EFF launches Age Verification Hub

I'm sure those people exist, I just never happen to see anything they write online nor meet any of them in real life.

For the folks in the back row:

Age Verification is about Kids and Censorship: to track them and censor them

Age Verification is about Kids: giving it to companies who will keep it as safe as they've kept your identity, email, and other information.

Age Verification is about Kids and Censorship: taking control from you and giving it to corporations and government.

Age Verification is about Kids and Censorship: to keep them on their platforms so they can profit from them

Age Verification isn't just about Kids: it's also about tracking you

I don't know why we want to put children's data online. I don't want cameras in the kids rooms to verify their face, that camera will be used by others. That camera will be used to do the very thing they claim it is to protect against. I don't want the kids online, easily meeting with pedos, pretending to be kids or otherwise. I don't want kids data online for those people to use it to harm them. I don't want kid's data being leaked and exposed forever. To create lasting damage that will follow then the rest of their lives.

The road to hell is paved with good intentions. The devil uses this to fool you. Seriously, y'all gonna trust your kids' data with the people in the Epstein list? Why would you let a fox guard the chicken coop?

And now compare this comment with another comment (https://news.ycombinator.com/item?id=46228900) I got in yet another "let's save children from the Internet" thread:

> Your sci-fi distopia flash fiction is compelling, but not actually on topic in this discussion.

> "Think of the children" is weaponized for censorious purposes, but also the harms of social media are well documented (unlike many of the other moral panics fuelled by this phrase).

> I'm not sure a blanket under-16s ban on all social media is the right answer, but there are really good reasons why people support this that you need to engage with to have a useful discussion here.

So basically for everyone with even modest pattern recognition abilities the template used here should be crystal clear, which goes along the lines of

- I'm kinda with you (even though you are stupid and emotion-driven);

- But your point is totally invalid because you should be humiliated by the sheer number of your opponents, which renders you small and negligible;

- Your opponents have very good reasons to support any fascism that is able to address their reaction to prefabricated problems with prefabricated solutions, and you've got to support that too if you want to be heard.

I'm pretty sure these threads are chock full of shills, because one can't rob people of freedom without significant narraive steering efforts.

"group of people pushing age verification for kids disappear."

Parents need to parent then, but the amount that will are still larger than the people who want mass surveillance because they can't be arsed to raise their kids.

If they are too lazy to raise their kids, they don't have the energy to push the nanny state forward.

[delayed]

And really, a locally running AI could make that assessment pretty easily even if it isn't declared. No need to destroy the whole world's privacy. Unless that was the goal to begin with, obviously.

Are you aware of any age verification systems that do not have this property?

(This includes being robust against law enforcement action, legal or otherwise.)

> There are far too many politicians trying to pass laws like these, in very different countries across the world, for some kind of giant global conspiracy to stay undetected.

This is today's top agrument! "There are far too many gangsters each operating in their own district for some kind of notion of organized crime to be credible".

It's been illegal to sell porn to minors since approximately forever. If that is constitutional (not saying it is, but I'd be surprised if it wasn't since it's such an established practice), then I don't see how requiring age verification on porn sites wouldn't be. Requiring health warnings might be another matter, though. Not sure about that.

I wonder how it relates to the health warnings on tobacco products?

> In real life, we think age verification is a good thing. Kids shouldn't buy porn. Teenagers shouldn't get into bars. etc...

These are not equivalent, I don't have to scan my face, upload my ID and share my personal biometric data with various 3rd parties, who will sell and leak my data, every time I want to look at porn or sip a beer.

Also, there are countries where teenagers can drink and go to pubs, and society hasn't crumbled. We also have several generations of young adults with access to porn, and the sky didn't fall.

Maybe we shouldn't use the government to implement a "papers, please" process just to use and post on the internet, maybe we should instead legislate the root cause of the problem: algorithmic optimization and manipulation. That way everyone benefits, not just kids, and we won't have to scan our faces to look at memes on Reddit.

In the online world you can’t make sure of anything. Florida for instance requires age verification for porn sites. Guess how many mainstream sites not based in the US are completely ignoring the law and guess how many others are easily accessible via a VPN? If you guessed the sum total of both is less than 100%, you would be wrong - and even that is tilted toward sites that just ignored it.

The one thing you can control is your childs access through their device using parental controls.

I can absolutely guarantee you that any teenager can easily get access to weed, cigarettes and alcohol despite the laws and definitely can use a VPN. It only takes one smart kid to show them how.

In real life the situation is different. When I buy alcohol, someone looks at my drivers licence, does not make a copy of it, forgets it quickly, and cannot tie it to other information about me. As soon as it's online and it's copies, I can't tell what happens on anyone else's servers. I don't want any company knowing my actual name and location, then that can be tied to more data, which is what Google etc have been trying to do for years but this would just completely fast track that. I would in theory be fine with something where it never leaves my computer, but that is obviously impossible.

I'm not dismissing that idea. It is a perfectly reasonable thing to think about, part of why we have age verification techniques that already work well in critical places like online vape shops.

I'm even willing to talk about the possibility that we could use more robust systems deployed more broadly. A lot of folks here are talking about ZKPs in this regard, and that's not a bad idea at all.

The issue I'm trying to sound the horn on is that the current push for AF in the US and EU has nothing to do with kids. I think you could put together a working group on ZKPs and Age Verification, write up a paper and run experiments, and when you bring it to the lawmakers they're gonna say something to the tune of:

"yeah but that's not trustworthy enough and too technical for people to understand so we're just going to serve legal notices to VPN providers instead to tell them that they can't anymore"

...or something to that tune. I'm not a mind reader, I've just read the reports (by lawmakers) mentioning VPNs as an "area of concern".

This is a political gambit and not a new one. The more we treat the current issue as having anything to do with protecting kids the more we legitimize what is an obvious grift.

I think the equivocation of online and real life is a massive mistake. When you go into a grocery store you are constantly on CCTV. Does that mean when you shop on Amazon them recording you via webcam should be considered? Obviously not. The restrictions in real life are temporary. If you try to buy port, go into a bar, etc you are asked for ID and they look at it and hand it back. They don't take your ID, your picture and store it forever and then sell information about you to other people.

The concern about children is aimed at the wrong target. Instead of targeting everyone it would make far more sense to target the platforms. With Roblox having a pedo problem the company should face punishment. That will actually get them to change their ways. However all these massive platforms are major donors to politicians so the chance of that happening is low to none.

Hate to break it to you, you're on social media right now.

> In real life, we think age verification is a good thing.

Ok. In real life, do we think having agents from the government and corporations following you everywhere, writing down your every move and word, is a good thing? Or rather, what kind of crime would one have to have committed, so that they would only be allowed out in public with surveillance agents trailing them everywhere?

Parental control software has existed for decades. It hasn't worked.

Over 70% of teenagers <18 today have watched porn [1]. We all know (many from experience) that kids easily get around whatever restrictions adults put on their computers. We all know the memes about "click here if you're 18" being far less effective than "click here if you're not a robot."

Yes, there were other ways of trying to solve the problem. Governments could've mandated explicit websites (which includes a lot of mainstream social media these days) include the RTA rating tag instead of it being a voluntary thing, which social media companies still would've fought; and governments could've also mandated all devices come with parental control software to actually enforce that tag, which still would've been decried as overreach and possibly would've been easily circumventable for anyone who knows what they're doing (including kids).

But at the end of the day, there was a legitimate problem, and governments are trying to solve the problem, ulterior motives aside. It's not legal for people to have sex on the street in broad daylight (and even that would arguably be healthier for society than growing up on staged porn is). This argument is much more about whether it's healthy for generations to be raised on porn than many detractors want to admit.

[1] https://www.psychologytoday.com/us/blog/raising-kind-kids/20...

People are ignoring reality and thinking that kids and teenagers won't be smart enough to type "XXX" into piratebay and download a torrent client.

As many others have mentioned in this thread and others, there are ways - effective and straightforward ways - that we could be protecting our kids from the harms that come with the www.

The harms are real. The solution is a Surveillance Wolf wearing a dead Save The Kids Sheep(tm).

Solutions that might work - RTA headers [0]. More robust parental controls. Not this reimagining of the rules of the internet in service of a fairly vague and ineffective goal. It's like the whole AV concept was designed not to work in the current context at all - almost as if that was the point.

Perhaps I'm going a little out on a limb. I don't think I am - but quick, tell me you need to know where I'm dialing from without asking me where I'm dialing in from.

0 - https://www.rtalabel.org/index.php

The thing is that when it starts being about the kids it means the bottom 90% has entered the internet and you should be away because it is already lost.

I wonder if there's something like internet accelerationism - push things like having friends or watching movies online off the cliff as soon as possible.

Yet another comment following the template described in https://news.ycombinator.com/item?id=46242184

Unfortunately The Anxious Generation is a very well-written house of cards built on questionable studies [1] and its success is simply a reflection of the fact it capitalizes on the trendiest moral panic of our times.

Social media is akin to violent video games in the 2000s, tv addiction in the 90s, santanic heavy metal in 80s, and even 'bicycle face' in the 1890s bicycle craze.

Jonathan Haidt seems extremely earnest and thoughtful, but unfortunately being lovingly catapulted to fame for being the guy who affirms everyones gut reaction to change (moral panic)...makes it extremely difficult financially, emotionally and socially for him to steelman the opposite side of that thing.

Even if he hadn't compiled a bunch of suspect research from pre-2010 to make his claims, the field of Psychology is at the center of the replication crisis and is objectively its worst offender. Pyschology studies published in prestigious academic journals have been found to replicate only 36% of the time. [2]

1. https://reason.com/video/2024/04/02/the-bad-science-behind-j...

2. https://en.wikipedia.org/wiki/Reproducibility_Project

I like the first part of the idea, which is the header. Heck, even enable it by default. As long as the tracking of the toggle isn't a thing its a perfect compromise. While we're at it, respecting do not track headers would also be nice.

This completely leaves it up to the families / parents to control and gives some level of compliance to make the effort worth while.

There may even be a way to generate enough noise with the request to prevent any forms of tracking. This sort of thing should really be isolated in that way to prevent potential abuses via data brokers by way of sale of the information

Such sites would be illegal if not sharing the header back from the source website and be banned as much as adult websites incorrectly setting this header. It’s not a real problem.

This exists: https://en.wikipedia.org/wiki/Platform_for_Internet_Content_...

It was derided as a "system for mass censorship", and got shot down. In hindsight a mistake, and it should have been implemented - it was completely voluntary by the user.

I think the idea is that the manufacturers are culpable for making a parental restriction mode that's set-and-forget and not easily thwarted from inside the mode and parents are culpable for declining to set it.

Which I still don't love, but is at least more fair.

It could be added at the router? The child's computer could be identified and this header added, in a MITM situation... but, maybe that would be easy to defeat, by replacing the cert on the client? Not my area of expertise... really just asking...

There's no reason to hold the parents culpable. It would be up to the device manufacturer to ensure that this isn't possible on a system that has parental controls enabled. This is already a solved problem - see how MDM solutions do it, and see Apple's ban on alternative browsers.

It's not even necessary to block parents from giving their children Linux desktops or whatever. It'll largely solve the problem if parents are merely expected to enable parental controls on devices that have the capability.

The presumption that it's not a matter of the parents' prerogative whether to decide whether the child's access should be restricted or not -- and treating the parents as accountable to someone else's standards of what is or is not appropriate for their own children -- is itself objectionable.

What content is appropriate for children is properly up to their parents themselves, not to the government or to some nebulous concept of "society". If parent's choose not to set such a flag on their children's devices, then that means that they're choosing to allow their children to access content without restriction, and that's what defines what is OK for their children to access.

Add to that, clearly those "bad parents" are the result of bad parenting in the first place, so really it's the grand parents that are to blame...

Wait, those grand parents also had bad models to work with, so really it's the great grandparents that were to blame...

No, wait, it was the society that they grew up in that encouraged poor behaviour toward them, and forced them to react by taking on toxic behaviours. We all should pay because we all actively contribute to the world around us, and that includes being silent when we see bad things happening.

>Worse, it leads to situations where society seems to want to flat out be kid free in many ways. With families reportedly afraid to let their kids walk to and from school unsupervised.

I'm not seeing the correlation / causation here.

> Even the idea of prosecuting parents for allowing their child to access 'information,' no matter what that information is, just sounds like asking for 1984-style insanity.

This assumes an absolutist approach to enforcement, which I did not advocate and is not a fundamental part of my proposed solution. In any case, the law already has to make a subjective decision in non-technology areas. It would be no different here. Courts would be able to consider the surrounding context, and over time set precedents for what does and does not cross the bar in a way that society considers acceptable.

> I am a Russian proxy site, I make requests for you without the header. I serve you the content because I don't care about following American laws.

That's no different to a law mandating identification-based age verification though. A site in a different jurisdiction can ignore that just the same.

> 1) Given that it just says you're a "child", how does that work across jurisdictions where the adult age may not be 18?

It's a client-side flag saying "treat this request as coming from a child (whatever that means to you)". I don't follow what the jurisdiction concern is.

[EDIT] Oooooh you mean if a child is legally 18 where the server is, but 16 where the client is. But the header could be un-set for a 5-year-old, too, so I don't think that much matters. The idea would be to empower parents to set a policy that flags requests from their kids as coming from a child. If they fail to do that, I suppose that'd be on them.

> 1) Given that it just says you're a "child", how does that work across jurisdictions where the adult age may not be 18?

So namespace it then. "I'm a child as defined by the $country_code government". It's no more of a challenge than what identity-based age verification already needs to do.

> 2) It seems like it could be abused by fingerprinters, ad services, and even hostile websites that want to show inappropriate content to children.

This is still strictly better than identify-based age verification. Hostile or illegal sites can already do this anyway. Adding a single boolean flag which a large proportion of users are expected to have set isn't adding any significant fingerprinting information.

> Meanwhile in the world of smartphone data providers, social media networks, and the meta/googles of the world: they all know your personal information and identity up to the wazoo - and have far more information on every one of you than what is possessed by your own governments (well except for the governments that are also buying up that data.)

This is where I'm concerned too. We are seeing a proliferation of third party verification services that I have to interact with and that have no real obligations to citizens, because their customer is the website.

I'd like to see governments step in as semi-trusted third parties to provide primitives that allow us to bootstrap some sort of anonymous verification system. By semi-trusted, I mean trusted to provide attestations like "This person is a US citizen over the age of 18" but not necessarily trusted with an access log of all our websites.

If they voluntarily collude then yes, you can't avoid that. It's like third party cookies - once two parties collude it's game over. But that just outlines a situation where the user's chosen trusted service is hostile to their interests and they need to find one that isn't.

If Big Brother starts mandating the collusion - then yes, there's a hill to die on. But in some ways that's the point here. There are hills to die on - this just isn't it. And if you pick the wrong hill then you already died so you are losing the ones that really mattered. If the EFF pointed out to everyone that there is a privacy preserving answer to the core issue that is driving this, they could then mount a strong defense for the part that is truly problematic, since it isn't actually required to solve the problem.

This is only hypothetical for government ID's, but in theory government IDs could provide pairwise pseudonymous identifiers with services. Your ID with a single service is stable, but it is different with each service.

> My view is that there's no reason why we can't come together and come up with a rating system for websites

There's no way everybody will agree what constitutes "adult only content," therefore there's no way to come up with a rating for websites.

The internet, with verifiable identities, is the greatest system to collect kompromat that one could ask for.

Parents? Children? Schools?

I'd argue that this is negligible for data collectors and governments. Governments already know who you are and what sites you vist for 99.99% of the population. Data collectors already know who you are and have a pretty good idea of the sites you vist.

What unique information is this going to give the government and data collectors to abuse? Lets establish one case that both affects average people and is "bad" and not waste time discussing things that only affect a tiny minority of privacy minded people.

Keep in mind the law states a platform must provide multiple ways to reasonably verify a user is older than 16. No mention of giving the specific user age or requiring govt id

Well, you just answered brilliantly to your own question. You nailed it.

That’s not the argument you think it is

https://www.consumermedsafety.org/safety-articles/how-childr...

You're conflating protecting children with "protect the children!".

Required reading: https://en.wikipedia.org/wiki/Four_Horsemen_of_the_Infocalyp...

> Because it's not about age verification, it's about setting up infrastructure to enable incremental enchroachment on privacy.

Yes. You are emphasizing a reason it would be a good idea.

Sideline the ulterior/hidden motive. Or at a minimum, force it into the open, where it has less of a chance. (Ulterior motives are kept quiet for a reason.)

> Fun fact: many ZK identity solutions run centralized provers and can be subpoenaed. Need to use something that generates proofs client-side.

Subpoenas are one of the many privacy problems solved by this.

If there is no log of your real identity tied to visiting a site, there is nothing to hack or subpoena.

A verifier can report you got keys validated. But they don't know what sites they were for.

Sites can ensure users are vetted for age. Without knowing who they are.

This is such a classic cryptography scenario, I don't know how it isn't being pushed to the center of this debate. Anything that reduces the practical tension between divisive goal posts is going to have practical benefit, and make worst case legislation much less likely.

There could be several verifiers. You pick the one you trust the most.

Or you pick three verifiers of your choice who you coordinate between to get verified, without knowing who each other are.

The idea is that e.g. the government would give you an app that lives on your phone. When you apply for the app you provide some documents to prove your age, but you don't say anything about what sites you plan to visit. When you want to visit an age-restricted site you use the app to generate a proof that you have it, but the site doesn't learn anything more than that, and the government doesn't learn that you used the app.

It's funny because the same "perfect is the enemy of good" argument is used both to criticize age verification in the first place (why bother if it isn't perfect) but then also to dismiss proprosals to implement it better (why bother if they don't perfectly fix the problem).

Age verification in general is not intended to defend against people lying or using stolen credentials. If you’re 13 but know the password to your dead grandpa’s account and the website in question has no idea he’s dead, there’s no way to defend against that, with or without a ZKP.

What the ZKP does is let you limit the information the site collects to the fact that you are under 18, and nothing else. It’s an application of the principle of least privilege. It lets you give the website that one fact without revealing your name, birthdate, address, browsing history, and all your other private data.

> "MPAA ratings for movies"

(IANAL) That demonstrates the opposite: that's a voluntary system with no force of law behind it—the private sector "self-regulating" itself, if you will.

The film rating systems were created under threat of legislation in the first half of the 20th century (so, in lieu of actual legislation). The transformative 1st Amendment rulings of the Warren Court would have made such laws unconstitutional after the 1960's, but the dynamic that created these codes predates that—predates the modern judicial interpretation of the 1st Amendment.

https://en.wikipedia.org/wiki/Hays_Code (history background)

https://en.wikipedia.org/wiki/Motion_Picture_Association_fil... ("The MPA rating system is a voluntary scheme that is not enforced by law")

There is only a limit of curse words on over the air TV under the theory that the airwaves belong to the public.

> Onlyfans is legal prostitution

No, its legal (in some jurisdictions) pornography. Prostitution on the platform, as well as whatever the legal status is in the set of jurisdictions involved, is also, from what I understand, explicitly against the platform ToS.

And yet this has been the system for the last 35 years and somehow the sky didn't fall.

Either you're old enough to understand what porn is and have desires to consume it in which case you won't be scarred by it and don't need protection from it, or your not in which case you won't seek it out. You need id checks for alcohol because people too young to consume it want it, and given how much teens drink and how not a problem lower drinking ages are in other countries even that claim is somewhat dubious.

To explain it like budgeting. You can forward plan what you will spend money on. But you also need to be able to see where all of your money went. This is nigh impossible with data flow, nowadays.

I'd be comfortable with it having large segments of "uncategorized." But right now, if I scan over to my ISP to see how much data I have used for the month, I have little to no help in saying how much of that was what.

"Involuntary organ harvesting[3][4][5] was once legal on criminals, but outlawed in 2015"

https://en.wikipedia.org/wiki/Organ_transplantation_in_China

LSL4 was my favorite.

The parts where traffic generates money for the kind of people who would think putting an advertisement on a screen on someone's home refrigerator is an acceptable thing to do (morally, not legally or whatever).

Extrapolate that how you will.

There already are, and have been for a while. And, yes, of course, they've been involved in lobbying for the requirements.

In Switzerland you are forced to receive an SMS code to your phone on every portal in every public space everywhere to establish your identity on every network. No SMS = No public wifi anywhere in Switzerland.

I believe cyber cafes in India must verify identity via ID before allowing internet access and maintain logs, browsing history, etc. for at least one year.