Age verification becomes more common. Australia, France, etc. introduce such laws to ban children below 15 years from social media platforms, to protect them.
Will these laws also be relevant to fediverse/lemmy specifically?
Personally I think these laws will focus on the big platforms at first (facebook/meta, youtube, discord, instagramm), which will force younger users with technical skills onto smaller and niche sites. Over time focus on this question will increase for the fediverse.
You must log in or # to comment.
I think we should find alternative ways, provided they don’t already exist, to ban predators and bad actors that doesn’t punish the entire userbase. Unfortunately, with initially ethical control comes state- and money- sponsored surveillance and oppression. It is seemingly impossible for the former to be free of the latter.
We’re already bombarded by services requiring users give up their age in order to be placed in data farming and advertising categories, with some banning those who cannot be farmed. Hell, every social media provider’s user age limit is 13 as per the EU GDPR – regulators only need to increase that age to 15/16 if they’re uncomfortable with its current level.
And no - I do not see a way to enforce age restriction without breaching basic rights to privacy. The only reason services demand your permission for cookies, device information, identifying data etc. is because the regulators mandate they cannot take your data without your permission. If they cannot find a way to sandbox the under-18 internet from the over-17 internet, then we should just keep the existing rules and expand support for victims. I dont believe there is an ethical solution for preventative measures.
Each instance can decide whether to enforce any age restriction law, and possibly get banned in whatever country if they don’t apply by it. Seeing how most websites wipe their butt with GDPR however it likely means the age-verification will only be enforced hard on the big social media networks like Facebook where mass tracking happens.
Likely, Lemmy will be illegal in those countries. However, given the federated nature, I expect a more whack-a-mole approach to banning.
Yeah the anime pirate sites change the domain but keep the servers. It’s interesting how credentials transfer over
It might happen for some instances, but I think if some countries start requiring fediverse instances to do this, most users will switch to instances hosted in countries that don’t require it.
I’m based in the UK. But my instance only actually has single digits of actual active users. So, it’s not bothering me too much.
The moment I get a letter from OFCOM, or I see they’re enforcing against smaller federated sites, I’ll just remove non login readable capability and make it entirely invite only (which won’t be a problem, the only people joining for ages were bots and when I added the AI blocking/cloudflare protection they’ve stopped coming too). Until then I am assuming they’re going after the actual social media companies.
Will this switching become an illegal act?
I don’t think so. That would be a hard thing to enforce and rather pointless. Comparing it to other internet regulations like the GDPR, it’s not illegal to use a website that doesn’t adhere to it. That said, with the amount of stupidity we tend to see in politics, who knows what some countries might do.
What may happen is that the websites get blocked by the ISP at request.
Lemmy does manage to circumvent this by the fact every instance has its own domain and cached content.
Most likely, 4chan.org will be blocked and a British Firewall will be added.
One of the Aussie ones already does by you providing a pic of you having a drink at a pub.
That way the instance owner doesn’t have to hold PPI as someone having a drink at a pub means they are over 18 and aren’t subject to the law.
Some poor alcoholic Aussie relapses just to chat with strangers online.
Which one? Definitely novel, but pretty easy to defeat. I wonder how well it will hold up to legal challenge.
aussie.zone
But FWIW, the australian law only applies to the sites they (the government) have explicitly told have to comply. They are marketing it as “all social media”, but it’s only, among others, facebook, tiktok etc.
I tried that one first, is it part of the sign up process or later? Maybe they reverted it?
I’m not 100% sure. I have an account on aussie.zone, but I logged in recently, and there was no request or anything for anything. So i dunno. i think it’s based on the honour system
It absolutely won’t hold up. I think it was tongue in cheak
@[email protected] @[email protected]
Let us think outside the box for a bit.
First, we already see a phenomenon going on with Fediverse, and Web as a whole: invite-only and/or need-to-apply places. Because of multiple factors (bots, trolls, AI DDoS+crawling), there are fewer places where one can simply have an account without the need for approval from someone else (the instance admins) or needing to know someone to join the “closed club”. This means places are already imbuing themselves with gatekeeping, one where it’s not so trivial to get approval, especially if someone has no Web history to prove themselves, a lack of “verifiable Web history” of which applies both for introvert adult people and for children as well. In practice, Fediverse and other niche places feel like they’re are already kind of gatekept against children.
Then there’s this requirement shared among those laws being implemented worldwide, “meaningful mechanisms to check age”. I can see govs and corps coming up with some kind of API, a centralized “age validator” entity.
Using the country I reside as an example: gov.br already has an API so websites and platforms can allow logging in with a CPF (“Cadastro de Pessoas Físicas”, Brazilian legal ID). Back in the pandemics, I received, as a DevOps, a freelancer job request to integrate a website with the gov.br API system for validating COVID-19 Vaccination status (at the time, I refused because I was already working on something else, and also because I don’t like dealing with bureaucracies). But this means that any website could, essentially, check the user’s age by redirecting the user to gov.br auth flow and requesting the official Date of birth. gov.br login has 2FA using facial biometrics via their governmental app. Currently, many Brazilian businesses deal with Pix (instant payment system maintained by the Brazilian Central Bank) through its official APIs because they’re being socially compelled to accept Pix as a means of payment. Pix is becoming a model for instant payment worldwide, many countries are copying Brazil’s Pix (in turn, copied from India while improving the existing Indian payment system).
So it’s just a matter of time before we see countries copying gov.br, with corp platforms adding gov-kept authn+authz of citizens to their systems.
Then, back to Fediverse: even if instances decide not to implement age checking, let us remember Fediverse, even when “self-hosted”, is still part of the Internet, a infrastructure dependent on ICANN/IANA, ISPs, ASNs, overseas fiber cables, national DNS authorities (e.g. registro.br for Brazilian ccTLD websites), etc. So it’s pretty trivial for countries to mandate something: upon refusal of compliance, a country could simply cut the dissident from the countrywide DNS, and/or request ISPs to block the access…
So, I can foresee a near future where there’s no country left without this kind of law, and Fediverse as a whole is compelled into implementing this.
we already see a phenomenon going on with Fediverse, and Web as a whole: invite-only and/or need-to-apply places
The need-to-apply model would be totally unscalable for traditional social media platforms because of the sheer number of requests that would need to be processed on a centralized. But something like this can work on the Fediverse because you can split the workload up between different instances
@[email protected] @[email protected]
When Facebook and/or Instagram asks for ID (something that have been taking place for years, I myself had to send my driver’s license alongside a selfie holding it when I used to use Facebook several years ago), it needs to be manually checked by Facebook staff. The account stays in a “locked state” before the ID is approved, so it’s essentially a “need-to-apply” situation. I also remember seeing TikTok asking for people’s IDs, way before this age checking thing (part of the process to monetize a TikTok channel), with the account being locked out of the monetization sections of the website before the ID is approved. Google does the same for Youtube and other parts that involve money (such as Google Cloud Platform and Google Ads so to embed ads into a website).
Indeed the number of applications is sheer, but the amount of admins/staff they have at their disposal to check all those applications is also bigger than most Fediverse instances could dream of.
Then there’s also AI (corp-grade, not the average ChatGPT we people have access to) automatizing the flow, not as the ultimate approval, but more as a filtering mechanism (discarding selfies/ID photos that are clearly not a selfie/ID) so the staff has to check just what seems like legit selfies/IDs photos.
Ok so I stand corrected. I guess it is possible but it just requires a lot of man power
I believe something like this is supposed to be a use-case of the digital EU Wallet. A website is supposed to be able to receive an attestation of a users age without nessecarily getting any other information about the person.
https://en.wikipedia.org/wiki/EU_Digital_Identity_Wallet
Apparently the relevant feature is Electronic attestations of attributes (EAAs). I’m not really familiar with how it will be implemented though and I am a bit afraid of beurocratic design is going to fuck this up…
Imo something like this would be magnitudes better than the current reliance of video identification. Not only is it much more reliable, it will also not feel nearly as invasive as having to scan your face and hope the provider doesn’t save it somewhere.
@[email protected] @[email protected]
it will also not feel nearly as invasive as having to scan your face and hope the provider doesn’t save it somewhere.
Even when anonymized, the information may still ship with some PII (Personally Identifiable Information). That’s how the user can be checked as the one requesting access (because a kid could be using their relatives’ account, so the age check checks not just the age, but also who’s checking the age). For age checking systems without direct PII (name, social security numbers, etc), there’s still some kind of UUID that will persist across requests, so it’ll essentially work as a tracking cookie.
The result from the age check, anonymized or not, still needs to be saved, and once saved, it’s already a slippery slope: it will be used for “better” advertisement, it will be used for “better” algorithmic recommendations, it will be used to keep track of users behaviors online.
Alongside AI (not the LLMs we, the “mortal people”, have access, but things way more “sophisticated” in that regard), they could keep cross-reference an “anonymized age check token/UUID” to a real person solely by relying on the increased digital footprint: then, all of a sudden, the health insurance gets to know the sexual habits of someone and can promptly raise prices when they detect the imminence of sexual problems/complains, the renting corp gets to know their tenant got “frequent sexual activity” (or, even worse, some specific kinds of “kinks”) that could (in their bigoted minds) do some damage to the walls, so they can suddenly change the renting contract or raise prices to cover for wall painting, both parties can now know the political preferences (do we wonder why the US branch of TikTok is now asking for “immigration status” for US citizens? How could they possibly know the SSN for an USian TikTok user? The age checking, be it something already being done in the US or something that will become a reality soon (I’m not updated in this regard), is part of the “how”).
That’s the “Big Data” in action: crossing swathes of information across systems and databases, and corp-grade AI is another mechanism to achieve this.
Imo something like this would be magnitudes better than the current reliance of video identification
To some extent, indeed it is. But, in practice, it just delegates the video identification to the government (the citizen info is tied to biometrics, and authentication using things such as “EU wallet” may need 2FA with face biometrics within the government-backed app). There’s still going to be face recognition somewhere down this “age checking” road, be it corp-backed or government-backed.
Depends if the wallet records data of what site required verification. Any amount of privacy being eroded is bad.
@[email protected] @[email protected] @[email protected] @[email protected]
Depends if the wallet records data of what site required verification.
They have to.
Otherwise, the wallet wouldn’t be able to verify whether the website is authorized to request age check (say, if a website asks the wallet’s API “Hey, please hand me the age checking token for the email [email protected] which you checked for me some time ago, they’re trying to access the gatekept sections of my website again”, the wallet needs to be sure that this website did request it previously and is not trying to exfiltrate someone else’s data), or the person wouldn’t be able to know which sites previously got their age checking data (eventually the users will have lots of websites where they previously had to check their age, and as part of GDPR’s “Right to be forgotten”, they’d need to be sure which ones they would want to revoke previously handled data).
The Age check authn+authz flow isn’t unidirectional (i.e only the wallet handing out the result of age check to a website). In a nutshell, it works this way (at least, it’s how I think, as a DevOps formerly accustomed with building APIs for websites, how it would work):
- User requests to access sensitive (“adult”) content from a website.
- Website requests the user to check their age.
- User agrees to proceed with age check.
- Website redirects the user to the governmental wallet
- The wallet asks for user authentication and/or 2FA (“open the gov app” or something)
- After authentication and/or 2FA flow within the gov app, the gov app redirects the user to an OAuth endpoint within the original website, alongside a unique token
- The Oauth endpoint will be invoked by user’s browser’s request, then the website will check the wallet API if this token is valid.
- Gov wallet will check if this website previously went through a flow, then will check the requested token and answer “yes” to the website’s endpoint.
- Website redirects the user to the walled-garden they requested initially, storing the token both server-side and, indirectly, in the client-side via the framework session id (things such as
PHPIDcookie key-value pair which identifies asession_start()for PHP websites)
Notice how both the website and the wallet need to communicate in order to establish the authorization needed for the user to access the website.
Any amount of privacy being eroded is bad.
Yeah… Fully agree. And, sadly, this is becoming “normalcy”… ☹
It sounds like you are assuming that the wallet needs to re-validate each session and I don’t see why this would be needed. Each user account would just need to validate their age once then the website operator could store this in their database. If you’ve validated once you can be sure the user keeps being old enough.
@[email protected] @[email protected]
One scenario I can imagine of is an age check from someone who’s still legally a minor (I’m not sure whether the age check would check for minors faces, I can think of platforms intended to minors, e.g. schools and gaming, having to check if the user is not an adult, but it’s just my speculation), who tries again some time later when they’re legally into adulthood. If the token isn’t validated, they’d be stuck into a perpetual “minor” label.
Sure, a token could be not returned by the wallet if the age check fails (i.e. if the user is a minor), but the associated credentials (email, phone number, username) would be tied, database-wise, to a failed age check attempt, and those teens will one day become adults, and a system shouldn’t lock them out forever. Hence the need for re-validation.
Also, depending on how the token is built and stored, it may or may not have an expiration timeout. In computing systems, it’s common practice for tokens and sessions to have an expiration date (just like logged in sessions will eventually log out and ask for logging in again). It’s different from having to do the age check again: it’s simply about renewing the token that identifies someone as adult, someone who already did the age check, with the wallet simply returning the renewed token without demanding the user to go through the age check flow again.
Another scenario: imagine a relative’s phone being pick-pocketed/stolen by the kid during late night, and the kid somehow knows the relative’s password/pin/pattern or even uses the relative’s finger to the biometric sensor to unlock it, all during the relative’s sleep. Then they head into the “forbidden fruit website”, which happens to be accessed by the relative as well, so it means that the website is already authorized with the relative’s wallet. I can see govs foreseeing this situation and requiring that websites always re-validate the authorization before effectively letting the user into the website’s “adult” content.
I believe that it’s specified in the architectural reference framework that it has to re-validate every session, to ensure that the token hasn’t been revoked. I’d be happy to be corrected, though!
@[email protected] @[email protected] @[email protected]
Exactly! This, too. I forgot to mention it in the reply I just sent to SirHaxalot. And given the GDPR “Right to be forgotten”, an authorization must be revocable, so this means an authorization must be re-validated, even if this doesn’t necessarily mean having to go through the age check flow all over again.
Nation states absolutely have the power to erect great firewalls around their internet fiefdoms. But the dark-web also expands. Some minuscule part of the fediverse will be banned to the dark-web i think.
@[email protected] @[email protected]
Countries don’t need Great Firewalls for things that are becoming “consensus” globally (such as biometrics for web access): the way Internet works is, itself, a Great Firewall. Govs govern over their respective ccTLDs, telecom regulators (FCC, Anatel, etc) govern ISPs, as well as EM allocation (so Meshtastic and similar radio approaches for Internet-less networks could also be ruled “unlawful” whenever they want). IANA governs which countries and ISPs got which sets of IP numbers (IPv4/IPv6), ICANN governs TLD attribution to countries and corps (there are corps with their own TLDs, such as .google, ICANN is always involved as the ultimate “DNS keepers”). Then there are things such as CloudFlare, increasingly omnipresent (insofar large swathes of the Web go down whenever CloudFlare goes down). So the Internet is already heavily centralized, making it trivial for countries to enforce something when said thing transcends geographical boundaries, such as the “protect children”.
Great Firewalls are only a thing for imposing local politics, and it’s not always recognized as so: Brazil, for instance, have already been banning apps and platforms (ANATEL have been taking down entire IPTV servers, judiciary have been taking down social media platforms; I’m not entering the merit of it, just saying it’s already a thing around here), and we don’t hear “Brazil has a Great Firewall”.
We could think that corps are implementing checking mechanisms unwillingly. In fact, they’re the ones who profit the most: age checking means a new fingerprinting factor, even when age checking is “anonimized” (it still got a unique session identifier, moreso than commonly-used fingerprinting mechanisms). Ad partners are cheering!
Dark web: as much as I’m fond of it and used to participate there (Onion, I2P, former “Freenet” now “Hyphanet”, among others), they’re also reliant on Internet infrastructure. And when there are fewer countries where there’s still a regulation vacuum, there are fewer places to use as a bridge/router.
Then, something I didn’t mention before because it wouldn’t fit the char limit: the hardware and software oligopolies. No matter which OS and software we use, we’re still reliant on Intel, AMD or Qualcomm processors. We’re also still reliant on two major browser engines (Chromium and Firefox). The Tor Browser needs to be run inside a device with a CPU, and it also needs… a browser engine. Both engines are going down the AI road, maybe browser forks (inc. Tor Browser) are still managing to prune the clankers from the upstream, but the upstream is still needed to implement the fork, and the upstream can easily be bundled with binary blobs as dependencies for fundamental functions in the software (similarly to how, e.g., Windows Shell is dependent on Microsoft Edge so Edge can’t be pruned without crashing the whole OS)
Web is so entangled, it’s becoming increasingly hard to avoid the enshittification. ☹
I don’t think the structure of the fediverse allows it.
Of course that just means if it becomes popular some asshole politician is going to try and ban it.
