US state laws push age checks into the operating system

https://lemmy.ca/post/61520557


In the OS is where it belongs. But not like this.

Parental controls are the answer. The OS should be required to support robust APIs that allow parents to set the age of their child and prevent children from accessing apps or sites (via browser APIs that hook into the OS APIs) that are out of the age range. The only actual “verification” should be parents choosing to type in the number.

There should be no mechanism broadcasting age information. Flip it: make websites contain content tags, and browsers/OS would then block based on opted-out content. Parents get controls, we get to keep our privacy.

Honestly, that is how I would prefer it be done. But it isn’t what OP asked for.

It would have to be set at an operating system level, with the OS providing an API for the browser to use, while the OS itself restricts installation of unapproved apps (and to work, installation of apps would have to use an allow-list or a similar age-tagging system, where any app that includes general web access has to be 18+ unless it also implements age-gating correctly).

But yes, this would be the best system. Parental controls have never been very successful in the past, but I think part of the reason for this is that they’ve never been properly supported up and down the stack. The government should mandate that it is supported the whole way, so that parents really have the tools they need to enforce parental controls.

Edit: I thought this was a comment in another thread. My reply here only makes sense in that context.

Is private age verification technically possible and if so how? - Aussie Zone

With many jurisdictions introducing age verification laws for various things on the internet, a lot of questions have come up about implementation and privacy. I haven’t seen anyone come up with a real working example of how to implement it technically/cryptographically that doesn’t have any major flaws. Setting aside the ethics of age verification and whether or not it’s a good idea - is it technically possible to accurately verify someone’s age while respecting their privacy and if so how?

For an implementation to work, it should:

* Let the service know that the user is an adult by providing a verifiable proof of adulthood (e.g. a proof that’s signed by a trusted authority/government)
* Not let the service know any other information about the user besides what they already learn through HTTP or TCP/IP
* Not let a government or age verification authority know whenever a user is accessing 18+ content
* Make it difficult or impossible for a child to fake a proof of adulthood, e.g. by downloading an already verified anonymous signing key shared by an adult, etc.
* Be simple enough to implement that non-technical people can do it without difficulty and without purchasing bespoke hardware
* Ideally not require any long term storage of personal information by a government or verification authority that could be compromised in a data breach

I think the first two points are fairly simple (lots of possible implementations with zero-knowledge proofs and anonymous signing keys, credentials with partial disclosure, authenticating with a trusted age verification system, etc. etc.) The rest of the points are the difficult ones. Some children will circumvent any system (e.g. by getting an adult to log in for them) but a working system should deter most children and require more than a quick download or a web search for instructions on how to circumvent. The last point might already be a lost cause depending on your government, so unfortunately it’s probably not as important.
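An added illustration, not part of the post or of any reply in this thread: one standard construction for the first three requirements is an RSA blind signature, a technique the post does not name and which is chosen here as an assumption. The key (built from two Mersenne primes), the simplified hash and all function names are constructed for the demo and are far too weak for real use.

```python
import hashlib
import secrets
from math import gcd

# Toy issuer key from two known Mersenne primes (constructed for the demo;
# a ~196-bit modulus is far too small for real use).
P, Q = 2**89 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # issuer's private exponent


def digest(token: bytes) -> int:
    """Hash a token into Z_N (simplified stand-in for a full-domain hash)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


def blind(token: bytes):
    """User: hide the token from the issuer behind a random factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (digest(token) * pow(r, E, N)) % N, r


def issuer_sign(blinded: int) -> int:
    """Issuer: runs only after checking the user's age out of band.
    It signs a random-looking number and never sees the token."""
    return pow(blinded, D, N)


def unblind(blind_sig: int, r: int) -> int:
    """User: strip r, leaving an ordinary signature on the token."""
    return (blind_sig * pow(r, -1, N)) % N


def service_verify(token: bytes, sig: int, spent: set) -> bool:
    """Service: accept a valid issuer signature once, reject replays."""
    if token in spent or pow(sig, E, N) != digest(token):
        return False
    spent.add(token)
    return True


def demo():
    token = secrets.token_bytes(16)               # random, carries no identity
    blinded, r = blind(token)
    sig = unblind(issuer_sign(blinded), r)
    spent = set()
    accepted = service_verify(token, sig, spent)  # valid proof of adulthood
    replayed = service_verify(token, sig, spent)  # same token presented again
    issuer_saw_token = blinded == digest(token)   # did the issuer see the hash?
    return accepted, replayed, issuer_saw_token
```

The token is a bearer value: nothing ties it to the person whose age the issuer checked, so the fourth requirement in the post (no handing a proof to a child) is exactly what this construction leaves open.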

Regardless, we should not be pre-settling for a terrible policy just because it’s better than an even worse policy. It’s not up to us to solve how to do something that is indefensible.