back to article California's attempt to protect kids online could end adults' internet anonymity

California lawmakers met in Sacramento today to discuss, among other things, proposed legislation to protect children online. The bill, AB2273, known as The California Age-Appropriate Design Code Act, would require websites to verify the ages of visitors. Critics of the legislation contend this requirement threatens the …

  1. Anonymous Coward
    FAIL

    No

    What is needed is a GDPR-like law that is always on by default - no information captured and stored - and then add a mechanism to allow GDPR to be switched off via verification, including age, of one's identity.

    Unfortunately it's a pipedream. FAANG would never allow it and their money talks louder than anybody else.

    1. The Man Who Fell To Earth Silver badge
      FAIL

      Re: No

      What California really needs to do is write legislation making it illegal for California HQ'd companies to comply with subpoenas from other States investigating "crimes" that are not crimes in California. So for example, make it so a California based fertility app company for Period data of someone Texas thinks terminated a pregnancy at home via medication can't comply under California Law. Or make is so Google can't be subpoenaed by Texas for location tracking data of someone Texas thinks went to another State to have a pregnancy terminated legally in that other State. (The DOJ says States can't prosecute a person who traveled to another State where abortion is legal, but AG's change with President's, so that protection isn't real.)

  2. Boris the Cockroach Silver badge
    Facepalm

    I can see this working

    Log into a website... lets call it "The register .com " supply your credit card number, name and address to prove you are an adult.

    Now you're free to post whatever comment you like..

    Right upto the point where the PFY misconfigures the database holding all our details and the hackers make off with a copy of all of it... new credit cards all round plus time+expense of canceling etc etc.

    Now rinse and repeat for every site you goto.. and now its a great tracking device for anyone..... looked up abortion websites, registered with one... went to California on a pre booked appointment... now law enforcement in your 19th century state can go "Ohhhhhhh lets throw her in prison too" after they issue a warrent because after all planned parenthood works in their state too......

    "Lets protect the children" should be banned as a phrase because it means nothing of the sort...

    Anyway little 13 yr old Johnny borrowed his dad's credit card to make an account on pr0nhub.

    1. Infused

      Re: I can see this working

      Exact same thing in the UK is being proposed. Indeed, I believe this is the inspiration for the Californian legislation. The internet is going to become unusable.

      1. Phil O'Sophical Silver badge

        Re: I can see this working

        The internet will be fine, the Web may become unusable.

      2. Anonymous Coward
        Anonymous Coward

        Re: I can see this working

        Thing is this was proposed many times before but was delayed over and over again until it was quietly scraped and is likely to happen again.

        This is likely to be a huge unenforceable mess that may collapse under its own weight.

      3. The Man Who Fell To Earth Silver badge
    2. John Brown (no body) Silver badge

      Re: I can see this working

      "Right upto the point where the PFY misconfigures the database holding all our details and the hackers make off with a copy of all of it... new credit cards all round plus time+expense of canceling etc etc."

      Alternatively, make the law state that age must be verified then a token marked against the username and then any/all verification must be deleted on pain of £enormous_fine. Verification could even be outsourced to a service such as Verified by Visa, who already know who you are, so the site doesn't even have to know who you are, just that a "trusted source" confirms you are over 18. I'm sure it could be arranged so that "Verified by Visa" don't actually know who the site is requesting the verification, thus keeping it all anonymous. This does, of course, require a level of trust and a proper level of security, but only the verifier will ever know the details of the person being verified, and their business is based entirely on trust and security.

      (Oh, and for anyone asking, the sky is pink on the planet I live on and all is good with the world)

      1. Neil Barnes Silver badge

        Re: I can see this working

        A website might not need external verification: if you've been logging on for a number of years, the site probably knows how long (e.g. Vulture Central knows I've been posting here since 2007, possibly earlier) and if a client has been posting for a significant length of time, they're probably all grown up...

        1. Phil O'Sophical Silver badge
          Joke

          Re: I can see this working

          they're probably all grown up

          As is clearly obvious from many of the comments around here...

          1. MrDamage Silver badge

            Re: I can see this working

            Growing old is mandatory. Growing up is optional.

      2. yetanotheraoc Silver badge

        Re: I can see this working

        "... and then any/all verification must be deleted ..."

        Don't the service providers need that to prove they are/were in compliance?

    3. Blank Reg

      Re: I can see this working

      It's certainly possible to only have to provide proof of identity once when you create an account with the information never being saved and the account not retaining any personally identifying information.

      There is no need to ever check age again, none of us getting younger.

      1. Anonymous Coward
        Anonymous Coward

        I can't see this working

        The process here is bassackwards. Build and mandate external identity providers, then make the sites and service operators use them. And by that I mean the OpenID/OAuth type systems not the shady give us a credit card and all of your personal information type.

        The sites shouldn't be getting anything other than an anonymized token without user consent. Letting the sites collect and check detailed personal info is just going to lead to leaks and identity theft, as well as places breaking the rules and using it for targeting/resale knowing how likely they are to be caught.

        While I think there should be range of trusted identity providers, I expect my own government should be one of them. The seem to think they are the final authority on who I say I am, and I pay them taxes. Running an OAuth+TOPT server wouldn't break the bank.

        1. doublelayer Silver badge

          Re: I can't see this working

          "While I think there should be range of trusted identity providers, I expect my own government should be one of them."

          Don't give them ideas. Do you think the legislators will understand the requirements to identify without recording details or knowing the service requesting the identity? Let them start down that path, and they'll create a government account that you have to link with every site you use.

          1. Anonymous Coward
            Anonymous Coward

            Re: I can't see this working

            Or do what the UK Gov were intending to do... outsource the 'verification' to a pron merchant to do the checking.

            (they already know your filthy habits, so what harm can they do?)

            1. Anonymous Coward
              Anonymous Coward

              Re: I can't see this working

              And that caused the last age verification law to be delayed over and over again until it was quietly scraped.

      2. brotherelf

        Re: I can see this working

        > There is no need to ever check age again, none of us getting younger.

        You wish… They'll say the mechanism has to be robust against lost/stolen credentials.

    4. Anonymous Coward
      Anonymous Coward

      Re: I can see this working

      Recaptcha: "Select all the images containing top shelf liquors" and of course throw some rot-gut stuff in there too. - There solved it.

    5. yetanotheraoc Silver badge

      Re: I can see this working

      "Right upto the point where the PFY misconfigures the database holding all our details and the hackers make off with a copy of all of it..."

      Assuming the age verification has any real meaning, the hackers (sic) also get details of who is a child online. Presumably leaking this information has the opposite effect to that stated by the lawmakers.

  3. Infused

    The Real Web 3.0

    Reading things like Quora you'd think the internet will just keep getting better & better. This doesn't reckon with the approaching tsunami of government legislation. The idea that the internet is evil & that freedom to say or read or interact with others is dangerous seems to have taken root amongst ruling elites. So, in response, just about every western country is introducing similar laws revolving around age verification, screening of content before it's uploaded, the profiling of users, undermining encryption, etc. When Eric Goldman says it'll finish casual browsing, I believe that's the point of these laws, to make using the internet a lot less inconvenient. In the UK, it's the Online Safety Bill. The worst case scenario here I've seen suggested is that the Britnet becomes a Teletext-style information service (if anyone remembers that) with minimal interaction between users. While I doubt the internet will disappear, I do think the online freedoms we've all gotten used to are going to disappear in the next five to ten years. You can probably say goodbye to all those creative communities based around anime & fan fiction; they'll be no more viral videos of sea shanties on Tik Tok or ice bucket challenges. I don't think this is hyperbole.

    1. John Brown (no body) Silver badge

      Re: The Real Web 3.0

      "The idea that the internet is evil & that freedom to say or read or interact with others is dangerous seems to have taken root amongst ruling elites."

      Back in the day, every village had it's own idiot. Now that the world is one big village, all the idiots have joined forces and formed their own army.

    2. Anonymous Coward
      Anonymous Coward

      Not a forgone conclusion to the era, but

      If you don't want it to end up that day, start TELLING your government the laws they should be enacting to PROTECT you. Otherwise you will be stuck fighting every bad law someone with a predatory interest ties to slip by.

      We tried "light touch" while predatory monopolies formed, we tried unregulated internet, we tried mass censorship. We never took the lessons learned and passed laws guaranteeing those mistakes didn't get repeated endlessly. So a couple times a year the same ghouls crawl up and try to pass laws doing the same terrible things. We need to stop playing whack-a-mole. If your house is full of flies, more flyswatters isn't the answer.

      Take out the trash, and put screens on the doors and windows. Then swat whatever is left.

      1. Anonymous Coward
        Anonymous Coward

        Re: Not a forgone conclusion to the era, but

        Tho bills and laws like the UK online safety bill are likely to be huge unenforceable mess that may collapse under its own weight just look at the last age verification law that was delayed over and over again until it was quietly scraped.

    3. staringatclouds

      Re: The Real Web 3.0

      "The idea that the internet is evil & that freedom to say or read or interact with others is dangerous seems to have taken root amongst ruling elites"

      It is, to them

      The internet allows us to communicate, find kindred spirits & unite

      This takes away "divide & conquer" which has been our rulers preferred method of ruling since they became rulers

    4. Anonymous Coward
      Anonymous Coward

      Re: The Real Web 3.0

      Thing is the UK online safety bill is likely huge unenforceable mess that may collapse under its own weight becasue the the UK has a bad record at setting this stuff up. just look at the last age verification law that was delayed over and over again until it was quietly scraped so its unlikely the Britnet becomes a Teletext-style information service not even China or Russia been able to do that.

      Its very unlikely that online freedoms we've all gotten used to are going to disappear in the next five to ten years. and its unlikely we will all say goodbye to all those creative communities based around anime & fan fiction anytime soon. Saying there will be no viral videos of sea shanties on Tik Tok or ice bucket challenges is pretty hyperbole.

      The approaching tsunami of government legislation is likely to be a huge unenforceable mess that may also collapse under its own weight.

  4. Anonymous Coward
    Anonymous Coward

    Anonymous Speech

    is Free Speech.

    1. Anonymous Coward
      Anonymous Coward

      Re: Anonymous Speech

      Cowards are never free.

      1. staringatclouds

        Re: Anonymous Speech

        And people who use their real names on social media can have their lives ruined

        Like Mike Stuchbery who was doorstepped & harassed by Tommy Robinson (Stephen Yaxley-Lennon) & his sycophants

        A: Because he made the mistake of calling out TR on social media for posting misinformation, something TR admits to

        &

        B: Because he posted using his real name, which is quite distinctive, which allowed TR to track down his address & doorstep MS while livestreaming this to his followers, who now all knew where MS lived & started a campaign of harassment, eventually hounding MS out of the country

        See https://www.huffingtonpost.co.uk/entry/tommy-robinson-hounded-me-out-of-my-home-and-country_uk_5dfd0e41e4b0b2520d0aae59

        So, solve that problem before demanding people post using real names or calling them cowards, we can't all afford to change countries because some wingnut decides to camp on our doorstep over some remark we made on social media

        1. Version 1.0 Silver badge
          Headmaster

          Re: Anonymous Speech

          ...people who use their real names on social media can have their lives ruined...

          So what happens when someone creates a new real name on social media - do you think that "fixes" the problems? Maybe they can just create a new "name" and be safe, so should I create a new ElReg account with the name Joris Bohnson and then bounce around with new "anonymous" comments?

          Effectively all of the "solutions" to issues with social media are just an illusion.

        2. Anonymous Coward
          Anonymous Coward

          " people who use their real names on social media can have their lives ruined"

          Maybe the problem are social media? When people becomes accountable it will become much more difficult for them to try to ruin someone else on social media or outside.

          What you report is a crime. If it wasn't prosecuted then the problem lies elsewhere. If you want anarchy, you'll obtain the same exact effect, and anonymity won't protect you much because there are ways to identify people anyway, unless you are very, very cautious.

          Do you like a world where you are forced to hide because otherwise bullies can ruin your life? Do you understand that you are looking for the wrong solution to a real problem?

          Social media must be exactly reined in because they allow, and use these behaviours to make money. They're destroying society allowing some dangerous people too much leeway, and they will grow stronger in the dark.

        3. staringatclouds

          Re: Anonymous Speech

          And here we have "Version 1.0" & "LDS" arguing against anonymity because, of course, those are their real names

      2. yetanotheraoc Silver badge

        Re: Anonymous Speech

        "Cowards are never free."

        In the land of the free, a coward's freedoms are protected, just like everyone else's.

        Well, that's the theory anyway. In practice people moan loudly about having their own freedoms taken away, but are pretty blithe about doing the same to others.

        1. Anonymous Coward
          Anonymous Coward

          Re: Anonymous Speech

          Cowards freedom is protected by people who stand up and fight for their and other freedom. Feel free to look at History.

  5. doublelayer Silver badge

    Protect everyone and you won't need to verify

    There are two types of protections that children are supposedly getting with this system. The first I can't really do much about: to give children a seemingly safer system with dangerous features disabled which doesn't actually happen. However, the second one is protecting children from tracking, and that one I can do something about. If they passed a rigorous privacy protection law instead, they wouldn't have to identify who is and isn't a child. If tracking was illegal no matter how old the user was, then the same goal could be achieved without destroying anonymity. I'm an adult who wouldn't mind a privacy law that prevents tracking and gets enforced, so would someone please think of the adults who want it too?

    1. yetanotheraoc Silver badge

      Re: Protect everyone and you won't need to verify

      "would someone please think of the adults who want it too?"

      Just don't verify your age. By law the service provider will have to treat you like you are 13, ergo no tracking. Later when they match up your age-verified account with your age-non-verified account, you will pretty much know they never turned off the tracking for the children. But it's okay, the service provider won't be fined because the whole intent of this law is just to erode privacy. Instead, *you* will be fined for not providing the requested age-verification. Something about unlawfully trying to impersonate a 13-yo.

  6. Dinanziame Silver badge
    Unhappy

    I'm pessimistic on anonymity

    I think that in history, the early years of the internet when people could surf the web anonymously will be regarded as a historical anomaly that was obviously never going to work.

  7. Anonymous Coward
    Anonymous Coward

    Privacy and anonymity are different things.

    Do not conflate privacy and anonymity. They are two different things. You can have privacy without anonymity (your house is well known you live in, still inside you have privacy), and you can have anonymity without privacy - as it is happening now with companies like Google and Facebook letting you use "anonymous" accounts and still knowing everything about you.

    Anonymity is not always necessary. There are cases when it is needed, but it also have its dangers. Some acts needs to bear responsibility, and people need to know they are accountable - that's how life works most of the time - but it looks on the internet, and we should ask why.

    At the same time, thinking to protect privacy through anonymity is a big mistake - it's impossible unless privacy itself is protect by laws well enforced. Companies will push to keep the status quo because that's how they make money. They want people to believe they're anonymous when they actually are not where it counts - in the money making ads and propaganda business.

  8. John69

    The "good" result of all this could be switch back to a more decentralised internet

    Unless there will be a way of criminalising diaspora or mastodon or whatever, then the big companies will become unusable for most people, and the decentralised solutions will be in a perfect place to take over.

    1. Dinanziame Silver badge

      Re: The "good" result of all this could be switch back to a more decentralised internet

      I think that's wishful thinking — it's typically easier for large established companies to survive aggressive regulation, short of direct action like breaking them up.

  9. Anonymous Coward
    Anonymous Coward

    Complete Misdirection.....Cui Bono?

    (1) Child uses parent's machine/credentials (with or without permission)

    (2) Child uses parent's credit card (with or without permission)

    (3) Child hacks adult account (at school? at sixth form college?)

    (4) Bad actors sell "adult" credentials (paid for with other adult credit card, see #2)

    (5) Bad actors allow anonymous logon -- anyone can do anything

    ...and so on....

    In any case, it's not clear how any remote system can VERIFY age reliably.....all the remote system can do is check some authentication (e.g. credit card), and this type of authentication is a million miles from age verification (see above).

    So......who benefits from this spurious debate? Well...I can think of some legitimate (and many paranoid) answers to that question:

    (6) Software and hardware vendors (selling product to "solve" the "problem")

    (7) Politicians (seeking power through spreading fear)

    Others here will no doubt have much more optimistic views!

  10. Xalran

    anonimity ? Internet ?

    ah, that wet dream...

    Nobody is anonymous on Internet.

    Just to browse El Reg, even without registering, my public IP is logged, and can be traced back to a specific ISP. That ISP knows who is connected at this IP since I'm a subscriber of that ISP.

    Even if I use a VPN, I paid the VPN with some kind of throwable card ( like a google/steam/whatever card you cna buy at supermarkets ), the VPN provider still knows the source IP of the VPN, and we are back to stage one : the ISP knows who I am.

    There's no anonimity on Internet, just services providers unwilling to give information on their subscribers ( or more than willing in other cases ).

    Now to the topic of protecting kids from *things they are not old enough to see* , from my point of view it's the parent's responsibility to ensure their kids don't see them, not some regulator. ISP can offer tools to perform that protection. ( like a control panel in the triple play box configuration that say that for a given device [ 6 year old Timmy tablet for example ] he can only visit a very limited number of websites, while another device/set of devices [ 15 year old Ginny laptop & mobile phone ] can reach most of the Internet content.

    1. doublelayer Silver badge

      Re: anonimity ? Internet ?

      My ISP knows who I am, but if you come to my place and use my connection, it won't automatically know that. There are also methods to hide information about the destination, by using VPN providers that don't log, for example. Even if the VPN provider knows who I am through my payment method, they could still refrain from tracking my activities (and if they don't, that's not a VPN I want to use). If you want, there are more extreme ways to hide network activity. Just because some information is available to ISPs doesn't mean it always is or that it's reasonable to have other places collect even more.

      1. Anonymous Coward
        Anonymous Coward

        Re: anonimity ? Internet ?

        Also the ISP may know who you are but with a VPN they are unlikely to see what you are reading so you are anonymous.

    2. Anonymous Coward
      Anonymous Coward

      Re: anonimity ? Internet ?

      That not how a VPN works.

      Its likely your ISP does not know who you are because a VPN works by routing a device's internet connection through a private service rather than the user's regular internet service provider (ISP). The VPN acts as an intermediary between the user getting online and connecting to the internet by hiding their IP address.

      Using a VPN creates a private, encrypted tunnel through which a user’s device can access the internet while hiding their personal information, location, and other data. All network traffic is sent through a secure connection via the VPN. This means that any data transmitted to the internet is redirected to the VPN rather than from the user’s computer.

      When the user connects to the web using their VPN, their computer submits information to websites through the encrypted connection created by the VPN. The VPN then forwards that request and sends a response from the requested website back to the connection.

      1. that one in the corner Silver badge

        Re: anonimity ? Internet ?

        Your ISP knows who you are because the first hop, from your VPN endpoint running on your PC, is sending all of the traffic, encrypted, to your VPN provider. What the VPN is doing is to prevent your ISP connecting their knowledge of your identity to any services you access via the VPN provider.

        The VPN supplier can, of course, track where it sent your traffic and this data can be correlated with your ISP. Which is why you want to choose your VPN supplier carefully.

        Consider: you can use the VPN the old-fashioned way, with an endpoint in your LAN and an endpoint in another LAN you have access rights to, say at work, and then just share resources between the two without anyone in the middle eavesdropping. Both ISPs are fully aware that the LANs are talking to each other, and for how long, they just can't read the actual content. You can even go from your work LAN onto the rest of the Internet and, tada, your work is now behaving exactly like the generic VPN supplier; so does your work have the ability to track your access to the Internet? Then so does the generic VPN supplier.

        The value of a VPN for general browsing is at the furthest end from your ISP, where the Big Website Provider only sees lots and lots of traffic from the VPN supplier and trying to apply tracking techniques to that means your small bit of the traffic gets lost in the noise. Hopefully.

        But all of the bytes are always going via your ISP. And they know where you live.

  11. Anonymous Coward
    Anonymous Coward

    Anonymity -- Some Suggestions

    (1) Anonymity is not required at all times -- after all many activities don't require either approval or disapproval of others

    (2) But some activities might be ethical and legal.....but also might expose the user to harm (e.g. political dissent in some places)

    (3) So...get started by NEVER using the internet from a place (or on an account, see #4) which is identified to a person....

    e.g. use facilities like internet cafes

    (4) Go to mail.com and set up a fictitious identity (e.g. the_real_boris@journalist.com)

    (5) Using cash, buy an unlocked phone. Buy a SIM and pay-as-you-go minutes for cash in a convenience store

    (6) Make disciplined and limited use of the email and the "burner" phone

    Now, depending on your adherence to item #3, you are almost anonymous! But behaviour matters:

    (7) Never use your "real" email, or your "real" phone at the same time, or in the same place as your "anonymous" identity

    (8) Restrict giving out your fictitious identity. Remember that INCOMING emails or phone calls identify your contacts, and might "leak" your identity

    (9) Beware of CCTV (both in public places, and in retail environments - see items #4, #5, #6)

    (10) For the truly paranoid, repeat every few months.

    (11) As a corollary to item #8, perhaps you only disclose your fictitious identity to those who have already implemented items #3 to #10 (!!)

    This process will absolutely NOT guarantee anonymity.......but it will make the job of people interested in matching activity with identity (e.g. Google, FB, Palantir, GCHQ, NSA......and so on)....it will make their job significantly harder!

    P.S. I wonder how long it will be before some politician or another will attempt to make both the procedure and the behaviour illegal. Soon....probably!!

  12. Marty McFly Silver badge
    Black Helicopters

    Don't be the low hanging fruit

    The bulk of Internet users are really happy to 'Sign in with Facebook' or some other federated identity...because it is 'so easy for me'. This makes it trivial for big tech to track them.

    Those of us who care about privacy will be using independent logins, multiple email addresses, separate computers & browsers, VPNs, private DNS, etc. We will refuse to play by simply not having a Facebook, YouTube, or Google account.

    Can we be tracked? Yup.

    Is it trivial to do? No.

    Are we the minority? Yes.

    Are we worth the effort? Probably not.

    We cannot easily hide from law enforcement or some sort of targeted research in to our individual Internet activity. But we can make it difficult for big tech to slurp our data. Given the way non-techies are so ignorant to their privacy, we are the small fish and big tech couldn't care less.

  13. Anonymous Coward
    Anonymous Coward

    Wow

    So the whole Internet is expected to change to make California happy?

    Good luck with that...

    1. NapTime ForTruth

      Re: Wow

      No.

      California will pass some law or laws. Many large and influential tech companies are headquartered in California. Those tech companies are obliged to comply with California's new law(s). Managing compliance with multiple laws in multiple jurisdictions is complex, expensive, and steals focus and resources from more valuable work. To minimize that burden and the losses incurred thereby, the tech companies will generally (and eventually) comply with the broadest, most restrictive applicable laws affecting their most significant markets because those laws encompass most or all of the requirements of less restrictive jurisdictions as well, thus reducing overhead.

      As an example, this methodology is why Americans and Fiji Islanders and Indians and everyone else get GDPR notices from sites and services even though their locations aren't covered by GDPR.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like