When I moved from Sweden to Ireland and realized the Swedish central address registry makes moving fantastically easy, I started dreaming of a central registry where consumers and producers could meet. I can give my supplier access to exactly the information they need, and nothing else. I can revoke access when I feel like it. Like OAuth2 for personal data. They can subscribe to updates. It could be a federated protocol.
Not saying I think it's a good idea to provide the year of birth to all sites, but (session ID, year of birth) is the only information they would need. The problem is proving who's behind the keyboard at the time of asking, which would require challenge-response, and is why I think this should be an online platform, not a hardware PKI gadget with keys inevitably tied to individuals.
I am now waiting for Gruber (daringfireball.net) to post another rant about how terrible EU regulation is.
Zero-knowledge proofs are the way to go for this type of thing, I find it mind-boggling that the US lets itself be bamboozled into complete lack of privacy.
I am from EU, and contrary to age verification laws in general.
My stance is that if somebody is a minor, his/her/their parents/tutors/legal guardian are responsible for what they can/cannot do online, and that the mechanism to enforce that is parental control on devices.
Having said that, open-source zero-knowledge proofs are infinitely less evil (I refuse to say "better") than commercial cloud-based age monitoring baked into every OS
> Having said that, open-source zero-knowledge proofs are infinitely less evil (I refuse to say "better") than commercial cloud-based age monitoring baked into every OS
To be honest, I worry that the framing of this legislation and ZKP generally presents a false dichotomy, where second-option bias[1] prevails because of the draconian first option.
There's always another option: don't implement age verification laws at all.
App and website developers shouldn't be burdened with extra costly liability to make sure someone's kids don't read a curse word, parents can use the plethora of parental controls on the market if they're that worried.
Yes! This is the way, give parents the ABILITY to advertise the users age to browsers, apps and everything in between. Only target cooperations, do not target open source projects. Fine websites for not using this API (ex: porn sites). Assume an adult if not present.
This is what I think. I saw someone else on HN suggested provide an `X-User-Age` header to these sites, and provide parents with a password protected page to set that in the browser/OS.
Responsibility should be on the website to not provide the content if the header is sent with an inappropriate age, and for the parent to set it up on the device, or to not provide a child a device without child-safe restrictions.
It seems very obviously simple to me, and I don't see why any of these other systems have gained steam everywhere all of a sudden (apart from a desire to enhance tracking).
> Fine websites for not using this API (ex: porn sites).
Recent posters here are clear that porn sites are setting every available signal that they are serving adult-only content.
According to them, you are targeting the wrong audience.
Facebook/Instagram studying how to get young users addicted should be of greater concern. I have my doubts about the effectiveness of age-based blocking there, though.
Both are problems, porn sites have also targeted children and any non-enforced age “verification” on these sites is simply plausible deniability that isn’t plausible at all
> give parents the ABILITY to advertise the users age to browsers, apps and everything in between.
Accounts and Applications to services that provide countent are set to a country-specific age rating restrictions (PG, 12+, 18+, whatever). That's it.
None of the things you mentioned have any point to concern themself with the age or age-bracket of the user in front of the device. This can and will be abused. This is very obvious. Think about it.
This is a great solution to the stated problem. The issue is that nobody is actually trying to solve the stated problem. This is a terrible solution to the real 'problem' which is the lack of surveillance power and information control.
>This is a great solution to the stated problem. The issue is that nobody is actually trying to solve the stated problem. This is a terrible solution to the real 'problem' which is the lack of surveillance power and information control.
So on the Sony consoles I created an account for my child and guess what they have implemented some stuff to block children from adult content on some stuff.
So if Big Tech would actually want to prevent laws to be created could make it easy for a parent to setup the account for a child (most children this days have mobile stuff and consoles so they could start with those), we just need the browsers to read the age flag from the OS and put it in a header, then the websites owners can respect that flag.
I know that someone would say that some clever teen would crack their locked down windows/linux to change the flag but this is a super rare case, we should start with the 99% cases, mobile phones and consoles are already locked down so an OS API that tells the browser if this is an child account and a browser header would solve the issue, most porn websites or similar adult sites would have no reason not to respect this header , it would make their job easier then say Steam having to always popup a birth date thing when a game is mature.
That's why I suggested kernel enforced security (simple syscall) that applications could implement and are incredibly hard to spoof / create tools and workarounds for, but I got downvoted to hell.
Permission restricted registry entry (already exists) and a syscall that reads it (already exists) for windows and a file that requires sudo to edit (already exists) and a syscall to read it (already exists). Works on every distro automatically as well including android phones since they run the linux kernel anyway. Apple can figure it out and they already have appleid.
"mechanism to enforce that is parental control on devices."
Meh, I use it, but it's super annoying and I think that with my Daughter I'll take a different approach (but it will be some years before that is relevant).
On Android: The kid can easily go on Snapchat (after approval of install of course, and then you can just see their "friends") before Pokemon Go (just a pain to get working, it keeps presenting some borked version which led to a lot of confusion at first). I just lied about his age in a bunch of places at some point. Snapchat is horrible and sick from our experiences in the first week.
On Windows: It's a curated set of websites (and no FireFox) or access to everything. It's not even workable for just school. Granting kids access to our own minercraft servers: My god, I felt dirty about what the other parents had to go through to enable that.
The steelman argument is that parents are not necessarily up to date on the technology, and cannot reasonably be expected to supervise teenagers 24/7 up to the age of 18. Compare movie ratings or alcohol laws, for example: there's a non-parental obligation on third parties not to provide alcohol to children or let them in to R18 showings.
But the implementation matters, and almost all of these bills internationally are being done in bad faith by coordinated big-money groups against technologically illiterate and reactionary populist governments.
(if we really want to get into an argument, there's what the UK calls "Gillick competence": the ability of children to seek medical treatment without the knowledge and against the will of their parents)
The other stance is that most parents are not capable of winning a battle against tech giants for the mind of their children, just as parents were not capable of winning this fight with tobacco and alcohol companies.
I have personally worked with parents trying to prevent their children from using social media and it’s nearly impossible. Kids are almost always more tech savvy than their parents and unlike smoking it’s nearly impossible to tell a child is doing so without watching them 100% of the time.
Disingenuous, but I'm sure you know that and were being intentionally so. The government is not using alcohol age laws as a justification to place a camera in your bedroom to make sure you aren't sneaking booze, but it is using internet age laws as a justification to surveil your entire life in a world which is becoming increasingly digital-mandatory to participate in government services or the economy. Nobody had a problem with internet age laws when "are you over 13? yes/no" was legally sufficient.
> Having said that, open-source zero-knowledge proofs are infinitely less evil (I refuse to say "better") than commercial cloud-based age monitoring baked into every OS
Parent prefers more control by parents over zero-knowledge proof
If that was your point, I don't think your previous comment did a very good job of making it at all.
I do think parental controls can be and are abused for evil, but they're still better than the alternative. Zero-knowledge proof is not an alternative, and to suggest that it is is misunderstanding the situation. These laws are proposed and funded by people who want complete surveillance of the population. Zero-knowledge proof is, therefore, explicitly contrary to the goal and will never be implemented under any circumstances. Suggesting that it can be muddies the issue and tricks people into supporting legislation that exists only to be used against them.
In a benevolent dictatorship, sure, go for a zero-knowledge proof verification as your solution. In the reality of democracy, where politicians are corporate puppets who cloak surveillance laws in "think of the children" to rally support from the masses, we need to convince people to see through the lie and reject the proposals outright while reassuring them that they can protect the children themselves via parental controls. You will never be able to sufficiently inform 50.1% of the population of any country of what zero-knowledge proof even means, let alone convince them to support age verification laws but only if it is mandated.
Same here, EU citizen who thinks parents should do some parenting, after all. However, try to confront "modern" parents with your position. Many of them will fight you immediately, because they think the state is supposed to do their work... Its a very concerning development.
Seeming as this affect everyone .. Is there anything like and Open Collective .. grassroots consortium, to put together strong sensible zero-knowledge proof based policy examples that could be given to law-makers instead of this shadowy surveillance Trojan horse nonsense?
Even with ZKP this is still highly problematic, it create difficulty for undocumented people to access the web, create ton of phishing opportunity, reinforce censorship on most site (as they will now all need to be minor compliant or need age verification), reinforce the chilling effect and make the web even less crawlable/archivable (or you need to give a valid citizen ID to your crawler/archiver).
With no proof it will protect anyone from proven harm.
No, the way to go is the California way. The device owner (root user) can enter the age of the user. Restrictions are applied based on that. Nothing is verified.
Though the EU is at large keeping it's composure with this. My only criticism towards the EU as an EU citizen is how slow and bureaucratic the EU is and that decisions that should be made on the fly are dragged on forever.
That said, government agencies have been doing a terrible job at keeping the private information of citizens safe. But it is nowhere nearly as bad as the US. My best childhood friend died in very questionable circumstances in 2009 in the US in very questionable circumstances. He had a US citizenship and we never really found out what had happened(to the point where we never really got any definitive proof that he had died). But that didn't stop me from trying and I was blown away by the fact that I could log into a US government website, register with a burner mail, pay 2 bucks with an anonymous gift credit/debit card and get a scanned copy of his death certificate in my email. And I didn't even have to provide his passport/id/anything. Just his name.
Point is, the US has been terrible at privacy for as long as I can remember. It is probably worse now with Facebook and Ellison holding TikTok.
The critical thing is not so much "Americans" as "big money". Big Russian money is also a threat. Big Chinese money .. well, there's a bit of that about, but it doesn't seem to have shown up at the legislation influencing layer.
Oh, that's a different topic: as someone from and living in eastern Europe, there's not a single doubt in my mind that the biggest threat to any civilization is russia by a long shot. The alarming part is that the current US administration hasn't got a single clue of history, suffers from chronic incompetence and the whole superiority complex and fanboying russia as a consequence - those pose a threat. In the context of the conversation, the incompetence is arguably the biggest facepalm moment.
Most civilization is not in Eastern Europe though, Russia is not a threat outside of its immediate proximity and its relative strength has only lessened over the decades
At this point the US is arguably a much larger threat to random small countries. "We will make so much money if we find a reason to attack <your country>" is the real threat, if any. Of course, far behind other existential threats.
Experience is no good reason to make a blanket statement about a country and all its people, especially not when it's made with such an assertive voice.
Is it not? Have you heard about a TV program called the news? They have caused more death to eastern Europe than Hitler did in WW2 and is continuing to do so, has infiltrated countries and governments for generations, actively threatens everyone on daily basis and the entirety of their social media (domestically and expats/immigrants/spies) is nothing but endless wishes for death of anyone that is not russian. Westerners see that through the prism of "out of sight, out of mind" + language barrier, but the threat is neither out of sight, nor out of mind. Spend a few hours on bellingcat and you'll quickly change your mind.
> Experience is no good reason to make a blanket statement about a country and all its people
> Is it not?
No, and no part of your comment really seems to argue otherwise? I know about current world events. Your argument was that "experience" is a good enough reason to make a blanket statement about a country and all its people, and you doubled down on it, so it's not even like I'm constructing a strawman here or anything.
It's just wild to me how far this kind of blind hate goes. If "experience" is enough to say that a country is a bigger threat to civilization(!) than, lets say, pandemics, natural disasters, global nuclear war, etc., then there really remains no basis for any kind of healthy discussion. At that point it's just blind hatred.
I've never been subtle about how I feel about russians: Private properties confiscated. Several instances of terminal diseases in my family as a direct consequence of their actions. Several instances of people spending their entire lives in concentration camps, several instances of people being thrown out of hospitals and let to die in the streets. To the point where I barely have any living relatives. And in recent years, death of a number of close friends. And I am supposed to have a different feelings? Come back to me when you go through the same.
I think this is entirely reasonable given the history of Russia vs Eastern Europe, but especially the invasion of Ukraine. Russia is currently being held at the Dnipro river, but Putin has stated his intention to "recapture" most of the former USSR.
> Putin has stated his intention to "recapture" most of the former USSR.
I keep hearing this but I struggle to find any sources, beyond articles like [1] which are... not particularly good sources, even a reddit comment would be a better primary source than that.
I'm not trying to be combative, I just genuinely struggle to find primary sources, probably because I'm using the wrong keywords or something.
I understand the reasoning, but I would love to actually see/read/hear/whatever where Putin "states" this desire explicitly!
That's a book by Aleksandr Dugin, not Putin. I was asking specifically if there are ANY sources for the recurring statement that Putin wants to conquer back former USSR states. I see why its concerning, and how Dugin's close ties to the government are interesting, but I do not see a quote, or any other source, where Putin explicitly STATES this intent. I don't see it.
Surely I'm missing something here. Putin's 2023 "The Concept of the Foreign Policy of the Russian Federation" also does not state conquering back former USSR states. Where is it? If he states it so clearly that people keep quoting it, surely there must be a source for it? Sorry if I'm a PITA.
The same argument could be said for other age verification methods. Nothing stops a kid from getting their older cousin to verify their identity for something and it will never be possible to prevent this.
These bills also need to be opposed on a legal/political level.
Something I realized last night is that people who lie about their age to send false signals may inadvertently open themselves up to CFAA liability (a felony). So this is a serious matter for users who want to maintain anonymity.
Every single Linux kernel currently operating within the borders of any of these states should turn itself off and refuse to boot until an update is installed after these bills are rolled back.
We should also update all FOSS license terms to explicitly exclude Meta or any affilites from using any software licensed under them.
I probably don't have all the info on the various laws across the US and EU that are being pushed, but I'm confused why Linux distros don't just update their licensing and add a notice on the installation screen that it is illegal to run their OS in places where these laws exist?
Heck, Linus Torvalds should just add an amendment to the next release of the Linux Kernel that makes it illegal to use in any jurisdiction that requires age verification laws.
This would obviously cause such a massive disruption (especially in California) that the age laws would have to be rolled back immediately.
This seems like a no-brainer to me but I am admittedly ignorant on this situation. I'm sure there's a good reason why this isn't happening if anyone cares to explain.
Honestly, like the Left-pad incident [1], getting things to go suddenly dark is extremely effective at getting people to drop everything else to fix an issue.
Ideally, getting these servers to auto turn off the day this goes into effect ("In compliance with this new law, Linux is now temporarily unusable. Please <call to action>.") would be glorious for getting the bill staved off, or killed.
It would hurt some productivity, but that is a risk these lawmakers taking donations are probably willing to make.
"some"? It would hurt a lot of productivity lol. If all linux boxes turned themselves off suddenly, I think the internet would fall over pretty fast. I dont know how much of the internet runs on windows or apple (or others), but I cant imagine it's very much
AI companies are also donating tens of millions to these PACs and others that are promoting age verification laws, it lets them sell AI content rating systems using their models.
I’m curious why Meta would benefit. Meta seems wholly unnecessary, the verification can be done at the OS level, completely in the hands of Apple/Alphabet and maybe Microsoft.
If anything, Meta’s utility would seem to shrink if the OS handles proof of being a real person.
Regulatory capture through a higher barrier to entry. Any social media platform that wants to compete with Meta's portfolio will now also need to have an age-verification system in place (which is guaranteed to introduce higher costs). Meta can likely afford to eat the costs here as a tradeoff for the higher impact on smaller players.
It also gives them more information on users as a bonus. Further, verification with a real ID is also a quite effective barrier against excessive bots.
Look beyond the CA law, states have already passed laws that put the liability on app and website developers to ensure users aren't kids, there's no passing the buck to Apple or Google.
Meta's entire business model lives on ad deals that are not on the frontend. They are in the data business and this campaign is to get access to more data without an option to opt out. Who takes the data doesn't really matter.
The same sort of thing is happening for the 3d printer laws. Some company is trying to legislate its own software into ubiquity (guns first, then copyright enforcement) and then double-dip by charging both IP holders and printer manufacturers for their "services".
I don't understand why nobody in the comments is freaked out about this. This isn't just "oh Google knows my age", or "oh politicians being corrupt again!" This is "the government made a law that every computer in the world must track every person's identity and send it to the cloud".
No offline devices. Commercial vendors get your biometric data (and the equivalent of your driver's license / SSN). Every application on the OS can query your data.
If you think it stops with one bill, after they get all the infrastructure for this in place? You're fooling yourself. The whole point of this is to identify you, on every web page you visit, every app you open, on every device you own. Once bills are passed, it's very hard to get them revoked or nullified.
This is the most aggregious, authoritarian, Big Brother government surveillance system ever devised, and it's already law. I am fucking terrified.
(Yes, the EU has a less horrifying version of this. But Google, Apple, and Microsoft still control most of the devices in the world, and they are US companies.)
TLDR: Meta want to push all the age verification requirements onto the OS makers (Apple, Google, everyone else gets caught in the crossfire) so that they don’t have to do anything AND they want it done in such a way that they can use it to profile people to push them targeted ads.
Its like they want to keep being seen as the bad guys.
I think this is also a way of getting ahead of any “ban social media for teens and preteens” bills that might pop up in the US. They do not want repeats of Australia! By adding age verification into the operating system they can deflect responsibility but also respond to legislators with a scalpel rather than getting sledge-hammered.
That is the most serious thing you can do, and the most effective.
Do you know how democracy works? There are these people called representatives. They are hired by you. They pass laws. They only get to continue having a job if people like you vote for them. When you tell them "I don't like the law you are passing", they are hearing "the people who hire me are angry with me". The more people that are angry at what they're doing, the more their job is at risk.
They do what the lobbyists say because somebody else is doing the work, and they get paid (by the lobbyist). But they won't have a job to get paid for if the voters don't vote for them again. So your entire defense against tyranny and bad laws is you speaking out. If you never talk to your reps (or vote), you're telling them you don't care what kind of government it is, and they really will do whatever they want.
You have to tell them how you feel, along with all the rest of us. That's the only power we have.
In addition to that, tell everyone you know. Your friends, family, coworkers, the dude running the local gas station. Explain to them why government-mandated surveillance of everything they do on a computer is a bad idea. Ask them to talk to their reps.
Compare this to what the EU built. The EU Digital Identity Wallet under eIDAS 2.0 is open-source, self-hostable, and uses zero-knowledge proofs. You can prove you're over 18 without revealing your birth date, your name, or anything else. No per-check fees, no proprietary SDKs, no data going to a vendor's cloud. The EU's Digital Services Act puts age verification obligations on Very Large Online Platforms (45M+ monthly users), not on operating systems. FOSS projects that don't act as intermediary services are explicitly outside scope. Micro and small enterprises get additional exemptions.
The US bills assume every operating system is built by a corporation with the infrastructure and revenue to absorb these costs. The EU started from the opposite assumption and built accordingly.
Just another reminder of how we need to protect what we have in the EU (not a guarantee, but at least a chance of fair dealing and a sustained commitment to civic values). Now that the mask has fully fallen, we have to take every step possible to root out American influence.
QWACs exist to provide a more stringent and user-accessible way to assert a website's identity, mostly to foil phishing and other exploits that regular certificate systems don't address well. Where does this cross into censorship at all?
Oh, stop. Tinfoil-hatting like this is how privacy and internet freedom activism gets a bad rap.
QWAC certs are only for "high value" sites: banks, government services, etc. They can only be issued by "Qualified Trust Service Providers" (e.g. digisign, D-TRUST, etc -- not governments), and cost many hundreds of euros. Your blog and mastodon instance and 98% of businesses just aren't affected.
People operating in "high risk" sectors that need access to payment infra (porn, drugs, etc) are, as always, going to have a hard time. That's a worthy conversation, but nothing about QWAC or eIDAS is about "the government not issuing certs to people they don't like".
This is how total control of a platform always starts. Google starts with Android and just does digital signing for applications through their store. Until they achieve control of the platform, then suddenly you can't load your own applications without them signing it either.
Secure Boot is just a technology for those that need it, until Microsoft decides it's mandatory for everyone.
How much do you want to bet that Amutable, via its founder's control of the systemd codebase and ability to drive change, will be first-in-line to force a switch to its variant of systemd, along with a module for age verification?
I don't see it as coincidence that with all these laws passing, suddenly he announces a secure, "controlled", "locked down" version of systemd. Why, RedHat and Ubuntu can simply drop in this new variant, pay a small fee, and be done with compliance.
Oh look, the Heritage Foundation, the ones who wrote up the "Project 2025" agenda for most of the corruption and authoritarianism that has plagued America in the last year.
The very last people you should trust when it comes to "protecting the children."
To me it feels that the age verfication (adult de-anonymisation) push, at least in Europe, is coming more from the increasingly-authoritarian left as a reaction to the rise of the online right and Musk's Twitter.
(Maybe some unspoken element of concern over social media bots, too - as they evolve from spamming copy+pasted comments to being near-indistinguisable from actual human accounts?)
Heritage has been laying waste to America my whole life. They basically planned all of Reagan's legislative agenda, too, just like Project 2025 is doing today. In very real ways, they and their vision are America (a system is what it does, not what it says it does).
America will just get behind even more as years pass behind Europe in terms of proper regulation of the digital economy, which benefits citizens instead of companies and rich billionaries.
The reason is that europeans have nothing to win from those "winner-take-all" platforms the US has built in the past decades. Europe has built zero of them.
It contributes very little to Europe's GDP or the overall being of the european. And in some cases, it eats Europe's GDP, moving economic activity back to the US. This is different than for Americans which big tech is a net-positive contributor to society in my POV, mainly because how much economic activity $ it generates.
Big techs provide huge paychecks and made a lot of people rich in the US, and most of its GDP growth in the last decade. But it's a double-edged sword.
They will make laws in favor of them in detriment of the average American, while minting more billionaries than Europe could ever dream of.
Europe will take a long time to get the digital revolution the US already did, but it'll mostly come from regulations and government initiatives. And will be net-positive for humans living in Euope, not for owners of corporations.
This truly is the best democracy money can buy. As long as money and/or favors change hands in exchange for getting favorable laws passed, it's just legalized bribery and buying off your own "democracy".
And it snowballs, the more favorable laws someone buys, the more favorable their position, and the more they can buy in the future. The transition from "democratic facade" to "outright oligarchy" will be swift and seamless.
When I moved from Sweden to Ireland and realized the Swedish central address registry makes moving fantastically easy, I started dreaming of a central registry where consumers and producers could meet. I can give my supplier access to exactly the information they need, and nothing else. I can revoke access when I feel like it. Like OAuth2 for personal data. They can subscribe to updates. It could be a federated protocol.
Not saying I think it's a good idea to provide the year of birth to all sites, but (session ID, year of birth) is the only information they would need. The problem is proving who's behind the keyboard at the time of asking, which would require challenge-response, and is why I think this should be an online platform, not a hardware PKI gadget with keys inevitably tied to individuals.
I am now waiting for Gruber (daringfireball.net) to post another rant about how terrible EU regulation is.
Zero-knowledge proofs are the way to go for this type of thing, I find it mind-boggling that the US lets itself be bamboozled into complete lack of privacy.
I am from EU, and contrary to age verification laws in general.
My stance is that if somebody is a minor, his/her/their parents/tutors/legal guardian are responsible for what they can/cannot do online, and that the mechanism to enforce that is parental control on devices.
Having said that, open-source zero-knowledge proofs are infinitely less evil (I refuse to say "better") than commercial cloud-based age monitoring baked into every OS
> Having said that, open-source zero-knowledge proofs are infinitely less evil (I refuse to say "better") than commercial cloud-based age monitoring baked into every OS
To be honest, I worry that the framing of this legislation and ZKP generally presents a false dichotomy, where second-option bias[1] prevails because of the draconian first option.
There's always another option: don't implement age verification laws at all.
App and website developers shouldn't be burdened with extra costly liability to make sure someone's kids don't read a curse word, parents can use the plethora of parental controls on the market if they're that worried.
[1] https://rationalwiki.org/wiki/Appeal_to_the_minority#Second-...
> There's always another option: don't implement age verification laws at all.
Where do you go to vote for this option?
Yes! This is the way, give parents the ABILITY to advertise the users age to browsers, apps and everything in between. Only target cooperations, do not target open source projects. Fine websites for not using this API (ex: porn sites). Assume an adult if not present.
This is what I think. I saw someone else on HN suggested provide an `X-User-Age` header to these sites, and provide parents with a password protected page to set that in the browser/OS.
Responsibility should be on the website to not provide the content if the header is sent with an inappropriate age, and for the parent to set it up on the device, or to not provide a child a device without child-safe restrictions.
It seems very obviously simple to me, and I don't see why any of these other systems have gained steam everywhere all of a sudden (apart from a desire to enhance tracking).
> Fine websites for not using this API (ex: porn sites).
Recent posters here are clear that porn sites are setting every available signal that they are serving adult-only content.
According to them, you are targeting the wrong audience.
Facebook/Instagram studying how to get young users addicted should be of greater concern. I have my doubts about the effectiveness of age-based blocking there, though.
Both are problems, porn sites have also targeted children and any non-enforced age “verification” on these sites is simply plausible deniability that isn’t plausible at all
No. This is not the way.
> give parents the ABILITY to advertise the users age to browsers, apps and everything in between.
Accounts and Applications to services that provide countent are set to a country-specific age rating restrictions (PG, 12+, 18+, whatever). That's it.
None of the things you mentioned have any point to concern themself with the age or age-bracket of the user in front of the device. This can and will be abused. This is very obvious. Think about it.
This is a great solution to the stated problem. The issue is that nobody is actually trying to solve the stated problem. This is a terrible solution to the real 'problem' which is the lack of surveillance power and information control.
Three states now implement this solution that you just called a good solution, and most of HN still hates it. https://news.ycombinator.com/item?id=47357294
>This is a great solution to the stated problem. The issue is that nobody is actually trying to solve the stated problem. This is a terrible solution to the real 'problem' which is the lack of surveillance power and information control.
So on the Sony consoles I created an account for my child and guess what they have implemented some stuff to block children from adult content on some stuff.
So if Big Tech would actually want to prevent laws to be created could make it easy for a parent to setup the account for a child (most children this days have mobile stuff and consoles so they could start with those), we just need the browsers to read the age flag from the OS and put it in a header, then the websites owners can respect that flag.
I know that someone would say that some clever teen would crack their locked down windows/linux to change the flag but this is a super rare case, we should start with the 99% cases, mobile phones and consoles are already locked down so an OS API that tells the browser if this is an child account and a browser header would solve the issue, most porn websites or similar adult sites would have no reason not to respect this header , it would make their job easier then say Steam having to always popup a birth date thing when a game is mature.
That's why I suggested kernel enforced security (simple syscall) that applications could implement and are incredibly hard to spoof / create tools and workarounds for, but I got downvoted to hell.
Permission restricted registry entry (already exists) and a syscall that reads it (already exists) for windows and a file that requires sudo to edit (already exists) and a syscall to read it (already exists). Works on every distro automatically as well including android phones since they run the linux kernel anyway. Apple can figure it out and they already have appleid.
"mechanism to enforce that is parental control on devices."
Meh, I use it, but it's super annoying and I think that with my Daughter I'll take a different approach (but it will be some years before that is relevant).
On Android: The kid can easily go on Snapchat (after approval of install of course, and then you can just see their "friends") before Pokemon Go (just a pain to get working, it keeps presenting some borked version which led to a lot of confusion at first). I just lied about his age in a bunch of places at some point. Snapchat is horrible and sick from our experiences in the first week.
On Windows: It's a curated set of websites (and no FireFox) or access to everything. It's not even workable for just school. Granting kids access to our own minercraft servers: My god, I felt dirty about what the other parents had to go through to enable that.
> My stance is that if somebody is a minor, his/her/their parents/tutors/legal guardian are responsible for what they can/cannot do online
As a parent, sure, that is my stance as well. What... what other stances are there even? How would they work?
The steelman argument is that parents are not necessarily up to date on the technology, and cannot reasonably be expected to supervise teenagers 24/7 up to the age of 18. Compare movie ratings or alcohol laws, for example: there's a non-parental obligation on third parties not to provide alcohol to children or let them in to R18 showings.
But the implementation matters, and almost all of these bills internationally are being done in bad faith by coordinated big-money groups against technologically illiterate and reactionary populist governments.
(if we really want to get into an argument, there's what the UK calls "Gillick competence": the ability of children to seek medical treatment without the knowledge and against the will of their parents)
That steelman still stands on a core assumption that its both the state's responsibility and right to step in and parent on everyone's behalf.
Maybe a majority of people today agree with that, but I know I don't and I never hear that assumption debated directly.
Then frankly you haven’t seen many debates around age verification as it’s the main thing discussed every time it’s brought up
The other stance is that most parents are not capable of winning a battle against tech giants for the mind of their children, just as parents were not capable of winning this fight with tobacco and alcohol companies.
The tech giants want this. They drafted the bill. They paid tens of millions of dollars to promote it. Think about that for a minute.
ignore parent, outsource parenting to gov verification authority
TBH many parents done exactly that by giving phones/tablet already to kids in strollers
You could make the same case for parental control as evil.
"You‘re reading about evolution! Not in my house"
Parents already have a lot of control on children' education.
Examples: most children believe in the same religion as their parents, and can visit friends and places only if/when allowed by their parents.
This is simply extending the same level of control to the internet.
Government-mandated restrictions are completely another level.
I have personally worked with parents trying to prevent their children from using social media and it’s nearly impossible. Kids are almost always more tech savvy than their parents and unlike smoking it’s nearly impossible to tell a child is doing so without watching them 100% of the time.
Who controls your age if you try to buy alcohol.
Who controls your age if you want to see an R-rated movie?
This is simply extending the same level of control to the internet.
More control for parents is a completely different level.
There are no laws preventing children from seeing R-rated movies with or without their parents, theaters implement that policy by choice.
Welcome to the world where many countries aren’t the US
The OP is about legislation and companies in the US
Disingenuous, but I'm sure you know that and were being intentionally so. The government is not using alcohol age laws as a justification to place a camera in your bedroom to make sure you aren't sneaking booze, but it is using internet age laws as a justification to surveil your entire life in a world which is becoming increasingly digital-mandatory to participate in government services or the economy. Nobody had a problem with internet age laws when "are you over 13? yes/no" was legally sufficient.
You‘re missing the point
> Having said that, open-source zero-knowledge proofs are infinitely less evil (I refuse to say "better") than commercial cloud-based age monitoring baked into every OS
Parent prefers more control by parents over zero-knowledge proof
If that was your point, I don't think your previous comment did a very good job of making it at all.
I do think parental controls can be and are abused for evil, but they're still better than the alternative. Zero-knowledge proof is not an alternative, and to suggest that it is is misunderstanding the situation. These laws are proposed and funded by people who want complete surveillance of the population. Zero-knowledge proof is, therefore, explicitly contrary to the goal and will never be implemented under any circumstances. Suggesting that it can be muddies the issue and tricks people into supporting legislation that exists only to be used against them.
In a benevolent dictatorship, sure, go for a zero-knowledge proof verification as your solution. In the reality of democracy, where politicians are corporate puppets who cloak surveillance laws in "think of the children" to rally support from the masses, we need to convince people to see through the lie and reject the proposals outright while reassuring them that they can protect the children themselves via parental controls. You will never be able to sufficiently inform 50.1% of the population of any country of what zero-knowledge proof even means, let alone convince them to support age verification laws but only if it is mandated.
Same here, EU citizen who thinks parents should do some parenting, after all. However, try to confront "modern" parents with your position. Many of them will fight you immediately, because they think the state is supposed to do their work... Its a very concerning development.
Seeming as this affect everyone .. Is there anything like and Open Collective .. grassroots consortium, to put together strong sensible zero-knowledge proof based policy examples that could be given to law-makers instead of this shadowy surveillance Trojan horse nonsense?
Even with ZKP this is still highly problematic, it create difficulty for undocumented people to access the web, create ton of phishing opportunity, reinforce censorship on most site (as they will now all need to be minor compliant or need age verification), reinforce the chilling effect and make the web even less crawlable/archivable (or you need to give a valid citizen ID to your crawler/archiver).
With no proof it will protect anyone from proven harm.
No, the way to go is the California way. The device owner (root user) can enter the age of the user. Restrictions are applied based on that. Nothing is verified.
Though the EU is at large keeping it's composure with this. My only criticism towards the EU as an EU citizen is how slow and bureaucratic the EU is and that decisions that should be made on the fly are dragged on forever.
That said, government agencies have been doing a terrible job at keeping the private information of citizens safe. But it is nowhere nearly as bad as the US. My best childhood friend died in very questionable circumstances in 2009 in the US in very questionable circumstances. He had a US citizenship and we never really found out what had happened(to the point where we never really got any definitive proof that he had died). But that didn't stop me from trying and I was blown away by the fact that I could log into a US government website, register with a burner mail, pay 2 bucks with an anonymous gift credit/debit card and get a scanned copy of his death certificate in my email. And I didn't even have to provide his passport/id/anything. Just his name.
Point is, the US has been terrible at privacy for as long as I can remember. It is probably worse now with Facebook and Ellison holding TikTok.
The critical thing is not so much "Americans" as "big money". Big Russian money is also a threat. Big Chinese money .. well, there's a bit of that about, but it doesn't seem to have shown up at the legislation influencing layer.
Oh, that's a different topic: as someone from and living in eastern Europe, there's not a single doubt in my mind that the biggest threat to any civilization is russia by a long shot. The alarming part is that the current US administration hasn't got a single clue of history, suffers from chronic incompetence and the whole superiority complex and fanboying russia as a consequence - those pose a threat. In the context of the conversation, the incompetence is arguably the biggest facepalm moment.
> the biggest threat to any civilization is russia
Surely you meant this as hyperbole, right? If not, I would love your reasoning as to why its a bigger threat than literally anything and anyone else.
> someone from and living in eastern Europe
Reasoning: experience.
Most civilization is not in Eastern Europe though, Russia is not a threat outside of its immediate proximity and its relative strength has only lessened over the decades
At this point the US is arguably a much larger threat to random small countries. "We will make so much money if we find a reason to attack <your country>" is the real threat, if any. Of course, far behind other existential threats.
Experience is no good reason to make a blanket statement about a country and all its people, especially not when it's made with such an assertive voice.
Is it not? Have you heard about a TV program called the news? They have caused more death to eastern Europe than Hitler did in WW2 and is continuing to do so, has infiltrated countries and governments for generations, actively threatens everyone on daily basis and the entirety of their social media (domestically and expats/immigrants/spies) is nothing but endless wishes for death of anyone that is not russian. Westerners see that through the prism of "out of sight, out of mind" + language barrier, but the threat is neither out of sight, nor out of mind. Spend a few hours on bellingcat and you'll quickly change your mind.
> Experience is no good reason to make a blanket statement about a country and all its people
> Is it not?
No, and no part of your comment really seems to argue otherwise? I know about current world events. Your argument was that "experience" is a good enough reason to make a blanket statement about a country and all its people, and you doubled down on it, so it's not even like I'm constructing a strawman here or anything.
It's just wild to me how far this kind of blind hate goes. If "experience" is enough to say that a country is a bigger threat to civilization(!) than, lets say, pandemics, natural disasters, global nuclear war, etc., then there really remains no basis for any kind of healthy discussion. At that point it's just blind hatred.
I've never been subtle about how I feel about russians: Private properties confiscated. Several instances of terminal diseases in my family as a direct consequence of their actions. Several instances of people spending their entire lives in concentration camps, several instances of people being thrown out of hospitals and let to die in the streets. To the point where I barely have any living relatives. And in recent years, death of a number of close friends. And I am supposed to have a different feelings? Come back to me when you go through the same.
I think this is entirely reasonable given the history of Russia vs Eastern Europe, but especially the invasion of Ukraine. Russia is currently being held at the Dnipro river, but Putin has stated his intention to "recapture" most of the former USSR.
> Putin has stated his intention to "recapture" most of the former USSR.
I keep hearing this but I struggle to find any sources, beyond articles like [1] which are... not particularly good sources, even a reddit comment would be a better primary source than that.
I'm not trying to be combative, I just genuinely struggle to find primary sources, probably because I'm using the wrong keywords or something.
I understand the reasoning, but I would love to actually see/read/hear/whatever where Putin "states" this desire explicitly!
[1] https://gppreview.com/2015/02/12/putins-dream-reborn-ussr-un...
See here: https://en.wikipedia.org/wiki/Foundations_of_Geopolitics#In_...
That's a book by Aleksandr Dugin, not Putin. I was asking specifically if there are ANY sources for the recurring statement that Putin wants to conquer back former USSR states. I see why its concerning, and how Dugin's close ties to the government are interesting, but I do not see a quote, or any other source, where Putin explicitly STATES this intent. I don't see it.
Surely I'm missing something here. Putin's 2023 "The Concept of the Foreign Policy of the Russian Federation" also does not state conquering back former USSR states. Where is it? If he states it so clearly that people keep quoting it, surely there must be a source for it? Sorry if I'm a PITA.
Zero-knowledge proofs are unworkable for age verification because they can't prevent use of somebody else's credentials.
The same argument could be said for other age verification methods. Nothing stops a kid from getting their older cousin to verify their identity for something and it will never be possible to prevent this.
Two billion in lobbying. And the conclusion is that regulation is the problem?
it's not about protecting children. that's only the PR.
once you get this you stop asking why the tech details are the way they are.
Counterpoint: yes it is
For a project attempting to track these and coordinate technical resistance, see: https://github.com/AntiSurv/oss-anti-surveillance
These bills also need to be opposed on a legal/political level.
Something I realized last night is that people who lie about their age to send false signals may inadvertently open themselves up to CFAA liability (a felony). So this is a serious matter for users who want to maintain anonymity.
Every single Linux kernel currently operating within the borders of any of these states should turn itself off and refuse to boot until an update is installed after these bills are rolled back.
We should also update all FOSS license terms to explicitly exclude Meta or any affilites from using any software licensed under them.
I probably don't have all the info on the various laws across the US and EU that are being pushed, but I'm confused why Linux distros don't just update their licensing and add a notice on the installation screen that it is illegal to run their OS in places where these laws exist?
Heck, Linus Torvalds should just add an amendment to the next release of the Linux Kernel that makes it illegal to use in any jurisdiction that requires age verification laws.
This would obviously cause such a massive disruption (especially in California) that the age laws would have to be rolled back immediately.
This seems like a no-brainer to me but I am admittedly ignorant on this situation. I'm sure there's a good reason why this isn't happening if anyone cares to explain.
Honestly, like the Left-pad incident [1], getting things to go suddenly dark is extremely effective at getting people to drop everything else to fix an issue.
Ideally, getting these servers to auto turn off the day this goes into effect ("In compliance with this new law, Linux is now temporarily unusable. Please <call to action>.") would be glorious for getting the bill staved off, or killed.
It would hurt some productivity, but that is a risk these lawmakers taking donations are probably willing to make.
1 - https://en.wikipedia.org/wiki/Npm_left-pad_incident
"some"? It would hurt a lot of productivity lol. If all linux boxes turned themselves off suddenly, I think the internet would fall over pretty fast. I dont know how much of the internet runs on windows or apple (or others), but I cant imagine it's very much
It would make people move quickly to use a forked version of the kernel and would be an all around blunder by the Linux foundation
Someone would just submit a patch overriding this
Not surprisingly, Meta is possibly the worst "offender" behind funding of these campaigns.
AI companies are also donating tens of millions to these PACs and others that are promoting age verification laws, it lets them sell AI content rating systems using their models.
I’m curious why Meta would benefit. Meta seems wholly unnecessary, the verification can be done at the OS level, completely in the hands of Apple/Alphabet and maybe Microsoft.
If anything, Meta’s utility would seem to shrink if the OS handles proof of being a real person.
Regulatory capture through a higher barrier to entry. Any social media platform that wants to compete with Meta's portfolio will now also need to have an age-verification system in place (which is guaranteed to introduce higher costs). Meta can likely afford to eat the costs here as a tradeoff for the higher impact on smaller players.
It also gives them more information on users as a bonus. Further, verification with a real ID is also a quite effective barrier against excessive bots.
I would think the barrier to entry gets lower because Apple/Alphabet handle age verification, and they let apps/websites use that verification.
Look beyond the CA law, states have already passed laws that put the liability on app and website developers to ensure users aren't kids, there's no passing the buck to Apple or Google.
https://www.eff.org/deeplinks/2025/12/congresss-crusade-age-...
Meta get to impose verified ID on everyone and link it to their advertisers, AND kill competing networks.
Meta's entire business model lives on ad deals that are not on the frontend. They are in the data business and this campaign is to get access to more data without an option to opt out. Who takes the data doesn't really matter.
Liability and they probably want whatever blob of bits they use to identify you from the OS.
because upstart competitors cant afford the verification process / lobbying efforts next instagram wont be bought out, it cant even begin to exist
The same sort of thing is happening for the 3d printer laws. Some company is trying to legislate its own software into ubiquity (guns first, then copyright enforcement) and then double-dip by charging both IP holders and printer manufacturers for their "services".
I don't understand why nobody in the comments is freaked out about this. This isn't just "oh Google knows my age", or "oh politicians being corrupt again!" This is "the government made a law that every computer in the world must track every person's identity and send it to the cloud".
No offline devices. Commercial vendors get your biometric data (and the equivalent of your driver's license / SSN). Every application on the OS can query your data.
If you think it stops with one bill, after they get all the infrastructure for this in place? You're fooling yourself. The whole point of this is to identify you, on every web page you visit, every app you open, on every device you own. Once bills are passed, it's very hard to get them revoked or nullified.
This is the most aggregious, authoritarian, Big Brother government surveillance system ever devised, and it's already law. I am fucking terrified.
(Yes, the EU has a less horrifying version of this. But Google, Apple, and Microsoft still control most of the devices in the world, and they are US companies.)
TLDR: Meta want to push all the age verification requirements onto the OS makers (Apple, Google, everyone else gets caught in the crossfire) so that they don’t have to do anything AND they want it done in such a way that they can use it to profile people to push them targeted ads.
Its like they want to keep being seen as the bad guys.
I think this is also a way of getting ahead of any “ban social media for teens and preteens” bills that might pop up in the US. They do not want repeats of Australia! By adding age verification into the operating system they can deflect responsibility but also respond to legislators with a scalpel rather than getting sledge-hammered.
…Honestly this seems something very likely, more than the other suggestions.
I want age verification but not at the OS level.
O great more big money warping our lives for the worse.
I’d write my senator but they won’t do shit. Is there anything that can seriously be done?
That is the most serious thing you can do, and the most effective.
Do you know how democracy works? There are these people called representatives. They are hired by you. They pass laws. They only get to continue having a job if people like you vote for them. When you tell them "I don't like the law you are passing", they are hearing "the people who hire me are angry with me". The more people that are angry at what they're doing, the more their job is at risk.
They do what the lobbyists say because somebody else is doing the work, and they get paid (by the lobbyist). But they won't have a job to get paid for if the voters don't vote for them again. So your entire defense against tyranny and bad laws is you speaking out. If you never talk to your reps (or vote), you're telling them you don't care what kind of government it is, and they really will do whatever they want.
You have to tell them how you feel, along with all the rest of us. That's the only power we have.
In addition to that, tell everyone you know. Your friends, family, coworkers, the dude running the local gas station. Explain to them why government-mandated surveillance of everything they do on a computer is a bad idea. Ask them to talk to their reps.
The hard part is writing in a way that these legislators and their help can instantly understand.
Ideas? Time to spin up a local LLM for some editing advice.
Jesus. As an American I can do my part, but it’s not much.
$70 million is chump change for Meta, yet is far more money than I’ll ever have and does so much to influence state legislation.
Isn't eIDAS the same technology stack that would put the government in total control of what websites you can view & what ones you can't?
https://en.wikipedia.org/wiki/Qualified_website_authenticati...
QWACs exist to provide a more stringent and user-accessible way to assert a website's identity, mostly to foil phishing and other exploits that regular certificate systems don't address well. Where does this cross into censorship at all?
When the government decides not to issue certificates to websites they don't like.
Oh, stop. Tinfoil-hatting like this is how privacy and internet freedom activism gets a bad rap.
QWAC certs are only for "high value" sites: banks, government services, etc. They can only be issued by "Qualified Trust Service Providers" (e.g. digisign, D-TRUST, etc -- not governments), and cost many hundreds of euros. Your blog and mastodon instance and 98% of businesses just aren't affected.
People operating in "high risk" sectors that need access to payment infra (porn, drugs, etc) are, as always, going to have a hard time. That's a worthy conversation, but nothing about QWAC or eIDAS is about "the government not issuing certs to people they don't like".
This is how total control of a platform always starts. Google starts with Android and just does digital signing for applications through their store. Until they achieve control of the platform, then suddenly you can't load your own applications without them signing it either.
Secure Boot is just a technology for those that need it, until Microsoft decides it's mandatory for everyone.
See? It was never about children. Never fails.
Corporations literally buy the laws they want and Silicon Valley is the newest lobbying monster. Genuinely terrifying.
How much do you want to bet that Amutable, via its founder's control of the systemd codebase and ability to drive change, will be first-in-line to force a switch to its variant of systemd, along with a module for age verification?
I don't see it as coincidence that with all these laws passing, suddenly he announces a secure, "controlled", "locked down" version of systemd. Why, RedHat and Ubuntu can simply drop in this new variant, pay a small fee, and be done with compliance.
Oh look, the Heritage Foundation, the ones who wrote up the "Project 2025" agenda for most of the corruption and authoritarianism that has plagued America in the last year.
The very last people you should trust when it comes to "protecting the children."
To me it feels that the age verfication (adult de-anonymisation) push, at least in Europe, is coming more from the increasingly-authoritarian left as a reaction to the rise of the online right and Musk's Twitter.
(Maybe some unspoken element of concern over social media bots, too - as they evolve from spamming copy+pasted comments to being near-indistinguisable from actual human accounts?)
Heritage has been laying waste to America my whole life. They basically planned all of Reagan's legislative agenda, too, just like Project 2025 is doing today. In very real ways, they and their vision are America (a system is what it does, not what it says it does).
America will just get behind even more as years pass behind Europe in terms of proper regulation of the digital economy, which benefits citizens instead of companies and rich billionaries.
The reason is that europeans have nothing to win from those "winner-take-all" platforms the US has built in the past decades. Europe has built zero of them.
It contributes very little to Europe's GDP or the overall being of the european. And in some cases, it eats Europe's GDP, moving economic activity back to the US. This is different than for Americans which big tech is a net-positive contributor to society in my POV, mainly because how much economic activity $ it generates.
Big techs provide huge paychecks and made a lot of people rich in the US, and most of its GDP growth in the last decade. But it's a double-edged sword.
They will make laws in favor of them in detriment of the average American, while minting more billionaries than Europe could ever dream of.
Europe will take a long time to get the digital revolution the US already did, but it'll mostly come from regulations and government initiatives. And will be net-positive for humans living in Euope, not for owners of corporations.
The guy posted a Ask HN there:
https://news.ycombinator.com/item?id=47361235
https://github.com/upper-up/meta-lobbying-and-other-findings...
This truly is the best democracy money can buy. As long as money and/or favors change hands in exchange for getting favorable laws passed, it's just legalized bribery and buying off your own "democracy".
And it snowballs, the more favorable laws someone buys, the more favorable their position, and the more they can buy in the future. The transition from "democratic facade" to "outright oligarchy" will be swift and seamless.