[sdrinf]

Counterpoint to peeps on this thread:

* This approach is the _most consistent_ with retaining anonymity on the internet, while actually helping parents with their issues. If any age-relevant gatekeeping needs to be made on the internet at all, this is the one I find acceptable.

* this is because the act very specifically does NOT require age _verification_ ie using third-parties to verify whether the claimed age is correct. Rather, it is piggybacking on the baked-in assumption, that parents will set up the device for their kids, indicating on first install what the age/DoB is, then handing over the device -a setting which can, presumably, only be modified with parental consent

* yes, there are edge cases, esp in OSS, and yes, it would be nice to iron those out -but the risk = probability x impact calculus on this is very very low.

* If retaining anonymity on the internet is of value to you, don't let the perfect be the enemy of good enough.

[Tyrubias]

I understand where you’re coming from, but I respectfully disagree with some of the points you made:

* It’s ambiguous how your proposed parental setup and control process would work for anything other than walled gardens like Apple’s ecosystem. On an OS like Debian, does that mean a child can’t have the root password in case they use to it change the age? Does that mean we need a second password that needs to be entered in addition to the root password to change the age? Will Arduinos and similar devices also need to be age gated?

* Those edge cases might seem small, but read broadly they would require substantial, invasive, and perhaps even impossible changes to how FOSS works. If the law isn’t changed and FOSS doesn’t adapt, this basically means the entire space will exist in a legal gray area where an overzealous prosecutor could easily kill everything.

* This is not a matter of “perfect vs good enough”, this is a major slippery slope to go down. Also, this doesn’t mean age _verification_ will simply go away.

[wtallis]

> On an OS like Debian, does that mean a child can’t have the root password in case they use to it change the age? Does that mean we need a second password that needs to be entered in addition to the root password to change the age?

No. You're still not quite internalizing that the California regulation does not mandate any verification or enforcement or protection of the accuracy of the age bracket data. It mandates that the question be asked, and the answer taken as-is.

Which means that many of the concerns about implementation disappear, because the setting really does not need to be anything more than a simple flag that apps can check.

> Will Arduinos and similar devices also need to be age gated?

Only to the extent that they are general purpose computing devices, have an operating system, are capable of downloading apps, and are actually used by children (since the enforcement mechanism requires a child to be affected by the non-compliance). And if an app fails to obtain age information but also doesn't do anything that is legally problematic for a user that is a child, then it's hard to argue that the app's ignorance affected the child.

> Also, this doesn’t mean age _verification_ will simply go away.

It will in California, until the law gets repealed or amended. Apps won't be allowed to ask for further age-related information or second-guess the user-reported age information, except when the app has clear and convincing information that the reported age is inaccurate.

[Okawari]

> No. You're still not quite internalizing that the California regulation does not mandate any verification or enforcement or protection of the accuracy of the age bracket data. It mandates that the question be asked, and the answer taken as-is.

That was my read of this as well. OS developers seems not not necessarilly need to make any effort here. Ask for an age as a number at account creation and let the user change it as they please at any given time.

This might be a dumb question, but what actually constitutes an "affected child for each intentional violation"? Violation of what? The text specifies that "A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched." Am I being negligent just for not checking the age, even if the application is unequivocally ok for all ages? And are children affected by my negligence in any way even though no one was hurt?

[cwillu]

That would seem to require that the act provide a shield against liabilities involving minors, which doesn't seem compatible with the notion that it's such a low-friction mechanism. A minor installs debian on a raspberry py, clicks “I am 23 years old and then an “adult dating” site isn't allowed to repeat the question?

If anything, this seems like a convenient path to mandating far more restrictive measures under the guise of “fixing an obvious loophole in the law”.

[packetlost]

There's clear liability put on the owner of the device, which cannot be a child, but the child's parent. The "Account Holder" definition and subsequent penalties make that pretty clear. The parent is ultimately responsible for locking down the child's account and inputting the correct information.

[hellojesus]

What happens when the child downloads a Linux iso and then live boots or overwrites the install? I have a hard time understanding how this law does not purposefully set the foundation from which they can push for actual ID verification.

[packetlost]

It's the parents responsibility regardless, they own the device and it's their child. This is exactly the correct way to do this, if you must.

[shakna]

> Only to the extent that they are general purpose computing devices, have an operating system, are capable of downloading apps, and are actually used by children

So my kid's micro:bit, running an OS she built, is eligible. As is half the esp-ecosystem.

[DarkmSparks]

Put that way sounds very sensible.

Hopefully it stays that way.

[kelvinjps10]

This will be as ineffective as current, are you 18 pop-ups

[pona-a]

Agreed. And if the same legislation was designed under the supervision of domain experts, it would be an HTTP header or envvar to indicate one of specified brackets, with recommended integration with applicable parental control system.

Instead it was drafted by people not understanding the difference between browser, app, and "OS", explaining the result.

[ocbyc]

What about servers inside AWS? Lamda instances are arguably operating systems. LOL. It's a mess!

[coaksford]

If they can get what they want from this, they will not stop after they get it. Even if the authors of the law want it to stop here, their successors will not, and will build upon this to erode privacy. When governments can change the deal effectively unilaterally, as is the case, you cannot make a deal with them that they cannot change, and you will have already surrendered the strongest argument against the next "deal" they want to unilaterally impose. Do not treat this as a deal to prevent further erosion, that is not what this is, treat this as an attack and attempt to advance against privacy and anonymity. Treating it as anything else is absolute gullibility.

[arcfour]

It's the software developers, it's the government's, it's anyone's responsibility but mine to parent my kids!

[bdangubic]

Bingo! Parents can be bothered with meaningless chores with all the other responsibilities they have

[kelseyfrog]

How many kids do you have?

[pibaker]

The average family size has never been smaller in the history of humanity, and yet only now do people feel so entitled to ask others not even in the same family to bear the responsibility of raising their children. I wonder why.

[hellojesus]

Two. It's trivial to set up mac-based allowlists on your router as well as domain allowlists. Use separate networks for devices kids have. Install root certs and log their activity to an llm to look for suspicious sites or content. Enroll their mobile devices in device management.

We have all the solutions necessary for this. Why implement something that gives away pii to everyone all the time for free?

[kelseyfrog]

The only problem? It's not trivial. The overwhelming majority of people don't have the technical literacy to do the same. That's why this idea is dead on arrival.

"They should" is not a viable response. This is a public health problem and people are legitimately saying the equivalent of, "just don't get sick."

[hellojesus]

I don't understand. Everything I mentioned one can learn with a little searching online in an evening. Do people really not have the self reflection necessary to ask themselves how they can go about solving a problem they have?

[kelseyfrog]

Yes. Regular everyday people are not capable of doing this due to tech illiteracy.

People are not saying to themselves, "I could figure this out and I'm choosing not to." They don't even know it exists.

Even if they did know local filtering exists, it wouldn't be effective. We have influenze vaccines and still, with their own lives on the line, hundreds of thousands of people die from the flu. The inconvenience is showing up at a Walgreens or CVS. They can't do it. We're expecting folks to understand mac and domain based allow lists?

Let me ask you this, if you asked your parents how they would secure their network for their grandchildren, that they would accomplish this solution on their own?

[themafia]

> while actually helping parents with their issues.

> that parents will set up the device for their kids

Are the devices parents are currently setting up lacking these controls? Is there no third party software which can achieve this?

Then why is it a crime with an associated fine for me to provide an OS which does not have one? How have I failed to "help parents with their issues?"

[wtallis]

> Are the devices parents are currently setting up lacking these controls?

It's an inconsistent mess.

> Is there no third party software which can achieve this?

No third-party software can force a standardized age reporting mechanism onto somebody else's platform and associated app ecosystem. A third-party unofficial age reporting mechanism is something that other apps are free to ignore. This law requires platforms to have a minimal but mandatory age reporting mechanism that apps cannot claim ignorance of and cannot decline to use in favor of an alternative age reporting mechanism.

> Then why is it a crime with an associated fine for me to provide an OS which does not have one?

Not a crime, just a civil penalty.

[iamnothere]

This is a bad law and needs to be repealed or struck down on 1A concerns. ASAP.

Repeat after me: you are never, ever, ever going to create an airtight system to force age attestation or verification. Your best opportunity (which will still have many gaps!) is to target only the largest consumer operating systems. This addresses 90% of cases and you have just three companies to deal with.

FOSS will never abide by this, because there will always be people writing and distributing it who are not in your jurisdiction. And, hobby devs will not accept having monetary liability thrust on them. They will move, go underground (pseudonymous), or quit and let devs from other jurisdictions take over.

Noncommercial FOSS must be exempted. Period.

[trinsic2]

So if it's an application that runs within the os that the parent enables and does not collect or send any personal info that sounds reasonable. But if has to be embedded into the OS that's going to present problems I can only imagine.

[chii]

> But if has to be embedded into the OS

that would be fine if the embedding means all applications can leverage this functionality - like how accessibility is embedded into the OS rather than per-app.

The only problem is if this embedding requires third-party verification (which i dont believe it is), or require some sort of hardware attestation to a remote server (so you cannot modify the OS to turn it off if you wish as a non-parent).

To me, flexibility and choice is paramount. The parents have the responsibility to monitor their child, and this tool should help when the parents opt-in for it. It should not be enforced on all computer users arbitrarily without a parental opt-in first.

[jollymonATX]

Impact calculus? Really?? OSS Maintainers do not have enough bs to deal with and now need to balance utter financial ruin to the state? No. Highly unserious take.