20 comments

[ 2.7 ms ] story [ 54.3 ms ] thread
Hopefully companies take the approach of "we just won't collect any categories of data from anyone that we can't collect from children" approach, rather than the "Please scan your government issued ID so that we can surveil you, thanks" one.
You'll find the answer in this question: Which one makes people more money?
Given the risks involved in storing this type of data, it may make financial sense to go the "don't store data" route.
Many websites have taken such an adversarial relationship to the EU's GDPR that I suspect that those same websites will block access to Californians.

That said, I wonder if any VPNs will let me pretend to be inside California?

> Many websites have taken such an adversarial relationship to the EU's GDPR that I suspect that those same websites will block access to Californians.

That should be taken as an indicator that tech companies are acting in bad faith and they shouldn't be given the option to obtain consent. Turn it into a blanket ban IMO.

That's an ostensibly incorrect POV to take. This is government doing what it does best: legislating things they don't understand to score cheap votes, not to solve actual problems.
> While there's general agreement that children could be better protected online, the approach called for under AB 2273 would require that covered websites – those that could be used by minors – somehow verify the age of visitors. Despite Newsom's nod to ostensible tech industry support, technology rights advocates dislike the age-checking mandate, claiming it will expand surveillance in the name of privacy.

I wonder if that's all visitors or only visitors claiming to be over 18. If they give legal cover to businesses that want to ask for and store government id / confirmed identities of children, that's crazy.

I have a Microsoft account where my niece and nephew are kids in my family. It's totally fake names and ages. Why should children require real names with accurate info for birthdays, etc.? Give me decent moderation tools as the family organizer and piss off. You don't need my family tree and DNA to sell me stuff online.

> "The bill is so vaguely and broadly written that it will almost certainly lead to widespread use of invasive age verification techniques that subject children (and everyone else) to more surveillance while claiming to protect their privacy," said Fight the Future, in a statement.

It almost feels like the big tech companies are behind it. Now they can ask for a copy of your photo ID or passport and blame the government when people get upset.

Forbid all data collection for anyone claiming to be under 18 and forbid discrimination against those users if your service targets children. I would really like to see the age data for Roblox users before vs after they gated voice chat behind an age requirement that's provided via the honor system.

Pass a blanket law banning all data collection and social graph mapping. I don't care if Facebook and Google go bankrupt or if Microsoft shrinks to half it's current size. That's just more opportunity for people and businesses that don't want to treat the average person like a piece of livestock.

From an overview that was posted on HN few months ago, nobody is happy about this law except for political virtue signaling.

On one hand it creates ridiculous requirements on website owners, on the other it effectively mandates surveillance in name of age checking

> The Age-Appropriate Design Code (AADC) Act forbids online service providers that offer service to children from using the personal information of children in a way that's detrimental, from gathering, selling, or storing a child's geo-location, from profiling by default, and from soliciting children to provide their information.

If you don't do any of those things you aren't required to do age verification. This is only a problem for those websites that want to do things they shouldn't be doing anyway. What am I missing?

Unless they patched few things out recently, the bill was written so that:

a) you had to make complex design reviews to prove that you did everything right for the children - even if your site wasn't targeted at children, because what it amounted to was "can a child access the service"

b) The age verification requirements to properly disprove that the accessing party isn't a child were idiotically draconic (thus the surveillance part)

And IIRC, just having accounts could lead to "you're gathering data".

last moment edit: I found the original posting about it:

article: https://www.techdirt.com/2022/08/24/dear-california-law-make...

HN: https://news.ycombinator.com/item?id=32587592

I interpret that as any site that has access logs, given that IP addresses can be used for geo-location. Quality of geo-location is debatable but I do not wish to debate this in court. Profiling is by design part of most forums and chat servers. Forums ask for age for optional birthday announcements and allow the person to put in whatever personally identifiable information they wish to enter. Anything beyond a mininal chan board or a static blog is going to have information that can be used to profile the visitor.

So in this case, does this law clearly define "their information" or does this have vaguely worded wiggle room? I'm not even sure I want to go too far down this rabbit hole. People sometimes use a picture of their kid in their forum avatar.

Enhancing government surveillance while solving zero problems. Seems par for the course for "California Governor" (Gavin Newsom)
The article keeps using the phrase "likely to be accessed by minors". I'm hard pressed to think of things that aren't likely to be accessed by minors other than websites for medical complaints, life insurance, or Facebook.
Joking aside, this is what the law says on the subject:

> The working group shall take input from a broad range of stakeholders, including from academia, consumer advocacy groups, and small, medium, and large businesses affected by data privacy policies and shall make recommendations to the Legislature on best practices regarding, at minimum, all of the following:

> Identifying online services, products, or features likely to be accessed by children.

So a 10 member committee mostly appointed by politicians can decide your service is likely to be accessed by children and you become subject to these regulations. It will be interesting to see if sites adopt design or language choices that make them look less child-friendly in order to avoid being covered. I'm not really sure what that would actually look like.

Anyone under 18 could find one of my hobby sites. I'm not going to send people to some 3rd party to record their face as that is a violation of their privacy. Shall I password protect everything until the dust from the legal battles settles? Or maybe 302 redirect to a RickRoll for now? What are others here doing for their hobby sites, if anything?

I am half curious how many sites will implement a fake age validation to capture video of their visitors just for fun. What other unintended consequences might this law inspire?

What are you doing on your site that would trigger the need for age verification?
On forums and chat servers I accept any personally identifiable information that the member volunteers. They can also upload an image of themselves and input their birthday and real name. I also have access logs that can be used for geolocation. They can upload pictures and videos. My interpretation of the law as I have seen it would include most people running self hosted forums and chat servers. Members of forum and chat servers can say where they live. The best I could do to stop that would be to ban them and delete their messages if I suspect they are under 18.

I would never sell this information but I have no way to prove that I never have. And while I do not believe I could be hacked, what happens when I am and the attacker sells this information? Did I violate this specific law or did they? Who is liable?

How are Discord and Slack dealing with this? Discord have a massive population of minors and they collect a massive amount of information.

Have any tech-savvy lawyers on HN offered their interpretation yet?

I do not get it; to get an ISP to hookup to your house (like Comcast), you have to give them your SSN, among other things. If a child is "online" it really should be up to the parents/guardians to oversee what said child is doing online (because ultimately it is a service provided to said person with an SSN and a credit card).

Can't leave a kid unattended/un-watched, outside a locked house for multiple hours on end; why is it a normal that they are allowed to be online and unsupervised?

"to get an ISP to hookup to your house (like Comcast), you have to give them your SSN"

since when? i'm in SF, never had to give any ISP my SSN

since forever (mid 2000's from my experience with Comcast); that or they take your physical ID and credit card and still do a credit check on you.

Have you never called up comcast? one of the first things they ask you is SSN or account #; I try to refuse any SSN details as much as possible

Edit: search for comcast and credit checks; there is lots of info on it. Apparently it is somewhat possible to give them a big chunk of money to prevent said check, however I was also told that when the service tech shows up to ensure the wires are setup, they still take your ID and DOB and still run a check. It is really a loose-loose in my opinion