The main problem with the "report your age to the website" proposals is that they're backwards. You shouldn't be leaking your age to the service.

Instead, the service should be telling your device the nature of the content. Then, if the content is for adults and you're not one, your parents can configure your device not to display it.

> if we don't do something, the trajectory is that ~every website and app is going to either voluntarily or compulsorily do face scans, AI behavior analysis, and ID checks for their users

You're going to get that, anyway. Platforms want to sell their userbases as real monetizable humans. Governments want to know who says and reads what online. AI companies want your face to train their systems they sell to the government, and they want to the be the gatekeepers that rank internet content for age appropriateness and use that content as free training material.

Age verification across platforms is already implemented as AI face and ID scans. This is where we're already at.

My objection to all this stuff is the requirement to share government ID / biometrics / credit card info etc with arbitrary third party sites, their 228 partners who value my privacy and need all my data for legitimate interest, and whatever criminals any of those leak everything to, and also give the government an easily searchable history of what I read when those sites propagate the info back.

Any scheme that doesn’t require this won’t get pushback from me.

As an alternative: I already have government-issued ID and that branch of government already has my private info; have it give me a cryptographic token I can use to prove my age bracket to the root of trust module in my computer; then allow the OS to state my age to third parties when it needs to with a protocol that proves it has seen the appropriate government token but reveals nothing else about my identity.

Other alternatives are possible.

I think a better approach would be incentives versus punishments.

Like - you don't make it illegal to not do age attestations, but you provide a mechanism to encourage it.

You get a certification you can slap on your website and devices stating you meet the requirements of a California Family-Friendly Operating System or whatever. Maybe that comes with some kind of tax break, maybe it provides absolution in the case of some law being broken while using your OS, maybe it just means you get listed on a website of state-recommended operating systems.

That certification wouldn't necessarily have to deal with age attestation at all. It could just mean the device/OS has features for parents - built-in website filtering, whatever restrictions they need. Parents could see the label and go "great, this label tells me I can set this up in a kid-safe way."

Hell, maybe it is all about age certification/attestation. Part of that certification could be when setting it up, you do have to tell it a birthdate and the OS auto-applies some restrictions. Tells app stores your age, whatever.

The point is an OS doesn't want to participate they don't have to. Linux distros etc would just not be California Family-Friendly Certified™.

I wouldn't have to really care if California Family-Friendly Certified™ operating systems are scanning faces, IDs, birth certificates, collecting DNA, whatever. I'd have the choice to use a different operating system that suits my needs.

>I ask because I feel like if we don't do something, the trajectory is that ~every website and app is going to either voluntarily or compulsorily do face scans, AI behavior analysis, and ID checks for their users, and I really don't want to live in that world.

The only reason they'd _have_ to do that is government laws making them do so. When the law is vague around what age verification is, if one company decided to do ID verification, now any site that doesn't might not be doing 'enough' in the eyes of the law (it'd come down to a court case if not specifically defined).

Though it may seem more convenient to just do it at the os level (though really the browser level would make more sense with a required header/cookie no?), I'd be shocked if you don't see it expanded in the future to be more than a checkbox.

Exactly the same way as i do now for such laws.

It's pointless, does not increase security, does increase complexity of every interaction, and introduces a lot of weird edge cases.

What i want is full anonymity enshrined in law, while at the same time giving parents, not governments, but parents, options to limit what their children can do on the internet.

The push to do biometric data collection is entirely the result of entrepreneurs trying to get ahead before laws are passed. Their behavior is the result of the push to restrict the open internet. If we don't do anything, they will stop. You don't always have to do "something". Sometimes the harm comes by trying to do something.

> I also agree with S76 that some laws regarding how an operating system intended for wide use should function are acceptable.

The only laws the government should pass regulating software running on someones computer are laws protecting those consumers from the companies writing that software. For example, anti-malware/anti-spyware.

The government has no business telling a random company that their software needs to report my age, whether it's unverified and self-reported or not.

What makes you think this is going to stave off that world? More likely you'll get both, since I doubt this API is going to satisfy other states' age verification requirements.

> I agree. I also agree with S76 that some laws regarding how an operating system intended for wide use should function are acceptable. How would you react to this law if the requirement was only that the operating system had to ask the user what age bracket it should report to sites? You get to pick it, it isn't mandatory that it be checked, and it doesn't need to be a date, just the bucket. Is that still too onerous?

What's the point in doing any of this if it doesn't result in materially better outcomes?

> You get to pick it, it isn't mandatory that it be checked, and it doesn't need to be a date, just the bucket. Is that still too onerous?

Yes, because (a) it wouldn't do anything, and (b) it would take about 5 seconds for the morons who push this stuff to start whining about that fact, and using the fact that "Society(TM) has mandated this and people are avoiding it" to demand effective verification, which would be a huge disaster.

They won't be placated by anything short of total victory, and if you give them anything, you're just enouraging them.

> How would you react to this law if the requirement was only that the operating system had to ask the user what age bracket it should report to sites? You get to pick it, it isn't mandatory that it be checked, and it doesn't need to be a date, just the bucket. Is that still too onerous?

Isn't that what the CA law is?

> Is that still too onerous?

Isn't it just pointless?

I'm getting upset by face scan creep too. I do not like it. No sir. But mandating a self-reporting mechanism feels about as useful as DNT cookies, or those "are you 18? yes/no" gates on beer sites.

Sadly, the only real response here is non-compliance. Recently, credit card company wanted me to provide ID upon login ( I was amused -- while my setup may not be common, it has not changed for years now ). So I didn't and just ignored it. I checked on it this month and it suddenly was fine. But then.. one has to be willing to take a hit to their credit and whatnot.

The point remains though. They have zero way to enforce it if we choose to not comply. Just saying.

Totally agree, but I think we are heading to a full intrusion system in every aspect. And this is just the beginning. Even decentralized identity systems are not that decentralized, of course.

A cornerstone philosophy behind the American legal system is that we must view every single increase in State power as a potential slippery slope, and must prove that it isn't.

In this case, it's a slippery slope; if we're normalized to this, what other incursions into our 1A rights to free speech, religious freedom and public gathering will we allow?

And I say religious freedom, because these kinds of laws are largely peddled by religious folk or people who otherwise have been deeply influenced by early American Puritan religious culture.

I, nor my children, should be forced to subject to such religiously-motivated laws. I can decide for myself and for my child what is appropriate.

I, nor my children, cannot be compelled to enter personal information into a machine created by someone who is also illegally compelled to require it.

I, nor my children, can be compelled to avoid publicly gathering on the internet just because we don't want to show identification and normalize chilling surveillance capitalism.

I thought this was fucking America.