
Colorado proposing Bill to move age verification to Operating System rather than web site

433 likes

Submitted 2 months ago by Beep@lemmus.org to technology@lemmy.world

https://www.biometricupdate.com/202602/colorado-moves-age-checks-from-websites-to-operating-systems

source

Comments

  • chunes@lemmy.world 2 months ago

    Hey Colorado. GFY and get your damn politicians under control.

    source
    • rc__buggy@sh.itjust.works 2 months ago

      First I’ve heard of it, dude. Don’t get your knickers in a twist.

      source
  • fubarx@lemmy.world 2 months ago

    I’ve been a longtime mobile and web developer, have a teenage kid with a phone, and am a big privacy advocate (card-carrying member of ACLU and EFF). As a parent, I don’t want my kid exposed to cyber-bullying, toxic social media, or algorithmic bullshit.

    And I will tell you this: the operating system is 100% where you want to do age verification.

    I don’t want individual social media sites, dodgy third-party orgs, or government agencies scanning our faces or IDs. Under a family sharing plan, the OS already knows how old the kid is. Any site wanting to gate access can privately ask the OS if age > X without spilling their PII. Same concept as OAuth. An opaque, encrypted token indicating GO or NO-GO.

    Raging that they shouldn’t do any of this is just idiotic. Unfettered access got us CSAM, kids getting radicalized, or bullied to the point of self-harm. Fuck that.

    From a technical point of view, having OS-level verification is the least worst, and in my technical opinion, the best option.

    source
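The ask-the-OS flow described in the comment above, as an added sketch that is not code from the thread or from any platform: the site sends a threshold and a nonce, the platform answers with a short-lived GO/NO-GO token, and the site has the platform check it, as with OAuth token introspection. All function names, the HMAC-authenticated (not encrypted) token format and the 60-second lifetime are assumptions of this example.

```python
import base64, hashlib, hmac, json, secrets, time

# Assumption: the key never leaves the platform's age service (the OS or its
# account backend). Sites only ever hold the opaque token.
_PLATFORM_KEY = secrets.token_bytes(32)

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()

def os_issue_signal(birth_year, audience, nonce, min_age, now=None):
    """Platform side: answers only 'is this account at least min_age?'."""
    now = int(time.time() if now is None else now)
    age = time.gmtime(now).tm_year - birth_year   # coarse; stays on this side
    claim = {"aud": audience, "nonce": nonce, "min_age": min_age,
             "ok": age >= min_age, "exp": now + 60}
    body = json.dumps(claim, sort_keys=True).encode()
    tag = hmac.new(_PLATFORM_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)

def platform_introspect(token):
    """Platform side: return the claim if the token is authentic, else None."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:            # wrong shape or bad base64
        return None
    expected = hmac.new(_PLATFORM_KEY, body, hashlib.sha256).digest()
    return json.loads(body) if hmac.compare_digest(tag, expected) else None

def site_accepts(token, audience, nonce, min_age, now=None):
    """Site side: GO only for a fresh token bound to this site and request."""
    now = int(time.time() if now is None else now)
    claim = platform_introspect(token)
    return bool(claim
                and claim["aud"] == audience      # minted for this site
                and claim["nonce"] == nonce       # answers this request, not a replay
                and claim["min_age"] == min_age   # same threshold the site asked for
                and claim["exp"] > now            # short-lived
                and claim["ok"] is True)
```

The claim carries no birth year or account identifier, only the threshold and the yes/no answer; how far a site can rely on that answer depends on who controls the issuing side.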
    • undu@discuss.tchncs.de 2 months ago

      As a software engineer that works on virtualization and is interested in software freedom, this law terrifies me because it’s a trojan horse for something much much worse than the already shitty status quo: remote attestation.

      > And I will tell you this: the operating system is 100% where you want to do age verification

      No, it’s the last place you want to do this check. Let me explain: because users control the PCs they buy right now, meaning they can install any OS and programs they so wish to install, governments at some point will decide that they cannot trust the results given by any OS.

      The only way for governments will be to actually trust third parties (again) that will check properties in your computer through a module that controls the whole computer and users don’t have access to.

      This is called remote attestation: eff.org/…/your-computer-should-say-what-you-tell-…

      With this technology, users don’t decide what programs they can install and run, they can’t even decide what websites they can visit.

      It’s a brutal encroachment on the computer freedom you have enjoyed up to now, and the perfect tool for an authoritarian government to enforce what you can watch and, in general, can do with your computer.

      If this law is approved, I guarantee you it will spread and will have expanded versions requiring remote attestation. (Don’t worry, lobbyists will find a way to sell remote attestation preserves privacy to make it go down easier)

      The end result is a nightmare-fueling scenario where someone like Peter Thiel through Persona not only has your information because it needed to verify to create the account in your computer, but Microsoft also has it, and governments through Microsoft may decide to limit which platforms you can access (X or something worse), and also, if you’ve been a bad citizen, whether you can run programs in any computer that can be legally sold.

      All in all, this law is incredibly dangerous in the current political climate where even supposedly democratic governments are pushing for more authoritarian controls to digital life. And I’m surprised organisations like EFF haven’t seen this yet.

      source
      • fubarx@lemmy.world 2 months ago

        I’ll caveat this by saying IANAL. But the way I read Bill 26-051 is that it’s looking to implement “user age attestation” not “device or application” (WEI). Two separate things.

        Age Attestation requires the OS (or really, the cloud service that implements account-level authorization) to come up with an “age signal.” It prohibits using third-party non-public data, and puts the burden on the OS for managing the Go/No Go process. No PII leaves the device.

        The alternative is dystopian, poorly managed KYC/AML over-reaches. Under the guise of anti-fraud/anti-gambling, these will reach deep into our communal shorts. They could well soon require individual biometric verification (iris scans, face contour maps, fingerprints, etc). No, thanks.

        WEI is a separate story. It’s trying to cut down on malicious apps and maybe stop individual sites doing browser fingerprinting. It can only work on systems with single-points of app installation (without side-loading) and devices already locked down with hardware TPMs. So far, that only covers iOS. All the other systems (Linux, Mac, Windows, and Android) let you install your own system-level code without having to go through the One Official appstore. And with WASM, the browser makes it all moot.

        Personally, I think WEI is a total waste of time. Trying to squeeze the toothpaste back into the tube. But it’s solving a different problem than age verification.

        Not to say the Colorado bill is perfect. There is a truck-sized app vs. website loophole in it, so kids can still access social media sites from the browser vs their phones. But the OS can offer an API that browsers can vend to websites without every site rolling their own crappy system. It also doesn’t account for a clever kid figuring out how to create a separate adult-appearing user account. Because of course, they will.

        Saying it’s parental responsibility is unrealistic. I’ve helped folks set up Screentime, router-level filters, and even Circle (in-home ARP spoofing box, and mobile VPN + fine-grain URL filtering). There are ways around all of it. Besides, the kids can still get exposed to utter bilge via school-approved sites like Zoom, YouTube, or Google Drive. Let’s not even bother with messaging apps or in-game chat. This is all assuming parents have the time or knowledge to set things up and manage the filters.

        We’re not trying to be over-controlling, stop the kids from dancing too close at the prom, or yuck their yum. But as parents, we do want to have some sort of say in what they’re exposed to online before their brains have the capacity to process them. The risk to their mental health is real, and just YOLOing it hasn’t worked out too well.

        I’m sure there’s a lot of subtle behind-the-scenes stuff in the Colorado bill. I’ll wait to hear what EFF or Mike Masnick have to say about it. But as a techie, app developer, and parent, it reads like the least-worst way to keep a minor away from nasty crap without requiring every one of us to scan our faces and provide IDs to every rando website.

        source
    • CeeBee_Eh@lemmy.world 2 months ago

      > And I will tell you this: the operating system is 100% where you want to do age verification.

      Oh, what’s that you’re using? It’s Linux? Sure that’s fine, just make sure the age verification check works on it.

      Wait, what do you mean you have “root access”? Why do you keep repeating “it’s my hardware and I own it”? You removed the age check system? You can do that! Hey, he’s not supposed to be able to do that!

      Colorado proposes bill to ban open source operating systems

      As a parent, systems and web developer of both open source and proprietary software, this would single-handedly be one of the most damaging things to ever happen to the world of personal computing.

      > From a technical point of view, having OS-level verification is the least worst, and in my technical opinion, the best option.

      It’s a horribly bad opinion. It’s the same old problem with client-side anti-cheat. You can’t trust the hardware. If the user has full access to the computer, then they can do whatever they want with it. This is a core issue in security modelling. So what’s the answer? Try to lock down the system. This is why anti-cheat software, to play a video game, has more access to your computer’s hardware than you do as a user. Full access to every single file, data in memory, webcams, things on screen, etc.

      What’s going to happen if it becomes mandated that age checks must happen in the OS? We’re going to get computers so locked down that you won’t be able to open a .txt file without some kind of authentication check.

      No thanks. I’m happy to avoid every single age-check required service.

      source
      • fubarx@lemmy.world 2 months ago

        I won’t repeat what I said in the sibling thread.

        But I don’t see anywhere in this specific Colorado bill trying to restrict OS level features or go anywhere near open-source. As a parent, if I put little Timmy on Arch and give him root access, I don’t get to bitch about what they do online.

        This is about a single signal (kid/no kid) at the user-auth level, without slurping up PII and shipping it off into the ether.

        source
    • Lfrith@lemmy.ca 1 month ago

      What you are more likely to see is having to create and log into a Microsoft account on Windows or Apple account on MacOS to gain unrestricted access with IDs for verified accounts to be used on the OS.

      With recent attempts at ID collection, subpoenas to reddit demanding user information of those critical of the US admin, and Palantir’s involvement, your proposal is coming from a position assuming those groups aren’t the ones pushing for it.

      source
  • thatonecoder@lemmy.ca 2 months ago

    GOTEM! THIS IS ALL ABOUT POWER & CONTROL, AND THESE PEOPLE WANT TO COVER THEIR ASSES TOO!

    source
  • 11111one11111@lemmy.world 2 months ago

    Maybe our governments should spend more effort to determine if its citizens are even just alive or dead to put a dent in the half a trillion dollars the fed govt pays out to dead citizens they don’t know are dead. Then we can maybe talk about how the fuck these idiots are gonna confirm the age of their living citizens.

    Or hey, here’s another thought, use this effort to design a better consumer price index which is currently a huge guess of economic status based on the most minimal of factors based on the tiniest sample sizes of data.

    source
    • Shdwdrgn@mander.xyz 2 months ago

      Where did you get this from? Sounds like more of the crap from DOGE where Musk had no clue how computers work so he just assumed that everyone listed in SSI was getting automatically paid.

      source
  • db2@lemmy.world 2 months ago

    Image

    source
  • billwashere@lemmy.world 1 month ago

    Yeah this will end well.

    source
  • GutterRat42@lemmy.world 2 months ago

    Google already allows you to save your ID in Google Wallet and share specific details via NFC. Why can’t I just use it to provide my year of birth?

    source
    • kamikazerusher@lemmy.world 2 months ago

      Seriously. There are better ways to ensure privacy with identity verification.

      source
  • ParadoxSeahorse@lemmy.world 2 months ago

    Ok but isn’t that just this?

    Declared Age Range / AgeRangeService - iOS

    Use Play Age Signals API - Android

    source
  • arcine@jlai.lu 1 month ago

    You know what? If this law is only imposed on commercial operating systems, and I can make my free OS lie and say I’m 100+; then maybe this could work.

    source
    • Matty_r@programming.dev 1 month ago

      No, you’ll only be able to access the internet on approved devices. Anything that isn’t under their full control will be disallowed.

      source
  • mrnngglry@sh.itjust.works 1 month ago

    As a parent, I wish someone would develop a cross platform, open source, parental control tool that preserves privacy while allowing for strong controls that are simple to use. The best I could come up with is a separate instance of Pihole that any device my kids use is linked to. It would be nice if there was a software option or something implemented in hardware that allowed parents to register the device with the user’s age (no identifying info). Laws could then be passed forcing certain websites and apps to reject any users under a certain age. The restrictions could automatically lift when the user reaches a predetermined age. I’m not an expert so there are probably aspects of this I haven’t thought through but it seems better than what has been implemented so far.

    source
    • SnotFlickerman@lemmy.blahaj.zone 1 month ago

      > The best I could come up with is a separate instance of Pihole that any device my kids use is linked to.

      It’s a little clunky, but you can do this with one Pi-Hole instance by using the Groups feature. In the “Groups” tab take a group for your default Pi-Hole settings (or just use the already included Default group), and then make a separate group for the additional blocked domains for your children’s devices (for purposes here we’ll refer to this group as “Child”). In your Lists tab, choose which Group each list should be applied to (or choose the group it should be applied to while adding the entry). In your Clients tab use the drop down menu to choose and assign devices to Groups, put all your devices in the Default group and put all your children’s devices in both the Default Group and the Child Group. This way your devices will have the default blocklists and your children’s will have the default plus the additional blocklists aimed to protect them specifically.

      source
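A small model of the group setup described in the comment above, added here as an illustration and not taken from the thread or from Pi-hole's own code; the table names, list URLs and client addresses are constructed for the example. It computes which lists each client ends up with and flags a child device that was placed in the Child group without also staying in Default.

```python
import sqlite3

def build_model():
    """Constructed sample data: two groups, three lists, three clients."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE grp(id INTEGER PRIMARY KEY, name TEXT UNIQUE);
        CREATE TABLE list(id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE list_grp(list_id INT, grp_id INT);
        CREATE TABLE client(id INTEGER PRIMARY KEY, ip TEXT UNIQUE);
        CREATE TABLE client_grp(client_id INT, grp_id INT);
        INSERT INTO grp VALUES (0,'Default'),(1,'Child');
        INSERT INTO list VALUES (1,'https://lists.example/ads.txt'),
                                (2,'https://lists.example/social.txt'),
                                (3,'https://lists.example/adult.txt');
        INSERT INTO list_grp VALUES (1,0),(2,1),(3,1);
        INSERT INTO client VALUES (1,'192.0.2.10'),(2,'192.0.2.20'),(3,'192.0.2.30');
        -- .10 parent laptop; .20 child phone set up as described;
        -- .30 child tablet mistakenly placed in Child only
        INSERT INTO client_grp VALUES (1,0),(2,0),(2,1),(3,1);
    """)
    return db

def effective_lists(db, ip):
    """Lists applied to a client: union of the lists of every group it is in."""
    rows = db.execute("""
        SELECT DISTINCT l.url FROM client c
        JOIN client_grp cg ON cg.client_id = c.id
        JOIN list_grp lg ON lg.grp_id = cg.grp_id
        JOIN list l ON l.id = lg.list_id
        WHERE c.ip = ? ORDER BY l.url""", (ip,))
    return [r[0] for r in rows]

def missing_default(db):
    """Audit: clients in 'Child' that were not also left in 'Default'."""
    rows = db.execute("""
        SELECT c.ip FROM client c
        JOIN client_grp cg ON cg.client_id = c.id
        JOIN grp g ON g.id = cg.grp_id AND g.name = 'Child'
        WHERE c.id NOT IN (SELECT cg2.client_id FROM client_grp cg2
                           JOIN grp g2 ON g2.id = cg2.grp_id
                           WHERE g2.name = 'Default')
        ORDER BY c.ip""")
    return [r[0] for r in rows]
```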
      • mrnngglry@sh.itjust.works 1 month ago

        Thanks for this! I’m still relatively new to Pi-Hole. I’ll give it a look.

        source
    • XeroxCool@lemmy.world 1 month ago

      I’m not in IT and only have tangential knowledge, but I would think something like corporate internet control would work for this. I know my company has blanket access restrictions with the ability to modify them on an individual basis. But I haven’t the slightest idea how to implement that. I think all of my company device data goes through a tunnel.

      source
      • KairuByte@lemmy.dbzer0.com 1 month ago

        You’d think so, but I promise you that a teenager will work their way around most internet based blocks eventually. The thing that gets you in a corpo environment is that they fully log your browsing, so yeah you managed to find fuckmyfacesilly.com that wasn’t blocked, but you’re going to have a little talk with management as soon as someone checks the logs.

        source
    • one_knight_scripting@lemmy.world 1 month ago

      Have you checked your modem/Wi-Fi router?

      source
      • mrnngglry@sh.itjust.works 1 month ago

        I did. My router runs a version of OpenWRT and while I can blacklist certain domains, I can’t add lists of domains. They have to be added one by one. The pi-hole solution is much easier. I can add an entire list for social media. I can add a list that forces search engines to use safe search.

        source
  • Safetyshaft@lemmy.world 2 months ago

    Apple already has iCloud age settings

    source
  • khannie@lemmy.world 2 months ago

    Year of the Linux desktop inbound.

    source
  • paraphrand@lemmy.world 2 months ago

    They keep trying to make Linux more appealing.

    source
  • RodgeGrabTheCat@sh.itjust.works 2 months ago

    Sounds good. Might even encourage more people to move to privacy-respecting OSs.

    source