[mindslight]

> A ZKP will work as a base, but the proof mechanism will have to be combined with anti-user measures like device attestation to prevent things like me offering an API to continually sign requests for strangers

Spot on! The "technical" proposal from Google of a ZKP system is best seen as technically-disingenuous marketing meant to encourage governments to mandate the use of Google's locked down devices and user-hostile ecosystem.

The only sane way to implement this is to confine the locked-down computing blast radius to the specific devices that need child protection, rather than forcing the restrictions onto everyone.

[digiown]

I'm not sure what I feel about depriving teens of general purpose computing devices, either, which is the logical consequence of both the pseudo-ZKP scheme and parent's "underage signal". I believe most of us here learned programming through being able to run arbitrary programs, and that would never have happened if we only had access to locked down devices. And that habit of viewing computers as appliances controlled by other people isn't going to go away on their 18th birthday either.

Overall I think while there is a reasonable argument in favor of age verification for some types of sites, the harms of implementing it would drastically outweigh any benefits that it should not be done.

[mindslight]

Sure, I'm sympathetic to that idea. The point is that it leaves such a decision up to parents, putting non-locked-down computers in the same position as any other potentially-harmful thing you might want to keep away from your kids.

Keeping parents in control also lets them make decisions contrary to what the corporate surveillance industry can legally get away with. For example we can easily imagine an equivalent of Facebook jumping through whatever hoops it needs to do to target minors, perhaps outright banned various places but not generally in the US. If age restrictions are going to be the responsibility of websites, then parents will still have been given no additional tools to prevent their kids from becoming addicted to crap like that.

Shooting from the hip about the situation you describe, I'd be tempted to give a kid a locked-down phone with heavy filtering (or perhaps without even a web browser so they can't use Facebook and its ilk), and then an unrestricted desktop computer which carries more "social accountability".

[digiown]

I think banning facebook/instagram/etc is one of the special cases where it makes more sense to be enforced by the site, because people use these out of mainly peer pressure and network effect. If a majority is kept off, the rest have little use for it regardless of their personal wishes. Heck, I'd reckon most kids don't actually want to use them all that much. Regardless of technical details, giving parents this control will also cause a lot of resentment if most parents don't go along.

As opposed to censoring internet content in general, which does not work because there will always be sites not under your jurisdiction and things like VPNs. I don't support any such censorship measures as a result.

[mindslight]

But why not both? I'm coming from a USian perspective here where I don't see much possibility of actual widespread bans of these types of products, rather just a retrenching to what can be supported by regulatory capture.

Also, we're getting the locked down computing devices anyway - mobile phones as they are right now are a sufficient root of trust for parental purposes. So it seems pointless to avoid using that capability (which corpos are happy to continue embracing regardless) but instead put an additional system of control front and center.

[digiown]

> don't see much possibility of actual widespread bans

Why do you think there would be regulation to honor the "underage signal", but not explicitly ban social media sites for "unverified" users?

> seems pointless to avoid using that capability

It's not pointless, because relying on it will soon make these locked down devices mandatory for everyone under 18, and they will keep using it past 18. Everyone will lose general purpose computing, along with adblocking and other mitigations that protect you from various harms. It also leads to widespread surveillance being possible as parents will want to be able to "audit" their teen's usage.

> put an additional system of control front and center

The problem should be controlled at the source, not the destination, if feasible.

[mindslight]

> Why do you think there would be regulation to honor the "underage signal"

Our ancestor comment still has the direction backwards. This is the specific dynamic that makes sense to me: https://news.ycombinator.com/item?id=47027738 .

This means any legislation should be aimed at directing device manufacturers to implement software that can respect content assertions sent by websites.

> relying on it will soon make these locked down devices mandatory for everyone under 18, and they will keep using it past 18

Okay, but in 2026 we're basically at this point. Show me a mobile phone that doesn't have a bootloader locked down with "secure boot." For this particular threat that we had worried about for a long time, we've already lost. Not in the total-sweeping way that analysis from first principles leads you to, but in the day to day practical way. It's everywhere.

The next control we're staring down is remote attestation, which is already being implemented for niches like banking. The scaffolding is there for it to be implemented on every website - "verifying your device's security" - I get that on basically everywhere these days. As soon as 80% of browsers can be assumed to have remote attestation capabilities, we can be sure they will start demanding these signals and slowly clamping down on libre browsers (as has been done with browser/IP fingerprinting over the past decade)

Any of these talks of getting the server involved intrinsically rely on shoring up "device security" through remote attestation. That is exactly what can end ad-blocking and every other client-represents-the-user freedom.

> The problem should be controlled at the source, not the destination, if feasible.

You've already acknowledged VPNs and foreign jurisdictions, which means "at the source" implies a national firewall, right?

Unless your goal is to undermine any solution on this topic? I'm sympathetic to this, I just don't see that being realistic in today's environment!