
I'm still on the fence about government doing a parent's job here, especially for kids under 13, but I can't stand that no one pushing these bills has come up with an actually reasonable age verification method.


> government doing a parent's job

The problem here is that it's pretty much out of the hands of the parents. If your kids' friends have social media, your kids will absolutely need it too in order to not be left out. I've witnessed the pressure, and it's not pretty. Add to that the expectation from society that children shall have access to social media.

Regulation is pretty much the only way to send the right signals to parents, schools, media companies (e.g. Swedish public service TV has a kids app that until recently was called "Bolibompa Baby", but it's now renamed to "Bolibompa Mini"), app designers, and so on.


We're barreling towards an internet that requires an id before you can use it.

It's a bit upsetting but I don't harbor the early 2000s naiveté about the free internet where regulation doesn't exist, the data exchange happens over open formats and connecting people from across the world is viewed as an absolute positive.

Govt meddling on social media platforms, the filter bubble, platforms locking data in, teenage depression stats post Instagram, doom scrolling on tiktok have flipped me the other way.

Internet Anonymity is going to die - let's see if that makes this place any better.


> Govt meddling on social media platforms

And the government having unfettered knowledge of every site you visit - in particular the more salacious ones - is how we solve that? Surely that won't be used as a political cudgel to secure power at any point, nor will it ever be used to target specific demographics or accidentally get leaked.


I'm still on the fence about government doing a parent's job here, especially for kids under 13, but I can't stand that no one pushing these bills has come up with an actually reasonable age verification method.

How do you anonymously verify someone's age?


Third party, perhaps. You sign up for service A. Service A queries service B, which knows who you are and provides a one-time ack of your age.


That sounds nightmarish. I don't want the verifier to know what porn sites I visit. Someone else proposed the following system to me: a third party authority issues a certificate which I can then use to prove I'm 18. The CA cannot see where I use the certificate, though.


Er... The CA needs to be used to verify the certificate by the third party, ergo it will know the websites.

It's virtually impossible to make a verification system that's anonymous. Somewhere the third party and authenticator will need to share a secret that you cannot touch.

Furthermore, you would need the government to agree to this system and mandate this system universally and pay for the authentication services to exist. That's not what Florida is doing.


I can show my government-issued ID to any third party without the government knowing about whom I've shown this ID to. The third party needs to trust the government and the authenticity of the ID.

The problem is that my ID contains too much information; I would prefer a document (i.e. digital certificate) that only certifies my age, not my name, address etc.


Any such ID would need to be validated by the service. Therefore the service and the authenticator would need to speak. And in doing so, the authenticator will be able to see that an ID issued to you is being used for that service.

You cannot get around this. The service must confirm with the authenticator. The authenticator must know you are authenticated, and by extension, who you are.


Your comment is incompatible with mine, so one of us must be incorrect; I will leave it at that.


Anonymous credentials. A central authority with verified age information of each person grants credentials that verify the age to third parties, but the authentication tokens used with the third party can't be used by the third party nor the central authority to identify anything else about the credential holder.


This is technically possible but politically impossible. Any system you make like this will get special government peeking exceptions added making it non-anonymous and probably rank corruption from industry lobbying will add some sort of user tracking for sale with data that is poorly anonymized. Once the sham system is in place they'll probably expand the requirement to other things.


Then there is a data breach, and every person in the country is de-anonymized.

No thank you.


A data breach where?

The central authority should be someplace that already has your non-anonymous ID data, so using your ID for age verification doesn't give them any new ID information. The only new thing that them doing age verification adds is that they might keep a list of verification tokens they have issued.

Someone who obtained copies of the verification tokens you requested might go to various social media sites and ask them who used those tokens, allowing matching up your social media identities with your real identity.

That's fixed by making it so the token that is given to the social media site is not the token that came from site that checked your ID. You give the social media site a transformed token that you transform in such a way that the social media site can recognize that it was made from a legitimate token from the ID checker but does not match anything on the list of tokens that the ID checker has for you.


> The central authority should be someplace that already has your non-anonymous ID data, so using your ID for age verification doesn't give them any new ID information. The only new thing that them doing age verification adds is that they might keep a list of verification tokens they have issued.

But the central authority, a third party, will get a heads-up every time someone - whether child or adult - logs into the social media site. That's a privacy violation. Even if the verification system were set up in such a way that the third party wouldn't be able to know which exact website I'm trying to visit, the third party would be able to track how frequently I visit websites that require age verification. With just this law, it would be "you visited social media during X, Y, and Z times." With extensions of this law to other kinds of websites, it would be "you visited social media or porn or violent video games or alcohol sites during X, Y, and Z times", which obfuscates the kind of website I visit but also makes the internet into something I have to whip out an ID for just to use.

> That's fixed by making it so the token that is given to the social media site is not the token that came from site that checked your ID. You give the social media site a transformed token that you transform in such a way that the social media site can recognize that it was made from a legitimate token from the ID checker but does not match anything on the list of tokens that the ID checker has for you.

Is it possible to transform the token such that the social media site would be able to link it to your identity but an attacker who gains access to the social media site's data wouldn't? If so, I'd appreciate an example of a transformation for such a purpose. But it doesn't wipe out my privacy concern, that I - or anyone else - wouldn't be able to log in to a social media site without letting a third party know against my will.


> But the central authority, a third party, will get a heads-up every time someone - whether child or adult - logs into the social media site. That's a privacy violation. Even if the verification system were set up in such a way that the third party wouldn't be able to know which exact website I'm trying to visit, the third party would be able to track how frequently I visit websites that require age verification.

It doesn't have to work like this.

It's technically possible to do verification such that the authority (probably the government which already has a database with your age), doesn't get any communication when verification takes place. They'd have no idea which sites you visit or join, or how often.

And the site which receives the verification token doesn't learn anything about you other than your age is enough. They don't even learn your age or birthday. They couldn't tell the government about you even if subpoenaed.

(But if you tell them on your birthday that you are now old enough, having been unable to the day before, they'll be able to guess of course so it's not perfect in that way.)

Using modern cryptography, you don't send the authority-issued ID to anyone, as that would reveal too much. Instead, on your own device you generate unique, encrypted proofs that say you possess an ID meeting the age requirement. You generate these as often as you like for different sites, and they cannot be correlated among sites. These are called zero-knowledge proofs.

They work for other things than age too. For example, to show you are an approved investor, or have had specific healthcare or chemical safety training, or possess a certain amount of credit without revealing how much, or are a citizen with voting rights, or are a shareholder with voting rights, without revealing anything else about who you are.


Do you mean that I can get a permanent age-verification key from the third-party authority, then never have to contact the authority again (unless I want a new key)? If so (and assuming that zero knowledge proofs, which I'm not very familiar with, work), then my privacy concerns are resolved. (Well, I don't want the authority to keep a copy of my verification key, but FOSS code and client-side key generation should be feasible.)


An example of the kind of token transformation I'm thinking of follows.

Assume RSA signatures from the site that looks at your ID having public key (e,m) where e is the exponent and m is the modulus, and private key d. The signature s of a blob of data, b, that you give them is b^d mod m.

To verify the signature one computes s^e mod m and checks if that matches b.

Here's the transformation. You generate a random r from 1 to m-1 such that r is relatively prime to m. Compute r' such that r r' = 1 mod m.

Instead of sending b to be signed, send b r^e mod m.

The signature s of b r^e is (b r^e)^d mod m = b^d r mod m.

You take that signature and multiply by r'. That gives you b^d mod m. Note that this is the signature you would have gotten had you sent them b to sign instead of b r^e.

Net result: you've obtained the signature of b, but the signing site never saw b. They just saw b r^e mod m.

That gives them no useful information about b, due to r being a random number that you picked (assuming you used a good random number generator!).

For any possible b, as long as it is relatively prime to m, there is some r that would result in b r^e having the same signature as your b, so the signing site has no way to tell which is really yours.

b is unlikely to not be relatively prime to m. If m is the product of two large primes, as is common, b is relatively prime to it unless one of those primes divides b. We can ensure that b is relatively prime to m by simply limiting b to be smaller than either of the prime factors of m. Since those factors are likely to each be over a thousand bits this is not hard. In practice b would probably be something like a random 128 bits.


> But the central authority, a third party, will get a heads-up every time someone - whether child or adult - logs into the social media site.

Why? I imagine this could be a "they've signed my key" situation, no requests needing to go up the tree further than necessary...


> But the central authority, a third-party, will get a heads-up every time someone - whether child or adult - logs into the social media site. That's a privacy violation.

Why would you do age verification on login? It only needs to happen once on account creation.


> Why would you do age verification on login? It only needs to happen once on account creation.

Oops. That slipped my mind. For sites that require log-in, my previous comment is wrong.

I had unconsciously assumed that at least one site would implement the age verification system without requiring users to make accounts to browse the site. In this comment, I will explicitly make that assumption. For sites without log-in walls but with government-mandated age verification, the concerns in my previous comment would apply. But sites with log-in walls have their own privacy problems independent of age verification, chief being that having to log in means letting the first party site track how often I use the site. A different problem (not necessarily privacy-related, but can be) of log-in walls is that I would be forced to create accounts. If I don't wish to deal with the burden of making accounts, then I won't browse the website. If the website made a log-in wall in response to an age verification mandate from a government, then my First Amendment right to access the speech the website wished to provide will have been chilled.


I think you’d want to also reverify now and then. People only rarely create accounts, which I think would make de-anonymizing someone from simultaneous breaches of site and verifier logs easier.

If you have to verify often enough, and age verification is required on enough sites that are widely used by the general public so that the mere fact that you are using sites that require age verification is not something you might need to hide, I think it would make it much harder to get useful information from log comparisons.


Would you care to elaborate?


Say you have a user U who wishes to demonstrate to site S that they are at least 16, and we have a site G that already has a copy of U's government ID information.

Here's one way to do it, with an important security measure omitted for now for simplicity.

• S gives U a token.

• U gives G that token and shows G their ID.

• G verifies that U is at least 16, and then signs the token with a key that they only use for "over 16" age verifications. The signed token is given back to U.

• U gives the signed token back to S.

If G saves a list of tokens it signs and who it signed them for, and S saves a list of tokens it issues and what accounts it issued them for, then someone who gets both of those lists could look for tokens that appear on both in order to match up S accounts with real IDs.

To prevent that we have to make an adjustment. G has to sign the token using a blind signature. A blind signature is similar to a normal digital signature, except the signer does not see the thing they are signing. All they see is an encrypted copy of the thing.

With that change a breach of G just reveals that you had your age verified and gives the encrypted token associated with that verification. These no longer match what is in the records of the sites you proved your age to since they only have the non-encrypted tokens.

Someone with both breaches might be able to match up timestamps, so even though they can't match the tokens from S directly with the encrypted tokens from G they might note that you had your age verified at time T, and so infer that you might be the owner of one of the S accounts that had a token created before T and returned after T.

This would be something people trying to stay anonymous would have to be careful with. Don't go through the full signup as fast as possible--wait a while before getting the token signed, and wait a while before returning the signed token. Then someone who is looking at a particular anonymous S account will have a much larger list of items in the G breach that have a consistent timestamp.

Also note that to G it is just being asked to sign opaque blobs. Occasionally have G sign random blobs. If your G data shows that you are getting your age verified a few times a month, then it is even more likely that if one of those verifies is at about the same time as a particular social media signup it is just a coincidence.
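Added example, not part of the thread and not any commenter's code: the S/U/G signup flow from the comment above, run once with a plain signature and once with the RSA blinding described earlier in the thread (send b r^e mod m, multiply the result by r'), then joined across both sites' logs the way someone holding both breaches would. The key is a constructed toy key, and the names `signup`, `join_logs`, the account and user labels are assumptions for illustration.

```python
import math
import secrets

# Constructed toy key: two Mersenne primes, so no key generation is needed.
# Primes of this special form are NOT safe for real use.
P = 2**521 - 1
Q = 2**607 - 1
M = P * Q                            # modulus m
E = 65537                            # public exponent e
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent d, known only to G


def g_sign(blob, g_log, user_id):
    """G checks the ID (not modelled), logs what it saw, returns blob^d mod m.

    Raw RSA as in the thread; deployed schemes (e.g. RFC 9474) add hashing
    and padding on top of the same blinding idea.
    """
    g_log.append((user_id, blob))
    return pow(blob, D, M)


def verify(b, s):
    """Anyone with the public key (e, m) checks s^e mod m == b."""
    return pow(s, E, M) == b % M


def blind(b):
    """Pick random r coprime to m; return (b * r^e mod m, r)."""
    while True:
        r = secrets.randbelow(M - 1) + 1
        if math.gcd(r, M) == 1:
            return (b * pow(r, E, M)) % M, r


def unblind(s_blinded, r):
    """Multiply by r' (r * r' = 1 mod m) to recover b^d mod m."""
    return (s_blinded * pow(r, -1, M)) % M


def signup(use_blinding, user_id="alice-real-id", account="anon-account-1"):
    """Run one signup; return (accepted_by_S, S's log, G's log)."""
    s_log, g_log = [], []
    # S issues a random 128-bit token b (smaller than either prime factor,
    # so it is relatively prime to m) and records which account got it.
    b = secrets.randbits(128) | (1 << 127)
    s_log.append((account, b))
    if use_blinding:
        blinded, r = blind(b)                  # U blinds before contacting G
        sig = unblind(g_sign(blinded, g_log, user_id), r)
    else:
        sig = g_sign(b, g_log, user_id)        # G sees and logs b itself
    return verify(b, sig), s_log, g_log


def join_logs(s_log, g_log):
    """Match tokens that appear in both breached logs: (account, real ID)."""
    seen_by_g = {blob: user for user, blob in g_log}
    return [(acct, seen_by_g[tok]) for acct, tok in s_log if tok in seen_by_g]


if __name__ == "__main__":
    for mode in (False, True):
        ok, s_log, g_log = signup(mode)
        print("blinded" if mode else "plain", "accepted:", ok,
              "linked:", join_logs(s_log, g_log))
```

The token join is empty in the blinded run, but the timestamp correlation the comment describes is not modelled here and blinding does nothing against it.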


https://developers.google.com/privacy-sandbox/protections/pr...

Private State Tokens enable trust in a user's authenticity to be conveyed from one context to another, to help sites combat fraud and distinguish bots from real humans—without passive tracking.

An issuer website can issue tokens to the web browser of a user who shows that they're trustworthy, for example through continued account usage, by completing a transaction, or by getting an acceptable reCAPTCHA score. A redeemer website can confirm that a user is not fake by checking if they have tokens from an issuer the redeemer trusts, and then redeeming tokens as necessary. Private State Tokens are encrypted, so it isn't possible to identify an individual or connect trusted and untrusted instances to discover user identity.


This system clearly and trivially deanonymizes the internet. Even worse than a centralized system, it uses a simple "just trust me bro" mentality that issuers would never injure users for personal gain and would never keep logs or have data leaks, which would expose the Internet traffic of a real person.


> I'm still on the fence about government doing a parent's job here

The issue is, as a parent who is not very technical, how do they _safely_ audit their child's social media use?

I am reasonably confident that I could control my kid's social media habit, but only up to a point. There isn't anything really stopping them getting their own cheap phone/signing in on another person's machine.

The problem is, to safely stop kids getting access requires either strong authentication methods to the ISP. i.e., to get an IP you need 2fa to sign in. But that's also how censorship/de-anonymisation happens.


> government doing a parent's job

The govt already set the bar at 13, so what's different about setting it at 16?


You could say the same about smoking I guess?

For kids under 13 to see any of the content, ask them to enter a credit card?


Adults should not have to enter a credit card to, say, read HN. But kids should. And therein lies the problem...


Why not? Honestly asking here.

Let's assume opposition to the law is a "progressive" position:

If there is a constitutional right to absolutely 100% friction free access to information then what happens to all the barriers the government has erected to access covid, Trump, Russia and other "disinformation" progressives pushed for?

(You can invert this example for a right wing if you want)


Not everyone has a credit card. Some people cannot obtain a credit card. People under the age of 18 can also have a credit card. I do not trust random sites with my credit card.


So these are objections in practice, not principle. Important but consider:

- Most states give free IDs

- Your safety concern is addressed by other commenters here (see the verifying age anonymously)


Gut check was that the "Most states give free IDs" statement wouldn't hold up. So I checked real quick.

"At least eight states issue free or discounted IDs to low-income or homeless residents and at least 10 states waive ID fees for seniors."

That's far from most states, and even then it comes with stipulations.


You changed the argument from credit card to government ID (an even worse idea imo).

You seem to want the law to be that I need to show ID to enter most internet establishments. I will never, ever, ever hold that opinion.


How about this: I don't want every little thing I do on the internet tracked and tied to my real identity?

Is the CCP conducting a psyops on HN right now or something? Since when were we all for every tiny interaction you have on the internet requiring you to look in the scanner and say "My name is X and I love my government and McDonalds"?


HN seems to have become a lot more mainstream, in comparison to the old cyberlibertarian "privacy and piracy" days.


Where's the new hangout?


You understand the internet isn't made up of US states, right?


Growing up I remember the trope about showing papers to do anything in the USSR. It was in direct contrast to the display of freedom in America.


> If there is a constitutional right to absolutely 100% friction free access to information then what happens to all the barriers the government has erected to access covid, Trump, Russia and other "disinformation" progressive pushed for?

...those barriers go away. They never really existed in the first place in any real way. Like the Great Firewall, they were a polite fiction defining what people are allowed to know, but were trivially circumvented from minute zero.

This is one of the most reliable and desirable features of the internet in the first place.


While people are on the fence about it, our children are having their youth, innocence and brains destroyed by tiktok et al. Those platforms are cancer to adults even, let alone impressionable kids... yet here we are still debating it and faffing around about "1st amendment yaddi yadda".


>children are having their youth, innocence and brains destroyed by tiktok

For one, ease up on the hyperbole if you want to be taken seriously. I'll give you the benefit of the doubt because the news is nothing but hyperbole these days, so it's easy to pick up the habit. Second, most kids aren't having "their youth, innocence and brains destroyed." The news takes the edge cases, amplifies them and presents it as the norm to peddle fear because fear sells. Nothing ever is bad as the news makes it out to be, but they gotta make a dollar, you see how bad the news business is since the internet?

FWIW, my kid uses social media and just connects with her friends. Nothing overly malicious goes on, they just goof off. I've checked.

You really wanna protect the kids from anxiety and whatnot, block the news and all the talking heads trying to manipulate the next generation to their political opinions.


> For one, ease up on the hyperbole if you want to be taken seriously.

That is the kind of swipe the HN guidelines ask people to edit out of their comments (https://news.ycombinator.com/newsguidelines.html: "Edit out swipes."), so please don't post like this.

Your comment would be fine without that sentence and the one after it.

(I'm not saying the GP comment is particularly good—it was pretty fulminatey—but it wasn't quite over the line, whereas yours was, primarily because yours got personal.)


>so please don't post like this.

Ok.

>because yours got personal

In my defense, I made an effort to attack the person's statement, not the person themselves.


You can tell by how many different replies that needed you to believe the hysteria, that there's something inorganic about this topic.


I exaggerate for a reason, because I feel strongly about it and think that it does do those things in a literal sense.

Besides, I've consumed tiktok and seen the content. It is nowhere near appropriate for children, it's night and day.


Don't minimize what's going on.

There's a massive rise in depression in young children. The teen suicide rate has almost doubled.

The idea that you know what's going on, on their social media is pretty funny. Certainly what every adult always assumed about me. And now that I have kids, I can see how easily other kids fool their parents all the time.

And what's overly malicious? It may be social media itself without anything bad driving this. Merely seeing a sanitized version of people's lives over and over again, without anyone bullying you, that leads to depression because your life isn't as good.

No. Don't block the news. Because then you miss important things like this. https://www.hhs.gov/surgeongeneral/priorities/youth-mental-h...


I think if you wanted to reduce teen suicide a significant amount, banning social media isn't going to do it. It certainly isn't responsible for half. Of course banning it doesn't cost the government any money, so it's top of the list as opposed to any real solutions.

You also cherry picked your stats. If you open a larger window, the current teen suicide rate is not as abnormal as you are making it out to be.

https://www.cdc.gov/mmwr/volumes/66/wr/mm6630a6.htm

Perhaps all the fear mongering is having an effect on their mental state, no? Teens don't yet realize that most of the world is phony bullshit.


Umm, that chart is 10 years out of date - it ends in 2015; the beginning of the social media era.

The current teen suicide rate is ~62 / 100K, which is just about double (or triple!) the last value in that chart. And is also an anomaly over the last 40 years.


I stand corrected on the current stats. I went with what the CDC had on a google search. It's aggravating that most sources don't show the entire picture.

Here's a chart showing that this trend is mostly in the mountain states and Native Americans are the largest demographic affected by this trend by nearly triple. Both these stats disprove the theory that social media has much of an impact on teen suicide across the entire nation, otherwise why wouldn't states like California and Florida have a higher rate? Residents of those states obviously use social media too.

https://www.charliehealth.com/research/the-us-teen-suicide-r...

>2015; the beginning of the social media era.

The social media era had been in full swing for 10 years by 2015. Facebook was established in 2004 and blew up by 2006. Twitter blew up a few years later.

The narrative that social media is the cause in the rise of teen suicide across the country is simply false. Native Americans in mountain states are bearing the brunt of it and causing the national average to spike. Instead of "tilting" to social media, we should try to understand why Native American teens are having such a difficult time and solve that problem. That doesn't draw headlines though, does it?


> For one, ease up on the hyperbole if you want to be taken seriously.

I disagree that this is hyperbole. It's a huge problem among kids. Literacy rates are dropping. Listen to the stories you hear from teachers.


Teachers have ALWAYS made those screams. My mother, a French teacher, always complained that before she could teach kids French, she had to teach them how to read a clock, how to do math, and how the days of the week work (these were fifth graders mind you). She blamed education policy, but this is nothing more than what happens when 30% of your students are in poverty.

The reality is that some percentage of students will always fall through the cracks, and the human brain loves to blame whatever is "new" for problems that are "new" to you. This has been a problem for teachers since at least the No Child Left Behind policy, and even goes as far back as Socrates bemoaning his students being terrible because books meant they didn't have to have perfect memories.

Students suffered because covid was both a huge disruption to their education, and parents freaked out instead of trying to handle it (and plenty of people literally could not handle it anyway). It doesn't help that half the country openly cries that education is nothing more than liberal indoctrination, and openly downplay the value of even basic education, like the three Rs, and claims that anything higher than a high school education is also liberal indoctrination, is "woke", and is valueless.

I 100% hate tiktok, but I don't think it is (currently) being used to mentally attack the US. Maybe someday if we are ever at war with China, but right now they are content believing that inclusivity is toxic on its own. I don't think tiktok changes people's brain significantly. I do think it is extremely low value way to spend time, and that it is addictive, two serious issues when taken together, but then again I spent my life watching several hours of TV a day. I especially don't like how tiktok seems to purposely direct new male users to what is basically softcore porn.



