US States enforcing new age verification for adult content—how could this be done properly?
@technology
Seeing the news about Utah and Virginia over in the US, there's been a lot of discourse about how unsafe it is to submit government ID online. Even the states that have their own age-verification portals are likely to introduce a lot of risk of leaks, phishing, and identity theft.
My interest, however, focused on this as an interesting technical and legislative problem. How _could_ a government impose age-verification control in a better way?
My first thought would be to legislate the inclusion of some sort of ISP-level middleware. Any time a user tried to access a site on the government-provided list of adult content, they'd need to simply authenticate with their ISP web credentials.
Parents could give their children access to the internet at home or via cellular networks knowing this would block access to adult content, and adults without children could log in to their ISP portal and opt out of this feature.
As much as I think these types of blocks aren't particularly effective—kids will pretty quickly figure out how to use a VPN—I think a scheme like mine would be at least _as effective_ as the one the governments have mandated without adding any new risk to users.
What do you all think? Are any of you from these states or other regions where some sort of age-restriction is enforced? How does this work where you are from?
Edit:
Using a simple captive portal—just like the ones on public wifi—would probably be the simplest way to accomplish this. It's relatively low friction to the end-user, most web browsers will deal with the redirect cleanly despite the TLS cert issues, and it requires no collection of any new PII.
Also, I don't think these types of filters are useful or worth legislating, I'm just looking at ways to implement them without harming security or privacy.
The ISP middleware is an interesting idea, basically an SSO (think the "Sign in with Google" you see everywhere). However, this would require some level of integration between every ISP and adult site, which would get seriously tedious as such things roll out all over the country. This doesn't even get into the fact that each law would vary somewhat in the specific requirements and that it just kicks the job of verifying IDs and ages to the ISP instead of the downstream site.
There are lots of ways around doing a full SSO integration, though.
In the simplest form, the ISP could simply use a captive portal of some sort directing the user to authenticate first.
While captive portals can't serve the correct certificate, most browsers these days are smart enough to detect a captive portal redirect and give the user a smoother experience.
That solution puts the burden on the ISP to do the filtering. While it is the technologically easiest solution, it would require overturning the laws protecting ISPs from the content they serve.
@werewolf_nr
You're right, I don't think it would make sense to put the legal liability on the ISPs.
I think, like the current system, it would be a registry that adult websites would have to sign up for in order to be in compliance with the law.