[dathinab]

> Age verification at the OS level makes no sense to me.

it's the only form of "age verification" which can be done in a somewhat privacy respecting way (as in at most leak the age)

the idea is to "bounce back" the "is old enough" decision to parent controls and let the parent choose (the Californian law doesn't quite do that perfectly, but goes into that direction)

and if you sell what is more or less a general purpose compute/internet access device with OS (which I do include phones into) I think it's very reasonable to either sell it to adults only (with a disclaimer it's "not for children") or include proper parent controls

> Most households aren't going to have a separate device for every family member

in current times in the west it is very very common for many devices to be for one person only. Especially phones, or at least have different (OS) accounts.

but again this comes back to "parent controls", weather that is for a child (OS) account or a way to switch from a child profile to a adult profile doesn't matter

but in the end, the point of such laws should be to give parents tools to parent. As well as handling the case of parent acting in neglect by inaction. But if a parent intentional decides to give their children a device with their profile because they think it's fine than that should be their choice and responsibility.

> Likewise, people generally won't create a separate account for every potential user.

where it was possible I have not seen it not used, weather it's on a switch, gaming console or PC. It is the most convenient way of automatically separates logins, browsing history, game safes etc.

and the law als isn't made for that shared computer in the living room (through it will apply there). It's more about the devices children might use unsupervised, e.g. their phone.

[lyu07282]

That's why Meta paid for these os-based age identification laws[1], shifting the responsibility from itself onto the app stores. I agree it's probably preferable to do it on device instead of every website implementing an id check through shady as fuck[2] third parties like Persona. This whole thing is just such a mess though, people rightfully distrust everybody involved, all these bought and paid-for politicians. All of a sudden we have the same laws popping up all over the place, US, UK, Australia, Brazil, ... Nobody, not a single person involved gives a fuck about child safety. It's different billion dollar lobbies fighting amongst each other, each with different monetary incentives.

You know what they should do? They should scrap it all, no more "child safety" laws until we kicked money out of politics. Western liberal democracy is in a corruption and legitimacy crisis, this is just it's latest symptom.

[1] https://www.yahoo.com/news/articles/reddit-user-uncovers-beh...

[2] https://cybernews.com/privacy/persona-leak-exposes-global-su...

[dathinab]

> They should scrap it all, no more "child safety" laws until we kicked money out of politics.

the current state has been close to that, and is co-associated to be a related to many existing issues wrt. to children/mental health/child safety (I very intentionally use co-associated instead of correlated, and definitely not root cause)

you could say law makers of many countries have given the industry ~30 years time to self regulate and come up with something acceptable by themself

The industry didn't. Now they have to regulate, it's their job and responsibility to do so :(

(but it's also their responsibility to not listen to highly malicious/biased lobbyist trying to hijack it into surveillance laws!)

honestly to some degree the industry still has a short time frame to fix it themself, provide an acceptable solution which can mostly work internationally (by having localization in it) and pitch that to the EU and US states not having yet decided on age verification laws, so that the few which already have some bad laws are pressured to change course

Through the problem is many non-cooperate entities instead insist it's all nonsense and there is no problem and companies like G, MS, Meta etc. have little interest fixing the situation. A misguided, hard to implement age verification law creates a legal moat to hinder smaller competing companies...

we have seen the same with the EU AI act, it's general outline is very reasonable especially if base that assessment on the corner comments. But thanks to big tech lobbyist hijacking it it became a economical/regulatory moat catastrophe (in the details and the parts which have not yet taking effect, not in every aspect).

[johnisgood]

Or just not have it at all? What is wrong with parental controls AND parenting? What real issue does this solve?

[Bender]

What is wrong with parental controls AND parenting?

Nothing. This has never been about protection of children. It is tracking real identity from every source to every destination otherwise known as user-tracking. If this was about protecting children they would require an RTA header on all adult and user-generated content sites and require the most common user agents to look for that header if parental controls are enabled. No tracking, no uploading anything. [1] Sufficient for small children which is more than we have now or will ever have thanks to corporate greed and lobbying.

[1] - https://news.ycombinator.com/item?id=46152074

[dathinab]

> It is tracking real identity from every source to every destination otherwise known as user-tracking.

except this is not true at all

yes there are people which try to systematically hijack child protection laws all the time for stuff like that

but e.g. the californium law is very clearly intended to avoid exactly that (that= tracking real identity)

> they would require an RTA header

they are politicians focused on law making, they have no idea what an "header" even is!

A politicians job is to identify issues consult people with expertise, propose a solution based on this people feedback and then listen to feedback, including from other groups. If they need to know what an HTTP header is and how that works something went really wrong.

But this is also where things often do go wrong, by a) dishonest and outright malicious consulting telling politicians bullshit, b) politicians having a over the top simplified understanding of a topic and think that it's still suited for extrapolating things from it leading them to nonsensical outcomes.

And if then large part of the industry which do care about non abusive solutions loudly refuses to provide any solution and denounce anyone trying to do so you are basically opening even more doors for anyone with malicious intentions. Which is pretty much the situation we have now.

Even worse not only do many people in the tech/hacker community not only not try to help with finding an acceptable solution they often outright reject that there is even a problem.

But there is a problem, a huge one even.

As just one dump example of many: it's currently harder for a teenager to get access to some wholesome soft porn then it is to watch potentially traumatizing and definitely not healthy content (weather it's violence, or certain forms of hard core porn(1)), or access sites/apps with gambling, prying on children, hate mongering, glorification of mobbing etc. etc.

And lets not forget most parents are non technical people, which means most of the reasonable usable and privacy protecting existing tools are not actually usable by them (and not available by default, and they can't reasonable evaluate which ones are okay either).

Also please don't say I grew up with a uncontrolled internet (~25-35y) and I am fine. Putting aside that the internet was very different back then. But also hardly anyone in that age range is truly mentally fine (for a lot of reasons, but that anyway makes it a pretty bad argument).

> RTA header

is insufficient, age isn't just 18+ or 13+. Through many media sites love to pretend that is the case

Furthermore this doesn't work for "feed" content as the server needs to know what to filter one before returning content.

But this is also the direction I have proposed in previous comments and not that far away from the direction the Californian law went to (but very much different to the UK law):

- provide a min. age category indicator for all content (most times by app, sometimes per-content in that app, sometimes per-origin per-content in that app (e.g. YT accessed through the browser). But this needs to be more complicated then 13+,18+ as categories differ by country and you should include tags and some other stuff.

- A parent control API which has a simple/naive default impl. but can be replaced with whatever parent think is right.

- A API to get the users age category (incl. localization, e.g. `us:13`). It needs explicit permissions and providers are not allowed to force it, every contents min-age-constraints still have to go through the parent control app. It's only for selecting content feed/preview. The specific content served might still be rejected by the parent controls! Using it for anything else should be made criminal illegal with personal liabilities for executives. (e.g. using it to try to sniff the exact age date of a person). A implementation which just serves `us:18` but then refused anything >13+ or similar must be treated as a legit possibility, the app must still work in general, but it might not have any further previews. Etc. Etc.

- The trust of age hints/evaluation is anchored solely in the parent controls, the setup of the parent controls is the parents responsibility. Any form of identification(2), AI face scans or similar as a requirement for setting up parent controls/not having a permanent 13+ account or similar _is strictly outlawed_.

- All sold products with preinstalled OS must have a default parent control app which is trivially to setup up in it's default setup and the default setup must only reqiore 1. localization (preset to current country if known, changeable), 2. age to auto adapt the age group where alternative the parent can set the age group, even through that means they have to change it in the future manually (needed for special care children). It also in it's default setup must not track/spy on everything the child does.

- Adult accounts still need compatibility with the APIs but will always provide 18+/yes content allowed.

- Products and e.g. downloadable OSes can decide to be "adult only", in which case their access must be guarded like any other adult only content (e.g. when you buy it) but in which case they don't need to support child accounts and can instead return hard coded 18+/yes content allowed.

(This is already the short(er) version :/, e.g. most countries have a 18-21 category, for many countries that category is only irrelevant for things anyway involving a identification (e.g. signing certain contracts, doing certain jobs), but e.g. the US relation to alcohol is an exception).)

---------

(1): And I don't mean just a bit of soft bondage, but things which will lead to serious health issues long term and/or involve violence, glorification of violence, suppression, misogyn, implications of torture, rape, child abuse or in case of drawn/generated content non-implications and even snuff.

(2): There can be some acceptable ways, e.g. a clerk checking your ID IRL, without recording anything except yes/no. Digital ID setups which only communicate adult yes/no without identification etc. But given that all relevant devices tend to be too expensive for children to buy them themself and you also should trust your child if it approaches adulthood (and might have the money) I don't think anything like that is really needed. In general this should focus on efficient solutions for age group <16. IMHO if you still need parent controls for 16+ you messed up parenting.

[Bender]

A API to get the users age category (incl. localization, e.g. `us:13`). It needs explicit permissions and providers are not allowed to force it,

An API actually means that more and more details about the user will inevitably be added with time. This is a user-trackers dream come true. No thanks. One static header, done and dusted.

But this needs to be more complicated then 13+,18+

I will never agree with this nor will most people. Content is either adult or not adult. That is how existing parental laws are structured in most countries. The parent must decide if the child is ready to view content that is rated anything other than "G". The parent decides, not some app, not some API.

A child account on a tablet, phone, laptop need only prevent tampering with browser settings and by default enable parental controls which in turn simply look for an RTA header or any other indicators that the site or content is adult or user-generated in nature. Keep it simple. If people wont enable looking for a header then the only reason they would go far further and screw with an API would be if it were to the benefit of evil. (marketing, sales, manipulation of the child, manipulation of the parent).

[dathinab]

> An API actually means that more and more details about the user will inevitably be added with time.

with that logic you could also argue a computer means more APIs will be added over time

especially if it's a law mandated API which doesn't allow any additional thing this really isn't a problem

> I will never agree with this nor will most people

except overall (at least outside no HN bubble) most people would disagree with you, actually the huge majority of parents and children affected by that would disagree

Treating a 16 year old like they are 13 is just completely absurd.

Expecting parent to make decisions about every single peace of content (website, YT, video) their child, even if older, watches without providing any guidance and defaults is not practical at all and due to that is guaranteed to fail.

To be frank you comment is completely quixotic, lacking any relation to the reality most parents live in today.

[KyleTheDev]

Random person jumping in to say, the original comment from 'Bender' is what is agreed with by almost every human I've spoken to. It is most definitely the take of every parent in my social circle, the vast majority of whom are outside of the tech space.

The issue you're describing is strictly one of parenting, and not one that can or should be handled via some government agency. Their (Bender's) suggestion is actually the best that I've seen for handling this issue, and the only one I believe those I know would all happily agree with.

On a side note, this entire comment of yours is very unhinged. I'd wager you're far far far from being aware of the 'reality most parents live in today', based off of what you've said here.

[weikju]

> Or just not have it at all? What is wrong with parental controls AND parenting?

It doesn't hand over control of computing to governments

[MintPaw]

It solves the problem of your kid borrowing a phone from another kid at school.

[fc417fc802]

Does it though? Unless all countries unify their laws regarding this matter it will fail in the same way that blacklist filtering does.

Also I'm not convinced that borrowing a device presents a new or different failure mode. Children could always obtain physical contraband from their friends so nothing has changed here.

[dathinab]

no it doesn't

also doesn't need to IMHO

it solves the problem of it being too trivial for a 12 year old to access content which at best is quite problematic and at worst outright traumatizing

as in, the same reason we have laws that a clerk glances at the age on you id if you look young and buy alcohol but your parent are still allowed to let you drink with them if they think its right (or what a 16+ movie with them etc. etc.)

this is also why it really shouldn't be anything much more fancy then parent controls checking min age of content locally / indication of age for feed fetching. Everything else is disproportional (unrelated from all the other issue it might have).

[ymolodtsov]

Ideally, they'd require OS (desktop and mobile) to have an adult mode and a restricted mode (set up by the adults when they buy the device), and then let third-party apps confirm the status (e.g., age) in the latter case. Then you have minimal privacy issues and many parents actually want something like this.

[dathinab]

yes pretty much

[hulitu]

> it's the only form of "age verification" which can be done in a somewhat privacy respecting way (as in at most leak the age)

could. But Google, Microsoft and Meta do not want to do it this way. They want to sell your personal data, the more, the better.