| ▲ | john_strinlai 4 hours ago |
| >Could you be more specific as to what you're imagining? sure, i'll put my favorite two. though you'll find much more detailed and thought-out versions of these (and others) in the dozens of other giant threads on the same topic. - buy a card with a UUID from anywhere that sells alcohol/tobacco that is valid for some period of time. most people are comfortable with flashing their ID at the clerk. the UUID card is non-identifying. - websites issue content tags, browsers consume them, you enter your age into the OS during setup. |
|
| ▲ | autoexec 2 minutes ago | parent | next [-] |
| > buy a card with a UUID from anywhere that sells alcohol/tobacco that is valid for some period of time. most people are comfortable with flashing their ID at the clerk. the UUID card is non-identifying. This could be a good system if it's set up right. There's still some risk of being tracked if it isn't though. IDs could be linked to the cards at the time of purchase if retailers scan the drivers license, then scan the card creating a record that card #XXXXX was purchased using driver's license # XXXXX Even if retailers aren't scanning the drivers licenses and collecting data that way, the cards and codes on those cards can be tracked and traceable to a retailer. That's how things like calling cards have been tracked. Say for example someone uses the code on a card to access a website, the police can match the code that was used to the serial number of the card, look up which retailer that card was sold at, and can then access security camera footage at that retailer to identify who bought the card from that location. This would also let them passively generate lists of IP addresses/device IDs matched to websites and specific retail locations over time. |
|
| ▲ | donmcronald 4 hours ago | parent | prev | next [-] |
| > buy a card with a UUID from anywhere that sells alcohol/tobacco that is valid for some period of time Why should I pay continuously to prove I'm an adult? And those cards will be getting sold to kids faster than you can blink. I bet a lot of parents would buy them for their kids. |
| |
| ▲ | john_strinlai 4 hours ago | parent | next [-] | | >And those cards will be getting sold to kids faster than you can blink. there's a reason i said 90% and not 100% effective. alcohol and tobacco get resold to kids, too. | | |
| ▲ | fl4regun 4 hours ago | parent [-] | | What makes you think this will be close to 90%? Unless these cards are expensive I don't see that happening. | | |
| ▲ | john_strinlai 4 hours ago | parent [-] | | >What makes you think this will be close to 90%? Unless these cards are expensive I don't see that happening. its obviously just an illustrative guess. but if the penalty of possessing the card is similar to underage possession of alcohol/tobacco, and larger penalties if a store/person is found providing a card to someone underage, i see no reason why it wouldnt have a similar success rate as alcohol/tobacco. | | |
| ▲ | inigyou 3 hours ago | parent [-] | | Why possess the card when you can just buy the UUID on the dark web | | |
| ▲ | bilkow 2 hours ago | parent | next [-] | | If they have access to the "dark web" they can already do anything that requires age verification there. In the same way you expect that the rule to "not sell UUIDs" wouldn't be respected there, I wouldn't expect other age-verification rules to be respected, no matter the verification method. | | |
| ▲ | inigyou 2 hours ago | parent [-] | | Well, it's rather harder to sell bottles of beer on the dark web than short text strings. | | |
| ▲ | bilkow an hour ago | parent [-] | | That is true, it is harder, although AFAIK people do sell all kinds of illegal things there. |
|
| |
| ▲ | john_strinlai 3 hours ago | parent | prev | next [-] | | sure? i feel like i need to reemphasize the "not going for 100% effectiveness" thing again. hopefully some parent steps in if their kid is on the dark web trying to make purchases with their parent's credit card. | |
| ▲ | anigbrowl an hour ago | parent | prev | next [-] | | Why buy a UUID when you can just get porn on the dark web | |
| ▲ | triceratops 2 hours ago | parent | prev [-] | | Kids can buy drugs on the dark web too. |
|
|
|
| |
| ▲ | sdeframond 3 hours ago | parent | prev | next [-] | | > I bet a lot of parents would buy them for their kids. That changes the default from "anyone can do anything" to "gotta ask parents". Defaults matter at scale. It adds friction. | |
| ▲ | drdexebtjl 2 hours ago | parent | prev | next [-] | | > I bet a lot of parents would buy them for their kids. Good. I should be able to make judgement calls about what my children can or can’t access outside of school. It’s better if they do it under my supervision than against my back, aided by a predator whose only moat is lending their ID, or their face. | |
| ▲ | CPLX 4 hours ago | parent | prev [-] | | Why should you pay for an internet connection, or a computing device with a screen? This isn't a serious counterargument. | | |
| ▲ | fluoridation 3 hours ago | parent [-] | | Because those things cost money to make and to maintain, whereas there's no intrinsic cost to prove one is an adult. | | |
| ▲ | CPLX 2 hours ago | parent [-] | | Yes there is. You need to pay for a drivers license or a passport and so on. So there is an intrinsic cost to prove who you are where you are from and what your birthday is already. You have to pay for all sorts of small things to participate in normal society. This isn't a serious criticism. By definition this is not a life critical thing, it's something that is procured in order to access specific services on the internet, which is not free. | | |
| ▲ | fluoridation 2 hours ago | parent [-] | | >You need to pay for a drivers license or a passport and so on. I have a government ID and I didn't pay for it. I can use it to travel to nearby countries in lieu of a passport. The assumption that IDs are necessarily non-free (to the issuee) is pretty funny to me. >it's something that is procured in order to access specific services on the internet, which is not free. The maintenance of the Internet is already paid for through ISP contracts. | | |
| ▲ | CPLX 2 hours ago | parent [-] | | I mean, if you really want to make the government subsidize an ID verification scheme or mandate that certain real-world locations provide age verification as a social service for everyone, that's fine. It's orthogonal to the discussion, though, which is about whether we should do it or not, because the costs here aren't significant and don't change the terms of the debate. | | |
| ▲ | fluoridation 2 hours ago | parent [-] | | I'm personally in favor of just banning children off the Internet, but I don't agree it's orthogonal to the discussion. What I replied to was the implication that someone should pay a recurring cost to prove they're an adult for the same reason that they pay to own a computer or to connect to the Internet. Don't disown the dumb thing you said. | | |
| ▲ | CPLX an hour ago | parent [-] | | I'm not disowning it at all. I think paying a recurring cost to prove you're an adult for purposes of accessing the internet is completely fine, trivial, and unimportant. You have to pay a cost to go out in public, since there are nudity laws. You have to pay a cost to use an airport or a train station. You have to pay a fee to prove that you own a car. And so on. It just doesn't matter. It's not important. It's consistent with how we organize our society in general, which makes focusing on it in this one particular instance more understandable as an attempt to distract from the substantive merits of these arguments about age verification. | | |
| ▲ | fluoridation 10 minutes ago | parent [-] | | >I think paying a recurring cost to prove you're an adult for purposes of accessing the internet is completely fine, trivial, and unimportant. Okay, but the person you replied to doesn't, and instead of providing an actual answer to their question, you posed a false equivalence between proving your age and buying a computer. >You have to pay a cost to go out in public, since there are nudity laws. You have to pay a cost to use an airport or a train station. You have to pay a fee to prove that you own a car. And so on. You are purposefully muddying the waters by being lax with your use of language. The "cost" you "pay" by wearing appropriate attire in public is fundamentally different from the actual cost you actually pay when you engage in commerce; one is a trade of freedoms and the other is a trade of goods and/or services. If your argument is that the freedom you have to trade in exchange for the freedom to access the Internet, is that of not having to show an ID, that's one thing. If you also have to add a recurring monetary cost then that's another. If you don't have an answer to the question of why someone should have to pay again to use the Internet beyond "*shrug* just 'cause, dude. Who cares?", then maybe you shouldn't have said anything. |
|
|
|
|
|
|
|
|
|
| ▲ | utopiah 4 hours ago | parent | prev | next [-] |
| > UUID card is non-identifying. Kids aren't going to trade Pokemon cards in the playground anymore... |
| |
| ▲ | choo-t 4 hours ago | parent [-] | | Well, they could trade identifying ones too or even stollen ID cards if you want to go this way. They could also trade porn-filled thumb drive or old-school glossy paper magazine. There no way to prevent kid's exposure to stuff at a 100% success rate. There no way to avoid exposure completely | | |
| ▲ | utopiah an hour ago | parent [-] | | Indeed but you are the one who claimed it was not a hard problem. I don't think any one of us pushing back here on those claims do so for the heck of NOT finding a "solution", rather genuinely asking because so far it seems nobody did find such a solution without compromises that is in the end not worth it due to the flaw in said solution. The point isn't to be critical of your process, only of the claim that it's a trivial problem. |
|
|
|
| ▲ | cogman10 4 hours ago | parent | prev | next [-] |
| And honestly, all these should ultimately just be done client side in the browser. After the browser has verified "User is x or user is over 21" there's no reason to then send that information to the website. Let websites issue a "window.isUserOver(16)" call once and then move forward based on the response to that query. |
| |
| ▲ | Wowfunhappy 3 hours ago | parent | next [-] | | This would require browser attestation, wouldn't it? Otherwise kids are just going to download a custom build of Chromium where `window.isUserOver(16)` is always `True`. | | |
| ▲ | cogman10 3 hours ago | parent | next [-] | | Some probably will. 99% of them don't even know what "Chromium" is. This doesn't have to be perfect. | | |
| ▲ | Wowfunhappy 3 hours ago | parent [-] | | Right now, they don't know. They're going to learn very quickly when they want to use some website and they can't. We agree it doesn't need to be 100% perfect. But it needs to be at least, like, 60% perfect, right? And unless you make it at least a bit hard to bypass, it will stop virtually no one. | | |
| ▲ | cogman10 2 hours ago | parent [-] | | Some undoubtedly will. Installing a new browser is already a bit hard for most people. I think you are a little skewed in your thinking being online on HN. You also aren't thinking about age. Certainly 16 and 18 year old probably can get a new browser installed. But a 14 year old? 12 year old? 10 year old? That barrier is a lot higher the younger a kid is. | | |
| ▲ | Wowfunhappy 2 hours ago | parent | next [-] | | I just finished my second year as a fifth grade teacher, so I have a lot of experience with ten year olds. I am confident a majority of my students would be able to install an alternative web browser if they needed to, and a majority of the remainder would ask a friend to do it. To give you an example of the workarounds kids will find: Youtube was blocked on school laptops, so the kids all started embedding Youtube videos inside of Google Sheets in order to watch stuff. This isn't, like, something a few savvy kids did, it was a widespread and common practice. | |
| ▲ | drnick1 36 minutes ago | parent | prev [-] | | Lol. I started building computers, installing operating systems and tinkering with Linux between ages 10-12. I also started watching porn not long after that, and guess what, I still became a more or less normal adult. There is absolutely no need to "protect the children." |
|
|
| |
| ▲ | mindslight 3 hours ago | parent | prev [-] | | No, it only "requires" browser attestation if we taken it as a given that the onus is on tech companies for verifying who they are talking to - ie identity verification that most of these schemes boil down to regardless of how cute they're dressed up. To effectively keep adult content away from kids, it merely requires secure boot and closed app stores, which are already widespread. And they are only required on the devices actually given to kids, rather than every single computing device. But this proposal has another problem: it's easy for a website to run isUserOver(n) in a loop to derive the exact age. And on a persistent account, it can be queried every day to derive an exact birthday! Which comes back to my main point that the only technical schemes we should be considering are ones where information strictly flows one way - the website/app supplies information to the browser/OS, which then [may] implement parental control policy. anything else fundamentally boils down to a mandate for identity verification. | | |
| ▲ | drnick1 33 minutes ago | parent | next [-] | | > To effectively keep adult content away from kids, it merely requires secure boot and closed app stores This is unacceptable. If I own a computer, I expect to be able to build and run any program, either written by myself or others, without asking anyone for permission. | | |
| ▲ | mindslight 23 minutes ago | parent [-] | | Maybe I needed to say "it merely requires the existence ...". Because I then do go on to say: > And they are only required on the devices actually given to kids My whole point is that this limits the blast radius, compared to any solution involving "age" (read: identity) verification which has a blast radius of every computing device! Perhaps my other comment will show you where I'm coming from better: https://news.ycombinator.com/item?id=48645646 |
| |
| ▲ | Wowfunhappy 2 hours ago | parent | prev [-] | | > To effectively keep adult content away from kids, it merely requires secure boot and closed app stores, which are already widespread. And they are only required on the devices actually given to kids, rather than every single computing device. ...I guess I don't really see the difference. Closed app stores are widespread on some platforms but certainly not others, and I for one would really like them to not spread any further. | | |
| ▲ | mindslight 2 hours ago | parent [-] | | For starters here, the difference is that only devices that parents give to kids need to have secure boot and controlled software sources. The point is that every other device remains completely unaffected. But in general there is a huge difference between the freedom-destroying properties of secure boot with closed app stores, and the next step of remote attestation. Remote attestation lets the server insist that you only run software fully of their choosing rather than your choosing, as a condition of interacting with them. This completely destroys the idea of protocols that mediate between two parties with diverging interests, and computationally disenfranchises users. Imagine the next generation of the Cloudflare nagwall that doesn't let you past unless you buy a new computer, and that new computer must be running MSWin/OSX and MSIE/Chrome. (also note that my use of "secure boot" here includes systems like on Pixels where you can straightforwardly unlock the bootloader (erasing the data on the device), install whatever you want, and then relock. I still find these systems philosophically objectionable, as there is still a privileged key baked in and retained by the manufacturer - similar security properties could be provided without the backdoor. But pragmatically they've been working okay) |
|
|
| |
| ▲ | mminer237 4 hours ago | parent | prev | next [-] | | This is how California is legislating it—requiring the OS to let an admin set the user's age, then let browsers and through them, websites, to query that setting. | |
| ▲ | inigyou 3 hours ago | parent | prev [-] | | You can get their exact age by binary search. | | |
| ▲ | ekr____ 2 hours ago | parent [-] | | Typically these APIs are designed so you can't make arbitrary queries, but rather there are fixed age brackets. | | |
|
|
|
| ▲ | dana-s 4 hours ago | parent | prev | next [-] |
| I'm just left wondering, how would that be different than buying a phone? Most kids also don't have money to spend on devices, that's all coming from adults, how would the UUID work any different? In my view it seems we'll just reach the current state as with phones. |
|
| ▲ | shevy-java an hour ago | parent | prev [-] |
| > - websites issue content tags, browsers consume them, you enter your age into the OS during setup. Why would that be acceptable though? What if a user does not trust the operating system? Even Linux may not be safe in the future, what with age sniffing coming by Red Hat integrating it into system already. And Red Hat plans more - xorg is abandoned on purpose, for instance. |
