While I understand the frustrations of the author, their proposed solution is extremely short-sighted and comes with a huge list of potential pitfalls that would be extremely damaging to...
While I understand the frustrations of the author, their proposed solution is extremely short-sighted and comes with a huge list of potential pitfalls that would be extremely damaging to individual freedoms - Frankly, 'server-side' in-depth age verification should not be a requirement for anything.
Almost any age verification can easily be bypassed (I mean, people can get scannable fake IDs for like $40)
We should not trust any company to use or store any validation information responsibly. We already know they abuse and poorly protect personal info as it stands. There's no reason that would change.
It's a huge blow to privacy. For example - say you're an adult and frequent some LQBTQ sites. Now, you need to verify your age, which means there's a written record of you visiting these sites. Given the political climate in the US today, there's a genuine risk that record could harm you if the wrong people get their hands on it.
As a parent myself, this is definitely a huge problem. But there are better ways to solve it. Better device-side parental controls, working on improving parental knowledge (not many parents know you can easily set filters on your home wifi network), strict smartphone bans during school hours, educating your children about the potential dangers of social media, etc.
There will never be a 'one-size-fits-all' solution. As with anything, we just need to stay educated and adaptive.
Fully agree on your points about age verification. There just isn't a foolproof way to implement it that can't be bypassed somehow. Hell, even the examples of kids with alcohol and driving doesn't...
Fully agree on your points about age verification. There just isn't a foolproof way to implement it that can't be bypassed somehow. Hell, even the examples of kids with alcohol and driving doesn't hold up because plenty of teens still get their hands on alcohol. Kids find ways around rules, some will even see them as a challenge. It's a fact of life.
It's also an undue burden for people who run smaller or independent sites to enforce such a check. I'd also be worried about those sites getting hacked, or someone setting up such a site with malicious intent depending on how the age verification is implemented. If it's via scans of a driver's license, and the owner of a site has the power to view them... Yeah, that's really bad.
We can't expect anything to be 100% kid-proof, so we need to work with that expectation in mind. To that end, I think educating kids about the dangers of social media is a HUGE factor that needs more emphasis. If they can understand why it's dangerous and bad, they'll be less likely to dive into talking to strangers as part of an act of rebellion than just being told "it's forbidden".
My parents drilled stranger danger into me hard. I used the internet largely unsupervised (thankfully I mostly just wanted to play Neopets or hang out on gaming forums that were fairly strict about keeping things appropriate), but I knew to never give out personal info as a kid. To this day I'm pretty sure a fair number of people still think my name is Kristen.
I want to echo this. As a kid, little upset me as much as a flat-faced “no” without explanation or even worse, appeal to authority (“because I said so”). Kids aren’t fully formed and lack...
We can't expect anything to be 100% kid-proof, so we need to work with that expectation in mind. To that end, I think educating kids about the dangers of social media is a HUGE factor that needs more emphasis. If they can understand why it's dangerous and bad, they'll be less likely to dive into talking to strangers as part of an act of rebellion than just being told "it's forbidden".
I want to echo this. As a kid, little upset me as much as a flat-faced “no” without explanation or even worse, appeal to authority (“because I said so”).
Kids aren’t fully formed and lack experience, but they’re still people and have the intelligence to understand and internalize almost anything given that the logic behind it is explained carefully. It’s worth the time and care to give them solid, grounded reasons whenever practical.
Education is incredibly important. All these measures only add an illusion of safety, there is still plenty of danger online that these measures won't address but make people more complacent....
Education is incredibly important. All these measures only add an illusion of safety, there is still plenty of danger online that these measures won't address but make people more complacent. Social media has been terrible for this, with people sharing a lot of information about themselves publicly without knowing how easy that makes it for bad actors to find even more sensitive information.
I'm reminded of the experience of designing garbage cans for national parks: it's not possible to make a garbage can so hard for all bears that it doesn't also become too hard for some humans....
There will never be a 'one-size-fits-all' solution. As with anything, we just need to stay educated and adaptive.
I'm reminded of the experience of designing garbage cans for national parks: it's not possible to make a garbage can so hard for all bears that it doesn't also become too hard for some humans. There's an overlap between the dumber humans and the smarter raccoons: you can't have a tech solution that's easy enough for parents that's too hard for highly motivated and bored/horny/defiant kids.
Completely agree about server side verification. While there are zero knowledge ways to handle age verification, they’re all complicated and difficult to manage. They’re not really suitable for...
Completely agree about server side verification. While there are zero knowledge ways to handle age verification, they’re all complicated and difficult to manage. They’re not really suitable for non-techies. And as you said, the list of downsides and potential to expose people is far too great. One hack or zero day would be all it took to expose everyone’s private lives.
I understand the sentiment, but all alternatives are worse. The Swiss are voting about introducing e-ID now, and the proposed law is... decent. Completely voluntary, the system includes zero...
I wouldn’t trust any government to run this ever.
I understand the sentiment, but all alternatives are worse.
The Swiss are voting about introducing e-ID now, and the proposed law is... decent. Completely voluntary, the system includes zero knowledge proofs of things like age (where only the binary information "is above or below age x" is transmitted, cryptographically signed and anonymized so even the same provider can't trace back multiple age verification calls to the same e-ID to build a profile).
You might not trust a government to do something like that, but you cannot possible trust a private corporation o take over that responsibility either. And you don't want to send photos/videos of your ID and face to private corporations, ever.
You can debate whether anyone would want e-ID in the first place, and whether the existence of a well-designed and voluntary e-ID system would be a slippery slope towards mandatory e-ID everywhere in 5 years... but if you want age verification to protect kids on the internet, you really can't do it any other way.
The risk of any government having that responsibility is too great. It’s not worth it to keep some kids from looking at porn (I know that’s not really why they want it).
You can debate whether anyone would want e-ID in the first place, and whether the existence of a well-designed and voluntary e-ID system would be a slippery slope towards mandatory e-ID everywhere in 5 years... but if you want age verification to protect kids on the internet, you really can't do it any other way.
The risk of any government having that responsibility is too great. It’s not worth it to keep some kids from looking at porn (I know that’s not really why they want it).
I tend to agree. But then I'd like to have a ban on private corporations demanding you send them your face and ID electronically. Because this is worse. The only good thing about it is that today,...
I tend to agree. But then I'd like to have a ban on private corporations demanding you send them your face and ID electronically. Because this is worse. The only good thing about it is that today, the entire process introduces so much friction and costs that it's not very common yet (only banks and mobile phone providers have asked me to do that until now).
I mean, we need stricter data privacy laws all around. In the US, it’s particularly bad now. Unless it’s health or other sensitive data, companies can do whatever the hell they want with your data...
I mean, we need stricter data privacy laws all around. In the US, it’s particularly bad now. Unless it’s health or other sensitive data, companies can do whatever the hell they want with your data - often using it for new things after the fact (cough cough training AI).
I don’t think it’s a given that all alternatives are worse. It depends on the government and the alternative. For example, I think it’s good that LetsEncrypt and Signal are not government...
I don’t think it’s a given that all alternatives are worse. It depends on the government and the alternative. For example, I think it’s good that LetsEncrypt and Signal are not government organizations.
Also, as should be obvious these days, governments vary widely in how much they can be trusted and this can change. Maybe Estonia or the Swiss do a good job, for now, but this doesn’t generalize.
The question is, who could do age verification well? Trusted organizations don’t come along every day. New organizations will take a long time to earn trust.
My personal answer to who could do it well is, "no one, ever". Any authority will have too much data, too many bad incentives, too much risk when compromised, and horrible effects when governments...
My personal answer to who could do it well is, "no one, ever". Any authority will have too much data, too many bad incentives, too much risk when compromised, and horrible effects when governments come along and force disclosures and backdoors.
And all for a system I believe unlikely to work. People will just use ones outside their jurisdiction, VPNs, piracy, unmoderated channels, or stolen credentials. Even if we believe in a true zero trust implemention with no connecting data we now have the problem that proper zero trust would make it rather trivial to abuse a small amount of compromised accounts (ex. if a porn site just gets an attestation that the user is an adult how do they know that there aren't 1000 signups that came from one kid that grabbed his dad's phone and sold access? Or even worse predators explicitly using access to these to gain contact with minors? In true zero trust no one knows.), so how long does it even stay zero trust before these centralized authorities are regulated into collecting all the data anyway (maybe even due to their own lobbying)?
If anything, I think the actual result would be that minors seeking such content end up in much more dangerous places that lack the checks. Like discord and telegram channels that are knowingly sharing porn to minors as part of grooming efforts.
I imagine kids vary quite a bit in how hard they’re willing to try? Particularly kids of different ages. And the goal isn’t to make it leak-proof, it’s to change the culture: how common is it?...
I imagine kids vary quite a bit in how hard they’re willing to try? Particularly kids of different ages. And the goal isn’t to make it leak-proof, it’s to change the culture: how common is it?
Some kids smoke, drink alcohol, and do drugs, but this doesn’t mean every kid is going to spend a lot of effort on these things or do it all the time. It doesn’t mean you just give up and tell all the stores it’s okay to sell cigarettes and beer to kids now.
This is quite a strawman. Localized entities carrying physical goods, especially ones like liquor stores that that don't have real incentive for a malicious government to misuse (politicians don't...
This is quite a strawman. Localized entities carrying physical goods, especially ones like liquor stores that that don't have real incentive for a malicious government to misuse (politicians don't care which individuals drink or smoke) aren't really comparable to the digital content of the internet in this way.
I'm also not trying to say nothing should be done. As a concrete example, Roblox is in desperate need of serious regulatory intervention. But I don't think the answer is that there should be some "trusted" gatekeepers to the internet because there are no options that are trustworthy, nor will there ever be because they'd be so easy to corrupt. This administration would happily state anything related to transgenderism needs to be age gated and force Google and Apple to collect and disclose who tries to access those age gates even if it meant breaking their zero trust protocol. And to top it off age verification doesn't even help with poorly moderated platforms like Roblox anyway.
And that would only be the start of it. Little by little anything that is disapproved of will be age-gated and thus tracked.
This administration would happily state anything related to transgenderism needs to be age gated and force Google and Apple to collect and disclose who tries to access those age gates even if it meant breaking their zero trust protocol.
And that would only be the start of it. Little by little anything that is disapproved of will be age-gated and thus tracked.
If you’re assuming a government can lean on Apple and Google to add back doors to web browsers, it’s game over already - they could log URL’s and credit card numbers. Or they can figure out who...
If you’re assuming a government can lean on Apple and Google to add back doors to web browsers, it’s game over already - they could log URL’s and credit card numbers. Or they can figure out who you are when you log into your bank.
I don’t think adding a new protocol for age verification changes the risks very much? What additional information do they have?
It is different in a variety of ways that makes that kind of regulation idea impractical: Browsers are applications, not services. So all someone has to do to bypass such a thing is use a...
It is different in a variety of ways that makes that kind of regulation idea impractical:
Browsers are applications, not services. So all someone has to do to bypass such a thing is use a different application, which is easy. There may not be any other wallet services that ever made and even if others get made then if regulators don't like it it's easy to prevent it from operating in the US (blocking a company vs trying to block every person from downloading a different browser).
A lot of web traffic isn't in the browser anyway. See: seemingly every website on the internet begging you to install their apps.
Attempts to do that are generally easier to do at the ISP level. Famously what you do can and does get tracked to some extent already. For example, go torrent some Disney movies without a VPN and wait for your copyright infringement letter.
These businesses, such as Google and Apple, would likely lobby hard against making applications used by enterprises, such as browsers, be turned into this kind of spyware because the security teams of tons of organizations, probably including the US government itself, would ban them immediately. This isn't a problem for personal identity verification though.
This is very different than an application that has your complete identity in their wallet apps being gatekeepers to the web. To me it's kind of like asking why BitTorrent clients aren't regulated to require blocking copyrighted content when the answer is that obviously people would just install different ones that don't comply.
And what additional information do they have? Literally my whole identity! Sure my ISP can figure out what banks I use and a compromised browser could get my identity, but I could easily just not use their potentially spyware browsers. I already don't use either of them, although for unrelated reasons.
A lot of people seem to think if they pass a law the entire internet will line up to follow it. Creating a law like that drives kids to places that are easier to access, which encourages companies...
A lot of people seem to think if they pass a law the entire internet will line up to follow it. Creating a law like that drives kids to places that are easier to access, which encourages companies in places without those laws to attract the kids. It doesn’t accomplish anything, just makes people feel like they’ve done something good.
My usually repeated solution is user side codes. Site is deemed to require age verification for all or portions of its data. When serving that data it sees if you have some encoded flag flipped to...
My usually repeated solution is user side codes.
Site is deemed to require age verification for all or portions of its data.
When serving that data it sees if you have some encoded flag flipped to a valid value.
That value is determined by the user. Basically 'sudo' but 'amAdult'.
Now it's on the user to protect that account/pw/permission and they could even parcel it out possibly with whitelists. UserA with PW B can pass the amAdult check for Y sites.
This puts the onus on the family, which is how it's always been, doesn't have corporations badly keeping a zillion different credentials that suck, and gives the parents the tools to actually use this. Corporations then either opt into the flag, or are told to by local governments if they need the flag.
The problem is i'm not exactly sure how feasible this all is from a cookie/sesssion/browser/client/server perspective. I know very little on that end and feel like I could mock up a poc pretty quickly, but of course making something remotely reliable would be kinda hard.
I do think the status quo of "don't lie when you click on this box" is garbage, and agree that the "proposed solutions" are "lets have people who've fucked everything up fuck up a bit more".
I hate speaking so far outside of something I know though, so as good as it might sound, I have no idea how miserable this would ACTUALLY be.
EVen if it's "trivial" to bypass, by say editing with the browser, at least that's less trivial than "click yes"
Every time I see an article like this, I feel like it's in complete denial of the fact that minors actively will find ways to circumvent things, and that no solution is, or could be, perfect. In...
Every time I see an article like this, I feel like it's in complete denial of the fact that minors actively will find ways to circumvent things, and that no solution is, or could be, perfect. In contemporary times, children routinely have had access to plenty of NSFW material and social media online for the last 20 years, if not the last 30. What I see here is another fearful, controlling parent seeking to preemptively police their child.
I think the reality is, static pornography and social media are certainly not an excessive threat to children. Or, at the very least, not as threatening as Dr. Twenge feels. I think that anyone born since roughly 1995 has statistically had the ability to view these materials, and the vast majority of people who consumed these materials has not been negatively affected to a substantial amount.
I think the taboo nature of pornographic material, motivates unnecessary levels of concern from parents. In the past, these materials were simply obtained/consumed through other means. Adult content is still available on news racks across the country, and was more readily available in the past. It used to be common that it was 'found in the woods' or was lifted from an older family member. Since the advent of the availability of mass printed media, pornographic material is has always been far more commonly available than any parent wants to consider.
I will concede that there are arguments to be made about how specific media can create the wrong ideas of how the world works for young people. However, there's an entire slew of topics related to the birds and the bees that probably need to be explained to children that aren't, and issues often arise from society leaving young people to simply search out adult material to learn it themselves.
Simultaneously, "pornographic" is often thrown around to denigrate transgender and other queer people. I don't trust that parental controls aren't going to be immediately used to closet and restrict access to media that could help trans kids learn to understand themselves.
Additionally, while I do think that social media is an awful, dangerous thing to our society, I also think that social media is uniquely incorrectly framed when discussing children. Genuinely, I can't determine if the author has an issue with social media, or with the ability to send images via digital device. These are fundamentally two separate issues, and the author would rather fume about the matter, than elaborate.
Is SnapChat social media? Yes, for some people, but it's also an app where people can send messages back and forth. The entire 'self deleting' aspect is just an automatic version of manually erasing conversation messages via SMS. While I can see the issue private messaging raises, it's still disingenuous to lump children having age inappropriate conversations via encrypted messaging in with participating in online social media.
While having social media is absolutely a thing parents should restrict for their children, one really shouldn't expect to their kids to naturally understand why it's being restricted. Simply blocking the content leads to efforts to circumvent it.
Another time, I noticed Instagram had appeared on the list of allowed websites. I blocked it again and asked my daughter about this mysterious development. She eventually admitted that she’d sneaked into my home office, pulled up the Qustodio website and changed the control settings.
I feel like the author, a person with a doctorate, is embarrassed that their child figured out how to 'hack' the parental controls. I digress.
Finally, children are regularly groomed on roblox, which is explicitly for kids. Most CSA cases involve a trusted family member / adult. Most child abductions are custodial.
I think that there's a lot more to be said about what's dangerous for kids online. Elsagate comes to mind, as does AI slop created for a child audience, or mobile games that kids can spend money on. However, these are fundamentally different issues than the ones the author brings up.
Unfortunately, the fact is, while some online content is really dangerous for kids, it's probably more the fact that it exists at all, rather than specific, controllable aspects of the web. Maybe parents should just not let their children have unfettered access to devices until it's age appropriate? Or just log what they consume, and be ready to discuss some really, really uncomfortable things.
We have a phrase in Cantonese for this: 雞仔唔管,管麻鷹 -- without trying to be a custodian over your own chicks, trying to be a custodian over the eagles. While I am a big fan of (some) big government...
Exemplary
We have a phrase in Cantonese for this: 雞仔唔管,管麻鷹 -- without trying to be a custodian over your own chicks, trying to be a custodian over the eagles.
While I am a big fan of (some) big government and regulations, I don't agree with many of the opinions from this piece.
In the U.S., you must be at least 16 to drive alone and 21 to buy alcohol, and age is verified. We don’t expect parents to bear the entire burden for keeping younger kids from driving or drinking, yet we have that expectation for online safety. If adult content and social media sites were required to verify age (say, 18 for pornography and 16 for social media), many of these problems would go away.
If the regulation says one account is generated by the government and login/pin granted upon a child's 16th birthday, sure. If we have a way of knowing these companies will never keep a copy of ID verified, sure. But we would never allow the corner store to take a photocopy of ID when buying smokes, and we wouldn't tolerate the liquor store selling copies of our IDs. For that reason I don't agree the burden should be on social media.
She eventually admitted that she’d sneaked into my home office, pulled up the Qustodio website and changed the control settings.
This one is 100% on the parents. Why was their computer unlocked. No regulation and tech would have survived the parents here being the weakest chain.
To be clear we should absolutely prosecute companies that target children and aim harmful algorithm at them. I don't mind age restriction so much either. But I absolutely dislike this parental attitude of passing parenting responsibilities off.
Teach your kids not to access iffy stuff, exercise self control, value honesty and integrity, these are your jobs.
Ok, so, this is very funny to me. Aside from continuous, realtime, biometric monitoring, there is no technical solution that would have prevented this child from accessing the content she wanted...
She eventually admitted that she’d sneaked into my home office, pulled up the Qustodio website and changed the control settings.
Ok, so, this is very funny to me. Aside from continuous, realtime, biometric monitoring, there is no technical solution that would have prevented this child from accessing the content she wanted to access, because she had access to her parents’ credentials. This is precisely the problem — even if a company is legally required to verify every user’s age, they will only do so at the time the account is created. Which means that such a requirement will immediately create a thriving black market of age-verified accounts, sold to minors. And then we’re exactly back where we started, except now a bunch of untrustworthy, insecure tech companies have verified records of the real name and address of every single one of their users.
Without self-doxxing, I work in a field that deals with the fallout of unchecked social media and its harmful effects on children. It's a real threat. Children as young as 4 and 5, and as old as...
Exemplary
Without self-doxxing, I work in a field that deals with the fallout of unchecked social media and its harmful effects on children. It's a real threat. Children as young as 4 and 5, and as old as 16 and 17 are all falling prey to unregulated social media. Examples of what I've seen: drug dealers using Snapchat/FB/Insta to sell HARD drugs to pre-teens; pedophiles hanging out on Discord/Reddit/Roblox grooming kids to send them explicit pictures or meet up for sex. I've worked with kids who were kidnapped and raped, families who were burying their kids that OD'd from drugs they bought off of social media, not to mention kids financially extorted with no real recourse. And I've seen it happen across the racial/class spectrum. Sometimes kids are actively looking for a transgressive outlet and get too deep into trouble. Sometimes kids don't know any better or are targeted by sophisticated predators. But the common thread is that social media lowers the barrier for bad actors to target and exploit children in a way that we've NEVER dealt with before.
In this thread, I see a lot of FUD from the comments in here about regulating private companies. A lot of commenters admit they either (1) aren't parents, or (2) have a fairly sophisticated tech background. I think it's easy to sit in the "ivory tower" of technologically literate adults and say that parents need to do better to regulate, but that's simply unrealistic for a large plurality of people.
For a layman, the tech is difficult to navigate, and more importantly, for the parent, regulation is a game of whack-a-mole. Block Snapchat and the child will go to Instagram. Block Discord and the child will go to Roblox (I've seen both of those examples in real life). And the companies know it's a problem because they deal with me and people like me on a weekly basis discussing these issues. Companies hide behind laws like Section 230 and feign ignorance and helplessness when pressed to do anything voluntarily. It's candidly sickening.
Is regulation perfect? No. But it's a hell of a lot better than burden shifting an increasingly complex maze of devices, apps and websites to parents who usually don't even know what their kids are doing. Worried about a "list" of people on porn sites? There are ways to sanitize the data and prevent the government from using it -- we already do that with cell phone data. For example, your location is triangulated thousands of times daily, but the data is anonymized and sanitized and the government can't (both legally and practicably) use it to track you indiscriminately. Basic age verification is the minimum of what we as a society should be doing to hold social media companies accountable.
Big Tech has done an amazing job of selling fear mongering about big brother and the futility of any such regulation. Don't buy into it, we can do both: You as a consenting adult can still consume porn without the government looking over your shoulder, and we as a society can put basic guardrails up for the sake of our kids.
When you mentioned that the technology is there for annoymous age verification, it made me remember that it was mentioned on the Security Now podcast that the founder of Yubico (which makes the...
When you mentioned that the technology is there for annoymous age verification, it made me remember that it was mentioned on the Security Now podcast that the founder of Yubico (which makes the hardware security keys called YubiKeys), Stina Ehrensvärd, has been working on a solution for this: https://siros.org/
The idea Steve Gibson (from the Security Now podcast) had would be for individuals to essentially go to a sort of notary/public service where they would be able to give you a digital token that you use with your biometric to unlock on your decide that provides an assertion that you are above x years of age. The token wouldn't disclose any other information about you beyond that you are above x years of age and that Y government (or private) body has confirmed this.
I had more I wanted to add to the conversation but only have a few minutes so I wanted to share this in case anyone else wanted to look in to it as well.
This sounds like a good idea. There's a middle layer that isn't part of the government and isn't part of the benefitting businesses. The notary isn't keep a record of the ID, just that on a...
This sounds like a good idea. There's a middle layer that isn't part of the government and isn't part of the benefitting businesses.
The notary isn't keep a record of the ID, just that on a particular day they saw it. Human memory is great for self erasing data. And the Notory doesn't get to know what you're using the ID for, whether it's to qualify for child seats on a plane, enrollment into university, liquor, or porn. In fact this is even better than having to show your full ID to a bartender or bouncer or the teen working at a convenience store.
One possible idea (not mentioned on the website) relates to how people may track you using your ID. The Yubico devices are hardware devices and I assume that they can be made to hold whatever is...
One possible idea (not mentioned on the website) relates to how people may track you using your ID. The Yubico devices are hardware devices and I assume that they can be made to hold whatever is required to make things work. As such, why have one ID? You have some measure of anonymity with IPv6 because your network adapter has many temporary addresses which it can use. Along that same line, it would help if your ID hardware device had many randomly generated identities on it (like 64?) which you can choose to use as you see fit (but they are usually randomly selected). That way it can be more difficult to track your activity since you can come in as many different IDs.
The goal is to make it less likely (and more difficult) to try to uniquely identify anyone and track what they are specifically doing. It is a bit harder to try to rope in many identities (64?) as one person with any reasonable certainty.
If the hardware device, with 1 ID, was "cloned" then it would not be all that easy to notice that (unless it was massively cloned). So having a device with more than 1 ID won't be that huge of an issue I would think... (admittedly, an assumption being made so as to favor the idea of increased anonymity).
To help mitigate issues, I would imagine all IDs would expire and need to be periodically updated (which I imagine would have to happen with 1 ID devices as well). There would likely be revocation lists too just in case they are needed (for IDs that would still be in date valid but were compromised in some other way).
I don’t understand what Siros is proposing. Google has announced something using zero-knowledge proofs. This is at least the right technology for protecting privacy if the concern is that websites...
I don’t understand what Siros is proposing. Google has announced something using zero-knowledge proofs. This is at least the right technology for protecting privacy if the concern is that websites will learn too much.
There are a lot easier ways to track people involving browser fingerprinting.
Can you elaborate on your reasoning behind this statement? My impression, as a person with a degree in data science (that is admittedly gathering dust), is that it's easy to deanonymize this...
Exemplary
There are ways to sanitize the data and prevent the government from using it -- we already do that with cell phone data. For example, your location is triangulated thousands of times daily, but the data is anonymized and sanitized and the government can't (both legally and practicably) use it to track you indiscriminately.
Can you elaborate on your reasoning behind this statement? My impression, as a person with a degree in data science (that is admittedly gathering dust), is that it's easy to deanonymize this specific type of data, maybe even trivially so. In fact, I believe cell location data was the exact example we discussed in the ethics course in that degree program.
Edit: wording
Edit 2: sources
Yeah, I'm sorry, but unless we're talking about two different things somehow, the statement "There are ways to sanitize the data and prevent the government from using it -- we already do that with cell phone data" is simply not accurate.
Only removing a person's identity from location data will not remove identifiable patterns such as commuting rhythms, sleeping places, or work places. By mapping coordinates onto addresses, location data is easily re-identified or correlated with a person's private life contexts. Streams of location information play an important role in the reconstruction of personal identifiers from smartphone data accessed by apps.
to extract the complete location information for a single person from an “anonymized” data set of more than a million people, all you would need to do is place [them] within a couple of hundred yards of a cellphone transmitter, sometime over the course of an hour, four times in one year.
We study fifteen months of human mobility data for one and a half million individuals and find that human mobility traces are highly unique. In fact, in a dataset where the location of an individual is specified hourly and with a spatial resolution equal to that given by the carrier's antennas, four spatio-temporal points are enough to uniquely identify 95% of the individuals. (...) even coarse datasets provide little anonymity. These findings represent fundamental constraints to an individual's privacy and have important implications for the design of frameworks and institutions dedicated to protect the privacy of individuals.
Consider this example: An attacker obtains access to an anonymized mobile phone trace dataset which contains the antenna a mobile phone is connected to at certain time intervals. Would it be hard for the attacker to re-identify [their] neighbor in the dataset, if the attacker knows where the neighbor works or where [they've] been during the weekend? Simple SQL queries to the dataset containing the location of an antenna and time of connection would most probably suffice.
Among other revelations, analysts from the FTC were able to obtain a free sample of cellphone location data and use that information to track someone who visited an abortion clinic all the way back to their home. This data, like all data from data brokers, was supposed to be anonymous – instead, it revealed a person’s private health care practices and real identity.
I apologize if this comes off as me dunking on you specifically; that is not my intent. I believe that "exemplary" tags tend to carry a lot of weight around here, so I felt the need to speak up about that detail in your remarks.
No offense taken, just as I hope you don't take offense at me saying that "dunking" is a bit... generous for what was clearly you doing a cursory search on the subject and pasting snippets. If...
No offense taken, just as I hope you don't take offense at me saying that "dunking" is a bit... generous for what was clearly you doing a cursory search on the subject and pasting snippets.
If we're really comparing apples to apples, then you surely already know (with your data science degree) that your ISP knows what websites you're browsing and if "big brother" really was so inclined, it could pull that data to use against you. There's a reason people aren't already being prosecuted (or persecuted as is the apparent fear) for their website browsing habits: laws preclude dragnet monitoring, which are actually quite effective at curbing government surveillance, and anonymizing features do a reasonably good job making mass surveillance difficult. That doesn't mean either are impossible to overcome, but it does mean that for the majority of cell phone users, they'll never be the subject of targeting in their lives. Both of those hurdles would continue to serve against the unfounded fears of the government broadly targeting individuals for doing something lawful like consuming pornography or visiting websites that support marginalized groups.
The frustrations I have with comments like yours are that you let perfect be the enemy of good. There is a real harm happening in the world and there is a real solution that could be implemented today to mitigate the harm. The costs associated with age verification are dramatically outweighed by the benefits, even if it isn't perfect.
Put differently, if you can't explain to me why you're comfortable with your ISP and DNS provider tracking your browsing history but aren't comfortable with the same amount of data being used to verify a user's age, then I have to respectfully discount your resistance to it. Because it's the same. The difference is that your ISP isn't spending literal hundreds of millions in lobbying and dark advocacy suggesting that there's a huge difference when it applies to FAANG.
Many people, including myself, aren't cool with their ISP or DNS provider having all their info either. Giving yet another party, especially some of the least trustable parties in businesses that...
Many people, including myself, aren't cool with their ISP or DNS provider having all their info either. Giving yet another party, especially some of the least trustable parties in businesses that make a ton from data harvesting and ads, even more in the name of a "protect the children" campaign that is unlikely to do anything except further strip any semblance of privacy just does not feel like an answer.
I find your last paragraph in particular to read almost like the "well if you've got nothing to hide..." falacy. Maybe you're cool with a more deeply entrenched surveillance state, but we still haven't recovered the privacy lost under the Patriot Act and many of us respectfully discount your support for further erosion.
I'm also not sure how much you know about the data gathered, who has what, and how they get it. Your DNS provider has, at best, the domains you accessed. With TLS your ISP has, at best, the IPs of the servers you connect to and maybe the domain names. Obviously they can also get some times and amount of traffic, but it is deliberately minimal because anything your ISP can get through these methods is available to any possible man-in-the-middle attacker. If you use masking tools you can change which party gets those to not even be your ISP. The fact that hiding info from your ISP is possible is why torrenting is normally done on a VPN. And work is being done to further reduce who sees what, such as DNS over HTTPS hiding the domain name from more parties (such as the ISP).
De-anonymizing data is also surprisingly easy and the more data you have the easier it is to do so. It is also wrong to state the government can't do it. They can and do. A fun fact about the US government is that they can get third parties to do stuff they themselves aren't technically allowed to. The US government does buy data from data brokers, including things they can't collect themselves. For example, there are data brokers that the police can use to virtually follow people around with no warrant or cause by paying data brokers to tell them when and where the target's car passes in front of privately-owned cameras placed all over the place, which surprise surprise has been horrifically misused by the police.
Definitely none taken - I agree. That's what I was trying to communicate by saying it wasn't my intent, but I can see how the specific wording I used could read that way, sorry. Probably an old...
I hope you don't take offense at me saying that "dunking" is a bit... generous
Definitely none taken - I agree. That's what I was trying to communicate by saying it wasn't my intent, but I can see how the specific wording I used could read that way, sorry. Probably an old Reddit habit to be preemptively a little defensive.
I started to respond point-by-point to your reply, but that felt unnecessarily confrontational, so I'll refrain. To be honest, there's also just too many points to address, and @zestier has already hit several of them. I guess I'll just speak to two things:
if you can't explain to me why you're comfortable with your ISP and DNS provider tracking your browsing history but aren't comfortable with the same amount of data being used to verify a user's age, then I have to respectfully discount your resistance to it. Because it's the same.
I am not comfortable with my ISP and DNS provider being aware (to the extent that they are able) of my browsing history. I agree that it's the same (generally). It's bad in both cases.
you let perfect be the enemy of good . . . The costs associated with age verification are dramatically outweighed by the benefits, even if it isn't perfect.
Keeping in mind the unquestionably incredibly painful experiences you described in your top-level comment, I respectfully completely disagree. It's not that the proposed solutions aren't quite perfect enough for my taste, it's that they're utterly awful, regardless of any theoretical benefits, and represent a huge risk to anyone that is forced to use them. To paraphrase the second sentence in the above quote, "The benefits associated with age verification are dramatically outweighed by the costs." The state of privacy in the modern world is already bad, and the proposed solutions would only make it worse.
Source? From what I can see it's more like tens of millions. Also what is "dark advocacy"? Just sounds like fearmongering to me rather than a meaningful term Also btw DNS over HTTPS has been a...
hundreds of millions in lobbying and dark advocacy
Source? From what I can see it's more like tens of millions. Also what is "dark advocacy"? Just sounds like fearmongering to me rather than a meaningful term
Also btw DNS over HTTPS has been a default in chrome and firefox since 2020, "ISP knows what websites you're browsing" has not been true for at least 5 years for most people
The last piece of this is "encrypted client hello" which is still in progress. Looks like Cloudflare started supporting it two years ago. Firefox supports it Not sure about the others.
The last piece of this is "encrypted client hello" which is still in progress. Looks like Cloudflare started supporting it two years ago. Firefox supports it
Not sure about the others.
This all sounds like a moderation problem, not an age verification problem. Already you're shifting the conversation from the supposedly harmful content age regulation is to block (porn) to social...
This all sounds like a moderation problem, not an age verification problem. Already you're shifting the conversation from the supposedly harmful content age regulation is to block (porn) to social media in general. I don't mean that with any hostility, it serves to illustrate the onus has been shifted to the wrong party even among the most fervent supporters of regulation. Companies are shifting the blame to the government, parents, and the children. Everyone but their own responsibility.
If you want to hold companies accountable for their uncontrolled social media you should force them to moderate properly. Regulate that.
Selling drugs on Facebook? That's a Facebook problem, not a government verifying to see if someone is the right age to buy or sell drugs online. This particular problem is age agnostic, what would age verification even do? On top of that, the perpetrator is the dealer/groomer/predator and not the kid. Facebook providing the criminals a platform is the issue.
Companies have been stripping customer service and site moderation to their bare metals for a decade or two now, shifting the onus onto the consumer or volunteers to do the work for them. Most Reddit mods are volunteers, they're also stopping CP at the gates, I'd argue this should be on Reddit itself.
The examples you provided are horrifying, but realistically speaking, how many of those are solved by age verification? How many of those could we reduce or prevent if we regulated the companies hosting the platforms the criminal activity happens on? I'd argue we'd have a better result with the latter, where you'd go after the root of the problem instead of the symptom.
And then we can have the argument over privacy and data security. Neither particularly FUD'y, the world thus far is showing a mediocre track record at best when it comes to protecting people's privacy and data.
One of the arguments I've seen (and generally agree with) is that if someone, especially a determined teenager, is blocked from accessing a site, they will find another one with similar material....
Block Snapchat and the child will go to Instagram. Block Discord and the child will go to Roblox (I've seen both of those examples in real life).
One of the arguments I've seen (and generally agree with) is that if someone, especially a determined teenager, is blocked from accessing a site, they will find another one with similar material. But if lawfully operating sites comply with this, that means the ones who ignore the law will gain more visits, and the material there will likely be less regulated as well.
I can imagine this could easily extend to social media sites. If a child is able to access Wikipedia, they can pull up a list of active social networking services. And word-of-mouth among peers at school, etc will likely be sharing the "next big thing" that will be used for outside of school communication. And I've heard that predators are typically able to convince children to move to other chat platforms with relative ease.
With that context, do you believe that making individual websites implement age verification would be a net positive? I feel like that would just be another variety of whack a mole.
Rambling that is more adjacent and opinionated
That being said, I don't think that the solution is to "do nothing" or fully expect parents to be tech wizards. While the author of the post expresses frustration at the state of parental controls, I think education can help. There's several free options to block DNS resolution of websites, such as this offering from Cloudflare. While Cloudflare only includes two categories - "malware" and "adult content" - I've seen more granular options as well. Doing this on each device shouldn't take more than 20 minutes of time from someone with no experience following a step-by-step guide.
Is this foolproof? Not even close. But nothing is, especially when the op-ed author mentions her daughter changing the parental control software settings from a parent's unattended device.
That's why the other portion of education is parent-to-child. Explain to them why some material is blocked. Be prepared to answer questions in an age-appropriate way. Inform them that others on the internet could be the equivalent of strangers offering candy from vans, regardless of who they claim to be. But don't lie and say that everyone on the internet is a predator. Have regular check-ins. Encourage and reward open communication. Employ "safe words" and get-out-of-jail free policies so they know you will come help them if they get into something over their heads.
Parenting is tough, and the concept of invisible avenues of communication is an evolving concern. But all you can do is prepare your child the best you can, and seek resources to educate yourself further if you feel lost.
Personally, I intend to heavily restrict private device usage. I have the technical background to lock down devices well, but the best thing any parent can do (imo) is to refuse to provide a cellphone until a certain age/maturity, and scale it up so you don't even start with a smartphone, but a "dumb phone" instead.
I have to be honest that I completely disagree with you and think being anonymous on the internet is more important than any possible perceived or real harms from children using that anonymous...
I have to be honest that I completely disagree with you and think being anonymous on the internet is more important than any possible perceived or real harms from children using that anonymous internet. The internet is the only place we are truly free, and it is being slowly eroded. We must fight to keep it free at any cost.
I agree that we can do more then where currently doing and that it could involve government regulation, but I'd say its a capital H Hard problem. Obviously the current version of just ask if your...
I agree that we can do more then where currently doing and that it could involve government regulation, but I'd say its a capital H Hard problem. Obviously the current version of just ask if your 18 is literally nothing, but getting to something that is a meaningful constraint is a massive jump up. If its based of government IDs, well kids can steal their parent's IDs and use them; fake ids have also existed forever. The technical expertise to run a more robust system is also outside of the ability of most governments; a lot of governments have already been out-sourcing their digital infrastructure to Big Tech. Any technical solution can only increase the difficulty and maybe that's enough or maybe its not.
Personally, I think the only long-term solution requires kids' to actually trust their caregivers, so that if/when something sketchy starts happening the kid feels safe checking with them. I get that's hard, especially given how much time most parents have, but I don't see any technical solutions being more then a moderate improvement.
This is something I wish there was a good solution for. I am involved with a queer community that involves adult content, including sexual content, and as a result of a schism involving...
This is something I wish there was a good solution for. I am involved with a queer community that involves adult content, including sexual content, and as a result of a schism involving transphobia I ended up briefly moderating a discord server that was basically the equivalent of a lesbian bar. People would flirt there, discuss sexual topics frankly, and some folks even lived close enough to each other to meet in person.
We had an age verification system but there was at least one incident where someone who was under eighteen successfully lied about their age to get in, and I heard stories from other folks talking about how when they were kids, they’d do the same thing. They’d admit to lying about their age online as young as thirteen or fourteen, pretending to be eighteen, engaging in adult oriented spaces with adults. This is so scary!
I think children don’t understand how awful it is to do this. They’re curious, and defiant, and they believe that if these systems are for their protection then they should have the freedom to opt out of being protected. But in my situation, I understood that adults needed to be protected too. Especially at a time where queer people are already demonized unfairly and accused of harmful deviancy, and where surveillance is getting more extreme, having a minor in an adult queer space is an awful look and a huge potential risk for every adult there. Of course the child is also at risk, but it really is a terrible and uncomfortable situation for literally anyone who isn’t a creep.
Of course any age verification system that isn’t privacy focused is also a huge risk, and no government or company in the world right now would pass up the opportunity to collect a huge amount of private data because we exist under surveillance capitalism. Between the two options I think it’s better for society to fight against any system that has such a massive potential for the abuse of freedoms. But I wish there was something.
My opinion and strategy with my own kids is to protect them from the things that are relatively easy to protect against via client-side controls. Once they start trying to break through that,...
My opinion and strategy with my own kids is to protect them from the things that are relatively easy to protect against via client-side controls. Once they start trying to break through that, we'll have an in-depth discussion about what they are likely to find, and what the law says. They already know that they must have clothes on in front of a camera, and generally the reasons why that is (in an age-appropriate way).
I think it is the parents' responsibility, and shouldn't be the companies'. Free speech is more important than your need for family protection, and setting up laws that require certain protective censorship conduct essentially always chills free speech in the short to medium term. I hear that setting up these client-side systems is hard to do, but that hasn't been my experience, in either the Apple, Google, or Microsoft stack (which we have some of each). I don't expect the systems to be perfect, I expect them to protect against unintended access to things that aren't meant for kids.
Maybe I'll feel different as they get older, I don't know.
I'm of the school of parenting to encourage teaching remediation over that of prohibition or consequences. In the example of child luring, sexual exploitation and trafficking, I teach that I...
Exemplary
I'm of the school of parenting to encourage teaching remediation over that of prohibition or consequences.
In the example of child luring, sexual exploitation and trafficking, I teach that I myself wasn't a very well behaved child. When I broke certain rules, such as accepting private chat from an unknown person, and was met with some natural consequences (eg they were a pedophile), I had nowhere to turn because if I told my parents they would just be furious and enact further restrictions. So, with my own child, I always teach that whatever consequences you might see from us will always be more loving, less harsh, and safer than trying to hide or deal with it on your own. Say someone made a sexual deepfake of you from a perfectly innocent photo: it's okay we'll get law enforcement involved, you're not in trouble, even if the person tries to convince you you are, you're not. It doesn't matter "what you were wearing", if you know what I mean, we got your back.
Now, it does mean I am entrusted to do some very awkward things, like having to find manga / light novels that make me blush. But I am happy to provide this semi filtering service in exchange for them not trying to find it on the open web themselves.
I really appreciate this post, and it makes me appreciate my mom being willing to get a Playboy subscription for me, back when I was a lad and that was still a thing. Your kid is being set up to...
I really appreciate this post, and it makes me appreciate my mom being willing to get a Playboy subscription for me, back when I was a lad and that was still a thing. Your kid is being set up to have a better relationship with you and their own sexuality than most, and I wanted to give you kudos for that.
Thanks, MimicSquid. Did you, in fact, read the articles? :) just kidding. I very much enjoyed my Maxim subscription for the jokes, and good art reference.
Thanks, MimicSquid.
Did you, in fact, read the articles? :) just kidding. I very much enjoyed my Maxim subscription for the jokes, and good art reference.
Honestly? I think there's a place for it. Though I'd already seen goatse and many other things on the internet prior to having that subscription, Playboy was something that provided a consistent...
Honestly? I think there's a place for it. Though I'd already seen goatse and many other things on the internet prior to having that subscription, Playboy was something that provided a consistent product that my mom could use to talk to me about consent, sex work, the kinds of sexual and emotional relationships that exist in the world, a bunch of stuff. And because it was monthly, it was at a pace where we could have a conversation about one thing at a time. There would be worse tools for parents to use as a backdrop for the more challenging conversations that need to happen during the teenage years.
I'm hoping to do something similar with my own kids, they deserve love and support and understanding. My struggle is that I didn't receive that when I was a child. I won't go in to details, but I...
I'm hoping to do something similar with my own kids, they deserve love and support and understanding.
My struggle is that I didn't receive that when I was a child. I won't go in to details, but I suffered through abuse as a child and was exposed to pornography at a very young age on purpose. With it being frictionless to access online meant that I was able to keep coming back to it snd developed an addiction to pornography at a young age that I've had to fight and pray to overcome. It's also sadly impacted relationships I've had, including my marriage.
I personally believe the current state of pornography in its current free and digital form is a huge detriment to society. Others may disagree, but I know when I was a kid it was joked about, and I'm guessing that most kids and teenagers under 18 I know were looking at it. Pornography online is nothing pornography in the pre internet days. Finding an adult magazine or video meant that the child who found it could access that one video. Now a child who figures out how where porn is online can access it at all times from their internet connected device and hiding it is as easy as closing their private browser tab instead of needing to stash the physical evidence.
I hate the privacy implications and don't want the world to devolve into a pure nanny state where it's impossible for adults to make these kinds of choices for themselves. But I do hope for a zero trust security implementation of the ID verification. Some kids don't have parents who can be trusted to do "proper" parenting to talk them through the dangers of things on the internet. I used to laugh at the "think of the children" argument, but aftering taking the time to address my own addiction and abuse, and becoming a father, I get it. I would never let my children go through what I did and I hope that something can be done for the children who don't have parents who care enough or have them time/know how to make decisions about these things. Workarounds will always exist, but the scout's honor system in place on these sites now don't work.
Yeah, I hear you on the overall social responsibility side of it for kids whose parents are not helping them / hurting them. I don't know what would help, because it's not like liquor, cigarettes...
Yeah, I hear you on the overall social responsibility side of it for kids whose parents are not helping them / hurting them. I don't know what would help, because it's not like liquor, cigarettes and gambling "hey this is bad for you here's a phone line to call for help" really helps does it? Or maybe it does, very little, but it's worth it to make the money makers pay? I hope we as a society move away from shaming, but at the same time I don't want to see normalising addictions and going into extremes without safety guardrails either.
It's a fine line to balance, for sure. I think the digital experience poses unique challenges, that society hadn't addressed until now because it was a newer medium, but as things have become...
It's a fine line to balance, for sure. I think the digital experience poses unique challenges, that society hadn't addressed until now because it was a newer medium, but as things have become increasingly digital the need to address them has come. Since unlike with a physical place that is an adults only establishment like a bar, strip club, etc. there has been no way to confirm that only adults are present.
I don't pretend to know what is the correct way to address this, but I'm glad it's being looked at. I think having a zero knowledge age verification system would have been helpful to a younger me, even if I tried to get around it like a lot of teens who attempt to circumvent parental/whatever restrictions. I just hope that I'm able to walk through the contents of the internet with my kids and help them to make wise choices and always be there for them.
I’m far from the only parent who has run into these issues. Online forums like Reddit are full of parents complaining that parental controls, especially Apple device controls, aren’t meeting their needs or that their kids are finding new work-arounds faster than they can keep up. When Louisiana state representative Kim Carver (R) tried to pass a law requiring Apple and other phone software providers to enforce age restrictions on apps, the company’s lobbyists told him that Apple devices already included parental control tools. When Carver later tried to set them up on his 14-year-old’s new iPhone, though, he concluded they “aren’t the panacea they’re promised to be,” he told the Wall Street Journal, echoing the experience of countless others I’ve spoken with at school parent nights on kids and technology.
They're often expensive, some of them don't work well across devices, they may not include things that seem obvious (like Snapchat as social media vs messaging), your kid can sneak onto your...
They're often expensive, some of them don't work well across devices, they may not include things that seem obvious (like Snapchat as social media vs messaging), your kid can sneak onto your computer and grant themselves access, and you have to know the tools exist to find them, buy them and then find out they don't work on a laptop.
Essentially parents who are non-experts are being expected to be and that's just not realistic.
I've never visited pornhub, but surely that's an exaggeration for affect? Perhaps you mean a curated experience of PornHub. I would imagine that like YouTube, there's content for humour and silly...
I've never visited pornhub, but surely that's an exaggeration for affect? Perhaps you mean a curated experience of PornHub. I would imagine that like YouTube, there's content for humour and silly fun, there's a lot content for sensory experience like ASMR or street food or traditional snack making, some content that follow particular personalities, and maybe some instructional types like "how it's made" or "how to". And then there's probably a bunch of scary "not safe for life" stuff like those vore for kids videos and illegal snuff content not yet reported to admins or somehow snuck past, or staged depictions of shock/violent/non-consent/horror content that isn't age appropriate or normalizes them before they have the maturity to process it.
Roblox is dangerous and exploitative sure, but it can also be played safely. So, are you comparing apples to oranges, that with curating content and some oversight, you'd rather your child view pornography than for them to have no oversight time on Roblox?
Or do I owe PornHub an apology because its content is much safer than YouTube?
I see people criticizing bad solutions that they imagined in the first place, which seems like a bad way to predict what's going to happen. There's not a lot of information about it yet, but...
I see people criticizing bad solutions that they imagined in the first place, which seems like a bad way to predict what's going to happen.
There's not a lot of information about it yet, but Google and Apple seem to be doing something different. Example link:
This is a less bad solution than “every individual company gets a photograph of your goverment ID”, but it has its own downsides. I don't know that much about how mobile operating system wallets...
This is a less bad solution than “every individual company gets a photograph of your goverment ID”, but it has its own downsides. I don't know that much about how mobile operating system wallets are implemented (I assume it has at least something to do with secure enclaves), but my Android phone is running iodeOS, and so it doesn’t have Google Wallet.
I’m sure Apple and Google are pretty jazzed about the idea of a future where their devices are essentially required to access necessary internet services, but… I’m not haha.
Yes, we will need more than two alternatives. Someone needs to implement them. It seems to be an open standard, though, so at least it should be clearer what needs to be done? Compare with...
Yes, we will need more than two alternatives. Someone needs to implement them. It seems to be an open standard, though, so at least it should be clearer what needs to be done?
Compare with passkeys, which are further along and available for some mainstream purposes like some banks, but still has a way to go.
I'll be blunt: at this specific moment in time, I wouldn't personally trust any solution developed right now unless it's by an undeniably good nonprofit. The current state of... everything,...
I'll be blunt: at this specific moment in time, I wouldn't personally trust any solution developed right now unless it's by an undeniably good nonprofit. The current state of... everything, really, makes me wary of any system that could go into age verification, because I can't think of an implementation that wouldn't involve a database somewhere recording each time it's used. Not even purely because of necessity, but because companies like having data on people. And from that data, they can put together a terrifyingly detailed portrait of a person.
I don't trust corporations like Apple or Google to not use that data for advertising or other purposes with how greedy they all are. I don't trust governments to put in place effective regulations in a timely fashion that would guarantees people's privacy either, because let's be real, most politicians barely understand anything about how the internet works.
And on that note: I'm an American. I can imagine how gleeful the current admin would be to have some database that tracks people's internet usage and figure out who to add to watch lists. If such a system already existed they'd be fighting viciously for access to those records if the government didn't already have it, or else starting a new version and banning the old one in the US. I can see them also using it to censor various topics such as, oh, anything LGBTQ+.
Just... I know there are good reasons for an age verification system. But right now, at least in the USA, I do not trust anyone with the power to make such a system to NOT abuse it in some way, either due to greed or a lust for power. And I don't think I'm alone in that.
If that standard is implementable on desktop computers, and by arbitrary operating systems (I'm ok with requiring a secure enclave of some kind), I will feel ok about it. I truly cannot find any...
If that standard is implementable on desktop computers, and by arbitrary operating systems (I'm ok with requiring a secure enclave of some kind), I will feel ok about it. I truly cannot find any information after a cursory search about how mobile wallets work, and I am definitely worried that this will be an "open spec" the way RCS is an "open spec" — publicly documented, but functionally impossible to implement by any entities other than Apple and Google.
Passkeys, by contrast, had other major contributors (Yubico, 1Password, etc) during their development, and so are actually an open standard, and have been implemented by a number of providers.
Yes, it's pretty obscure and not really launched yet, and the standards might turn out not to be well-designed. (I haven't looked closely enough to say.) I think this is in part due to neglect -...
Yes, it's pretty obscure and not really launched yet, and the standards might turn out not to be well-designed. (I haven't looked closely enough to say.) I think this is in part due to neglect - the standards would probably be better if there were other organizations that cared enough to get involved.
I think it's technologically neglected because it's politically controversial. Parents have needed age verification for a long time and it could have been built a decade ago, long before governments started pushing for it. But most people and organizations don't want to touch it. Either they're too busy making money or they're against the whole idea.
It's a similar story with passkeys. Phishing has been a problem for decades, but it's only recently that Google and Apple decided that it needed to happen and threw their weight behind it. It looks like it will succeed and become an example of what could happen if there were an industry effort to make it happen.
I don't have any kids, but if I had, I'd probably set up white lists for them. Every domain (and IP) is blocked until they come to me and ask permission to use it. Additionally, they could use the...
I don't have any kids, but if I had, I'd probably set up white lists for them. Every domain (and IP) is blocked until they come to me and ask permission to use it. Additionally, they could use the unfiltered web while I'm around, for example I'm cooking and they're at the kitchen table watching YouTube.
Are there any parents around that can explain why this wouldn't work?
But it shouldn't be very hard to implement a user friendly white list in home routers. If governments can force websites to implement age verification systems, they can force router manufacturers...
But it shouldn't be very hard to implement a user friendly white list in home routers. If governments can force websites to implement age verification systems, they can force router manufacturers to implemented white lists that you can manage from your phone.
Both solutions will always be flawed, so having both would probably be best.
Works on your network only. I've dealt with it for years and even with the best intentions it still is a cat and mouse game. iOS vs Android vs Windows vs Chromebook. It is all stuff you have to...
Works on your network only. I've dealt with it for years and even with the best intentions it still is a cat and mouse game. iOS vs Android vs Windows vs Chromebook. It is all stuff you have to manage independently and I am very tech savvy. I don't blame parents who don't bother, it is a huge pain in the ass.
Devices with their own internet connection (I.e. Smart phones) you have to manage separately, but for home computers/lan this can be done at the router. You set the default outbound policy to...
Devices with their own internet connection (I.e. Smart phones) you have to manage separately, but for home computers/lan this can be done at the router.
You set the default outbound policy to deny, hole punch for a specific upstream dns resolver, set dnsmasq to populate a ipset which will be used for whitelisting with query responses (allow rule if dest in ipset).
Not required, but it makes the whole thing more seamless, setup DNS hijacking transparently pass all normal dns queries through the router's dnsmasq instance. You can also throw in a transparent intercepting proxy to protect against cases were good domains and bad domains share the same IPs because they're hosted by the same provider/reverse proxy (e.g. Cloudflare).
I do this to my various IoT devices, mostly as a learning exercise but it has some perks like ad blocking, update blocking, etc.
On my network yeah I have full control. Devices can travel and as such won't be constrained to your network. What happens when your kid needs to study with their Chromebook at school or at a...
On my network yeah I have full control. Devices can travel and as such won't be constrained to your network. What happens when your kid needs to study with their Chromebook at school or at a grandparents house? Locking down the network is valid and has its place, but is only part of the overall strategy. It also is a much higher barrier for non-technical parents.
Once it's outside the network, it's game over. If you threat model it, the adversary has physical access on unsecured networks. Even still, I don't know the age children get chromebooks at school,...
Once it's outside the network, it's game over. If you threat model it, the adversary has physical access on unsecured networks. Even still, I don't know the age children get chromebooks at school, but that's probably an age where you can't realistically protect them from the internet. They'll have access at friends houses, their friends phones, libraries, etc etc.
My comment is mostly a thought experiment, geared towards younger children that don't have their own devices, but perhaps you want to give them some autonomy to safely interact with the web.
At a certain age, it can't be helped, it's a matter of trust and having conversations, like most parenting.
Edit: I suppose, to more directly answer your question, I'd setup wireguard to route all traffic through the home router + firewall. This makes the per device configuration minimal, you just need to figure out how to install wireguard as an always on VPN and lock it down so the user can't disable it.
Actually, what you say is true for network level controls, some cell phone providers augment that, you canalso whitelist on a macbook or windows machine directly (but that can be bypassed,) yet...
Actually, what you say is true for network level controls, some cell phone providers augment that, you canalso whitelist on a macbook or windows machine directly (but that can be bypassed,) yet iOS offers full locked down control via Apple Configurator.
Why not put the white list on your home router or a RaspberryPi-like device? Then you only have to force each device to only connect via your internet at home. If the home WiFi is out of reach,...
Why not put the white list on your home router or a RaspberryPi-like device? Then you only have to force each device to only connect via your internet at home. If the home WiFi is out of reach, use a VPN.
Here's what I do for an < 10: Use the linux computer in the dining room with no hard restrictions whatsoever. No tablet or phone garbage. Kagi is set to default search with safesearch enabled....
Here's what I do for an < 10: Use the linux computer in the dining room with no hard restrictions whatsoever. No tablet or phone garbage. Kagi is set to default search with safesearch enabled.
Turns out it's pretty easy to reduce exposure by not giving them access to an always-connected pocket computer.
When they start venturing out on their own, they're not getting some fancy smartwatch or old phone with attempts at lockdowns. They're gonna get a $10 prepaid dumbphone that can call and sms with as little mobile data as possible. Press 1 for parents. press 2/3 for aunts. Rest of numbers for friends.
Challenge accepted: I call my friend and friend puts their phone against speaker playing sexy podcast? Hahahaha or friend sends me kaomoji boobs, as is tradition.
Challenge accepted: I call my friend and friend puts their phone against speaker playing sexy podcast?
Hahahaha or friend sends me kaomoji boobs, as is tradition.
This is the answer. My fever dream is that I'm going to get my son and a small group of friends LoRA Meshtastic radios and they think it's cool and just use those.
This is the answer. My fever dream is that I'm going to get my son and a small group of friends LoRA Meshtastic radios and they think it's cool and just use those.
From a technical point of view, there are a few reasons it won't work, most notably that they can go to a friend's house and access the internet there, or at school, or they can connect their own...
From a technical point of view, there are a few reasons it won't work, most notably that they can go to a friend's house and access the internet there, or at school, or they can connect their own device to another wireless network in range.
From a parenting point of view, there are a few reasons it won't work. It mostly comes back to not giving your kids the tools to deal with the internet, so when you take off those training wheels they will have loads of problems. This is like an "only abstinence" approach to the internet, and it doesn't work for sex, it doesn't work for alcohol, and it won't work for the internet. You have to actually talk about and educate your kids on each of these things so that they have the tools to survive once they are not under your constant supervision.
I've got 3 kids, and one of them is almost 20. When she went to University, I was pretty comfortable with her usage of social media and her ability to interface safely with the internet, just as I am confident about her ability to be around alcohol (legal drinking age here is 19) and have relationships. A big part of that is that we gave her the tools and knowledge to grow in those areas while we were constantly there to help out when needed (and we are still nearby to help when needed). Notably different was her first-year roommate in University, who was a valedictorian with overbearing parents... who drank constantly, did no work, and eventually flunked out because it was her first taste of freedom.
If you limit your kids from all the things, then the second they get all the things, they will have no self control over them.
No system is perfect. Even if every website had age verification, some kids would still be able to find ways around it. Many parents aren't very creative with their passwords, for example. I think...
No system is perfect. Even if every website had age verification, some kids would still be able to find ways around it. Many parents aren't very creative with their passwords, for example. I think white lists are a better technical solution than age verification.
But I mostly agree that the best protection for kids is a family and community that cares about them. If they have that, they probably don't need technical solutions to protect them from the funky parts of the internet. But not every kid is so lucky. If you are a single parent working two jobs, a technical solution could at least make it harder for your kid to join the incel community.
And even if you found the perfect parenting system you wouldn't get a 100 % success rate for every kid out there. You are lucky because you got good kids and your kids are lucky because they got good parents. Some kids are raised well and still end up in prison or worse while other kids are raised in hell and somehow turn out to be good people with lovely families of their own.
While I understand the frustrations of the author, their proposed solution is extremely short-sighted and comes with a huge list of potential pitfalls that would be extremely damaging to individual freedoms - Frankly, 'server-side' in-depth age verification should not be a requirement for anything.
As a parent myself, this is definitely a huge problem. But there are better ways to solve it. Better device-side parental controls, working on improving parental knowledge (not many parents know you can easily set filters on your home wifi network), strict smartphone bans during school hours, educating your children about the potential dangers of social media, etc.
There will never be a 'one-size-fits-all' solution. As with anything, we just need to stay educated and adaptive.
Fully agree on your points about age verification. There just isn't a foolproof way to implement it that can't be bypassed somehow. Hell, even the examples of kids with alcohol and driving doesn't hold up because plenty of teens still get their hands on alcohol. Kids find ways around rules, some will even see them as a challenge. It's a fact of life.
It's also an undue burden for people who run smaller or independent sites to enforce such a check. I'd also be worried about those sites getting hacked, or someone setting up such a site with malicious intent depending on how the age verification is implemented. If it's via scans of a driver's license, and the owner of a site has the power to view them... Yeah, that's really bad.
We can't expect anything to be 100% kid-proof, so we need to work with that expectation in mind. To that end, I think educating kids about the dangers of social media is a HUGE factor that needs more emphasis. If they can understand why it's dangerous and bad, they'll be less likely to dive into talking to strangers as part of an act of rebellion than just being told "it's forbidden".
My parents drilled stranger danger into me hard. I used the internet largely unsupervised (thankfully I mostly just wanted to play Neopets or hang out on gaming forums that were fairly strict about keeping things appropriate), but I knew to never give out personal info as a kid. To this day I'm pretty sure a fair number of people still think my name is Kristen.
I want to echo this. As a kid, little upset me as much as a flat-faced “no” without explanation or even worse, appeal to authority (“because I said so”).
Kids aren’t fully formed and lack experience, but they’re still people and have the intelligence to understand and internalize almost anything given that the logic behind it is explained carefully. It’s worth the time and care to give them solid, grounded reasons whenever practical.
Education is incredibly important. All these measures only add an illusion of safety, there is still plenty of danger online that these measures won't address but make people more complacent. Social media has been terrible for this, with people sharing a lot of information about themselves publicly without knowing how easy that makes it for bad actors to find even more sensitive information.
I'm reminded of the experience of designing garbage cans for national parks: it's not possible to make a garbage can so hard for all bears that it doesn't also become too hard for some humans. There's an overlap between the dumber humans and the smarter raccoons: you can't have a tech solution that's easy enough for parents that's too hard for highly motivated and bored/horny/defiant kids.
Completely agree about server side verification. While there are zero knowledge ways to handle age verification, they’re all complicated and difficult to manage. They’re not really suitable for non-techies. And as you said, the list of downsides and potential to expose people is far too great. One hack or zero day would be all it took to expose everyone’s private lives.
I wouldn’t trust any government to run this ever.
I understand the sentiment, but all alternatives are worse.
The Swiss are voting about introducing e-ID now, and the proposed law is... decent. Completely voluntary, the system includes zero knowledge proofs of things like age (where only the binary information "is above or below age x" is transmitted, cryptographically signed and anonymized so even the same provider can't trace back multiple age verification calls to the same e-ID to build a profile).
You might not trust a government to do something like that, but you cannot possible trust a private corporation o take over that responsibility either. And you don't want to send photos/videos of your ID and face to private corporations, ever.
You can debate whether anyone would want e-ID in the first place, and whether the existence of a well-designed and voluntary e-ID system would be a slippery slope towards mandatory e-ID everywhere in 5 years... but if you want age verification to protect kids on the internet, you really can't do it any other way.
The risk of any government having that responsibility is too great. It’s not worth it to keep some kids from looking at porn (I know that’s not really why they want it).
I tend to agree. But then I'd like to have a ban on private corporations demanding you send them your face and ID electronically. Because this is worse. The only good thing about it is that today, the entire process introduces so much friction and costs that it's not very common yet (only banks and mobile phone providers have asked me to do that until now).
I mean, we need stricter data privacy laws all around. In the US, it’s particularly bad now. Unless it’s health or other sensitive data, companies can do whatever the hell they want with your data - often using it for new things after the fact (cough cough training AI).
I don’t think it’s a given that all alternatives are worse. It depends on the government and the alternative. For example, I think it’s good that LetsEncrypt and Signal are not government organizations.
Also, as should be obvious these days, governments vary widely in how much they can be trusted and this can change. Maybe Estonia or the Swiss do a good job, for now, but this doesn’t generalize.
The question is, who could do age verification well? Trusted organizations don’t come along every day. New organizations will take a long time to earn trust.
My personal answer to who could do it well is, "no one, ever". Any authority will have too much data, too many bad incentives, too much risk when compromised, and horrible effects when governments come along and force disclosures and backdoors.
And all for a system I believe unlikely to work. People will just use ones outside their jurisdiction, VPNs, piracy, unmoderated channels, or stolen credentials. Even if we believe in a true zero trust implemention with no connecting data we now have the problem that proper zero trust would make it rather trivial to abuse a small amount of compromised accounts (ex. if a porn site just gets an attestation that the user is an adult how do they know that there aren't 1000 signups that came from one kid that grabbed his dad's phone and sold access? Or even worse predators explicitly using access to these to gain contact with minors? In true zero trust no one knows.), so how long does it even stay zero trust before these centralized authorities are regulated into collecting all the data anyway (maybe even due to their own lobbying)?
If anything, I think the actual result would be that minors seeking such content end up in much more dangerous places that lack the checks. Like discord and telegram channels that are knowingly sharing porn to minors as part of grooming efforts.
I imagine kids vary quite a bit in how hard they’re willing to try? Particularly kids of different ages. And the goal isn’t to make it leak-proof, it’s to change the culture: how common is it?
Some kids smoke, drink alcohol, and do drugs, but this doesn’t mean every kid is going to spend a lot of effort on these things or do it all the time. It doesn’t mean you just give up and tell all the stores it’s okay to sell cigarettes and beer to kids now.
This is quite a strawman. Localized entities carrying physical goods, especially ones like liquor stores that that don't have real incentive for a malicious government to misuse (politicians don't care which individuals drink or smoke) aren't really comparable to the digital content of the internet in this way.
I'm also not trying to say nothing should be done. As a concrete example, Roblox is in desperate need of serious regulatory intervention. But I don't think the answer is that there should be some "trusted" gatekeepers to the internet because there are no options that are trustworthy, nor will there ever be because they'd be so easy to corrupt. This administration would happily state anything related to transgenderism needs to be age gated and force Google and Apple to collect and disclose who tries to access those age gates even if it meant breaking their zero trust protocol. And to top it off age verification doesn't even help with poorly moderated platforms like Roblox anyway.
And that would only be the start of it. Little by little anything that is disapproved of will be age-gated and thus tracked.
If you’re assuming a government can lean on Apple and Google to add back doors to web browsers, it’s game over already - they could log URL’s and credit card numbers. Or they can figure out who you are when you log into your bank.
I don’t think adding a new protocol for age verification changes the risks very much? What additional information do they have?
It is different in a variety of ways that makes that kind of regulation idea impractical:
This is very different than an application that has your complete identity in their wallet apps being gatekeepers to the web. To me it's kind of like asking why BitTorrent clients aren't regulated to require blocking copyrighted content when the answer is that obviously people would just install different ones that don't comply.
And what additional information do they have? Literally my whole identity! Sure my ISP can figure out what banks I use and a compromised browser could get my identity, but I could easily just not use their potentially spyware browsers. I already don't use either of them, although for unrelated reasons.
A lot of people seem to think if they pass a law the entire internet will line up to follow it. Creating a law like that drives kids to places that are easier to access, which encourages companies in places without those laws to attract the kids. It doesn’t accomplish anything, just makes people feel like they’ve done something good.
My usually repeated solution is user side codes.
Site is deemed to require age verification for all or portions of its data.
When serving that data it sees if you have some encoded flag flipped to a valid value.
That value is determined by the user. Basically 'sudo' but 'amAdult'.
Now it's on the user to protect that account/pw/permission and they could even parcel it out possibly with whitelists. UserA with PW B can pass the amAdult check for Y sites.
This puts the onus on the family, which is how it's always been, doesn't have corporations badly keeping a zillion different credentials that suck, and gives the parents the tools to actually use this. Corporations then either opt into the flag, or are told to by local governments if they need the flag.
The problem is i'm not exactly sure how feasible this all is from a cookie/sesssion/browser/client/server perspective. I know very little on that end and feel like I could mock up a poc pretty quickly, but of course making something remotely reliable would be kinda hard.
I do think the status quo of "don't lie when you click on this box" is garbage, and agree that the "proposed solutions" are "lets have people who've fucked everything up fuck up a bit more".
I hate speaking so far outside of something I know though, so as good as it might sound, I have no idea how miserable this would ACTUALLY be.
EVen if it's "trivial" to bypass, by say editing with the browser, at least that's less trivial than "click yes"
Every time I see an article like this, I feel like it's in complete denial of the fact that minors actively will find ways to circumvent things, and that no solution is, or could be, perfect. In contemporary times, children routinely have had access to plenty of NSFW material and social media online for the last 20 years, if not the last 30. What I see here is another fearful, controlling parent seeking to preemptively police their child.
I think the reality is, static pornography and social media are certainly not an excessive threat to children. Or, at the very least, not as threatening as Dr. Twenge feels. I think that anyone born since roughly 1995 has statistically had the ability to view these materials, and the vast majority of people who consumed these materials has not been negatively affected to a substantial amount.
I think the taboo nature of pornographic material, motivates unnecessary levels of concern from parents. In the past, these materials were simply obtained/consumed through other means. Adult content is still available on news racks across the country, and was more readily available in the past. It used to be common that it was 'found in the woods' or was lifted from an older family member. Since the advent of the availability of mass printed media, pornographic material is has always been far more commonly available than any parent wants to consider.
I will concede that there are arguments to be made about how specific media can create the wrong ideas of how the world works for young people. However, there's an entire slew of topics related to the birds and the bees that probably need to be explained to children that aren't, and issues often arise from society leaving young people to simply search out adult material to learn it themselves.
Simultaneously, "pornographic" is often thrown around to denigrate transgender and other queer people. I don't trust that parental controls aren't going to be immediately used to closet and restrict access to media that could help trans kids learn to understand themselves.
Additionally, while I do think that social media is an awful, dangerous thing to our society, I also think that social media is uniquely incorrectly framed when discussing children. Genuinely, I can't determine if the author has an issue with social media, or with the ability to send images via digital device. These are fundamentally two separate issues, and the author would rather fume about the matter, than elaborate.
Is SnapChat social media? Yes, for some people, but it's also an app where people can send messages back and forth. The entire 'self deleting' aspect is just an automatic version of manually erasing conversation messages via SMS. While I can see the issue private messaging raises, it's still disingenuous to lump children having age inappropriate conversations via encrypted messaging in with participating in online social media.
While having social media is absolutely a thing parents should restrict for their children, one really shouldn't expect to their kids to naturally understand why it's being restricted. Simply blocking the content leads to efforts to circumvent it.
I feel like the author, a person with a doctorate, is embarrassed that their child figured out how to 'hack' the parental controls. I digress.
Finally, children are regularly groomed on roblox, which is explicitly for kids. Most CSA cases involve a trusted family member / adult. Most child abductions are custodial.
I think that there's a lot more to be said about what's dangerous for kids online. Elsagate comes to mind, as does AI slop created for a child audience, or mobile games that kids can spend money on. However, these are fundamentally different issues than the ones the author brings up.
Unfortunately, the fact is, while some online content is really dangerous for kids, it's probably more the fact that it exists at all, rather than specific, controllable aspects of the web. Maybe parents should just not let their children have unfettered access to devices until it's age appropriate? Or just log what they consume, and be ready to discuss some really, really uncomfortable things.
We have a phrase in Cantonese for this: 雞仔唔管,管麻鷹 -- without trying to be a custodian over your own chicks, trying to be a custodian over the eagles.
While I am a big fan of (some) big government and regulations, I don't agree with many of the opinions from this piece.
If the regulation says one account is generated by the government and login/pin granted upon a child's 16th birthday, sure. If we have a way of knowing these companies will never keep a copy of ID verified, sure. But we would never allow the corner store to take a photocopy of ID when buying smokes, and we wouldn't tolerate the liquor store selling copies of our IDs. For that reason I don't agree the burden should be on social media.
This one is 100% on the parents. Why was their computer unlocked. No regulation and tech would have survived the parents here being the weakest chain.
To be clear we should absolutely prosecute companies that target children and aim harmful algorithm at them. I don't mind age restriction so much either. But I absolutely dislike this parental attitude of passing parenting responsibilities off.
Teach your kids not to access iffy stuff, exercise self control, value honesty and integrity, these are your jobs.
Ok, so, this is very funny to me. Aside from continuous, realtime, biometric monitoring, there is no technical solution that would have prevented this child from accessing the content she wanted to access, because she had access to her parents’ credentials. This is precisely the problem — even if a company is legally required to verify every user’s age, they will only do so at the time the account is created. Which means that such a requirement will immediately create a thriving black market of age-verified accounts, sold to minors. And then we’re exactly back where we started, except now a bunch of untrustworthy, insecure tech companies have verified records of the real name and address of every single one of their users.
Without self-doxxing, I work in a field that deals with the fallout of unchecked social media and its harmful effects on children. It's a real threat. Children as young as 4 and 5, and as old as 16 and 17 are all falling prey to unregulated social media. Examples of what I've seen: drug dealers using Snapchat/FB/Insta to sell HARD drugs to pre-teens; pedophiles hanging out on Discord/Reddit/Roblox grooming kids to send them explicit pictures or meet up for sex. I've worked with kids who were kidnapped and raped, families who were burying their kids that OD'd from drugs they bought off of social media, not to mention kids financially extorted with no real recourse. And I've seen it happen across the racial/class spectrum. Sometimes kids are actively looking for a transgressive outlet and get too deep into trouble. Sometimes kids don't know any better or are targeted by sophisticated predators. But the common thread is that social media lowers the barrier for bad actors to target and exploit children in a way that we've NEVER dealt with before.
In this thread, I see a lot of FUD from the comments in here about regulating private companies. A lot of commenters admit they either (1) aren't parents, or (2) have a fairly sophisticated tech background. I think it's easy to sit in the "ivory tower" of technologically literate adults and say that parents need to do better to regulate, but that's simply unrealistic for a large plurality of people.
For a layman, the tech is difficult to navigate, and more importantly, for the parent, regulation is a game of whack-a-mole. Block Snapchat and the child will go to Instagram. Block Discord and the child will go to Roblox (I've seen both of those examples in real life). And the companies know it's a problem because they deal with me and people like me on a weekly basis discussing these issues. Companies hide behind laws like Section 230 and feign ignorance and helplessness when pressed to do anything voluntarily. It's candidly sickening.
Is regulation perfect? No. But it's a hell of a lot better than burden shifting an increasingly complex maze of devices, apps and websites to parents who usually don't even know what their kids are doing. Worried about a "list" of people on porn sites? There are ways to sanitize the data and prevent the government from using it -- we already do that with cell phone data. For example, your location is triangulated thousands of times daily, but the data is anonymized and sanitized and the government can't (both legally and practicably) use it to track you indiscriminately. Basic age verification is the minimum of what we as a society should be doing to hold social media companies accountable.
Big Tech has done an amazing job of selling fear mongering about big brother and the futility of any such regulation. Don't buy into it, we can do both: You as a consenting adult can still consume porn without the government looking over your shoulder, and we as a society can put basic guardrails up for the sake of our kids.
When you mentioned that the technology is there for annoymous age verification, it made me remember that it was mentioned on the Security Now podcast that the founder of Yubico (which makes the hardware security keys called YubiKeys), Stina Ehrensvärd, has been working on a solution for this: https://siros.org/
The idea Steve Gibson (from the Security Now podcast) had would be for individuals to essentially go to a sort of notary/public service where they would be able to give you a digital token that you use with your biometric to unlock on your decide that provides an assertion that you are above x years of age. The token wouldn't disclose any other information about you beyond that you are above x years of age and that Y government (or private) body has confirmed this.
I had more I wanted to add to the conversation but only have a few minutes so I wanted to share this in case anyone else wanted to look in to it as well.
This sounds like a good idea. There's a middle layer that isn't part of the government and isn't part of the benefitting businesses.
The notary isn't keep a record of the ID, just that on a particular day they saw it. Human memory is great for self erasing data. And the Notory doesn't get to know what you're using the ID for, whether it's to qualify for child seats on a plane, enrollment into university, liquor, or porn. In fact this is even better than having to show your full ID to a bartender or bouncer or the teen working at a convenience store.
One possible idea (not mentioned on the website) relates to how people may track you using your ID. The Yubico devices are hardware devices and I assume that they can be made to hold whatever is required to make things work. As such, why have one ID? You have some measure of anonymity with IPv6 because your network adapter has many temporary addresses which it can use. Along that same line, it would help if your ID hardware device had many randomly generated identities on it (like 64?) which you can choose to use as you see fit (but they are usually randomly selected). That way it can be more difficult to track your activity since you can come in as many different IDs.
The goal is to make it less likely (and more difficult) to try to uniquely identify anyone and track what they are specifically doing. It is a bit harder to try to rope in many identities (64?) as one person with any reasonable certainty.
If the hardware device, with 1 ID, was "cloned" then it would not be all that easy to notice that (unless it was massively cloned). So having a device with more than 1 ID won't be that huge of an issue I would think... (admittedly, an assumption being made so as to favor the idea of increased anonymity).
To help mitigate issues, I would imagine all IDs would expire and need to be periodically updated (which I imagine would have to happen with 1 ID devices as well). There would likely be revocation lists too just in case they are needed (for IDs that would still be in date valid but were compromised in some other way).
I don’t understand what Siros is proposing. Google has announced something using zero-knowledge proofs. This is at least the right technology for protecting privacy if the concern is that websites will learn too much.
There are a lot easier ways to track people involving browser fingerprinting.
Can you elaborate on your reasoning behind this statement? My impression, as a person with a degree in data science (that is admittedly gathering dust), is that it's easy to deanonymize this specific type of data, maybe even trivially so. In fact, I believe cell location data was the exact example we discussed in the ethics course in that degree program.
Edit: wording
Edit 2: sources
Yeah, I'm sorry, but unless we're talking about two different things somehow, the statement "There are ways to sanitize the data and prevent the government from using it -- we already do that with cell phone data" is simply not accurate.
(1) Wikipedia has a whole article on "Data Re-identification", subtitled "Identifying an anonymized person from [deanonymized] data":
(2) MIT News, 2013:
(3) Paper referred to in (2):
(4) Short paper giving an overview of the situation, 2019:
(5) ACLU of Massachusetts, 2024:
I apologize if this comes off as me dunking on you specifically; that is not my intent. I believe that "exemplary" tags tend to carry a lot of weight around here, so I felt the need to speak up about that detail in your remarks.
No offense taken, just as I hope you don't take offense at me saying that "dunking" is a bit... generous for what was clearly you doing a cursory search on the subject and pasting snippets.
If we're really comparing apples to apples, then you surely already know (with your data science degree) that your ISP knows what websites you're browsing and if "big brother" really was so inclined, it could pull that data to use against you. There's a reason people aren't already being prosecuted (or persecuted as is the apparent fear) for their website browsing habits: laws preclude dragnet monitoring, which are actually quite effective at curbing government surveillance, and anonymizing features do a reasonably good job making mass surveillance difficult. That doesn't mean either are impossible to overcome, but it does mean that for the majority of cell phone users, they'll never be the subject of targeting in their lives. Both of those hurdles would continue to serve against the unfounded fears of the government broadly targeting individuals for doing something lawful like consuming pornography or visiting websites that support marginalized groups.
The frustrations I have with comments like yours are that you let perfect be the enemy of good. There is a real harm happening in the world and there is a real solution that could be implemented today to mitigate the harm. The costs associated with age verification are dramatically outweighed by the benefits, even if it isn't perfect.
Put differently, if you can't explain to me why you're comfortable with your ISP and DNS provider tracking your browsing history but aren't comfortable with the same amount of data being used to verify a user's age, then I have to respectfully discount your resistance to it. Because it's the same. The difference is that your ISP isn't spending literal hundreds of millions in lobbying and dark advocacy suggesting that there's a huge difference when it applies to FAANG.
Many people, including myself, aren't cool with their ISP or DNS provider having all their info either. Giving yet another party, especially some of the least trustable parties in businesses that make a ton from data harvesting and ads, even more in the name of a "protect the children" campaign that is unlikely to do anything except further strip any semblance of privacy just does not feel like an answer.
I find your last paragraph in particular to read almost like the "well if you've got nothing to hide..." falacy. Maybe you're cool with a more deeply entrenched surveillance state, but we still haven't recovered the privacy lost under the Patriot Act and many of us respectfully discount your support for further erosion.
I'm also not sure how much you know about the data gathered, who has what, and how they get it. Your DNS provider has, at best, the domains you accessed. With TLS your ISP has, at best, the IPs of the servers you connect to and maybe the domain names. Obviously they can also get some times and amount of traffic, but it is deliberately minimal because anything your ISP can get through these methods is available to any possible man-in-the-middle attacker. If you use masking tools you can change which party gets those to not even be your ISP. The fact that hiding info from your ISP is possible is why torrenting is normally done on a VPN. And work is being done to further reduce who sees what, such as DNS over HTTPS hiding the domain name from more parties (such as the ISP).
De-anonymizing data is also surprisingly easy and the more data you have the easier it is to do so. It is also wrong to state the government can't do it. They can and do. A fun fact about the US government is that they can get third parties to do stuff they themselves aren't technically allowed to. The US government does buy data from data brokers, including things they can't collect themselves. For example, there are data brokers that the police can use to virtually follow people around with no warrant or cause by paying data brokers to tell them when and where the target's car passes in front of privately-owned cameras placed all over the place, which surprise surprise has been horrifically misused by the police.
Definitely none taken - I agree. That's what I was trying to communicate by saying it wasn't my intent, but I can see how the specific wording I used could read that way, sorry. Probably an old Reddit habit to be preemptively a little defensive.
I started to respond point-by-point to your reply, but that felt unnecessarily confrontational, so I'll refrain. To be honest, there's also just too many points to address, and @zestier has already hit several of them. I guess I'll just speak to two things:
I am not comfortable with my ISP and DNS provider being aware (to the extent that they are able) of my browsing history. I agree that it's the same (generally). It's bad in both cases.
Keeping in mind the unquestionably incredibly painful experiences you described in your top-level comment, I respectfully completely disagree. It's not that the proposed solutions aren't quite perfect enough for my taste, it's that they're utterly awful, regardless of any theoretical benefits, and represent a huge risk to anyone that is forced to use them. To paraphrase the second sentence in the above quote, "The benefits associated with age verification are dramatically outweighed by the costs." The state of privacy in the modern world is already bad, and the proposed solutions would only make it worse.
Source? From what I can see it's more like tens of millions. Also what is "dark advocacy"? Just sounds like fearmongering to me rather than a meaningful term
Also btw DNS over HTTPS has been a default in chrome and firefox since 2020, "ISP knows what websites you're browsing" has not been true for at least 5 years for most people
The last piece of this is "encrypted client hello" which is still in progress. Looks like Cloudflare started supporting it two years ago. Firefox supports it
Not sure about the others.
This all sounds like a moderation problem, not an age verification problem. Already you're shifting the conversation from the supposedly harmful content age regulation is to block (porn) to social media in general. I don't mean that with any hostility, it serves to illustrate the onus has been shifted to the wrong party even among the most fervent supporters of regulation. Companies are shifting the blame to the government, parents, and the children. Everyone but their own responsibility.
If you want to hold companies accountable for their uncontrolled social media you should force them to moderate properly. Regulate that.
Selling drugs on Facebook? That's a Facebook problem, not a government verifying to see if someone is the right age to buy or sell drugs online. This particular problem is age agnostic, what would age verification even do? On top of that, the perpetrator is the dealer/groomer/predator and not the kid. Facebook providing the criminals a platform is the issue.
Companies have been stripping customer service and site moderation to their bare metals for a decade or two now, shifting the onus onto the consumer or volunteers to do the work for them. Most Reddit mods are volunteers, they're also stopping CP at the gates, I'd argue this should be on Reddit itself.
The examples you provided are horrifying, but realistically speaking, how many of those are solved by age verification? How many of those could we reduce or prevent if we regulated the companies hosting the platforms the criminal activity happens on? I'd argue we'd have a better result with the latter, where you'd go after the root of the problem instead of the symptom.
And then we can have the argument over privacy and data security. Neither particularly FUD'y, the world thus far is showing a mediocre track record at best when it comes to protecting people's privacy and data.
One of the arguments I've seen (and generally agree with) is that if someone, especially a determined teenager, is blocked from accessing a site, they will find another one with similar material. But if lawfully operating sites comply with this, that means the ones who ignore the law will gain more visits, and the material there will likely be less regulated as well.
I can imagine this could easily extend to social media sites. If a child is able to access Wikipedia, they can pull up a list of active social networking services. And word-of-mouth among peers at school, etc will likely be sharing the "next big thing" that will be used for outside of school communication. And I've heard that predators are typically able to convince children to move to other chat platforms with relative ease.
With that context, do you believe that making individual websites implement age verification would be a net positive? I feel like that would just be another variety of whack a mole.
Rambling that is more adjacent and opinionated
That being said, I don't think that the solution is to "do nothing" or fully expect parents to be tech wizards. While the author of the post expresses frustration at the state of parental controls, I think education can help. There's several free options to block DNS resolution of websites, such as this offering from Cloudflare. While Cloudflare only includes two categories - "malware" and "adult content" - I've seen more granular options as well. Doing this on each device shouldn't take more than 20 minutes of time from someone with no experience following a step-by-step guide.
Is this foolproof? Not even close. But nothing is, especially when the op-ed author mentions her daughter changing the parental control software settings from a parent's unattended device.
That's why the other portion of education is parent-to-child. Explain to them why some material is blocked. Be prepared to answer questions in an age-appropriate way. Inform them that others on the internet could be the equivalent of strangers offering candy from vans, regardless of who they claim to be. But don't lie and say that everyone on the internet is a predator. Have regular check-ins. Encourage and reward open communication. Employ "safe words" and get-out-of-jail free policies so they know you will come help them if they get into something over their heads.
Parenting is tough, and the concept of invisible avenues of communication is an evolving concern. But all you can do is prepare your child the best you can, and seek resources to educate yourself further if you feel lost.
Personally, I intend to heavily restrict private device usage. I have the technical background to lock down devices well, but the best thing any parent can do (imo) is to refuse to provide a cellphone until a certain age/maturity, and scale it up so you don't even start with a smartphone, but a "dumb phone" instead.
I have to be honest that I completely disagree with you and think being anonymous on the internet is more important than any possible perceived or real harms from children using that anonymous internet. The internet is the only place we are truly free, and it is being slowly eroded. We must fight to keep it free at any cost.
I agree that we can do more then where currently doing and that it could involve government regulation, but I'd say its a capital H Hard problem. Obviously the current version of just ask if your 18 is literally nothing, but getting to something that is a meaningful constraint is a massive jump up. If its based of government IDs, well kids can steal their parent's IDs and use them; fake ids have also existed forever. The technical expertise to run a more robust system is also outside of the ability of most governments; a lot of governments have already been out-sourcing their digital infrastructure to Big Tech. Any technical solution can only increase the difficulty and maybe that's enough or maybe its not.
Personally, I think the only long-term solution requires kids' to actually trust their caregivers, so that if/when something sketchy starts happening the kid feels safe checking with them. I get that's hard, especially given how much time most parents have, but I don't see any technical solutions being more then a moderate improvement.
This is something I wish there was a good solution for. I am involved with a queer community that involves adult content, including sexual content, and as a result of a schism involving transphobia I ended up briefly moderating a discord server that was basically the equivalent of a lesbian bar. People would flirt there, discuss sexual topics frankly, and some folks even lived close enough to each other to meet in person.
We had an age verification system but there was at least one incident where someone who was under eighteen successfully lied about their age to get in, and I heard stories from other folks talking about how when they were kids, they’d do the same thing. They’d admit to lying about their age online as young as thirteen or fourteen, pretending to be eighteen, engaging in adult oriented spaces with adults. This is so scary!
I think children don’t understand how awful it is to do this. They’re curious, and defiant, and they believe that if these systems are for their protection then they should have the freedom to opt out of being protected. But in my situation, I understood that adults needed to be protected too. Especially at a time where queer people are already demonized unfairly and accused of harmful deviancy, and where surveillance is getting more extreme, having a minor in an adult queer space is an awful look and a huge potential risk for every adult there. Of course the child is also at risk, but it really is a terrible and uncomfortable situation for literally anyone who isn’t a creep.
Of course any age verification system that isn’t privacy focused is also a huge risk, and no government or company in the world right now would pass up the opportunity to collect a huge amount of private data because we exist under surveillance capitalism. Between the two options I think it’s better for society to fight against any system that has such a massive potential for the abuse of freedoms. But I wish there was something.
My opinion and strategy with my own kids is to protect them from the things that are relatively easy to protect against via client-side controls. Once they start trying to break through that, we'll have an in-depth discussion about what they are likely to find, and what the law says. They already know that they must have clothes on in front of a camera, and generally the reasons why that is (in an age-appropriate way).
I think it is the parents' responsibility, and shouldn't be the companies'. Free speech is more important than your need for family protection, and setting up laws that require certain protective censorship conduct essentially always chills free speech in the short to medium term. I hear that setting up these client-side systems is hard to do, but that hasn't been my experience, in either the Apple, Google, or Microsoft stack (which we have some of each). I don't expect the systems to be perfect, I expect them to protect against unintended access to things that aren't meant for kids.
Maybe I'll feel different as they get older, I don't know.
I'm of the school of parenting to encourage teaching remediation over that of prohibition or consequences.
In the example of child luring, sexual exploitation and trafficking, I teach that I myself wasn't a very well behaved child. When I broke certain rules, such as accepting private chat from an unknown person, and was met with some natural consequences (eg they were a pedophile), I had nowhere to turn because if I told my parents they would just be furious and enact further restrictions. So, with my own child, I always teach that whatever consequences you might see from us will always be more loving, less harsh, and safer than trying to hide or deal with it on your own. Say someone made a sexual deepfake of you from a perfectly innocent photo: it's okay we'll get law enforcement involved, you're not in trouble, even if the person tries to convince you you are, you're not. It doesn't matter "what you were wearing", if you know what I mean, we got your back.
Now, it does mean I am entrusted to do some very awkward things, like having to find manga / light novels that make me blush. But I am happy to provide this semi filtering service in exchange for them not trying to find it on the open web themselves.
I really appreciate this post, and it makes me appreciate my mom being willing to get a Playboy subscription for me, back when I was a lad and that was still a thing. Your kid is being set up to have a better relationship with you and their own sexuality than most, and I wanted to give you kudos for that.
Thanks, MimicSquid.
Did you, in fact, read the articles? :) just kidding. I very much enjoyed my Maxim subscription for the jokes, and good art reference.
I did read the articles. It was a perspective into a world very different from my own teenage life, and I think that was helpful.
Hey maybe printed, non-interactive teen/lads/young adult media will make a come back :)
Honestly? I think there's a place for it. Though I'd already seen goatse and many other things on the internet prior to having that subscription, Playboy was something that provided a consistent product that my mom could use to talk to me about consent, sex work, the kinds of sexual and emotional relationships that exist in the world, a bunch of stuff. And because it was monthly, it was at a pace where we could have a conversation about one thing at a time. There would be worse tools for parents to use as a backdrop for the more challenging conversations that need to happen during the teenage years.
I'll keep that in mind when that's a bridge I need to cross. The monthly and static nature of it is valuable for sure.
I love this and will try and remember it as my kid gets older.
I'm hoping to do something similar with my own kids, they deserve love and support and understanding.
My struggle is that I didn't receive that when I was a child. I won't go in to details, but I suffered through abuse as a child and was exposed to pornography at a very young age on purpose. With it being frictionless to access online meant that I was able to keep coming back to it snd developed an addiction to pornography at a young age that I've had to fight and pray to overcome. It's also sadly impacted relationships I've had, including my marriage.
I personally believe the current state of pornography in its current free and digital form is a huge detriment to society. Others may disagree, but I know when I was a kid it was joked about, and I'm guessing that most kids and teenagers under 18 I know were looking at it. Pornography online is nothing pornography in the pre internet days. Finding an adult magazine or video meant that the child who found it could access that one video. Now a child who figures out how where porn is online can access it at all times from their internet connected device and hiding it is as easy as closing their private browser tab instead of needing to stash the physical evidence.
I hate the privacy implications and don't want the world to devolve into a pure nanny state where it's impossible for adults to make these kinds of choices for themselves. But I do hope for a zero trust security implementation of the ID verification. Some kids don't have parents who can be trusted to do "proper" parenting to talk them through the dangers of things on the internet. I used to laugh at the "think of the children" argument, but aftering taking the time to address my own addiction and abuse, and becoming a father, I get it. I would never let my children go through what I did and I hope that something can be done for the children who don't have parents who care enough or have them time/know how to make decisions about these things. Workarounds will always exist, but the scout's honor system in place on these sites now don't work.
Yeah, I hear you on the overall social responsibility side of it for kids whose parents are not helping them / hurting them. I don't know what would help, because it's not like liquor, cigarettes and gambling "hey this is bad for you here's a phone line to call for help" really helps does it? Or maybe it does, very little, but it's worth it to make the money makers pay? I hope we as a society move away from shaming, but at the same time I don't want to see normalising addictions and going into extremes without safety guardrails either.
It's a fine line to balance, for sure. I think the digital experience poses unique challenges, that society hadn't addressed until now because it was a newer medium, but as things have become increasingly digital the need to address them has come. Since unlike with a physical place that is an adults only establishment like a bar, strip club, etc. there has been no way to confirm that only adults are present.
I don't pretend to know what is the correct way to address this, but I'm glad it's being looked at. I think having a zero knowledge age verification system would have been helpful to a younger me, even if I tried to get around it like a lot of teens who attempt to circumvent parental/whatever restrictions. I just hope that I'm able to walk through the contents of the internet with my kids and help them to make wise choices and always be there for them.
Mirror: https://archive.is/MNnAa
From the article:
Can’t read the article. Does it go into specifics why the parental controls don’t work or what they don’t cover?
They're often expensive, some of them don't work well across devices, they may not include things that seem obvious (like Snapchat as social media vs messaging), your kid can sneak onto your computer and grant themselves access, and you have to know the tools exist to find them, buy them and then find out they don't work on a laptop.
Essentially parents who are non-experts are being expected to be and that's just not realistic.
I think I hit the summary alright.
This is an archive link.
If that doesn't work for folks try this https://archive.is/MNnAa
I've never visited pornhub, but surely that's an exaggeration for affect? Perhaps you mean a curated experience of PornHub. I would imagine that like YouTube, there's content for humour and silly fun, there's a lot content for sensory experience like ASMR or street food or traditional snack making, some content that follow particular personalities, and maybe some instructional types like "how it's made" or "how to". And then there's probably a bunch of scary "not safe for life" stuff like those vore for kids videos and illegal snuff content not yet reported to admins or somehow snuck past, or staged depictions of shock/violent/non-consent/horror content that isn't age appropriate or normalizes them before they have the maturity to process it.
Roblox is dangerous and exploitative sure, but it can also be played safely. So, are you comparing apples to oranges, that with curating content and some oversight, you'd rather your child view pornography than for them to have no oversight time on Roblox?
Or do I owe PornHub an apology because its content is much safer than YouTube?
I see people criticizing bad solutions that they imagined in the first place, which seems like a bad way to predict what's going to happen.
There's not a lot of information about it yet, but Google and Apple seem to be doing something different. Example link:
Introducing the Digital Credentials API origin trial
There are probably more, if someone wants to search.
This is a less bad solution than “every individual company gets a photograph of your goverment ID”, but it has its own downsides. I don't know that much about how mobile operating system wallets are implemented (I assume it has at least something to do with secure enclaves), but my Android phone is running iodeOS, and so it doesn’t have Google Wallet.
I’m sure Apple and Google are pretty jazzed about the idea of a future where their devices are essentially required to access necessary internet services, but… I’m not haha.
Yes, we will need more than two alternatives. Someone needs to implement them. It seems to be an open standard, though, so at least it should be clearer what needs to be done?
Compare with passkeys, which are further along and available for some mainstream purposes like some banks, but still has a way to go.
I'll be blunt: at this specific moment in time, I wouldn't personally trust any solution developed right now unless it's by an undeniably good nonprofit. The current state of... everything, really, makes me wary of any system that could go into age verification, because I can't think of an implementation that wouldn't involve a database somewhere recording each time it's used. Not even purely because of necessity, but because companies like having data on people. And from that data, they can put together a terrifyingly detailed portrait of a person.
I don't trust corporations like Apple or Google to not use that data for advertising or other purposes with how greedy they all are. I don't trust governments to put in place effective regulations in a timely fashion that would guarantees people's privacy either, because let's be real, most politicians barely understand anything about how the internet works.
And on that note: I'm an American. I can imagine how gleeful the current admin would be to have some database that tracks people's internet usage and figure out who to add to watch lists. If such a system already existed they'd be fighting viciously for access to those records if the government didn't already have it, or else starting a new version and banning the old one in the US. I can see them also using it to censor various topics such as, oh, anything LGBTQ+.
Just... I know there are good reasons for an age verification system. But right now, at least in the USA, I do not trust anyone with the power to make such a system to NOT abuse it in some way, either due to greed or a lust for power. And I don't think I'm alone in that.
If that standard is implementable on desktop computers, and by arbitrary operating systems (I'm ok with requiring a secure enclave of some kind), I will feel ok about it. I truly cannot find any information after a cursory search about how mobile wallets work, and I am definitely worried that this will be an "open spec" the way RCS is an "open spec" — publicly documented, but functionally impossible to implement by any entities other than Apple and Google.
Passkeys, by contrast, had other major contributors (Yubico, 1Password, etc) during their development, and so are actually an open standard, and have been implemented by a number of providers.
Yes, it's pretty obscure and not really launched yet, and the standards might turn out not to be well-designed. (I haven't looked closely enough to say.) I think this is in part due to neglect - the standards would probably be better if there were other organizations that cared enough to get involved.
I think it's technologically neglected because it's politically controversial. Parents have needed age verification for a long time and it could have been built a decade ago, long before governments started pushing for it. But most people and organizations don't want to touch it. Either they're too busy making money or they're against the whole idea.
It's a similar story with passkeys. Phishing has been a problem for decades, but it's only recently that Google and Apple decided that it needed to happen and threw their weight behind it. It looks like it will succeed and become an example of what could happen if there were an industry effort to make it happen.
I don't have any kids, but if I had, I'd probably set up white lists for them. Every domain (and IP) is blocked until they come to me and ask permission to use it. Additionally, they could use the unfiltered web while I'm around, for example I'm cooking and they're at the kitchen table watching YouTube.
Are there any parents around that can explain why this wouldn't work?
Knowledge of how to set up a whitelist and protect it from a kid with more time than sense?
But it shouldn't be very hard to implement a user friendly white list in home routers. If governments can force websites to implement age verification systems, they can force router manufacturers to implemented white lists that you can manage from your phone.
Both solutions will always be flawed, so having both would probably be best.
Works on your network only. I've dealt with it for years and even with the best intentions it still is a cat and mouse game. iOS vs Android vs Windows vs Chromebook. It is all stuff you have to manage independently and I am very tech savvy. I don't blame parents who don't bother, it is a huge pain in the ass.
Devices with their own internet connection (I.e. Smart phones) you have to manage separately, but for home computers/lan this can be done at the router.
You set the default outbound policy to deny, hole punch for a specific upstream dns resolver, set dnsmasq to populate a ipset which will be used for whitelisting with query responses (allow rule if dest in ipset).
Not required, but it makes the whole thing more seamless, setup DNS hijacking transparently pass all normal dns queries through the router's dnsmasq instance. You can also throw in a transparent intercepting proxy to protect against cases were good domains and bad domains share the same IPs because they're hosted by the same provider/reverse proxy (e.g. Cloudflare).
I do this to my various IoT devices, mostly as a learning exercise but it has some perks like ad blocking, update blocking, etc.
On my network yeah I have full control. Devices can travel and as such won't be constrained to your network. What happens when your kid needs to study with their Chromebook at school or at a grandparents house? Locking down the network is valid and has its place, but is only part of the overall strategy. It also is a much higher barrier for non-technical parents.
Once it's outside the network, it's game over. If you threat model it, the adversary has physical access on unsecured networks. Even still, I don't know the age children get chromebooks at school, but that's probably an age where you can't realistically protect them from the internet. They'll have access at friends houses, their friends phones, libraries, etc etc.
My comment is mostly a thought experiment, geared towards younger children that don't have their own devices, but perhaps you want to give them some autonomy to safely interact with the web.
At a certain age, it can't be helped, it's a matter of trust and having conversations, like most parenting.
Edit: I suppose, to more directly answer your question, I'd setup wireguard to route all traffic through the home router + firewall. This makes the per device configuration minimal, you just need to figure out how to install wireguard as an always on VPN and lock it down so the user can't disable it.
Actually, what you say is true for network level controls, some cell phone providers augment that, you canalso whitelist on a macbook or windows machine directly (but that can be bypassed,) yet iOS offers full locked down control via Apple Configurator.
Why not put the white list on your home router or a RaspberryPi-like device? Then you only have to force each device to only connect via your internet at home. If the home WiFi is out of reach, use a VPN.
Here's what I do for an < 10: Use the linux computer in the dining room with no hard restrictions whatsoever. No tablet or phone garbage. Kagi is set to default search with safesearch enabled.
Turns out it's pretty easy to reduce exposure by not giving them access to an always-connected pocket computer.
When they start venturing out on their own, they're not getting some fancy smartwatch or old phone with attempts at lockdowns. They're gonna get a $10 prepaid dumbphone that can call and sms with as little mobile data as possible. Press 1 for parents. press 2/3 for aunts. Rest of numbers for friends.
Challenge accepted: I call my friend and friend puts their phone against speaker playing sexy podcast?
Hahahaha or friend sends me kaomoji boobs, as is tradition.
This is the answer. My fever dream is that I'm going to get my son and a small group of friends LoRA Meshtastic radios and they think it's cool and just use those.
From a technical point of view, there are a few reasons it won't work, most notably that they can go to a friend's house and access the internet there, or at school, or they can connect their own device to another wireless network in range.
From a parenting point of view, there are a few reasons it won't work. It mostly comes back to not giving your kids the tools to deal with the internet, so when you take off those training wheels they will have loads of problems. This is like an "only abstinence" approach to the internet, and it doesn't work for sex, it doesn't work for alcohol, and it won't work for the internet. You have to actually talk about and educate your kids on each of these things so that they have the tools to survive once they are not under your constant supervision.
I've got 3 kids, and one of them is almost 20. When she went to University, I was pretty comfortable with her usage of social media and her ability to interface safely with the internet, just as I am confident about her ability to be around alcohol (legal drinking age here is 19) and have relationships. A big part of that is that we gave her the tools and knowledge to grow in those areas while we were constantly there to help out when needed (and we are still nearby to help when needed). Notably different was her first-year roommate in University, who was a valedictorian with overbearing parents... who drank constantly, did no work, and eventually flunked out because it was her first taste of freedom.
If you limit your kids from all the things, then the second they get all the things, they will have no self control over them.
No system is perfect. Even if every website had age verification, some kids would still be able to find ways around it. Many parents aren't very creative with their passwords, for example. I think white lists are a better technical solution than age verification.
But I mostly agree that the best protection for kids is a family and community that cares about them. If they have that, they probably don't need technical solutions to protect them from the funky parts of the internet. But not every kid is so lucky. If you are a single parent working two jobs, a technical solution could at least make it harder for your kid to join the incel community.
And even if you found the perfect parenting system you wouldn't get a 100 % success rate for every kid out there. You are lucky because you got good kids and your kids are lucky because they got good parents. Some kids are raised well and still end up in prison or worse while other kids are raised in hell and somehow turn out to be good people with lovely families of their own.