Hacker News

Bender yesterday at 6:26 PM | 20 replies

The only device mandate that should be taking place is that the default installations of web clients should be checking to see if parental controls are enabled. This only impacts the major browsers. An intern at each browser company could add this check in minutes. If they are enabled and the person logged in is on a regular account (not admin or power user of sorts) then the base installation of web clients must check for an RTA header [1]. If present, prompt for an override password and also give the option for the admin to approve-list the domain at that time. That's it. Not perfect, nothing is or will be.

The only thing server, platform, website, service providers should be doing is setting an RTA header if the content could possibly be adult or user-contributed content that could dynamically become adult, moderation aside. This knocks out two issues with one fix. Small children don't see much if any adult content and they are kept off social media until the admin (parent or legal guardian) approves it.

If a site is not adding the RTA header then progressively fine them into oblivion. If they accept the fines as the cost of doing business then seize everything and put everyone in GenPop. An intern could enable the header in 5 minutes.

All legislation regarding age verification must revolve around this otherwise people must reject it as an abusive form of tracking and privacy invasion. The focus should be on small children as teens share porn, warez, movies and such within Rated-G games.

[1] - https://news.ycombinator.com/item?id=47950091


Replies

lxe yesterday at 9:27 PM

Bold of you to assume that lawmakers have any common sense when it comes to technology legislation. It could have taken 3 interns 3 hours at each browser company to implement a cookie consent standard 15 years ago, yet here we are in cookie banner hell.

codedokode yesterday at 8:42 PM

I think the header/metatag is designed poorly. The RTA proposal is that every operator of every site must verify the content and add the header to mark the site as "safe" or "unsafe". This is an unnecessary burden that they have to bear if this proposal is given a green light and this is wrong.

Instead, the default should be, that if there is no header or it cannot be parsed, then the content is unsafe. And if there is a header, it describes the page rating, like what kind of dangerous content it may contain. The header may be added to any displayable content like HTML, text, images, audio or videos, but not to machine-readable content like JS files or AJAX responses.

So only those who want their site to be accessible by minors have to add headers. For social networks, the user might have an option to mark his content as "safe".

This means that with my proposal existing site operators need not do anything to mark their sites as "unsafe" - all sites are "unsafe" by default. This means that millions of site operators need to spend 0 dollars to adapt their sites. How great is that?

The browser on a device with parent mode should not allow displaying any content which doesn't have a header or that is marked as unsafe, or that contains a header with an invalid value. The parents may whitelist some sites.

There should be a responsibility for intentionally marking unsafe content as "safe". We should also think what to do with foreign operators, intentionally putting invalid headers for unsafe content. Maybe they should be added to some kind of blacklist that the browsers would periodically update.

Search engines like Google could work by default in "safe" mode, but add "unsafe" header if the user wants to turn off restrictions.

> If a site is not adding the RTA header then progressively fine them into oblivion.

I think my proposal is better because it requires only fining those who intentionally misrepresent content safety.

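Added example, not part of any comment in this thread: a sketch of how a browser-side check would decide under the two defaults discussed above, Bender's fail-open RTA check and codedokode's fail-closed rating header. The `Rating` header carrying the RTA label follows rtalabel.org; the `Content-Rating` header name, its `safe` value, the context fields and the sample responses are assumptions constructed for illustration.

```javascript
// RTA label string as published by rtalabel.org.
// "content-rating" and the value "safe" are hypothetical (the thread names no header).
const RTA_LABEL = "RTA-5042-1996-1400-1577-RTA";
const MACHINE_READABLE = /^(application\/(javascript|json)|text\/javascript)\b/i;

// True when no restriction applies: controls off, admin account, or approved host.
function unrestricted(ctx) {
  return !ctx.parentalControls || ctx.isAdmin || ctx.approvedHosts.has(ctx.host);
}

// Fail-open: only an explicit RTA label triggers the override prompt.
function failOpenDecision(headers, ctx) {
  if (unrestricted(ctx)) return "allow";
  const rating = (headers["rating"] || "").trim();
  return rating.toUpperCase() === RTA_LABEL ? "prompt-override" : "allow";
}

// Fail-closed: displayable content needs a header that parses to exactly "safe".
function failClosedDecision(headers, ctx) {
  if (unrestricted(ctx)) return "allow";
  if (MACHINE_READABLE.test(headers["content-type"] || "")) return "allow";
  const rating = (headers["content-rating"] || "").trim().toLowerCase();
  return rating === "safe" ? "allow" : "block"; // missing, "unsafe" or garbage all block
}

// Constructed sample responses (header names already lower-cased).
const child = { parentalControls: true, isAdmin: false,
                host: "example.test", approvedHosts: new Set() };
const samples = {
  unlabeled: { "content-type": "text/html" },
  rta: { "content-type": "text/html", "rating": RTA_LABEL },
  safe: { "content-type": "text/html", "content-rating": "safe" },
  duplicated: { "content-type": "text/html", "content-rating": "safe, unsafe" },
  script: { "content-type": "application/javascript" },
};

// Returns { sampleName: [failOpenResult, failClosedResult] } for the child account.
function compare() {
  const out = {};
  for (const [name, h] of Object.entries(samples)) {
    out[name] = [failOpenDecision(h, child), failClosedDecision(h, child)];
  }
  return out;
}
console.log(compare());
```

The unlabeled page is where the two defaults diverge: the fail-open check lets it through, while the fail-closed check blocks it until an admin approves the host.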
iamalizard yesterday at 7:25 PM

No such mandates should take place at all.

miki123211 today at 3:23 PM

Three things:

1. This assumes that websites are under your jurisdiction and can be fined. This is not a valid assumption on the internet. If you want to do this, you need a framework to block noncompliant websites via ISP-side null-routing, putting pressure on payment processors and hosting companies which do operate in your country etc.

2. HTML tags and not HTTP headers. If just a small part of the site contains content which shouldn't be displayed, the web browser should just hide that part.

3. Sometimes, it is genuinely useful to know the user's restrictions ahead of time. Imagine you're a movie streaming site or game store. You have some content which is suitable for the user, no matter their age, but you need to know which bracket they're in to decide what to show them. Without that info, you either default-adult (which sucks for children) or default-child (which sucks for adults).

pkphilip today at 4:04 AM

However, this is not about age verification or protecting children. That is just the excuse they are using.

If Meta, Google etc could easily have algorithms in place for determining the age of the person seeing the video - apart from having the override capability via a parental login as you have stated.. but these platforms have consistently refused to limit the type of content they are showing to children.

kelnos today at 2:13 AM

How does this work for mixed-content sites? Like say a minor visits a video sharing or social media site and the default feed/recommendations list includes stuff that should be age-restricted, but is mostly stuff that shouldn't be.

The entire site shouldn't be blocked; the browser needs a way to tell the website "my parental controls are enabled and I need you to filter out age-restricted content".

Alternatively, the RTA header/meta could include a parameter/attribute for an "alternate URL" to load when parental controls are enabled. This could be useful to allow sites to present a custom error-type response, but could also be used to automatically redirect the user to similar, but age-appropriate, content.

Anyway, this all ignores the fact that "protect the children" isn't really the goal here: it's to slowly eat away at our ability to be anonymous (even read-only anonymous) on the internet. Age verification is just a watered-down way of saying they require positive identification, and eventually our hardware will have to cryptographically attest we are who we say we are. I really hope this isn't inevitable, but it's starting to feel that way.

bawolff today at 7:09 AM

> The only thing server, platform, website, service providers should be doing is setting an RTA header if the content could possibly be adult or user-contributed content that could dynamically become adult, moderation aside....If a site is not adding the RTA header then progressively fine them into oblivion.

Seems like this would incentivize just all sites to have the header regardless of if it meets the definition since you get fined if you don't but no fine if you have the header unnecessarily.

Especially if your definition is contains user contributed content. That is all sites with a comment field. What really is left? I'm not sure I have even visited a site in the last month that wouldn't fall under this.

raxxorraxor today at 6:51 AM

That is the only real solution. It removes the lobbyists with their bad verification schemes and untrustworthy software. You don't need untrusty flaggers or untrustworthy official authorities. In no way can nations be responsible enough to not attempt constant sniffing attempts. My nation couldn't keep itself from spying on corona app users.

This can also be broadly implemented, any other technical solution won't be widely spread anyway.

I don't think authorities care about child protection though. They could have legislated malicious advertising practices and a lot of similar bad influences, but didn't.

jahnu yesterday at 6:37 PM

Has this idea been discussed when drafting legislation? I mean are they aware of it but dismissed it for any reason or no stated reasons?

skybrian yesterday at 6:45 PM

I largely agree, but the RTA header doesn't seem to be good enough for most websites to use. When a website wants to block browsers with parental controls on, but it isn't porn and it shouldn't be blocked by SafeSearch, what do they do?

https://webmasters.stackexchange.com/questions/140733/how-to...

tardedmeme today at 8:53 AM

That's basically what this law was though. Are you cheering for them removing the law that said exactly what you wanted?

kleiba2 today at 9:54 AM

This assumes that the goal is child protection, while the actual goal is user profiling and ad revenue.

teekert today at 6:43 AM

Well sure, such a solution may solve age verification elegantly, but does it serve the interests of the companies that pushed this bill?

ekr____ yesterday at 7:43 PM

> The only device mandate that should be taking place is that the default installations of web clients should be checking to see if parental controls are enabled. This only impacts the major browsers. An intern at each browser company could add this check in minutes. If they are enabled and the person logged in is on a regular account (not admin or power user of sorts) then the base installation of web clients must check for an RTA header [1]. If present, prompt for an override password and also give the option for the admin to approve-list the domain at that time. That's it. Not perfect, nothing is or will be.

It's useful to contrast this with the various device-based mandates that have been created in order to get a sense of what legislators seem to be trying to do. With that in mind, a few points:

* What you are proposing allows parents to opt in via parental controls, but age assurance mandates (both device-side and server-side) tend to require positive action to enter unrestricted modes. In some cases (CA AB 1043, for instance), this is just a matter of entering your age. In others, you actually need to demonstrate your age via some technical mechanism.

* While many age assurance mandates focus on adult content, which is primarily consumed via the Web, others (e.g., Australia's Social Media Minimum Age) focus on social networking, which is primarily consumed via apps, so anything that is Web only will not be effective.

* Site-level granularity isn't really fine enough in some cases. For example, the New York SAFE for Kids act prohibits certain behaviors such as algorithmic recommendations when a user is a minor, but doesn't require blocking minor usage entirely. It's potentially possible to implement this with something like RTA, but it would have to at minimum be at much finer granularity.

Section VI of https://kgi.georgetown.edu/wp-content/uploads/2026/01/Age_As... goes into quite a bit more detail about various architectures (disclaimer, I'm an author).

None of this is an endorsement of age assurance techniques; I'm just trying to help flesh out the situation.

> All legislation regarding age verification must revolve around this otherwise people must reject it as an abusive form of tracking and privacy invasion.

It's a bit late for that, given that around half of US states already have some kind of age assurance mandate.

tzs yesterday at 8:53 PM

> If they are enabled and the person logged in is on a regular account (not admin or power user of sorts) then the base installation of web clients must check for an RTA header [1].

Your cite is an earlier post of yours which says

> The one and only method I will participate in is server operators setting a RTA header [1]

and that cites a still earlier post of yours

> I stand by my repeated statements of how this could have been solved simply using an RTA header [1]

which finally actually cites¹ something that explains what the heck an RTA header is.

It would be quite a bit more reader friendly to cite https://www.rtalabel.org/page.php rather than make the reader traverse a linked list of comments to get there.

¹https://www.rtalabel.org/page.php

delusional yesterday at 7:13 PM

A) Aren't you targeting a completely different problem than this law? It's my understanding that this law targets the collection of the age from the user. What the user agent does with that signal is a different problem, and seems to already be solved, except for the definition of "actual knowledge" which they are trying to establish here.

B) How would your RTA header intersect with content rating in different jurisdictions? What if the content is illegal for children in Turkey but legal for children in Kentucky?

idiotsecant today at 3:40 AM

You make the mistake of solving the stated problem, and not the actual problem. This was never about children, or a solution like what you describe would be trivial.

themafia yesterday at 6:42 PM

> An intern at each browser company could add this check in minutes.

An intern could also just delete the product which would also "solve" this "issue". The fact that it's easy or cheap is not significant to the problem at hand.

> should be doing is setting an RTA header

Many sites will just set the header by default. Now you've created a problem.

> then progressively fine them into oblivion.

This does nothing. See: Ofcom vs 4chan.

> device mandates

Mandate that the device provide an API for child protection software. Then it's up to individual parents to decide to install that software or not. Then we also get competition in this market rather than relying on whatever solution an intern cooked up one day.

pessimizer yesterday at 6:43 PM

Absolutely trivial and totally comprehensive solution, enabling adult content blocking at the account level, device level, network level, and the ISP level. Could even be expanded to any sort of content blocking, if you want to allow households to restrict access to vaccine critique or criticism of the king without violating the First Amendment or rooting everyone's devices.

The problem is that the point is to root everyone's devices. Anyone explaining how easy this is would be pushed out of the conversation as fast as if they were advocating for single-payer healthcare.

edit: I've been advocating the nearly identical but opposite solution - restricted access sites shouldn't respond to requests that lack an appropriate age/content restriction header. If they do, jail them.

They're literally going to have to do this anyway. Rooting people's devices to force them to lie about their age when they install their operating system is an absolutely fake pretendy solution; the only way it works is if you have to verify your age with some government agency when you install an operating system, in order to make that OS age official. The point is the identification.

wizardforhire yesterday at 6:40 PM

That's crazy talk, how are we gonna build a database of computers tied to physical identification of users by which we can monitor, control, and monetize… you're saying parents should be responsible for their children? How is the state going to be able to exert more control if it doesn't have ubiquitous surveillance of its population!? /s