If I’m not mistaken, Meta has been lobbying heavily for all of these age-verification bills lately.
It seems their strategy is to externalize their responsibility to verify age themselves, and thus reduce their exposure to liabilities when child protection acts like COPPA are violated.
It should be externalized to a degree. Facebook shouldn't be the ones verifying age, but there should be a trusted 3rd party service that does that, which just tells facebook "yes this user is old enough to use your service" or "no they're not old enough".
It abso-fucking-lutely should not be at the OS level though, for so many reasons. Even the implementation alone would be a nightmare. Do I need to input my ID to use a fridge or toaster oven? Ridiculous.
We don't externalize age verification when buying alcohol or visiting the strip club. It's on the responsibility of those establishments to verify age.
I'm surprised that people think this is some new 'save-the-children' thing ? Didn't Zuck say like 10 years ago, you should not be allowed to be anonymous on the internet ? This just seems on-brand at this point.
A different approach that would keep incentives properly aligned is for Facebook (et al) to publish labels in website headers asserting the age (and other) suitability of content on various sections of the site. It would then be up to client software (eg a browser) to refuse to display sites that are unsuitable for kids on devices that have been configured for kid use.
As there has been a market failure for decades at this point, it would be reasonable to give this a legislative nudge - spelling out the specific labels, requiring large websites to publish the appropriate labels, and requiring large device manufacturers to include parental controls functionality. The labels would be defined such that a website not declaring labels (small, foreign, configuration mistake, etc) would simply not be shown by software configured with parental controls, preserving the basic permissionless nature of the Internet we take for granted.
But as it stands, this mandate being pushed is horribly broken - both for subjecting all users to the age verification regime, and also for being highly inflexible for parents who have opinions about what their kids should be seeing that differ from corporate attorneys!
Except none of these bills (California or the one in question) as currently written require an ID to actually be verified, merely that the user provide an age. This seems intentional as it's seems to solve the user journey where a parent is able to set a reasonable default by simply setting up an associated account age at account creation. It's effectively just standardizing parental controls.
I think this is a reasonable balance without being invasive as there's now a defined path to do reasonable parenting without being a sysadmin and operators cannot claim ignorance because the user input a random birthday. The information leaked is also fairly minimal so even assuming ads are using that as signal, it doesn't add too many bits to tracking compared to everything else. I think the California bill needs a bit of work to clarify what exactly this applies to (e.g. exclude servers) but I also think this is a reasonable framework to satisfy this debate.
I've seen the argument that this could lead to actual age verification but I think that's a line that's clearly definable and could be fought separately.
I want to be able to hire a licensed Identity Service Provider that gets all of my verified identity data in an encrypted token and let me register it with the OS, and control what amount of the data I expose to apps, with age verification being one of the lower levels of access.
I pay the company to verify me, I am their customer. They take on the liability of the OS makers and app makers of age verification.
If you have a valid token signed by a licensed IDS that verified your age in your OS, that's all anyone needs to know.
So we have to pay some 3rd party service to hoard information about Children? Why we want to set that up? Why would we want to take that power from the parents and give it to some company?
So, they want to profit off children, but do nothing to protect them?
> but there should be a trusted 3rd party service that does that
Gee, if only Facebook would use their incredible might to create this, rather than trying to rob our representative government from underneath us.
> It abso-fucking-lutely should not be at the OS level though
It's not my problem. It shouldn't involve me at all. I don't use social media and I think if you let your kids on there unsupervised you have a screw loose.
If social media, alcohol, drugs, gambling, phones are so, so, so bad for children. Just ban them from children.
We were completely fine 30 years ago without any phone. They will survive. They will probably thrive because now they have to learn how to hack the system.
Instead, we just give them everything they need and all the thinking they do is scrolling.
Sometimes even things that are good for Meta are good for the rest of us. This law, and the one in California, mean that liability is disclaimed as long as the parent selects an age above 18 for the child. It's like a section 230 for age protection. Meta supports this because they won't be liable for wrong age inputs, and we should also support this because it doesn't verify age in any other way.
He doesn't want to have to stand up, turn around and apologize to parents on behalf of an asleep at the wheel Congress again.
At some level I don't blame him. It is also a bit strange how in that act alone he showed more accountability than most of the politicians that were questioning him, never mind most executives. I suppose Josh Hawley wants to be liable for personal lawsuits for his acts of Congress too... people cringe at his "robotic" demeanor but I can't remember the last time someone turned and faced people and apologized like this. Most people asked to do the same (even in front of the same body) never do.
Facebook has always been there for only one reason; for people who don't value privacy.
Nothing less, nothing more.
Most things that are not suitable for children were recognized so long ago that it was decades, centuries, or millennia before anybody living was ever born.
Like porn, when it got on the web it has always been instinctively gatekept as traditionally as possible, and complaints which do arise over the decades are addressed by the websites in ways that measure up to how you expect a company to act. Consistent with the way they truly don't want underage visitors to their websites at all.
Those complaints are now dwarfed by what parents are saying about Facebook in particular.
Facebook, and now Meta, is just not something that previous generations had to deal with, so it didn't get handled in a very adult way as it should have been from the beginning. And it only got worse as it got bigger.
If it wasn't worse for their kids than porn, parents wouldn't be screaming so much louder than ever.
I guess it turns out the combination of fundamentally devaluing privacy across-the-board including minors is the main problem, and then the idea of hooking them early, like cigarette companies would do with as much habit-forming reinforcement as possible, is what leverages the lack of overall privacy through the roof.
What's really needed is bold gatekeeping on Meta's digressions alone, they should be the ones to aggressively keep everyone underage off their site. Like they really mean it, which has not existed before. That's what's been wrong the whole time, the internet was so much better before Facebook came along with their anti-privacy mission, and it got put on steroids.
Reining in Meta alone should be big enough to be noticeable, no-one else has a shred of responsibility by comparison.
Facebook has invested $billions in these underage crowds and they want to know exactly when everyone else on the internet turns a certain age even if they are not on Facebook.
Don't give it to them no matter how much they pay.
It would be the complete opposite of an advanced thinker who wants to respond by compromising more people's privacy across the regular internet, when Meta is the primary source of the problem, and they're who stand to benefit the more privacy is compromised in any way, child or adult.
Like my 19th century grandmother would say, "what's wrong with some people?"
It's amazing how many things We The People want our government to do that go ignored year after year, but the moment corporations want something laws get pushed through at lightning speeds. Does anyone actually think that masses of regular people in Illinois were begging their government to force operating systems to tell every website and advertiser how old their children are? They weren't. A small number of corporations with lots of money wanted that though. Bribing matters a lot more than voting.
How should they do it? Surely they don't have a responsibility to do something that nobody knows how to do?
There have been numerous cases in history where governments have attempted to legislate the outcome they want without regard to how that might be done or if it was possible in the first place. Obviously it can never deliver the results they want.
It would be like passing a law to say every company must operate an office on the moon, and then saying that companies lobbying for an advanced NASA space program is them externalising their responsibility.
With all the LLM bots they need a new way to sort out the people from the machines to not lose ad revenue and to help their spook friends.
It's better for them if this "responsibility" rests with another organisation, they don't get blamed as much when the information leaks and it is replaceable.
That's the correct strategy, if anyone sues meta, meta can bring their age verifier into the lawsuit and blame them. It makes sense from a business perspective, insurance perspective. etc...
Meta is definitely helping to push this, but they aren't having to push very hard because its already in the zeitgeist. It's a classic moral panic. Millennials are raising kids and turning into their boomer parents.
Millennials had their hippie era in their 20s (same stuff their parents did rebranded as "hipster" instead of "hippie," where instead of building a lifestyle of free love and bong hits in the Haight-Ashbury, they built a lifestyle of free love and bong hits in Williamsburg Brooklyn).
Now in their 30s-40s they've moved to the suburbs, they're voting Reagan, and are falling for hysterical media-driven moral panics about "what kids these days are up to" just like their Boomer parents did in the 80s-90s.
What's even more funny about all these "social media is evil" legislative proposals, they're motivated by the idea of what social media used to be when millennials were in college...which doesn't even exist anymore.
The classic narrative that teens are depressed because they're seeing what parties they didn't get invited to is wildly outdated now. Social media isn't social anymore (see Tiktok), it's just algorithmic short form TV. Nobody is seeing content from their peers anymore.
In reality, most modern research on social media finds little to no affect on teen mental health. But of course, if you have ulterior motives to undermine privacy or shirk corporate responsibility under the cover of "saving the kids," this moral panic is an already burning flame waiting to be stoked.
What does this bill have to do with age verification?
It legally mandates the existence of a required "age" field in user account records, a user interface to populate it during account setup, a mechanism for service providers to read this field, and that providers act as if it has been populated accurately.
As someone who has been the de facto "system administrator" for my family's computer systems since kindergarten, this has to be one of the stupidest policies I've ever seen gain traction.
This coordinated state level attack on the legislative process is crazy. These people can't seem to be bothered to do the basics of governing, but they always find time to do this cross-state nightmare fuel.
It's kinda convenient because every service needs to ask you for the age now because they can't serve under 13s in a lot of cases. Having it be a simple API would be a decent convenience, no?
If you connect it with a permission system where you can choose whether to provide this information (e.g. >13 as a bool or age as an integer or the birthday as a date) that can't be too bad I guess?
The law as is written mainly targets social media platforms. For an OS to comply, all it needs to do is provide a field during account creation that records the user's date of birth as supplied by the user. There is no onus on the operator to confirm the veracity of this information, or even record it anywhere other than the local OS install itself. I think we're safe.
I don't like this whole thing, but compared to what I was fearing would happen, this idea is nowhere near as bad.
What I expected was that we'd end up with the OS vendors actually being mandated to really do age verification, and then submitting that using Web Credentials and Secure Attestation so that the far end could trust the whole thing, locking open-source OS's out of the mix and creating more of a walled garden online than we already have. I was guessing it would become a simple checkbox on e.g. Cloudflare - "[ ] allow adult users only" or whatever - and that it would end up with vast swathes of the internet going off limits for anyone not on closed-source systems.
Now, it looks like this is just a way for parents to tell the OS "this is a kid account" and have it flow through to websites so they can easily proactively block kids from connecting without having to implement any of that crap. Yes, it's much potentially easier for a child to circumvent; but any kid who can get around that sort of thing from within an OS could probably just wipe/reinstall anyway, so who cares?
As a parent whose kids are continually trying to see what trouble they can get into, I appreciate that I will get one more potential weapon in the fight.
Can someone tell me whether I am being a fool by actually being a bit relieved it's going this way?
People here seem very against this, but I don't really see it. This only require to have a form asking about your age and provide an API to read it, right?
Surely I'm missing something? Is the backlash due to fear of a slippery slope?
The "one weird trick" that all government hates? Stop forcing OSes to function with accounts. "User account" is an artifact of UNIX. You don't need an account to start a car, send and email, nor boot an operating system. I know it's hard to grasp, but it's true.
> the Children's Social Media Safety Act
>
> provide an accessible interface at account setup that requires an account holder to indicate the birth date, age, or both
Thank goodness kids can't lie about their age!
> provide an operator who has requested a signal with respect to a particular user a signal that identifies the user's age by category
Wait - if this is just to pass a signal to an operator ("social media site"), why can't the "operator" just ask for the age themselves?
This is why Meta is forcing this legislation through nation-wide. They are forcing Google/Apple to take the liability, despite it not actually being Google or Apple that's providing the "harmful" social media. Meta are doing this state-by-state so nobody can track that it's them. Easier than pushing at a federal level, and raises fewer red flags from news media.
Since Google and Apple won't want to accept this liability either, the next step is requiring digital IDs and third-party verification to prove the user is of age. This will enable tracking of all users, whatever app or website they go to. Bills requiring this are already being passed at state and federal level.
I wonder how this will mix wit federal laws saying you aren't allowed to track users under the age of 13yo? Will this then be forced as a browser API/header passed to every server/request?
Even if open source operating systems comply and add such a feature, what's to stop individual people from removing this and blocking the API requests before they install the OS? Or providing dummy responses? They're open source, after all.
Is the government going to require some sort of automated checks that verify every person who connects to the internet has this API on their OS and go after individuals that aren't in compliance?
In a perfect world the right way to protect children from digital dangers is by proper parenting. In the real world the government steps in so that the next generation doesn't come up crippled. The solution is imperfect and might be a privacy nightmare but is better than nothing. There is a lot of bad parenting in preventing digital-related problems in children.
I didn't know a single company could just pay politicians state-by-state to pass a given law - in my country that would be a crime, but it seems in the US this is how the legislation process works :)
There's something I've never seen a good answer to: why is this being mandated in the OS vs requiring it for apps - or classes of apps? There's plenty of parental controls already available for browsers - after verifying the user's age on startup, why not add a header field that the browser inserts along with AgentID (for example) and call it a day?
What are they going to do to enforce this? Take down open source projects that "operate" in Illinois because a user downloaded the software there? Absolute joke and everyone should treat it that way; advanced compliance here means implicit support for the surveillance state.
If allowing children access to social media is dangerous, then why aren't they enforcing existing child abuse and child endangerment laws? Throw the parents in prison for failing to control their children.
453 comments
It seems their strategy is to externalize their responsibility to verify age themselves, and thus reduce their exposure to liabilities when child protection acts like COPPA are violated.
It abso-fucking-lutely should not be at the OS level though, for so many reasons. Even the implementation alone would be a nightmare. Do I need to input my ID to use a fridge or toaster oven? Ridiculous.
>
It should be externalized to a degree.Why?
We don't externalize age verification when buying alcohol or visiting the strip club. It's on the responsibility of those establishments to verify age.
As there has been a market failure for decades at this point, it would be reasonable to give this a legislative nudge - spelling out the specific labels, requiring large websites to publish the appropriate labels, and requiring large device manufacturers to include parental controls functionality. The labels would be defined such that a website not declaring labels (small, foreign, configuration mistake, etc) would simply not be shown by software configured with parental controls, preserving the basic permissionless nature of the Internet we take for granted.
But as it stands, this mandate being pushed is horribly broken - both for subjecting all users to the age verification regime, and also for being highly inflexible for parents who have opinions about what their kids should be seeing that differ from corporate attorneys!
I think this is a reasonable balance without being invasive as there's now a defined path to do reasonable parenting without being a sysadmin and operators cannot claim ignorance because the user input a random birthday. The information leaked is also fairly minimal so even assuming ads are using that as signal, it doesn't add too many bits to tracking compared to everything else. I think the California bill needs a bit of work to clarify what exactly this applies to (e.g. exclude servers) but I also think this is a reasonable framework to satisfy this debate.
I've seen the argument that this could lead to actual age verification but I think that's a line that's clearly definable and could be fought separately.
I pay the company to verify me, I am their customer. They take on the liability of the OS makers and app makers of age verification.
If you have a valid token signed by a licensed IDS that verified your age in your OS, that's all anyone needs to know.
> trusted 3rd party service
So we have to pay some 3rd party service to hoard information about Children? Why we want to set that up? Why would we want to take that power from the parents and give it to some company?
> Facebook shouldn't be the ones verifying age
So, they want to profit off children, but do nothing to protect them?
> but there should be a trusted 3rd party service that does that
Gee, if only Facebook would use their incredible might to create this, rather than trying to rob our representative government from underneath us.
> It abso-fucking-lutely should not be at the OS level though
It's not my problem. It shouldn't involve me at all. I don't use social media and I think if you let your kids on there unsupervised you have a screw loose.
We were completely fine 30 years ago without any phone. They will survive. They will probably thrive because now they have to learn how to hack the system.
Instead, we just give them everything they need and all the thinking they do is scrolling.
https://www.rtalabel.org/index.html
At some level I don't blame him. It is also a bit strange how in that act alone he showed more accountability than most of the politicians that were questioning him, never mind most executives. I suppose Josh Hawley wants to be liable for personal lawsuits for his acts of Congress too... people cringe at his "robotic" demeanor but I can't remember the last time someone turned and faced people and apologized like this. Most people asked to do the same (even in front of the same body) never do.
https://youtu.be/yUAfRod2xgI
Nothing less, nothing more.
Most things that are not suitable for children were recognized so long ago that it was decades, centuries, or millennia before anybody living was ever born.
Like porn, when it got on the web it has always been instinctively gatekept as traditionally as possible, and complaints which do arise over the decades are addressed by the websites in ways that measure up to how you expect a company to act. Consistent with the way they truly don't want underage visitors to their websites at all.
Those complaints are now dwarfed by what parents are saying about Facebook in particular.
Facebook, and now Meta, is just not something that previous generations had to deal with, so it didn't get handled in a very adult way as it should have been from the beginning. And it only got worse as it got bigger.
If it wasn't worse for their kids than porn, parents wouldn't be screaming so much louder than ever.
I guess it turns out the combination of fundamentally devaluing privacy across-the-board including minors is the main problem, and then the idea of hooking them early, like cigarette companies would do with as much habit-forming reinforcement as possible, is what leverages the lack of overall privacy through the roof.
What's really needed is bold gatekeeping on Meta's digressions alone, they should be the ones to aggressively keep everyone underage off their site. Like they really mean it, which has not existed before. That's what's been wrong the whole time, the internet was so much better before Facebook came along with their anti-privacy mission, and it got put on steroids.
Reining in Meta alone should be big enough to be noticeable, no-one else has a shred of responsibility by comparison.
Facebook has invested $billions in these underage crowds and they want to know exactly when everyone else on the internet turns a certain age even if they are not on Facebook.
Don't give it to them no matter how much they pay.
It would be the complete opposite of an advanced thinker who wants to respond by compromising more people's privacy across the regular internet, when Meta is the primary source of the problem, and they're who stand to benefit the more privacy is compromised in any way, child or adult.
Like my 19th century grandmother would say, "what's wrong with some people?"
There have been numerous cases in history where governments have attempted to legislate the outcome they want without regard to how that might be done or if it was possible in the first place. Obviously it can never deliver the results they want.
It would be like passing a law to say every company must operate an office on the moon, and then saying that companies lobbying for an advanced NASA space program is them externalising their responsibility.
It's better for them if this "responsibility" rests with another organisation, they don't get blamed as much when the information leaks and it is replaceable.
https://www.reddit.com/r/LinusTechTips/comments/1rsn1tm/it_a...
Millennials had their hippie era in their 20s (same stuff their parents did rebranded as "hipster" instead of "hippie," where instead of building a lifestyle of free love and bong hits in the Haight-Ashbury, they built a lifestyle of free love and bong hits in Williamsburg Brooklyn).
Now in their 30s-40s they've moved to the suburbs, they're voting Reagan, and are falling for hysterical media-driven moral panics about "what kids these days are up to" just like their Boomer parents did in the 80s-90s.
What's even more funny about all these "social media is evil" legislative proposals, they're motivated by the idea of what social media used to be when millennials were in college...which doesn't even exist anymore.
The classic narrative that teens are depressed because they're seeing what parties they didn't get invited to is wildly outdated now. Social media isn't social anymore (see Tiktok), it's just algorithmic short form TV. Nobody is seeing content from their peers anymore.
In reality, most modern research on social media finds little to no affect on teen mental health. But of course, if you have ulterior motives to undermine privacy or shirk corporate responsibility under the cover of "saving the kids," this moral panic is an already burning flame waiting to be stoked.
It legally mandates the existence of a required "age" field in user account records, a user interface to populate it during account setup, a mechanism for service providers to read this field, and that providers act as if it has been populated accurately.
As someone who has been the de facto "system administrator" for my family's computer systems since kindergarten, this has to be one of the stupidest policies I've ever seen gain traction.
If you connect it with a permission system where you can choose whether to provide this information (e.g. >13 as a bool or age as an integer or the birthday as a date) that can't be too bad I guess?
I haven't read the whole thing of course.
What I expected was that we'd end up with the OS vendors actually being mandated to really do age verification, and then submitting that using Web Credentials and Secure Attestation so that the far end could trust the whole thing, locking open-source OS's out of the mix and creating more of a walled garden online than we already have. I was guessing it would become a simple checkbox on e.g. Cloudflare - "[ ] allow adult users only" or whatever - and that it would end up with vast swathes of the internet going off limits for anyone not on closed-source systems.
Now, it looks like this is just a way for parents to tell the OS "this is a kid account" and have it flow through to websites so they can easily proactively block kids from connecting without having to implement any of that crap. Yes, it's much potentially easier for a child to circumvent; but any kid who can get around that sort of thing from within an OS could probably just wipe/reinstall anyway, so who cares?
As a parent whose kids are continually trying to see what trouble they can get into, I appreciate that I will get one more potential weapon in the fight.
Can someone tell me whether I am being a fool by actually being a bit relieved it's going this way?
Surely I'm missing something? Is the backlash due to fear of a slippery slope?
Answer: they don't want to be liable and get fined $400 Million, like Meta got fined, for letting kids on social media. (https://www.nytimes.com/2022/09/05/business/meta-children-da...)
This is why Meta is forcing this legislation through nation-wide. They are forcing Google/Apple to take the liability, despite it not actually being Google or Apple that's providing the "harmful" social media. Meta are doing this state-by-state so nobody can track that it's them. Easier than pushing at a federal level, and raises fewer red flags from news media.
Since Google and Apple won't want to accept this liability either, the next step is requiring digital IDs and third-party verification to prove the user is of age. This will enable tracking of all users, whatever app or website they go to. Bills requiring this are already being passed at state and federal level.
Is the government going to require some sort of automated checks that verify every person who connects to the internet has this API on their OS and go after individuals that aren't in compliance?