US States enforcing new age verification for adult content—how could this be done properly?

@technology

Seeing the news about Utah and Virginia over in the US, there’s been a lot of discourse about how unsafe it is to submit government ID online. Even the states that have their own age-verification portals are likely to introduce a lot of risk of leaks, phishing, and identity theft.

My interest, however, focused on this as an interesting technical and legislative problem. How _could_ a government impose age-verification control in a better way?

My first thought would be to legislate the inclusion of some sort of ISP-level middleware. Any time a user tried to access a site on the government-provided list of adult content, they’d need to simply authenticate with their ISP web credentials.

Parents could give their children access to the internet at home or via cellular networks knowing this would block access to adult content, and adults without children could log in to their ISP portal and opt out of this feature.

As much as I think these types of blocks aren’t particularly effective—kids will pretty quickly figure out how to use a VPN—I think a scheme like mine would be at least _as effective_ as the one the governments have mandated without adding any new risk to users.

What do you all think? Are any of you from these states or other regions where some sort of age-restriction is enforced? How does this work where you are from?

Edit:

Using a simple captive portal—just like the ones on public wifi—would probably be the simplest way to accomplish this. It’s relatively low friction to the end-user, most web browsers will deal with the redirect cleanly despite the TLS cert issues, and it requires no collection of any new PII.

Also, I don’t think these types of filters are useful or worth legislating, I’m just looking at ways to implement them without harming security or privacy.

  • sylver_dragon
    1 year ago

    I’d preface this by saying the idea is bad and the legislators passing such laws should be voted out.
    That said, looking at it from purely a technology point of view, it’s going to be difficult to implement in a secure and privacy preserving fashion. At minimum, there needs to be some sort of third party trust site where an adult site operator can validate age requests. In order to preserve privacy, this will need to operate via hashes and challenges which prevent either the adult website operator or the trust provider from marrying up user and usage data.
    To spitball it:

    1. All internet users are required to register with a third-party trust site (Trust Site).
      1a. Because any sort of profit motive would make this site untrustworthy, this probably has to be a government run site.
      1b. By law, the site would be forbidden from collecting or retaining logs or metadata of requests.
      1c. By law the site would be exempt from all wiretap requests including by law enforcement and security agencies. Violations would need to be pursued and punished very harshly. Which is one reason this whole thing is a Bad Idea™. Enforcement would never happen.
    2. When a user visits any website (not just adult websites), the site sends a random nonce to the browser.
      2a. The nonce would be tied to the session via a session cookie.
      2b. The nonce is purely random with no site identifying information.
    3. The user’s web browser communicates this nonce to the Trust Site along with the user’s credentials.
      3a. Nothing else is ever transmitted to the Trust Site. Just the nonce and credentials.
    4. The Trust Server validates the credentials and appends a single bit to the nonce (Response).
      4a. A 1 means “is adult”, a 0 means “is not adult” (Adult Bit).
    5. The Trust Server digitally signs the Response with its private key.
      5a. The Trust Site’s public key is publicly available and expected to be cached by all websites.
    6. The Trust Server sends the Response back to the user’s browser.
    7. The user’s browser sends the Response back to the website.
    8. The website validates the digital signature on the Response.
    9. The website provides/denies content based on the Adult Bit in the Response.

    As I said, this is just a spitball and probably has holes/problems. But, it is an attempt to look at the issue constructively.
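
The nonce-and-signed-response exchange from steps 2 to 9 of the comment above, as an added Go example that is not part of the original thread. Ed25519 as the signature scheme, the 32-byte nonce and the function names are assumptions; the credential check in step 4 is represented only by the `isAdult` argument.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

const nonceLen = 32 // assumed nonce size; the post does not specify one

// Step 2: the website issues a purely random nonce and stores it with the session.
func newNonce() []byte {
	n := make([]byte, nonceLen)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// Steps 4-5: after checking credentials (not modelled; isAdult is its result),
// the Trust Site appends the Adult Bit and signs nonce||bit.
func trustSign(priv ed25519.PrivateKey, nonce []byte, isAdult bool) (resp, sig []byte) {
	resp = append(append([]byte{}, nonce...), 0)
	if isAdult {
		resp[len(nonce)] = 1
	}
	return resp, ed25519.Sign(priv, resp)
}

// Steps 8-9: verify the signature with the cached public key, confirm the nonce
// is the one issued for this session (step 2a), then read the Adult Bit.
func siteVerify(pub ed25519.PublicKey, sessionNonce, resp, sig []byte) (bool, error) {
	if len(resp) != nonceLen+1 || !ed25519.Verify(pub, resp, sig) {
		return false, errors.New("bad length or signature")
	}
	if !bytes.Equal(resp[:nonceLen], sessionNonce) {
		return false, errors.New("nonce not issued to this session")
	}
	return resp[nonceLen] == 1, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	nonce := newNonce()
	resp, sig := trustSign(priv, nonce, true)
	adult, err := siteVerify(pub, nonce, resp, sig)
	fmt.Println("adult:", adult, "err:", err)
}
```

Because the Adult Bit is inside the signed message, changing it after signing invalidates the signature, and because the site compares the nonce with the one stored for the session, a Response obtained for one session is rejected in another.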

    • @[email protected]
      1 year ago

      > secure and privacy preserving fashion

      If a local government mandates age verification with no implementation, there’s no way we’ll get either security or privacy unfortunately.

      With the huge amount of adult material out there, I doubt a technological solution exists to this problem, and it ultimately requires that parents communicate with their children.