This article is written by someone who either doesn't know about the multitude of services that have been vierfying identity easily and effectively online for decades. Or someone who doesn't want...
Exemplary
The reality of the internet is that it is worldwide.
This article is written by someone who either doesn't know about the multitude of services that have been vierfying identity easily and effectively online for decades. Or someone who doesn't want to engage with how there are working services that do this already. On scales of millions and millions of users, pervasively though entire countries.
There are also some glaringly incorrect assumptions made about how these existing systems work (phrased as if they would work this way in the future).
And there are some conceptual arguments made that have consequences that render society unable to function.
I've been verifying my age on the internet for the last 20 years without issue. Here's how.
I have a Norwegian bank ID. It's directly connected to my social security number. It has used two-factor-identification for more than two decades. When the government sends me documents, when health care providers send me test results, when i log in to change my insurance, when i pay by credit card online, for all these things, I log in using my bank ID.
My bank uniquely identifies me. They can do this by providing positive ID I'm me, which is accepted just like showing a physical passport. Or BankID can be used simply to verify to a third party that I'm 18. Or when I make any online payment with a credit card, BankID verifies to my bank that I'm me though a third-party integration not accessible to the service. They just get confirmation that the payment has been approved like normal once I've verified myself to my bank. BankID can be used to verify me without even identifying what bank I use as it's a service that
BankId in Sweden has over 8 million users old and young. BankID in Norway has 4 million users. We're talking almost every adult ( and most 13+ persons) in each country.
The internet is part of society. It is and should be regulated as such.
This article is underpinned by the idea that it's unacceptable to demand identification to a government or third party. That is nonsense. Society requires trust to function.
Society can't work if I can't trust my bank with my financial information. Or if I can't trust the government with handling my basic personal information, information required for government to deliver basic services to me, like taxing me, health care, schooling etc.
To make these arguments that basic functions of society can't be trusted to perform their most basic functions is paranoid, reductive, an argument that society is inherently impossible although we provably live in extremely complex societies.
The internet is not separate from the rest of society. To the contrary, it's an extremely important pervasively integrated part of modern society. The rule of law applies to the internet. The internet must be fashioned and regulated in ways that it is not an effective hub for going around the rule of law. A surprising amount of people online seem to argue that this "free internet" not just isn't the wanted state of affairs, but somehow a natural state of the internet.
A well-regulated internet is necessary to ensure basic functions of society and prevent forces for undoing the rule of law: to hinder money-laundering, sexual exploitation, fraud, information theft, sale of illegal items, and on and on.
But equally importantly: With verification systems online, we could get at some of the major challenges of our time. Like disinformation campaigns trying to undermine the sovereignty and legitimacy of our societies, just to mention one of many areas in passing.
famously uncontroversial:
Everyone has duties to the community in which alone the free and full development of his personality is possible.
Countries must be allowed to employ their own laws, also online
The UN Declaration of Human Rights ensures everyone has the right to self-determination without undue interference in their country.
The will of the people shall be the basis of the authority of government; this will shall be expressed in periodic and genuine elections which shall be by universal and equal suffrage and shall be held by secret vote or by equivalent free voting procedures.
This means that countries are and should be allowed to regulate the internet (and rest of society) as they see fit, the prerequisite being genuine elections.
The implication of this is that a majority has the right to enact legislation after winning elections, which we do not like and do not agree with, so long as these laws don't break universal human rights, or rights set down constitutionally.
If I live in a theocracy where a party wants to ban adult content, wins an election and enacts that law, that's their prerogative as long as such a new law is legally enacted.
Companies are also allowed to regulate and limit access to their tools, products and services in line with relevant laws. Many online seem not to like this fact. Where regulation is lacking, that's a matter for lawmakers.
Further incorrect assumptions made in the article
This comment is already long. Here are some very short comments on other major flaws in the piece:
An ID verification system doesn't require or normalize "uploading Personally Identifying Information (PII) to every site which requires verification"
We don't have to trust the Adult industry with PII at all to verify age.
Lawmakers aren't expecting random websites to secure the ID of their users. They're expecting them to employ decades old online identity standards.
Zero-knowledge systems are the standard, not a theoretical possibility that "feels" like it has a "fairy low" likelihood, as the article claims.
Countries used their pervasive digital ID-systems for Covid-tracking (like Norway with BankID), These had options of zero-knowledge verification available.
No, ID verification solutions don't make Big Tech the "gatekeepers of the internet once and for all", quite the contrary: We'd be giving much less information about ourselves to these companies as they'd have zero-knowledge in the age/identity verification process as a third party.
No matter which way you slice it, a device-based solution to this problem would be the ultimate DRM. Not serving to “protect” copyrighted content from users in the traditional sense, but to “protect” users from content deemed inappropriate, creating a digital walled garden in which only the big players have the government approval and integration with browsers and websites to participate.
Quite the opposite: With ID verification, the threshold for having age/location restricted content all disappears, as implementations are easy to make. Any tiny website can safely and securely deliver 18+ content and compete with the juggernauts.
The slippery slope-argument that "if we have an ID system, it'll be used everywhere, and groups will be able to enforce unreasonable ID-reqs by passing legislation" is just that. An unfounded slippery slope-argument. In 20 years in Norway and Sweden, Bankid and BankID (two separate systems, confusingly named). None of this has come to pass. (Yes, these are two of the soundest democracies and most well-functioning countries in the world, so specific mileage will vary)
Governments can begin to demand sites require verification of details other than age, because the system is already built. Streaming services might begin to verify your location based on the address on your digital ID, locking people out of using a VPN to bypass geo-restrictions for example.
Yes, verification systems can be used to manage access to content in legal ways. Don't think those uses should be legal? Outlaw them. Societies need to elect lawmakers who do their jobs. Again, these are basic prerequisites of society that online products and services are not exempt from.
Despite the obvious free speech implications, politicians in the United States and other western countries are increasingly looking towards systems like this as a model to further consolidate their power over their citizens.
The internet has been objectively under-regulated, and has consequently been a haven for criminal activity. Regulation (and as importantly potential legal enforcement) of internet-based activity is reaching the same standards as the rest of society, which isn't just natural, but objectively good for a society of jurisprudence.
I agree very strongly with the concluding paragraph, but it has nothing to do with the substance of online ID verification
Finally:
Instead of continuing to delegate parental responsibilities to the government, perhaps the vocal minority of parents who wish to do so should take the time to educate themselves on technology, educate their children on what is and isn’t appropriate, and bear some responsibility themselves. We’ll all be better off.
I completely agree. That's not what this is about. Online verification of various parts of identity is about enforcing laws online in the same way they're enforced offline.
It's extremely damaging to views of sexuality and sex that 8-year olds are being randomly subjected to hardcore pornography as they browse legitimately online.
In many digitized countries, there are epidemics of teenagers committing crimes of violence during sex, because they've learned that slapping, spitting, choking and the like are "normal" parts of sex through pornography they should not have been subjected to.
Those are failures of parenting. But it's almost impossible to be a responsible parent on these online issues without completely invading the privacy of your children.
Personal responsibilities should not be delegated to the government. But the government needs to render society functioning. Also online.
The vocal minority of parents who wish government to do their parenting for them (banning books and a host of other issues come to mind) should take the time to educate themselves on technology, educate their children on what is and isn’t appropriate, and bear some responsibility themselves.
We'd all be better off for that. Just like we'd all be better off with a properly regulated internet.
Thats great that Sweden has this wonderful system. The US, by and large, does not. The closest we have is validating with a credit card payment, but that is trivial to bypass. We can get closer by...
Thats great that Sweden has this wonderful system. The US, by and large, does not.
The closest we have is validating with a credit card payment, but that is trivial to bypass.
We can get closer by handing over our federally-issued Social Security number.... but the USA is stupid and uses it as a password and not an identifier. Anybody who knows your legal name and SSN can impersonate you, easily signing up for credit cards that you are legally responsible for.
Nope. They're a hodpodge of inconsistency and more easily faked. ReadID on state license is better, but not every state has it fully implemented yet. Oh, and if people sub out the photo on your...
Nope. They're a hodpodge of inconsistency and more easily faked. ReadID on state license is better, but not every state has it fully implemented yet.
Oh, and if people sub out the photo on your uploaded ID they can further use that as a tool of impersonation.
Hence why the articles idea of having the government itself provide an age-validation scheme is less-bad than most other options. I like the idea of using raw OpenSSH keyservers for validation, signed by government when age-verified in person.
Maybe I missed something, but it seems that you're suggesting the government or your bank should be able to see which sites you access that require age verification? It sounded like the...
Maybe I missed something, but it seems that you're suggesting the government or your bank should be able to see which sites you access that require age verification? It sounded like the verification would come from that third party to whatever site you're attempting to access so that the porn site isn't directly getting your information? I'm confused on how it would work while respecting privacy.
BankID is a separate identity to my bank. Neither the government nor the bank knows anything more about my log-ins to any service than other third party services do. Again: We have to trust the...
BankID is a separate identity to my bank. Neither the government nor the bank knows anything more about my log-ins to any service than other third party services do.
Again: We have to trust the government to responsibly handle information about us as citizens for services and society to function. We also have to trust our banks to have our interests at heart for our financial lives to function. My bank knows who I pay money to. We have to trust the payment processors and clearing houses. We have to trust internet service providers or phone companies with our data to use these services.
Privacy is not and cannot be absolute. Can I trust BankID to handle my verification data responsibly? It's the only thing they do and risking that trust would risk the entire company. It's run, owned and audited by extremely serious people. There are competing services I can swap to in a matter of minutes if they lose my trust.
In my view, the risks to me and my privacy from this service are minimal, compared to all sorts of other services I trust with different kinds of data.
Age verification is not the hill to die on for organizing and regulating the internet.
I don't see how the fact that we need to trust the government to handle information that's relevant to social services has anything to do with age verification to watch porn. I also don't think a...
I don't see how the fact that we need to trust the government to handle information that's relevant to social services has anything to do with age verification to watch porn. I also don't think a corporation which provides a PKI that gives it the capability to see which porn sites you're looking at and when is going to be very well received in countries with less social trust than the Nordic countries (which is literally every country because the Nordic countries have the highest social trust in the world12).
BankID is a separate company owned and operated by the financial companies collectively. I have the same BankID everywhere, linked to my personal ID number. I don't need to do anything when I...
BankID is a separate company owned and operated by the financial companies collectively. I have the same BankID everywhere, linked to my personal ID number.
I don't need to do anything when I change banks, passports or whatever. I can use BankID for thousands and thousands of different services online. From everything identifying me to Norwegian government, to ensuring I'm me using my credit card if I buy something in a Zimbabwean online store.
I don’t think so, they were giving a conceptual example of what currently exists in Norway and Sweden for digital verification and how something similar could be set up.
I don’t think so, they were giving a conceptual example of what currently exists in Norway and Sweden for digital verification and how something similar could be set up.
I'd also like to add that the internet isn't one homogeneous entity, and age verification can't only be applied to users: some sites do (and could) require upload verification and these can be...
I'd also like to add that the internet isn't one homogeneous entity, and age verification can't only be applied to users: some sites do (and could) require upload verification and these can be grouped by the products they sell or provide; much as we regulate the non-online economy.
Many of the proposals I've seen so far use blunt instruments which place a large burden on the user to verify their identity rather than to ensure what they access is appropriate to their circumstance (i.e. age-related material) or is legally sourced on upload.
If I live in a theocracy where a party wants to ban adult content, wins an election and enacts that law, that's their prerogative as long as such a new law is legally enacted.
I'd like to highlight the last part of the sentence you quoted. It has huge implications. A legally enacted law has to be constitutional and comply with all sorts of other binding international...
I'd like to highlight the last part of the sentence you quoted. It has huge implications.
A legally enacted law has to be constitutional and comply with all sorts of other binding international agreements on human rights (depending on where you're located).
Those regulations include variations of rights to freedom of expression, personal choice and so forth.
In many areas, blanket bans on adult content would simply be unconstitutional. If the will of the people wishes it otherwise, within the limits of other universal rights, that's the will of the people and their society is entitled to it.
Again, this statement of national autonomy without interference is stating the obvious. It's so uncontroversial it's in the UNs Declaration of Universal Human Rights (to be read in context with the limitations imposed by the other rights):
The will of the people shall be the basis of the authority of government; this will shall be expressed in periodic and genuine elections which shall be by universal and equal suffrage and shall be held by secret vote or by equivalent free voting procedures.
You have an interesting idea of how governance works. Like I’m glad Sweden isn’t on the Fashy train and all, but all this stuff about “the will of the people” is well, crap. If Putin tomorrow...
You have an interesting idea of how governance works. Like I’m glad Sweden isn’t on the Fashy train and all, but all this stuff about “the will of the people” is well, crap.
If Putin tomorrow says, “Being LGBT in Russia is sentencable by death”, (I know, I know, a wild stretch) guess what: that shit will get legally enacted. Doesn’t make it less evil
So yeah, I’m not gonna engage much deeper with this giant wall of text.
And that is why law is not equivalent to morality, and never will be. Subsequently why breaking the law is not inheritly immoral, it's all about context, harm, and reason.
And that is why law is not equivalent to morality, and never will be.
Subsequently why breaking the law is not inheritly immoral, it's all about context, harm, and reason.
I think you're right not to engage. I have expressed a very basic, mainstream idea of how governance works that by and large is an uncontroversial representation of the basic principles that...
So yeah, I’m not gonna engage much deeper with this giant wall of text.
I think you're right not to engage. I have expressed a very basic, mainstream idea of how governance works that by and large is an uncontroversial representation of the basic principles that underpin modern liberal societies.
No-one can legally enact the type of law you suggest without breaking not one, not two, but all three of the first three articles of the Universal Declaration of Human Rights:
Article 1: All human beings are born free and equal in dignity and rights. They are endowed with reason and conscience and should act towards one another in a spirit of brotherhood.
Article 2: Everyone is entitled to all the rights and freedoms set forth in this Declaration, without distinction of any kind, such as race, colour, sex, language, religion, political or other opinion, national or social origin, property, birth or other status. Furthermore, no distinction shall be made on the basis of the political, jurisdictional or international status of the country or territory to which a person belongs, whether it be independent, trust, non-self-governing or under any other limitation of sovereignty.
Article 3: Everyone has the right to life, liberty and security of person.
I understand what you’re saying, but I doubt people like the gay couple arrested for posting to TikTok would much care if the law was “legal” or not. This is a bad faith effort driven by bad...
This is a bad faith effort driven by bad actors who want to ‘protect the children’. Not reckoning with that is giving them cover to pursue their goals, like e.g., moving basic contraceptive health information behind a “ID check”
I feel like people in Nordic countries have a lot of trouble relating to citizens of countries with "dysfunctional political regimes" like the US. We don't trust the government to do many things,...
I feel like people in Nordic countries have a lot of trouble relating to citizens of countries with "dysfunctional political regimes" like the US. We don't trust the government to do many things, and for the very good reason that it can't be trusted!
I'm a US citizen. I've lived extensively in the US. I have family living in the US. There are absurdities in the US psyche that mean Americans collectively don't trust the government with data it...
I'm a US citizen. I've lived extensively in the US. I have family living in the US.
There are absurdities in the US psyche that mean Americans collectively don't trust the government with data it needs to have or already has. Like that we don't get prefilled tax returns.
It's privacy theater: the government intelligence agencies can get all this information. It's all about a feel-good view that I'm safe from Uncle Sam.
People also willingly hand this information over to huge corporations that have a documented history of misusing the data, where the government often does not have nearly as poor a record. Just because it's government, doesn't mean I can't trust it.
One political party clearly wants to tear down functioning society and play into this fear so they can render public services less and less useful to dismantle even basic services.
Yes, the US government handles my information worse than the Norwegian government does, but that's not an excuse for paranoia. I shouldn't feed this paranoia by taking a default stance that I can't trust government.
We should be channeling our energy to demanding proper funding and running of public services so they will handle all our data better.
UN resolutions aren't legally binding. Countries can and do run roughshod over what the UN says, and routinely ignore even treaties they are signatories to, or walk back on their word depending on...
UN resolutions aren't legally binding. Countries can and do run roughshod over what the UN says, and routinely ignore even treaties they are signatories to, or walk back on their word depending on which way the political winds blow. It's not that your view of how governance works is controversial; the problem seems to be more that in practice that's not how it ends up working. Notably the US will sometimes act in a way that's inconsistent with those views, too.
A number of large, powerful countries are run by de facto or de jure dictators whose decisions are legally binding in the only way that matters. It doesn't matter if you think they shouldn't be; as long as we're engaging with those countries through diplomacy and trade, because our governments or our corporations judge that there is value in doing so (and they always do - there is no democracy in the world that's principled enough to do otherwise) we're validating that legality. We're accepting that that's how things work.
I'm talking about Peremptory norms. These fundamental principles of international laws (also called jus cogens) void national laws or practices as they defy basic standards of international...
These fundamental principles of international laws (also called jus cogens) void national laws or practices as they defy basic standards of international criminal law.
Core crimes that apply here are things like genocide, war crimes, and crimes against humanity.
It's the last part that's important here: laws that enact or underpin crimes against humanity cannot be legal. All human rights abuses that are systematically widespread or systemic (including discrimination based on sexual orientation) may reach the threshold of crimes against humanity and render laws illegal.
Now I completely agree that the enforcement mechanisms have been weak and the International Court of Justice rarely intervenes, but over 100 countries have ratified the International Covenant on Civil and Political Rights (ICCPR) and its First Optional Protocol-system
These foundational values have bene enshrined in a number of constitutions and are legally binding elsewhere.
What are stronger peremptory norms than universal human values over 190 countries have ratified? These are legally binding in international law in a host of ways, courts and interpretations.
Any death-sentence law based on basic personal characteristics clearly and obviously is illegal by international law and cannot be legally enacted.
Sometimes? The USA doesn't give a damn about the UN. It will do whatever it wants regardless of UN resolutions/treaties. It's the epitome of "rules for thee but not for me." Or, the more relevant...
Notably the US will sometimes act in a way that's inconsistent with those views, too.
Sometimes? The USA doesn't give a damn about the UN. It will do whatever it wants regardless of UN resolutions/treaties. It's the epitome of "rules for thee but not for me."
Or, the more relevant version: "Who's gonna stop me? You and what army?"
It's the basic principle underpinning democracy: A framework to ensure that the majority gets to decide within reasonable limits. I don't know of a better system that works in practice.
It's the basic principle underpinning democracy: A framework to ensure that the majority gets to decide within reasonable limits.
I don't know of a better system that works in practice.
I've majorly soured on 50%+1 democracy. For anything important, I would only consider it a binding decision if the vote is at least 55%. The winning option needs to have some hope of becoming a...
I've majorly soured on 50%+1 democracy. For anything important, I would only consider it a binding decision if the vote is at least 55%. The winning option needs to have some hope of becoming a consensus. 50%+1 works for choosing a speed limit or filling elected offices, not for policy changes (see: Brexit).
There are a number of issues where more than 50% is required, or where special procedures must be followed to change the law. Those are outlined in constitutions and other foundational documents...
There are a number of issues where more than 50% is required, or where special procedures must be followed to change the law. Those are outlined in constitutions and other foundational documents of states.
To me, many places have issues with their constitutions being too hard to update to be in line with the values of those living today. Some enshrine a status quo of the 1800s and are essentially impossible to change.
The system is broken, but that's not because the core tenets of representative democracies are flawed.
I'm not sure there's any age verification system with the internet I'd be comfortable with. Private options raise all sorts of basic security concerns, and government-issued solutions feel like...
I'm not sure there's any age verification system with the internet I'd be comfortable with. Private options raise all sorts of basic security concerns, and government-issued solutions feel like too much of a slippery slope for corruption to take root. The article went into my exact concerns with how some countries have already used such restrictions to expand censorship. I'd assume there would be some record of sites visited by each verified ID, and that alone would raise a lot of concerns for abuse.
It's deeply frustrating and concerning to me, with no easy solutions. The one thing people need to remember is that the internet is international. No singular country owns or runs the internet, which makes regulating it very difficult. I really don't think a lot of lawmakers fully understand how complex internet regulation really is—and those who do, I'm wary of why they're pushing for age verification so harshly. I doubt it's "for the children" as they so often claim.
Zero-knowledge proofs would be an interesting solution to this, however, spending the two hours enabling parental controls and like, doing your damn job as a parent is also a simple and great...
Zero-knowledge proofs would be an interesting solution to this, however, spending the two hours enabling parental controls and like, doing your damn job as a parent is also a simple and great solution to this
This requires constant scrutiny and presence and as soon as parents try that they get insulted as helicopter parents. This isn't a simple thing that we're trying to fix.
doing your damn job as a parent
This requires constant scrutiny and presence and as soon as parents try that they get insulted as helicopter parents.
This isn't a simple thing that we're trying to fix.
Parental controls are also often buggy, inconsistent afterthoughts of software. I use implementations by Microsoft, Google, and Nintendo on my kids' devices and they all have different settings...
Parental controls are also often buggy, inconsistent afterthoughts of software. I use implementations by Microsoft, Google, and Nintendo on my kids' devices and they all have different settings and idiosyncrasies. Also kids are clever. They find ways around limits anyway. It's a moving target for sure.
Don't get me wrong. We should be exercising what controls we have to try to reign in the wild Internet, but the solutions currently out there are far from perfect.
My kids aren't quite old enough yet for this to be an issue, but I am thinking of using a DNS service like NextDNS for their devices. Seems to not be trivial to circumvent that. Though of course...
My kids aren't quite old enough yet for this to be an issue, but I am thinking of using a DNS service like NextDNS for their devices. Seems to not be trivial to circumvent that. Though of course one can never fully control everything and the most important thing is to make it so they trust you enough to come to you if they encounter some disturbing stuff.
A technical solution doesn't have to be perfect to be better than nothing.
Yeah I agree completely and I've come to the same conclusion that the first line of defense is an open dialog. Still frustrating that there is so much variation in all the software solutions. I've...
Yeah I agree completely and I've come to the same conclusion that the first line of defense is an open dialog. Still frustrating that there is so much variation in all the software solutions. I've also looked into DNS options and it seems pretty fiddly too. Disclaimer though, I don't have a lot of money to throw at this problem, so I've been mostly limited to what my current hardware supports. If I had the cash I'd love to set up multiple vlans for the different classes of devices in my house.
it is trivial, I figured out how to get around those in ~5min as a kid :) if you set up DNS blocking but go on the client device and edit the DNS servers there it’ll bypass it all. You’d need to...
it is trivial, I figured out how to get around those in ~5min as a kid :)
if you set up DNS blocking but go on the client device and edit the DNS servers there it’ll bypass it all. You’d need to block clients from using their own DNS servers on your router which I’m not sure is an option on consumer hardware.
I don’t think constant scrutiny and running spyware on your kids is necessary to do one’s job as a parent. I think talking to your kids and engaging with them about difficult issues to provide...
I don’t think constant scrutiny and running spyware on your kids is necessary to do one’s job as a parent. I think talking to your kids and engaging with them about difficult issues to provide them with the tools they need to make good decisions is the job I do as a parent. I don’t require the government to be involved in this process at all.
Particularly because parental controls are not going to stop kids from seeing content, they only prevent them from seeing content on a particular device, possibly in a particular location.
I'm not saying parents shouldn't use parental controls, but I grew up with strict techy parents who used parental controls amongst other techniques (such as no devices in bedrooms, devices facing...
I'm not saying parents shouldn't use parental controls, but I grew up with strict techy parents who used parental controls amongst other techniques (such as no devices in bedrooms, devices facing away from the wall etc.), and I still often found content that wasn't age appropriate, whether intentionally or unintentionally. I'm not even just talking about sexually explicit content either, I often accidentally stumbled into violent or otherwise inappropriate content. I remember one time I had (accidentally) started reading a 4chan incel page on archive.org of all places.
All of that to say, despite my parents best efforts, I often ran into content that was not at all age appropriate, more often than not by accident. The internet is a really really wild place and (at least when I grew up) there's not really that much you can do about it. It's far more important to educate your children on how to use the internet, and allow them to feel comfortable talking with you about things. I didn't become an incel, but another child could have dodged that parental firewall and got sucked into that kind of content online easily, especially if parents think there's no way to access that content anyway.
On one hand, I think the concerns raised about age validation are good ones. But I dislike the perpetual and continuing assumption that one must have a smartphone in order to participate online....
On one hand, I think the concerns raised about age validation are good ones.
But I dislike the perpetual and continuing assumption that one must have a smartphone in order to participate online. Especially since there are serious problems with both major smartphone providers.
I think a government-signed, age-verified passkey would be reasonable. But that passkey must not be tied to a device or specific implementation, definitely not a closed one.
Heck, even current deployments of phomes and passkeys are problematic, if only because biometrics do not have the legal protections against law enforcement that passwords do. That's another issue that needs proper ironing out.
Phone vendors make it easy to use biometrics to unlock your phone (and increasingly for laptops), but there's no requirement that you use it. You can change your settings to use a pin instead. I...
Phone vendors make it easy to use biometrics to unlock your phone (and increasingly for laptops), but there's no requirement that you use it. You can change your settings to use a pin instead. I don't think most people will do that because they're not worried about law enforcement most of the time. It might be a good idea to do it when traveling internationally, but a better idea would be to use a burner phone with nothing on it.
I expect that Google and Apple would both be more likely to implement a zero-knowledge age verification system than most governments, particularly if it were designed into an open standard (like passkeys). Perhaps some regulators like the EU could make sure they do it right. But others would likely want to require backdoors to be built-in.
As with passkeys, I expect desktop systems would still be supported. There are still plenty of laptops and desktops out there.
(A "yes, I am at least 18" flag would also be a useful signal for selling ads.)
I largely agree, except for the word "just." Making this happen would be a big project that a lot of people would have to collaborate on. Getting an age verification system in place would be hard...
I largely agree, except for the word "just." Making this happen would be a big project that a lot of people would have to collaborate on.
Getting an age verification system in place would be hard enough in itself. It would be of course be gamed in all sorts of ways, since it gets in the way of people who want to look at porn.
It wouldn't be nearly as big a lift if they just properly implemented the already-existing 'Do Not Track' flag instead of using it as yet another user-tracking tool.
It wouldn't be nearly as big a lift if they just properly implemented the already-existing 'Do Not Track' flag instead of using it as yet another user-tracking tool.
Google and Apple are implementing mdl, mobile drivers-license, which will have an ability to send a verified “yes/no” signal to “I am at least 18” and “I am at least 21”. I don’t think we should...
Google and Apple are implementing mdl, mobile drivers-license, which will have an ability to send a verified “yes/no” signal to “I am at least 18” and “I am at least 21”. I don’t think we should use this but sites almost certainly will once a majority of people have it on their phones.
Fake ID has always been possible. Devices and accounts can be shared. Less-determined people who are under age won't bother, so that should help keep websites out of legal trouble? "Someone got in...
Fake ID has always been possible. Devices and accounts can be shared. Less-determined people who are under age won't bother, so that should help keep websites out of legal trouble? "Someone got in with a fake ID" means it's not really your fault, unless it happens often enough that it looks like you're not trying.
Defaults are the most powerful thing. So when phone vendors prompt to setup biometrics and insecure PINs, that's defacto what will get used, every time. Only security concious people will do...
Defaults are the most powerful thing. So when phone vendors prompt to setup biometrics and insecure PINs, that's defacto what will get used, every time. Only security concious people will do otherwise, so that's about 0.01% of the population. And thus, because of bad laws, 99.99% of the population gets stripped of yet another right, without even knowing it. Maybe there should be a big warning "You can be forced by law enforcement to use biometrics to log in to devices and services, but you cannot be forced to disclose a password."
Proper passwords, 12 or more characters, should be mandated to unlock devices, unless the laws change to provide proper legal protections for stuff secured with it.
Even then, biometrics should only be used as part of MFA only after device is unlocked.
Something you know (password), something you have (phone), something you are (biometrics). Those are the three most important factors to implement a proper MFA scheme. Only the first has legal protections that you cannot be forced to unlock by law enforcement.
Yea, the USA actually used to be pretty great compared to the alternatives...at least in terms of using logic and writing laws....we're seeing a massive regression there. If only we didn't rule...
Yea, the USA actually used to be pretty great compared to the alternatives...at least in terms of using logic and writing laws....we're seeing a massive regression there.
If only we didn't rule that computer files are not "papers". That one hurt.
I suspect that the legal protections you care about aren't what most people care about. I suspect that defaults are important but people will override them in this case to turn locking off rather...
I suspect that the legal protections you care about aren't what most people care about. I suspect that defaults are important but people will override them in this case to turn locking off rather than use a pin. If required to pick a pin they'll use "1234." After all, it's their phone. You're not the admin of them.
Fingerprint locks and Apple's Face ID are intended to get people to lock their phones at all.
Oh I don't doubt it. As with most things, people don't care about rights until they realize they don't have them. In a police state such as the USA, where corruption runs deep, and planting...
Oh I don't doubt it. As with most things, people don't care about rights until they realize they don't have them.
In a police state such as the USA, where corruption runs deep, and planting evidence is a fairly common tactic, it is a prudent decision to insure you have every tool at your disposal...you never know when you'll make an accidental enemy.
Heck, I made one from wearing a Bernie shirt to a Wawa in 2022.
Related, but very tangential, I record every phone call. Thank goodness for 1-party consent. Not only does it give me legal ammunition if I need it, it's useful when you forget a small detail.
It should be baked in to every phone app...not blocked as hard as possible by the OS.
Oh no. Because of Federal law, which is also 1 party consent. They can't sue me because it's legal for me to record, as crossing state lines makes it federal jurisdiction. This can vary state by...
Oh no. Because of Federal law, which is also 1 party consent.
They can't sue me because it's legal for me to record, as crossing state lines makes it federal jurisdiction. This can vary state by state, and often relies on where the suit would be filed.
From that document: This seems to say that federal law doesn't preempt state laws about making recordings? But I'm not a lawyer and this is beyond my expertise.
From that document:
In most cases, both state and federal laws may apply.
This seems to say that federal law doesn't preempt state laws about making recordings? But I'm not a lawyer and this is beyond my expertise.
This article is written by someone who either doesn't know about the multitude of services that have been vierfying identity easily and effectively online for decades. Or someone who doesn't want to engage with how there are working services that do this already. On scales of millions and millions of users, pervasively though entire countries.
There are also some glaringly incorrect assumptions made about how these existing systems work (phrased as if they would work this way in the future).
And there are some conceptual arguments made that have consequences that render society unable to function.
I've been verifying my age on the internet for the last 20 years without issue. Here's how.
I have a Norwegian bank ID. It's directly connected to my social security number. It has used two-factor-identification for more than two decades. When the government sends me documents, when health care providers send me test results, when i log in to change my insurance, when i pay by credit card online, for all these things, I log in using my bank ID.
My bank uniquely identifies me. They can do this by providing positive ID I'm me, which is accepted just like showing a physical passport. Or BankID can be used simply to verify to a third party that I'm 18. Or when I make any online payment with a credit card, BankID verifies to my bank that I'm me though a third-party integration not accessible to the service. They just get confirmation that the payment has been approved like normal once I've verified myself to my bank. BankID can be used to verify me without even identifying what bank I use as it's a service that
BankId in Sweden has over 8 million users old and young. BankID in Norway has 4 million users. We're talking almost every adult ( and most 13+ persons) in each country.
The internet is part of society. It is and should be regulated as such.
Society can't work if I can't trust my bank with my financial information. Or if I can't trust the government with handling my basic personal information, information required for government to deliver basic services to me, like taxing me, health care, schooling etc.
To make these arguments that basic functions of society can't be trusted to perform their most basic functions is paranoid, reductive, an argument that society is inherently impossible although we provably live in extremely complex societies.
The internet is not separate from the rest of society. To the contrary, it's an extremely important pervasively integrated part of modern society. The rule of law applies to the internet. The internet must be fashioned and regulated in ways that it is not an effective hub for going around the rule of law. A surprising amount of people online seem to argue that this "free internet" not just isn't the wanted state of affairs, but somehow a natural state of the internet.
A well-regulated internet is necessary to ensure basic functions of society and prevent forces for undoing the rule of law: to hinder money-laundering, sexual exploitation, fraud, information theft, sale of illegal items, and on and on.
But equally importantly: With verification systems online, we could get at some of the major challenges of our time. Like disinformation campaigns trying to undermine the sovereignty and legitimacy of our societies, just to mention one of many areas in passing.
famously uncontroversial:
Countries must be allowed to employ their own laws, also online
The UN Declaration of Human Rights ensures everyone has the right to self-determination without undue interference in their country.
This means that countries are and should be allowed to regulate the internet (and rest of society) as they see fit, the prerequisite being genuine elections.
The implication of this is that a majority has the right to enact legislation after winning elections, which we do not like and do not agree with, so long as these laws don't break universal human rights, or rights set down constitutionally.
If I live in a theocracy where a party wants to ban adult content, wins an election and enacts that law, that's their prerogative as long as such a new law is legally enacted.
Companies are also allowed to regulate and limit access to their tools, products and services in line with relevant laws. Many online seem not to like this fact. Where regulation is lacking, that's a matter for lawmakers.
Further incorrect assumptions made in the article
This comment is already long. Here are some very short comments on other major flaws in the piece:
An ID verification system doesn't require or normalize "uploading Personally Identifying Information (PII) to every site which requires verification"
We don't have to trust the Adult industry with PII at all to verify age.
Lawmakers aren't expecting random websites to secure the ID of their users. They're expecting them to employ decades old online identity standards.
Zero-knowledge systems are the standard, not a theoretical possibility that "feels" like it has a "fairy low" likelihood, as the article claims.
Countries used their pervasive digital ID-systems for Covid-tracking (like Norway with BankID), These had options of zero-knowledge verification available.
No, ID verification solutions don't make Big Tech the "gatekeepers of the internet once and for all", quite the contrary: We'd be giving much less information about ourselves to these companies as they'd have zero-knowledge in the age/identity verification process as a third party.
Quite the opposite: With ID verification, the threshold for having age/location restricted content all disappears, as implementations are easy to make. Any tiny website can safely and securely deliver 18+ content and compete with the juggernauts.
The slippery slope-argument that "if we have an ID system, it'll be used everywhere, and groups will be able to enforce unreasonable ID-reqs by passing legislation" is just that. An unfounded slippery slope-argument. In 20 years in Norway and Sweden, Bankid and BankID (two separate systems, confusingly named). None of this has come to pass. (Yes, these are two of the soundest democracies and most well-functioning countries in the world, so specific mileage will vary)
I agree very strongly with the concluding paragraph, but it has nothing to do with the substance of online ID verification
Finally:
I completely agree. That's not what this is about. Online verification of various parts of identity is about enforcing laws online in the same way they're enforced offline.
It's extremely damaging to views of sexuality and sex that 8-year olds are being randomly subjected to hardcore pornography as they browse legitimately online.
In many digitized countries, there are epidemics of teenagers committing crimes of violence during sex, because they've learned that slapping, spitting, choking and the like are "normal" parts of sex through pornography they should not have been subjected to.
Those are failures of parenting. But it's almost impossible to be a responsible parent on these online issues without completely invading the privacy of your children.
Personal responsibilities should not be delegated to the government. But the government needs to render society functioning. Also online.
The vocal minority of parents who wish government to do their parenting for them (banning books and a host of other issues come to mind) should take the time to educate themselves on technology, educate their children on what is and isn’t appropriate, and bear some responsibility themselves.
We'd all be better off for that. Just like we'd all be better off with a properly regulated internet.
Thats great that Sweden has this wonderful system. The US, by and large, does not.
The closest we have is validating with a credit card payment, but that is trivial to bypass.
We can get closer by handing over our federally-issued Social Security number.... but the USA is stupid and uses it as a password and not an identifier. Anybody who knows your legal name and SSN can impersonate you, easily signing up for credit cards that you are legally responsible for.
Aren't driver's licenses/state ID cards the obvious US option?
Nope. They're a hodpodge of inconsistency and more easily faked. ReadID on state license is better, but not every state has it fully implemented yet.
Oh, and if people sub out the photo on your uploaded ID they can further use that as a tool of impersonation.
Hence why the articles idea of having the government itself provide an age-validation scheme is less-bad than most other options. I like the idea of using raw OpenSSH keyservers for validation, signed by government when age-verified in person.
Maybe I missed something, but it seems that you're suggesting the government or your bank should be able to see which sites you access that require age verification? It sounded like the verification would come from that third party to whatever site you're attempting to access so that the porn site isn't directly getting your information? I'm confused on how it would work while respecting privacy.
BankID is a separate identity to my bank. Neither the government nor the bank knows anything more about my log-ins to any service than other third party services do.
Again: We have to trust the government to responsibly handle information about us as citizens for services and society to function. We also have to trust our banks to have our interests at heart for our financial lives to function. My bank knows who I pay money to. We have to trust the payment processors and clearing houses. We have to trust internet service providers or phone companies with our data to use these services.
Privacy is not and cannot be absolute. Can I trust BankID to handle my verification data responsibly? It's the only thing they do and risking that trust would risk the entire company. It's run, owned and audited by extremely serious people. There are competing services I can swap to in a matter of minutes if they lose my trust.
In my view, the risks to me and my privacy from this service are minimal, compared to all sorts of other services I trust with different kinds of data.
Age verification is not the hill to die on for organizing and regulating the internet.
I don't see how the fact that we need to trust the government to handle information that's relevant to social services has anything to do with age verification to watch porn. I also don't think a corporation which provides a PKI that gives it the capability to see which porn sites you're looking at and when is going to be very well received in countries with less social trust than the Nordic countries (which is literally every country because the Nordic countries have the highest social trust in the world1 2).
If you don’t mind me asking, how is BankID handled for people who have multiple bank accounts? Which at least in Germany is not atypical, at all.
BankID is a separate company owned and operated by the financial companies collectively. I have the same BankID everywhere, linked to my personal ID number.
I don't need to do anything when I change banks, passports or whatever. I can use BankID for thousands and thousands of different services online. From everything identifying me to Norwegian government, to ensuring I'm me using my credit card if I buy something in a Zimbabwean online store.
I don’t think so, they were giving a conceptual example of what currently exists in Norway and Sweden for digital verification and how something similar could be set up.
I'd also like to add that the internet isn't one homogeneous entity, and age verification can't only be applied to users: some sites do (and could) require upload verification and these can be grouped by the products they sell or provide; much as we regulate the non-online economy.
Many of the proposals I've seen so far use blunt instruments which place a large burden on the user to verify their identity rather than to ensure what they access is appropriate to their circumstance (i.e. age-related material) or is legally sourced on upload.
Ummm, k.
I'd like to highlight the last part of the sentence you quoted. It has huge implications.
A legally enacted law has to be constitutional and comply with all sorts of other binding international agreements on human rights (depending on where you're located).
Those regulations include variations of rights to freedom of expression, personal choice and so forth.
In many areas, blanket bans on adult content would simply be unconstitutional. If the will of the people wishes it otherwise, within the limits of other universal rights, that's the will of the people and their society is entitled to it.
Again, this statement of national autonomy without interference is stating the obvious. It's so uncontroversial it's in the UNs Declaration of Universal Human Rights (to be read in context with the limitations imposed by the other rights):
You have an interesting idea of how governance works. Like I’m glad Sweden isn’t on the Fashy train and all, but all this stuff about “the will of the people” is well, crap.
If Putin tomorrow says, “Being LGBT in Russia is sentencable by death”, (I know, I know, a wild stretch) guess what: that shit will get legally enacted. Doesn’t make it less evil
So yeah, I’m not gonna engage much deeper with this giant wall of text.
And that is why law is not equivalent to morality, and never will be.
Subsequently why breaking the law is not inheritly immoral, it's all about context, harm, and reason.
I think you're right not to engage. I have expressed a very basic, mainstream idea of how governance works that by and large is an uncontroversial representation of the basic principles that underpin modern liberal societies.
No-one can legally enact the type of law you suggest without breaking not one, not two, but all three of the first three articles of the Universal Declaration of Human Rights:
Article 1: All human beings are born free and equal in dignity and rights. They are endowed with reason and conscience and should act towards one another in a spirit of brotherhood.
Article 2: Everyone is entitled to all the rights and freedoms set forth in this Declaration, without distinction of any kind, such as race, colour, sex, language, religion, political or other opinion, national or social origin, property, birth or other status. Furthermore, no distinction shall be made on the basis of the political, jurisdictional or international status of the country or territory to which a person belongs, whether it be independent, trust, non-self-governing or under any other limitation of sovereignty.
Article 3: Everyone has the right to life, liberty and security of person.
I understand what you’re saying, but I doubt people like the gay couple arrested for posting to TikTok would much care if the law was “legal” or not.
This is a bad faith effort driven by bad actors who want to ‘protect the children’. Not reckoning with that is giving them cover to pursue their goals, like e.g., moving basic contraceptive health information behind a “ID check”
I feel like people in Nordic countries have a lot of trouble relating to citizens of countries with "dysfunctional political regimes" like the US. We don't trust the government to do many things, and for the very good reason that it can't be trusted!
I'm a US citizen. I've lived extensively in the US. I have family living in the US.
There are absurdities in the US psyche that mean Americans collectively don't trust the government with data it needs to have or already has. Like that we don't get prefilled tax returns.
It's privacy theater: the government intelligence agencies can get all this information. It's all about a feel-good view that I'm safe from Uncle Sam.
People also willingly hand this information over to huge corporations that have a documented history of misusing the data, where the government often does not have nearly as poor a record. Just because it's government, doesn't mean I can't trust it.
One political party clearly wants to tear down functioning society and play into this fear so they can render public services less and less useful to dismantle even basic services.
Yes, the US government handles my information worse than the Norwegian government does, but that's not an excuse for paranoia. I shouldn't feed this paranoia by taking a default stance that I can't trust government.
We should be channeling our energy to demanding proper funding and running of public services so they will handle all our data better.
I mean, TurboTax is that reason. The IRS wanted to do that and they lobbied to shut that down.
IIRC the IRS has a program in place for 2023. I haven’t looked into it just yet, but I probably will be very soon.
Let us all know. The less money going to Intuit the better.
The reason Americans don't get prefilled tax returns isn't because of data privacy concerns, it's because Turbotax lobbies against it.
UN resolutions aren't legally binding. Countries can and do run roughshod over what the UN says, and routinely ignore even treaties they are signatories to, or walk back on their word depending on which way the political winds blow. It's not that your view of how governance works is controversial; the problem seems to be more that in practice that's not how it ends up working. Notably the US will sometimes act in a way that's inconsistent with those views, too.
A number of large, powerful countries are run by de facto or de jure dictators whose decisions are legally binding in the only way that matters. It doesn't matter if you think they shouldn't be; as long as we're engaging with those countries through diplomacy and trade, because our governments or our corporations judge that there is value in doing so (and they always do - there is no democracy in the world that's principled enough to do otherwise) we're validating that legality. We're accepting that that's how things work.
I'm talking about Peremptory norms.
These fundamental principles of international laws (also called jus cogens) void national laws or practices as they defy basic standards of international criminal law.
Customary international law, which peremptory norms are part of, is legally binding and punishable.
Core crimes that apply here are things like genocide, war crimes, and crimes against humanity.
It's the last part that's important here: laws that enact or underpin crimes against humanity cannot be legal. All human rights abuses that are systematically widespread or systemic (including discrimination based on sexual orientation) may reach the threshold of crimes against humanity and render laws illegal.
Now I completely agree that the enforcement mechanisms have been weak and the International Court of Justice rarely intervenes, but over 100 countries have ratified the International Covenant on Civil and Political Rights (ICCPR) and its First Optional Protocol-system
These foundational values have bene enshrined in a number of constitutions and are legally binding elsewhere.
What are stronger peremptory norms than universal human values over 190 countries have ratified? These are legally binding in international law in a host of ways, courts and interpretations.
Any death-sentence law based on basic personal characteristics clearly and obviously is illegal by international law and cannot be legally enacted.
Sometimes? The USA doesn't give a damn about the UN. It will do whatever it wants regardless of UN resolutions/treaties. It's the epitome of "rules for thee but not for me."
Or, the more relevant version: "Who's gonna stop me? You and what army?"
I was trying to be delicate about it!
…and why should those people who disagree with a ban be bound by the will of a mere majority? That’s mob rule wearing the cloak of legalism.
It's the basic principle underpinning democracy: A framework to ensure that the majority gets to decide within reasonable limits.
I don't know of a better system that works in practice.
I've majorly soured on 50%+1 democracy. For anything important, I would only consider it a binding decision if the vote is at least 55%. The winning option needs to have some hope of becoming a consensus. 50%+1 works for choosing a speed limit or filling elected offices, not for policy changes (see: Brexit).
There are a number of issues where more than 50% is required, or where special procedures must be followed to change the law. Those are outlined in constitutions and other foundational documents of states.
To me, many places have issues with their constitutions being too hard to update to be in line with the values of those living today. Some enshrine a status quo of the 1800s and are essentially impossible to change.
The system is broken, but that's not because the core tenets of representative democracies are flawed.
I'm not sure there's any age verification system with the internet I'd be comfortable with. Private options raise all sorts of basic security concerns, and government-issued solutions feel like too much of a slippery slope for corruption to take root. The article went into my exact concerns with how some countries have already used such restrictions to expand censorship. I'd assume there would be some record of sites visited by each verified ID, and that alone would raise a lot of concerns for abuse.
It's deeply frustrating and concerning to me, with no easy solutions. The one thing people need to remember is that the internet is international. No singular country owns or runs the internet, which makes regulating it very difficult. I really don't think a lot of lawmakers fully understand how complex internet regulation really is—and those who do, I'm wary of why they're pushing for age verification so harshly. I doubt it's "for the children" as they so often claim.
Zero-knowledge proofs would be an interesting solution to this, however, spending the two hours enabling parental controls and like, doing your damn job as a parent is also a simple and great solution to this
This requires constant scrutiny and presence and as soon as parents try that they get insulted as helicopter parents.
This isn't a simple thing that we're trying to fix.
Parental controls are also often buggy, inconsistent afterthoughts of software. I use implementations by Microsoft, Google, and Nintendo on my kids' devices and they all have different settings and idiosyncrasies. Also kids are clever. They find ways around limits anyway. It's a moving target for sure.
Don't get me wrong. We should be exercising what controls we have to try to reign in the wild Internet, but the solutions currently out there are far from perfect.
My kids aren't quite old enough yet for this to be an issue, but I am thinking of using a DNS service like NextDNS for their devices. Seems to not be trivial to circumvent that. Though of course one can never fully control everything and the most important thing is to make it so they trust you enough to come to you if they encounter some disturbing stuff.
A technical solution doesn't have to be perfect to be better than nothing.
Yeah I agree completely and I've come to the same conclusion that the first line of defense is an open dialog. Still frustrating that there is so much variation in all the software solutions. I've also looked into DNS options and it seems pretty fiddly too. Disclaimer though, I don't have a lot of money to throw at this problem, so I've been mostly limited to what my current hardware supports. If I had the cash I'd love to set up multiple vlans for the different classes of devices in my house.
it is trivial, I figured out how to get around those in ~5min as a kid :)
if you set up DNS blocking but go on the client device and edit the DNS servers there it’ll bypass it all. You’d need to block clients from using their own DNS servers on your router which I’m not sure is an option on consumer hardware.
You can just block port 53 traffic not bound for your home DNS server.
Well if your kids have admin rights on their devices then most things are game over of course.
I don’t think this can be restricted on iOS at all, but the comment about :53 would likely work.
I don’t think constant scrutiny and running spyware on your kids is necessary to do one’s job as a parent. I think talking to your kids and engaging with them about difficult issues to provide them with the tools they need to make good decisions is the job I do as a parent. I don’t require the government to be involved in this process at all.
Particularly because parental controls are not going to stop kids from seeing content, they only prevent them from seeing content on a particular device, possibly in a particular location.
I'm not saying parents shouldn't use parental controls, but I grew up with strict techy parents who used parental controls amongst other techniques (such as no devices in bedrooms, devices facing away from the wall etc.), and I still often found content that wasn't age appropriate, whether intentionally or unintentionally. I'm not even just talking about sexually explicit content either, I often accidentally stumbled into violent or otherwise inappropriate content. I remember one time I had (accidentally) started reading a 4chan incel page on archive.org of all places.
All of that to say, despite my parents best efforts, I often ran into content that was not at all age appropriate, more often than not by accident. The internet is a really really wild place and (at least when I grew up) there's not really that much you can do about it. It's far more important to educate your children on how to use the internet, and allow them to feel comfortable talking with you about things. I didn't become an incel, but another child could have dodged that parental firewall and got sucked into that kind of content online easily, especially if parents think there's no way to access that content anyway.
On one hand, I think the concerns raised about age validation are good ones.
But I dislike the perpetual and continuing assumption that one must have a smartphone in order to participate online. Especially since there are serious problems with both major smartphone providers.
I think a government-signed, age-verified passkey would be reasonable. But that passkey must not be tied to a device or specific implementation, definitely not a closed one.
Heck, even current deployments of phomes and passkeys are problematic, if only because biometrics do not have the legal protections against law enforcement that passwords do. That's another issue that needs proper ironing out.
Phone vendors make it easy to use biometrics to unlock your phone (and increasingly for laptops), but there's no requirement that you use it. You can change your settings to use a pin instead. I don't think most people will do that because they're not worried about law enforcement most of the time. It might be a good idea to do it when traveling internationally, but a better idea would be to use a burner phone with nothing on it.
I expect that Google and Apple would both be more likely to implement a zero-knowledge age verification system than most governments, particularly if it were designed into an open standard (like passkeys). Perhaps some regulators like the EU could make sure they do it right. But others would likely want to require backdoors to be built-in.
As with passkeys, I expect desktop systems would still be supported. There are still plenty of laptops and desktops out there.
(A "yes, I am at least 18" flag would also be a useful signal for selling ads.)
Really we should just make it illegal to data mine/use targeted ads against users where this flag is false.
I largely agree, except for the word "just." Making this happen would be a big project that a lot of people would have to collaborate on.
Getting an age verification system in place would be hard enough in itself. It would be of course be gamed in all sorts of ways, since it gets in the way of people who want to look at porn.
It wouldn't be nearly as big a lift if they just properly implemented the already-existing 'Do Not Track' flag instead of using it as yet another user-tracking tool.
Google and Apple are implementing mdl, mobile drivers-license, which will have an ability to send a verified “yes/no” signal to “I am at least 18” and “I am at least 21”. I don’t think we should use this but sites almost certainly will once a majority of people have it on their phones.
Fake ID has always been possible. Devices and accounts can be shared. Less-determined people who are under age won't bother, so that should help keep websites out of legal trouble? "Someone got in with a fake ID" means it's not really your fault, unless it happens often enough that it looks like you're not trying.
Presumably this could be tied to biometrics. But you're right, it's no fool proof system.
Defaults are the most powerful thing. So when phone vendors prompt to setup biometrics and insecure PINs, that's defacto what will get used, every time. Only security concious people will do otherwise, so that's about 0.01% of the population. And thus, because of bad laws, 99.99% of the population gets stripped of yet another right, without even knowing it. Maybe there should be a big warning "You can be forced by law enforcement to use biometrics to log in to devices and services, but you cannot be forced to disclose a password."
Proper passwords, 12 or more characters, should be mandated to unlock devices, unless the laws change to provide proper legal protections for stuff secured with it.
Even then, biometrics should only be used as part of MFA only after device is unlocked.
Something you know (password), something you have (phone), something you are (biometrics). Those are the three most important factors to implement a proper MFA scheme. Only the first has legal protections that you cannot be forced to unlock by law enforcement.
Yea, the USA actually used to be pretty great compared to the alternatives...at least in terms of using logic and writing laws....we're seeing a massive regression there.
If only we didn't rule that computer files are not "papers". That one hurt.
I suspect that the legal protections you care about aren't what most people care about. I suspect that defaults are important but people will override them in this case to turn locking off rather than use a pin. If required to pick a pin they'll use "1234." After all, it's their phone. You're not the admin of them.
Fingerprint locks and Apple's Face ID are intended to get people to lock their phones at all.
Oh I don't doubt it. As with most things, people don't care about rights until they realize they don't have them.
In a police state such as the USA, where corruption runs deep, and planting evidence is a fairly common tactic, it is a prudent decision to insure you have every tool at your disposal...you never know when you'll make an accidental enemy.
Heck, I made one from wearing a Bernie shirt to a Wawa in 2022.
Related, but very tangential, I record every phone call. Thank goodness for 1-party consent. Not only does it give me legal ammunition if I need it, it's useful when you forget a small detail.
It should be baked in to every phone app...not blocked as hard as possible by the OS.
Do you somehow avoid talking to anyone in the US states that require two-party consent?
Oh no. Because of Federal law, which is also 1 party consent.
They can't sue me because it's legal for me to record, as crossing state lines makes it federal jurisdiction. This can vary state by state, and often relies on where the suit would be filed.
Here's a source.
From that document:
This seems to say that federal law doesn't preempt state laws about making recordings? But I'm not a lawyer and this is beyond my expertise.