David Chisnall (*Now with 50% more sarcasm!*)Mar 2

So, I have actually read the text of California law CA AB1043 and, honestly, I don't hate it. It requires operating systems to let you enter a date when you create a user account and requires a way for software to get a coarse-grained approximation of this that says either 'over 18' or one of three age ranges of under-18s. Importantly, it doesn't require:

  • Remote attestation.
  • Tamper-proof storage of the age.
  • Any validation in the age.

In short, it's a tool for parents: it allows you to set the age of a child's account so that apps (including web browsers, which can then expose via JavaScript or whatever) can ask questions about what features they should expose.

In a UNIX-like system, this is easy to do, with a tiny amount of new userspace things:

  • Define four groups for the four age ranges (ideally, standardise their names!).
  • Add a /etc/user_birthdays file (or whatever name it is) that stores pairs of username (or uid) and birthdays.
  • Add a daily cron job that checks the above file and updates group membership.
  • Modify user-add scripts / GUIs to create an entry in the above file.
  • Add a tool to create an entry in the above file for existing user accounts.

This doesn't require any kernel changes. Any process can query the set of groups that the user is in already.

If a parent wants to give their child root, they can update the file and bypass the check. And that's fine, that's a parent's choice. And that's what I want.

I like this approach far more than things that require users to provide scans of passports and other toxically personal information to be able to use services. If we had this feature, then the Online Safety Act could simply require that web browsers provide a JavaScript API to query the age bracket and didn't work unless it returned 'over 18'.

Show threadLudwig VielfrassMar 2

@david_chisnall And then another state or country passes a law that requires four age ranges, or another one that requires two, but they do not map nicely to the three CA requires.

You have now replicated another timezone mess.

Show threadArcaikMar 2
@lerxst @david_chisnall Yeah, like 18 is not even standard across the globe.
Show threadPetr Menšík Mar 2
@Arcaik @lerxst @david_chisnall true. But the important is the country of child and whether he or she is considered adult in his own country by his own device. Until they are adults, it should require parent's consent.
Show threadRiley S. FaelanMar 3

@pemensik You forget that a typical Big Tech TOS includes a venue clause, specifying that the laws of wherever their headquarter is apply to the contract.

@Arcaik @lerxst @david_chisnall

Show threadDrYak4d ago
@riley @pemensik @Arcaik @lerxst @david_chisnall and this will be abused to fingerprint users:
do some weird requests over 10 jurisdictions' respective age-bins (see: modern webistes loading dozens of frameworks), and now you can deduce the exact birthsdate, which will help exactly ID the user. You can now add this ID on top of the heap of pii you sell to data brokers.
Who will further sell it to marketeers, fascists states, etc.
Show threadPetr Menšík 4d ago
@dryak @riley @Arcaik @lerxst @david_chisnall you are suggesting exact birthdate can be extracted, but California bill doesn't propose that. That might happen only when it is implemented very wrong way.
Show threadRiley S. Faelan3d ago

@pemensik Have you heard of cookies, a way to tie together repeated queries, potentially repeated over a whole year?

@dryak @Arcaik @lerxst @david_chisnall

Show threadPetr Menšík 2d ago
@riley @dryak @Arcaik @lerxst @david_chisnall have you heard about ability of browsers to forget cookies on closing?
Show threadDrYak

@pemensik the difference is that while you can wipe cookies, providing age brackets is clearly going to be mandatory. You're not supposed to be able to shut it off trivially.

And again, if enough jurisdictions follow the footsteps of California and mandate their own different local weird brackets, querying multiple such bracket enables quite some tracking.

Mar 21 at 9:50pmWeb
Show threadPetr Menšík 1d ago
@dryak correct me if I am wrong. Those age groups are mandatory to be provided by the OS. They are not mandatory sent over network AFAIK. The difference is important. Am I wrong?
Show threadDrYak21h ago

@pemensik "Naive" would be more appropriate.

The law mandates that these age brackets be queriable by apps over an API.

So technically yes: the law doesn't literally require your OS to broadcast the age automatically over the whole internet.

BUT: in the age of apps with dozens of trackers (see Exodus reports) and "We and our 293 partners" cookies warning, do you really trust that the age checking will happen exclusively client-side and no information will ever leak back to the mothership?

Show threadPetr Menšík 12h ago
@dryak that is up to OS vendors to handle sufficiently. I think more precise access might need some permission like location access, for example.