Posted by smartmic 18 hours ago
1) If you're a platform like Discord or Gmail, give users the option to create an extra password lock for modifying their profile information (which includes age). This could also be implemented at the app level rather than at the account level. Parents can take their child's phone, set the age, and set these passwords for each of their child's apps/accounts.
2) If you're an OS developer, add a password-protected toggle in the OS settings that gates app installation/updates, like sudo on Linux. Parents can take their child's phone and set this password, so they can control what software runs on their child's phone. If we have this, then 1) isn't even strictly needed because parents can simply choose to only install apps that are suitable for their child.
3) If you're a device manufacturer, you should open-source your drivers and firmware and give device owners the ability to lock/unlock the bootloader at will with a custom password. Parents should be able to develop and install an open-source child-friendly OS. Companies like Apple and Samsung have worked against this for years by introducing all kinds of artificial roadblocks to developing an alternative OS for their hardware.
I don't know how long their specific proposal would take, but on a Unix or Unix-like system the California bill could be done in a week.
0. Make a directory somewhere, say /etc/age_check, and in that directory create four files: 0-13, 13-16, 16-18, 18+, owned by some system account with permissions 000.
1. This would be the hardest part. Modify whatever is used to interactively create new user accounts to ask for the user age if the account is a child's account, and than add an ACL entry for the appropriate /etc/age_check file that allows the child's account to read that file.
The California bill says you have to ask for and age or birthdate but the API you provide for apps to ask for age information just requires giving an age bracket, so I'm taking that as meaning I am not required to actually store the age. I only have to make the API work.
2. The API for checking age is to try to open the files in /etc/age_check. Whichever open succeeds gives you the user's age bracket.
That's pretty similar to the California bill. Parents set an age when creating a child's account. The OS provides an API to get the user's age bracket from that, which apps that need to know the age bracket of the user can call.
edit: on second thought, realistically, the API solution is too brittle regardless of which way it goes. Because the API requires every service to implement it and that's not happening, whereas an app installation lock only requires one child-friendly OS to implement it, then parents can choose that OS.
So the app requests a signal (like, calling an API), and the OS returns the signal (returning the age group).
Regarding API vs installation lock, TBH I don't think the law concerns that level of details. An OS or app-store installation lock that checks app ratings can be considered as a valid implementation.
The password-based app installation lock I proposed in my original comment doesn't require any kind of age checking at all, so it naturally doesn't fit the California law. The device owner (in this case, the parent who buys the device for their child) gets to decide what apps can be installed on their child's phone on an app-by-app basis using a password set by the parent. The app store doesn't need to know, and the apps don't need to know.
I do want to note that this California law alone doesn't say anything about content restriction. I won't be surprised if there was/will be another bill to assign the responsibility (which may be more controversial). But the current law is only about the age gating mechanism. And on the positive side it removes the need for actual age verification (like using ID) which other regions still insist on.
Since tracking children is generally illegal, you can also voluntarily lie and label yourself as a child when you don't want to access such content.
A more reasonable approach would be for parents to keep tabs on (or for stricter parents, control) who their child is associating with and where they're going, and advise their child on who/what to stay away from if they're out alone. And of course that takes parenting effort. The digital equivalent of this are things like password-gating app installation in the OS and website-blocking in the WiFi router. But I will say, I don't think these kinds of analogies are good because the Internet is too different from the physical world.
And let's not underestimate the tracking power of a legally mandated data point: the age contains about 6 bits of information that can be used to identify your user account on the Internet across apps and websites, even if your inputted age is fake.
But yeah I get the point, API based solutions are complicated and brittle because they require all services to implement it properly. In contrast a user-set app installation password in the OS settings is more effective and easier to implement.
No it doesn't. A browser/appinstaller with parental/age controls enabled would fail as unavailable if there was no age rating on the website/app. This is exactly the solution we should be aiming for, as it keeps the incentives lined up instead of turning them upside down.
One big problem with the laws currently being pushed is that it leaves the decision for what sites are "appropriate" for kids completely in the lands of corporate attorneys. For example, Facebook will happily make an "under 18" site that uses LLMs to censor posts, but still contains all of the same dopamine drip mechanics. Whereas keeping the decision process of appropriate under the control of the end-device means parents could straightforwardly go beyond what corporate attorneys decide, and block Facebook regardless of the age rating.
I'm responding to another comment of yours here since HN loves the rate limit. In that comment you were talking about locked down bootloaders. But bootloaders are already thoroughly locked down, and most devices are still essentially usable. The current looming threat is remote attestation, which makes it so that websites (and other services) are able to prevent you from running software of your choice when interacting with them! The backwards legislation being currently pushed is all but guaranteed to end up in more demands for remote attestation, whereas the correct direction of information flow (sites/apps publish headers saying they're suitable for <18 etc) would not necessitate remote attestation.
I stand by my original comment. No new laws are needed. All of the features outlined in 1), 2), and 3) should be user-controlled, and there's no need to send info over the air.
The unlocking process zaps the userdata partition. This security model would totally suffice for locking down a child's phone. If the child zaps their phone and erases everything on it, then the parent can handle that out of band.
For the general problem, I would say that there has been a longstanding market failure here, in that parental control software isn't widespread or straightforwardly usable across different websites. Your 3 points don't really address that. (2) has been doable on standard desktops forever, and (3) just pushes mobile devices back towards the capability of desktops (which on its own is laudable!). But standard desktops have had these capabilities for decades and still haven't evolved the kind of straightforward parental controls that most parents are demanding.
edit: on second thought, there is a trap here. If hardware manufacturers lock down the bootloader, then we're basically still handing over parental authority to governments and companies in the long run. So I think for a start, we just implement a app-install password lock like sudo. It will be easier to implement than the API. The convenience API can come later when hardware manufacturers are banned from locking bootloaders.
[0] https://en.wikipedia.org/wiki/Association_of_Sites_Advocatin...
seems like a good plan to me.
But let's be honest, governments want a dragnet they can use to monitor/control all internet communication. The people running western democracies are equally as power hungry and zealously authoritarian (my ideas will bring utopia!) as the people running the CCP.
The only difference is, the CCP has permissionless authority, so they ended internet freedom in China decades ago. They didn't have to ask.
Western authoritarians on the other hand, have to fight a slow battle to cleverly grind you down over time, so that you get tricked into allowing them to gatekeep the internet. It hasn't worked so far. The next step (this one) is "okay, so you don't want to have to ask us permission before you visit a website...but won't anybody think of the poor beautiful innocent children???"
Emotions activated. Rational thought deactivated.
They'll get what they want because they always get what they want. And you'll be convinced it's good for you over time, because most people just follow whatever the mainstream "vibes" are, and the elite sets the vibes. It's amazing a free internet existed this long. Great while it lasted.
the bigger issue is that lawmakers are thinking in terms of smartphones, tablets and commercial pcs as shrink wrapped media consumption devices with a setup step... not protocol level support that preserves parts of computing and the internet they don't even really know exists. seems like the ietf should have lobbyists or something.
It's too late in any case, the Internet as we know it will eat itself. It will be destroyed by AI, and AI agents from without. And it will be destroyed from within by stupid laws such as the ones under "discussion" in this AI-edited and AI-illustrated nothingpiece.
By which I not mean the infrastructure. I mean the current crop of social media websites. The infrastructure will remain, and perhaps something better will come along to use that infrastructure.
Lets do it again!
Coincidently, that system was provided by IBM.
Actually, this sentiment is a 'litmus test' for common sense.
We use age discrimination universally in all affairs, across the globe, across all cultures.
Of course the same thing is going to apply to 'content', it's just a lot harder and creates ugly externalizations.
It's a real problem, with no real solutions, at least not yet.
The situation is more like we set up a new system of checkpoint booths on every highway at city limits, and anyone entering the city gets their ID checked, and that is justified by claiming that it’s so children can’t buy guns.