California’s law, as written, contributes vastly to privacy and free speech. It is a fundamentally fair and democratic law, which additionally acts as a safeguard against fascism.
Point 1: Age-Verification is coming, whether you like it or not. Multiple states are pursuing such laws. Approaches adopted by Discord and others include techniques such as AI facial scanning with severe privacy concerns. California’s law will set the standard for an 100% robust solution that completely eliminates any pretense that facial scanning, uploading copies of identifying documents to every web service you use, etc. are necessary to implement age validation. This standard explicitly leaks the least possible amount of information about you as humanly possible to achieve this goal. This legislation preempts further attempts to invade user privacy to “protect the children”, by creating an actually effective and pragmatic privacy-preserving age verification scheme, which will undercut any future laws using “protect the children” as an excuse for privacy violations.
Point 2: Good legal standards are beneficial to everyone. Many complain this helps Meta, etc. This helps everyone creating websites, including federated social media like Lemmy. If there is a concern federating with epstein.ml, at least one less concern is threat of legal repercussions potentially affecting large parts of the community-run open internet. This law reduces the burden significantly, avoiding the need to adopt (paid, proprietary) age verification services. This standard absolutely obliterates such commercial offerings in favor of a non-commercial common standard. It even goes so far as to forbid third-party sharing of this data (e.g. for tracking and advertising) and collection of additional information beyond what is necessary to implement the law.
Point 3: You already leak more information that your age bracket through regular web browsing - IP determines approximate location, your cookies tell a whole bunch more, and sophisticated ad trackers have a whole profile on you. In terms of Shannon’s information theory, this new law is leaking less than 3 bits of information about you. Unless you are in the 0.1% of people deliberately avoiding such pervasive tracking, major corporations tracking you online already know your age bracket to fairly high accuracy (but not to sufficient standard to satisfy legal obligations).
Point 4: Fighting fascism has preventative and active measures. Making fascist-resistant technology is an important part of that. This technology has zero potential for fascist abuse. In fact, it undercuts the existence of other tech solutions crafted by your friends at Meta and the NSA. Ensuring quick, near-universal adoption of this standard will solidify an explicitly fascist-resistant piece of technology as a defacto standard.
Point 5: The harm this law aims to address is grave and real. For the 99% of the population who aren’t compiling their own kernels, the ability to “age-lock” a child account to prevent young children from accessing doomscroll brainrot on Instagram is an amazing and valuable feature. Lack of such protections is a compelling enough concern that it has time and time again had enough popular support for sway legislators to take up the issue. The principled “linux source code is free-speech, and no government mandates can compel changes” stance is quite divorced from reality. Are crypto-exchange founders likewise free to implement whatever fraudulent schemes they like, as their source code is their speech to freely dictate? People are sick of strangers shoving content down their children’s throats. In a democratic society, when the wise and ever-just “free market” fails to solve a pressing issue or exacerbates it beyond recognition, it is fair for the state to step in and solve it striking a fair balance, not trampling on anyone’s rights.
Point 6: “Slippery slope” does not apply here - maybe focus more of your attention on ICE, which appears to be slippery when it comes to constitutional rights like due process and privacy and equal protection. We should be proclaiming this law as a paragon, in the way it codifies a clear line beyond which privacy invasions are unjustified. It is a work of legal genius, and society and all of you will come to appreciate how prescient it really is next time an actual bullshit law to “protect children” comes to the table. This law itself is precendent-setting, but in a way that is quite favorable to both privacy and free-speech rights long-term.
The above considerations are not made lightly. I am someone who has put considerable thought into extricating corporate control of communication media, who cares deeply about the ecosystem which can support humanity or drive us into deadly peril and destruction. I honestly thought I would see more nuanced discussion here, but it seems I am alone as of this moment in my perspective.
< 3 bits of information is not meaningful surveillance.
No, they don’t. That’s the whole point. Self-attested age at account creation is sufficient. Requests for ID docs for age verification are OUTLAWED by this law.
They can do that today. Also, you are misusing the term “honeypot”.
It will be once California’s law goes into effect. California’s laws have historically set de facto national standards, e.g. on car emissions standards.
And fortunately, this law allows “objectionable content” to be shown to any user above 18. Online spaces for adults need not impose any objectionable content restrictions. A space where strangers can share videos with kids? Then there can be objectionable content restrictions. Now we have a nice clear line, saying 18+ spaces have no legal obligation to address objectionable content. That’s great!
It supports censorship only for children. Are you a child? If not, then your speech is not censored, and the speech of your fellow adults is likewise uncensored.
Are defi cryptocurrencies outside the jurisdiction of the SEC?
You do understand that California is not the centre of the universe, that states within the United States of America don’t agree on how to conduct voting, let alone agree on laws and finally, that there are 8.3 billion people on this planet, 96% of whom don’t live in, or are subject to laws made in the USA.
California is not the center of the universe, but in the US, a fair amount of companies have to tailor their practices to accommodate California law, because A) it’s so weird a lot of the time, and B) California is huge and rich, so there’s a lot of business to be had. It just makes sense to accommodate the outlier. What happens in California has knock-on effects for the rest of the country, and occasionally the rest of the world; case in point, the recent systemd debacle. It’s not certain that they added the age thing in response to the California law specifically, but it was certainly a factor.
By the way, as I said in my other comment, I don’t think your maths is correct. 3 bit is huge!
If you extend an browser fingerprint from an extimated 18.1 bits of information by 3 bit, to 21.1 bits: You’d catch 2^21.1 − 2^18.1 = roughly 2 million people. That means out of all the citizens in a state like Nebraska or Idaho, they can tell it’s you. That’s the scale of 3 (additional) bits, if my maths is correct.
You’re already uniquely identified: https://amiunique.org/. Privacy is a non-issue in this case.
I struggle a bit to agree with this. I mean you’re kinda right? But at the same time, we shouldn’t care for privacy because we don’t have privacy is kind of a circular argument. Which kinda makes it an invalid one.
I definitely agree the privacy thing is a red herring here. It is one of the many things to consider. But it’s far down the list compared to other more important matters. (Due to the specific approach taken.)
That is for this specfic law. It’s a very different situation with other approaches. Like Discord wanting to scan your ID and use it, and leak it to hackers and third parties. That one is concerned with privacy a lot. I mean a browser fingerprint can be used to manipulate me. A copy of my ID can be used for identity theft and all kinds of nefarious things. So it’s definitely part of the overall conversation.
Yes, that’s why I wrote ‘in this case’. Those two bits of information which are highly correlated with user’s behaviour on a website don’t meaningfully impact the privacy. And regarding Discord, having age attestation on OS level has a chance to reduce number of websites which ask for ID thus improving overall privacy.
Agreed. If we had some law like this (but consistent, and how computers work, and universal, but still mandating this is the pursuant source of this information) it’d be the one thing with potential to free us from these other nefarious child safety laws.
The amiunique.org is nice, by the way. I haven’t fooled around with these tools in a while. Thanks for the link. I wish it’d provide me with some form of actual fingerprint, though. I mean it kinda seems it has 100% precision on my regular browsers. And already me preferring German and then en-GB over other English rats me out 100%?! And then I do niche things like use Linux 🤣 But with all the green text, there is no information on it’s recall… So it’s a bit meaningless for tracking purposes?! Could be the case some of all of these many datapoints change with a new tab or new browser session and they lose me all the time, because they’re too specific/sensitive. Maybe I’ll look up browser fingerprinting again and how good it actually is. I mean achieving a 100% green score isn’t difficult. I could just hand out some increasing id number with every page load and that’d satisfy the requirements and be 100% unique as well. However, the interesting part would be whether they can track me somehow, and recall the same number on following page loads by me. That’s the way round it needs to be for tracking (in practice). But that’s not really a part of what’s displayed on amiunique.org
For tracking analysing the data is required. Even if user doesn’t do anything sophisticated, just upgrading the browser will change their fingerprint; services that track users need to be prepared for that. But consider that 34 bits is enough to uniquely identify every person on the planet. If you’re able to collect say 50 bits of information about a request, even if some information changes, you can cluster the requests and attribute to the same user.
Doing a more exact calculation of Shannon’s entropy with U.S. demographic information gives actually closer to 1 bit of information. The < 3 upper bound was just a rough upper bound.
It’s a fair concern. However, I would note that the law forbids third party transmission of this data. That is unike browser fingerprints, data brokers, ad servers, etc. are legally forbidden from capturing that information by this law.
Yeah, I’m just a bit pedantic about the maths so we know what privacy means. 1 bit is still a large number, I guess. We’re still adding 280.000 people we can distinguish, or a small city worth of people.
Yeah, I’m not so sure about that. First of all the groups OS provider and application developer aren’t mutually exclusive. For example if your OS has an app store, you could be required to do both at the same time. Share info with third-party app developers and not share info. That’s probably why there is an exception in there. But that exception looks like an easy exploit. If my app displays ads, of course the ad network can’t do non-kids-safe things to kids either. So I can forward that info to Google Ads. I can probably also forward the info to other services which do networking and user authentication or have some sort of internal state stored about my users. I bet if I had a legal department, I could come up with a good case to share that info with a lot of third parties.
In the end I kinda agree with your premise. I do think this is the single best approach I’ve ever read at regulating age-related stuff. I mean it’s not really an honest attempt. This wasn’t written to help kids and teenagers. It was written and lobbied for so Mark Zuckerberg’s company can shift responsibility on other people… But… I think the rough idea behind it is sound. The operating system and app store is the correct place for parental controls. We should be provided with parental controls. And they should look like what likely was the attempt here. Just an input field, attestation - no verification. And everything to stay local and not forward data to third parties or services.