You're framing this as some desirable thing that could be good except that a bad implementation erodes privacy. That's wrong at every step. These bills originate from big tech such as Meta that literally profit from collecting as much personal info from you as possible. https://old.reddit.com/r/LinusTechTips/comments/1rsn1tm/it_a...
But even beyond their tainted origins, you can't implement your way out of something badly formed in the first place. You handwave "zero knowledge" but that doesn't do for your privacy what you're hoping it will. That id card will still have a serial number and CCTV of you purchasing it and you will de facto end up trusting some government binary blob to implement this cryptography correctly without backdoors. Snowden was a decade ago. This will have a backdoor. This will be used for surveillance, tomorrow even if by some miracle not today.
And finally, this makes the internet worse. There will be a section of people who are, for one reason or another, not able to pass this bar. Much of the goodness of the internet comes from being able to interact with anyone on it.
The facts listed also match the actions of a firm aiming to ensure that the burden of verification does not fall on it, for a legislative process that they know is coming.
Red flag after red flag has been raised on child outcomes and social media, for a decade.
The internet is great for people here on HN, who know enough to avoid getting screwed.
The internet is a grotesque horror show for anyone who is stuck on the wrong side of a customer support system. Plus, most people here are thinking from the perspective of someone in the US or EU. They actually get better support than the rest of the world gets.
Let me be clear - I hate that we are at this juncture. However willful ignorance of the harms being inflicted on users is palliative care for our feelings. It means that one day, there is going to be a confrontation between a techie advocating for privacy and the people whose lives are being upended by tech.
Privacy has to be protected effectively, which means acknowledging the hurt and providing solutions for that.
There is no “win” here, which doesn’t have the issue coming back.
Dismissing the harms only makes privacy advocacy irrelevant to voters.
Defending privacy effectively means plugging the root cause it is being encroached.
This is being articulated as a defense of privacy when it originates from social media harms to kids.
If that's a "fact", where is the proof? What harms are there that can only be addressed with age verification and not in any other way?
> Dismissing the harms [...]
This is a strawman you've created.
> Defending privacy effectively means plugging the root cause it is being encroached.
Defending privacy means defending privacy, not submitting to nefarious interests and well-meaning but misled followers.
> This is being articulated as a defense of privacy when it originates from social media harms to kids.
Social media can be dangerous to kids, I don't see anyone disputing that. The dispute is around the solution to this issue.
> Social media can be dangerous to kids, I don't see anyone disputing that. The dispute is around the solution to this issue.
It may not be what you intend, but that is how the dispute is going to be rendered.
I have no dispute with you over the conclusion of your comment. The meat and potatoes is in the shape of the solution.
Also age verification is still a problem in itself. Given your idea of a physical card, kids will find a way to use the card of their parents. Even if the card couldn't be misused by others - you give platforms the knowledge of whom is a minor, which means they can be targeted better.
All kinds of tools and software would need to be locked down or criminalized. Otherwise, some smart kid is guaranteed to get around the restriction and give that method to others, and if it's at school on a USB stick.
This is just an argument against any regulation whatsoever. Yes, some people will find ways to do illegal stuff, but that doesn't mean forbidding stuff is useless. For instance gangs members always find a way to get access to weapons even in countries where firearms is regulated, but there are still pretty much zero mass slaughter in schools in these countries.
> To make age verification useful for protecting kids, you'd need to lock down every software on every operating system and put it under tight government control.
No! This should never be implemented at the software or OS level in the first place. You should be handed a chip card that you can use for that purpose, like how the bank rent you a credit card. Any other implementation is a bad one, and should be fought.
But by fighting the very idea of age verification instead, an idea that pretty much nobody else in the society has issues with when it comes to voting rights, driving rights, or alcohol consumption, you are just favoring these poor implementations by moving the debate on a ground you can't win.
> Otherwise, some smart kid is guaranteed to get around the restriction and give that method to others,
You should really read that “The optimal amount of fraud is non zero” blog post I linked above.
You don't need government ID to talk to people and share info. You don't need government ID to take a dump.
Also the criticism of the article is just ignored while it is a very likely development and lack of imagination isn't an excuse.
Even today government in the EU are already implementing mass surveillance, even by third parties.
Verification wasn't needed in the past, it won't be needed in the future.
Requiring an internet ID is the the opinion of a marginalised minority that has difficulties with technology. Aside from those that are advertisers of course.
Parents are speaking for their kids in a group and against the status quo. The status quo is not working for them.
I have been beating on this drum to avoid this situation for far longer than it has been the topic of interest on HN for the past few months.
We are here, because difficult conversations were avoided and action which could be taken to stop this from metastizing came in the way of growth.
The “parents” win just by having the laws passed, because it makes it clear what guard rails society expects to have in place for internet use.
If you want, I could give you stories of how KYC rules are not followed in India, enabling fraud. How certain rules in the DSA are toothless, resulting in reduced compliance.
Privacy is going to lose. Correction, it is losing, because the people who think they are defending it don’t understand that the forces at play have changed.
Second, if you hand over a chip card, you still need to lock down and tightly control every executable on every machine. How else would you guarantee that kids cannot access content the government deems unsuitable for them?
Third, I still haven't seen a coherent argument why parents shouldn't be in charge of what content their children are allowed to consume. I'm not at all against governments providing free parental control software, for example, or voluntary industry standards similar to the movie ratings.
Finally, "protecting the children" is obviously a pretense. The sole purpose of the push for this is for governments to get the foot in the door of operating systems they currently can't control well. It's the starting point for a surveillance infrastructure: age verification -> digital ID verification -> tracking who said what and handing the data over to intelligence and law enforcement.
Businesses are always going to favor the cheapest options, but that's why regulation exist.
> Second, if you hand over a chip card, you still need to lock down and tightly control every executable on every machine. How else would you guarantee that kids cannot access content the government deems unsuitable for them?
You don't need to guarantee that. It's like saying you can't have an alcohol consumption ban on teenagers without spying on them all the time. It's technically true but it doesn't matter: having teenagers consume way less booze due to the rules than they would without it, and that's fine for most people, societies don't need to enforce an absolute 100% ban of things for bans to deliver the expected outcome.
> Third, I still haven't seen a coherent argument why parents shouldn't be in charge of what content their children are allowed to consume.
It's much less about what their children are allowed to consume, but what are businesses allowed to sell to their children. It's exactly like alcohol restrictions: the government don't raid houses to check if parents are letting child drink whine and beer at home, but it aggressively enforces that bars don't sell booze to teenagers.
> Finally, "protecting the children" is obviously a pretense.
Not from the electors. Most people are favorable to these things, and that's why these laws are voted. Obviously intelligence agencies are always trying to get access to more data whenever they can, but that's not the reason why these laws are voted, and the representatives routinely could vote for a version of that which doesn't serve any intelligence purpose.
At the very least, you will need to make sure that no child can install Linux. Otherwise, why wouldn't they? Most kids aren't stupid and want to know what their braindead parents are doing on the internet.
I really believe it's dangerously naive to believe this is about the children. It's quite obvious why suddenly ominous entities are shilling for age verification, digital IDs, digital wallets, and so on (more is to come). Countries in the EU used to get valuable SIGINT from the US that prevented many serious crimes. They still get it but now they've realized that the US might not always remain aligned with them and panic because they have almost no access to modern operating systems except for buying 0-day exploits on shady black markets. They desperately need to get their foot in the door to get the right surveillance infrastructure going. At the same time, politicians are rightly worried about the influence of bots on elections.
These are the principal reason why governments are suddenly pushing for this. If this was about the children, they'd have done it 30 years earlier. Until very recently, this discussion didn't even exist. It's manufactured.
Not if they use a credit-card-like ID that embed a side-channel-resistant cryptographic chip like your credit card does. Your average teenager can't crack a credit card no matter how hard they try.
> I really believe it's dangerously naive to believe this is about the children. It's quite obvious why suddenly ominous entities are shilling for age verification, digital IDs, digital wallets, and so on (more is to come). Countries in the EU used to get valuable SIGINT from the US that prevented many serious crimes. They still get it but now they've realized that the US might not always remain aligned with them and panic because they have almost no access to modern operating systems except for buying 0-day exploits on shady black markets. They desperately need to get their foot in the door to get the right surveillance infrastructure going. At the same time, politicians are rightly worried about the influence of bots on elections.
I'm very disappointed to read this kind of tinfoil hat conspiracy theory here on HN.
“Never attribute to malice that which is adequately explained by stupidity.”
> Given your idea of a physical card, kids will find a way to use the card of their parents.
Sure there are kids who have access to their parents credit card with the PIN, but how frequent is that? In every system, fraud will exist, but that doesn't mean the system is worthless. “The optimal amount of fraud is non-zero”: https://www.bitsaboutmoney.com/archive/optimal-amount-of-fra...
This is not an argument, it's just a stupid quip. And I would sooner suggest that you "never attribute to stupidity that which is adequately explained by malice". Humans are overwhelmingly selfish and more than willing to harm others to serve themselves.
The traditional quip works well on small-scale stuff, but if there's loads of money or power to be gained, malice and greed tends to be fairly prevalent.
In person that falls to a human being, and it's an easy and intuitive task that takes seconds.
On the internet this involves some kind of video recording being sent to some agency somewhere being paid a fee, who may later be asked to prove the efficacy of their service. This agency needs a digital copy of the photo from your ID for matching purposes. They'll be tempted to store this for auditing purposes... they'll also be tempted to store correlation IDs etc if the architecture allows.
The issue is trust. You just can't trust these first and third parties not to collaborate for commercial gain or at government demand or request.
And ultimately you're still exchanging verification at registration for a shareable credentials: I could use my ID to sign up to pornhub premium and then sell the username and password to a 16 year old if I wished, just like those buying alcohol can go and give it to the underage. A black market for digital credentials is even easier to establish than material goods
That's why I'm talking about an “Id card” using Zero-knowledge proofs in a cryptographic chip, not using a paper ID with your picture on top…
You still need to send a digital image from the id, signed by an authority, saying "this person is 18"
You then still need a trusted ID service or algorithm to capture an image of the user _at the time of use_ to compare that to.
Just having access to your digital ID credentials proves nothing
The zero knowledge proof only helps prevent tracking between the ID service and the website you're logging into. This is valuable but requires standardisation and client side support, which doesn't exist.
All the time the client side is implemented by JavaScript served from the server side you're just trusting these parties to behave and not snoop
> You then still need a trusted ID service or algorithm to capture an image of the user _at the time of use_ to compare that to.
> Just having access to your digital ID credentials proves nothing
If I have access to your digital ID I shouldn't be able to impersonate you anymore than I should be able to fly using your passport.
Your passport is useful not just because it's difficult to forge, but because border control is a thing.
What's next? Your US legal status as determined by your ethnicity? Scan your face to prove you're white? Yeah, that sounds absolutely ridiculous but so did the age verification with KYC just a few years ago.
We allow bars and car companies to verify age before conducting business. Does that in itself lead to racial discrimination? I think not.
But saying “we must abandon the idea of age verification in bar” is never going to work in any democratic setting.
Voters genuinely want to protect the children, without second thoughts.
A second order effect of this is that a small number of parents have the ability to manage their kids use of tech.
A side effect of that is kids seeing their peers use tech. I’ve seen 9 month babies getting hypnotized by screens.
This is excluding situations with an antagonist preying on the child, such as grooming or bullying.
Yes, in an ideal world, it would all go down to parenting. Since we live in reality, some of that work is shifting to ensuring defaults are in place.
I thought it was a great question. I wish I remembered more details and had the links ready.
No, they aren't in place at all. It's the parents' job and vast majority of parents do it fine. Nobody wants the Nanny state you propagate.
Unless a tiny chance exists that some system in the middle is not secure. Then you have the problem of those who orient their acceptance to the "oh well" shrug, and then systemic faults get downplayed by default. (Edit: I re-read and notice 'half-baked systems': seemingly, we agree.)
> as a political posture
Which is the core problem of masses accepting pseudo-heartly and not-brainy unacceptable figures. And again, systemic faults incarnated as administrations get downplayed by default.
But instead of inserting controls around email addresses (as with paid services) or devices (as with contraband), the requirement is pushed to the application layer. It really makes no sense from a technical POV.