[idle_zealot]

> Instead, the service should be telling your device the nature of the content. Then, if the content is for adults and you're not one, your parents can configure your device not to display it.

That makes sense for purely offline media playback, but how could that work for a game or application or website? Ship several versions of the app for the different brackets and let the OS choose which to run? Then specifically design your telemetry to avoid logging which version is running?

You'd also not be reporting your age, you'd be sending a "please treat me like an adult" or "please treat me like a child" flag. That's hardly PII. More like a dark/light mode preference, or your language settings (which your browser does send).

[AnthonyMouse]

> That makes sense for purely offline media playback, but how could that work for a game or application or website? Ship several versions of the app for the different brackets and let the OS choose which to run?

Suppose you had an ID requirement instead. Are you going to make two different versions of your game or website, one for people who show ID and another for people who don't? If so, do the same thing. If not, then you have one version and it's either for adults only or it isn't.

> You'd also not be reporting your age, you'd be sending a "please treat me like an adult" or "please treat me like a child" flag.

Except that you essentially are reporting your age, because when you turn 18 the flag changes, which is a pretty strong signal that you just turned 18 and once they deduce your age they can calculate it going forward indefinitely.

This is even worse if it's an automated system because then the flag changes exactly when you turn 18, down to the day, which by itself is ~14 bits of entropy towards uniquely identifying you and in a city of a 100,000 people they only need ~17 bits in total.

[gzread]

The alternative wasn't an ID requirement, the alternative was the client/OS sending the flag to the server/app.

[AnthonyMouse]

The fear is that once you have devices sending services a flag, some asshats are going to start demanding that it be verified by the government.

But how does that do anything for you either way? Either you have two different versions based on whether the flag is present or not or you have one version and if it's adults only then you have to send the flag indicating you're an adult in order to use it.

[gzread]

Browsers send a language flag to servers but I don't see anyone asking for a certification that you actually know that language.

[AnthonyMouse]

I don't see anyone asking that browsers be legislatively required to send a language tag without certification either.

[gzread]

Why mandate something that already happens?

[lavela]

The shifts between flags will correlate with date of birth though, or do you think someone turning 16 or 18 will wait a year or two to switch to more adult content for privacy? Also I'd guess the tech industry would push for more specific age buckets.

Games already have PG ratings and similar in different countries, I don't see the issue there. Web content could set a age appropriateness header and let browsers deal with it, either for specific content or for the whole website if it relies on e.g. addictive mechanics.

Applications is a wide field, but I'd be interested in specific examples where you think it wouldn't work.

[idle_zealot]

> Applications is a wide field, but I'd be interested in specific examples where you think it wouldn't work.

Sure. Take a game with voice chat. Child mode disables voice chat. How does the game, which presumably uses a load of telemetry, avoid incidentally leaking which users are children via the lack of voice telemetry data coming from the client? It's probably possible, but the fact is we're talking about third party code running on a computer, and the computer running different code paths based on some value. The third party code knows that value, and if it has internet access can exfiltrate it. In that sense, if there's an internet connection, there's not a meaningful difference between "the OS tells the service/app your age rating preference" and "the OS changes what it displays based on your age rating preference."

Though while I'm throwing out fantasy policies we could solve this by banning pervasive surveillance outright.

[AnthonyMouse]

You're assuming that everything not mandatory is prohibited. If the device is required to provide every service with the flag, every service gets the flag, even if it contains no adult content or adult content that the user agent could display or not without the service having a way to know about it.

The service would then have to deduce the information instead of getting it explicitly and may be able to do that some of the time instead of all of the time, which is an improvement. And then people can work on anti-fingerprinting technologies with the premise that if they succeed it actually does something, instead of the information being required by law to leak to the service.

[l72]

Games already have ratings. Every app submitted to the App Store or Google Play is rated.

90% of an R rated movie might be ok for a 12 year old but those one or violent or sex scenes makes it R. Should we be rating every scene in movies?

Give parents general guidance and let them define the controls.