In essence, while the bill doesn’t seem to require the most egregious forms of age verification (face scans or similar), it does require OS providers to collect age verification of some form at the account/user creation stage—and to be able to pass a segmented version of that information to outside developers upon request.
As much as I hate this, just filling in a drop down on OS install is fine with me. This is the ideal solution. Tell your kid’s device it’s for a kid, then use the default age restrictions correctly. That’s perfectly fine to me.
Anything to avoid evil age verification services that force deanonymization through every app and service.
I do still hold a strong reservation against these age locks — how long until the US deems LGBTQ and teaching about slavery as “mature” topics?
I disagree. This is a first step towards something far worse.
It sets up the infrastructure for getting user ages and allowing services and websites to get an attestation from the operating system. Once that system is widely used and becomes ingrained, they can create a follow-up bill that demands the attestation be cryptographically verifiable by a trusted party.
In that scenario, the only way the operating system’s promise that you’re not a minor would be trusted is if it was signed by whoever holds the private keys—and that’s definitely not going to be you, the device owner.
It would either be the government, or more likely, the operating system vendor. In the former case, now services can cryptographically prove that you’re a resident of $state in $country, which is amazing for fingerprinting and terrible for anonymity. In the latter case, you can guarantee that only the corporations will be holding the key (like with Microsoft and secure boot), and you can kiss goodbye to your ability to access services on FOSS operating systems like Linux or custom Android ROMs.
This proposal is just a way to get their foot in the door with something palatable. If you’ve ever come across banking apps on Android using Google Play Services’ SafetyNet feature to restrict access to only “secure” devices, you’ll know exactly how this turns out: either you use the phone you own the “approved” way with a stock ROM where Google has more permissions than you do, or you’re not doing your banking on your phone.
Agree with everything you say, I don’t like that it has to happen but having the device report whether you’re a child or adult makes more sense than having every service do it poorly themselves.
As much as I hate this, just filling in a drop down on OS install is fine with me. This is the ideal solution. Tell your kid’s device it’s for a kid, then use the default age restrictions correctly. That’s perfectly fine to me.
Anything to avoid evil age verification services that force deanonymization through every app and service.
I do still hold a strong reservation against these age locks — how long until the US deems LGBTQ and teaching about slavery as “mature” topics?
I disagree. This is a first step towards something far worse.
It sets up the infrastructure for getting user ages and allowing services and websites to get an attestation from the operating system. Once that system is widely used and becomes ingrained, they can create a follow-up bill that demands the attestation be cryptographically verifiable by a trusted party.
In that scenario, the only way the operating system’s promise that you’re not a minor would be trusted is if it was signed by whoever holds the private keys—and that’s definitely not going to be you, the device owner.
It would either be the government, or more likely, the operating system vendor. In the former case, now services can cryptographically prove that you’re a resident of $state in $country, which is amazing for fingerprinting and terrible for anonymity. In the latter case, you can guarantee that only the corporations will be holding the key (like with Microsoft and secure boot), and you can kiss goodbye to your ability to access services on FOSS operating systems like Linux or custom Android ROMs.
This proposal is just a way to get their foot in the door with something palatable. If you’ve ever come across banking apps on Android using Google Play Services’ SafetyNet feature to restrict access to only “secure” devices, you’ll know exactly how this turns out: either you use the phone you own the “approved” way with a stock ROM where Google has more permissions than you do, or you’re not doing your banking on your phone.
Agree with everything you say, I don’t like that it has to happen but having the device report whether you’re a child or adult makes more sense than having every service do it poorly themselves.