Jakub

@wwahammy As I'm reading more on this, it looks like there are different models of implementing this. Policies in California seems to be different than what is proposed by the EU. If the OS or app let's you hold a certificate that you are an adult (just a binary information) and you can agree to provide it when requested, that seems reasonable. If you have an OS providing an age bracket of the user in the background without consent - that is crazy.

@JonnyT @wwahammy I share a lot of the concerns brought up. I'm just saying this does not give a potential attacker a way to be certain that anyone is underage. They can only be certain a user is an adult (if that user decided to confirm). My understanding is the system does not share the actual age, it shares a certificate confirming the user is above an age limit. An underage will simply not be able to provide such a certificate, making them appear just as those who refuse to provide one.

@wwahammy Why would the OS advertise the age status of the user without explicit approval from the user? From the perspective of the app/website you can only tell that the user is an adult if they agreed to confirm their age, or that their status is unknown if they did not confirm their age.