Oh yes, "simply" obey a law that would not respect the privacy of people, and given the current religious zealousness in the US, may expose customers to future danger.
I think some folks absolutely want to know what folks are watching what kind of porn.
Especially in rural areas, some of those wingnuts would like to go back to the days where you can lynch people you do not like.
Other than the wingnut faction pushing this legislation, I think some hope for a deterrent effect for minors as well as adults. They are wrong to expect any kind of deterrent effect of course.
How does age verification break privacy? I have to show ID to get into an adult "bookstore," to enter a bar, or purchase alcohol. I have to show ID to check into my hotel, get through airport security, drive my car, buy Pseudo. Are you saying there is absolutely no way to perform this action online in a way that respects privacy just the same as all of those operations? No way at all to do a verification that's immediately tossed in a privacy preserving way?
If so, then it sounds like maybe things that require age verification shouldn't be allowed to operate on the internet.
> Are you saying there is absolutely no way to perform this action online in a way that respects privacy just the same as all of those operations? No way at all to do a verification that's immediately tossed in a privacy preserving way?
There's ways yes but the bigger issue is that it's much harder to verify. When I show my ID to a cashier I can see whether they photocopy it or not. I can't verify websites and porn ones could be shady.
Not that I personally care that people know I watch porn. But maybe people do care.
One thing is to have someone visually checking on your ID you're an adult, another thing is to record your full name and IP address, along with the site you access, who knows on what insecure database and probably forever. When you leave a brick-and-mortar adult store, no one asks you what your name is, records it down next to your purchase, and sends it to state authorities.
These are two very different things.
This law is not only about Pornhub or porn, but about anything each state government considers "harmful". Porn is the excuse for blocking you from accessing, in a not-so-distant future, any topic your local government frames as harmful.
There are cryptographic tools (zero-knowledge proofs, for example) that can provide anonymous attestations for a user's age. The problem is that the infrastructure to support it isn't provided by the same government that's requiring it to exist.
And even if the private sector innovated here, there's no approval from the government to accept math nerd solutions as legally valid.
Which means you basically have to scan and upload your photo ID to these websites, or use a payment card, or something else that will stand up in court.
Do these cryptographic tools prevent the government entity providing them from knowing which websites verify your age? If not, then that's too much Uncle Sam watching over your shoulder as you watch your porn.
For a simple example, a JWT doesn't need to be done with shared secrets, and can instead use RSA private/public keys. The payload could contain just two fields like "issued" (to ensure the token isn't shared and reused) and "age" (what you want to share), you'd be able to decode the payload to see what's in it and know there's no identifying information, and the government site would provide the public key allowing anyone (like a porn site) to verify the JWT hasn't been tampered with without knowing who it was that got the JWT.
Yes, but the idea is they wouldn't know why or for what site. In the JWT version I'm imagining, the porn site would say "go to your government website, generate this token, then copy/paste it here". There's no connection between the porn site and government site, and if the public key was retrieved and cached earlier there isn't even a timing-based way to connect them.
(JWT in general is a bad solution, but let's ignore that for the sake of discussion.)
I think you're severely underestimating the efficacy of traffic analysis and correlation efforts.
PrivacyPass is a better starting point, IMHO. The Cwtch developers (Open Privacy) even implemented PrivPass over Ristretto255, which is objectively awesome.
Didn't find many details, so please excuse the questions.
So the user would get a number of signed tokens from the gov to prove age, then a token could be shared with a site that verifies age without connecting to gov, assuming it's already aware of the gov's public key?
What prevents the same token from being used by more than one person?
How can the site prove compliance with the law? Will they need to store the tokens for each user? Can the gov tie a stored token back to a particular person that verified?
Yeah, I was assuming the JWT might not be the best, but my point was that it's a simple example that doesn't require someone to read a math-heavy page.
> I think you're severely underestimating the efficacy of traffic analysis and correlation efforts.
The porn site would have the public key already stored/cached, so there isn't any traffic to correlate. There's still an issue with the first request, but like I said, this is a simple example that's easy to understand without getting into anything math-heavy.
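The RS256 token idea from this sub-thread, written out as an added example (it is not part of any commenter's post): an issuer signs a payload holding only `issued` and `age`, and a site checks it offline against a cached public key. The names `Claims`, `Issue`, `Verify` and `demoKey`, the five-minute freshness window and the threshold of 18 are assumptions made for the sketch.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

type Claims struct { // the entire payload: only the two fields proposed in the thread
	Issued int64 `json:"issued"` // Unix seconds, set by the issuer
	Age    int   `json:"age"`
}

var b64 = base64.RawURLEncoding
var header = b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // constructed throwaway issuer key

// Issue is the issuer side: RS256-sign header.payload with the private key.
func Issue(key *rsa.PrivateKey, c Claims) (string, error) {
	payload, _ := json.Marshal(c) // two integers: marshalling cannot fail
	signed := header + "." + b64.EncodeToString(payload)
	sum := sha256.Sum256([]byte(signed))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	return signed + "." + b64.EncodeToString(sig), err
}

// Verify is the site side: it needs only the cached public key, so nothing is sent to the issuer.
func Verify(pub *rsa.PublicKey, token string, now time.Time, maxAge time.Duration, minAge int) error {
	p := strings.Split(token, ".")
	if len(p) != 3 || p[0] != header { // alg is pinned, never read from the token
		return fmt.Errorf("malformed token or unexpected header")
	}
	sig, err := b64.DecodeString(p[2])
	sum := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) != nil {
		return fmt.Errorf("signature invalid")
	}
	payload, _ := b64.DecodeString(p[1]) // these bytes are covered by the signature
	dec := json.NewDecoder(strings.NewReader(string(payload)))
	dec.DisallowUnknownFields() // refuse payloads carrying anything beyond issued/age
	var c Claims
	if dec.Decode(&c) != nil {
		return fmt.Errorf("payload carries unexpected fields")
	}
	if age := now.Sub(time.Unix(c.Issued, 0)); age < 0 || age > maxAge { // limits the reuse window
		return fmt.Errorf("token outside freshness window")
	}
	if c.Age < minAge {
		return fmt.Errorf("age below threshold")
	}
	return nil
}

func main() {
	tok, _ := Issue(demoKey, Claims{Issued: time.Now().Unix(), Age: 34})
	fmt.Println("fresh:", Verify(&demoKey.PublicKey, tok, time.Now(), 5*time.Minute, 18))
	fmt.Println("an hour later:", Verify(&demoKey.PublicKey, tok, time.Now().Add(time.Hour), 5*time.Minute, 18))
}
```

The `issued` check only bounds how long a token stays usable; nothing in the payload ties it to the person who requested it, which is the gap the later questions about token reuse point at.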
No. The output of the government site is an attestation of age. It's a bundle of bytes. The site doesn't know or care what you do with the attestation.
The commercial incentives around this are also terrible, given that the prevailing assumption is that a private third party will do the attestation as a for-profit service. It's practically guaranteed to add cost and liability for the porn vendor as well as risk of leaks, tracking, and data brokering for the consumer. It may as well have been designed to shut down free porn altogether.
And maybe it was, considering the history of porn regulation in the US. If you look at the requirements and contemporary rhetoric around 18 USC 2257 (yes, the thing that basically all legit porn sites with US operations have a disclaimer for), it was pretty blatantly intended to render the porn industry unable to operate. Porn producers were never actually intended to come into compliance, but rather presumed to be unable to (due to the ridiculous procedures and the supposed omnipresent use of underage, undocumented, and coerced performers).
> It may as well have been designed to shut down free porn altogether.
There was and is a fairly coordinated program of shopping this around to various legislative bodies (not only US states). It started maybe two years ago, I think. It didn't just catch on organically.
Some of it seems to be driven/funded by the AV companies, who presumably actually want the verification to happen. But a lot of the legwork and political contacts are provided by organizations that would definitely love to drive every porn site out of business. I doubt they expect to get all of them, or even all the free ones, but, sure, somebody like NCOSE knows that it's a major burden, and absolutely thinks that any damage to adults' access to porn is a positive feature.
It's not obvious that most of the legislators who vote for these things understand the implications at all.
So some of the people you could blame for this legislation definitely have such intentions, but probably not all of them.
> If you look at the requirements and contemporary rhetoric around 18 USC 2257 (yes, the thing that basically all legit porn sites with US operations have a disclaimer for), it was pretty blatantly intended to render the porn industry unable to operate.
Hmm. I'm ready to believe you, but 2257 doesn't seem totally infeasible to comply with in a VHS world. Dangerous to the performers, yes, because it requires tons of people to keep records of who they are and where they live, and those records are pretty much guaranteed to leak and be abused. An expensive nuisance, also yes. A chance to hound anybody who messes up out of business, and threaten them with prison, OK. Obnoxious overreach, sure. But totally impossible to comply with? I'm not sure about that. It actually seems easier than user AV.
The thing that always really got me about 2257 was that the claim was it was supposed to prevent another Traci Lords. They checked Traci Lords' ID. She showed ID. She had a real driver's license (based on a fake birth certificate, but it was the state that was supposed to check that, and anyway it was presumably a good fake). As far as I know, 2257 wouldn't even have slowed Traci Lords down.
> Hmm. I'm ready to believe you, but 2257 doesn't seem totally infeasible to comply with in a VHS world.
I'm not saying that it was supposed to be impossible to comply with per se, but rather that it was supposed to be impossible specifically for the porn industry as anti-porn crusaders imagined/alleged it to be at the time. There was a bunch of drug-war-like rhetoric about how porn had become more violent, exploitative, and outright criminal since 1970, when the previous government commission on the subject reported that porn wasn't an important social problem and should not be restricted for adults.
Which makes sense, and also sounds like applying monetary pressure, say losing access to multiple states in the US, would incentivize prioritizing some engineers into solving this. The reason it doesn't exist yet, is because we've collectively decided through indifference and inaction that an "I swear bro" button is fine in the virtual world, but not the physical, and have now learned that it's not enough.
There is a HUGE difference between presenting ID in the physical world and digital world. In the digital world, once I provide an ID it is there forever, and it will be used for who knows what by who knows who. The only way to compare the two would be if in the physical world we provided an ID and whoever requested it gets to keep it, and of course no place like that exists; you flash the ID (not that much unlike an “I am 18 I swear” button in a lot of places) and you move on.
You didn't read the post you were replying to. That would be a "math nerd solution" that the states have not committed to accept, regardless of whether it actually works. Also, that sort of thing tends to require active cooperation from the entity issuing the IDs, which no state governments have committed to provide.
By the way, Pornhub actually has a preferred technical solution involving "device attestation". It's only marginally better than the snake oil the AV industry wants to use, and I don't like it, but they have said they'd stop objecting if something along those lines were standardized.
They just don't want to have to deal with a patchwork of mutually incompatible stuff (a) that's totally ineffective, (b) that leaves them either handling everybody's ID or dealing with questionable contractors to hold it, and/or (c) that leaves them having to convince the users to trust them or those questionable contractors with those ID images.
> require active cooperation from the entity issuing the IDs
It doesn't actually. Third party zero knowledge attestation works just fine. Think through the cryptosystem. It's possible for an authority to verify an ID for a given name and target site without revealing the former to the latter or the latter to the former.
> No way at all to do a verification that's immediately tossed in a privacy preserving way?
Not if you want to be able to pass any kind of audit, no. Not unless the authority issuing the ID participates in a complicated cryptographic protocol. Which none of them do and which is definitely not standardized.
One of the early states passing these, I think it was Louisiana, actually did at least try to step up and deal with the privacy issue. They came up with a trusted-third-party thing. The third parties, who are private entities, have to pinky promise not to leak the data or keep them beyond certain limits. They are not audited. There are no actual penalties if they screw up. That's not acceptable assurance. There are also no limits on what they can charge, come to think of it, and it's not exactly going to be a large fluid market.
None of the other states even went that far. Nor did any of them try to come up with a shared standard.
There's definitely nothing out there that the user can verify as working, or that's certified by anybody the user should trust.
There are also the facts that--
1. All of the "age verification" protocols that the various activists are pushing and the various vendors are hawking are ineffective, in that any halfway motivated kid can easily figure out how to circumvent them, and
2. Kids just seeing porn isn't actually a big problem, especially if they've sought it out.
I've seen no auditing requirements on any bill, and in fact all that I've read make it illegal to retain information used for verification. Audits also aren't done in person; stings are. Why does auditing always come up with this topic?
It seems to me that these bills aren't prescriptive (they say you can use a "commercially reasonable" method). Most states are also moving to adopt the ISO mDL standard[0].
What? First, that has nothing to do with anything. Second, it's not true: most auditing has an in-person component, and many stings don't. Do you actually know what an audit is? Hint: a "pen test" isn't an audit and isn't much like an audit. Neither is a code review.
> Why does auditing always come up with this topic?
1. All security controls need to be audited.
2. There is a 100 percent chance that many of the organizations advocating for these laws, most of which would actually prefer for porn to be outlawed completely, will grab any chance they can to accuse sites of not complying. They'll either try to get sympathetic law enforcement agencies to take up those accusations, or, if they can find a legal avenue, they'll bring lawsuits themselves. They will undoubtedly find anecdotes of system failures, since any large-scale system will fail sometimes. They will claim that as evidence that the rules aren't being followed. Evidence, no matter how flimsy, has to be countered with other evidence, especially if you're in a "preponderance of the evidence" situation. It's pretty hard to show that what you're doing is reasonable or effective if you don't have at least a sample of records.
Do you know what an audit is? Have you ever worked somewhere with record keeping requirements? At a financial company I worked at, we recorded every customer interaction and every decision made for accounts (including "nothing to do now") along with the inputs to those decisions. Auditors would ask to see details of random accounts to show we were keeping those records and executing the correct logic. Your grocery store or liquor store aren't getting their shipments and sales audited for id checks. You can tell because they don't even always card you if you look old enough, or might accept being flashed an id. The way the law is enforced in person is that an underage person buys something they're not allowed to as part of a sting. You get in trouble for actually providing service to a minor. This is different from e.g. firearms dealers who do have to keep records.
Like I said, I've seen no laws requiring any audits or record keeping, and actually every law I've seen explicitly makes such records illegal. I don't see why the evidence that sites aren't doing their job wouldn't be the same as in person: the police have someone access the site without valid id, and the site didn't have a commercially reasonable system in place as a defense. If they're not doing their job, it will be easy for police to demonstrate it, and the site will actually be in the wrong.
That's not an "anecdote", just like selling cigarettes to a 16 year old without an id is not an "anecdote". That is breaking the law. It's on companies to follow the law every time.
Most if not all of those were met with complaints that we were on the slippery slope towards being a police state where the government forced its way into private matters.
Given that, your argument seems to be that since we are on the slippery slope, we might as well go further.
For what it's worth, I don't have to show ID to get into an adult bookstore, or enter a bar, or purchase alcohol, because I live in a place which doesn't require ids for people who are obviously old enough.
I've also stopped flying in part because I think airport security is oppressive and a facade, and I don't drive because I managed to find a place where I'm not forced to have a car to live. I hate the pseudoephedrine id law because I think the state should have no business in that matter, and like airport security it's a case of the government seeming to be Doing Something even though it does nothing.
Last time I needed pseudoephedrine, I got a friend to buy it for me.
> Are you saying there is absolutely no way to perform this action online in a way that respects privacy just the same as all of those operations?
Correct. I can buy wine without an id because the store clerk can physically verify that I am of age without checking a piece of plastic or otherwise establishing my identity.
Once purchased I could of course give it to a local 16 year old, which would be illegal, but an id check wouldn't change things.
You'll have to have a camera check the user before each porn site visit, or at random checks, and deal with the false positives of a 16-year-old which looks 19 (or false negatives of a 21 year old who looks 17), and strict laws preventing any recording of that information, and somehow assure people that the laws will never change to collect more information - which is hard to believe given the slippery slope shown at airports and elsewhere.
> maybe things that require age verification shouldn't be allowed to operate on the internet.
How do you propose we do that? Block off all IP addresses at the national level for porn site servers hosted in other countries? Block DNS lookups for them? Prevent VPN use? Nix their ability to charge via Visa and MasterCard, or take payments via SWIFT?
I actually don’t think there’s a way to “toss” that information, no. In fact, if you don’t use any content blockers, and never clean your cookies - chances are the browser fingerprints and databases already know your age with 90% certainty. Without any pictures of your documents flying around.
Pornhub is pretty tame compared to a lot of the stuff out there, which won't be blocked because it's hosted in Russia or wherever and won't comply. I don't think limiting access to mainstream porn sites is going to do anything positive wrt porn addiction, and it could drive people to much darker stuff.
a. the vast majority of people are neither addicted to porn nor lacking in ability to form relationships. if that has happened to some people they are a minority
b. pornhub has no monopoly over the internet porn industry. insofar as those men did get so addicted, that would have happened regardless of pornhub existing.
"a. the vast majority of people are neither addicted to porn nor lacking in ability to form relationships. if that has happened to some people they are a minority"
Dropping birth rates are just because kids are a burden these days. With both parents needing to work to pay for a house it's a huge hassle. I'm glad I never had any. My life is much freer now.
And we're not going to go extinct. Plenty of people want kids and have them. Maybe we'll reduce the population a bit which would be great. Less pollution, less pressure on the overloaded housing situation.
> Less pollution, less pressure on the overloaded housing situation.
Generally when one group shrinks in evolution, it doesn't reduce for long the total pressures on the environment. What usually happens is other groups grow into the new opportunities that have opened up.
> What usually happens is other groups grow into the new opportunities that have opened up.
Which is only a bad thing if you assume "other groups" are inherently worse. But if the current state is so bad people are openly cheering after a murder, perhaps there are more pressing issues - which likely also contribute to low birth rate.
I agree that porn addiction can be destructive. But the idea that you can somehow block porn is ludicrous. Work on the problem from some other angle. This is just puritanical politicians throwing their weight around.
> Work on the problem from some other angle. This is just puritanical politicians throwing their weight around.
Sure. But if I look at this objectively, I am not sure it is going to be solved from another angle by liberal societies any time soon. And religious societies, or at least those that are puritanical in this regard will get a significant and likely sustainable demographic advantage as a result. I think this speaks to the larger issues of why religion has persisted and why atheism has yet to be a sustainable endeavour, rather than a demographic sink. Truth doesn't actually matter, viability via demographic sustainability is how things are actually judged.
I don't think we should be attempting to force parenthood on children in order to solve birthrates. Maybe you should have to show proof of being a child to access porn? Might work.
Almost everyone watches porn and almost everyone has relationships. And if they don't it's not because they don't need sex. In fact sex is a less important part of relationships IMO. Being in an open relationship we both enjoy that with others too but we're not less special to each other. Those other people come and go and sex is a nice pleasure, but she's the one keeping me warm at night and comforting me when I'm sad. That matters a lot more to me.
Porn addiction does not exist in anything other than a possible symptom of some other mental health issue, but puritanical people like yourself and religious lobbyists like to pretend the degradation of society revolves around sexual liberty.
Good for Pornhub. They made the right call.