Skip to content

Piero Bosio Social Web Site Personale Logo Fediverso

Social Forum federato con il resto del mondo. Non contano le istanze, contano le persone
  1. Home
  2. Categories
  3. Uncategorized
  4. So, I have actually read the text of California law CA AB1043 and, honestly, I don't hate it.

So, I have actually read the text of California law CA AB1043 and, honestly, I don't hate it.

Uncategorized
85 56 1
  • not2b@sfba.socialundefined not2b@sfba.social

    @pinepotpourri @david_chisnall It goes beyond that. Maybe a parent shouldn't have absolute control of their kids. Maybe they shouldn't be able to prevent their LGBT child from finding out that they aren't monstrous freaks, all alone in the world, and there are others like them, living happy lives, just to give one example.

    pinepotpourri@mastodon.socialundefined

    @not2b Honestly yes, but without precautions, children can be put into far more danger than just "who am I?," as a gay I understand what you mean but I also feel that self confidence comes from the soul, not from those around you?

    0
  • nolitimere@toot.walesundefined nolitimere@toot.wales

    @drahardja @david_chisnall What about devices that have more than one user? E.g. Library computers, or family laptops, or “smart” home appliances?

    drahardja@sfba.socialundefined

    @nolitimere @david_chisnall Yep. What about kiosks?

    0
  • pemensik@fosstodon.orgundefined pemensik@fosstodon.org

    @drahardja @david_chisnall nope, I don't think we have something similar. What can stop 13 years old kid to create a new account parent doesn't even know about? Can Windows or Android prevent that? Can non-IT parent configure it? I don't think so.

    drahardja@sfba.socialundefined

    @pemensik And how does this law change that?

    The “parental controls” that exist today provides the same level of restriction as this law with less burden and fewer privacy issues.

    pemensik@fosstodon.orgundefined 2 Replies
    0
  • david_chisnall@infosec.exchangeundefined david_chisnall@infosec.exchange

    So, I have actually read the text of California law CA AB1043 and, honestly, I don't hate it. It requires operating systems to let you enter a date when you create a user account and requires a way for software to get a coarse-grained approximation of this that says either 'over 18' or one of three age ranges of under-18s. Importantly, it doesn't require:

    • Remote attestation.
    • Tamper-proof storage of the age.
    • Any validation in the age.

    In short, it's a tool for parents: it allows you to set the age of a child's account so that apps (including web browsers, which can then expose via JavaScript or whatever) can ask questions about what features they should expose.

    In a UNIX-like system, this is easy to do, with a tiny amount of new userspace things:

    • Define four groups for the four age ranges (ideally, standardise their names!).
    • Add a /etc/user_birthdays file (or whatever name it is) that stores pairs of username (or uid) and birthdays.
    • Add a daily cron job that checks the above file and updates group membership.
    • Modify user-add scripts / GUIs to create an entry in the above file.
    • Add a tool to create an entry in the above file for existing user accounts.

    This doesn't require any kernel changes. Any process can query the set of groups that the user is in already.

    If a parent wants to give their child root, they can update the file and bypass the check. And that's fine, that's a parent's choice. And that's what I want.

    I like this approach far more than things that require users to provide scans of passports and other toxically personal information to be able to use services. If we had this feature, then the Online Safety Act could simply require that web browsers provide a JavaScript API to query the age bracket and didn't work unless it returned 'over 18'.

    imrehg@fosstodon.orgundefined

    @david_chisnall nope

    0
  • david_chisnall@infosec.exchangeundefined david_chisnall@infosec.exchange

    So, I have actually read the text of California law CA AB1043 and, honestly, I don't hate it. It requires operating systems to let you enter a date when you create a user account and requires a way for software to get a coarse-grained approximation of this that says either 'over 18' or one of three age ranges of under-18s. Importantly, it doesn't require:

    • Remote attestation.
    • Tamper-proof storage of the age.
    • Any validation in the age.

    In short, it's a tool for parents: it allows you to set the age of a child's account so that apps (including web browsers, which can then expose via JavaScript or whatever) can ask questions about what features they should expose.

    In a UNIX-like system, this is easy to do, with a tiny amount of new userspace things:

    • Define four groups for the four age ranges (ideally, standardise their names!).
    • Add a /etc/user_birthdays file (or whatever name it is) that stores pairs of username (or uid) and birthdays.
    • Add a daily cron job that checks the above file and updates group membership.
    • Modify user-add scripts / GUIs to create an entry in the above file.
    • Add a tool to create an entry in the above file for existing user accounts.

    This doesn't require any kernel changes. Any process can query the set of groups that the user is in already.

    If a parent wants to give their child root, they can update the file and bypass the check. And that's fine, that's a parent's choice. And that's what I want.

    I like this approach far more than things that require users to provide scans of passports and other toxically personal information to be able to use services. If we had this feature, then the Online Safety Act could simply require that web browsers provide a JavaScript API to query the age bracket and didn't work unless it returned 'over 18'.

    randamumaki@mstdn.socialundefined

    @david_chisnall Or just don't start adding unneeded user verification processes. There's nothing more needed than a UID and a way for them to secure their account themselves using systems they themselves have control over, and none of that requires any form of PID. Least of all their age.

    0
  • david_chisnall@infosec.exchangeundefined david_chisnall@infosec.exchange

    So, I have actually read the text of California law CA AB1043 and, honestly, I don't hate it. It requires operating systems to let you enter a date when you create a user account and requires a way for software to get a coarse-grained approximation of this that says either 'over 18' or one of three age ranges of under-18s. Importantly, it doesn't require:

    • Remote attestation.
    • Tamper-proof storage of the age.
    • Any validation in the age.

    In short, it's a tool for parents: it allows you to set the age of a child's account so that apps (including web browsers, which can then expose via JavaScript or whatever) can ask questions about what features they should expose.

    In a UNIX-like system, this is easy to do, with a tiny amount of new userspace things:

    • Define four groups for the four age ranges (ideally, standardise their names!).
    • Add a /etc/user_birthdays file (or whatever name it is) that stores pairs of username (or uid) and birthdays.
    • Add a daily cron job that checks the above file and updates group membership.
    • Modify user-add scripts / GUIs to create an entry in the above file.
    • Add a tool to create an entry in the above file for existing user accounts.

    This doesn't require any kernel changes. Any process can query the set of groups that the user is in already.

    If a parent wants to give their child root, they can update the file and bypass the check. And that's fine, that's a parent's choice. And that's what I want.

    I like this approach far more than things that require users to provide scans of passports and other toxically personal information to be able to use services. If we had this feature, then the Online Safety Act could simply require that web browsers provide a JavaScript API to query the age bracket and didn't work unless it returned 'over 18'.

    natalie@nya.socialundefined
    @david_chisnall@infosec.exchange Oh man
    0
  • pwloftus@pwl.farted.netundefined pwloftus@pwl.farted.net

    @drahardja @david_chisnall Tizen OS - a Linux based OS by Samsung.

    Hold on, need to verify my age so I can open my fridge and drink my Mountain Dew Verification can before losing access to my devices.

    txtx@mastodon.socialundefined

    @pwloftus Is this the straw man engineering department? ;)

    @drahardja@sfba.social @david_chisnall

    pwloftus@pwl.farted.netundefined 1 Reply
    0
  • avuko@infosec.exchangeundefined avuko@infosec.exchange

    @david_chisnall nice feature to have in an OS. Not so nice feature to have because of a law.

    qgustavor@urusai.socialundefined

    @avuko @david_chisnall
    Nice feature to be a web standard so parents can block adult websites easier (of course, sure, I know from experience, children will find bypasses) and for adults not to have to answer for the 1000th time that they are adults just to check a Steam page or something like this.
    But not a law.

    0
  • drahardja@sfba.socialundefined drahardja@sfba.social

    @david_chisnall So I also read the text https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260AB1043

    I have MANY issues with how poorly defined many of the terms are in the document (e.g. is a website an “application”?), and how it still holds developers liable for verifying the provided age information (“internal clear and convincing information…that a user’s age is different”), but…

    The part that to me implies implementation is that there is no leeway for the OS to *under*-report the account’s age group, e.g. reporting that a user is younger than they actually are—strictly, they are liable for civil penalties either way. This implies that the OS *must* collect the user’s date of birth and store it somewhere, and derive the age bracket from that date on a daily basis (like your algorithm says). This means that it’s not enough for a parent to set up an account as “13–16 years old” and leave it at that forever.

    IMO the fact that the OS *must* collect a child’s birthdate to comply is an erosion of privacy.

    ieure@retro.socialundefined

    @drahardja @david_chisnall Also, "coarse-grained" is nothing but theater. Frequently visited sites can determine a child's exact birth date by noticing when the API changes from returning "under 13" to "between 13 and 16."

    ids1024@mathstodon.xyzundefined 1 Reply
    0
  • david_chisnall@infosec.exchangeundefined david_chisnall@infosec.exchange

    So, I have actually read the text of California law CA AB1043 and, honestly, I don't hate it. It requires operating systems to let you enter a date when you create a user account and requires a way for software to get a coarse-grained approximation of this that says either 'over 18' or one of three age ranges of under-18s. Importantly, it doesn't require:

    • Remote attestation.
    • Tamper-proof storage of the age.
    • Any validation in the age.

    In short, it's a tool for parents: it allows you to set the age of a child's account so that apps (including web browsers, which can then expose via JavaScript or whatever) can ask questions about what features they should expose.

    In a UNIX-like system, this is easy to do, with a tiny amount of new userspace things:

    • Define four groups for the four age ranges (ideally, standardise their names!).
    • Add a /etc/user_birthdays file (or whatever name it is) that stores pairs of username (or uid) and birthdays.
    • Add a daily cron job that checks the above file and updates group membership.
    • Modify user-add scripts / GUIs to create an entry in the above file.
    • Add a tool to create an entry in the above file for existing user accounts.

    This doesn't require any kernel changes. Any process can query the set of groups that the user is in already.

    If a parent wants to give their child root, they can update the file and bypass the check. And that's fine, that's a parent's choice. And that's what I want.

    I like this approach far more than things that require users to provide scans of passports and other toxically personal information to be able to use services. If we had this feature, then the Online Safety Act could simply require that web browsers provide a JavaScript API to query the age bracket and didn't work unless it returned 'over 18'.

    arcayr@gts.mischief.expertundefined

    @david_chisnall systemd-birthdayd :^)

    0
  • txtx@mastodon.socialundefined txtx@mastodon.social

    @pwloftus Is this the straw man engineering department? ;)

    @drahardja@sfba.social @david_chisnall

    pwloftus@pwl.farted.netundefined

    @txtx @david_chisnall It’s the Reduced Absurdity Dept. The Staw Men are down the hall ;)

    0
  • david_chisnall@infosec.exchangeundefined david_chisnall@infosec.exchange

    So, I have actually read the text of California law CA AB1043 and, honestly, I don't hate it. It requires operating systems to let you enter a date when you create a user account and requires a way for software to get a coarse-grained approximation of this that says either 'over 18' or one of three age ranges of under-18s. Importantly, it doesn't require:

    • Remote attestation.
    • Tamper-proof storage of the age.
    • Any validation in the age.

    In short, it's a tool for parents: it allows you to set the age of a child's account so that apps (including web browsers, which can then expose via JavaScript or whatever) can ask questions about what features they should expose.

    In a UNIX-like system, this is easy to do, with a tiny amount of new userspace things:

    • Define four groups for the four age ranges (ideally, standardise their names!).
    • Add a /etc/user_birthdays file (or whatever name it is) that stores pairs of username (or uid) and birthdays.
    • Add a daily cron job that checks the above file and updates group membership.
    • Modify user-add scripts / GUIs to create an entry in the above file.
    • Add a tool to create an entry in the above file for existing user accounts.

    This doesn't require any kernel changes. Any process can query the set of groups that the user is in already.

    If a parent wants to give their child root, they can update the file and bypass the check. And that's fine, that's a parent's choice. And that's what I want.

    I like this approach far more than things that require users to provide scans of passports and other toxically personal information to be able to use services. If we had this feature, then the Online Safety Act could simply require that web browsers provide a JavaScript API to query the age bracket and didn't work unless it returned 'over 18'.

    m3ow@bark.lgbtundefined

    @david_chisnall this seems to infringe on the rights of children who don't want to be identified as a child? And this also perpetuates power imbalances as a parent can limit what the child does. I disagree with this post and wish the worst on you. I am sending you an immense amount of negative energy now

    0
  • jeramee@mastodon.socialundefined jeramee@mastodon.social

    @david_chisnall

    Kids are smart enough to get around age limits. Many parents don't understand tech enough to set them up correctly to begin with.

    When lawmakers realize this doesn't really help in a few years, they will then demand that we begin uploading ID's. It'll be a small step since so many readily capitulated with the OS intrusion.

    Honestly, our gov't supports genocide, illegal wars, and protects child abusers instead of prosecuting them. Why trust them?

    nicolas17@social.treehouse.systemsundefined

    @Jeramee @david_chisnall The government that made this age-range law is not the same government that started illegal wars.

    0
  • nicolas17@social.treehouse.systemsundefined nicolas17@social.treehouse.systems

    @Jeramee @david_chisnall The government that made this age-range law is not the same government that started illegal wars.

    andres4ny@social.ridetrans.itundefined

    @nicolas17 @Jeramee @david_chisnall Are you kidding?

    0
  • andres4ny@social.ridetrans.itundefined andres4ny@social.ridetrans.it

    @nicolas17 @Jeramee @david_chisnall Are you kidding?

    nicolas17@social.treehouse.systemsundefined

    @Andres4NY state vs federal?

    0
  • nicolas17@social.treehouse.systemsundefined nicolas17@social.treehouse.systems

    @Andres4NY state vs federal?

    andres4ny@social.ridetrans.itundefined

    @nicolas17 Have you seen who is the governor of the state that is proposing this? Have you seen who was AG of that state for half a decade (starting around 2011) who openly supported genocide? Both parties have happily supported the Epstein class. Pretending that there's some vast difference between the feds and states when it comes to this stuff is pretty wishful thinking.

    0
  • david_chisnall@infosec.exchangeundefined david_chisnall@infosec.exchange

    So, I have actually read the text of California law CA AB1043 and, honestly, I don't hate it. It requires operating systems to let you enter a date when you create a user account and requires a way for software to get a coarse-grained approximation of this that says either 'over 18' or one of three age ranges of under-18s. Importantly, it doesn't require:

    • Remote attestation.
    • Tamper-proof storage of the age.
    • Any validation in the age.

    In short, it's a tool for parents: it allows you to set the age of a child's account so that apps (including web browsers, which can then expose via JavaScript or whatever) can ask questions about what features they should expose.

    In a UNIX-like system, this is easy to do, with a tiny amount of new userspace things:

    • Define four groups for the four age ranges (ideally, standardise their names!).
    • Add a /etc/user_birthdays file (or whatever name it is) that stores pairs of username (or uid) and birthdays.
    • Add a daily cron job that checks the above file and updates group membership.
    • Modify user-add scripts / GUIs to create an entry in the above file.
    • Add a tool to create an entry in the above file for existing user accounts.

    This doesn't require any kernel changes. Any process can query the set of groups that the user is in already.

    If a parent wants to give their child root, they can update the file and bypass the check. And that's fine, that's a parent's choice. And that's what I want.

    I like this approach far more than things that require users to provide scans of passports and other toxically personal information to be able to use services. If we had this feature, then the Online Safety Act could simply require that web browsers provide a JavaScript API to query the age bracket and didn't work unless it returned 'over 18'.

    vint@mastodon.mlundefined

    @david_chisnall This shouldn't be allowed, as it creates a precident to intrude more into our peaceful lives. Fascism is sickening.

    0
  • david_chisnall@infosec.exchangeundefined david_chisnall@infosec.exchange

    So, I have actually read the text of California law CA AB1043 and, honestly, I don't hate it. It requires operating systems to let you enter a date when you create a user account and requires a way for software to get a coarse-grained approximation of this that says either 'over 18' or one of three age ranges of under-18s. Importantly, it doesn't require:

    • Remote attestation.
    • Tamper-proof storage of the age.
    • Any validation in the age.

    In short, it's a tool for parents: it allows you to set the age of a child's account so that apps (including web browsers, which can then expose via JavaScript or whatever) can ask questions about what features they should expose.

    In a UNIX-like system, this is easy to do, with a tiny amount of new userspace things:

    • Define four groups for the four age ranges (ideally, standardise their names!).
    • Add a /etc/user_birthdays file (or whatever name it is) that stores pairs of username (or uid) and birthdays.
    • Add a daily cron job that checks the above file and updates group membership.
    • Modify user-add scripts / GUIs to create an entry in the above file.
    • Add a tool to create an entry in the above file for existing user accounts.

    This doesn't require any kernel changes. Any process can query the set of groups that the user is in already.

    If a parent wants to give their child root, they can update the file and bypass the check. And that's fine, that's a parent's choice. And that's what I want.

    I like this approach far more than things that require users to provide scans of passports and other toxically personal information to be able to use services. If we had this feature, then the Online Safety Act could simply require that web browsers provide a JavaScript API to query the age bracket and didn't work unless it returned 'over 18'.

    twipped@twipped.socialundefined

    @david_chisnall Does this law only apply to desktop OSes? I fail to see why my NAS needs an age api.

    0
  • david_chisnall@infosec.exchangeundefined david_chisnall@infosec.exchange

    So, I have actually read the text of California law CA AB1043 and, honestly, I don't hate it. It requires operating systems to let you enter a date when you create a user account and requires a way for software to get a coarse-grained approximation of this that says either 'over 18' or one of three age ranges of under-18s. Importantly, it doesn't require:

    • Remote attestation.
    • Tamper-proof storage of the age.
    • Any validation in the age.

    In short, it's a tool for parents: it allows you to set the age of a child's account so that apps (including web browsers, which can then expose via JavaScript or whatever) can ask questions about what features they should expose.

    In a UNIX-like system, this is easy to do, with a tiny amount of new userspace things:

    • Define four groups for the four age ranges (ideally, standardise their names!).
    • Add a /etc/user_birthdays file (or whatever name it is) that stores pairs of username (or uid) and birthdays.
    • Add a daily cron job that checks the above file and updates group membership.
    • Modify user-add scripts / GUIs to create an entry in the above file.
    • Add a tool to create an entry in the above file for existing user accounts.

    This doesn't require any kernel changes. Any process can query the set of groups that the user is in already.

    If a parent wants to give their child root, they can update the file and bypass the check. And that's fine, that's a parent's choice. And that's what I want.

    I like this approach far more than things that require users to provide scans of passports and other toxically personal information to be able to use services. If we had this feature, then the Online Safety Act could simply require that web browsers provide a JavaScript API to query the age bracket and didn't work unless it returned 'over 18'.

    zeus@shitpost.poridge.clubundefined

    @david_chisnall@infosec.exchange
    Я это вижу так, что в системе просто должен быть какой-то файлик, который будет хранить мою дату рождения, и все приложения смогут обратиться к этому файлику просто чтобы не спрашивать меня, есть ли мне 18. Условно, захожу я на страницу игры в Steam, на сайт секс-шопа, на страницу фильма с рейтингом 18+ на сайте кинотеатра. Я не хочу каждый раз вводить дату своего рождения. Будет удобно, если это можно будет как-то автоматизировать. Но опять же, я не вижу причины, почему это должно быть делом государства. Это задача инженерная, а не юридическая.

    0
  • ieure@retro.socialundefined ieure@retro.social

    @drahardja @david_chisnall Also, "coarse-grained" is nothing but theater. Frequently visited sites can determine a child's exact birth date by noticing when the API changes from returning "under 13" to "between 13 and 16."

    ids1024@mathstodon.xyzundefined

    @ieure @drahardja @david_chisnall Which makes it probably irresponsible for a parent to provide their child's real birth-date into this field that may be leaked to arbitrary untrusted parties.

    ieure@retro.socialundefined 1 Reply
    0
Log in to reply

Feed RSS
So, I have actually read the text of California law CA AB1043 and, honestly, I don't hate it.

Gli ultimi otto messaggi ricevuti dalla Federazione
@pierobosio@soc.bosio.info
Post suggeriti