logoalt Hacker News

mindslighttoday at 12:12 PM0 repliesview on HN

> All of the real proposals have various compromises baked in. Some people want to require device attestation, so you could only do this handshake from a government approved device running a government approved operating system. Forget using Linux or maybe even a general purpose computer at all.

SPOT ON! This needs to be plastered across the top of every single thread on "age verification" (really: identity verification).

Talk of "zero knowledge proofs" or other technical schemes are essentially just nerd sniping on this topic. These sound like really cool solutions where we can have our cake and eat it too, but the reality is that the cool technical bits are just the tip of the iceberg. For them to actually be secure (ie prevent the trivial proxying of credentials), there has to be another, much more draconian, part to the system.

Even if that part is missing to begin with, then calls to add it down the line will be inevitable once the idea that websites are responsible for verifying users "ages" (identities) has taken hold and those flaws become glaringly apparent.

I am a parent who will be staring down this issue in a few short years. The Internet is not the place we grew up. Faceboot and other engagement-farming companies are most certainly malevolent threats to the human psyche [0], and it's reasonable to assume that their effects are even stronger on developing minds.

The only approaches that are workable to protect kids as well as preserve Internet/computing freedom (which is actually an additional angle of protecting kids from continuing loss of freedom to roam) involve the client device being responsible for what to block/show, with information only ever flowing from the server to the client - for example tags that assert a site/app is suitable for people over a given age, and on-device parental control software that operates on those tags. If parental controls are enabled and a website has no tags, then the site does not display - failing closed and preserving compatibility with the open web.

Given that this is a dire problem that parents face that has reached a tipping point, it would be reasonable to create a legal mandate that mass market device manufacturers must include parental control software that can be enabled during setup process, and that websites over a certain size have to include tags stating their age appropriateness. That would bootstrap the ecosystem and lead to the development of more vibrant tags and blocking software, enabling parents to set their own policies independent of corporate attorneys decreeing what is acceptable for their kids.

[0] It is also worth keeping in mind that it is exactly Faceboot and its ilk that are pushing these identity verification laws in the first place! They are simply trying to remove their legal liability for harming kids, so they can otherwise continue business as usual