, if they disappear from passive scanning then they have been tin-foiled, etc etc. I've not seen any discussion of this type of approach which gives children something to aim for - freedom, and tallies with human historical culture as well.
They very much aren't good enough yet. I'm a highly technical user and have had to move to using MDM tools to actually have something that works reliably.
I think their point is to protect kids who have parents so tech illiterate they do not know how to manage parental controls.
Having seen some parents I kind of believe it but not to the point of wanting to implement ID tracking on everything.
Have decent defaults. “Is this phone for a child” and “scan this wr from parents phone”. 90% of problems solved.
That said while Apple does a good job at parental controls, Microsoft is altered. Trying to have controls on Minecraft across a windows laptop and a switch involved a multi hour odyssey, creating tons of accounts for parent and child.
Or, just incentivize or mandate stores to sell "child-certified" phones with parental controls pre-configured (along with a physical plug-and-play usb key for parents disable them when the child is old enough).
People aggressively attacked the proposal of California to add parental controls into OSes, so I'm not sure if that would fly.
You've got to be really on the margin of society to not be able to set it up when every grandma and her dog use smartphones. There're about 1000 different ways to improve the lives of such people without making everyone use their government ID when scrolling Instagram.
I consider myself fairly tech literate and parental controls are incredibly hard to use correctly. I ended up just setting up an android phone with an MDM, because as someone with a sysadmin background it was far easier for me than anything I could find targeted at parents.
The local school district has been issuing iPads to kids for about a decade, and they still haven't figured out how to block exactly what they want blocked. The system they give parents for monitoring the iPads is a joke (Apparently my kid spent 75% of his iPad time the last week of school on sites categorized as "web").
I am a member of FIRE, I am extremely opposed to the mandatory ID laws, but the state of parental controls is phenomenally bad and saying you have to be "on the margin of society" to not be able to set it up is so far from my experience that I couldn't help but to respond to this comment.
I'm not sure what the solution is; a lot of people have suggested requiring sites to send categories (e.g. if every social media site was self-tagged, then blocking social media could be just a single check box in parental controls), but that probably isn't constitutional in the US (Compelled speech is usually banned under 1A grounds), and is subject to too much interpretation (seems unlikely that all 50 states would agree on a definition of "social media" much less "pornography").
Having devices send the age out to sites seems strictly better than ID checks to me, but is still a "one size fits all" approach to parental controls, I worry that if that became the norm the already mediocre controls that exist would atrophy, and it certainly would make it easier for malicious actors to setup a website to target minors.
I don't understand why the act of buying internet access isn't considered a parental control. I doubt very many kids are doing it or can.
Ok, but parents buy internet access and then let their kids use it, because the kids need it for school. So? The parents job is to keep their kids out of trouble. Learning how to keep track of what their kids access shouldn't be difficult, and maybe should be part of the obligation parents have, kind of like their obligated to teach their kids to drive before giving them the keys to a car. Its analogious to saying "kids shouldn't walk home from school or be let out of the house at all because they might wander into a nude beach or join a drug smuggling satanic cult". Most of us don't hold that view because we trust that kids can be taught to be vaguely responsible.
What's more: tools to shield the kids have been around for longer than most of the parents have been alive at this point. The problem is pretty much solved in multiple ways, and wouldn't even be a problem if parents only followed their basic responsiblities. Also it isn't a problem in the first place, I haven't seen any clear, undisputed evidence that shows that kids are degenerating into fiends because of looking at adult stuff on the internet.
> The parents job is to keep their kids out of trouble. Learning how to keep track of what their kids access shouldn't be difficult
Unfortunately it is, but we could fix that with only minimally invasive legislation. Right now you either whitelist which breaks half the internet on a recurring basis (things are constantly changing) or you blacklist which is swiss cheese. Either way you're relying on third parties.
I think it would be much better to legally mandate a certain minimum level of self classification for website operators along with a simple and extensible scheme for communicating such. It might also be useful to mandate that devices ship from the OEM with parental control software supporting that standard but honestly I doubt that's necessary - if their were a standardized and above all reliable signal available I think browsers and operating systems would rapidly adopt support for it.
Exactly! We already have content tags on TV/Movies, just extend it to the web and make mandatory.
I imagine it could be not trivial to enforce (esp. for offshore web) - but definitely easier than enforcing the same sites to implement much more complicated identity verification (while preferably also not leaking this data).
But that might not even be necessary. A small on-device AI can probably do a decent job classifying pretty much everything we don't want children to see - with and option for parents to override it when needed.
> I imagine it could be not trivial to enforce (esp. for offshore web)
It's quite trivial, actually - the parental control software is designed so that if there are no content tags, then the site does not display. The mandate for websites to tag their content would only need to apply to websites over a certain size, to bootstrap the network effects.
The other option is for the major browsers to refuse to load pages that don't include the tag. I don't think it's a good thing that they can unilaterally dictate web standards but that's the reality so might as well take advantage of it for the better I guess.
I think that's the same option? I'm imagining "parental controls software" as something built into browsers (/ app stores) that can be enabled when you're setting up a new device. Or it can be disabled, meaning no tags would be required, leaving the open web unaffected.
Given that we're at the point where big tech is pushing its regulatory capture legislation aimed at demanding mandatory identification ("age verification" fundamentally boils down to identity verification), I don't think it would be unreasonable for a legislative mandate for every site over a certain size to have to publish tags, and every mobile device manufacturer over a certain marketshare to have to include a parental control solution in the device setup.
Although I'm also left wondering what the state of the art really does look like here, and whether a mandate for tags is even what is needed. The real problems would seem to be twofold - parental controls software isn't included with most devices, and most parents won't go out of their way to seek out a third party option. And second, very few websites aim to serve people under 18, 13, etc to begin with. Rather they like the fiction that their services are "18+" regardless of who is using them. (Mandating tags would serve that last one, but perhaps there is a more direct approach?)
> I think that's the same option?
Not quite. I'm suggesting that adoption could be forced if the major browsers refused to load sites that didn't include the tags regardless of whether or not parental controls were enabled. The end result would be that either your site included the tags or else it would not load without some sort of manual user intervention on every visit on windows, ios, etc.
> leaving the open web unaffected
But the entire point here is that there would be a legal mandate for all sites to carry such tags. The goal is to fix the problem that parental controls are spotty and unreliable at best.
> The real problems would seem to be twofold
It's as I previously explained. None of the current options are particularly good even if you are a parent that cares and is willing to invest time and effort.
> they like the fiction that their services are "18+" regardless of who is using them.
That's due to not wanting the liability of a mishmash of laws from different jurisdictions. Nearly all of them treat an 18 year old as an adult so problem solved.
That's entirely separate from these tags BTW. The idea isn't for the site to communicate some arbitrary age appropriateness signal that they as a third party to the family couldn't possibly know. Rather it's to communicate classes of content such as porn, gambling, violence, social media, user generated content, games, that sort of thing.