Mastodawn

@Em0nM4stodon There are technical solutions without mass surveillance.

But I am not optimistic enough to believe those will be demanded.

Specifically because of the lack of surveillance, and the lack of monopoly protection for big tech.

Pretty sure big tech lobbyists are making sure the worst approaches possible get put into law. Not because they are evil per se, but because it strengthens their monopolies.

Mercutio Feb 22

@divVerent

Any technology is generally insufficient when it comes to resolve social deficits.

@Em0nM4stodon

@divVerent @Em0nM4stodon No there are not. This is a fundamental fact of mathematical logic. Given a proposed age verification system you can prove that it's either trivially bypassed (doesn't actually verify age) or violates key privacy properties.

Em's point is spot-on. If you think of this as a problem to be solved, you are going to be wrong and you are going to be a useful fool for fascists.

@dalias @Em0nM4stodon My approach is actually one of the former category - "trivially" bypassable.

By making the parents responsible. They can set up youth protection software on the device on their children's devices if they feel they need to. Just like now.

The only technical thing I'd ask for is that social networks describe themselves in some form of XML file, and that they respect a Do-Not-Track-like header.

All else is on the client software. Which the parents may or may not install. And if the kids are old enough to have the kind of money to buy their own phone and pay for their own internet connection, they can of course trivially bypass it and I don't care.

And sorry for being a fascist. I don't want platforms like Roblox, TikTok and X to keep harming children. Honestly, I'd rather have them banned entirely (and also every single short video platform or platform feature). But as that's not gonna happen, let's keep at least children out of there. Or else we'll be raising more fascists.

@divVerent You said the solution to your actual problem right there: ban these abusive platforms entirely. Or at least regulate them into not being able to do the really harmful things they do - to people of all ages. None of that has anything to do with policing children or policing whether users are adults.

@dalias But that's not gonna happen.

So next I at least don't want children to be confronted with this abuse.

The absolute minimum demand for technical changes to the internet I have is getting Do-Not-Track back. When set, platforms still must operate to its full extent but not perform any user behavior analysis for purposes such as content recommendation or targeted advertisement (they still should be allowed to track for abuse prevention but they must take and disclosure measures that such data is not used for any other purpose, not even used as training data for future AI models).

@divVerent If you don't want them confronted with this, but it still exists, all you're doing is setting them up not to be equipped to deal with it once they do. And either way they're still stuck living in a world ruled by adults whose brains are rotted on this stuff. I get that this is all very unpleasant and people want an easy solution, but there is none short of attacking the root problem.

If you think hiding it from children (not with trojan internet passport schemes, which are a non starter, but as a parent or whatever) is best, you do you. I think educating and conveying values to them so that they can see the rot for what it is and be ready to protect themselves and fight it is probably better.

@divVerent @[email protected]

always tired Feb 22

The children will be confronted with so much if we don't solve issues with tech bros at the source.

And soon enough everything will seem small compared to the climate catastrophe, which those tech bros have a big part in.

always tired Feb 22

@divVerent And first results from Australia are in. Guess what. A net negative for kids.

It's not actually about kids in the first place.

Epic Null Feb 22

@divVerent @dalias why isn't it going to happen?

We are in a bad spot now, but... the bubble is popping. A bubble that pretty much all of survailence capitalism is involved in.

Politically things are heating up.

The USA's control is also breaking across the world.

Pretty much all the major companies are involved with a single scandal that is shaking up leadership in several places.

People are actively pushing back against Ring and tearing down Flock cameras in a push agaiinst survailence capitalism.

With such a turbulant time, why couldn't we successfullly land in a space where abusive platforms are banned and a minimum standard of behavior is established?

@dalias @divVerent @Em0nM4stodon Knowing how old someone is does not limit their speech nor their ability to vote (we verify age for that already, and for many other reasons). Age verification isn’t state censorship. I suppose it could be a way to limit anonymous speech. That isn’t a Right where I am from (nor is ‘free’ speech). I doubt anonymous speech is a Right anywhere.

I have no doubt it’s absolutely technically feasible in a way that infringes on no one’s privacy. Ultimately though, yes, it could be abused by bad actors. Like everything else in civilisation we need some balance of enforcement to deal with those people.

@edwiebe @dalias @Em0nM4stodon From what I understand, active verification does necessarily invade privacy.

But active verification is not necessary.

A mere social media ban under age X, if necessary, could simply be passed as a law, making the parents responsible for ensuring their children follow it. There already are existing laws of this kind for other areas of life. And as parents are responsible for supervising their children, they definitively can also be responsible here.

The opposite is true as well - while the child is supervised by their parents, such restrictions should not apply.

To support the ban, I still think it'd be useful to have an (optional at parents' discretion) software solution. Sure one could go all allowlist using e.g. Google Family Link, but I'd prefer if sites specified their purpose (and also some other properties, e.g. the severity of various kinds of NSFW content, potentially even at multiple levels of which the client can then pick one and specify in a header) for such software to use. That's trivial to do, it's just one file to be placed in the web server's root and it'll work. Could store it in DNS instead, whatever, don't care.

Furthermore, while at it, we could combine this with a technical solution for COPPA and other regulations that ban tracking and surveilling children online. Namely, revive Do-Not-Track, and have aforementioned software automatically set the header for minors.

But, I hear Big Tech say, then what if adults set the header too?

Then you don't effing track them either.

But... what if everyone sets it?

Then the people have spoken.

@divVerent

Age verification doesn't take away anyone's Rights.

Maybe we don't need it. Maybe we do. That's a different discussion.

@Em0nM4stodon @dalias

Random Damage 🌻Feb 22

@edwiebe @divVerent @Em0nM4stodon @dalias It takes away all kinds of rights that you don't even realize you depend on

Like the right to live an unmonitored life

Maybe you *think* you don't have anything to hide.

Maybe you *think* you don't have anything that somebody with power over you wants

If you value anything in your life, you absolutely are relying on a right to privacy to protect it

@divVerent @Em0nM4stodon @dalias

@RandomDamage

Age verification doesn't take away anyone's Rights. That's nonsense. No one on Earth has a Right to Use the Internet Anonymously.

@edwiebe @RandomDamage @divVerent @Em0nM4stodon Um, yes we do. 🖕

@dalias @RandomDamage @divVerent @Em0nM4stodon

You don't understand what a "Right" is.

@edwiebe @dalias @RandomDamage @Em0nM4stodon There is no right to use the internet at all, and as such there is no right to use it in any specific way either, sure.

However there is a right to participate in political discourse. It is the right to free speech. And this right must be ensured.

The safest way to ensure this right actually can be enjoyed by the people is to permit anonymity.

@divVerent @RandomDamage @Em0nM4stodon @edwiebe There is a right to participate in public life and discourse, to speech and assembly in the venues that exist in the society you live in. To movement within the spaces that life happens in.

@dalias These rights and freedoms (where I live) depend on verification of my identity. They don't apply, for example, to non-citizens.

@edwiebe Um, that's a fucked up taked and probably wrong. Even in the US, none of those rights are tied to citizenship or identity, but guaranteed to all persons. Even moreso in a UN sense of rights. But in any case we live in a world where the rule of law has broken down and trying to appeal to "rights" rather than what's right is just going to be surrendering to fascists who think they get to redefine those rights and who has them.

@dalias There is a Universal Declaration of Human Rights but not everyone agrees to uphold them or all of them. Canada recognises them but does little to nothing to provide housing, for example. Other Rights come with the accident of your Birth. No where is there a Right to be Anonymous, or a Right to Withhold your age.

I'm just repeating myself so I think I have no more to add.

@edwiebe @RandomDamage @divVerent @Em0nM4stodon "No one on Earth has a Right to Use the Internet Anonymously" is a manipulative, pro-fascist way of saying "no one who can't safely identity themselves has the right to use the internet".

@dalias @RandomDamage @divVerent @Em0nM4stodon

There's no reasonable way to respond to that.

@edwiebe @RandomDamage @divVerent @Em0nM4stodon Sure there is. By apologizing and admitting you've been posed on the wrong side of this by people who don't have yours, my, or any vulnerable people's best wishes at heart.

@dalias We're not talking about my best wishes. We're talking about Rights.

@edwiebe @divVerent @Em0nM4stodon @dalias

Random Damage 🌻Feb 22

The right to privacy precedes the Internet and is not superceded by technology

Do you *really* want to die on this hill?

Epic Null Feb 22

@RandomDamage @edwiebe @divVerent @Em0nM4stodon @dalias People think they have nothing to hide

Till they realize who they're hiding it from.

@RandomDamage @edwiebe @divVerent @Em0nM4stodon @dalias

ray Feb 27

Only property and prisoners are monitored 24/7. I am neither.

@edwiebe @Em0nM4stodon @dalias So who do you trust enough to present your ID to online?

@divVerent
My Government(s).

@Em0nM4stodon @dalias

@edwiebe @divVerent @Em0nM4stodon There is no way to know how old someone is without attestation by some authority who knows their identity. This precludes participation by anyone not known to such an authority (undocumented, outside of jurisdiction, etc.) or for whom it is not safe to let that authority know they are participating. And this is only the tip of the iceberg.

You are dangerously wrong, and you should stop advocating about things you're dangerously wrong about.

@dalias @divVerent @Em0nM4stodon

If you're suggesting every jurisdiction should allow unrestricted access to everything because some jurisdictions are authoritarian then I disagree.

Feb 22

@edwiebe @dalias @divVerent I recommend watching this short video to understand better how the data we collect now can have a great impact on a government that turns authoritarian later: https://infosec.exchange/@Em0nM4stodon/116031435192287968

Em :official_verified: (@[email protected])

I wish I could force every legislator in favor of Age Verification to watch this amazing talk by Carissa Véliz, So that they understand the dangers of the surveillance infrastructure they are currently putting in place. You should watch it too: https://www.youtube.com/watch?v=xSPRouBvgFE #Privacy #Democracy #HumanRights #AgeVerification #MassSurveillance #Fascism

Infosec Exchange

@edwiebe @dalias @Em0nM4stodon You don't need rights until you do.

su_liam Feb 23

@edwiebe @dalias @divVerent @Em0nM4stodon Yeah, it would be a real shame if a free state was unable to restrict what it’s free citizens could hear or say. Well worth the power that state can retain when it decides to be less free. 🙄

Ed Wiebe Feb 23

@su_liam There are many reasonable limits to what 'free' people can be allowed to do and say to each other.

su_liam Feb 24

@edwiebe Are you setting those limits or am I?

Talya (she/her) 🏳️‍⚧️✡️Feb 22

@dalias @edwiebe @divVerent @Em0nM4stodon
while that's true, it is possible to make such an attestation without destroying privacy (see https://soatok.blog/2025/07/31/age-verification-doesnt-need-to-be-a-privacy-footgun/).
however, even if you do that, it'll still be morally wrong in most cases.

and also, corporations are deliberately not going for the private solution, and governments are shifting the blame to users. the Czech government recently admitted social media is already illegal for teens (due to privacy laws), but they want new laws anyway.

Age Verification Doesn’t Need to Be a Privacy Footgun - Dhole Moments

“Won’t someone think of the poor children?” they say, clutching their pearls as they enact another stupid law that will harm the privacy of every adult on Earth and create Prior R…

Dhole Moments

@Yuvalne @edwiebe @divVerent @Em0nM4stodon No, it is not possible. The ZPK bs is privacy-washing designed to bamboozle policy makers and privacy activists who don't understand math. Either it doesn't actually verify age (I can setup a proxy to hand out age proof verification tokens to anyone who wants them using my identity; I would absolutely do that if it were cryptographically safe) or something exposes to the token providing authority that I'm doing this and allows detection that someone else used my identity (thereby violating my privacy).

@dalias @Yuvalne @edwiebe @Em0nM4stodon Precisely - also as I described.

The one way around that would be storing the secret for the ZKP in a TPM.

Yeah, right, with that you can still run your own proxy and provide the ZKP for someone else.

But it is possible to then also use some forms of remote attestation so this doesn't work. Like, yeah, you can forward the ZKP, but then only you can decrypt the connection and not your "customer", as the decryption key is in your TPM and can't get out.

Despite all that, in worst case you can run a web browser in a VNC session for others to use, with your age claim. Nothing can prevent that - other than the ZKP not being actually ZK.

And that, indeed, is why ZKP aren't gonna happen for this. Even if they're cryptographically ZK, they'll end up signing more than just the age - at which point it's a privacy violation again and also no stronger than merely claiming your age in the first place.

Talya (she/her) 🏳️‍⚧️✡️Feb 22

@divVerent @Em0nM4stodon @dalias @edwiebe the crypto discussion misses the point.

no corporation has went down this way, and that's a deliberate choice of them. countries introduce ID requirements for social media instead of going after corpos for collecting kids' data, and that's a deliberate choice of them.

and they all treat a flat age limit as a solution, as if when someone's 16 and a day it's suddenly okay to hook them up on this digital drug, and that's a deliberate choice of them.

@Yuvalne @divVerent @Em0nM4stodon @edwiebe There are multiple points here, all important.

Abstinence-only approach to addictive shit.

Privacy and anonymity.

Right of people without identity (including children!) to participate in society & access information.

Capitalist platforms being abusive.

Etc.

None of these point to the awful "solutions" industry & government & normie simps for those two are pushing.

@Yuvalne @Em0nM4stodon @dalias @edwiebe Well, Google does provide a "ZKP" solution.

But one that verifies that you are holding an ID document. While revealing its content.

Which isn't ZK in the sense that we would need here.

As said, I want a solution that works twofold:

- Legal requirement for parents to not let their children use certain social media platforms except while supervised. Think of this as comparable to movie ratings. If a platform doesn't like its age rating, it can change its feature set (e.g. remove ML-"curated" feeds).

- Voluntary supervision software for use by parents that can block inappropriate social media sites. Minor mandatory support by sites for such software (like a small file indicating what type of service this is, kinda like the old age-de.xml we once had). If parents want to supervise by other means, they can do that as well instead.

- Mandatory support by social media sites to disable tracking when requested by the clients. Said supervision software then shall set that flag, but users can also do that without such software. Sites must never be allowed to pressure users into removing this disablement request and to opt into tracking, which means, they must keep providing service even to users who opt out.

Of course, this solution allows anyone, regardless of age, to opt out of tracking. So it's already totally against anything Big Tech wants. And it's quite possible this solution will lead to the vast majority turning off tracking, which, you know, they really won't like.

And even with my solution care has to be taken to not accidentally reveal the entire birth date, e.g. by a user moving from one age bracket to another on a given day. I thus propose merely using the birth year and to live with some amount of inaccuracy (interpreting it in favor of allowing access, but also in favor of not tracking).

@divVerent @Yuvalne @Em0nM4stodon @edwiebe "Legal requirement for parents to not let their children use certain social media platforms except while supervised"

This is absolutely evil and immensely harmful to LGBTQ and NNT kids and you should feel bad for even suggesting it. I can't imagine what you'd want done to enforce such a law.

@dalias @Yuvalne @Em0nM4stodon @edwiebe And yet this requirement is already law in many countries.

E.g. in Germany, see § 832 BGB and § 171 StGB.

Parents are literally not allowed to let children do anything unsupervised. Just what supervision means is up to them, and can definitely also include methods such as "talking after the fact".

@divVerent @Yuvalne @Em0nM4stodon @edwiebe Yes because our society at large does not respect personhood of children but treats them as property. But at least that definition of "supervision" is a lot less harmful. Still, it would be a lot less odious to impose liability for bad outcomes than policing relationship dynamic.

@dalias @divVerent @Yuvalne @Em0nM4stodon

Children are not treated as property. That's just not true. In Canada, we can't buy or sell a child. We can't dispose of a child. In fact, though anyone biologically capable can grow one, once born they have the same human rights as everyone else, much to the dismay of some parents. Maybe none of this is true where you come from. That would be terrible.

@dalias @Yuvalne @Em0nM4stodon @edwiebe I did not define "supervision" in any particular way but am intentionally leaving it open. I am for providing tools, not for depanding any particular way of using them.

@dalias @Yuvalne @Em0nM4stodon @edwiebe Precisely. Liability for bad outcomes is also how the cited German laws work.

su_liam Feb 23

@Yuvalne @divVerent @Em0nM4stodon @dalias @edwiebe We will make sure your private information isn’t intercepted. Trust us.
We will discard your private information and not resell it. Trust us.
We will protect your private information while we have it. Trust us.
We will never use your private information to track or manipulate you. Trust us.
We have a long history of what “trust us” is worth.

⊥ᵒᵚ Cᵸᵎᶺᵋᶫ∸ᵒᵘ ☑️Feb 22

@dalias @Yuvalne @edwiebe @divVerent @Em0nM4stodon I think the idea would be to only trust some 3rd parties to respond with ZKP on users' behalfs

@dalias @edwiebe @Em0nM4stodon In theory one could do this with a "trusted" third party and blind signatures.

Let every country on the world run a CA for age verification. CA generates a certificate for your age that reveals nothing about your identity.

Present these certificates. Extra cryptography to be used so the certificate cannot be used as an user ID (i.e. each time you present it, the data sent has to be different). E.g. a "zero knowledge protocol". Not even the government that ran the CA should be able to find out which person is presenting their certificate.

All this is solvable, but:

- Nothing stops you from copying someone else's certificate. Even if this were TPM-backed and it were actually secure, nothing stops you from using someone else's computer.

- Websites need to trust _every single country's_ CA. Even if this were feasible, it'd quickly run into issues like "which CA to use for people in Taiwan", and e.g. recognizing one could get you into trouble with the other.

- If only one country hands out certificates for people who haven't reached the proper age yet, the entire system breaks down. And some country sure will do that - at least for people paying enough.

- None of the major companies would ever implement a privacy protecting scheme anyway, if they can instead do mass surveillance.

At that point, it basically gains nothing vs my approach of the ban simply implemented client-side and voluntarily. Parents either block social media for their children, or they don't (and supervision necessarily ends once children can afford their own phone and internet connection). I have ideas to simplify that, but solutions for that already exist right now.

always tired Feb 22

@divVerent @Em0nM4stodon

You are missing the point.

Gatekeeping access is also a problem. It's the end of free speech and free access to information and the freedom to associate.

Ada

Feb 22

@Em0nM4stodon it's kind of (also) a parenting problem?

Having a proper dialogue and clear rules for all technology usage, whether TV, Tablets, Games or Social media isn't a goal to aspire to, it's the minimum bar required for responsible usage.

Paul Sutton (zleap)Feb 22

@iamada @Em0nM4stodon

Parents, should also be expected to lead by example.

G1N&T Feb 22

@Em0nM4stodon And it's also a workaround for governments that are too coward to face platform owners and demand them not to use addictive and exploitative algorithms as their main business model.

Ben Feb 22

@Em0nM4stodon It is big tech that's pushing for age verification, not governments. It already knows everything about the adult population, all of the time. But digital IDs will allow it to harvest all of our children's data too, from birth. The digital safety of our children is the responsibility of their parents, not big tech or government. Parents need look up from their own phones occasionally and look deeply at what their children are doing.