US States enforcing new age verification for adult content—how could this be done properly?

@technology

Seeing the news about Utah and Virginia over in the US, there’s been a lot of discourse about how unsafe it is to submit government ID online. Even the states that have their own age-verification portals are likely to introduce a lot of risk of leaks, phishing, and identity theft.

My interest, however, focused on this as an interesting technical and legislative problem. How _could_ a government impose age-verification control in a better way?

My first thought would be to legislate the inclusion of some sort of ISP-level middleware. Any time a user tried to access a site on the government provided list of adult content, they’d need to simply authenticate with their ISP web credentials.

Parents could give their children access to the internet at home or via cellular networks knowing this would block access to adult content and adults without children could login to their ISP portal and opt-out of this feature.

As much as I think these types of blocks aren’t particularly effective—kids will pretty quickly figure out how to use a VPN—I think a scheme like mine would be at least _as effective_ as the one the governments have mandated without adding any new risk to users.

What do you all think? Are any of you from these states or other regions where some sort of age-restriction is enforced? How does this work where you are from?

Edit:

Using a simple captive portal—just like the ones on public wifi—would probably be the simplest way to accomplish this. It’s relatively low friction to the end-user, most web browsers will deal with the redirect cleanly despite the TLS cert issues, and it requires no collection of any new PII.

Also, I don’t think these types of filters are useful or worth legislating, I’m just looking at ways to implement them without harming security or privacy.

  • @average650
    link
    12 years ago

    This still introduces ways for identities to be stolen, albeit in a different way.

    The better way is to separate the method of checking identity for credit from these identity checks completely.

    • JeffOP
      link
      fedilink
      12 years ago

      My scheme doesn’t require any identity information to be provided by the user.

      The ISP already has PII, but that’s a risk that already exists today.

      • @average650
        link
        12 years ago

        Then how can we tell the difference between an adult and a child in the house? The entire connection will just be banned.

        • JeffOP
          link
          fedilink
          12 years ago

          It can’t tell the difference between an adult and a child but only the adult would have access to the ISP account credentials.

          You’re right that, using a simple captive portal system, there’s no way to differentiate between devices on the local network, but if each session is short enough that’s not too big of a deal.

          Let’s say it requires reauthentication for each different domain and a domain will stay unblocked for only 5 minutes after traffic to that site stops.

          It’s imperfect, but _any_ system is going to be imperfect. I’m inclined to optimize for low friction for users and no additional PII being sent.

          • JeffOP
            link
            fedilink
            12 years ago

            It would also remain very simple for mobile connections, which I think is a major area of concern for the parents pushing for these laws.