> To me it seems like Cory Doctorow is demanding perfection, and saying that because we can't achieve perfection in age verification, we can't do age verification at all.

Not we can't, but we shouldn't. All the current solutions are terrible, and are either trivial to fool or mass surveillance machines. We shouldn't be stupid enough to go for either option because it'll either cost a fortune while giving us nothing, or cause immeasurable harm when the National Porn Viewing Database inevitably gets used to blackmail everyone.

We're trying to (poorly) use technology to solve a social problem. If we can't figure out a way to do so using technology without significant downsides, then perhaps we shouldn't be using technology to solve the problem at all.

> Not we can't, but we shouldn't. All the current solutions are terrible, and are either trivial to fool or mass surveillance machines. We shouldn't be stupid enough to go for either option because it'll either cost a fortune while giving us nothing, or cause immeasurable harm when the National Porn Viewing Database inevitably gets used to blackmail everyone.

It seems like we could get "good enough" solutions that would reduce the amount of explicit material we show to kids, as well as push back the age where children are first exposed. I don't think a good technical implementation will require a "National Porn Viewing Database", but that's what we will end up if engineers and technologists dig in their heels and say "no". It is already happening in places like France and Texas.

> We're trying to (poorly) use technology to solve a social problem. If we can't figure out a way to do so using technology without significant downsides, then perhaps we shouldn't be using technology to solve the problem at all.

Technology created this social problem; its given us unprecedented access to explicit material. These aren't playboy's under the bed. Technology can help remediate.

The MDL standard does not do what you think it does.

My understanding is that it supports selective disclosure of attributes such as "over 18". Is this not true?

It is not. It claims it but the underlying cryptography doesn't support it.

I was surprised to read this.

I don't have access to the standard for the mDL's being discussed, that is ISO/IEC 18103-5 [1] but I have found a number of accessible resources [2][3] which suggest selective disclosure is supported.

I would be interested to learn more about the gap you suggest exists between what is claimed and what is, due to the underlying cryptography, possible.

Can you provide more details ?

[1] https://www.iso.org/standard/69084.html

[2] https://www.youtube.com/watch?v=sR5b7uuMiKk

[3] https://www.youtube.com/watch?v=AX2TdIlakNs (at 0:26 mentions selective disclosure as being "key" to the standard)

People are just telling lies. Each mDL has a unique signature that is always revealed even if other information isn't.

They also get who actually passed the bill wrong - it was the last Conservative government.

All the govt needs to do is send fines to offenders and the industry will be forced to implement one or more solutions.

The govt doesn't care how you verify age only that you don't sell to minors.

And how well has this worked in practice? How would you even identify violations, if you're not requiring websites to store the user's real-world identity?

Large websites do not care even the slightest bit about how accurate the verification method is. They have zero incentive to genuinely get rid of underage users. If anything, they want to keep them - they are prime advertising real estate! Websites have every incentive to implement the age check in the cheapest and most half-baked way possible. As long as they are able to prove on paper that they are doing some form of age verification, they have met their requirements. Got a 90% false positive rate? Working as intended!

The only people getting fines are the small websites who can't afford to pay a 3rd party verification service. This'll shut down your local hobbyist communities, which only drives more visitors to the large megacorp websites.

Experience with GDPR and DSA shows that the fines lag years behind the abuses.

Yeah, it seems like Doctorow presents arguments that a good IDP system is complicated, but begins and concludes by saying it's impossible.

It kinda seems the internet has real, longstanding problems stemming from the inability to verify anything about anything online. For the most blatant example, a website admin can never permanently ban a troll or criminal (they just sign up under a new name).

It makes one wonder how Doctorow reconciles the internet as it is with his stand against adopting some kind of IDP system.

A lot of the big players have enacted nearly permanent bans. I'd have to look up the specifics, but generally the process is:

1. Require an approved phone number upon signup or instant account "permanent suspension"

2. Require video of face and you holding id card

3. Associate "forever identifiers" in android with past accounts and ban your new, functional account if it shows up on a device that was previously associated with a banned account. I'm not sure if Apple has similar hard-reset-surviving identifies.

4. Ban accounts that somehow got passed your prior checks but you have reason to suspect they aren't conforming to normal behavior.

I think all these practices are bad, bad, bad, so I don't use any sites that require them, but that is mostly how Meta and other large social networks operate these days. I assume they do it for surveillance reasons, associating an account with the correct person to get more money out of their data, but since the precedence exists, it makes it that much easier for other sites to follow.

> common pitfall of techno-idealists

Common pitfall? It’s why these techno-idealists are loudmouthed on the internet, but don’t get respect anywhere politically. If you want to gain ground politically, you need to at least acknowledge what the problem is, or is perceived to be, and offer a real solution. “Nope we can’t do that because of this 0.1% edge case” doesn’t qualify. “Apple should just dump all schematics online regardless of what China might do” doesn’t qualify. “The internet is great at it is, and your political concerns are invalid” doesn’t qualify.

> If you want to gain ground politically, you need to at least acknowledge what the problem is, or is perceived to be, and offer a real solution.

Why? If you do not believe it is a problem that's just like apologizing when you haven't done anything wrong.

I think all members of your ethnic group are inferior and dangerous (if you identify with more than one ethnic group, pick one). I'm calling for legislation mandating that you all be rounded up and put in camps.

If you want to argue against my proposal, please remember to stay within my frame of reference.

That’s an example where there’s not much point in arguing against your proposal precisely because of the impossibility of establishing any kind of shared frame of reference. If people are trying to put you in concentration camps then the time for reasoned argument has most likely passed. On the other hand, people who support and oppose these sorts of age verification laws might actually have a lot of common ground, if they’d take the time to find it.

>If you want to argue against my proposal,

I don't need to which was my point. You're trying to advance a position so extreme that you'd make a terrible aspiring bigot in US politics. The ones that have some political brains never advance positions so maximalist they turn 80% of the country away.

Let’s take the pornography argument for example.

Regardless of whether pornography is, or should be legal, average exposure is now 11 years old. That’s average, many kids are even younger.

If this even prevents 95% of kids from accessing pornography until they’re 15 and get a debit card to buy a VPN, that’s a win in the eyes of most parents and legislators. It doesn’t need to be perfect, or even perfectly force you to be 18, to get the primary job done. Pointing to “a 16 year old can get around it with a VPN” is missing the point. It’s not a surprise why that argument falls on deaf ears.

Or, another one, “just use parental controls,” have you even tried this? Almost all parental controls are horrifically buggy, full of loopholes, and these kids can just borrow each other’s technology. Apple’s parental controls predate HTML5 (literally, HTML 4.01) and regularly don’t work, sometimes even by their own admission. It also forces the parent to be in the role of a tech expert fluent in Microsoft, Apple, Google, Nintendo, and other products all at once. You might as well get CompTIA certified. That argument also falls on deaf ears.

> Apple’s parental controls predate HTML5 (literally, XHTML 4.01) and regularly don’t work, sometimes even by their own admission. It also forces the parent to be in the role of a tech expert. That argument also falls on deaf ears.

The solution, then, ought to be to pass a law requiring some sort of standardized parental controls that allow trivial set-and-forget management. Require device manufacturers/software distributors to sort out a "child mode" switch you can flip upon device initialization, in-your-face and unmissable, and then have apps/webpages be able to see whether the device reports it's in child mode. Does this not solve the "prevents 95% of kids from accessing pornography" threshold of effectiveness while being infinitely less invasive?

> Require device manufacturers/software distributors to sort out a "child mode" switch you can flip upon device initialization, in-your-face and unmissable, and then have apps/webpages be able to see whether the device reports it's in child mode.

Wouldn't even need to develop anything new for this outside of a simplified UI over an MDM. Devices already support an incredible amount of monitoring and control, even iDevices, via MDMs.

But MDMs are for now only business/enterprise products, and are priced as such.

Makes me wonder if there's a market there for someone to just package up a consumer-focused, dead simple to use MDM. Enroll with QR code, set up some default policies, etc.

> The solution, then, ought to be to pass a law requiring some sort of standardized parental controls that allow trivial set-and-forget management. Require device manufacturers/software distributors to sort out a "child mode" switch you can flip upon device initialization, in-your-face and unmissable, and then have apps/webpages be able to see whether the device reports it's in child mode. Does this not solve the "prevents 95% of kids from accessing pornography" threshold of effectiveness while being infinitely less invasive?

This feels like an idea out of a previous era; where a lone family computer sat in the living room. There are so many devices now, we can't assume we control or know about all devices our children may have access to.

> There are so many devices now, we can't assume we control or know about all devices our children may have access to.

This is specifically a solution for a world with many personal devices. The devices a child has access to are their own (in child mode), someone else's being lent to them (the analog loophole, not solved by child mode or proof-of-age), and public devices at schools, libraries and the like, which are typically locked down.

Not at all, it's extremely forward-looking, due to its distributed nature, clean separation of responsibilities among sites, manufacturers, and parents, each doing their part to influence the end result to the appropriate extent. Sites should inform clients about the nature of the content, clients should be configurable to accept or reject various kinds of content, and parents should enforce configurations on devices their children use.

Parents cannot abdicate responsibility for what their children are exposed to.

That's not a major problem. Also, how does age verification fix things in that scenario if a child is using their parents device?

If a parent can't be bothered to pin-lock their device or flip it into child mode then there is no technological solution. Now you're the one looking for the perfect solution that doesn't exist.

> Also, how does age verification fix things in that scenario if a child is using their parents device

Because the age is verified at the time of access; instead of once during initial setup. Odds are that the former will catch far more flies than the latter.

Your employer probably does the same. Do they have you log in once when you set up your laptop, then comfortably happily say it’s you for the next three years; or do they have you sign in every morning?

> Because the age is verified at the time of access; instead of once during initial setup.

Is that really how it works? Every single time you visit any website on the Internet or launch any app it's going to age ID you? I don't think that's right. You validate your account and then you login and you're good. If someone else uses your account, they are you.

And as you said, people share devices but it's also usually one account per app per device. You have to go out of your way to sign out of each individual app or website.

> You validate your account and then you login and you're good.

... which doesn't work, because it'll quickly lead to an enterprising 18-year-old highschooler selling pre-verified porn website accounts for $10.

> Regardless of whether pornography is, or should be legal, average exposure is now 11 years old.

You make it sound like historically it was much later but actually even in the 1980s 11 years old was common. In fact, that matches my own personal experience from that era.

> Or, another one, “just use parental controls,” have you even tried this?

Parental Controls is the right answer but absolutely agree that parental controls suck. As a parent, I'd love just any level of better control. I don't even care if I have different controls per manufacturer as long they're pretty complete and capable.

If the EU can mandate USB-C, they can mandate all technologies include powerful and capable parental controls.

There is no need for age verification -- parents know how old their children are. Parents are providing children with the devices and often the means of connectivity as well. This is and has always been a parenting problem. If the government wants to assist parents, I'm all for that. But age verification is not the answer.

> Parental Controls is the right answer but absolutely agree that parental controls suck. As a parent, I'd love just any level of better control. I don't even care if I have different controls per manufacturer as long they're pretty complete and capable.

> If the EU can mandate USB-C, they can mandate all technologies include powerful and capable parental controls.

> There is no need for age verification -- parents know how old their children are. Parents are providing children with the devices and often the means of connectivity as well. This is and has always been a parenting problem. If the government wants to assist parents, I'm all for that. But age verification is not the answer.

We no longer live in the era of a single family computer. Parents don't know about all devices their children will use to access the internet, so filters aren't going to cut it.

A good implementation of age verification would assist parents, as you suggest, while denying control to the government. IMO parents should always be able to bypass the block for their children. If the government wants to "block" Wikipedia, the parents should be able to give it back to their kid.

> Parents don't know about all devices their children will use to access the internet, so filters aren't going to cut it.

Parents own their network. They can easily issue root certs to devices on their network or deny access to non allowlisted sites. They can require a proxy to hit anything outside the allowlist too.

Then they can not only see what sites their kids visit, but they can also set up some models to check all media for naughty content. It's not a hard thing to solve as a parent and prevents mass surveillance outside your local network.

> We no longer live in the era of a single family computer.

In that era, there were always other family's computers.

> Parents don't know about all devices their children will use to access the internet

That's why we need the parental controls! That's the entire purpose. All devices that all children have everywhere were given to them by an adult. If they have Internet access, some adult somewhere is paying for that service. We simply want more control over those things that is easier to manage.

It's not at all complicated.

Age verification is a parental control. Parents can always bypass it for their children.

It's not parental control; it's governmental control. Yes, parents can bypass it for their children but that doesn't mean it's parental control. When you have to provide your own ID to access a site your parents are not involved.

> That is, until Linux is also forced to come into compliance with said parental control standard, complete with all centralized reporting and remote restriction capabilities.

Linux is fine. Someone can build the ultimately perfect parental control software for Linux and I'll use it. The same cannot be said for Windows, Android, or iOS -- third party system cannot exist for those platforms that are sufficient unless they're made by Microsoft, Google, or Apple respectively. Perhaps we just have to mandate an open standard. In fact, I would prefer that.

> What do governments do when everyone has the same parenting problem?

The wrong thing. Always.

> Linux is fine. Someone can build the ultimately perfect parental control software for Linux and I'll use it.

You can't build a perfectly secure system and still respect the user's freedom. The perfect parental control system is by definition also going to be the ultimate rootkit - or else you'd just boot your own kernel which perfectly fakes the parental controls.

In such a world you wouldn't be allowed to build your own OS, only boot a pre-approved image. The Linux community is not exactly likely to participate in this.

No solution is perfect but we already have secure boot. It doesn't even have to mandate some pre-approved image; it just has to be an image that I approve and lock. This is already a well solved problem for corporate environments.

You miss the point. I want all the power. Let me install and configure a Linux image of any sort and then lock it down. I am root. My kid is a mere user.

There is nothing terribly difficult or even controversial about that.

Agreed. Plus think how great the infosec candidates of the future will be as kids all across the world constantly red team against their parents.

This is no lie: My son brute-forced the parental control pin on his iPhone. For over 6 months, he would just try random combinations while in bed at night. One night, I don't know when, he found the right pin.

I'm not sure how long he had it bypassed before we figured it out.

> Almost all parental controls are horrifically buggy, full of loopholes, and these kids can just borrow each other’s technology.

... and the centrally imposed, one-size-fits-all, politics-first age verification system you want will of course be free of bugs, loopholes, opportunities to borrow devices, or whatever.

That's good, since you want to apply it to every single person on the Internet.

> Regardless of whether pornography is, or should be legal, average exposure is now 11 years old. That’s average, many kids are even younger.

Okay, then don't give your kids access to the internet if you're so concerned, in the same way you wouldn't leave the liquor cabinet unlocked.

People did it for millenia. It worked fine. We don't need any solutions, the solutions already exist.

The problem is that you're not happy with parents not caring. You want to repress parents rights, and do it yourself, because you are greedy and have delusions of grandeur.

To me, if the parents of the actual fucking children don't care, then why should I? They're not my kids. They're your kids. Do something about it. If you do nothing, then I'm going to assume it's not a real problem at all and this is just some sort of society wide delusion.