this post was submitted on 15 Jun 2023
10 points (100.0% liked)

Technology

1083 readers
11 users here now

This is the official technology community of Lemmy.ml for all news related to creation and use of technology, and to facilitate civil, meaningful discussion around it.


Ask in DM before posting product reviews or ads. All such posts otherwise are subject to removal.


Rules:

1: All Lemmy rules apply

2: Do not post low effort posts

3: NEVER post naziped*gore stuff

4: Always post article URLs or their archived version URLs as sources, NOT screenshots. Help the blind users.

5: personal rants of Big Tech CEOs like Elon Musk are unwelcome (does not include posts about their companies affecting wide range of people)

6: no advertisement posts unless verified as legitimate and non-exploitative/non-consumerist

7: crypto related posts, unless essential, are disallowed

founded 5 years ago
MODERATORS
 

US States enforcing new age verification for adult content—how could this be done properly?

@technology

Seeing the news about Utah and Virginia over in the US, there's been a lot of discourse about how unsafe it is to submit government ID online. Even the states that have their own age-verification portals are likely to introduce a lot of risk of leaks, phishing, and identity theft.

My interest, however, focused on this as an interesting technical and legislative problem. How _could_ a government impose age-verification control in a better way?

My first thought would be to legislate the inclusion of some sort of ISP-level middleware. Any time a user tried to access a site on the government provided list of adult content, they'd need to simply authenticate with their ISP web credentials.

Parents could give their children access to the internet at home or via cellular networks knowing this would block access to adult content and adults without children could login to their ISP portal and opt-out of this feature.

As much as I think these types of blocks aren't particularly effective—kids will pretty quickly figure out how to use a VPN—I think a scheme like mine would be at least _as effective_ as the one the governments have mandated without adding any new risk to users.

What do you all think? Are any of you from these states or other regions where some sort of age-restriction is enforced? How does this work where you are from?

Edit:

Using a simple captive portal—just like the ones on public wifi—would probably be the simplest way to accomplish this. It's relatively low friction to the end-user, most web browsers will deal with the redirect cleanly despite the TLS cert issues, and it requires no collection of any new PII.

Also, I don't think these types of filters are useful or worth legislating, I'm just looking at ways to implement them without harming security or privacy.

top 18 comments
sorted by: hot top controversial new old
[–] BlameThePeacock@lemmy.ca 7 points 1 year ago

There's no good way to do this without that information being available somewhere we don't want it for privacy reasons. You shouldn't trust a company with your information any more(or less) than the government.

Stop trying to be a nanny state, if people want to view porn, let them. If kids try to view porn, that's up to the parents to manage.

[–] TheCuriousCoder87@lemmy.ml 3 points 1 year ago (3 children)

I don't really like all these anti-porn laws. If kids want porn, there are too many leaky buckets they can drink from. Hell, they could just messages pics and videos to each other.

That said, if we are forced to do strong verification, the best I can think of is some sort of mix of the ideas we use for certificate authorities and oauth.

Certificate authorities are really just trusted identity providers. In my solution, you would choose from a list of trusted identity providers. You provide them with all the private information necessary for them to validate your identity. From there a third party can validate information about you with your permission.

The way this workflow would work is similar to oauth workflows people are familiar with for Google, Facebook, and other single sign-on solutions. You go to a adult site, select your provider from a list of trusted identity providers, the adult site redirects you to the provider site, you log in and give the adult site the privilege to verify you are over 18. The browser redirects to the adult site. The adult site would get nothing else about you besides what identify provider you use and if you are over 18.

Now ultimately, you have to give your private details to someone but at least you don't have to give it to everyone. Unfortunately, your provider could potentially keep track of what sites you are allowing to verify your information. We would need strict laws on these providers on what records they are allowed to keep.

I definitely agree that these types of blocking are ineffective and generally do more harm than good, but if governments are going to push for this stuff, it would be good to have a solution that doesn't harm people's security and privacy.

[–] TheCuriousCoder87@lemmy.ml 2 points 1 year ago

On the plus side, we could repurposed this system to prevent a lot of types of online fraud. You could use a provider to create a online bank account, sign documents, and other things that require identity.

On the negative side, a lot of sites might start requiring it just because they want to know who you are for advertising purposes.

[–] TheCuriousCoder87@lemmy.ml 1 points 1 year ago* (last edited 1 year ago)

Another idea is to actually use mutual TLS. Your browser provides your certificate. That certificate has nothing else in it but your status as an adult. Still have to give a certificate authority your information though.

[–] Senseibu@feddit.uk 2 points 1 year ago* (last edited 1 year ago) (2 children)

It will probably just kill off porn companies, have you seen how much porn is on telegram? People would just use that instead. ___

Porn is basically completely free nowadays anyway

[–] jeffalyanak@social.rights.ninja 1 points 1 year ago (2 children)

I don't think there's any risk of _any_ of these schemes killing off internet porn.

The current government schemes all rely on porn companies opting in and on the government/ISPs to catalog all porn sites on the internet.

[–] Senseibu@feddit.uk 1 points 1 year ago

Didn’t say internet porn, I said porn companies. Like pornhub. At the moment they rely on premium subscriptions and advertising as their source of income.

Age verification by ID is stored by a 3rd party. Straight away you’ve cut off a large portion of pornhubs users so eventually they go bankrupt. People will want to retain anonymity when watching porn, so will migrate to services like telegram where it’s basically impossible for governments to control, short of banning the app that is like they are discussing with tiktok

[–] Senseibu@feddit.uk 1 points 1 year ago (1 children)

Did you literally downvote me because I pointed out that 1. you misread my first answer 2. That age verification will fail as hardly anyone would use it

What’s the point in having a conversation if you are going to behave like that 🤣

[–] jeffalyanak@social.rights.ninja 1 points 1 year ago (1 children)

I'm on mastodon, so I can't downvote (only "like", which translates to an upvote).

[–] Senseibu@feddit.uk 1 points 1 year ago

Ah ok my apologies then

@Senseibu

It might hurt their bottom line, but the big companies operate in so many different markets and I don't think there's any risk of _all_ of them enacting these types of restrictions.

There's already an answer to that. My state (and several others) have digital IDs that exist. I have an app on my phone called mID ( Mobile ID). I can present proof of just my age to a bartender using the app. They don't see my address, birthday, DLnumber... nothing... Just that I'm indeed 21+.

I can present a qr barcode that will grant someone the ability to see my ID... I can choose what information to send by default... and if someone is requesting more information I can view/approve if I choose to.

There's no reason why a simple request to this platform couldn't do it. I have the other side of the app that let's me read other people's qr codes and validate whatever information I "need" to validate. If I can do it as an individual... I don't see why website's couldn't.

Now... Do I want the state to particularly know that "BustySluts.com" wants to view my id? I can see this being intrusive... but there's already answers like charging 1 penny to a credit card as well.

I would wholeheartedly be against my ISP doing anything other than being a carrier for my data. The ISP wouldn't be able to tell if I'm on my computer or if my child is anyway. Middleware or not.

[–] drspod@lemmy.ml 1 points 1 year ago (1 children)

This problem is always approached from the wrong angle (requiring verification of adults to view adult material) instead of the more freedom- and privacy-preserving method of requiring child-friendly sites to advertise to the browser that they are suitable for child web browsers.

What I mean by this, and the way that I would solve this problem, is to introduce an HTTP header such as X-Child-Friendly: true or X-Content-Rating: E and to put the onus on parents to set the child's web browser to only allow browsing sites which return this header. Every browser would need to have a "Parental Control" mode that restricts browsing to sites that return this header, but this could easily become a standard. Instead of having every adult site implement your legislative controls, now you just need child-friendly sites to add a header to their responses.

The whitelist approach is less likely to allow adult sites to slip through the net, compared to the blacklist approach.

For those who say that children would find a way around this by installing a different browser or unlocking the parental controls: it should be the responsibility of parents to monitor their child's access to the internet and installation of software. The current approach of trying to enforce age-verification on adult sites just shifts the problem to other adult sites that are not under the jurisdiction of the legislation.

Forcing age-verification for adults also has a huge bureaucratic cost and potential for abuse and loss of privacy. I think we know why legislators prefer this approach, and it isn't to protect the children.

[–] Tak@lemmy.ml 1 points 1 year ago

Couldn't this be done theoretically with a Pihole and an updated DNS list?

Seems like the issue is that people aren't parenting their kids and expecting the government to parent for them.

[–] werewolf_nr@fig.systems 1 points 1 year ago (1 children)

The ISP middleware is an interesting idea, basically an SSO (think the "Sign in with Google" you see everywhere). However, this would require some level of integration between every ISP and adult site, which would get seriously tedious as such things roll out all over the country. This doesn't even get into the fact that each law would vary somewhat in the specific requirements and that it just kicks the job to verifying IDs and ages to the ISP instead of the downstream site.

[–] jeffalyanak@social.rights.ninja 0 points 1 year ago (1 children)

There are lots of ways around doing a full SSO integration, though.

In the simplest form, the ISP could simply use a captive portal of some sort directing the user to authenticate first.

While captive portals can't serve the correct certificate most browsers these days are smart enough to detect a captive portal redirect and give the user a smoother experience.

[–] werewolf_nr@fig.systems 1 points 1 year ago* (last edited 1 year ago)

That solution puts the burden on the ISP to do the filtering. While it is the technologically easiest solution, it would require overturning the laws protecting ISPs from the content they serve.

load more comments
view more: next ›