[Aurornis]

The only way to force sites to exclude children is to have them ID everyone.

This is why forcing each site to restrict access is a terrible idea. It’s a backdoor to destroying everyone’s privacy.

What we really need is for each of these sites to advertise its category or age targets, similar to how TV shows have a rating. Then end user devices like phones and browsers should have the option of setting parental controls to lock out those sites. Countries could mandate that parents set age controls on their kids devices if they way. No privacy violations needed.

The problem is we seem to be entering an era where politicians (and many individuals, evidenced by the comments on Hacker News) want much more extreme control over other people’s and parent’s activity. They don’t care if this requires we all surrender our rights to privacy and turn over identification to megacorps to talk to each other on the internet. They’re hell bent on controlling what other people can do or see on the internet and they think these laws will surgically do that in their favor, often with the assumption that their own websites and services will be kindly exempted.

Yet we’re already seeing these laws or individual companies trying to get ahead of laws extend beyond what people thought the targets were going to be (TikTok, Facebook, Instagram) and into services most people use like YouTube, Reddit, and Discord. Everyone hates when this starts happening to them. It’s really scary that so many people are welcoming these heavy laws without stopping to think that they might be a bad solution because they never imagine it applying to themself, only to other people they want to control.

[padjo]

Is that the only way? It seems conceivable to me that you could have some sort of publicly run infrastructure that asserts your age is above some threshold without sharing your identity. So long as that system recorded no log of who asked it for assertions about whom then I can't see an objection to age verification.

[Aurornis]

> long as that system recorded no log of who asked it

Two problems with this:

1. Any system which is anonymous becomes trivially abusable. A true anonymous system with no records kept means a single stolen or leaked ID could be used by everyone, defeating the system. You can try to search for and block leaked IDs but that doesn’t stop one kid from copying their 19 year old brother’s ID and using it to authorize the entire school. So these systems gain logging facilities to try to rate limit requests and the politicians don’t like it because it’s too easy to circumvent. They really want ID attached to accounts so there can be some consequences for ID fraud.

2. Routing every request through a government entity will not be anonymous or log-free, no matter how much you want it to be. With everything we know about government intrusion into services in the name of national security, you can’t expect a centralized service that gets access to people’s ID, IP address, and sites they visit to be kept as a special zone for privacy. It would be a top target.

[padjo]

For 1. Can't the attestation result function as an identifier that the service uniquely associates with an account?

For 2. I have sufficient trust in my society that this would be the case or would have significant negative ramifications for the parties involved. Probably not true for all countries.

[28304283409234]

I agree that the sollution is terrible. That does not make the actual problem go away though. There are real world, actual problems caused by social media used by children. And individual parents, and children, are no match for the Googles of this world.

So what better option can we think of, us smart people here?

[inigyou]

Sounds very similar to the California bill that passed a few months ago - the one HN absolutely hated. The person who does device initial setup says whether the account is a child or adult, and transmits this to websites so they can block the content appropriately. (The site transmitting a rating doesn't work because most sites that aren't porn sites have mixed content )https://news.ycombinator.com/item?id=47181208

[Aurornis]

Not the same. I’m suggesting the site is required to transmit a category or rating and then end user devices have the option of filtering.

The word “option” is a key difference. I don’t think we should be forcing everyone to go through these age checks or thinking we can actual ban under-16s or other age groups from sites. There’s no way to do this without forcing everyone through an ID process, which is where a lot of these laws are heading.

Make it a parental controls thing and spread information about how parental controls work.

[inigyou]

But sites don't have categories, they almost all have mixed content. Twitter is social media, but is it also a porn site? Well that depends which account you're viewing. And whether your feed is a porn site can vary every single time you view it.

[wizzwizz4]

Then tag each <section>, rather than each site. To make auditing easier, don't have websites as large as Twitter.

[inigyou]

If your proposal is to make twitter illegal to protect the children, you're as bad as everyone else who is saying to do dumb things to protect the children

[pibaker]

GP's proposal does content filtering on the user's machine. Your age info never leaves your own device. The Californian proposal requires telling the service your age. I can see why HN absolutely hates the later given the HN crowd's general attitude towards data collection.