California age verification bill backed by Google, Meta, OpenAI heads to Newsom

79 pointsposted 5 months ago
by heavyset_go
(politico.com)

90 Comments

LorenPechtel

5 months ago

Age gate means identification of the individual. Of course big tech loves that.

You can have age gating or you can have privacy. Same as you can have porn filtering or you can have privacy.

tzs

5 months ago

The privacy implications for this bill for adults seem to be about the same as the privacy implications for the "Click if you are 18+" button on many websites.

If you are under 18 there is no checking to stop you from saying you are are 18+

The only people it seems might have their privacy slightly reduced are people under 18 who are using a computer or smartphone/tablet that had parental controls set up by presumably a parent or guardian before giving the minor access.

The bill requires that the parent be able to enter the minor's birthday or age in one place, and then provide a way that the age range (under 5, 5-10, 10-13, 13-16, 16-18, 18+) can be given to apps/sites if they ask for it.

Thus, if you are a minor using a device that was set up with parental controls and you try to use an app or site that is restricted, that app or site will find out your age range.

recursivegirth

5 months ago

This is actually a level headed way to deal with it. Provide a way for the device to inform the website / app of their age status (it can be bucketed for increased privacy/compatibility with existing rating systems). Then legislate that it is on the website to inform the device of the type of content being served. Then the device/browser can be responsible for implementing the privacy controls (page blocking, notifications, overrides, etc.), and the parents are responsible for ensuring their children's devices are configured with their ages.

zelse

5 months ago

In practice, 100%. In theory we could likely design "good enough" anonymous systems that work like buying alcohol or tobacco in most countries (buy a scratch token in cash at a corner store after showing ID, picked at random from a box of them - contains a number, possession of which is theoretical proof that you had your ID verified at purchase)...but of course, the real purpose of age-gating is exerting a chilling effect, so we'll never hear about privacy-preserving methods.

(NB: I am firmly opposed to any of this. The solution for parents concerned about their kids is parenting and parental controls, not giving authoritarians of all stripes the means to snoop and ban whatever they decide is obscene or troubling.)

dh2022

5 months ago

This approach could create a black market where,say, high school seniors would buy these tokens and resell to high school sophomores/juniors.

Eddy_Viscosity2

5 months ago

Is there irony in the fact that Americans will pass privacy invading laws to protect kids from porn, but not gun laws to protect them from being shot at in school? How many kids die from porn exposure every year?

LorenPechtel

5 months ago

The thing is gun laws won't protect against school shootings unless you basically completely disarm the population--which is not realistically possible as there would be too much non-compliance. And note two things about the data:

1) Many sources seek to inflate the number of school shootings by counting incidents in which the school is only incidental, not the target. Think drug deal in the parking lot when school is out etc. And note that counting firearm deaths to minors counts mostly gang vs gang stuff.

2) It is almost certain that guns save more people in self defense situations than they take in all mass shootings (using the realistic test of public and indiscriminate targets--again, the numbers are inflated by things like gang fights), let alone just school shootings. (And, no, I do not believe Lott's numbers. He's way high and an awful lot of what he does count is deterred robbers and the like, where death was unlikely in the first place.)

stogot

5 months ago

Gun laws stop school shootings? Where in the US does that work?

Eddy_Viscosity2

5 months ago

The US has never tried this. For an example of efficacy we have to look at other wealthy western nations that have strict gun laws and see how many school shootings they have. The data overwhelmingly indicates this works.

As a counter-point, where in the US has any law stopped teenagers looking at naughty things on the internet?

LorenPechtel

5 months ago

Don't look at school shootings, they don't matter. What matters is how many, not by what means. Note that the most deadly such attack was with a truck, not a gun.

The data proves nothing about whether it works because it's a cultural problem far more than it is a means problem. They choose to go out in a blaze of infamy rather than be a nobody. They generally are planned long in advance, there's plenty of lethal things they can get their hands on.

stogot

5 months ago

What kind of state or federal law do you propose, with the unlikelihood that the 2A won’t be repealed?

Eddy_Viscosity2

5 months ago

Easy, just do the same thing as other western countries. If the 2A is an obstacle, then change it. The unlikelihood of and changing the 2A is the heart of the problem, not an constraint to be worked around. The question is why are gun rights sacrosanct, but other rights can taken away just by saying 'think of the children'.

heavyset_go

5 months ago

If you think the 2nd Amendment is bad now, just wait to you see what happens if we're unlucky enough to ever have a Constitutional Convention in our lifetime.

stogot

5 months ago

That’s not how amendments work

nicce

5 months ago

Porn sites have been there almost 20 years. Why it is problem right now? Is there extensive recent research about it? Or now we just have the capability?

user

5 months ago

[deleted]

LorenPechtel

5 months ago

It's a "problem" because we are becoming a theocracy.

There's no reasonable demonstration of harm and a very strong correlation between availability of pornography and a big reduction in sex crimes. The purported harms are due to blocking reasonable sex education, leaving teens with the equivalent of Hollywood being the only model of sex they see. The original study that was created to show the harms concluded they couldn't find any to anyone, even minors.

nick__m

5 months ago

I remember pop-up porn adds started to appears around 1995 or so and 1995 is 30 years away...

privatelypublic

5 months ago

I ember them showing up and then being limited to super shady sites PDQ.

Which makes sense- since exposing minors to pornography was a crime, and got even more illegal somewhere in that time frame, along with the web becoming "professional" (whitehouse top level domain mixup stories anyone?), the honest pornography sites all started self-regulating and asking if somebody is an adult before anything naughty gets shown.

betaby

5 months ago

> Why it is problem right now?

Push from the different generation? Late boomers got very puritan with age, also see themselves as more moral, again with age.

burnt-resistor

5 months ago

Nope, not here. Perhaps you live in some totalitarian shithole where you lack privacy or haven't figured out how VPNs work.

kristopolous

5 months ago

My favorite is Montana where you have to provide more identification to view a naughty jpeg then buy a firearm.

readams

5 months ago

Big tech has generally not loved this because they know that adding friction like id checks massively reduces attach rates. This is watered down enough that it's likely seen as a lesser evil.

BoredPositron

5 months ago

A new account on Facebook, Instagram or Google/YouTube will usually instantly get restricted and triggers either ID or Phone verification anyways.

fortran77

5 months ago

I think they love it to because it will be another barrier for a little small start up from entering the market. You'll need to spend so much on regulatory issues and compliance that only the biggest, established companies can have a business.

ranger_danger

5 months ago

The text of this bill would be satisfied by a website simply having a "Yes, I'm over 18" button on the front.

tmaly

5 months ago

This is just going to create a regulatory moat where only the incumbents can survive.

jart

5 months ago

No one ever explains why it's so important that everyone always conceal their identity on the web, as though it were some global red light district. The most successful tech platforms all succeeded by getting people to be trusting enough to say who they are, like Twitter, Facebook, etc. It's worth billions of dollars to create any online space that isn't anonymous.

filchermcurr

5 months ago

It's important to conceal your identity because the internet is forever. Your comments, opinions, beliefs, embarrassing moments... all recorded (essentially) for life. This happens through administration changes, different jobs, life changes, belief shifts, different friends and partners, etc. Without anonymity, anybody can comb through your entire history to make any point they want. To justify any accusation about you they want using 'evidence' from years past. To stalk or harass. To fire you for daring have an opinion about something. Depending on your government, to arrest you for what you've said in the past.

A huge issue with the modern web is that everything is seen as a profit motive. I don't care how many billions of dollars tracking everything we do and tying it to our person is worth. I don't want it.

burnt-resistor

5 months ago

And hostile regimes can surveil, harvest, and buy up data to murder their opponents. "It can't happen here" is always naive "logic".

jart

5 months ago

That's a good thing since it means we have the opportunity to be remembered for eternity. Information is permanent. Also don't think that just because the system doesn't reveal who you are to other users today that your identity and life activities won't be decloaked later on should culture or policies ever change. If you're open, trusting, and use your real name today, you'll at least get the benefits and glory of eternal fame while you're alive.

burnt-resistor

5 months ago

Except the right to be forgotten and not doxxed.

serf

5 months ago

OK.

Here's an easy explanation.

Someone you don't like somehow gets voted into power and begins trying to enact changes towards a social group you belong to.

Building anonymous systems is one way to avoid Bad Actor X from having Big List Y, leading to Atrocity Z.

Having a really successful social network isn't a goal post, it's just a result.

Great -- it made a zillion dollars, meanwhile we've built the biggest leakiest information trove on individuals, for individuals to be exploited, ever imagined.

jart

5 months ago

Already happened with USG. You know who doesn't discriminate against my group? Big tech companies. If they can step up and take on more responsibility for identity verification in our society, then my social group will be less oppressed. The California Republic must lead the way.

16bitvoid

5 months ago

They may not themselves, but they'll happily sell your info or give it up to avoid losing money to someone who would.

user

5 months ago

[deleted]

heavyset_go

5 months ago

> You know who doesn't discriminate against my group? Big tech companies.

Yes, they just give megaphones to, and make bank on, the propagandists that are responsible for the current moral panic that's resulted in the US government discriminating against LGBT people.

These are the same companies that facilitated propaganda that led to hate and violence like this[1]. A deeper look with plentiful citations is here[2] from the Harvard Systemic Justice Project.

To give you an example that happened here in the US, a friend recently moved back to the city because his neighbors felt emboldened to constantly call him slurs on Facebook when they disagreed with him. He couldn't use local Facebook groups without bigots following him around and calling him slurs. They felt emboldened after this[3], knowing Facebook would do nothing about it. Discriminatory harassment over Facebook after their policy shift drove him from his own home. Facebook's policies allowed a community to successfully rid itself of a minority it didn't want to see or hear.

[1] https://www.pbs.org/newshour/world/amnesty-report-finds-face...

[2] https://systemicjustice.org/article/facebook-and-genocide-ho...

[3] https://www.nbcnews.com/tech/social-media/meta-new-hate-spee...

jart

5 months ago

The first amendment protects free speech. The people must have their say.

heavyset_go

5 months ago

We both know that the First Amendment binds the government and doesn't bind private entities.

jart

5 months ago

What do you want tech to do? Use agents to deploy an apparatchik to every man woman and child? Wouldn't that leave people like you out of a job? What would you do all day? Tech platforms should take no part in the social disagreements of the people. They should be neutral unbiased providers of digital space.

heavyset_go

5 months ago

Yes and yes, why shouldn't they?

I'll be just fine, I don't suck at the teat of tech companies like some do.

The real question is what will you do when they come for you? Note that writing code and posting on the internet will get you nowhere.

jart

5 months ago

What's stopping you from doing that? They tried to come for my passport but missed. Our heroes in the civil service saw to that. Just got a new one in the mail today and I'm so happy.

_heimdall

5 months ago

You may be combining or missing a few factors.

Tech platforms are valued at billions of dollars because they found ways of convincing their users to give up anonymity. That has nothing to do with whether the anonymity was important.

corytheboyd

5 months ago

> No one ever explains why it's so important that everyone always conceal their identity on the web.

I live next to idiots with gigabit and guns, that’s why.

no_wizard

5 months ago

Reddit stands out against this wave. I reckon that Reddit is worth at least a billion

ranger_danger

5 months ago

The bill doesn’t actually require any real age verification... it just asks people to provide a (any) birthdate for the purposes of categorizing their access by age bracket. It doesn’t say anything about the information having to be accurate, and gives no penalties if you lie.

I'm still against age verification in general, but I don't think this particular bill warrants the massive outrage similarly being made lately about more serious age verification laws, as it does not require any facilities for actually verifying, well, anything.

https://trackbill.com/bill/california-assembly-bill-1043-age...

sigmar

5 months ago

>to provide a developer, as defined, who has requested a signal with respect to a particular user with a digital signal via a reasonably consistent real-time application programming interface regarding whether a user is in any of several age brackets, as prescribed.

Summary reads to me as this bill requiring calls to an API to verify the user's age.

ranger_danger

5 months ago

> requiring calls to an API to verify the user's age

By simply asking for their age. There's nothing about requiring that the age is actually attempted to be verified as accurate at all. And the "age bracket" is specifically defined as nonpersonally identifiable information.

And it still gives no consequences for wrong/fake information.

Interestingly, they also define a "developer" simply as "a person that owns, maintains, or controls an application".

Wouldn't that inherently include all users of a computer in general?

nl

5 months ago

> There's nothing about requiring that the age is actually attempted to be verified as accurate at all.

To quote: requires a business that provides an online service, product, or feature likely to be accessed by children to do certain things, including estimate the age of child users with a reasonable level of certainty appropriate to the risks

"Reasonable level of certainty" requires some kind of attempt at verification. In Australia for example they allow facial estimation software (which I agree is not good, but it provides some kind of estimate the government is happy with)

> And it still gives no consequences for wrong/fake information.

Where are you seeing that?

To quote the bill:

> This bill would punish noncompliance with a civil penalty to be enforced by the Attorney General, as prescribed.

And:

  line 17 A person that violates this title shall be subject
  line 18 to an injunction and liable for a civil penalty of not more than two
  line 19 thousand five hundred dollars ($2,500) per affected child for each
  line 20 negligent violation or not more than seven thousand five hundred
  line 21 dollars ($7,500) per affected child for each intentional violation,
  line 22 which shall be assessed and recovered only in a civil action brought
  line 23 in the name of the people of the State of California by the Attorney
  line 24 General.

tzs

5 months ago

From the bill section 1798.501(b):

> (2)(A) A developer that receives a signal pursuant to this title shall be deemed to have actual knowledge of the age range of the user to whom that signal pertains across all platforms of the application and points of access of the application even if the developer willfully disregards the signal.

> (B) A developer shall not willfully disregard internal clear and convincing information otherwise available to the developer that indicates that a user’s age is different than the age bracket data indicated by a signal provided by an operating system provider or a covered application store.

> (3)(A) Except as provided in subparagraph (B), a developer shall treat a signal received pursuant to this title as the primary indicator of a user’s age range for purposes of determining the user’s age.

> (B) If a developer has internal clear and convincing information that a user’s age is different than the age indicated by a signal received pursuant to this title, the developer shall use that information as the primary indicator of the user’s age.

https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...

nl

5 months ago

I think you are agreeing with my interpretation, right?

tzs

5 months ago

Nope. The bill says that a developer that receives the age signal is deemed to have actual knowledge of the user's age range.

As long as they don't willfully disregard clear and convincing contradictory information from somewhere else the signal is good enough.

ranger_danger

5 months ago

They don't actually define what "likely to be accessed by children" or "a reasonable level of certainty" really is.

I could say "some kind of attempt" is merely asking the user if they are over 18. I see no language that says that's not good enough, especially appropriate to the "risks" of 98% of websites.

> Where are you seeing that?

The noncompliance is on the part of the site owner, not the user. It just means you must ask their age (bracket), it doesn't mean the user has to tell the truth.

polyomino

5 months ago

The MPAA's argument against this bill is a complete joke:

>MPA urged state lawmakers to reject Wicks’ bill this week in a letter, obtained by POLITICO, claiming device-based age checks may sow confusion; for example, if parents and kids had separate Netflix profiles under one account that’s logged in on multiple devices.

To the point where I'm asking if someone needs some token opposition to frame this obvious bill a political win?

_heimdall

5 months ago

There are legitimate arguments that can be made against this bill...that is not one of them.

avarun

5 months ago

This bill is a strictly better version of the age gating initiatives that have been passed in other states and countries like the UK and Australia. If age gating is inevitable, and it seems as though it is, this is the least bad way to do it — enforcing the onus on device manufacturers, who can do verification one time and then throw away the information.

_heimdall

5 months ago

> If age gating is inevitable

What could possibly make it inevitable? We are either okay with those with authority forcing us to ID ourselves in some form or we aren't.

userbinator

5 months ago

and it seems as though it is

Only with that attitude will it be.

g-b-r

5 months ago

It would easily mean that you're required to have an unmodified device, running a locked down system, to be able to access any service that uses age verification.

Although, a much more sensible alternative, would be to have parents (that do want the control) give their sons devices that send the "minor alert" signal, and have the services detect that.

g-b-r

5 months ago

Of course all these measures risk making identifying minors trivial for any website and app, which is... not really ideal

g-b-r

5 months ago

And this specific proposal seems to let anyone know if your kid is:

(A) Under five years of age.

(B) At least 5 years of age and under 10 years of age.

(C) At least 10 years of age and under 13 years of age.

(D) At least 13 years of age and under 16 years of age.

It seems a menu, I wonder what could go wrong....

GeneralMayhem

5 months ago

Bill text: https://legiscan.com/CA/text/AB1043/id/3193837

This seems... not terrible? The typical counter-argument to any "think of the children!" hand-wringing is that parents should instead install parental controls or generally monitor what their own kids are up to. Having a standardized way to actually do that, without getting into the weirdness of third-party content controls (which are themselves a privacy/security nightmare), is not an awful idea. It's also limited to installed applications, so doesn't break the web.

This is basically just going to require all smartphones to have a "don't let this device download rated-M apps" mode. There's no actual data being provided - and the bill explicitly says so; it just wants a box to enter a birth date or age, not link it to an actual ID. I'm not clear on how you stop the kid from just flipping the switch back to the other mode; maybe the big manufacturers would have a lock such that changing the user's birthdate when they're a minor requires approval from a parent's linked account?

That said, on things like this I'm never certain whether to consider it a win that a reasonable step was taken instead of an extreme step, or to be worried that it's the first toe in the door that will lead to insanity.

ndriscoll

5 months ago

The language suggests to me that GitHub would be a covered app store and a FOSS Linux distribution without an age gate API would be illegal in California (along with all programs that don't check the age API, e.g. `grep`), so it seems quite a bit worse in terms of killing free speech and culture than requiring adult sites to check id to me.

Notably, a "covered app store" doesn't seem to need to be... a store. Any website or application that allows users to download software is covered. There's no exemption for non-commercial activity. So every FOSS repo and programs like apt are covered? The requirement is also that developers will request the signal. No scoping to developers that have a reason to care? So vim is covered? Sort? Uniq?

Honestly I can't believe big tech would go along with it. Most of their infrastructure seems like it would clearly be illegal under this bill. Either there's something extremely obvious I'm missing or every lawyer looking at this bill is completely asleep at the wheel.

GeneralMayhem

5 months ago

I hadn't thought about GitHub -I'm guessing the authors of the bill didn't either - but you're right, that is somewhat concerning. Still, I don't think it's the end of the world...

> The requirement is also that developers will request the signal. No scoping to developers that have a reason to care?

I don't see that requirement. Here's the sum total of the developer's responsibilities (emphasis added):

> A developer with actual knowledge that a user is a child via receipt of a signal regarding a user’s age shall, to the extent technically feasible, provide readily available features for parents to support a child user with respect to the child user’s use of the service and as appropriate given the risks that arise from use of the application, including features to do all of the following:

> (A) Help manage which accounts are affirmatively linked to the user under 18 years of age.

> (B) Manage the delivery of age-appropriate content.

> (C) Limit the amount of time that the user who is 18 years of age spends daily on application.

It would be nice if it had specific carve outs for things that aren't expected to interact with this system, but it seems like they're leaving it up to court judgment instead, with just enough wiggle room in the phrasing to make that possible.

If your application doesn't have a concept of "accounts", then A is obviously moot. If you don't deliver age-inappropriate content, then B is moot. The only thing that can matter is C, but I'd expect that (a) nobody is going to complain about the amount of time their kids are spending on Vim and (b) the OS would just provide that control at a higher level.

ndriscoll

5 months ago

You missed these requirements for developers

> (b) (1) A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.

> (b) If an application last updated with updates on or after January 1, 2026, was downloaded to a device before January 1, 2027, and the developer has not requested a signal with respect to the user of the device on which the application was downloaded, the developer shall request a signal from a covered application store with respect to that user before July 1, 2027.

Application developers are required to request an age signal from the operating system.

> (c) “Application” means a software application that may be run or directed by a user on a computer, a mobile device, or any other general purpose computing device that can access a covered application store or download an application.

So applications are any program that runs on any computer with the capability to install software from an online source. Ergo, a program like `sort` must request an age signal when it runs.

The bill is clearly thinking in terms of the two big phone monopolists while ignoring computers that are meant to act as useful tools (which contain thousands of programs from tens of thousands of authors and which have no business caring about what "store" they came from or what date they were installed on or anything about the user running them), but it explicitly says it applies to general purpose computers.

A massive improvement would be to say this only applies when there is an actual commercial store involved, and only place requirements on developers to do something if they would have some other requirement they need to comply with. And also realize that lots of applications are not meant to have the user there the whole time. How are batch jobs or interpreters like `python ` that you might leave running overnight on a job supposed to deal with the time limit? This bill is entirely focused on toys at the expense of computers. It should just place requirements on the actual companies that are causing the issues (social media/adtech, porn, gambling games, etc.)

Your store doesn't distribute social media apps, gambling, porn, etc. and just has things like text editors, music players, PDF readers, etc? No requirements should be needed. You develop a workout tracker? No requirement should be needed.

derbOac

5 months ago

This is what worries me a bit, that this will be used as an excuse for walled gardens and so forth.

"We can't allow side loading because that would be illegal in terms of age verification".

I would love to be wrong about this though.

GeneralMayhem

5 months ago

It's always possible that they'll say it, but it would be a lie based on my reading of this bill. Sideloaded apps can choose whether or not to respect the OS's advice about the age of the user, it's not on the OS or device to enforce them being honest.

g-b-r

5 months ago

It's beyond obvious that it will, and it's why Google and Apple support it

samrus

5 months ago

Article says apple hasnt said anything about it yet, neither for nor against

samrus

5 months ago

So the proposal is that parents just input the age on their kid's device, and apps pull the age range to limit content.

Thats actually reasonable. Does not personally identify anyone, can be opted out of as easily as those "i am over 18" buttons. The only freedom being lost is by minors to their parents, which is already how things work. I like this

anenefan

5 months ago

The bill is a bad idea. Of course big tech likes it, more id equals higher value data they can scrape. When (if?) it arrives it'll be two seconds before some places on the web will need more to be sure the person who set up the entire phone or app is actually not under age, thus the person setting it up will have to provide id ... the bill is a anonyphobes wet dream come true.

klysm

5 months ago

It’s also regulatory capture. Harder for competitors to meet regulatory barriers

syntaxing

5 months ago

This bill seems reasonable according to the article? It allows the device to state the user is underage and the site must act accordingly rather than gating users to a site and must prove their age. But then again “the road to hell is paved with good intentions" so no clue how it’ll play out in reality.

yepitwas

5 months ago

This is almost an amazing thing. Some common top-level way to set parental controls across systems would be a godsend. That’s all a giant pile of time-wasting shit right now.

However, any system that just uses age is useless. They’re always excessively cautious, so you may as well just not provide access at all for kids between the ages of 6 and 12 or so, if that’s all you have.

No, block all + allow lists are still where it’s at. Please make those work better.

(If anyone knows the magic to make Minecraft [java] work with macOS allowlist-only network access, I’d love to know what it is. The fucking launcher wants to talk to a half-dozen bare IP addresses to work, and the addresses change seemingly every single launch, from a pool of what must be many hundreds, at least, it’s completely unusable)

akersten

5 months ago

How does the government mandating the way an operating system works seem reasonable?

theossuary

5 months ago

It seems very reasonable to require a feature in an OS, like requiring seatbelts in a car. Of course, it depends on the feature though.

nicce

5 months ago

I could also mean that if you don’t have TPM on your computer and the OS is not in the ”allowed” list, you can’t access anything. I hope that this is not the path we will see.

theossuary

5 months ago

Agreed. But talking in generalities like "the government should be allowed to mandate a feature" leads to silly arguments like "government can't mandate airbags." We should be having the discussion about what the goal is, what the mandate would be, and what the side effects could be. Otherwise the conversation is too high level to mean anything.

nicce

5 months ago

How to verify that device is not faking the age? I bet here comes the remote attestation…

syntaxing

5 months ago

I think this is more of a liability thing. If the parent set the age as underage and the kid does a bunch of stuff to circumvent that, it’s on the kid and parent and not the website.

user

5 months ago

[deleted]

user

5 months ago

[deleted]

burnt-resistor

5 months ago

Technofeudal Big Mother is here to deanonymize you and steal your personal identifiers to sell to data brokers because "Think Of The Children™!" Fuck age verification with 240 VAC.

mouse_

5 months ago

Regulatory monopolists.