In Russia there is a plan to make special SIM cards for children, that would not allow registration in social networks. Isn't it better than UK legislation?
The whole idea that every site or app must do verification is stupid. It would be much easier and better to do verification at the store when buying a laptop, a phone or a SIM card. The verification status can be burned in firmware memory, and the device would allow only using sites and apps from the white list. In this case website operators and app developers wouldn't need to do anything and carry no expenses. This approach is simpler and superior to what UK does. If Apple or Microsoft refuse to implement restricted functionality for non-verified devices, they can be banned and replaced by alternative vendors complying with this proposal. It is much easier to force Apple and Microsoft - two rich companies - to implement children protection measures than thousands of website operators and app developers.
Rare case of Russian doing something more honestly. Implementing it as a device flag sent to websites, and making it easy to set for the device of any minor, is an elegant and unintrusive solution.
If you get w3.org and major browser and os vendors in on it, it simply becomes a legally enforced an universal parental control without much drawbacks.
But that would not permit the complete tracking of identity of all individuals in a country with their ptivate Internet activity and political stance.
And that's a massive loss to the true purpose of any law pretending to protect children; Just like the multiple attempts to outlaw encryption or scan all private or messages.
In case with Windows laptop, the verification proof might be for example, a digitally signed serial number of the motherboard (and the OS is itself signed to prevent tampering). While it's possible to work around this, an average kid or adult is unlikely to do it. And in case with a phone there is almost zero chance to hack it.
I don't understand your comment, the government knows which sites you visit anyway because it can see the SNI field in HTTPS traffic.
The main point is that the verification is done on the device. The device has a digitally signed flag, saying whether it is owned by an adult user or not. And the OS on the device without the flag allows using only safe apps and websites sending a "Safe: yes" HTTP header. User doesn't need to send your ID to random companies, doesn't need to verify at every website, and website operators and app developers do not need do anything and do not need to do verification - they are banned from unverified devices by default. It is better for everyone.
Also, as I understand the main point of the Act is to allow removing the content the government doesn't like in a prompt manner, for which my proposal is not helpful at all.
> because it can see the SNI field in HTTPS traffic
ECH (the successor to eSNI) is becoming more and more common and with Let's Encrypt soon offering IP certificates, any website will be able to hide their SNI.
Digital verification exclusively on-device doesn't work because addons and alternative applications make it possible to bypass those checks. There's no credible reason to trust local software to protect the kids.
The point of the Act is that the UK government no longer pretends to believe that the "I am 18 or older" checkbox is actually stopping anyone, and that there are no better alternatives. The public (in most democratic countries, not just the UK) doesn't want kids to be able to freely access porn the way you can now and the government is acting in the interests of the public here. If the tech industry had felt any responsibility, they would've been working on a solution to this problem somewhere in the last thirty or so years of internet pornography, but so far they've done nothing and are all out of ideas.
The EU's reference digital wallet representation seems to be the best solution so far (though it's not finished yet and has some downsides as well), hopefully the UK will set up a similar (compatible?) programme so UK citizens can skip the stupid face scans and ID uploads.
> Digital verification exclusively on-device doesn't work because addons and alternative applications make it possible to bypass those checks.
The OS on device with "isAdult == false" would allow only to install apps from app store, which are marked by developers as "safe". Alternative apps which do not respect isAdult bit won't be marked as safe and cannot be installed from an app store. And sideloading or bootloader unlocking, of course, will be disabled if the phone has "isAdult == false". There is no simple way to bypass this protection, even for a skilled adult, because modern OSes are closed-source and digitally signed and you don't have the source code or private key.
> The point of the Act is that the UK government no longer pretends to believe that the "I am 18 or older" checkbox is actually stopping anyone, and that there are no better alternatives.
The better alternative is "isAdult" bit that is stored on device, cannot be changed by the user, and respected by an OS and white-listed apps. It doesn't require sending one's IDs or photos of one's face anywhere. It is better in every aspect and requires ZERO costs from website operators and app developers for compliance. The only ones who will bear the costs would be OS developers, like Apple or Microsoft who have a lot of money and engineers to implement this.
> The point of the Act
I glanced through the overview of the Act and it seems that the main point is in letting the government (Ofcom) to remove online content promptly without long procedures.
> If the tech industry had felt any responsibility, they would've been working on a solution to this problem somewhere in the last thirty or so years of internet pornography, but so far they've done nothing and are all out of ideas.
OS developers like Apple and Microsoft, and hardware vendors simply don't want to spend money on what gives them no returns.
Also, current UK Act divides websites into categories and has different content moderation requirements for them. With my approach, all websites that do not mark content as "safe" would be blocked by default, which is much safer and leaves no loopholes.
>Digital verification exclusively on-device doesn't work because addons and alternative applications make it possible to bypass those checks. There's no credible reason to trust local software to protect the kids.
Then nothing will protect the kids.
I don't mean this tongue in cheek or implying that no protection should exist. I literally mean what I wrote. Children can always acquire hardware that will let them bypass any controls.
What pisses me off the most is people like you who pretend to care about things they don't care about. If only perfect solutions are acceptable, but perfect solutions don't exist, but good enough solutions are insufficient because of some theoretical bypass, then you essentially argue for no protection at all, but you do this under the pretense of advocating for protection. That is your stance, not mine.
Children who actively seek out blocked content are simply unstoppable. There is nothing you can do about that, so instead of going on and on about your nirvana fallacy, you should be happy with protecting the children who aren't adversaries to your protection scheme. After all, protecting children is good, so protecting millions of children should be better than protecting no children. The fact that there is a hypothetical fascist police state in which it is possible to protect every single child on the planet through world domination (in the name of protecting children) should play no role in making that decision.
In case with a smartphone, you will be able to install only white-listed apps from an app store on an unverified device, so you won't be able to install such browser. As for PCs, Windows might also prevent sideloading on unverified devices.
One more reason to not use windows i guess. Also, you're handing a lot of control to the smartphone vendors here (the two major ones have demonstrated that they don't have your best interests at heart...) https://news.ycombinator.com/item?id=44875961
No, the header should mark content as safe (for example: "Content-Safety: US-14; GB-0"), and lack of header should mark the content "unsafe". In this case, existing websites do not need to change anything.
Every website is required by law to do phone verification or use other method that confirms real identity (for example, auth through government services website or biometric data). As for social networks like Vk, they require a phone number since long ago before the law changed.
Also a phone number verification is needed if you want to connect to free WiFi in a subway or a bus or a train. Foreign phone numbers are often not supported in this case.
No, "digital credentials" is an awful idea because it requires to store your ID on your phone and thus make it accessible to Apple and Google and secret courts. What I suggest is simply to store a single "isAdult" bit on device, without revealing any identity, and make apps like browser do the censorship on device, without sending any data to a webite. The algorithm is as follows:
if isAdult == 0 and website doesn't send a "safe-content" header, then:
browser refuses to display content
if isAdult == 0 and photo in a messenger doesn't contain a "safe-content" metadata, then
photo viewer refuses to display content
if isAdult == 0 and the app is not marked as safe, then
app store refuses to download the app and OS refuses to launch it
With my approach, you don't need to store your ID on your device, you don't need to send your ID anywhere, and website operators and app developers do not need to do anything because by default they will be considered not safe. So my solution's cost is ZERO for website operators and app developers. As a website operator you don't need to change anything and to verify the age.
I think you misunderstood how the digital credentials api works. It keeps it in your phone’s secure element and lets you share just a “yes/no” proof like “over 18” without revealing anything else. It’s basically the cryptographically secure version of the isAdult bit you’re describing. It also has trust by cryptographically signing the proof and it can handle different jurisdictions.
Not keeping the ID in a phone is better than keeping it in a "secure element" and having to upload it there using closed-sourced software with unclear functionality.
I’m not sure it has to keep the id on the device, it keeps the signed digital credentials not the original id document. The government would sign the “facts” like isAdult etc and they currently issue and sign all current ids anyway.
Their parents. The alternative is complete government surveillance of literally everything and I mean literally everything, starting from resource extraction and knowledge needed to manufacture electronics and the policing of every planet in the universe that is capable of giving rise to sentient intelligent life.
The whole idea that every site or app must do verification is stupid. It would be much easier and better to do verification at the store when buying a laptop, a phone or a SIM card. The verification status can be burned in firmware memory, and the device would allow only using sites and apps from the white list. In this case website operators and app developers wouldn't need to do anything and carry no expenses. This approach is simpler and superior to what UK does. If Apple or Microsoft refuse to implement restricted functionality for non-verified devices, they can be banned and replaced by alternative vendors complying with this proposal. It is much easier to force Apple and Microsoft - two rich companies - to implement children protection measures than thousands of website operators and app developers.