US States enforcing new age verification for adult content—how could this be done properly?

@technology

Seeing the news about Utah and Virginia over in the US, there’s been a lot of discourse about how unsafe it is to submit government ID online. Even the states that have their own age-verification portals are likely to introduce a lot of risk of leaks, phishing, and identity theft.

My interest, however, focused on this as an interesting technical and legislative problem. How _could_ a government impose age-verification control in a better way?

My first thought would be to legislate the inclusion of some sort of ISP-level middleware. Any time a user tried to access a site on the government provided list of adult content, they’d need to simply authenticate with their ISP web credentials.

Parents could give their children access to the internet at home or via cellular networks knowing this would block access to adult content and adults without children could login to their ISP portal and opt-out of this feature.

As much as I think these types of blocks aren’t particularly effective—kids will pretty quickly figure out how to use a VPN—I think a scheme like mine would be at least _as effective_ as the one the governments have mandated without adding any new risk to users.

What do you all think? Are any of you from these states or other regions where some sort of age-restriction is enforced? How does this work where you are from?

Edit:

Using a simple captive portal—just like the ones on public wifi—would probably be the simplest way to accomplish this. It’s relatively low friction to the end-user, most web browsers will deal with the redirect cleanly despite the TLS cert issues, and it requires no collection of any new PII.

Also, I don’t think these types of filters are useful or worth legislating, I’m just looking at ways to implement them without harming security or privacy.

  • Jeff@social.rights.ninjaOP
    link
    fedilink
    arrow-up
    1
    ·
    1 year ago

    No, they wouldn’t get any additional information about who is viewing content. There would be a single login used by adults. What information would that provide to them that they don’t already know?

    As for a kid slipping in and watching porn on a shared computer immediately after an adult, it would be possible but not likely. My suggestion in a previous post is something like a 5-10 minutes timeout after traffic to an unblocked site stops. Adults would just have to avoid using shared computers for porn in situations where children might be using it immediately afterwards.

    Also, remember that this isn’t meant to be—and could never be—a perfect solution. It’s meant to tick a box for right-wing politicians who want to say that the government is doing due diligence in reducing something they see as a problem.

    • BlameThePeacock
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      Anything from your ISP to log into porn leaves a trace even if they aren’t recording which site you visited, and if you only have to do it for porn, that means they know exactly when you’re using it. That’s a privacy violation and information they shouldn’t have. If that data gets leaked, people could lose their spouses, friendships, and even their jobs.

      You are seriously out of touch if you don’t think shared computers exist and are common. A large portion of the population doesn’t have the wealth for dedicated machines.

      • Jeff@social.rights.ninjaOP
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        1 year ago

        I certainly never said that shared computers don’t exist. What I said was that a session timeout could be used to make it unlikely that a child could access adult content after an adult did.

        You’re correct in saying that the system would be imperfect, but I think it’s a worthwhile tradeoff in order to get rid of ID checks which are more invasive and more dangerous. Remember, I’m not advocating for porn blockers, I’m just trying to prove that it can be done without invasive ID checks.

        As for ISPs getting information, what information would they haven’t that they don’t already have? Unless you use a VPN your ISP already knows every IP you connect to—and in a default configuration they probably also know all your DNS lookups—and if you _do_ use a VPN then you’re just shifting that information over to your VPN provider.