This is perhaps a controversial statement from someone who is fed up with all this age verification stuff, but having the user age be set on account creation (without providing ID or anything dumb like that) doesn’t seem that bad.
It just feels like a way to standardise parental controls. Instead of having to roll their own age verification stuff, software like Discord can rely on the UserAccountStorage value.
If it were possible to plug into a browser in a standard, privacy conscious way, it also reduces the need for third party parental control browser extensions, which I imagine can be a bit sketchy.
OSes collect and expose language and locale information anyway. What harm is age bands in addition to that?
What’s bad though is that it’s meaningless. Sure the OS can say you are 10 years old or 100 years old and you can’t change it… but then you open a page in your browser which runs a virtual machine and that VM now says you are, arbitrarily 50 years old. The VM is just another piece of software but put it in fullscreen (if you want) and voila, you are back to declaring whatever age you want to any application or Web page within that VM. If that’s feasible (and I fail to see how it wouldn’t, see countless examples in https://archive.org/details/software or https://docs.linuxserver.io/images/docker-webtop/ even though that’s running on another machine, so imagine that was a SaaS) then only people who aren’t aware of this might provide a meaningful information on the actual age but that’s temporary, the same way more and more people now learn to use a VPN.
I mean, ultimately it can always be worked around… even if you were to add stronger forms of identification, a kid can take the parents card / ID / DNA sample / whatever when they are distracted and verify themselves. If a kid is smart enough to set up a VM like that they are smart enough to deceive adults. Teenagers have been finding easy ways to get to forbidden stuff for centuries.
I’d much prefer if the source of trust is in the local device, in the OS, that is responsibility of the family to control, and not on some remote third party service offered by some organization in who knows where with connections with who knows who. If parents don’t properly limit the local user account of their kids, or restrict access to the places they don’t want, it’s their responsibility. Set up proxies, blockers and lock the OS locally, but don’t mess up the internet for the rest of us.
If a kid is smart enough to set up a VM like that they are smart enough to deceive adults.
That’s my point of Internet Archive software and emulation section : no need to be smart, open a Web page that provides a VM and voila. You don’t have to do anything hard, only understand the concept and know where to find a VM.
Also if it’s properly all in the browser (no backend setup, no tailscale, which I’m not sure it can be done due to networking, but maybe) then any static host can have it, heck even download a .html and open it would do. In such a situation I can’t imagine it can be blocked/limited at all.
Yes I also would much prefer everything to be done locally and have no 3rd party that ultimately I won’t trust (one just has to look at leaks from large companies to understand why) still “it’s their responsibility” when I tried to demonstrate it’s fundamentally impossible when emulation exists is a fundamental problem.
only understand the concept and know where to find a VM.
That’s already smarter than most of my relatives.
I’d argue that controlling / monitoring where a kid goes should already be responsibility of the parent.
If it’s all in the browser then the unprivileged user is at the mercy of whatever rules the installed browser establishes for allowing them access to. So it’s a battle between the parent (helped by the OS) being smarter at setting up local restrictions / monitoring history and the kid being smart enough to break them / act undetected.
I think the idea here would be that the OS would be able to tell the browser (or any app) that the user is only allowed content of a particular target age group, and then the browser (or whichever app) would apply any appropriate restrictions (which could include restricting virtualization primitives like WebVM, other js APIs or even network-level filtering if that’s what it takes).
You can also advocate for making use of the “guest wifi AP” many routers already provide to ensure the access to the internet for their kids is done in an allowlist basis. To the point that the kid would have to be “smart enough” to break through the WPA encryption of the main wifi access point (or find out some other social engineering way to get access to that wifi) in order to have fully free access to the internet and visit websites that allow them to circumvent age restrictions.
It just feels like a way to standardise parental controls.
Then focus on that instead of pushing age laws.
And we all know this “Think of the children” is never about the children.
Next will be compliance through secureboot and TPM.
Parental controls means the control is done by the parents… not by the companies. I don’t need to tell any company what age bracket my kid might be, all I need is for them to tell me how can I block / restrict access to their services in my parent-controlled network (or how to allow them, if using allowlist).
Standardization of parental controls would be if routers and/or the OS of the devices came with standardized proxy settings that allowed privoxy-style blocking of sites in a customizable way so we can decide which services to allow… with perhaps blocklists / allowlists circulating in a similar way as adblockers do.
If a web service wants to offer a highly restricted and actively moderated kid-friendly version of their service, they are the ones who need to provide facilities to us so WE can make the filtering (say… they can use a separate subdomain… or make use of special http headers that signal for kid-friendliness), not ask personal information from us just so THEY can take the decision on our behalf…
Someone else had brought up in the past few days that parents either don’t know that parental controls like this exist. Or they don’t care.
This law puts that age setting front and center and allows apps, like Discord, so say “no <13 year olds”. I think where this maybe gets tricky is if an app says “only <13 year olds”. As like people have said there is nothing stopping people from lying, and that is a two-way street.
No. All this law does it promote more data collection and impose more restrictions.
They don’t care about the children and, even if they did, it’s the parents’ job to parent them.
By “this mess” are you referring to Ch. trafficking? I’d say the responsible people for that are the ones running the criminal rings… but the responsibility for prevention (beyond just plain law enforcement) should still ultimately be with the parent, imho. Since they are the ones with the most power and control over the environment the child is exposed to (I mean, it does not matter how many authentication layers you add, ultimately a child can pass it if they use the parent’s ID…).
If by “this mess” you mean the risk of leaking private information that everyone is concerned about, I don’t think that’s really caused by the “leave it to parents” mentality… if anything, that’s caused by the “parents shouldn’t have the responsibility” mentality, which is pretty much the opposite…
No. I am more referring to how we left parents to let their children have free reign of the internet and they got injured. It is exactly because we cannot trust parents to moderate what their children do online that these laws are coming up. Do you think we would still get these laws if there were no children on the internet (maybe still for pron but that is because people are prudes).
I see that you edited your comment to take this part out but I do want to talk about it anyways.
You compared this to having automatic roads that shift risky drivers to their own space and how that would be ridiculous. Which it would be. But comparing a law like this to driving is an awful comparison.
Until recently there were very few laws regulating what a child is allowed to access online. But that is just not the same as driving. States require that you get a license, take a test, follow road rules, get your vehicle inspected, and many more requirements. We have these requirements because we know that we should not let an untrained driver on the road.
This is perhaps a controversial statement from someone who is fed up with all this age verification stuff, but having the user age be set on account creation (without providing ID or anything dumb like that) doesn’t seem that bad.
It just feels like a way to standardise parental controls. Instead of having to roll their own age verification stuff, software like Discord can rely on the UserAccountStorage value.
If it were possible to plug into a browser in a standard, privacy conscious way, it also reduces the need for third party parental control browser extensions, which I imagine can be a bit sketchy.
OSes collect and expose language and locale information anyway. What harm is age bands in addition to that?
In theory yes.
What’s bad though is that it’s meaningless. Sure the OS can say you are 10 years old or 100 years old and you can’t change it… but then you open a page in your browser which runs a virtual machine and that VM now says you are, arbitrarily 50 years old. The VM is just another piece of software but put it in fullscreen (if you want) and voila, you are back to declaring whatever age you want to any application or Web page within that VM. If that’s feasible (and I fail to see how it wouldn’t, see countless examples in https://archive.org/details/software or https://docs.linuxserver.io/images/docker-webtop/ even though that’s running on another machine, so imagine that was a SaaS) then only people who aren’t aware of this might provide a meaningful information on the actual age but that’s temporary, the same way more and more people now learn to use a VPN.
I mean, ultimately it can always be worked around… even if you were to add stronger forms of identification, a kid can take the parents card / ID / DNA sample / whatever when they are distracted and verify themselves. If a kid is smart enough to set up a VM like that they are smart enough to deceive adults. Teenagers have been finding easy ways to get to forbidden stuff for centuries.
I’d much prefer if the source of trust is in the local device, in the OS, that is responsibility of the family to control, and not on some remote third party service offered by some organization in who knows where with connections with who knows who. If parents don’t properly limit the local user account of their kids, or restrict access to the places they don’t want, it’s their responsibility. Set up proxies, blockers and lock the OS locally, but don’t mess up the internet for the rest of us.
That’s my point of Internet Archive software and emulation section : no need to be smart, open a Web page that provides a VM and voila. You don’t have to do anything hard, only understand the concept and know where to find a VM.
Also if it’s properly all in the browser (no backend setup, no tailscale, which I’m not sure it can be done due to networking, but maybe) then any static host can have it, heck even download a .html and open it would do. In such a situation I can’t imagine it can be blocked/limited at all.
Yes I also would much prefer everything to be done locally and have no 3rd party that ultimately I won’t trust (one just has to look at leaks from large companies to understand why) still “it’s their responsibility” when I tried to demonstrate it’s fundamentally impossible when emulation exists is a fundamental problem.
PS: FWIW https://ktock.github.io/qemu-demo/
That’s already smarter than most of my relatives.
I’d argue that controlling / monitoring where a kid goes should already be responsibility of the parent.
If it’s all in the browser then the unprivileged user is at the mercy of whatever rules the installed browser establishes for allowing them access to. So it’s a battle between the parent (helped by the OS) being smarter at setting up local restrictions / monitoring history and the kid being smart enough to break them / act undetected.
I think the idea here would be that the OS would be able to tell the browser (or any app) that the user is only allowed content of a particular target age group, and then the browser (or whichever app) would apply any appropriate restrictions (which could include restricting virtualization primitives like WebVM, other js APIs or even network-level filtering if that’s what it takes).
You can also advocate for making use of the “guest wifi AP” many routers already provide to ensure the access to the internet for their kids is done in an allowlist basis. To the point that the kid would have to be “smart enough” to break through the WPA encryption of the main wifi access point (or find out some other social engineering way to get access to that wifi) in order to have fully free access to the internet and visit websites that allow them to circumvent age restrictions.
Then focus on that instead of pushing age laws.
And we all know this “Think of the children” is never about the children.
Next will be compliance through secureboot and TPM.
Isn’t this an example of pushing for standardisation of parental controls?
Parental controls means the control is done by the parents… not by the companies. I don’t need to tell any company what age bracket my kid might be, all I need is for them to tell me how can I block / restrict access to their services in my parent-controlled network (or how to allow them, if using allowlist).
Standardization of parental controls would be if routers and/or the OS of the devices came with standardized proxy settings that allowed privoxy-style blocking of sites in a customizable way so we can decide which services to allow… with perhaps blocklists / allowlists circulating in a similar way as adblockers do.
If a web service wants to offer a highly restricted and actively moderated kid-friendly version of their service, they are the ones who need to provide facilities to us so WE can make the filtering (say… they can use a separate subdomain… or make use of special http headers that signal for kid-friendliness), not ask personal information from us just so THEY can take the decision on our behalf…
Standardization of optional parental controls (and accessibility while we’re at it) would benefit most linux distros imho.
Someone else had brought up in the past few days that parents either don’t know that parental controls like this exist. Or they don’t care.
This law puts that age setting front and center and allows apps, like Discord, so say “no <13 year olds”. I think where this maybe gets tricky is if an app says “only <13 year olds”. As like people have said there is nothing stopping people from lying, and that is a two-way street.
No. All this law does it promote more data collection and impose more restrictions.
They don’t care about the children and, even if they did, it’s the parents’ job to parent them.
Leaving it to parents is the reason why we are in this mess.
By “this mess” are you referring to Ch. trafficking? I’d say the responsible people for that are the ones running the criminal rings… but the responsibility for prevention (beyond just plain law enforcement) should still ultimately be with the parent, imho. Since they are the ones with the most power and control over the environment the child is exposed to (I mean, it does not matter how many authentication layers you add, ultimately a child can pass it if they use the parent’s ID…).
If by “this mess” you mean the risk of leaking private information that everyone is concerned about, I don’t think that’s really caused by the “leave it to parents” mentality… if anything, that’s caused by the “parents shouldn’t have the responsibility” mentality, which is pretty much the opposite…
No. I am more referring to how we left parents to let their children have free reign of the internet and they got injured. It is exactly because we cannot trust parents to moderate what their children do online that these laws are coming up. Do you think we would still get these laws if there were no children on the internet (maybe still for pron but that is because people are prudes).
I see that you edited your comment to take this part out but I do want to talk about it anyways.
You compared this to having automatic roads that shift risky drivers to their own space and how that would be ridiculous. Which it would be. But comparing a law like this to driving is an awful comparison.
Until recently there were very few laws regulating what a child is allowed to access online. But that is just not the same as driving. States require that you get a license, take a test, follow road rules, get your vehicle inspected, and many more requirements. We have these requirements because we know that we should not let an untrained driver on the road.
What reason is that? What mess? I don’t give a shit what other people’s kids do on the Internet.