This is perhaps a controversial statement from someone who is fed up with all this age verification stuff, but having the user age be set on account creation (without providing ID or anything dumb like that) doesn’t seem that bad. It just feels like a way to standardise parental controls. Instead of having to roll their own age verification stuff, software like Discord can rely on the UserAccountStorage value. If it were possible to plug into a browser in a standard, privacy conscious way, it also reduces the need for third party parental control browser extensions, which I imagine can be a bit sketchy. OSes collect and expose language and locale information anyway. What harm is age bands in addition to that?

I thought similarly that a minimally privacy invasive set up like sending a “I’m over/under 18” signal that didn’t require verifying government ID/live face scans/AI “age approximation” would be a good idea, but I now think that this system would fall over very quickly due to the client and server not being able to trust each other in this environment. The client app, be it browser, chat, game etc, can’t trust that the server it is communicating with isn’t acting nefariously, or is just collecting more data to be used for profiling. An example would be a phishing advert that required a user to “Verify their Discord account”, gets the username and age bracket signal and dumps it into a list that is made available to groomers [1]. Conversely, the server can’t trust that the client is sending accurate information. [2] Even in the proposal linked, it’s a DBUS service that “can be implemented by arbitrary applications as a distro sees fit” - there would be nothing to stop such a DBUS service returning differing age brackets based on the user’s preference or intention. This lack of trust would land us effectively back to “I’m over 18, honest” click throughs that “aren’t enough” for lawmakers currently, and I think there would be a requirement in short order to have “effective age verification at account creation for the age bracket signal” with all the privacy invasive steps we all hate, and securing these client apps to prevent tampering. At best, services wouldn’t trust the age bracket signal and still use those privacy invasive steps, joining the “Do Not Track” header and chocolate teapot for usefulness, and at worst “non verified clients/servers” (ie not Microsoft/Apple/Goolge/Meta/Amazon created) would be prevented from connecting. The allure of the simplicity and minimal impact of the laws is what’s giving this traction, and I think the proposals are just propelling us toward a massive patch of black ice, sloped or otherwise. Having said that, I can’t blame the devs for making an effort here, as it is a law, regardless of how lacking it is. [1] I realise “Won’t someone think of the children!” is massively overused by authoritarians, give me some slack with my example :) [2] Whilst the California/Colorado laws seem to make allowance for “people lie”, this is going to get re-implemented elsewhere without these exemptions.

I can see the slippery slope argument, however it overlooks the fact that countries/states are already willing to implement the non-privacy systems. If these systems take off, it will give privacy advocates the ability to point at California’s system and say “look, they have a system that is as effective as the strong assurance stuff but without the people sending you angry emails.” I see it as almost a “reverse slippry slope”. A way for people to push for less strict verification.