The only device mandates that should be taking place is for the default installations of web clients should be checking to see if parental controls are enabled. This only impacts the major browsers. An intern at each browser company could add this check in minutes. If they are enabled and the person logged in is on a regular account (not admin or power user of sorts) then the base installation of web clients must check for an RTA header [1]. If present, prompt for a override password and also give the option for the admin to approve-list the domain at that time. That's it. Not perfect, nothing is or will be.
The only thing server, platform, website, service providers should be doing is setting an RTA header if the content could possibly be adult or user-contributed content that could dynamically become adult, moderation aside. This knocks out two issues with one fix. Small children don't see much if any adult content and they are kept off social media until the admin (parent or legal guardian) approves it.
If a site is not adding the RTA header then progressively fine them into oblivion. If they accept the fines as the cost of doing business then seize everything and put everyone in GenPop. An intern could enable the header in 5 minutes.
All legislation regarding age verification must revolve around this otherwise people must reject it as an abusive form of tracking and privacy invasion. The focus should be on small children as teen share porn, warez, movies and such within Rated-G games.
Bold of you to assume that lawmakers have any common sense when it comes to technology legislation. It could have taken 3 interns 3 hours at each browser company to implement a cookie consent standard 15 years ago, yet here we are in cookie banner hell.
I think the header/metatag is designed poorly. The RTA proposal is that every operator of every site must verify the content and add the header to mark the site as "safe" or "unsafe". This is unnecessary burden that they have to bear if this proposal is given a green light and this is wrong.
Instead, the default should be, that if there is no header or it cannot be parsed, then the content is unsafe. And if there is a header, it describes the page rating, like what kind of dangerous content it may contain. The header may be added to any displayable content like HTML, text, images, audio or videos, but not to machine-readable content like JS files or AJAX responses.
So only those who wants their site to be accessible by minors, have to add headers. For social networks, the user might have an option to mark his content as "safe".
This means that with my proposal existing site operators need not to do anything to mark their sites as "unsafe" - all sites are "unsafe" by default. This means that millions of site operators need to spend 0 dollars to adapt their sites. How great is that?
The browser on a device with parent mode, should not allow displaying any content which doesn't have a header or that is marked as unsafe, or that contains header with invalid value. The parents may whitelist some sites.
There should be a reponsibility for intentionally marking unsafe content as "safe". We should also think what to do with foreign operators, intentionally putting invalid headers for unsafe content. Maybe they should be added to some kind of blacklist that the browsers would periodically update.
Search engines like Google could work by default in "safe" mode, but add "unsafe" header if the user wants to turn off restrictions.
> If a site is not adding the RTA header then progressively fine them into oblivion.
I think my proposal is better because it requires only fining those who intentionally misrepresent content safety.
Yes, exactly, this should be really simple as a foundation: by default the Internet is for adults. All of it. Where it's desirable for things to be available for kids, create the economic incentive and easy tools for parents to use and run on a white list, not a black list.
I'd actually go somewhat further though and ask whether it's a good idea to even do this via web pages at all. We have a great potential system for this already: DNS. Do something useful amongst all the ridiculous vanity and spam TLDs for once and set up a ".kids" gTLD, or ccTLD for that matter so that different countries can set their own regulatory standards naturally (ie, .kids.us, .kids.uk etc). Domains could also be used for some broad buckets for people who don't want to drill in, ie, .1-6.kids, .7-12.kids, .13-17.kids, or whatever is deemed appropriate, but simple age brackets that would offer some sane defaults. 1-6 could simply not allow any ads, user generated content or algorithmic feeds whatsoever for example. There are a lot of knobs to turn. And then at the registry level it can be ensured from the get-go that anyone getting a .kids domain is fully identified, located in the country in question, has valid ID, has specific credentials or is an accredited organization, or whatever other criteria makes sense.
But ultimately the point would be to create something that is built right from the ground up, and in turn that doesn't interfere with what has already been built at all. Something that can also be worked with at the gateway and thus cover every device on a LAN, and for that matter can easily be plugged into the vast number of powerful tools we have for working with that stuff. It'd be easy to put a nice UI on all this, even to make it higly automated. For example, have a setup wizard where you enter children, put in date of birth for each, and it'll spit out a password for each one. This then auto-provisions the network such that each kid has their own VLAN (password for PPSK or even wired connection) and is automatically limited to the domain groups of their age bracket, which then changes as their age changes.
Parents should be able to dig further in and get more granular with content categories, metadata for which could be required for anyone hosting a site within that domain, but I think there is the potential to make something both pretty bullet proof and pretty accessible, using existing tech stacks, and without impinging on the present internet at all including privacy and anonymity.
For what its worth this header has been around for a very long time. It's actually the second iteration and much simpler than it's predecessor.
Parents today can accomplish what you are suggesting by installing parental control software and only allowing access to things they explicitly approve.
This can also be done via headers explicit blocking of all the things and was suggested in another thread. [1] Some people liked the idea.
The point is that it is unrealistic to expect millions of people to mark the content. Also, the header is better than the metatag because it can be added to images, videos and other non-HTML content as well.
I tend to agree - making folks intending to interact with minors comply makes more sense.
That said, outside of the merits of this approach, I am dubious of any actual implementation given 2 points.
1) Protecting the youths will always be a leaky bucket. With disadvantaged youths possibly more at risk. Those exposed to non-compliant parents ("cool" parents who are ok with sharing unsuitable content) or lacking strong parental involvement, likely won't benefit a great deal from any implementation.
2) Anti privacy social networks stand to gain the most from targeting ads utilizing signals from most child safety acts. They also might be able to reduce some costs from moderation if they can make it someone else's problem. I'd argue the net social impact from these social networks is likely both more normalized and strongly negative for our youths than any smut.
On the balance I'd say we are better off investing our energy in other places.
> "cool" parents who are ok with sharing unsuitable content
Or simply parents who won’t agree with whatever the government thinks is suitable for their children.
We already have parental control on all mainstream operating systems, why cannot this simply be the responsibility of the parent as are so many other things regarding what children do, watch, eat etc?
The header (for videos and other) was mentioned in [1]. I agree that is the way to go.
Adding a header to a web server or load balancer or app server if done globally can be done in a minute or two. Maybe 5 minutes for the intern not counting QA testing.
But you are right, the inverse is easier. I like that too. That was debated in the other recent thread.
This is correct. It is not the government's job to raise our children. The more we ask the gov't to do that we should do, the less power we actually have. Some will say this ship has sailed, well, I say it's not too late to sink it.
On the other hand, I know several "home-schooled" people [0] who literally can't even read and later married people more than twice their age or had other serious deficiencies in their life potential. The government can probably step in a little more here and there.
[0] I also know home-schooled people whose parents are far better than any teacher I've ever had and whose education and achievements reflect that obvious fact. Home-schooling itself isn't the issue, and I'd prefer that it remain possible.
Nobody here disagrees. What should be the case is that sites are broadly required to flag what kind of content they serve so parents can choose to exercise their own level of desired control.
I am sick of these "government bad" takes. They lack constructive suggestions, like your "sink it" nugget, they lack decent problem descriptions, as if anything after the sinking (likely private governance, aka feudalism) is immune to the ills of big-gov, and on top perpetuate reductivist arguments as if any kind of restrictions of freedom is by definition bad.
This broad rejection without good reasons is borderline sociopathic. ... and parental control is not the gov raising anyone.
Friend, we have a fair amount of suggestions ( including constructive ones! ). Do you know why? Because we mostly know how to make education decent for individual students like:
- keeping class sizes small
- keeping class within similar development range ( AP with AP. short bus with short bus )
None of it is a secret, but government can't (edit:or won't) make it happen. Hence regular people just doing the best they can within the system at their disposal.
And I am sick of people constantly wanting every single aspect of life regulated by the government. You guys need to understand that government isn't static and society changes. The rules you come up with today are going to get in the way in unexpected ways tomorrow. Regulations should only happen if you can demonstrate that it substantially improves things in a measurable way.
Eg "if you ban cellphones in schools then average test scores (on tests like PISA) will substantially improve". Or something else like that.
>This broad rejection without good reasons is borderline sociopathic.
It's sociopathic to not want the people in control to constantly make up new arbitrary rules? I guess we just need a few more Patriot Acts and Snoopers Charters.
"And I am sick of people constantly wanting every single aspect of life regulated by the government." We're carting that strawman out again? What folks mostly want is for private industry to collectively display something approximating business ethics and maybe self-regulate away from objectively harmful/predatory behavior. The last few decades have very clearly demonstrated that there is literally no bottom to private industry depravity unless one is literally forced in place by legislation.
What's really wild is 9 times out of 10 when you back a crypto-libertarian into a rhetorical corner far enough to get them to drop their pretenses what you're left with is "OMG YOU ARENT MY DAD" is, at least in their mind, a cogent political philosophy.
A lot of us who grew up pre-social-media agree in principle.
What it fails to account for is that today's internet is qualitatively different from the pre-social-media, pre-smartphone internet. The vast majority of the internet audience, too, is qualitatively different. Incentives are misaligned for an average parent who might want to keep a tight leash on smartphone internet access for their kids, when attempting to do so will generate fierce opposition from their kids and leave them socially out of the loop.
In some countries they scan you ID and likely keep it some database when you buy drugs or enter bars or clubs. In others they just look at your ID card if you don't look old enough.
The first example is bad, the second is tolerable.
But the reason most kids don't smoke is that the parents and the teachers instilled in them that it was bad. If a kid wants to smoke or drink, they can surely get an older friend or a friend of a friend to sell them the cigarettes or alcohol. Anyone can buy 20 bottles of hard liquor and 50 packs of cigarettes, sell them to a 15 year old who can then sell them to their friends. That doesn't happen often not because a surprise police raid will show up and bust the seller but because there isn't enough demand. If there is demand from the kids and the parents don't care, kids will get their hands on drugs. Maybe not 9 year olds but certainly the teens.
Well lack of age verification definitely isn't fixing anything either so what's they play here? We all just collectively as a society just shrug like oh well, no fixing any of that?
I agree fundamentally and ideologically but we are past that point. The toothpaste is already out of the tube as they say. There will be restrictions so all I can do is suggest more sensible restrictions that keep the control on the client side and do not share data. Any data shared can and will be abused, leaked, sold, stolen without consequence.
We are not past the point at all. Any democracy can ultimately decide on laws and regulation. Why would you wish to insinuate otherwise here? California could easily decide to not implement such laws, for instance.
That data leaks out is always a given. So, gather less data. Ideally none. But this is not a discussion about data. This is a discussion as to what state actors think they are allowed to do. It is an attack on private life of people. See the combined strike against VPNs.
I heard that lie about "sensible restrictions" so many times, now I am waiting for "sensible violence", "sensible beating to death" and so on. It is a false argument that "there will be restrictions so all I can do is suggest more sensible restrictions", what you can do is recognize that "no restrictions is an option".
It is like negotiating with a terrorist that wants to kill you and this is his starting position and then he wants to agree on some compromise, like seriously beating you. There is no negotiation.
I agree with you, as a longtime free speech believe.
but... I would also like to keep my kids from seeing the very worst of the internet before they're ready to handle it. I tried using a PiHole but Firefox DNS-over-HTTPS nullifies that now. It's not realistic for me to be watching over their shoulders 24/7; what can I do to keep them away from stuff 99% of people agree isn't for children to see, without something like this?
Unbound DNS if compiled with --with-libnghttp2 can listen for DoH and your Unbound/Pihole can forward to any destination you desire. This is what it looks like on my firewall:
# https://doh-int.mydomain.net/dns-query
interface: [ip of lan port]@443
interface: [ip of wifi port]@443
https-port: 443
http-max-streams: 220
tls-service-key: "/etc/unbound/keys.d/unbound_server.key"
tls-service-pem: "/etc/unbound/keys.d/unbound_server.pem"
Null routing the open DoH resolvers is just having a startup script that reads a list of all their IP addresses and
ip route add blackhole "${IP}" 2>/dev/null
People will argue that DoH can run on anything which is true but all the major resolvers will always use dedicated IP addresses as to not risk blocking CDN end points.
If the childs account is not able to gain admin privs then their ability to change settings can be disabled.
OK but we're talking about a general social problem (parents understandably don't want their kids corupte dby adult stuff, and some adult services vendors are unscrupulous but the internet makes it easy for them to hide.
I personally think this current version of the legislation is a good compromise. Tech workarounds are fine for the few of us that understand the relevant technology (though I have never bothered to compile DNS in my life and have no plans to do so in the future), but they are simply not practical for most people. Every time I hear someone suggesting this sort of thing I find myself tempted to say 'why worry about legislation? If you don't like what it mandates you can just write your own operating system.'
Of course this would not be helpful because writing your own OS is extremely hard beyond classroom/toy examples. And likewise, tech workarounds and even parental controls are hard for most consumers - partly by design. I have an xbox console and have been trying to figure out why it keeps freezing on certain apps for months now. I suspect a telemetry problem but it's just a guess, there isn't really any way to look at logs so it's a trial and error process because most consumer hardware/application vendors want their products to be black boxes.
> I personally think this current version of the legislation is a good compromise.
I don't think it is a good compromise. It seems to cover the wrong use cases.
My use cases have nothing to do with children on any level. Why would I want to submit to government restrictions? That makes zero sense.
It's as if the right-to-repair-movement would suddenly be undermined by a lobbyist advocating how restrictions are great. Or Jackie Chan suddenly praising the sinomarxist mono-party.
I'm sure than intelligent person like yourself understands that a lot of voters have kids and prioritize feeling that their kids are safe, even if those feelings are not always grounded in rationality. Most people shy away from complexity.
If one kid is able to bypass the system it means it's zero percent effective. Same thing with alcohol, and cigarettes. Especially if it means I have to show my ID to buy those things.
Some kids getting access to booze here and there with planning and coordination is different from kids walking into a liquor store or bar whenever they want.
Just like no past generation had so much information so readily available. One quick quip can always be rebutted by another quick quip, but it doesn't really move the conversation along in any meaningful manner.
Here we talk about use cases for EVERYONE. I don't see how your use case is fine for me, because I personally do not agree with it on any level at all whatsoever. You believe in restriction. I don't. There is no common ground here.
> It's not realistic for me to be watching over their shoulders 24/7
Is this your job? At which age will you stop monitoring them?
> what can I do to keep them away from stuff 99% of people agree isn't for children to see
99%? Where do you get those numbers from?
Besides, what stuff anyway? Even then the issue isn't about your kids. It is about laws for EVERYONE.
Teens for sure bypass all restrictions. Teens are young adults. My suggestions are for small children. Once a small child evolves and adapts to their surroundings, they too will one day bypass things. Reward them when they do this, it means they're smart and you did a good job.
How do you propose doing age restrictions for social media?
These are broadly popular. (And the evidence supports them.) They are happening. So the question is how to do it best. The project for reversing the consensus isn’t worthless. But it’s a long-term project that will have to bear fruit after these restrictions go into effect, if ever.
Voters are collectively deciding for all of our children. And there are absolutely group dynamics that require cooperation. It’s why rich communities ban phones in classrooms while in poor communities, the one family that tries doing it alone is probably going to be less successful.
Again, I’m not saying you’re fundamentally wrong. Just that this debate has been had and the polling is massively in favor of bans for under-14 year olds and strongly in favor for under-18s. (And to the degree I’ve connected with electeds, the folks calling in and writing were almost 100% one way. The civically-engaged electorate is practically at consensus.)
I've emailed politicians as have others but only received boilerplate thankyou's. I suspect the real reason is kick-backs but they will never admit it.
No harm in people reaching out to their politicians state and federal. The more people that bring it up the better. Let them know your childrens data will not be shared and when the data is leaked you will hold the politicians accountable.
Well, if the concern is they might miss out on revenue from a small child accessing their site and they are not a child specific site then perhaps they should be pushed out of the market one way or another.
I largely agree, but the RTA header doesn't seem to be good enough for most websites to use. When a website wants to block browsers with parental controls on, but it isn't porn and it shouldn't be blocked by SafeSearch, what do they do?
They stop trying to put everything in a different category and treat RTA as the person under the age of consent must get approval from their parent or legal guardian. Keep it simple.
I imagine Google wants to distinguish between websites that want to be blocked by SafeSearch, versus websites that want to be blocked when parental controls are on? There's no reason to leave that ambiguous. Plenty of adults have SafeSearch on.
Defining a new header isn't hard; the hard part is getting consensus and adoption.
For what it's worth this header has been around for a long time. It's predecessor (PICS ICRA) was too complicated and started using topics. After a while they added so many topics that even being an abbreviated header it was still massive and confusing. There were websites that people could select all the topics and what not but even then the adoption was low due to complexity and topics constantly changing on sites.
Are today's videos beheading's without blood, with blood, with or without anguish, with nudity, without nudity, etc... After a while it gets out of hand.
It turned out the internet was too dynamic so the RTA header was created to just say "adult".
Correct. Until parent or guardian puts in password next to the text that says "Approve this site, forever."
You gave me an idea. Maybe there could be categories similar in concept to those that exist in corporate firewalls today that say things like:
- News Category (Known to be SFW)
- News Category (That may be NSFW)
- Child friendly sites
- Social media sites
... and so on.
This could be crowd sourced, ideally in a way that can not be gamed. The masses could flag/report false claims. That, or just keep it simple. ad-hoc input of permitted sites by parent.
What is [N]SFW under your definition? I don't think anybody has a problem with children seeing an adult heterosexual couple kissing, but what about a teenage couple? A homosexual couple? A mixed-race couple? A couple with a 40 year age gap? Audible moaning? Groping under clothes? Implied but not explicit hands touching genitals? Dripping saliva and face licking?
The problem with defining categories is that artists will do their best to defy categorization. That has been the nature of art for as long as humans have been making art.
This is a terrible idea and your proposed society is terrible. It doesn’t matter if it’s safe for work; you asked to identify sites with content that can change. Either the parent has seen and approved the content or not.
> If they are enabled and the person logged in is on a regular account (not admin or power user of sorts) then the base installation of web clients must check for an RTA header [1].
Your cite is an earlier post of yours which says
> The one and only method I will participate in is server operators setting a RTA header [1]
and that cites a still earlier post of yours
> I stand by my repeated statements of how this could have been solved simply using an RTA header [1]
which finally actually cites¹ something that explains what the heck on RTA header is.
It would be quite a bit more reader friendly to cite https://www.rtalabel.org/page.php rather than make the reader traverse a linked list of comments to get there.
> The only device mandates that should be taking place is for the default installations of web clients should be checking to see if parental controls are enabled. This only impacts the major browsers. An intern at each browser company could add this check in minutes. If they are enabled and the person logged in is on a regular account (not admin or power user of sorts) then the base installation of web clients must check for an RTA header [1]. If present, prompt for a override password and also give the option for the admin to approve-list the domain at that time. That's it. Not perfect, nothing is or will be.
It's useful to contrast this with the various device-based mandates that have been created in order to get a sense of what legislators seem to be trying to do. With that in mind, a few points:
* What you are proposing allows parents to opt in via parental controls, but age assurance mandates (both device-side and server-side) tend to require positive action to enter unrestricted modes. In some cases (CA AB 1043, for instance), this is just a matter of entering your age. In others, you actually need to demonstrate your age via some technical mechanism.
* While many age assurance mandates focus on adult content, which is primarily consumed via the Web, others (e.g., Australia's Social Media Minimum Age) focus on social networking, which is primarily consumed via apps, so anything that is Web only will not be effective.
* Site-level granularity isn't really fine enough in some cases. For example, the New York SAFE for Kids act prohibits certain behaviors such as algorithmic recommendations when a user is a minor, but doesn't require blocking minor usage entirely. It's potentially possible to implement this with something like RTA, but it would have to at minimum be at much finer granularity.
None of this is an endorsement of age assurance techniques; I'm just trying to help flesh out the situation.
> All legislation regarding age verification must revolve around this otherwise people must reject it as an abusive form of tracking and privacy invasion.
It's a bit late for that, given that around half of US states already have some kind of age assurance mandate.
It's a bit late for that, given that around half of US states already have some kind of age assurance mandate.
Perhaps late to solve this globally but parents can still install parental control software if they so desire and can still intervene locally to prevent sharing data with 3rd parties. At worst this means small children might not get to visit social media and other assorted sites and I am fine with that. I think a number of parents would be fine with that as well.
Sites can voluntarily label as some do. It just means that parental controls would have to default to blocking everything until approved and while sub-optimal maybe that's what people will have to do in order to avoid the evil pattern of sharing data with all the websites that will ultimately leak, or "leak", be sold, stolen, etc... Good parents will not participate in the evil patterns of sharing their children's personally identifiable information.
When the PII of children is ultimately shared with evil people the children once adults will resent their parents for not protecting them.
- To all parents here, your children have no idea what risks are out there including devious companies that want their data. They will one day be adults if all goes well. Protect your children as corporations and governments will not. They will thank you when they find out all their friends data was shared, leaked or otherwise abused forever.
Certainly parents can install parental control software, but what does this have to do with children's PII being shared with sites?
Just so we're on the same page, the way AB1043 works is that the OS determines the user's age and then shares the age bracket with apps. No PII is shared with sites (this is not to say that the age isn't sensitive, but it's not PII as usually regarded). Is your concern here that sites get access to children's information because children visit certain sites regardless of legislation? That's a real thing, but it seems mostly orthogonal to age assurance.
Certainly parents can install parental control software, but what does this have to do with children's PII being shared with sites?
The parent can block or just never approve all the sites that require PII.
but it's not PII as usually regarded
We will never agree here. All the companies I worked for financial considered any attribute of the person to be PII, even their IP address. We were audited very strictly on this. If a users age was disclosed to a third party without their written consent that was a contract violation and came with severe monetary penalties. Parents should expect this to be the minimum standard. It's their children, not the corporation or governments children.
Thanks for your explanation. I understand what you're talking about, but this all just seems to be entirely orthogonal to age assurance mandates, which are largely about controlling which content and experiences minors engage with, in many cases regardless of what parents want.
Again, this isn't an endorsement of these mandates; I'm just saying that what you're proposing here doesn't address the objectives that policymakers who are in favor of these mandates are trying to achieve.
A) Aren't you targeting a completely different problem than this law? It's my understanding that this law targets the collection of the age from the user. What the user agent does with that signal is a different problem, and seems to already be solved, except for the definition of "actual knowledge" which they are trying to establish here.
B) How would your RTA header intersect with content rating in different jurisdictions? What if the content is illegal for children in Turkey but legal for children in Kentucky?
For topic (A) I am suggesting to negate this behavior all together. No more sharing personal data. That evil-pattern must be stopped.
For topic (B) companies can set or not set the header based on GeoIP. Not perfect but GeoIP is already used in load balancers, web servers and applications.
For (A) we have nothing to talk about. I think we fundamentally disagree about how society functions, and we aren't going to knock that out over hackernews.
For (B), your proposal requires the website have a database over current rules in every country they would be accessible from. Would a website then, in your opinion, be responsible for the accuracy of this database? We have to presuppose an official GeoIP source that would then be legally binding and under democratic control, but given such a database, would a website serving a wrong header to an IP associated with a specific country then be committing a crime in that country? What would the punishment be?
For (A) I guess you are right, we won't agree. I do like your username however.
For (B) this is already a thing. Porn sites and already doing this. Instead of blocking a region I am proposing to stop blocking and instead the law permit them to just add a header. The only people I can imagine apposing this are commercial VPN providers.
I think a better example might be places like polymarket (not allowed to operate in us) or usatoday (serves an EU only version with no cookies). The technical limitations on those systems are both GeoIP as far as I'm aware, and that seem sufficient for regulators.
What I find more interesting is that what you want is within the scope of this law. It's only required that the operating system takes in your age from an admin, from there the application (user agent/webbrowser) is supposed to handle the blocking, which it could do with a header as you suggest.
I will note that you are going to find a lot of libertarians that would oppose banning GeoIP circumvention.
> An intern at each browser company could add this check in minutes.
An intern could also just delete the product which would also "solve" this "issue". The fact that it's easy or cheap is not significant to the problem at hand.
> should be doing is setting an RTA header
Many sites will just set the header by default. Now you've created a problem.
> then progressively fine them into oblivion.
This does nothing. See: Ofcom vs 4chan.
> device mandates
Mandate that the device provide an API for child protection software. Then it's up to individual parents to decide to install that software or not. Then we also get competition in this market rather than relying on whatever solution an intern cooked up one day.
Many sites will just set the header by default. Now you've created a problem.
I am not seeing a problem. Kids need not access those sites unless the parent or legal guardian approves it. Sites meant for children would not be adding the header.
> Sites meant for children would not be adding the header.
Is Wikipedia "meant for children?" Should they be fully denied access to it? Should Wikimedia be fined if they make a mistake? If they get fined often enough do you think they'll just turn the header on everywhere in order to avoid risk?
Replace Wikipedia with any other mixed content site you prefer.
Child specific sites would not add the header. Anyone else could. I add it to my hobby sites. Some porn sites already add it to their sites [1]. Shodan can't reach my sites. I do not want small children on my blogs.
Add it to any site not specifically meant for children, that is totally fine.
- Site adds a header if they may potentially have adult content.
- Browser detects header. Prompts for local password to access site.
- Child does not know password, picks a different site or begs parent for access.
- This is now between small child and parent. No third parties, no tracking, no telling website the users age, no local or remote API's sharing data.
- At some point if all goes well the child will be an adult and will thank their parent for looking out for them when all their friends data was sold and abused.
Absolutely trivial and totally comprehensive solution, enabling adult content blocking at the account level, device level, network level, and the ISP level. Could even be expanded to any sort of content blocking, if you want to allow households to restrict access to vaccine critique or criticism of the king without violating the First Amendment or rooting everyone's devices.
The problem is that the point is to root everyone's devices. Anyone explaining how easy this is would be pushed out of the conversation as fast as if they were advocating for single-payer healthcare.
edit: I've been advocating the nearly identical but opposite solution - restricted access sites shouldn't respond to requests that lack an appropriate age/content restriction header. If they do, jail them.
They're literally going to have to do this anyway. Rooting people's devices to force them to lie about their age when they install their operating system is an absolutely fake pretendy solution; the only way it works is if you have to verify your age with some government agency when you install an operating system, in order to make that OS age official. The point is the identification.
No. That requires information disclosure to a third party. The point is enabling device admins better control over local device behavior. We're trying to keep conscientious parents able to do their thing. Not further enable the ability to manage the populace with official registries. If a kid can figure out how to install their own OS without their parent's help, odds are the kid is with it enough to start dipping their toes in the deep end. Or at least until they out themselves in front of their parents. In that case though it's a home problem, not a rest of the Internet problem.
It's still a stupid unconstitutional law, but I see what the aim is, even without strawmanning it.
Thats crazy talk, how are we gonna build a database of computers tied to physical identification of users by which we can monitor, control, and monetize… you’re saying parents should be responsible for their children? How is the state going to be able to exert more control if it doesn’t have ubiquitous surveillance of it’s population!?
/s
Meta has not spent $2 billion lobbying for this or on lobbying altogether.
It’s amazing how that one AI slop project that made this claim got so many people to believe this number.
Spreading this disproven AI slop around isn’t helping. It just makes opposition look like uninformed conspiracy theorists who can’t fact check anything.
There was an AI generated slop report posted to Reddit that went viral. It even got some news coverage before anyone stopped to read the files and discover that it was gibberish.
I still get downvoted for pointing it out and trying to ground the conversation in facts. As you noticed the story continues to thrive on bad news sites and social media.
If you go take a read through the CA bill text that "became law", you'll quickly realize that whomever did write it must live in a very narrow bubble where the only "computers" that exist in the world are tablet style cell phones, the only OS'es that exist in the world are Android and iOS, and the only way anyone installs any software on the only computers that exist is via an "app store".
Meanwhile, while the overall writing clearly indicates the author has a very narrow view of "computers", the definitions of the terms is so broad that every computer, even the tiny embedded CPU in your microwave oven, might just need to ask your age before it allows you to do anything.
The bill was written by Buffy Wicks, who represents me in the State Assembly, who is very good on housing, transportation, and climate, and who should absolutely stay in her lane and not try to legislate platform APIs.
The bill is written 'do good, stop bad stuff by establishing a committee or group to make sure fund good stuff, bad stuff doesn't happen' then the law passes and lobbyists write the details that fund the programs that tax the people that generate the income for companies that donate to the politicians that sell their votes to the lobbyists and interest groups.
California politicians start with the end goal "maintain power, secure revolt, obtain capital, deny failure".
It goes beyond lying to your face. They will be convincingly genuine, heartfelt, while finding a way to extract as much as possible for themselves, by extension their party, by extension the 'government' and do absolutely anything to keep the illusion that you have a choice, a vote, and a voice.
I lived here my whole life. These politicians are evil. Lie, cheat, and steal - deny if caught, punish if provoked.
So are kids not going to have access to llms? Seems trivial to get around this from a technical standpoint for frontier llms no matter how this is implemented.
A cynical person might suspect that the reason they are doing this is so that Linux developers don't have standing to challenge the law on 1st amendment grounds...
This is the classic "what we're trying to do is bullshit on a fundamental level so we're gonna just exempt random things until it becomes a niche issue and we can just do what we want and from there we'll just close all those exceptions over time" move.
Give it 5yr and you'll have idiots in the comments talking about how the "linux loophole" was a mistake and should be closed.
It is an admission from the writers that this law is unrelated to safety and people should very loudly and frequently point that out.
If OSes that don't verify the age of their users are a genuinely unsafe for children, why should they be allowed just because they are open source? That doesn't seem to mitigate dangers associated with age in any away I can identify.
Have you considered that the writers typically have legislative but not technical skills and are just trying to placate upset voters, without really understanding what the optimal solution could be? Reading this and other threads you can see therea re plenty of highly technical people who struggle to articulate what kind of policy they want or what kind of parental controls they want to set up themselves?
It's kind of a hard problem and legislators are inclined picking the lowest hanging fruit. Their primary concern is to not be smeared as child predators by their political opponents at the next election, eg "jwitthuhn voted to give gambling websites, pronographers, and pedophiles easy access to YOUR children - s/he OPPOSED age verification laws on internet sleaze!! Who's jwitthuhn really working for - you, or the people who want to exploit your kids?!!"
One can point out that such electoral pitches are dishonest bullshit until one is blue in the face, but the fact is they work on a lot of voters because most of them are not smart and don't have the energy or inclination to research every issue. And it is true that there are a lot of hustlers on the internet who are willing to either passively or actively exploit kids, and the anonymity, non-locality, and technical complexity of the internet makes that relatively easy to do and hard to prosecute. Legislators offer simplistic solutions because that's what a most of the public wants, and people often make their voting decisions based on emotional factors rather than cold rationality.
You don't need mustache-twirling villains saying 'let's impose burdensome techn regulations that perpetuate oligopolies and allow me to make another trillion dollars, a few million of which I'll send your way, mwhahahaha' to get shitty legislation (which is not to say they don't exist). It will emerge naturally by default if other conditions are right.
That’s exactly what it is. It removes standing, and that is a major flaw in our legal system. We need significant changes to defend constitutional rights properly.
This is the whole 'opt-in vs opt-out' at a high level. A better law would be crafted like 'some services have been determined to be harmful to minors and require age verification. Those -specific- services shall have these specific mitigations.....' Facebook and others should have a clear legal distinction of 'harmful to children' and then the law kicks in.
Not just Linux. More specifically: “Operating system provider” does not mean a person or entity that distributes an operating system or application under license terms that permit a recipient to copy, redistribute, and modify the software.
Steam itself does age verification, which when you first boot a steamdesk, afaik it forces you to log into steam before you can do much of anything without some initial hackery. That said, once in there's nothing stopping them from launching into desktop mode, launching firefox, and watching pr0n that way.
Sadly the solution is still for parents to do real parenting, but that's like saying stupid people shouldn't breed.
As a dad of two younger kids (7 and 10), I have been incredibly frustrated with the way age restrictions are handled across various services.
Really, my main complaint comes down to: I completely disagree with what these services choose to restrict for kids and what they allow.
They block my kids from doing things I have no problem with them doing and they allow things I would never want my kids to do in 1000 years. It is incredibly frustrating.
Often times, there is literally no way for me to bypass some stupid restriction they put on my kids, so the only way I can get it to work is to help my kids lie about their age… and at that point, I lose the ability to actually block things I care about.
These laws are just going to make it worse. I don’t want someone else choosing how I control what my kids do. Give me tools to control it myself, and you can choose some presets for parents to use, but don’t force me to use your definition of age appropriate.
> I don’t want someone else choosing how I control what my kids do. Give me tools to control it myself
I agree. Parental controls have been the norm for thirty years. The adult who owns the device should have control over it, not Microsoft or California.
Honestly, I don’t have a perfect answer. It really depends on what the service is.
My main thing is I want to be able to opt in or out of various filters. I don’t mind if my kids want to listen to music that has swear words, but I don’t want them watching videos where they give horribly sexist pickup artist advice.
This isn’t just about what I feel is age appropriate, either. It is also about what I know about my kids.
My 10 year old hates scary things, and she gets completely freaked out when they show scary movie previews. I would like to be able to block those for her. On the other hand, my 7 year old is obsessed with scary things and I don’t mind if he plays zombie video games.
> My 10 year old hates scary things, and she gets completely freaked out when they show scary movie previews. I would like to be able to block those for her.
The difference between this and the usual "parental control" mechanisms is that what you're describing here is something the child wants to cooperate with, voluntarily. In which case, you don't need a mechanism that makes it absolutely impossible; you need a mechanism for helping them not see things they don't want to see. That's something some adults also want (e.g. tools for preventing oneself going to Facebook, or going to TVTropes for too long).
I'm as a big of a horror movie fan as you can find, and I'm completely dumbfounded by the jump scares marketing is allowed to show in trailers nowadays. IMO (coming from someone who is basically unaffected by jump scares), they've gotten more shocking in the past couple years.
The internet is too dynamic to build a working filter around. Perhaps just tools which help parents quickly and efficiently monitor their child's device usage would be best.
Do you want to alter behaviors or lock children in a gilded cage?
We did it despite the naysayers who faught us saying it "wasn't a big deal" and that this is the "best version of the law we could get". Never listen to the naysayers and compromise your principles to appease them, stay true to what you believe.
The California law has no age verification, identity verification, or surveillance. It is just a pretty simple parental control system, which only applies to devices whose primary user is a child.
What are they defining as an operation system? It’s a term that has fuzzy edges as a technical term, and given laws are usually piss poor at defining technical terms, I can’t see it being well defined in CA law.
I think there's a lot of proprietary stuff, from Google Play Services to Pixel specific features. A very significant stack of "modern" software layers are proprietary, even on Android.
Parental controls should be a client side option set by the user.
Sure, make it easy for users to do so, but it's a users choice.
Kids don't buy phones or computers, their parents do, and during initial setup, parents could choose "this pc is used by a child" option, input some override password to disable this in the future, and the phone could block whatever needs to be blocked.
The reason is simple: the pattern I see hints that there is:
a) money spent, to push through age-sniffing, and
b) it is happening almost globally.
I am not necessarily saying that all this can be singularized down to one
bribe-using company, be it Meta, Google or what not, or state actors becoming
beyond Evil. But just as the butterfly effect is used as analogy how a strong
wind can be created further downstream, I see the situation here VERY similar.
To me it is not confined to age-sniffing. Remember the sudden declaration of
war by the UK against VPN. This is in my opinion connected here. The goal is
not "protect the children" but instead spy more on people than before. A
gradual extension of this. And some companies and private interests will
benefit. See also the recent Palantir claim made against London aka "the major
is responsible for more robberies when he refused to obey to our rule". These
companies are greedy - and insolent.
And I bet that Microsoft employee who was sending PRs to all the linux distros (and systemd) will not bother sending apologies to them for wasting their time.
He isn't. Also never was (unless the CV lies that is).
As for what drove him instead.. I suppose we will never know.
All we can know for certain is that the whole thing felt _very_ inorganic and not like something a reasonable human being would just start doing out of the blue.
(Corporate) politics love plausible deniability, so maybe it was just inherently human randomness. I'm sure it was.
Please move along.
> The proposed amendment specifically states: “Operating system provider” does not mean a person or entity that distributes an operating system or application under license terms that permit a recipient to copy, redistribute, and modify the software.
Why should Linux be exempt? Linux lobbyists seem to be against the public good. It takes an AI agent 5 minutes to add this feature and then they add be good forevermore. And given that the software is open source, everyone can use the same library to be compliant. Belly-aching snowflakes…
1st amendment. There's a long history of carve outs around commercial products. But, if Linux devs (who aren't selling anything) went to the mat against this law, the government of California would lose and (at least part of) their law would be struck down.
The state should handle personal records, authentication, and age verification. Compliance should be as simple as implementing dead simple state provided interfaces.
What's depressing to me is just how self-serving all this is. The original bill was AB 1043. Who supported that, breaking with other tech companies? Why Meta of course [1][2]! Meta likes this because it pushes liability onto the OS providers. Guess who doesn't have an OS? Google's support is a little stranger given Android. It seems like AB 1043 also shifted liability to third-party app developers instead of the app store so, conflicting goals?
Likewise, you'll have Microsoft and maybe Apple pushing for Linux to be included for, again, entirely self-serving reasons. Microsoft is never one to miss an opportunity to benefit Windows.
All that's going on here is competing corporate interests. Likely nobody in power actually cares the actual end users.
As much as libertarians chafe against it, I think we've demonstrated that something has to be done in relation to children online. Advertising to children, harmful impacts of social media, cyberbullying, addictive behavior and selling the data of minors needs to stop. How we get there is unclear. Meanwhile, everyone responsible is just trying to limit and shift their legal liability and that's it.
Young children should be supervised when they access the internet.
Adolescents are not going to be defeated by such easily bypassed technical measures.
These laws are a trojan horse for control of the adult population. The relative anonymity and freedom of the internet is a threat to those who spend their lives seeking power over others.
A better question - how do you imagine age verification is going to protect children from being groomed? Age verification will force services to assume everyone is a child until proven otherwise. Now it will be harder to tell adults and children apart online. Next, adult content will be harder for adults to acquire, pushing people into black markets, where illegal content will be easier to find.
I appreciate that people are concerned for their children, but we can't keep signing away basic rights and freedoms just to allay parents' anxiety for another few years.
There are so many low-hanging fruit to choose from if you want to protect children online, so it makes zero sense to start with the option that deprives every adult of their rights.
When I hear that people own cameras, what I hear is that people are okay with children being harmed for the sight convenience of the freedom to create photographs. Let's just be honest about how we're calculting things: You think living without a camera, which is how humanity has lived for 99% of its existence, is worse than children being groomed.
I have 7 grandchildren with the oldest being 10. My daughters are very strict about not providing their kids with devices that have internet access. The only one of the 7 who has a phone has a flip phone with no internet access. There simply is no reason to provide young children with access to the internet.
The only thing server, platform, website, service providers should be doing is setting an RTA header if the content could possibly be adult or user-contributed content that could dynamically become adult, moderation aside. This knocks out two issues with one fix. Small children don't see much if any adult content and they are kept off social media until the admin (parent or legal guardian) approves it.
If a site is not adding the RTA header then progressively fine them into oblivion. If they accept the fines as the cost of doing business then seize everything and put everyone in GenPop. An intern could enable the header in 5 minutes.
All legislation regarding age verification must revolve around this otherwise people must reject it as an abusive form of tracking and privacy invasion. The focus should be on small children as teen share porn, warez, movies and such within Rated-G games.
[1] - https://news.ycombinator.com/item?id=47950091
Instead, the default should be, that if there is no header or it cannot be parsed, then the content is unsafe. And if there is a header, it describes the page rating, like what kind of dangerous content it may contain. The header may be added to any displayable content like HTML, text, images, audio or videos, but not to machine-readable content like JS files or AJAX responses.
So only those who wants their site to be accessible by minors, have to add headers. For social networks, the user might have an option to mark his content as "safe".
This means that with my proposal existing site operators need not to do anything to mark their sites as "unsafe" - all sites are "unsafe" by default. This means that millions of site operators need to spend 0 dollars to adapt their sites. How great is that?
The browser on a device with parent mode, should not allow displaying any content which doesn't have a header or that is marked as unsafe, or that contains header with invalid value. The parents may whitelist some sites.
There should be a reponsibility for intentionally marking unsafe content as "safe". We should also think what to do with foreign operators, intentionally putting invalid headers for unsafe content. Maybe they should be added to some kind of blacklist that the browsers would periodically update.
Search engines like Google could work by default in "safe" mode, but add "unsafe" header if the user wants to turn off restrictions.
> If a site is not adding the RTA header then progressively fine them into oblivion.
I think my proposal is better because it requires only fining those who intentionally misrepresent content safety.
I'd actually go somewhat further though and ask whether it's a good idea to even do this via web pages at all. We have a great potential system for this already: DNS. Do something useful amongst all the ridiculous vanity and spam TLDs for once and set up a ".kids" gTLD, or ccTLD for that matter so that different countries can set their own regulatory standards naturally (ie, .kids.us, .kids.uk etc). Domains could also be used for some broad buckets for people who don't want to drill in, ie, .1-6.kids, .7-12.kids, .13-17.kids, or whatever is deemed appropriate, but simple age brackets that would offer some sane defaults. 1-6 could simply not allow any ads, user generated content or algorithmic feeds whatsoever for example. There are a lot of knobs to turn. And then at the registry level it can be ensured from the get-go that anyone getting a .kids domain is fully identified, located in the country in question, has valid ID, has specific credentials or is an accredited organization, or whatever other criteria makes sense.
But ultimately the point would be to create something that is built right from the ground up, and in turn that doesn't interfere with what has already been built at all. Something that can also be worked with at the gateway and thus cover every device on a LAN, and for that matter can easily be plugged into the vast number of powerful tools we have for working with that stuff. It'd be easy to put a nice UI on all this, even to make it higly automated. For example, have a setup wizard where you enter children, put in date of birth for each, and it'll spit out a password for each one. This then auto-provisions the network such that each kid has their own VLAN (password for PPSK or even wired connection) and is automatically limited to the domain groups of their age bracket, which then changes as their age changes.
Parents should be able to dig further in and get more granular with content categories, metadata for which could be required for anyone hosting a site within that domain, but I think there is the potential to make something both pretty bullet proof and pretty accessible, using existing tech stacks, and without impinging on the present internet at all including privacy and anonymity.
Parents today can accomplish what you are suggesting by installing parental control software and only allowing access to things they explicitly approve.
This can also be done via headers explicit blocking of all the things and was suggested in another thread. [1] Some people liked the idea.
[1] - https://news.ycombinator.com/item?id=47952999
That said, outside of the merits of this approach, I am dubious of any actual implementation given 2 points.
1) Protecting the youths will always be a leaky bucket. With disadvantaged youths possibly more at risk. Those exposed to non-compliant parents ("cool" parents who are ok with sharing unsuitable content) or lacking strong parental involvement, likely won't benefit a great deal from any implementation.
2) Anti privacy social networks stand to gain the most from targeting ads utilizing signals from most child safety acts. They also might be able to reduce some costs from moderation if they can make it someone else's problem. I'd argue the net social impact from these social networks is likely both more normalized and strongly negative for our youths than any smut.
On the balance I'd say we are better off investing our energy in other places.
Or simply parents who won’t agree with whatever the government thinks is suitable for their children.
We already have parental control on all mainstream operating systems, why cannot this simply be the responsibility of the parent as are so many other things regarding what children do, watch, eat etc?
Adding a header to a web server or load balancer or app server if done globally can be done in a minute or two. Maybe 5 minutes for the intern not counting QA testing.
But you are right, the inverse is easier. I like that too. That was debated in the other recent thread.
[1] - https://news.ycombinator.com/item?id=47950091
[0] I also know home-schooled people whose parents are far better than any teacher I've ever had and whose education and achievements reflect that obvious fact. Home-schooling itself isn't the issue, and I'd prefer that it remain possible.
The potentially all-powerful government shouldn't know:
- what vices a person has
- what religion a person has or doesn't have
- what porn you watch
- what alcohol and drugs you buy
PERIOD.
All of these things can be exploited. To control jobs, to control finances, to extort influence, etc.
The government shouldn't be able to catalog those things in a database for later misuse.
The government shouldn't be able to install friction or barriers that make it easy to cordon off and kill these things at a later time.
"Think of the kids" can go to hell. Nobody's having children anyway.
This is a very real (not logically fallacious) slippery slope right into the pages of 1984.
Would it be acceptable for a private company to own this information? Perhaps sell it to others?
This broad rejection without good reasons is borderline sociopathic. ... and parental control is not the gov raising anyone.
- keeping class sizes small - keeping class within similar development range ( AP with AP. short bus with short bus )
None of it is a secret, but government can't (edit:or won't) make it happen. Hence regular people just doing the best they can within the system at their disposal.
Eg "if you ban cellphones in schools then average test scores (on tests like PISA) will substantially improve". Or something else like that.
>This broad rejection without good reasons is borderline sociopathic.
It's sociopathic to not want the people in control to constantly make up new arbitrary rules? I guess we just need a few more Patriot Acts and Snoopers Charters.
What it fails to account for is that today's internet is qualitatively different from the pre-social-media, pre-smartphone internet. The vast majority of the internet audience, too, is qualitatively different. Incentives are misaligned for an average parent who might want to keep a tight leash on smartphone internet access for their kids, when attempting to do so will generate fierce opposition from their kids and leave them socially out of the loop.
Maybe we should teach parents how to be parents instead of imposing draconian age checks (read: mass surveillance).
The first example is bad, the second is tolerable.
But the reason most kids don't smoke is that the parents and the teachers instilled in them that it was bad. If a kid wants to smoke or drink, they can surely get an older friend or a friend of a friend to sell them the cigarettes or alcohol. Anyone can buy 20 bottles of hard liquor and 50 packs of cigarettes, sell them to a 15 year old who can then sell them to their friends. That doesn't happen often not because a surprise police raid will show up and bust the seller but because there isn't enough demand. If there is demand from the kids and the parents don't care, kids will get their hands on drugs. Maybe not 9 year olds but certainly the teens.
That data leaks out is always a given. So, gather less data. Ideally none. But this is not a discussion about data. This is a discussion as to what state actors think they are allowed to do. It is an attack on private life of people. See the combined strike against VPNs.
Obligatory XKCD: https://xkcd.com/2521/
It is like negotiating with a terrorist that wants to kill you and this is his starting position and then he wants to agree on some compromise, like seriously beating you. There is no negotiation.
but... I would also like to keep my kids from seeing the very worst of the internet before they're ready to handle it. I tried using a PiHole but Firefox DNS-over-HTTPS nullifies that now. It's not realistic for me to be watching over their shoulders 24/7; what can I do to keep them away from stuff 99% of people agree isn't for children to see, without something like this?
If the childs account is not able to gain admin privs then their ability to change settings can be disabled.
I personally think this current version of the legislation is a good compromise. Tech workarounds are fine for the few of us that understand the relevant technology (though I have never bothered to compile DNS in my life and have no plans to do so in the future), but they are simply not practical for most people. Every time I hear someone suggesting this sort of thing I find myself tempted to say 'why worry about legislation? If you don't like what it mandates you can just write your own operating system.'
Of course this would not be helpful because writing your own OS is extremely hard beyond classroom/toy examples. And likewise, tech workarounds and even parental controls are hard for most consumers - partly by design. I have an xbox console and have been trying to figure out why it keeps freezing on certain apps for months now. I suspect a telemetry problem but it's just a guess, there isn't really any way to look at logs so it's a trial and error process because most consumer hardware/application vendors want their products to be black boxes.
I don't think it is a good compromise. It seems to cover the wrong use cases.
My use cases have nothing to do with children on any level. Why would I want to submit to government restrictions? That makes zero sense.
It's as if the right-to-repair-movement would suddenly be undermined by a lobbyist advocating how restrictions are great. Or Jackie Chan suddenly praising the sinomarxist mono-party.
Like no past generation could stop their kids.
Past generations absolutely protected their kids from cigarettes and alcohol. A gate doesn’t have to be 100% effective to have net benefits.
Some kids getting access to booze here and there with planning and coordination is different from kids walking into a liquor store or bar whenever they want.
1. https://en.wikipedia.org/wiki/Splitting_(psychology)
Here we talk about use cases for EVERYONE. I don't see how your use case is fine for me, because I personally do not agree with it on any level at all whatsoever. You believe in restriction. I don't. There is no common ground here.
> It's not realistic for me to be watching over their shoulders 24/7
Is this your job? At which age will you stop monitoring them?
> what can I do to keep them away from stuff 99% of people agree isn't for children to see
99%? Where do you get those numbers from?
Besides, what stuff anyway? Even then the issue isn't about your kids. It is about laws for EVERYONE.
Nothing. VPNs exist (including free ones), some of classmates will have unlocked devices, etc.
Next question?
How do you propose doing age restrictions for social media?
These are broadly popular. (And the evidence supports them.) They are happening. So the question is how to do it best. The project for reversing the consensus isn’t worthless. But it’s a long-term project that will have to bear fruit after these restrictions go into effect, if ever.
Voters are collectively deciding for all of our children. And there are absolutely group dynamics that require cooperation. It’s why rich communities ban phones in classrooms while in poor communities, the one family that tries doing it alone is probably going to be less successful.
Again, I’m not saying you’re fundamentally wrong. Just that this debate has been had and the polling is massively in favor of bans for under-14 year olds and strongly in favor for under-18s. (And to the degree I’ve connected with electeds, the folks calling in and writing were almost 100% one way. The civically-engaged electorate is practically at consensus.)
No harm in people reaching out to their politicians state and federal. The more people that bring it up the better. Let them know your childrens data will not be shared and when the data is leaked you will hold the politicians accountable.
https://webmasters.stackexchange.com/questions/140733/how-to...
They stop trying to put everything in a different category and treat RTA as the person under the age of consent must get approval from their parent or legal guardian. Keep it simple.
Google's doing that for them though.
Defining a new header isn't hard; the hard part is getting consensus and adoption.
Are today's videos beheading's without blood, with blood, with or without anguish, with nudity, without nudity, etc... After a while it gets out of hand.
It turned out the internet was too dynamic so the RTA header was created to just say "adult".
Correct. Until parent or guardian puts in password next to the text that says "Approve this site, forever."
You gave me an idea. Maybe there could be categories similar in concept to those that exist in corporate firewalls today that say things like:
- News Category (Known to be SFW)
- News Category (That may be NSFW)
- Child friendly sites
- Social media sites
... and so on.
This could be crowd sourced, ideally in a way that can not be gamed. The masses could flag/report false claims. That, or just keep it simple. ad-hoc input of permitted sites by parent.
The problem with defining categories is that artists will do their best to defy categorization. That has been the nature of art for as long as humans have been making art.
I think I know what you meant and sure we can keep it simple. Site is approved by a parent or it isn't.
Your cite is an earlier post of yours which says
> The one and only method I will participate in is server operators setting a RTA header [1]
and that cites a still earlier post of yours
> I stand by my repeated statements of how this could have been solved simply using an RTA header [1]
which finally actually cites¹ something that explains what the heck on RTA header is.
It would be quite a bit more reader friendly to cite https://www.rtalabel.org/page.php rather than make the reader traverse a linked list of comments to get there.
¹https://www.rtalabel.org/page.php
It's useful to contrast this with the various device-based mandates that have been created in order to get a sense of what legislators seem to be trying to do. With that in mind, a few points:
* What you are proposing allows parents to opt in via parental controls, but age assurance mandates (both device-side and server-side) tend to require positive action to enter unrestricted modes. In some cases (CA AB 1043, for instance), this is just a matter of entering your age. In others, you actually need to demonstrate your age via some technical mechanism.
* While many age assurance mandates focus on adult content, which is primarily consumed via the Web, others (e.g., Australia's Social Media Minimum Age) focus on social networking, which is primarily consumed via apps, so anything that is Web only will not be effective.
* Site-level granularity isn't really fine enough in some cases. For example, the New York SAFE for Kids act prohibits certain behaviors such as algorithmic recommendations when a user is a minor, but doesn't require blocking minor usage entirely. It's potentially possible to implement this with something like RTA, but it would have to at minimum be at much finer granularity.
Section VI of https://kgi.georgetown.edu/wp-content/uploads/2026/01/Age_As... goes into quite a bit more detail about various architectures (disclaimer, I'm an author).
None of this is an endorsement of age assurance techniques; I'm just trying to help flesh out the situation.
> All legislation regarding age verification must revolve around this otherwise people must reject it as an abusive form of tracking and privacy invasion.
It's a bit late for that, given that around half of US states already have some kind of age assurance mandate.
Perhaps late to solve this globally but parents can still install parental control software if they so desire and can still intervene locally to prevent sharing data with 3rd parties. At worst this means small children might not get to visit social media and other assorted sites and I am fine with that. I think a number of parents would be fine with that as well.
Sites can voluntarily label as some do. It just means that parental controls would have to default to blocking everything until approved and while sub-optimal maybe that's what people will have to do in order to avoid the evil pattern of sharing data with all the websites that will ultimately leak, or "leak", be sold, stolen, etc... Good parents will not participate in the evil patterns of sharing their children's personally identifiable information.
When the PII of children is ultimately shared with evil people the children once adults will resent their parents for not protecting them.
- To all parents here, your children have no idea what risks are out there including devious companies that want their data. They will one day be adults if all goes well. Protect your children as corporations and governments will not. They will thank you when they find out all their friends data was shared, leaked or otherwise abused forever.
Certainly parents can install parental control software, but what does this have to do with children's PII being shared with sites?
Just so we're on the same page, the way AB1043 works is that the OS determines the user's age and then shares the age bracket with apps. No PII is shared with sites (this is not to say that the age isn't sensitive, but it's not PII as usually regarded). Is your concern here that sites get access to children's information because children visit certain sites regardless of legislation? That's a real thing, but it seems mostly orthogonal to age assurance.
The parent can block or just never approve all the sites that require PII.
but it's not PII as usually regarded
We will never agree here. All the companies I worked for financial considered any attribute of the person to be PII, even their IP address. We were audited very strictly on this. If a users age was disclosed to a third party without their written consent that was a contract violation and came with severe monetary penalties. Parents should expect this to be the minimum standard. It's their children, not the corporation or governments children.
Again, this isn't an endorsement of these mandates; I'm just saying that what you're proposing here doesn't address the objectives that policymakers who are in favor of these mandates are trying to achieve.
B) How would your RTA header intersect with content rating in different jurisdictions? What if the content is illegal for children in Turkey but legal for children in Kentucky?
For topic (B) companies can set or not set the header based on GeoIP. Not perfect but GeoIP is already used in load balancers, web servers and applications.
For (B), your proposal requires the website have a database over current rules in every country they would be accessible from. Would a website then, in your opinion, be responsible for the accuracy of this database? We have to presuppose an official GeoIP source that would then be legally binding and under democratic control, but given such a database, would a website serving a wrong header to an IP associated with a specific country then be committing a crime in that country? What would the punishment be?
For (B) this is already a thing. Porn sites and already doing this. Instead of blocking a region I am proposing to stop blocking and instead the law permit them to just add a header. The only people I can imagine apposing this are commercial VPN providers.
I think a better example might be places like polymarket (not allowed to operate in us) or usatoday (serves an EU only version with no cookies). The technical limitations on those systems are both GeoIP as far as I'm aware, and that seem sufficient for regulators.
What I find more interesting is that what you want is within the scope of this law. It's only required that the operating system takes in your age from an admin, from there the application (user agent/webbrowser) is supposed to handle the blocking, which it could do with a header as you suggest.
I will note that you are going to find a lot of libertarians that would oppose banning GeoIP circumvention.
An intern could also just delete the product which would also "solve" this "issue". The fact that it's easy or cheap is not significant to the problem at hand.
> should be doing is setting an RTA header
Many sites will just set the header by default. Now you've created a problem.
> then progressively fine them into oblivion.
This does nothing. See: Ofcom vs 4chan.
> device mandates
Mandate that the device provide an API for child protection software. Then it's up to individual parents to decide to install that software or not. Then we also get competition in this market rather than relying on whatever solution an intern cooked up one day.
Many sites will just set the header by default. Now you've created a problem.
I am not seeing a problem. Kids need not access those sites unless the parent or legal guardian approves it. Sites meant for children would not be adding the header.
[1] - https://news.ycombinator.com/item?id=47953096
Is Wikipedia "meant for children?" Should they be fully denied access to it? Should Wikimedia be fined if they make a mistake? If they get fined often enough do you think they'll just turn the header on everywhere in order to avoid risk?
Replace Wikipedia with any other mixed content site you prefer.
Add it to any site not specifically meant for children, that is totally fine.
[1] - https://www.shodan.io/search?query=RTA-5042-1996-1400-1577-R... [ Follow Links At Your Own Peril ]
- Browser detects header. Prompts for local password to access site.
- Child does not know password, picks a different site or begs parent for access.
- This is now between small child and parent. No third parties, no tracking, no telling website the users age, no local or remote API's sharing data.
- At some point if all goes well the child will be an adult and will thank their parent for looking out for them when all their friends data was sold and abused.
The problem is that the point is to root everyone's devices. Anyone explaining how easy this is would be pushed out of the conversation as fast as if they were advocating for single-payer healthcare.
edit: I've been advocating the nearly identical but opposite solution - restricted access sites shouldn't respond to requests that lack an appropriate age/content restriction header. If they do, jail them.
They're literally going to have to do this anyway. Rooting people's devices to force them to lie about their age when they install their operating system is an absolutely fake pretendy solution; the only way it works is if you have to verify your age with some government agency when you install an operating system, in order to make that OS age official. The point is the identification.
It's still a stupid unconstitutional law, but I see what the aim is, even without strawmanning it.
Did someone write California Internet legislation without consulting any California Internet companies?
Did some California Internet companies write California Internet legislation?
Did some other party write California Internet legislation?
It’s amazing how that one AI slop project that made this claim got so many people to believe this number.
Spreading this disproven AI slop around isn’t helping. It just makes opposition look like uninformed conspiracy theorists who can’t fact check anything.
https://captaincompliance.com/education/meta-is-spending-2-b...
I still get downvoted for pointing it out and trying to ground the conversation in facts. As you noticed the story continues to thrive on bad news sites and social media.
Meanwhile, while the overall writing clearly indicates the author has a very narrow view of "computers", the definitions of the terms is so broad that every computer, even the tiny embedded CPU in your microwave oven, might just need to ask your age before it allows you to do anything.
The bill is written 'do good, stop bad stuff by establishing a committee or group to make sure fund good stuff, bad stuff doesn't happen' then the law passes and lobbyists write the details that fund the programs that tax the people that generate the income for companies that donate to the politicians that sell their votes to the lobbyists and interest groups.
California politicians start with the end goal "maintain power, secure revolt, obtain capital, deny failure".
It goes beyond lying to your face. They will be convincingly genuine, heartfelt, while finding a way to extract as much as possible for themselves, by extension their party, by extension the 'government' and do absolutely anything to keep the illusion that you have a choice, a vote, and a voice.
I lived here my whole life. These politicians are evil. Lie, cheat, and steal - deny if caught, punish if provoked.
This is the classic "what we're trying to do is bullshit on a fundamental level so we're gonna just exempt random things until it becomes a niche issue and we can just do what we want and from there we'll just close all those exceptions over time" move.
Give it 5yr and you'll have idiots in the comments talking about how the "linux loophole" was a mistake and should be closed.
Source: history
If OSes that don't verify the age of their users are a genuinely unsafe for children, why should they be allowed just because they are open source? That doesn't seem to mitigate dangers associated with age in any away I can identify.
It's kind of a hard problem and legislators are inclined picking the lowest hanging fruit. Their primary concern is to not be smeared as child predators by their political opponents at the next election, eg "jwitthuhn voted to give gambling websites, pronographers, and pedophiles easy access to YOUR children - s/he OPPOSED age verification laws on internet sleaze!! Who's jwitthuhn really working for - you, or the people who want to exploit your kids?!!"
One can point out that such electoral pitches are dishonest bullshit until one is blue in the face, but the fact is they work on a lot of voters because most of them are not smart and don't have the energy or inclination to research every issue. And it is true that there are a lot of hustlers on the internet who are willing to either passively or actively exploit kids, and the anonymity, non-locality, and technical complexity of the internet makes that relatively easy to do and hard to prosecute. Legislators offer simplistic solutions because that's what a most of the public wants, and people often make their voting decisions based on emotional factors rather than cold rationality.
You don't need mustache-twirling villains saying 'let's impose burdensome techn regulations that perpetuate oligopolies and allow me to make another trillion dollars, a few million of which I'll send your way, mwhahahaha' to get shitty legislation (which is not to say they don't exist). It will emerge naturally by default if other conditions are right.
Steam itself does age verification, which when you first boot a steamdesk, afaik it forces you to log into steam before you can do much of anything without some initial hackery. That said, once in there's nothing stopping them from launching into desktop mode, launching firefox, and watching pr0n that way.
Sadly the solution is still for parents to do real parenting, but that's like saying stupid people shouldn't breed.
Really, my main complaint comes down to: I completely disagree with what these services choose to restrict for kids and what they allow.
They block my kids from doing things I have no problem with them doing and they allow things I would never want my kids to do in 1000 years. It is incredibly frustrating.
Often times, there is literally no way for me to bypass some stupid restriction they put on my kids, so the only way I can get it to work is to help my kids lie about their age… and at that point, I lose the ability to actually block things I care about.
These laws are just going to make it worse. I don’t want someone else choosing how I control what my kids do. Give me tools to control it myself, and you can choose some presets for parents to use, but don’t force me to use your definition of age appropriate.
I agree. Parental controls have been the norm for thirty years. The adult who owns the device should have control over it, not Microsoft or California.
My main thing is I want to be able to opt in or out of various filters. I don’t mind if my kids want to listen to music that has swear words, but I don’t want them watching videos where they give horribly sexist pickup artist advice.
This isn’t just about what I feel is age appropriate, either. It is also about what I know about my kids.
My 10 year old hates scary things, and she gets completely freaked out when they show scary movie previews. I would like to be able to block those for her. On the other hand, my 7 year old is obsessed with scary things and I don’t mind if he plays zombie video games.
The difference between this and the usual "parental control" mechanisms is that what you're describing here is something the child wants to cooperate with, voluntarily. In which case, you don't need a mechanism that makes it absolutely impossible; you need a mechanism for helping them not see things they don't want to see. That's something some adults also want (e.g. tools for preventing oneself going to Facebook, or going to TVTropes for too long).
Do you want to alter behaviors or lock children in a gilded cage?
… doesn’t that excuse Android and possibly XNU, too?
I think we have our answer.
Sure, make it easy for users to do so, but it's a users choice.
Kids don't buy phones or computers, their parents do, and during initial setup, parents could choose "this pc is used by a child" option, input some override password to disable this in the future, and the phone could block whatever needs to be blocked.
The reason is simple: the pattern I see hints that there is:
a) money spent, to push through age-sniffing, and b) it is happening almost globally.
I am not necessarily saying that all this can be singularized down to one bribe-using company, be it Meta, Google or what not, or state actors becoming beyond Evil. But just as the butterfly effect is used as analogy how a strong wind can be created further downstream, I see the situation here VERY similar. To me it is not confined to age-sniffing. Remember the sudden declaration of war by the UK against VPN. This is in my opinion connected here. The goal is not "protect the children" but instead spy more on people than before. A gradual extension of this. And some companies and private interests will benefit. See also the recent Palantir claim made against London aka "the major is responsible for more robberies when he refused to obey to our rule". These companies are greedy - and insolent.
As for what drove him instead.. I suppose we will never know.
All we can know for certain is that the whole thing felt _very_ inorganic and not like something a reasonable human being would just start doing out of the blue.
(Corporate) politics love plausible deniability, so maybe it was just inherently human randomness. I'm sure it was. Please move along.
Likewise, you'll have Microsoft and maybe Apple pushing for Linux to be included for, again, entirely self-serving reasons. Microsoft is never one to miss an opportunity to benefit Windows.
All that's going on here is competing corporate interests. Likely nobody in power actually cares the actual end users.
As much as libertarians chafe against it, I think we've demonstrated that something has to be done in relation to children online. Advertising to children, harmful impacts of social media, cyberbullying, addictive behavior and selling the data of minors needs to stop. How we get there is unclear. Meanwhile, everyone responsible is just trying to limit and shift their legal liability and that's it.
[1]: https://www.politico.com/news/2025/09/13/california-advances...
[2]: https://www.reddit.com/r/linux/comments/1rshc1f/i_traced_2_b...
Adolescents are not going to be defeated by such easily bypassed technical measures.
These laws are a trojan horse for control of the adult population. The relative anonymity and freedom of the internet is a threat to those who spend their lives seeking power over others.
I appreciate that people are concerned for their children, but we can't keep signing away basic rights and freedoms just to allay parents' anxiety for another few years.
I hope you are never, ever in a position to set any kind of societal policy.
I repudiate your statement that "We certainly need surveillance".
If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful. Note this one:
"Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize. Assume good faith."