So, I have actually read the text of California law CA AB1043 and, honestly, I don't hate it. It requires operating systems to let you enter a date when you create a user account and requires a way for software to get a coarse-grained approximation of this that says either 'over 18' or one of three age ranges of under-18s. Importantly, it doesn't require:

  • Remote attestation.
  • Tamper-proof storage of the age.
  • Any validation in the age.

In short, it's a tool for parents: it allows you to set the age of a child's account so that apps (including web browsers, which can then expose via JavaScript or whatever) can ask questions about what features they should expose.

In a UNIX-like system, this is easy to do, with a tiny amount of new userspace things:

  • Define four groups for the four age ranges (ideally, standardise their names!).
  • Add a /etc/user_birthdays file (or whatever name it is) that stores pairs of username (or uid) and birthdays.
  • Add a daily cron job that checks the above file and updates group membership.
  • Modify user-add scripts / GUIs to create an entry in the above file.
  • Add a tool to create an entry in the above file for existing user accounts.

This doesn't require any kernel changes. Any process can query the set of groups that the user is in already.

If a parent wants to give their child root, they can update the file and bypass the check. And that's fine, that's a parent's choice. And that's what I want.

I like this approach far more than things that require users to provide scans of passports and other toxically personal information to be able to use services. If we had this feature, then the Online Safety Act could simply require that web browsers provide a JavaScript API to query the age bracket and didn't work unless it returned 'over 18'.
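Added example, not part of the original post or of any real tool: a sketch of the daily job described above, which reads a birthdays file and works out which age-bracket group each account should be in. The `username:YYYY-MM-DD` file format, the group names and the bracket boundaries (13, 16, 18) are assumptions. The script only computes a plan and does not change group membership.

```python
from datetime import date

# Assumed bracket boundaries (exclusive upper ages) and hypothetical group names.
BRACKETS = [(13, "age-under13"), (16, "age-13to15"), (18, "age-16to17")]
ADULT_GROUP = "age-18plus"
AGE_GROUPS = {g for _, g in BRACKETS} | {ADULT_GROUP}

def parse_birthdays(text):
    """Parse 'username:YYYY-MM-DD' lines (assumed format); '#' starts a comment."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        user, sep, born = line.partition(":")
        if not sep or not user.strip():
            raise ValueError(f"line {lineno}: expected username:YYYY-MM-DD")
        entries[user.strip()] = date.fromisoformat(born.strip())
    return entries

def age_on(born, today):
    """Completed years; a 29 February birthday counts from 1 March in non-leap years."""
    before_birthday = (today.month, today.day) < (born.month, born.day)
    return today.year - born.year - before_birthday

def bracket_group(born, today):
    age = age_on(born, today)
    for upper, group in BRACKETS:
        if age < upper:
            return group
    return ADULT_GROUP

def plan_changes(birthdays, memberships, today):
    """Return (user, groups_to_remove, group_to_add or None) for stale accounts."""
    plan = []
    for user, born in sorted(birthdays.items()):
        want = bracket_group(born, today)
        have = memberships.get(user, set()) & AGE_GROUPS  # ignore unrelated groups
        if have != {want}:
            plan.append((user, sorted(have - {want}), None if want in have else want))
    return plan

# Constructed sample data, not real accounts.
SAMPLE = "# user:birthday\nalice:2012-03-01\nbob:2008-02-29\ncarol:1990-07-15\n"
CURRENT = {"alice": {"age-under13", "users"}, "bob": {"age-16to17"}, "carol": set()}

if __name__ == "__main__":
    for change in plan_changes(parse_birthdays(SAMPLE), CURRENT, date(2025, 3, 1)):
        print(change)
```

Run from a daily cron job, each planned change would then be applied with the system's own group-management tool; no kernel support is involved.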

@david_chisnall And then another state or country passes a law that requires four age ranges, or another one that requires two, but they do not map nicely to the three CA requires.

You have now replicated another timezone mess.

@lerxst @david_chisnall Yeah, like 18 is not even standard across the globe.
@Arcaik @lerxst @david_chisnall true. But the important thing is the country of the child and whether he or she is considered an adult in his own country by his own device. Until they are adults, it should require parent's consent.

@pemensik You forget that a typical Big Tech TOS includes a venue clause, specifying that the laws of wherever their headquarters is apply to the contract.

@Arcaik @lerxst @david_chisnall

@riley @Arcaik @lerxst @david_chisnall sure, but I think it is not, should not be, about vendor HQ legal entity. A child should follow the law of their guardians, not the device vendor. If they live in a country with full independence at 21, okay. That information is needed for localisation and wireless protocols. Those are the only relevant ones. I cannot influence MS, but can do something on open systems, Linux distributions. Let's focus on those.
@riley @pemensik @Arcaik @lerxst @david_chisnall and this will be abused to fingerprint users:
do some weird requests over 10 jurisdictions' respective age-bins (see: modern websites loading dozens of frameworks), and now you can deduce the exact birthdate, which will help exactly ID the user. You can now add this ID on top of the heap of PII you sell to data brokers.
Who will further sell it to marketeers, fascist states, etc.
@dryak @riley @Arcaik @lerxst @david_chisnall you are suggesting the exact birthdate can be extracted, but the California bill doesn't propose that. That might happen only when it is implemented in a very wrong way.

@pemensik @riley @Arcaik @lerxst @david_chisnall > "California bill doesn't propose that"

...but that won't multiple other jurisdictions each wanting their own 2-4 age bins. Or other "simple check to protect children".

Combining these will quickly become a "20 questions game".

@pemensik Have you heard of cookies, a way to tie together repeated queries, potentially repeated over a whole year?

@dryak @Arcaik @lerxst @david_chisnall

@riley @dryak @Arcaik @lerxst @david_chisnall have you heard about the ability of browsers to forget cookies on closing?

@pemensik But only a child would be wise enough to configure their browser like that!

@dryak @Arcaik @lerxst @david_chisnall

@riley @dryak @Arcaik @lerxst @david_chisnall their parents might do that for them, if needed. Not sure what you want to use cookies for.
@pemensik Have you actually seen a parent? @dryak @Arcaik @lerxst @david_chisnall
@riley sure, I have a sister with two teenage children. Any other _relevant_ comments?
@dryak @Arcaik @lerxst @david_chisnall

@pemensik the difference is that while you can wipe cookies, providing age brackets is clearly going to be mandatory. You're not supposed to be able to shut it off trivially.

And again, if enough jurisdictions follow in the footsteps of California and mandate their own different local weird brackets, querying multiple such brackets enables quite some tracking.

@dryak correct me if I am wrong. Those age groups are mandatory to be provided by the OS. They are not mandatory sent over network AFAIK. The difference is important. Am I wrong?

@pemensik "Naive" would be more appropriate.

The law mandates that these age brackets be queryable by apps over an API.

So technically yes: the law doesn't literally require your OS to broadcast the age automatically over the whole internet.

BUT: in the age of apps with dozens of trackers (see Exodus reports) and "We and our 293 partners" cookies warning, do you really trust that the age checking will happen exclusively client-side and no information will ever leak back to the mothership?

@dryak that is up to OS vendors to handle sufficiently. I think more precise access might need some permission like location access, for example.

@pemensik nope. Parents are welcome to manage their children. “It should require” remains a specious claim.

@Arcaik @lerxst @david_chisnall

@cascheranno @pemensik @Arcaik @lerxst

I don't have a problem with laws that say 'organisations interacting with children without parents present must provide tools that allow parental control'. There are lots of laws like this outside of the Internet context.

I do have a problem with laws that say 'you must give up privacy because OMG think of the children!'.

@david_chisnall @pemensik @Arcaik @lerxst there are vastly *more* circumstances without age checks. Between me and midday, I shall interact with coffee, appliances, vehicles, racks of hazardous materials, strangers, countless forms of media, high places I can fall from, low or confined places I can fall into, etc. None need or deserve digital nanny laws. If I take a walk three blocks in a city and into a park, or walk any half mile outside of cities, the breadth of risks soars.

See? This new reg category is Specious.

It also leaps toward a substantial imposition on other (legal) activity with scant need and questionable effectiveness.

As for “organizations”: The bulk of those hazards aren’t interactions with Organizations. It seems an artificial term given how we interact with our world, selected because it gives this misguided concept someone who’ll bear assignment of responsibility.

I’ve lived thru nanny tech initiatives, think-of-the-children lobbying, needed-to-fight-terrorism bills, etc. Through wiretap adaptations, DHS, Clipper chip and putting warning labels on adult stuff. The scary thing is the reg, not unfettered existence. Facial recognition and captured surveillance data, not ‘kid might get root’.

Flip the script and imagine use cases where you deserve to decide but are blocked. An abusive parent. Oppressive leaders (church or state or school).

Also, recall times you ‘colored outside of the lines’ in your learning, saw stuff not yet age appropriate, and (a) didn’t suffer or (b) learned adult lessons like safety or to recognize warning signs.

@david_chisnall @pemensik @Arcaik @lerxst

@cascheranno @david_chisnall @Arcaik @lerxst CA bill doesn't require any identification. Only the OS has to provide age group to apps for minor users. You are opposing things you've imagined, but nobody demands in this case.

@pemensik @david_chisnall @Arcaik @lerxst I’ve been a cypherpunk since Usenet was the hotness. Would you like a thousand examples where the shit imagined became reality?

Oppose ‘has to’. On principle. This time around, if Cali behaves, I fear the states that go further. And then they smooth out the wrinkles and Cali gets a bit more severe, or lack of impact (because, let’s face it, this nanny shit is either draconian or ineffectual or both, sought by folks who don’t deserve to be in the room when digital policy is written) … sorry, the parenthetical got away from me.. or lack of impact will yield a version 2, just a little more. Then a bit more.

Yeah, I’m opposed to it all, since it’s a terrible thing that strips a digital freedom, empowers the controlling, and has no chance of accomplishing the ostensible goals.

@cascheranno @david_chisnall @Arcaik @lerxst Then ensure things go in the correct direction, watch their good course. Request correct implementation of the bill by your OS vendor. The bill itself is good IMHO. Details can go wrong, but that doesn't have to be. See, we are not using Usenet for our posts. Some things have changed, I think to better things very often. Not always, but that is up to us. Improving the world for everyone is a very difficult task.
@pemensik @david_chisnall @Arcaik @lerxst how is this a good direction? I see an overboard infringement / reduction vs. no nanny in my gear.
@cascheranno @david_chisnall @Arcaik @lerxst I think the good solution for missing "has to" is marking the device/OS not recommended for children. If you have clear indication this device has no parental controls and you give it to your child as a parent, it becomes *your responsibility*. I think that should be okay and not punished by the law. But parents should have that choice when purchasing the device available under simple to understand terms. Not only for IT experts.
@david_chisnall @cascheranno @Arcaik @lerxst why do you think you must give up privacy, if the OS has to be able to report age *group* for underage minors? If the bill is implemented well, it allows protecting privacy, but reporting some actions should not be allowed to this child. I think that is a good idea.

@Arcaik 18 is the closest there is to a standard, due to the Convention on the Rights of the Child, which establishes 18 as the default age of majority (but still allows it to be overridden by local laws). A curious example of another value leaking is how, because 16 used to be the age of majority in the Netherlands for a long time, a lot of medical guidelines for trans youths, even in other countries, used to adopt 16 as an explicit age that a person would be able to consent to their gender (until the GOPnik bullies decided to start picking on trans women and children after the Oberge fell).

@lerxst @david_chisnall

@riley @Arcaik @lerxst @david_chisnall
Do you have a source for the 'age of majority in NL used to be 16'?

All I can find is that since the middle ages the age of majority in the Netherlands varied between 25 and 18.

And yes, children get gradually more rights/obligations between ages 12 and 21 in the Netherlands, it isn't black/white.

https://habsburg-legal-services.com/dutch-historical-age-of-majority-or-maturity/


@joosteto Not off the top of my head, I'm afraid. My source was some medical treatment guide that I read years and years ago, and don't remember the precise details of it anymore. If that helps, my understanding (from other marginal sources) is, the changeover from 16 to 18 would probably have happened in late 90s or early noughties.

But I could be wrong; if you find a contrary source, I will stand corrected.

@Arcaik
@lerxst @david_chisnall

@joosteto I believe the guidelines were some document published by the Dr Norman Spack's team, FWIW. I'm reasonably confident that they got it right, but, of course, they're doctors, not lawyers. @Arcaik @lerxst @david_chisnall
@riley @Arcaik @lerxst @david_chisnall
I turned 18 in 1988 (in the Netherlands) and I certainly remember that's when I was called an adult, so it must have been before that.

@joosteto Curious. I'll be watching out for a better source, then.

@Arcaik @lerxst @david_chisnall

@lerxst @david_chisnall

Next thing we know, age verification across time zones to implement Daylight Savings Age and Leap Age, 32 bit age with the #year2038 problem...

@dianea @david_chisnall hey, this is California, don’t forget there’s probably going to be an age restriction but only when Mercury is in retrograde! Hope you paid attention in classical mechanics! 😆