The Age of Consent
How protecting kids online could spell the end of privacy.
I’m in the middle of a lot of projects right now (I have Season Two of the podcast to finish editing!), but if I were open to doing some coding, I know exactly what I’d want to develop: An identity-verification app that doesn’t require you to turn over all of the personal information on your driver’s license (or other documents) to access certain sites.
As concern about children’s online safety has grown in recent years, many of the proposals put forth by legislation in the US and abroad require certain types of sites (namely social media and porn) to demand age verification for access. Multiple states have already enacted age-gating for social media, and there are several federal bills in the pipeline, which I’ve written about here. This can range from checking a consent box to entering your age when creating an account: Super easy to fake.
And so stricter requirements are being explored and enacted, such as requiring uploading a driver’s license, entering a credit card or going through a digital intermediary. These also have potential workarounds: Kids can borrow someone else’s (or sneak Mom or Dad’s).
It gets creepier. One idea that’s already being employed by Facebook and Instagram is to use facial ID software to guess if you’re over 18. And in France, they’ve floated the idea of using AI to search all of your data to infer your age. Both have accuracy flaws, and both are terrifying.
We seem to have solutions, right now, which are either super easy to fake, or are asking you to give over a disturbing amount of information.
Under the aegis of protecting children’s privacy, which is an extremely worthy cause, platforms would suddenly be given free rein to hoover up a treasure trove of personal data, which they can then sell (and/or have stolen). And if you've been reading the newsletter in recent months, you know that I’m big on data privacy: It’s the focus of the second season of the podcast, as the trailer will tell you!
My Modest Proposal
Have you noticed that since iOS 16, your iPhone allows you to select only the fields you feel comfortable sending when you’re sharing a contact with another person? When you go to share that contact, a popup window shows up that allows you to choose if you want to share a person’s birthdate or their address – bundled along with their phone number or email address. Could that be a model for online age verification?
When I send my driver’s license to access a site, I’m not just confirming my date of birth, I’m also sending over my license ID number, my photo, my address, and my height and weight to a third party that could get hacked, giving them more information about me than I would like. Why can’t we just send our DOB? Or even better, just your age. As an analogy, the same applies in the real world: When I go to a bar, why do I need to share my home address with the bartender? All they need is a verifiable way of knowing that I’m of drinking age. Why not the same thing in the digital world? (And the nice side effect: I don’t have to worry about that bar getting hacked, because they are probably not keeping a copy of all my data.)
There are lots of different ways to put this together. One could be some form of trusted intermediary. Let’s call it AgeVerify. Imagine AgeVerify as a software non-profit — similar to Signal or Mozilla — and they have your, the user’s, best interest in mind. You verify yourself to them — probably via your driver’s license. That intermediary then stores your birthdate and destroys everything else. But here is the important part: When a third-party website wants to know your age, it can ask AgeVerify. And AgeVerify can do what its name says. It just verifies your age. And nothing else.
And if this works, there are other things you could do. Maybe a one-time verify — so, like the bar example above, you know that your data isn’t held by the requestor. They have to come back and ask again. Or maybe you can get an email once a week or month to show you everybody who has been asking for this data about you.
I might sound like an armchair developer. But having worked in the industry for decades, I know it can be done. There is an open gap in the world right now, and tech can fill it to protect our privacy.
Please share your thoughts in the comments below, and, by all means, forward this to your friends in the industry looking for that next big idea. It might not be a cash-out idea like Facebook or Instagram, but our privacy is more important. Let’s not just give it away.
Worth the Read
For just $15 in bitcoin, hackers can access a dizzying list of very personal information about you from credit bureaus. It’s being advertised in chat rooms and is being used in terrifying ways.
Axios reports that AI has helped scientists at UC San Francisco analyze patients’ records to predict Alzheimer’s up to seven years before symptoms appear.
AT&T’s recent breach affected 73 million users, and that info is being shared on the dark web, raising serious questions about how we can protect ourselves. Those with AT&T accounts should start by freezing their credit reports at all three major agencies (Equifax, Experience and TransUnion), then signing up for credit monitoring and enabling two-factor authentication on their account. According to CBS News, the Federal Trade Commission offers free credit freezes and fraud alerts that consumers can set up to protect them from identity theft.
In the UK the Information Commissioner’s Office announced that tech platforms must improve the way they protect children online by 2025, including turning off location tracking and feed algorithms for young users.
A fantastic read from the New York Times about how a software engineer managed to stop a major supply chain attack just by noticing that something was off with the open-source code he was developing for Microsoft. Score one for Linux!