US States enforcing new age verification for adult content—how could this be done properly?
Seeing the news about Utah and Virginia over in the US, there’s been a lot of discourse about how unsafe it is to submit government ID online. Even the states that have their own age-verification portals are likely to introduce a lot of risk of leaks, phishing, and identity theft.
My interest, however, focused on this as an interesting technical and legislative problem. How _could_ a government impose age-verification control in a better way?
My first thought would be to legislate the inclusion of some sort of ISP-level middleware. Any time a user tried to access a site on the government provided list of adult content, they’d need to simply authenticate with their ISP web credentials.
Parents could give their children access to the internet at home or via cellular networks knowing this would block access to adult content and adults without children could login to their ISP portal and opt-out of this feature.
As much as I think these types of blocks aren’t particularly effective—kids will pretty quickly figure out how to use a VPN—I think a scheme like mine would be at least _as effective_ as the one the governments have mandated without adding any new risk to users.
What do you all think? Are any of you from these states or other regions where some sort of age-restriction is enforced? How does this work where you are from?
Edit:
Using a simple captive portal—just like the ones on public wifi—would probably be the simplest way to accomplish this. It’s relatively low friction to the end-user, most web browsers will deal with the redirect cleanly despite the TLS cert issues, and it requires no collection of any new PII.
Also, I don’t think these types of filters are useful or worth legislating, I’m just looking at ways to implement them without harming security or privacy.
I don’t really like all these anti-porn laws. If kids want porn, there are too many leaky buckets they can drink from. Hell, they could just messages pics and videos to each other.
That said, if we are forced to do strong verification, the best I can think of is some sort of mix of the ideas we use for certificate authorities and oauth.
Certificate authorities are really just trusted identity providers. In my solution, you would choose from a list of trusted identity providers. You provide them with all the private information necessary for them to validate your identity. From there a third party can validate information about you with your permission.
The way this workflow would work is similar to oauth workflows people are familiar with for Google, Facebook, and other single sign-on solutions. You go to a adult site, select your provider from a list of trusted identity providers, the adult site redirects you to the provider site, you log in and give the adult site the privilege to verify you are over 18. The browser redirects to the adult site. The adult site would get nothing else about you besides what identify provider you use and if you are over 18.
Now ultimately, you have to give your private details to someone but at least you don’t have to give it to everyone. Unfortunately, your provider could potentially keep track of what sites you are allowing to verify your information. We would need strict laws on these providers on what records they are allowed to keep.
I definitely agree that these types of blocking are ineffective and generally do more harm than good, but if governments are going to push for this stuff, it would be good to have a solution that doesn’t harm people’s security and privacy.
Another idea is to actually use mutual TLS. Your browser provides your certificate. That certificate has nothing else in it but your status as an adult. Still have to give a certificate authority your information though.
@TheCuriousCoder87
You wouldn’t necessarily have to actually give a CA any details about yourself, just integrate this into the existing ISP portals.
An adult can log into the provider’s website and click to generate any client certs they need.
I think this method is maybe a bit _too_ technical (compared to a simple captive portal like you get on public wifi) but I think it would work okay as long as end-users didn’t have to go to a 3rd-party or provide any additional information to their ISP to use it.
On the plus side, we could repurposed this system to prevent a lot of types of online fraud. You could use a provider to create a online bank account, sign documents, and other things that require identity.
On the negative side, a lot of sites might start requiring it just because they want to know who you are for advertising purposes.