Today, March 17th, the ECA Digital (read: mandatory age verification online) takes effect in Brazil.

Sad day.

#brazil #eff #privacy #ageCheck #ageAttestation #digitalrights #surveillance

What I want from the modern web is to be treated like a kid 13 or under.

Don't ask me to agree to one-sided terms of service, don't send me marketing spam, don't track me, don't make me constantly hypervigilant against attempts to appropriate my money/identity/attention by pickpocketing my consent.

My working assumption is that any app that wants to know my age means to do me harm.

#AgeVerification #AgeAttestation #Age

#Age #ageAttestation 4 🌧️a 🌤️ #weathers app  🤦🏼

#weather

"I pulled the actual bill text from 5 state age verification laws. They're copy-pasted from two templates. Meta is funding one to dodge ~$50B in COPPA fines — and the other one covers Linux."

#AgeVerification #AgeAttestation #ThinkOfTheChildren #Privacy #CA_AB1043 #AB1043 #SB3977 #IL_SB3977 #COPPA #FaceBook #Linux #OpenSource

https://www.reddit.com/r/linux/comments/1rmhxk1/i_pulled_the_actual_bill_text_from_5_state_age/

Journalists! Why you should not bother wasting your/everyone’s time covering “Age Verification” on Linux: The “Tug of War” Theory of Open Source https://alecmuffett.com/article/148084 #AgeAttestation #AgeVerification #MarkZuckerberg #OpenSource #apple #google #ubuntu

Journalists! Why you should not bother wasting your/everyone’s time covering “Age Verification” on Linux: The “Tug of War” Theory of Open Source

tl;dr: the “project” of open source age verification will inevitably implode — probably messily — and waste everyone’s time whilst also reifying narrative of “support” for an approach to user safety that will not deliver its purported benefits.

Here I explain why it will fail from the perspective of ~40 years of free software and open-source coding.

And it’s not “because the user will switch it off”

If you strew a metaphorical rope in front of a bunch of geeks, they will rapidly group together, split into two or more factions, and engage in tugs of war with each other whilst arguing importantly over architectural and strategic errors that the other team is making.

You can go browse the sorry husk of StackOverflow for evidence, but this has also always been the case; for any given software niche there are mutually-hostile solutions:

  • System V vs BSD
  • 386 BSD vs Minix vs Linux vs Hurd
  • ( FreeBSD vs NetBSD vs OpenBSD (each other)) all vs Linux
  • Subversion vs Git vs Mercurial vs …
  • OpenOffice vs LibreOffice
  • MIT License vs GPL vs Apache License vs …
  • Emacs vs XEmacs vs Lucid vs …
  • MySQL vs MariaDB
  • X11 vs XFree86 vs Wayland (… vs CLI)
  • Jenkins vs Hudson
  • Motif/CDE vs OPENLOOK
  • KDE vs Gnome
  • CORBA vs SOAP vs REST
  • Applets vs ActiveX
  • Java vs C#
  • MSPassport vs Project Liberty
  • XML vs Protobuf vs JSON vs …
  • JavaScript vs ECMAScript
  • HTML5 vs everyone
  • Systemd vs System V Init
  • Twitter vs Mastodon
  • [insert any number of Linux distributions]
  • …the list continues indefinitely; this is not free-market competition so much as it is rap-artists both working and dissing each other’s work

Software Development in general and Open Source in particular institutionalises “exit” and “competition”, and it is in the nature of the open-source community for people to become sufficiently angry or otherwise motivated to rage-quit an existing project and attempt to set up “differently” for any number of reasons, from project governance to solution architecture to implementation language to personal/corporate conflict to complete ignorance or hatred of existing approaches.

This does not always happen, but long-term consistency of a project usually is a result of a combination of two or more of:

  • creation of a solution ecosystem or platform, rather than filling a functional niche
  • clear, collective vision of user resources, user needs, user metaphor, and architectural design and approach
  • solid yet uncontroversial governance, often pivoting around a BDFL / Benevolent Dictator For Life (Torvalds, Van Rossum, Wall, …) and user-centric ideology

    Why Age Verification (AV) will Fail in Open Source

    Basically: AV is not a governed visionary ecosystem, it’s a tickbox compliance requirement.

    It’s a free-for-all.

    Subsequent to announcement that the State of California will demand AV, any number of junior devs now want to make names for themselves by being “first to ship this important feature” and so they will come up with half-assed solutions that fit within their preferred ecosystem (e.g.: DBus/Ubuntu) and nowhere else.

    This is fine. Think of it as your five year old kid at the beach making a sandcastle. That’s what they do. They will demand applause, but it’s still an imaginary thing. And there will be dozens of sandcastles on the beach in short order, and they will all prosecute war amongst themselves.

    The thing is: Age Verification is literally a gatekeeping solution. If it is to be effective at all, it must be deployed in situations where gatekeeping makes sense — and general purpose operating systems are not those places.

    This is a point we’ve already learned from the likes of Digital Rights Management and different methods of copy-prevention for Floppy Disks, CDs and DVDs. To be effective the scope of the gatekeeping needs to be beyond user control, which is not the case in operating systems. Various workarounds such as Trusted Platform Modules have been proposed in-past, and (surprise!) they don’t work well (often: not at all) in Open Source operating systems where the intent is to exclude the user.

    If you want to understand the background some more, go read The Coming War On General Purpose Computing — because we’ve seen this coming for more than a decade.

    So: to wrap this up really briefly:

    • Age Verification for Linux will create a bazaar of diverse non-solutions — lacking common foundations, visions, intentions
    • …also utterly lacking the technical means to exclude the user from their own computer
    • …and these competing “solutions” will aim, primarily, to get a few cheap headlines and ideally a puff-piece in the Guardian before they either fade naturally from lack of adoption, or are slashed-to-death by infosec practitioners; one or two might make it into a big distribution, and circumventions will rapidly arrive

    Gatekeeping and Age Attestation

    Privacy Wonks will hate it, but Mark Zuckerberg is correct that the proper place for prescriptive Age Verification is in the App Store of a mobile device; yes, that means Google and Apple will “find out more about you” but that can be minimised if they choose to implement a privacy-preserving protocol a-la what happened over COVID tracking.

    The reason people are angry about this is that they don’t understand that the App-Store-and-Google/Apple-Account approach to AV is a degenerate form of what we should have been doing all along: age attestation, not age verification.

    The user should be signed up with their own preferred provider of private age-attestation services which they can enmesh into whatever transactions they require an age test for; this puts the user in control of provider choice and information protection, and the reliant parties — vendors, porn sites, forums, whatever — should be obliged to accept attestation tokens.

    But we don’t do that, probably because (a) it makes less money for the industry and (b) because Governments get more ID tracking metadata with the age verification approach.

    #ageAttestation #ageVerification #apple #google #markZuckerberg #openSource #ubuntu

    On the unfortunate need for an "age verification" API for legal compliance reasons in some U.S. states

    RE: https://infosec.exchange/@patrickcmiller/116162934900485808

    #Colorado is running a bill this session, titled SB26-051 (leg.colorado.gov/bills/SB26-051), which will require "general computing platforms" (laptops and phones) to build a form of locally-stored age attestation into the onboarding process for a new user on the device. The data about the user would then be categorized into one of three age brackets, stored locally, and then passed to various apps/platforms/social media at registration time.

    In the bill's committee hearing last week, I and several other people told the bill sponsors that we understand the problem you're trying to solve, but that this is a terrible way to solve it. Many speakers offered to help advise the bill authors on implementing a less fragile, more secure, less susceptible system, but they wouldn't budge. Not a single committee member voted no on a motion to advance the bill to the "committee of the whole" - i.e., the full legislature for a final vote.

    The only hope now is for people to reach out to legislators to ask them to vote no on the final bill draft. Otherwise, we're going to get stuck with a really dumb bill that gets signed into law on a "but...think of the children!" appeal, with no hope of being implemented properly.

    It's notable that this Apple system would not satisfy the requirements the bill sets up.

    #COpolitics #ElectMoreHackers #ageAttestation #childsafety #onlinesafety

    Bluesky, Britain, Age-Verification, Age-Attestation, and Railway Trains | …what child-protection measures British Civil Society *ought* to be demanding
    https://alecmuffett.com/article/113692
    #AgeAttestation #AgeVerification #OnlineSafety #bluesky #censorship #google #privacy #w3c

    Bluesky, Britain, Age-Verification, Age-Attestation, and Railway Trains | …what child-protection measures British Civil Society *ought* to be demanding

    A friend/peer asked me “What are you going to do about Bluesky’s announcement of Age Verification?” as recently described in the Verge — and this is my response:

    At the moment I am going with “point and laugh, loudly” because if you pick a side then various self-righteous twerps will either chide you for not protecting children, or they will chide you for not being sympathetic to Bluesky being at the mercy of draconian law (“but what can we do, mustn’t grumble, etc etc…”)

    I feel that we should take a different approach.

    I believe that [British Civil Society] severely mishandled the online safety act, in many respects caving to the child protection and age verification lobbies in a manner which I presume was meant to keep us with a seat at the table but which has in the process sold-out the privacy of the internet user. 

    What we should have been doing on this matter is fighting a similar fight to that which we saw during COVID – demanding (once we worked out / it was announced that it was possible) that platforms solve the problem in a privacy-preserving manner, rather than each and every nation-state being free to (in that case) squirt its own infected-person-tracking code into each and every Android and iOS device in the world

    With respect to age verification, we should have led with three observations: 

  • that the current system of age verification for buying (e.g.) booze in shops works because vendors are obligated to accept reasonable credentials being presented to them (flashing your driver’s licence, etc) 
  • that it is entirely possible to replicate this architecture in a privacy preserving manner with digital credentials as [some kind of] “bearer” tokens, [for trivial example] a HTTP header which contains a token saying “the user of this web browser is over 18 but not over 40, do with this information what you will”
  • that the architectural choice to burden and obligate {vendors, platforms, social media, other age-dependent sites} with engaging third party AV service providers, both (a) proliferates user data unnecessarily (see above) plus (b) worsens the user experience by obligating the user to jump through hoops in order to buy something (different providers for different vendors) — when in fact they should just have a single credential which they can flash at the vendor web server.

    It’s interesting to see that both Google and the W3C are starting to stick their nose into the latter [kinds of] solutions, so Britain – by “leading the way” – may have backed itself into a corner from which it will not readily emerge. Much like the railways we will lay down this [legal and regulatory infrastructure] early and come to regret it later.

    [Basically: much like what happened to the original GCHQ/UK-Homebrew COVID-tracing app, but where the cost is smeared over everyone rather than coming exclusively from NHS coffers.]

    So that’s why I’m going to “point and laugh” – because it’s not polite to criticise Bluesky for fulfilling its obligations under British law, however they will serve as a tragic example re: how precipitously user engagement will drop off under the “vendor-initiated” age verification regime, because we are all following Baroness Kidron’s illiberal march towards a safer world for our children, informed by the rent-seeking instincts of the age verification industry – as I first documented in 2016

    Instead we need a world of “user-initiated” bearer-type tokens to fulfil age-verification obligations [- which themselves, in turn, should be minimised -] and we will also need civil society like ourselves to hold our noses re: the likely fact that this would (short term) put incrementally more information and power into the hands of Apple and Google – although in the ideal circumstance users should be enabled to purchase “age-attestation” services from whomever they like.

    #ageAttestation #ageVerification #bluesky #censorship #google #onlineSafety #privacy #w3c
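
The user-initiated bearer token described in the posts above (an attestation from a provider the user chose, carrying only an age bracket, checked by the site that relies on it), shown as an added example that is not code from any of the quoted authors or projects. The header name, claim names, bracket labels and the choice of Ed25519 signatures are assumptions.

```javascript
// Added example; header, claim and bracket names are assumptions. Runs as CJS or ESM.
const crypto = typeof require === 'function'
  ? require('node:crypto') : process.getBuiltinModule('node:crypto');

const HEADER = 'age-attestation';           // hypothetical request header
const ALLOWED_CLAIMS = ['bracket', 'exp'];  // nothing that identifies the user
const b64u = (data) => Buffer.from(data).toString('base64url');

// Attester (the provider the user chose): sign a minimal claim set with Ed25519.
function issueToken(privateKey, bracket, ttlSeconds, nowMs, extra = {}) {
  const claims = { bracket, exp: Math.floor(nowMs / 1000) + ttlSeconds, ...extra };
  const payload = b64u(JSON.stringify(claims));
  return `${payload}.${b64u(crypto.sign(null, Buffer.from(payload), privateKey))}`;
}

// Relying party: accept any trusted attester's signature, then apply its own policy.
function checkToken(token, trustedKeys, acceptedBrackets, nowMs) {
  const [payload, sig, ...rest] = String(token || '').split('.');
  if (!payload || !sig || rest.length) return 'malformed';
  const sigBytes = Buffer.from(sig, 'base64url');
  if (!trustedKeys.some((k) => crypto.verify(null, Buffer.from(payload), k, sigBytes)))
    return 'bad-signature';
  let claims;
  try { claims = JSON.parse(Buffer.from(payload, 'base64url').toString()); }
  catch { return 'malformed'; }
  if (!claims || typeof claims !== 'object') return 'malformed';
  // Data minimisation: refuse tokens that carry anything beyond bracket + expiry.
  if (Object.keys(claims).some((c) => !ALLOWED_CLAIMS.includes(c))) return 'over-sharing';
  if (typeof claims.exp !== 'number' || claims.exp <= nowMs / 1000) return 'expired';
  return acceptedBrackets.includes(claims.bracket) ? 'ok' : 'bracket-not-accepted';
}

// Web-server entry point: read the token from the (lower-cased) request headers.
const checkRequest = (headers, ...policy) => checkToken(headers[HEADER], ...policy);

// Constructed sample run: keys, times, brackets and the e-mail address are made up.
function demo() {
  const attester = crypto.generateKeyPairSync('ed25519');
  const stranger = crypto.generateKeyPairSync('ed25519');
  const trusted = [attester.publicKey], t0 = Date.UTC(2026, 0, 1);
  const mint = (key, bracket, extra) => issueToken(key, bracket, 300, t0, extra);
  const good = mint(attester.privateKey, '18-40');
  const forged = b64u(JSON.stringify({ bracket: '18-40', exp: 9999999999 }));
  const check = (tok, now = t0) => checkToken(tok, trusted, ['18-40'], now);
  return {
    valid: checkRequest({ [HEADER]: good }, trusted, ['18-40', '40+'], t0),
    expired: check(good, t0 + 301000), untrusted: check(mint(stranger.privateKey, '18-40')),
    tampered: check(`${forged}.${good.split('.')[1]}`),
    leaky: check(mint(attester.privateKey, '18-40', { email: 'a@example.test' })),
  };
}
```

Because this is a bearer token, anyone holding it can present it until `exp`, so the attester should keep lifetimes short.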
