The privacy implications for this bill for adults seem to be about the same as the privacy implications for the "Click if you are 18+" button on many websites.
If you are under 18 there is no checking to stop you from saying you are are 18+
The only people it seems might have their privacy slightly reduced are people under 18 who are using a computer or smartphone/tablet that had parental controls set up by presumably a parent or guardian before giving the minor access.
The bill requires that the parent be able to enter the minor's birthday or age in one place, and then provide a way that the age range (under 5, 5-10, 10-13, 13-16, 16-18, 18+) can be given to apps/sites if they ask for it.
Thus, if you are a minor using a device that was set up with parental controls and you try to use an app or site that is restricted, that app or site will find out your age range.
This is actually a level headed way to deal with it. Provide a way for the device to inform the website / app of their age status (it can be bucketed for increased privacy/compatibility with existing rating systems). Then legislate that it is on the website to inform the device of the type of content being served. Then the device/browser can be responsible for implementing the privacy controls (page blocking, notifications, overrides, etc.), and the parents are responsible for ensuring their children's devices are configured with their ages.
In practice, 100%. In theory we could likely design "good enough" anonymous systems that work like buying alcohol or tobacco in most countries (buy a scratch token in cash at a corner store after showing ID, picked at random from a box of them - contains a number, possession of which is theoretical proof that you had your ID verified at purchase)...but of course, the real purpose of age-gating is exerting a chilling effect, so we'll never hear about privacy-preserving methods.
(NB: I am firmly opposed to any of this. The solution for parents concerned about their kids is parenting and parental controls, not giving authoritarians of all stripes the means to snoop and ban whatever they decide is obscene or troubling.)
Is there irony in the fact that Americans will pass privacy invading laws to protect kids from porn, but not gun laws to protect them from being shot at in school? How many kids die from porn exposure every year?
The thing is gun laws won't protect against school shootings unless you basically completely disarm the population--which is not realistically possible as there would be too much non-compliance. And note two things about the data:
1) Many sources seek to inflate the number of school shootings by counting incidents in which the school is only incidental, not the target. Think drug deal in the parking lot when school is out etc. And note that counting firearm deaths to minors counts mostly gang vs gang stuff.
2) It is almost certain that guns save more people in self defense situations than they take in all mass shootings (using the realistic test of public and indiscriminate targets--again, the numbers are inflated by things like gang fights), let alone just school shootings. (And, no, I do not believe Lott's numbers. He's way high and an awful lot of what he does count is deterred robbers and the like, where death was unlikely in the first place.)
The US has never tried this. For an example of efficacy we have to look at other wealthy western nations that have strict gun laws and see how many school shootings they have. The data overwhelmingly indicates this works.
As a counter-point, where in the US has any law stopped teenagers looking at naughty things on the internet?
Don't look at school shootings, they don't matter. What matters is how many, not by what means. Note that the most deadly such attack was with a truck, not a gun.
The data proves nothing about whether it works because it's a cultural problem far more than it is a means problem. They choose to go out in a blaze of infamy rather than be a nobody. They generally are planned long in advance, there's plenty of lethal things they can get their hands on.
Easy, just do the same thing as other western countries. If the 2A is an obstacle, then change it. The unlikelihood of and changing the 2A is the heart of the problem, not an constraint to be worked around. The question is why are gun rights sacrosanct, but other rights can taken away just by saying 'think of the children'.
If you think the 2nd Amendment is bad now, just wait to you see what happens if we're unlucky enough to ever have a Constitutional Convention in our lifetime.
Porn sites have been there almost 20 years. Why it is problem right now? Is there extensive recent research about it? Or now we just have the capability?
It's a "problem" because we are becoming a theocracy.
There's no reasonable demonstration of harm and a very strong correlation between availability of pornography and a big reduction in sex crimes. The purported harms are due to blocking reasonable sex education, leaving teens with the equivalent of Hollywood being the only model of sex they see. The original study that was created to show the harms concluded they couldn't find any to anyone, even minors.
I ember them showing up and then being limited to super shady sites PDQ.
Which makes sense- since exposing minors to pornography was a crime, and got even more illegal somewhere in that time frame, along with the web becoming "professional" (whitehouse top level domain mixup stories anyone?), the honest pornography sites all started self-regulating and asking if somebody is an adult before anything naughty gets shown.
Big tech has generally not loved this because they know that adding friction like id checks massively reduces attach rates. This is watered down enough that it's likely seen as a lesser evil.
I think they love it to because it will be another barrier for a little small start up from entering the market. You'll need to spend so much on regulatory issues and compliance that only the biggest, established companies can have a business.
No one ever explains why it's so important that everyone always conceal their identity on the web, as though it were some global red light district. The most successful tech platforms all succeeded by getting people to be trusting enough to say who they are, like Twitter, Facebook, etc. It's worth billions of dollars to create any online space that isn't anonymous.
It's important to conceal your identity because the internet is forever. Your comments, opinions, beliefs, embarrassing moments... all recorded (essentially) for life. This happens through administration changes, different jobs, life changes, belief shifts, different friends and partners, etc. Without anonymity, anybody can comb through your entire history to make any point they want. To justify any accusation about you they want using 'evidence' from years past. To stalk or harass. To fire you for daring have an opinion about something. Depending on your government, to arrest you for what you've said in the past.
A huge issue with the modern web is that everything is seen as a profit motive. I don't care how many billions of dollars tracking everything we do and tying it to our person is worth. I don't want it.
That's a good thing since it means we have the opportunity to be remembered for eternity. Information is permanent. Also don't think that just because the system doesn't reveal who you are to other users today that your identity and life activities won't be decloaked later on should culture or policies ever change. If you're open, trusting, and use your real name today, you'll at least get the benefits and glory of eternal fame while you're alive.
Someone you don't like somehow gets voted into power and begins trying to enact changes towards a social group you belong to.
Building anonymous systems is one way to avoid Bad Actor X from having Big List Y, leading to Atrocity Z.
Having a really successful social network isn't a goal post, it's just a result.
Great -- it made a zillion dollars, meanwhile we've built the biggest leakiest information trove on individuals, for individuals to be exploited, ever imagined.
Already happened with USG. You know who doesn't discriminate against my group? Big tech companies. If they can step up and take on more responsibility for identity verification in our society, then my social group will be less oppressed. The California Republic must lead the way.
> You know who doesn't discriminate against my group? Big tech companies.
Yes, they just give megaphones to, and make bank on, the propagandists that are responsible for the current moral panic that's resulted in the US government discriminating against LGBT people.
These are the same companies that facilitated propaganda that led to hate and violence like this[1]. A deeper look with plentiful citations is here[2] from the Harvard Systemic Justice Project.
To give you an example that happened here in the US, a friend recently moved back to the city because his neighbors felt emboldened to constantly call him slurs on Facebook when they disagreed with him. He couldn't use local Facebook groups without bigots following him around and calling him slurs. They felt emboldened after this[3], knowing Facebook would do nothing about it. Discriminatory harassment over Facebook after their policy shift drove him from his own home. Facebook's policies allowed a community to successfully rid itself of a minority it didn't want to see or hear.
What do you want tech to do? Use agents to deploy an apparatchik to every man woman and child? Wouldn't that leave people like you out of a job? What would you do all day? Tech platforms should take no part in the social disagreements of the people. They should be neutral unbiased providers of digital space.
What's stopping you from doing that? They tried to come for my passport but missed. Our heroes in the civil service saw to that. Just got a new one in the mail today and I'm so happy.
Tech platforms are valued at billions of dollars because they found ways of convincing their users to give up anonymity. That has nothing to do with whether the anonymity was important.
The bill doesn’t actually require any real age verification... it just asks people to provide a (any) birthdate for the purposes of categorizing their access by age bracket. It doesn’t say anything about the information having to be accurate, and gives no penalties if you lie.
I'm still against age verification in general, but I don't think this particular bill warrants the massive outrage similarly being made lately about more serious age verification laws, as it does not require any facilities for actually verifying, well, anything.
>to provide a developer, as defined, who has requested a signal with respect to a particular user with a digital signal via a reasonably consistent real-time application programming interface regarding whether a user is in any of several age brackets, as prescribed.
Summary reads to me as this bill requiring calls to an API to verify the user's age.
> requiring calls to an API to verify the user's age
By simply asking for their age. There's nothing about requiring that the age is actually attempted to be verified as accurate at all. And the "age bracket" is specifically defined as nonpersonally identifiable information.
And it still gives no consequences for wrong/fake information.
Interestingly, they also define a "developer" simply as "a person that owns, maintains, or controls an application".
Wouldn't that inherently include all users of a computer in general?
> There's nothing about requiring that the age is actually attempted to be verified as accurate at all.
To quote: requires a business that provides an online service, product,
or feature likely to be accessed by children to do certain things, including
estimate the age of child users with a reasonable level of certainty
appropriate to the risks
"Reasonable level of certainty" requires some kind of attempt at verification. In Australia for example they allow facial estimation software (which I agree is not good, but it provides some kind of estimate the government is happy with)
> And it still gives no consequences for wrong/fake information.
Where are you seeing that?
To quote the bill:
> This bill would punish noncompliance with a civil penalty to be
enforced by the Attorney General, as prescribed.
And:
line 17 A person that violates this title shall be subject
line 18 to an injunction and liable for a civil penalty of not more than two
line 19 thousand five hundred dollars ($2,500) per affected child for each
line 20 negligent violation or not more than seven thousand five hundred
line 21 dollars ($7,500) per affected child for each intentional violation,
line 22 which shall be assessed and recovered only in a civil action brought
line 23 in the name of the people of the State of California by the Attorney
line 24 General.
> (2)(A) A developer that receives a signal pursuant to this title shall be deemed to have actual knowledge of the age range of the user to whom that signal pertains across all platforms of the application and points of access of the application even if the developer willfully disregards the signal.
> (B) A developer shall not willfully disregard internal clear and convincing information otherwise available to the developer that indicates that a user’s age is different than the age bracket data indicated by a signal provided by an operating system provider or a covered application store.
> (3)(A) Except as provided in subparagraph (B), a developer shall treat a signal received pursuant to this title as the primary indicator of a user’s age range for purposes of determining the user’s age.
> (B) If a developer has internal clear and convincing information that a user’s age is different than the age indicated by a signal received pursuant to this title, the developer shall use that information as the primary indicator of the user’s age.
They don't actually define what "likely to be accessed by children" or "a reasonable level of certainty" really is.
I could say "some kind of attempt" is merely asking the user if they are over 18. I see no language that says that's not good enough, especially appropriate to the "risks" of 98% of websites.
> Where are you seeing that?
The noncompliance is on the part of the site owner, not the user. It just means you must ask their age (bracket), it doesn't mean the user has to tell the truth.
The MPAA's argument against this bill is a complete joke:
>MPA urged state lawmakers to reject Wicks’ bill this week in a letter, obtained by POLITICO, claiming device-based age checks may sow confusion; for example, if parents and kids had separate Netflix profiles under one account that’s logged in on multiple devices.
To the point where I'm asking if someone needs some token opposition to frame this obvious bill a political win?
This bill is a strictly better version of the age gating initiatives that have been passed in other states and countries like the UK and Australia. If age gating is inevitable, and it seems as though it is, this is the least bad way to do it — enforcing the onus on device manufacturers, who can do verification one time and then throw away the information.
It would easily mean that you're required to have an unmodified device, running a locked down system, to be able to access any service that uses age verification.
Although, a much more sensible alternative, would be to have parents (that do want the control) give their sons devices that send the "minor alert" signal, and have the services detect that.
This seems... not terrible? The typical counter-argument to any "think of the children!" hand-wringing is that parents should instead install parental controls or generally monitor what their own kids are up to. Having a standardized way to actually do that, without getting into the weirdness of third-party content controls (which are themselves a privacy/security nightmare), is not an awful idea. It's also limited to installed applications, so doesn't break the web.
This is basically just going to require all smartphones to have a "don't let this device download rated-M apps" mode. There's no actual data being provided - and the bill explicitly says so; it just wants a box to enter a birth date or age, not link it to an actual ID. I'm not clear on how you stop the kid from just flipping the switch back to the other mode; maybe the big manufacturers would have a lock such that changing the user's birthdate when they're a minor requires approval from a parent's linked account?
That said, on things like this I'm never certain whether to consider it a win that a reasonable step was taken instead of an extreme step, or to be worried that it's the first toe in the door that will lead to insanity.
The language suggests to me that GitHub would be a covered app store and a FOSS Linux distribution without an age gate API would be illegal in California (along with all programs that don't check the age API, e.g. `grep`), so it seems quite a bit worse in terms of killing free speech and culture than requiring adult sites to check id to me.
Notably, a "covered app store" doesn't seem to need to be... a store. Any website or application that allows users to download software is covered. There's no exemption for non-commercial activity. So every FOSS repo and programs like apt are covered? The requirement is also that developers will request the signal. No scoping to developers that have a reason to care? So vim is covered? Sort? Uniq?
Honestly I can't believe big tech would go along with it. Most of their infrastructure seems like it would clearly be illegal under this bill. Either there's something extremely obvious I'm missing or every lawyer looking at this bill is completely asleep at the wheel.
I hadn't thought about GitHub -I'm guessing the authors of the bill didn't either - but you're right, that is somewhat concerning. Still, I don't think it's the end of the world...
> The requirement is also that developers will request the signal. No scoping to developers that have a reason to care?
I don't see that requirement. Here's the sum total of the developer's responsibilities (emphasis added):
> A developer with actual knowledge that a user is a child via receipt of a signal regarding a user’s age shall, to the extent technically feasible, provide readily available features for parents to support a child user with respect to the child user’s use of the service and as appropriate given the risks that arise from use of the application, including features to do all of the following:
> (A) Help manage which accounts are affirmatively linked to the user under 18 years of age.
> (B) Manage the delivery of age-appropriate content.
> (C) Limit the amount of time that the user who is 18 years of age spends daily on application.
It would be nice if it had specific carve outs for things that aren't expected to interact with this system, but it seems like they're leaving it up to court judgment instead, with just enough wiggle room in the phrasing to make that possible.
If your application doesn't have a concept of "accounts", then A is obviously moot. If you don't deliver age-inappropriate content, then B is moot. The only thing that can matter is C, but I'd expect that (a) nobody is going to complain about the amount of time their kids are spending on Vim and (b) the OS would just provide that control at a higher level.
> (b) (1) A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.
> (b) If an application last updated with updates on or after January 1, 2026, was downloaded to a device before January 1, 2027, and the developer has not requested a signal with respect to the user of the device on which the application was downloaded, the developer shall request a signal from a covered application store with respect to that user before July 1, 2027.
Application developers are required to request an age signal from the operating system.
> (c) “Application” means a software application that may be run or directed by a user on a computer, a mobile device, or any other general purpose computing device that can access a covered application store or download an application.
So applications are any program that runs on any computer with the capability to install software from an online source. Ergo, a program like `sort` must request an age signal when it runs.
The bill is clearly thinking in terms of the two big phone monopolists while ignoring computers that are meant to act as useful tools (which contain thousands of programs from tens of thousands of authors and which have no business caring about what "store" they came from or what date they were installed on or anything about the user running them), but it explicitly says it applies to general purpose computers.
A massive improvement would be to say this only applies when there is an actual commercial store involved, and only place requirements on developers to do something if they would have some other requirement they need to comply with. And also realize that lots of applications are not meant to have the user there the whole time. How are batch jobs or interpreters like `python ` that you might leave running overnight on a job supposed to deal with the time limit? This bill is entirely focused on toys at the expense of computers. It should just place requirements on the actual companies that are causing the issues (social media/adtech, porn, gambling games, etc.)
Your store doesn't distribute social media apps, gambling, porn, etc. and just has things like text editors, music players, PDF readers, etc? No requirements should be needed. You develop a workout tracker? No requirement should be needed.
It's always possible that they'll say it, but it would be a lie based on my reading of this bill. Sideloaded apps can choose whether or not to respect the OS's advice about the age of the user, it's not on the OS or device to enforce them being honest.
So the proposal is that parents just input the age on their kid's device, and apps pull the age range to limit content.
Thats actually reasonable. Does not personally identify anyone, can be opted out of as easily as those "i am over 18" buttons. The only freedom being lost is by minors to their parents, which is already how things work. I like this
The bill is a bad idea. Of course big tech likes it, more id equals higher value data they can scrape. When (if?) it arrives it'll be two seconds before some places on the web will need more to be sure the person who set up the entire phone or app is actually not under age, thus the person setting it up will have to provide id ... the bill is a anonyphobes wet dream come true.
This bill seems reasonable according to the article? It allows the device to state the user is underage and the site must act accordingly rather than gating users to a site and must prove their age. But then again “the road to hell is paved with good intentions" so no clue how it’ll play out in reality.
This is almost an amazing thing. Some common top-level way to set parental controls across systems would be a godsend. That’s all a giant pile of time-wasting shit right now.
However, any system that just uses age is useless. They’re always excessively cautious, so you may as well just not provide access at all for kids between the ages of 6 and 12 or so, if that’s all you have.
No, block all + allow lists are still where it’s at. Please make those work better.
(If anyone knows the magic to make Minecraft [java] work with macOS allowlist-only network access, I’d love to know what it is. The fucking launcher wants to talk to a half-dozen bare IP addresses to work, and the addresses change seemingly every single launch, from a pool of what must be many hundreds, at least, it’s completely unusable)
I could also mean that if you don’t have TPM on your computer and the OS is not in the ”allowed” list, you can’t access anything. I hope that this is not the path we will see.
Agreed. But talking in generalities like "the government should be allowed to mandate a feature" leads to silly arguments like "government can't mandate airbags." We should be having the discussion about what the goal is, what the mandate would be, and what the side effects could be. Otherwise the conversation is too high level to mean anything.
I think this is more of a liability thing. If the parent set the age as underage and the kid does a bunch of stuff to circumvent that, it’s on the kid and parent and not the website.
Technofeudal Big Mother is here to deanonymize you and steal your personal identifiers to sell to data brokers because "Think Of The Children™!" Fuck age verification with 240 VAC.
You can have age gating or you can have privacy. Same as you can have porn filtering or you can have privacy.