RE: Minimum Age verification from Mike O'Neill on 2016-09-30 (public-wicg@w3.org from September 2016)

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Fri, 30 Sep 2016 08:44:42 +0100
To: "'Richard Dunne'" <richarddunnebsc@gmail.com>, "'Doug Turner'" <dft@google.com>, "'David Singer'" <singer@apple.com>
Cc: "'Dave Longley'" <dlongley@digitalbazaar.com>, <public-wicg@w3.org>
Message-ID: <49a401d21aee$82149010$863db030$@baycloud.com>

The creation of the attribute token should be at the device/OS level (where only the device purchaser can initiate a change). The user agent need only communicate it, in a way that ensures it cannot be used to track or identify. 

From: Richard Dunne [mailto:richarddunnebsc@gmail.com] 
Sent: 29 September 2016 23:25
To: Doug Turner <dft@google.com>; David Singer <singer@apple.com>
Cc: Dave Longley <dlongley@digitalbazaar.com>; public-wicg@w3.org
Subject: Re: Minimum Age verification

If adults were able to control privileges on all devices and content providers/publishers agreed to control users' access to content based on the those privileges, that could in theory at least solve part of the problem.  That would depend on minors not being able to circumvent those privileges.  

On Thu, 29 Sep 2016 at 22:01 Doug Turner <dft@google.com <mailto:dft@google.com> > wrote:

Somewhat related, there is an ietf draft that uses a HTTP header to signal
that the user agent prefers "safe" content.  See:

https://tools.ietf.org/html/draft-nottingham-safe-hint-06

This obviously is not a binding confirmation of age of consent, but rather
a simple approach to asking the publisher/server to not send content that
is "unsafe" for some meaning of "unsafe".

On Thu, Sep 29, 2016 at 1:16 PM, David Singer <singer@apple.com <mailto:singer@apple.com> > wrote:

> On Sep 29, 2016, at 12:56 , Dave Longley <dlongley@digitalbazaar.com <mailto:dlongley@digitalbazaar.com> > wrote:
>
> On 09/29/2016 03:35 PM, Richard Dunne wrote:
>> On your third point David, a reasonable right to know my age.  If we
>> take the assumption that all countries have the same age of consent
>> (18), which I know is not the case, a minimum age verification system
>> should not be telling me your age, only that you are either an adult or
>> a minor.  That is the scope from my perspective.  Is that achievable?
>
> Examples from the Verifiable Claims work have modeled this as
> essentially asserting that you are "18+" (or over some other important
> age), not as your specific age or birthdate, etc.
>

This is probably getting off topic for the mailing lists, but I would urge you to think about what might go wrong, unintended effects, and so on. For example, would this enable people to target minors (e.g. for scams)?

David Singer
Manager, Software Standards, Apple Inc.

Received on Friday, 30 September 2016 07:46:14 UTC