Sam Black

Yeah countries and states are relatively happy with the non-privacy systems as they “work”. My principle problem is I cannot see this system “working” to the satisfaction of the seemingly incessant voices who don’t want a child to see something that they shouldn’t, where “something” is nebulous and seems to change with who you ask and at regular intervals. I’m probably very jaded - I’d love to be proven wrong and this system works as a least worst option, but I’m in the UK and we recently seem hell bent on choosing the worst option offered.

I thought similarly that a minimally privacy invasive set up like sending a “I’m over/under 18” signal that didn’t require verifying government ID/live face scans/AI “age approximation” would be a good idea, but I now think that this system would fall over very quickly due to the client and server not being able to trust each other in this environment. The client app, be it browser, chat, game etc, can’t trust that the server it is communicating with isn’t acting nefariously, or is just collecting more data to be used for profiling. An example would be a phishing advert that required a user to “Verify their Discord account”, gets the username and age bracket signal and dumps it into a list that is made available to groomers [1]. Conversely, the server can’t trust that the client is sending accurate information. [2] Even in the proposal linked, it’s a DBUS service that “can be implemented by arbitrary applications as a distro sees fit” - there would be nothing to stop such a DBUS service returning differing age brackets based on the user’s preference or intention. This lack of trust would land us effectively back to “I’m over 18, honest” click throughs that “aren’t enough” for lawmakers currently, and I think there would be a requirement in short order to have “effective age verification at account creation for the age bracket signal” with all the privacy invasive steps we all hate, and securing these client apps to prevent tampering. At best, services wouldn’t trust the age bracket signal and still use those privacy invasive steps, joining the “Do Not Track” header and chocolate teapot for usefulness, and at worst “non verified clients/servers” (ie not Microsoft/Apple/Goolge/Meta/Amazon created) would be prevented from connecting. The allure of the simplicity and minimal impact of the laws is what’s giving this traction, and I think the proposals are just propelling us toward a massive patch of black ice, sloped or otherwise. Having said that, I can’t blame the devs for making an effort here, as it is a law, regardless of how lacking it is. [1] I realise “Won’t someone think of the children!” is massively overused by authoritarians, give me some slack with my example :) [2] Whilst the California/Colorado laws seem to make allowance for “people lie”, this is going to get re-implemented elsewhere without these exemptions.