Support us on Patreon
PayPalWe've covered here before on individual US states setting up their own age verification laws, and now a new US Congress bill has been proposed for it. If passed, this would then potentially set it all up to be nation-wide across the entirety of the US.
The bill was introduced on April 13th and has been referred to the US House Committee on Energy and Commerce. It's being sponsored by the Democratic party's Josh Gottheimer, with it being co-sponsored by Republican Elise M. Stefanik so it has bipartisan support.
The current concerning thing - is that the actual bill text doesn't seem to have been provided yet. All we know is the main introduction title of: "To require operating system providers to verify the age of any user of an operating system, and for other purposes".
It could go either way with it simply asking for people to enter their date of birth or more concerning is actual proper verification using some form of ID. The other bit about it being for "other purposes" also leaves me with a rather uneasy feeling. These types of bills we've seen elsewhere are always a first step towards something worse. They all mean less privacy, less freedom, more tracking and a potential for more security problems when things inevitably get leaked somewhere.
This appears to be part of the "Parents Decide Act" announced earlier in April by Gottheimer, as just one step in the process. So expect a lot more to come. Some bullet point plans from it:
- Require operating system developers like Apple and Google to verify users’ ages when setting up a new device, rather than relying on self-reported ages.
- Allow parents to set age-appropriate content controls from the start, including limiting access to social media, apps, and AI platforms.
- Ensure that age and parental settings securely flow to apps and AI platforms, so content is tailored appropriately for children.
- Prevent children from accessing harmful or explicit content — including inappropriate AI chatbot interactions — by creating a consistent, trusted standard across platforms.
Currently, the bill is only in the introductory stage so it hasn't yet passed and become law, so if this is important to you in the US you may want to speak to your representatives.
Article taken from GamingOnLinux.com.
About the author - Liam Dawe
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly checked on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly.
See more from me
See more from me
Some you may have missed, popular articles from the last month:
You can also find comments for this article on social media: All posts need to follow our rules. Please hit the Report Flag icon on any post that breaks the rules or contains illegal / harmful content. Readers can also email us for any issues or concerns.
15 comments
hardpenguin 4 hours ago
This is insane, impractical, and unenforceable under any normal circumstances. What, we want to prevent minors from using technology now? For what purpose? It doesn't make any sense at all.
2 Likes
Liam Dawe 3 hours ago
Updated to add more info.
0 Likes
This is not the job of a government. This is the job of the parents.
This has a very good chance of sliding into a 1984 scenario.
This has a very good chance of sliding into a 1984 scenario.
4 Likes
It could go either way with it simply asking for people to enter their date of birth ...The pro and anti big government politicians in the us seem to have settled on bad government as a compromise.
Silly buggers.
1 Likes
Quoting: tfkThis is not the job of a government. This is the job of the parents.And the article mentions a "parents decide act", which I could theoretically get behind. I don't think it is outside of the governments job to make sure that information and tools are provided by companies to help parents actually parent their children.
Of course this one is .... problematic. It doesn't really take a realistic stance of what operating systems are, what user software is and how things work together. Also giving parents the tools and information is not the same trying to enforce it into everything where it will undoubtedly run into problems of what can technically be achieved.
So again this feels like it was designed by people who's idea of "operating systems" doesn't go beyond phones and tablets.
1 Likes
How do you verify a user's age in a way that doesn't run head-first into a user's human right to privacy? ...okay, I admit, that's a stupid question, infringing on the right to privacy is kind of the point of the bill.
0 Likes
How does this work for servers. Or IOT devices. Or multi-account devices. Or offline devices. Or or or...
Yet another brain dead government proposal from people without a single clue how tech works.
"Think of the children" is simply a dog whistle for "give up your privacy".
Yet another brain dead government proposal from people without a single clue how tech works.
"Think of the children" is simply a dog whistle for "give up your privacy".
2 Likes
Congress too; sad.
On one side I feel smug.
I knew this would come, so for school I'm working on an anonymous and cryptographically secure functioning Age Verification system.
I already have a good design.
In the spoiler is the written down version
The requirements for a privacy respecting arbitrary static property verification system are that:
System abuse and it's prepretators can be detected.
The way it's used isn't detectable to the verifier of the static property.
The identity of the user isn't revealed to the ones who make the uses possible.
The hashsing algorithm I will be using is sha256, because I can assure that ids will be unique and unrelated.
I will be using the proven slow prngs, because the qualtity of this protocol falls and stands with the qualtity of a prng
The verifying party randomly generates n ids.
The verifying party runs each of the id's through the pseudorandom generator and generates (n-1)*p codes based on it.
It divides this set up in (n-1) subsets, one for each other ringmember.
Each of the subsets is labeled with a within the ring shared pseudonym for one of the other ringmembers.
The codes are send to the individual.
After which it's added to a pool of similarly labeled sets of the other ringmembers, here they are pooled together without saving to which member they originally belonged.
In total n*(n-1)*p=np(n-1)=n^2+pn-n-p codes are generated.
For each receiving server a seed is generated by the verifier and each of the codes is hashed with this seed as pepper.
This set of hashes, labeling and the seed is send to the receiving server, but not the original values.
When an individual connects to an age verifying server the server sends its seed and the individual randomly picks a value from the received ones and hashes it with the seed and sends that hash to the age verifying server.
If it matches the received hash with one of the hashes that hash is removed and the age is labeled as verified.
To determine potential abusers of the system the age verifying servers can simply check whether some of the n labeled subsets are getting abnormally underutelized.
If this turns out the system abusers are apperantly the ones in the underutelized sets.
After which not only the abuse, but also the abuser have been identified and appropiate action can be undertaken.
Many of these could involve reporting the abuse to some authority like the verifier.
This authority would need some proof of appropiate conduct at the side of the reporter.
The best I can offer is pseudonymous labeling for the subsets, so the reporter can't know who they reported.
To avoid birthday attacks p should be at least as large as n and probably larger, because accidentally matching a p row isn't a problem, but an n match allows one to blame other people for sharing codes.
p = 1.000.000
(n-1) = 1000
total storage use is
3 8bit bytes par sha256 hash
order can communicate subcatogrisation, since every other user has the same redundancy
n^2+pn-n-p
10^3^2+10^6*10^3-10^3-10^6=10^6+10^9-10^3-10^6=10^9-10^3=1,0000003*10^10
1,000003*10^10*3=3,0000009*10^10
around 10gb usage for the client
the servers store the hashes everybody and the seed, thus around
(n^2+pn-n-p)*n+1
1,0000009^10*10^3+1
is around 10 terabyte par server
On the other side it's stil yet another way to force mass surveilance and monopolistic behavior.
On te EU one can at least force that they fix the "informationless ID" part themselves(lookup dsa age verification), there is good reason to not trust it, but at least they do it themselves without passing the bug to big tech.
The USA just says "be like Microsoft/Amazon/Google", but I don't want and am unable to surveil someone their whole youth.
You might ask how doe age verification force mass surveilance and monopolistic behavior?
The only ways to reliably verify someone's age are through methodically keep record of them since their birth or some very invasive biometric measurements.
Behavioral tests only work on a case by case basis if at all.
I hope it's clear how "keeping records of someone, since birth" is mass surveillance when not done by a semi-trusted party like the government.
Invasive biometric measurement requires hardware changes and access to someone's person, which are once again great angles for mass surveilance and monopolisation.
Also people don't tend to trust many parties with that kind of access making it a monopolization angle(people are right btw)
On one side I feel smug.
I knew this would come, so for school I'm working on an anonymous and cryptographically secure functioning Age Verification system.
I already have a good design.
In the spoiler is the written down version
Spoiler, click me
The requirements for a privacy respecting arbitrary static property verification system are that:
System abuse and it's prepretators can be detected.
The way it's used isn't detectable to the verifier of the static property.
The identity of the user isn't revealed to the ones who make the uses possible.
The hashsing algorithm I will be using is sha256, because I can assure that ids will be unique and unrelated.
I will be using the proven slow prngs, because the qualtity of this protocol falls and stands with the qualtity of a prng
The verifying party randomly generates n ids.
The verifying party runs each of the id's through the pseudorandom generator and generates (n-1)*p codes based on it.
It divides this set up in (n-1) subsets, one for each other ringmember.
Each of the subsets is labeled with a within the ring shared pseudonym for one of the other ringmembers.
The codes are send to the individual.
After which it's added to a pool of similarly labeled sets of the other ringmembers, here they are pooled together without saving to which member they originally belonged.
In total n*(n-1)*p=np(n-1)=n^2+pn-n-p codes are generated.
For each receiving server a seed is generated by the verifier and each of the codes is hashed with this seed as pepper.
This set of hashes, labeling and the seed is send to the receiving server, but not the original values.
When an individual connects to an age verifying server the server sends its seed and the individual randomly picks a value from the received ones and hashes it with the seed and sends that hash to the age verifying server.
If it matches the received hash with one of the hashes that hash is removed and the age is labeled as verified.
To determine potential abusers of the system the age verifying servers can simply check whether some of the n labeled subsets are getting abnormally underutelized.
If this turns out the system abusers are apperantly the ones in the underutelized sets.
After which not only the abuse, but also the abuser have been identified and appropiate action can be undertaken.
Many of these could involve reporting the abuse to some authority like the verifier.
This authority would need some proof of appropiate conduct at the side of the reporter.
The best I can offer is pseudonymous labeling for the subsets, so the reporter can't know who they reported.
To avoid birthday attacks p should be at least as large as n and probably larger, because accidentally matching a p row isn't a problem, but an n match allows one to blame other people for sharing codes.
p = 1.000.000
(n-1) = 1000
total storage use is
3 8bit bytes par sha256 hash
order can communicate subcatogrisation, since every other user has the same redundancy
n^2+pn-n-p
10^3^2+10^6*10^3-10^3-10^6=10^6+10^9-10^3-10^6=10^9-10^3=1,0000003*10^10
1,000003*10^10*3=3,0000009*10^10
around 10gb usage for the client
the servers store the hashes everybody and the seed, thus around
(n^2+pn-n-p)*n+1
1,0000009^10*10^3+1
is around 10 terabyte par server
On the other side it's stil yet another way to force mass surveilance and monopolistic behavior.
On te EU one can at least force that they fix the "informationless ID" part themselves(lookup dsa age verification), there is good reason to not trust it, but at least they do it themselves without passing the bug to big tech.
The USA just says "be like Microsoft/Amazon/Google", but I don't want and am unable to surveil someone their whole youth.
Spoiler, click me
You might ask how doe age verification force mass surveilance and monopolistic behavior?
The only ways to reliably verify someone's age are through methodically keep record of them since their birth or some very invasive biometric measurements.
Behavioral tests only work on a case by case basis if at all.
I hope it's clear how "keeping records of someone, since birth" is mass surveillance when not done by a semi-trusted party like the government.
Invasive biometric measurement requires hardware changes and access to someone's person, which are once again great angles for mass surveilance and monopolisation.
Also people don't tend to trust many parties with that kind of access making it a monopolization angle(people are right btw)
0 Likes
English is not my strong side. I am aware verify could mean check, so maybe OS been forced to check how old are users - not just asks.
0 Likes
Idea seems to not be that bad as many people told. Currently there is no mechanism to check age in many places, but should. But any other implementation than field in passwd is bad. Of course - there should been an options to put X into this field, meaning no information, so give full access.
0 Likes
Quoting: hardpenguinThis is insane, impractical, and unenforceable under any normal circumstances. What, we want to prevent minors from using technology now? For what purpose? It doesn't make any sense at all.For what purpose once can speculate, all we know is that this is due to lobbying from Meta who have spent over $2bn on lobbying efforts for this specifically.
0 Likes
UltraViolet 1 hour ago
Quoting: F.UltraWho can then continue to abuse their users, as age-gating will not be in their control (how convenient)Quoting: hardpenguinThis is insane, impractical, and unenforceable under any normal circumstances. What, we want to prevent minors from using technology now? For what purpose? It doesn't make any sense at all.For what purpose once can speculate, all we know is that this is due to lobbying from Meta who have spent over $2bn on lobbying efforts for this specifically.
0 Likes
So first you've got to define operating system in such a way that it doesn't include half the devices in your house.. (before you can press this doorbell you need to present your passport for verification).
Then you've got to define it so it doesn't make business completely unviable. You're going to make linux illegal?
Then given that narrow definition, if you can even do that, you've got to deal with all the thousands of edge cases..
There *are* solutions coming, like verification apps where the data stays on your device and simply provides attestation that you're over 18, that don't require ham fisted legislation like this. But with lawmakers being typically 80+ they don't understand the problem enough to wait for it.
Then you've got to define it so it doesn't make business completely unviable. You're going to make linux illegal?
Then given that narrow definition, if you can even do that, you've got to deal with all the thousands of edge cases..
There *are* solutions coming, like verification apps where the data stays on your device and simply provides attestation that you're over 18, that don't require ham fisted legislation like this. But with lawmakers being typically 80+ they don't understand the problem enough to wait for it.
0 Likes
Quoting: TonyHoyleSo first you've got to define operating system in such a way that it doesn't include half the devices in your house.. (before you can press this doorbell you need to present your passport for verification).They're gonna do only the first part.
Then you've got to define it so it doesn't make business completely unviable. You're going to make linux illegal?
Then given that narrow definition, if you can even do that, you've got to deal with all the thousands of edge cases..
There *are* solutions coming, like verification apps where the data stays on your device and simply provides attestation that you're over 18, that don't require ham fisted legislation like this. But with lawmakers being typically 80+ they don't understand the problem enough to wait for it.
The amount of doorbells visiting porn sites'll grow explosively.
0 Likes
mr-victory 45 minutes ago
Quoting: F.UltraSource for the curious:Quoting: hardpenguinThis is insane, impractical, and unenforceable under any normal circumstances. What, we want to prevent minors from using technology now? For what purpose? It doesn't make any sense at all.For what purpose once can speculate, all we know is that this is due to lobbying from Meta who have spent over $2bn on lobbying efforts for this specifically.
https://old.reddit.com/r/linux/comments/1rshc1f/i_traced_2_billion_in_nonprofit_grants_and_45/
1 Likes
How to setup OpenMW for modern Morrowind on Linux / SteamOS and Steam Deck
How to install Hollow Knight: Silksong mods on Linux, SteamOS and Steam Deck