Hah, 30 years old: https://en.wikipedia.org/wiki/Platform_for_Internet_Content_...
It uses meta HTML tags and correct configuration of the browser to block/allow different ratings. I suppose one could use wget, curl, or lynx to bypass that stuff and download the HTML files, and then find the links to the JPEGs in them...
I don't think it's that simple. Since the header mechanism is easy to bypass, there would be:
1) software that makes it easy to do for the layman (browser extensions etc.), and
2) scams and malware that target children offering a "bypass" to access adult websites
Then parents, teachers, and administrators need to be aware of the latest bypass mechanism thus sending them on a wild goose chase. I think this would end up similar to the Do Not Track header which ultimately no one cared about or took seriously.
In a case like this, perfect is the enemy of good.
A locked down iPhone or Chromebook is going to thwart everyone but the most determined without compromising any privacy.
sure, but plenty of software already exists for those devices to block adult content and social media. it works just fine without a header. it's actually even better, because that software can even block nefarious websites that would never comply with adding a header
Blocklists are useful, but a hint from the website that, actually, they don't want to cater to children would be useful when those blocklists aren't up to date.
Yeah, DNS blocking and browser lists are simple too. Sure. So what problem are the politicians trying to solution for?
> 1) software that makes it easy to do for the layman (browser extensions etc.), and
It's already a given that this only works on a locked-down device. Making it a simple binary "is this device owned by a minor" switch means parents will actually be able to understand it.
> 2) scams and malware that target children offering a "bypass" to access adult websites
And advertising to children should also be banned, so they won't be exposed to such scams, among other things. Thankfully this header lets the site know if they're breaking the law by showing scam ads, which makes prosecution super easy.
> I think this would end up similar to the Do Not Track header which ultimately no one cared about or took seriously.
Oh, of course none of this works unless it has the teeth of law to back it up.
The Do Not Track header didn't die because of an arms race, it died because there wasn't any legislation making it criminal to track people who had explicitly indicated to you that they did not wish to be tracked.
Kids (especially ones close to the age of legal access anyway) will try (and succeed) in bypassing any sort of restriction on adult content including any of the digital ID garbage. There are any number of software scams targeting everybody, and your hypothetical would just be another one; I doubt that it would increase the total number of such scams.
But requiring sites with adult content by law to require what would sort of be the opposite of a Do Not Track flag (Let Me In?) would at least mean that kids would have to do something illicit on the client side to access adult websites that they would have to hide from their parents. If you made sure their phone or Chromebook was nerfed, you could make sure they couldn't install extensions or software that added the flag, you could strip it from their network requests; you could even strip it at the router. [edit: you could even opt-in with your phone company to strip it from your kid's phone's network requests.] You as a parent, and people who have nothing to do with kids, could trivially opt-in.
> The Do Not Track header didn't die because of an arms race, it died because there wasn't any legislation making it criminal to track people who had explicitly indicated to you that they did not wish to be tracked.
That was the first big problem. The second was that some versions of MSIE set the header by default, without the user having taken any action to request it. This made it infeasible for any major web sites to honor the header - by doing so, they'd break functionality for most MSIE users. (MSIE was, at the time, still the dominant desktop web browser.)
Also it already exists. It's called the RTA header; and it was invented by the porn industry decades ago to try and appear as a responsible self-regulating industry. (Total failure at that.)
RTA seems reasonable to me, on a technical level. But the porn industry can't force anyone to implement the client side of it. Legislators itching to "do something" should've focused on that.
The problem isn’t adults only websites. Those are easy to handle - just as you described.
The problem is social media. Reddit isn’t adults only, nor is Instagram. They’re just people putting stuff up for their friends.
Some of the nastiest stuff I've ever seen was in the comments of YouTube.
If we're requiring a locked-down client, why not have the server advertise the age rating in a header and let the client decide whether it'll display the response or not? That way the server doesn't get to see any age information whatsoever.
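The client-side decision proposed in the comment above, as an added example that is not part of the original thread: it reads the label the RTA project publishes (sent as a `Rating` response header or a `<meta name="RATING">` tag) and decides locally, with a blocklist fallback for sites that send no label. The function names, the `device_is_minor` switch, the blocklist and the sample responses are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Label string published by the RTA ("Restricted To Adults") project; sites send
# it as a "Rating" response header and/or a <meta name="RATING"> tag.
RTA_LABEL = "RTA-5042-1996-1400-1577-RTA"


class MetaRatings(HTMLParser):
    """Collect the content of every <meta name="rating"> tag (case-insensitive)."""

    def __init__(self):
        super().__init__()
        self.labels = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "").strip() for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "rating":
            self.labels.append(a.get("content", ""))


def declared_labels(headers, body):
    """All rating labels a response declares, from headers and markup."""
    labels = [v.strip() for k, v in headers if k.lower() == "rating"]
    parser = MetaRatings()
    parser.feed(body)
    return labels + parser.labels


def decide(host, headers, body, device_is_minor, blocklist=frozenset()):
    """Return (verdict, reason). The decision is local: no age data is sent."""
    if not device_is_minor:
        return ("allow", "unrestricted device")
    if any(lab.upper() == RTA_LABEL for lab in declared_labels(headers, body)):
        return ("block", "site self-labelled RTA")
    if host.lower() in blocklist:  # fallback for sites that never send a label
        return ("block", "blocklist")
    return ("allow", "no label, not listed")


# Constructed sample responses (hosts and bodies are made up for illustration).
LABELLED = ([("Content-Type", "text/html"), ("rating", RTA_LABEL)], "<html></html>")
META_ONLY = ([], '<head><META NAME="RATING" CONTENT="%s" /></head>' % RTA_LABEL)
UNLABELLED = ([("Content-Type", "text/html")], "<html><body>hi</body></html>")

if __name__ == "__main__":
    for name, (h, b) in [("labelled", LABELLED), ("meta", META_ONLY), ("none", UNLABELLED)]:
        print(name, decide("site.example", h, b, device_is_minor=True))
```

The unlabelled case is allowed unless the host is on the blocklist, which is the gap the blocklist comments in this thread are pointing at.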
It's not that simple, and it touches on a bunch of things that are at a nexus right now, that may end the anonymous internet.
(a) an identity provider needs to verify who is using the browser. If that can be strongly tied, then the identity provider could simply provide the "adult: yes" flag, on a need to know basis, but:
(b) the site consuming that header needs to trust that it came from a reliable source. So that flag needs to be signed/verified somehow, and the consuming site needs to trust that the identity provider doesn't lie. But also, the site consuming the header, by law, needs to do everything it can to ensure that it's not a child, so, it will need to ensure that the content is served ONLY to the web browser, and it trusts the web browser. Which means ....
(c) The browser will confirm to the site that it's real, it's trusted, it is not operated by some kind of relay/bot and won't send the content to anything other than the operator authenticated to the browser. So it's going to start signing its requests with a secret key, but that key will need to be on the user's machine, which will need to be trusted, so ....
(d) the signing will have to happen in the secure element, and the key will have to be stored on the machine that the operator cannot access. So some kind of TPM/Measured computing will have to be in place so all parties can trust that nothing was tampered with, or relayed to something else that was not authenticated.
All these things exist today. So the simple law mandating "A site has to ensure that sensitive content is never served to a minor using the strongest technical means available" means anonymous access, untrusted computers on the network will no longer be allowed to work.
So don't pass a law that says that? This is letting the perfect get in the way of the barely adequate.
Do they really need a standard or should they make sites liable for allowing children on?
There is no standard ID check protocol at liquor stores. If you're old they can just look at ya, some just look at your ID, others scan the ID. The govt didn't need to provide a standard. Just don't sell to kids. Figure it out! It's not on the govt to figure it out for you!
Pretty sure it’s a federal law in the US to card 100% of people actually, which I would call a standard ID check.
Not complying is a different point.
> If there were a store selling cigarettes to children, then naturally you'd want the store to stop doing it.
No, I would want children to know better than to buy cigarettes.