The only device mandates that should be taking place is for the default installations of web clients should be checking to see if parental controls are enabled. This only impacts the major browsers. An intern at each browser company could add this check in minutes. If they are enabled and the person logged in is on a regular account (not admin or power user of sorts) then the base installation of web clients must check for an RTA header [1]. If present, prompt for a override password and also give the option for the admin to approve-list the domain at that time. That's it. Not perfect, nothing is or will be.
The only thing server, platform, website, service providers should be doing is setting an RTA header if the content could possibly be adult or user-contributed content that could dynamically become adult, moderation aside. This knocks out two issues with one fix. Small children don't see much if any adult content and they are kept off social media until the admin (parent or legal guardian) approves it.
If a site is not adding the RTA header then progressively fine them into oblivion. If they accept the fines as the cost of doing business then seize everything and put everyone in GenPop. An intern could enable the header in 5 minutes.
All legislation regarding age verification must revolve around this otherwise people must reject it as an abusive form of tracking and privacy invasion. The focus should be on small children as teen share porn, warez, movies and such within Rated-G games.
> The only device mandates that should be taking place is for the default installations of web clients should be checking to see if parental controls are enabled. This only impacts the major browsers. An intern at each browser company could add this check in minutes. If they are enabled and the person logged in is on a regular account (not admin or power user of sorts) then the base installation of web clients must check for an RTA header [1]. If present, prompt for a override password and also give the option for the admin to approve-list the domain at that time. That's it. Not perfect, nothing is or will be.
It's useful to contrast this with the various device-based mandates that have been created in order to get a sense of what legislators seem to be trying to do. With that in mind, a few points:
* What you are proposing allows parents to opt in via parental controls, but age assurance mandates (both device-side and server-side) tend to require positive action to enter unrestricted modes. In some cases (CA AB 1043, for instance), this is just a matter of entering your age. In others, you actually need to demonstrate your age via some technical mechanism.
* While many age assurance mandates focus on adult content, which is primarily consumed via the Web, others (e.g., Australia's Social Media Minimum Age) focus on social networking, which is primarily consumed via apps, so anything that is Web only will not be effective.
* Site-level granularity isn't really fine enough in some cases. For example, the New York SAFE for Kids act prohibits certain behaviors such as algorithmic recommendations when a user is a minor, but doesn't require blocking minor usage entirely. It's potentially possible to implement this with something like RTA, but it would have to at minimum be at much finer granularity.
None of this is an endorsement of age assurance techniques; I'm just trying to help flesh out the situation.
> All legislation regarding age verification must revolve around this otherwise people must reject it as an abusive form of tracking and privacy invasion.
It's a bit late for that, given that around half of US states already have some kind of age assurance mandate.
I think the header/metatag is designed poorly. The RTA proposal is that every operator of every site must verify the content and add the header to mark the site as "safe" or "unsafe". This is unnecessary burden that they have to bear if this proposal is given a green light and this is wrong.
Instead, the default should be, that if there is no header or it cannot be parsed, then the content is unsafe. And if there is a header, it describes the page rating, like what kind of dangerous content it may contain. The header may be added to any displayable content like HTML, text, images, audio or videos, but not to machine-readable content like JS files or AJAX responses.
So only those who wants their site to be accessible by minors, have to add headers. For social networks, the user might have an option to mark his content as "safe".
This means that with my proposal existing site operators need not to do anything to mark their sites as "unsafe" - all sites are "unsafe" by default. This means that millions of site operators need to spend 0 dollars to adapt their sites. How great is that?
The browser on a device with parent mode, should not allow displaying any content which doesn't have a header or that is marked as unsafe, or that contains header with invalid value. The parents may whitelist some sites.
There should be a reponsibility for intentionally marking unsafe content as "safe". We should also think what to do with foreign operators, intentionally putting invalid headers for unsafe content. Maybe they should be added to some kind of blacklist that the browsers would periodically update.
Search engines like Google could work by default in "safe" mode, but add "unsafe" header if the user wants to turn off restrictions.
> If a site is not adding the RTA header then progressively fine them into oblivion.
I think my proposal is better because it requires only fining those who intentionally misrepresent content safety.
> If they are enabled and the person logged in is on a regular account (not admin or power user of sorts) then the base installation of web clients must check for an RTA header [1].
Your cite is an earlier post of yours which says
> The one and only method I will participate in is server operators setting a RTA header [1]
and that cites a still earlier post of yours
> I stand by my repeated statements of how this could have been solved simply using an RTA header [1]
which finally actually cites¹ something that explains what the heck on RTA header is.
It would be quite a bit more reader friendly to cite https://www.rtalabel.org/page.php rather than make the reader traverse a linked list of comments to get there.
Bold of you to assume that lawmakers have any common sense when it comes to technology legislation. It could have taken 3 interns 3 hours at each browser company to implement a cookie consent standard 15 years ago, yet here we are in cookie banner hell.
There actually is/was a "Do not Track" header in browsers, but due to failing or toothless legislation, websites and ad-tech companies never honored it.
It's our duty as informed persons to educate the general population to exert pressure on policy makers to act in the common good - otherwise indeed nothing will change but increasing corruption.
How does this work for mixed-content sites? Like say a minor visits a video sharing or social media site and the default feed/recommendations list includes stuff that should be age-restricted, but is mostly stuff that shouldn't be.
The entire site shouldn't be blocked; the browser needs a way to tell the website "my parental controls are enabled and I need to you to filter out age-restricted content".
Alternatively, the RTA header/meta could include a parameter/attribute for an "alternate URL" to load when parental controls are enabled. This could be useful to allow sites to present a custom error-type response, but could also be used to automatically redirect the user to similar, but age-appropriate, content.
Anyway, this all ignores the fact that "protect the children" isn't really the goal here: it's to slowly eat away at our ability to be anonymous (even read-only anonymous) on the internet. Age verification is just a watered-down way of saying they require positive identification, and eventually our hardware will have to cryptographically attest we are who we say we are. I really hope this isn't inevitable, but it's starting to feel that way.
Once you have a content label header it's pretty easy to build more complicated systems on top of that. Like the site could send "compliant with x regulation" in the content labeling header, and then that would tell the kid's browser it doesn't have to completely block the page but can instead reload the page with a request header saying "filter out a, b, and c content" and expect that to be complied with.
That could be a fingerprinting vector though so maybe depending on privacy settings it just blocks the page. Really these are all solvable problems that web standards orgs have dealt with before; you just need to create the incentive for such systems to exist.
You make the mistake of solving the stated problem, and not the actual problem. This was never about children, or a solution like what you describe would be trivial.
However, this is not about age verification or protecting children. That is just the excuse they are using.
If Meta, Google etc could easily have algorithms in place for determining the age of the person seeing the video - apart from having the override capability via a parental login as you have stated.. but these platforms have consistently refused to limit the type of content they are showing to children.
That is the only real solution. It removes the lobbyists with their bad verification schemes and untrustworthy software. You don't need untrusty flaggers or untrustworthy official authorities. In no way can nations be responsible enough to not attempt constant sniffing attempts. My nation couldn't keep itself from spying of corona app users.
This can also be broadly implemented, any other technical solution won't be widely spread anyway.
I don't think authorities care about child protection though. They could have legislated malicious advertising practices and a lot of similar bad influences, but didn't.
> The only thing server, platform, website, service providers should be doing is setting an RTA header if the content could possibly be adult or user-contributed content that could dynamically become adult, moderation aside....If a site is not adding the RTA header then progressively fine them into oblivion.
Seems like this would incentivize just all sites to have the header regardless of if it meets the definition since you get fined if you dont but no fine if you have the header unneccesarily.
Especially if your definition is contains user contributed content. That is all sites with a comment field. What really is left? I'm not sure i have even visited a site in the last month that wouldn't fall under this.
1. This assumes that websites are under your jurisdiction and can be fined. This is not a valid assumption on the internet. If you want to do this, you need a framework to block noncompliant websites via ISP-side null-routing, putting pressure on payment processors and hosting companies which do operate in your country etc.
2. HTML tags and not HTTP headers. If just a small part of the site contains content which shouldn't be displayed, the web browser should just hide that part.
3. Sometimes, it is genuinely useful to know the user's restrictions ahead of time. Imagine you're a movie streaming site or game store. You have some content which is suitable for the user, no matter their age, but you need to know which bracket they're in to decide what to show them. Without that info, you either default-adult (which sucks for children) or default-child (which sucks for adults).
They are regulating the companies. Apple, Google, and Microsoft are companies.
Desktop and mobile Linux is an extreme niche and alternatives to Linux are practically nonexistent. I'm not surprised law makers might not have known that there are operating systems not made by for-profit companies.
As a dad of two younger kids (7 and 10), I have been incredibly frustrated with the way age restrictions are handled across various services.
Really, my main complaint comes down to: I completely disagree with what these services choose to restrict for kids and what they allow.
They block my kids from doing things I have no problem with them doing and they allow things I would never want my kids to do in 1000 years. It is incredibly frustrating.
Often times, there is literally no way for me to bypass some stupid restriction they put on my kids, so the only way I can get it to work is to help my kids lie about their age… and at that point, I lose the ability to actually block things I care about.
These laws are just going to make it worse. I don’t want someone else choosing how I control what my kids do. Give me tools to control it myself, and you can choose some presets for parents to use, but don’t force me to use your definition of age appropriate.
The California law has no age verification, identity verification, or surveillance. It is just a pretty simple parental control system, which only applies to devices whose primary user is a child.
We did it despite the naysayers who faught us saying it "wasn't a big deal" and that this is the "best version of the law we could get". Never listen to the naysayers and compromise your principles to appease them, stay true to what you believe.
A cynical person might suspect that the reason they are doing this is so that Linux developers don't have standing to challenge the law on 1st amendment grounds...
The bill is written 'do good, stop bad stuff by establishing a committee or group to make sure fund good stuff, bad stuff doesn't happen' then the law passes and lobbyists write the details that fund the programs that tax the people that generate the income for companies that donate to the politicians that sell their votes to the lobbyists and interest groups.
California politicians start with the end goal "maintain power, secure revolt, obtain capital, deny failure".
It goes beyond lying to your face. They will be convincingly genuine, heartfelt, while finding a way to extract as much as possible for themselves, by extension their party, by extension the 'government' and do absolutely anything to keep the illusion that you have a choice, a vote, and a voice.
I lived here my whole life. These politicians are evil. Lie, cheat, and steal - deny if caught, punish if provoked.
The bill was written by Buffy Wicks, who represents me in the State Assembly, who is very good on housing, transportation, and climate, and who should absolutely stay in her lane and not try to legislate platform APIs.
> Who is actually writing this very concerning California Internet legislation, which will ultimately affect the entire nation and world?
Why would it affect the entire world?
One technological backwater is Having A Massive Sad over people using rude words on the internet, so they think they can tell everyone else what do to?
Hypothetically, preemptive market recapture? This could theoretically make foss OSs non-kosher for any suitably large market (websites, games, chat platforms, etc), and serve to force foss OSs into a niche where theyre technically capable of being personal desktop software, but practically unusable because of lockout.
This is part of a large movement to end personal computing as we know it, and give all control over our digital lives to the mega corporations. It is already impossible to use some national ID or banking apps on non-Apple and non-Google phones. (say GrapheneOS), giving them an immense edge in the market, and they're using that domination to add more restrictions like installing non-play store apps on Android. This goes bit by bit, try to add a restriction, go back enough to quiet the backlash, try again. This new law is a foot in the door to achieve the same restrictions on PCs. PCs are the last open computing platform and bastions of personal digital freedom and thus they must be destroyed by capitalists and governments. Once the technical means have been put in place to restrict access to some services, the system can be hardened : impose that the age checks can't be tampered with by using a TPU module, impose a link to the individual's identity so that all online activity can be traced to anyone. Pretenses are easy to find : protect children, block sex offenders from accessing dating sites, and so on. At this point I'm pretty convinced we're geared towards a global totalitarian regime, and there's a lot of evidence.
It's a classic case of regulatory capture. Only the biggest players can get away with fully implementing age verification — if Microsoft requires age verification to use its OS, most people will oblige. If HN starts doing that most people will probably just log off forever.
What is maddening is how often people think such laws are about limiting the influence of "big tech." Big tech isn't going anywhere because of these laws, you are.
And I bet that Microsoft employee who was sending PRs to all the linux distros (and systemd) will not bother sending apologies to them for wasting their time.
Steam itself does age verification, which when you first boot a steamdesk, afaik it forces you to log into steam before you can do much of anything without some initial hackery. That said, once in there's nothing stopping them from launching into desktop mode, launching firefox, and watching pr0n that way.
Sadly the solution is still for parents to do real parenting, but that's like saying stupid people shouldn't breed.
Why should Linux be exempt? Linux lobbyists seem to be against the public good. It takes an AI agent 5 minutes to add this feature and then they add be good forevermore. And given that the software is open source, everyone can use the same library to be compliant. Belly-aching snowflakes…
This is the whole 'opt-in vs opt-out' at a high level. A better law would be crafted like 'some services have been determined to be harmful to minors and require age verification. Those -specific- services shall have these specific mitigations.....' Facebook and others should have a clear legal distinction of 'harmful to children' and then the law kicks in.
Parental controls should be a client side option set by the user.
Sure, make it easy for users to do so, but it's a users choice.
Kids don't buy phones or computers, their parents do, and during initial setup, parents could choose "this pc is used by a child" option, input some override password to disable this in the future, and the phone could block whatever needs to be blocked.
Not just Linux. More specifically: “Operating system provider” does not mean a person or entity that distributes an operating system or application under license terms that permit a recipient to copy, redistribute, and modify the software.
92 comments
[ 0.28 ms ] story [ 60.0 ms ] threadThe only thing server, platform, website, service providers should be doing is setting an RTA header if the content could possibly be adult or user-contributed content that could dynamically become adult, moderation aside. This knocks out two issues with one fix. Small children don't see much if any adult content and they are kept off social media until the admin (parent or legal guardian) approves it.
If a site is not adding the RTA header then progressively fine them into oblivion. If they accept the fines as the cost of doing business then seize everything and put everyone in GenPop. An intern could enable the header in 5 minutes.
All legislation regarding age verification must revolve around this otherwise people must reject it as an abusive form of tracking and privacy invasion. The focus should be on small children as teen share porn, warez, movies and such within Rated-G games.
[1] - https://news.ycombinator.com/item?id=47950091
It's useful to contrast this with the various device-based mandates that have been created in order to get a sense of what legislators seem to be trying to do. With that in mind, a few points:
* What you are proposing allows parents to opt in via parental controls, but age assurance mandates (both device-side and server-side) tend to require positive action to enter unrestricted modes. In some cases (CA AB 1043, for instance), this is just a matter of entering your age. In others, you actually need to demonstrate your age via some technical mechanism.
* While many age assurance mandates focus on adult content, which is primarily consumed via the Web, others (e.g., Australia's Social Media Minimum Age) focus on social networking, which is primarily consumed via apps, so anything that is Web only will not be effective.
* Site-level granularity isn't really fine enough in some cases. For example, the New York SAFE for Kids act prohibits certain behaviors such as algorithmic recommendations when a user is a minor, but doesn't require blocking minor usage entirely. It's potentially possible to implement this with something like RTA, but it would have to at minimum be at much finer granularity.
Section VI of https://kgi.georgetown.edu/wp-content/uploads/2026/01/Age_As... goes into quite a bit more detail about various architectures (disclaimer, I'm an author).
None of this is an endorsement of age assurance techniques; I'm just trying to help flesh out the situation.
> All legislation regarding age verification must revolve around this otherwise people must reject it as an abusive form of tracking and privacy invasion.
It's a bit late for that, given that around half of US states already have some kind of age assurance mandate.
Instead, the default should be, that if there is no header or it cannot be parsed, then the content is unsafe. And if there is a header, it describes the page rating, like what kind of dangerous content it may contain. The header may be added to any displayable content like HTML, text, images, audio or videos, but not to machine-readable content like JS files or AJAX responses.
So only those who wants their site to be accessible by minors, have to add headers. For social networks, the user might have an option to mark his content as "safe".
This means that with my proposal existing site operators need not to do anything to mark their sites as "unsafe" - all sites are "unsafe" by default. This means that millions of site operators need to spend 0 dollars to adapt their sites. How great is that?
The browser on a device with parent mode, should not allow displaying any content which doesn't have a header or that is marked as unsafe, or that contains header with invalid value. The parents may whitelist some sites.
There should be a reponsibility for intentionally marking unsafe content as "safe". We should also think what to do with foreign operators, intentionally putting invalid headers for unsafe content. Maybe they should be added to some kind of blacklist that the browsers would periodically update.
Search engines like Google could work by default in "safe" mode, but add "unsafe" header if the user wants to turn off restrictions.
> If a site is not adding the RTA header then progressively fine them into oblivion.
I think my proposal is better because it requires only fining those who intentionally misrepresent content safety.
Your cite is an earlier post of yours which says
> The one and only method I will participate in is server operators setting a RTA header [1]
and that cites a still earlier post of yours
> I stand by my repeated statements of how this could have been solved simply using an RTA header [1]
which finally actually cites¹ something that explains what the heck on RTA header is.
It would be quite a bit more reader friendly to cite https://www.rtalabel.org/page.php rather than make the reader traverse a linked list of comments to get there.
¹https://www.rtalabel.org/page.php
It's our duty as informed persons to educate the general population to exert pressure on policy makers to act in the common good - otherwise indeed nothing will change but increasing corruption.
The entire site shouldn't be blocked; the browser needs a way to tell the website "my parental controls are enabled and I need to you to filter out age-restricted content".
Alternatively, the RTA header/meta could include a parameter/attribute for an "alternate URL" to load when parental controls are enabled. This could be useful to allow sites to present a custom error-type response, but could also be used to automatically redirect the user to similar, but age-appropriate, content.
Anyway, this all ignores the fact that "protect the children" isn't really the goal here: it's to slowly eat away at our ability to be anonymous (even read-only anonymous) on the internet. Age verification is just a watered-down way of saying they require positive identification, and eventually our hardware will have to cryptographically attest we are who we say we are. I really hope this isn't inevitable, but it's starting to feel that way.
That could be a fingerprinting vector though so maybe depending on privacy settings it just blocks the page. Really these are all solvable problems that web standards orgs have dealt with before; you just need to create the incentive for such systems to exist.
If Meta, Google etc could easily have algorithms in place for determining the age of the person seeing the video - apart from having the override capability via a parental login as you have stated.. but these platforms have consistently refused to limit the type of content they are showing to children.
This can also be broadly implemented, any other technical solution won't be widely spread anyway.
I don't think authorities care about child protection though. They could have legislated malicious advertising practices and a lot of similar bad influences, but didn't.
Seems like this would incentivize just all sites to have the header regardless of if it meets the definition since you get fined if you dont but no fine if you have the header unneccesarily.
Especially if your definition is contains user contributed content. That is all sites with a comment field. What really is left? I'm not sure i have even visited a site in the last month that wouldn't fall under this.
1. This assumes that websites are under your jurisdiction and can be fined. This is not a valid assumption on the internet. If you want to do this, you need a framework to block noncompliant websites via ISP-side null-routing, putting pressure on payment processors and hosting companies which do operate in your country etc.
2. HTML tags and not HTTP headers. If just a small part of the site contains content which shouldn't be displayed, the web browser should just hide that part.
3. Sometimes, it is genuinely useful to know the user's restrictions ahead of time. Imagine you're a movie streaming site or game store. You have some content which is suitable for the user, no matter their age, but you need to know which bracket they're in to decide what to show them. Without that info, you either default-adult (which sucks for children) or default-child (which sucks for adults).
Desktop and mobile Linux is an extreme niche and alternatives to Linux are practically nonexistent. I'm not surprised law makers might not have known that there are operating systems not made by for-profit companies.
Really, my main complaint comes down to: I completely disagree with what these services choose to restrict for kids and what they allow.
They block my kids from doing things I have no problem with them doing and they allow things I would never want my kids to do in 1000 years. It is incredibly frustrating.
Often times, there is literally no way for me to bypass some stupid restriction they put on my kids, so the only way I can get it to work is to help my kids lie about their age… and at that point, I lose the ability to actually block things I care about.
These laws are just going to make it worse. I don’t want someone else choosing how I control what my kids do. Give me tools to control it myself, and you can choose some presets for parents to use, but don’t force me to use your definition of age appropriate.
Did someone write California Internet legislation without consulting any California Internet companies?
Did some California Internet companies write California Internet legislation?
Did some other party write California Internet legislation?
The bill is written 'do good, stop bad stuff by establishing a committee or group to make sure fund good stuff, bad stuff doesn't happen' then the law passes and lobbyists write the details that fund the programs that tax the people that generate the income for companies that donate to the politicians that sell their votes to the lobbyists and interest groups.
California politicians start with the end goal "maintain power, secure revolt, obtain capital, deny failure".
It goes beyond lying to your face. They will be convincingly genuine, heartfelt, while finding a way to extract as much as possible for themselves, by extension their party, by extension the 'government' and do absolutely anything to keep the illusion that you have a choice, a vote, and a voice.
I lived here my whole life. These politicians are evil. Lie, cheat, and steal - deny if caught, punish if provoked.
Why would it affect the entire world?
One technological backwater is Having A Massive Sad over people using rude words on the internet, so they think they can tell everyone else what do to?
What is maddening is how often people think such laws are about limiting the influence of "big tech." Big tech isn't going anywhere because of these laws, you are.
Steam itself does age verification, which when you first boot a steamdesk, afaik it forces you to log into steam before you can do much of anything without some initial hackery. That said, once in there's nothing stopping them from launching into desktop mode, launching firefox, and watching pr0n that way.
Sadly the solution is still for parents to do real parenting, but that's like saying stupid people shouldn't breed.
Sure, make it easy for users to do so, but it's a users choice.
Kids don't buy phones or computers, their parents do, and during initial setup, parents could choose "this pc is used by a child" option, input some override password to disable this in the future, and the phone could block whatever needs to be blocked.