W3C

– DRAFT –
Age-Based Restrictions Have Come for the Web

12 November 2025

Attendees

Present
alexmt, AramZS, bvandersloot, David-Ezell, ErikAnderson, hadleybeeman, jugglinmike, manu_, npdoty, pascoe, phila, PZ, rbyers, reillyg, Rene, smcgruer_[EST], tara, timcappalli
Regrets
-
Chair
Benjamin VanderSloot, Tara Whalen
Scribe
tara

Meeting minutes

The Zoom is acting up a bit, please stand by...

<npdoty> I guess I can scribe since I have more Internet access

ben: agenda: workshop summary to start

Debrief from workshop

IAB + W3C jointly ran the workshop: get people from different groups under Chatham House style venue to talk about problem

regulatory folks, child safety orgs, browser vendors etc

lot of considerations to think about, many intersecting components

<mt_hates_irc> insert obligatory avenue Q reference

Group provided several ideas of the major impacts, e.g., phishing risk from data collection

properties of good solutions, e.g., purpose-limitations of data collected

want to be based on open standards

architectural groundwork

<smcgruer_[EST]> [We see a diagram of content -> service -> network -> device -> user]

Roles in enforcement: verifier; enforcer; policy selector; content rater

Nick: lot of architectural options
… roles can be spread across different parties, or grouped together
… or cooperative arrangements

ex: "signalling" - device to signal to service "I am a certain age, so serve me certain content"
… content rating can be done by service (knows the context of the content)
… existing work: declared age-range API, see CA law which mandates age range be supported

labelling switches these roles, e.g., parental controls

service can signal the type of content, can be enforced at device (does not serve it under policy)

credential-based age proof: issuer of credential, verifies user's age

Open discussion

<Zakim> phila, you wanted to talk about labeling

@phila: worked on this for a long time (25 yr), "Internet Content Rating Assoc"
… labelling does not work (based on my experience)
… is like P3P. What do you do about unlabelled site/content.

verifiable credentials is more promising (limited disclosure)

<smcgruer_[EST]> Nina: How does VC if content provider doesn't want to play?

<smcgruer_[EST]> Phil: Absolutely doesn't work if they don't want to play. Same problem.

<smcgruer_[EST]> ... There are many harms beyond adult content, as you said

<smcgruer_[EST]> ... We need to do something about it, but bad actors will be bad actors

<michaelficarra2> can we have a way to get on the queue without internet connection? I keep getting booted off

<smcgruer_[EST]> manu_: Wanted to point out some work in the area (sorry we weren't at the workshop)

<smcgruer_[EST]> ... ??? is from the True Age program, non-profit in USA, age verification platform using VCs

<smcgruer_[EST]> ... Been in production 2 years, 150k retail locations in USA

<smcgruer_[EST]> ... There are people at W3C with deep experience with age-gating

<smcgruer_[EST]> ... It is retail, not online, but it is using VC

Platform: TrueAge

<smcgruer_[EST]> ... We should take those learnings into account

<smcgruer_[EST]> manu_: There are some very large players in this space already

<smcgruer_[EST]> ... ??? sells 55% of alcohol in USA

<smcgruer_[EST]> ... They serve millions of age checks a day

<smcgruer_[EST]> ... They already have published standards for this

<smcgruer_[EST]> ... I hope whatever work is done next, coordinates with True Age, with ???, with the VC working group

<smcgruer_[EST]> ???: +1, would be nice if we could graduate from underage to age appropriate

<smcgruer_[EST]> AramZS: +1 to what was said about labeling - anything that requires that an external entity be labelling the age safety or content on the web is unworkable

<smcgruer_[EST]> ... A lot of free speech problems

<smcgruer_[EST]> ... The way this should work is if I believe my content is 18+, I should be asking if this person is 18+, not waiting for someone else to rate me

<smcgruer_[EST]> Ben: That means you're rating yourself

<smcgruer_[EST]> AramZS: Whole range of rating is problematic - movies, comics, etc

<npdoty> National Association of Convenience Stores (NACS) was one of those references from Manu

<smcgruer_[EST]> ... People are put in spaces that are bad, that creates corruption

<smcgruer_[EST]> ... It should be self-attested

<smcgruer_[EST]> Hadley Beeman: Unfortunately the legislation does not agree with you in many countries

<npdoty> self-attested would be an example of content rating by the service provider

<smcgruer_[EST]> AramZS: Want to make sure we're not adding tools to allow others to rate us

<mt_hates_irc> oops, that's not good, that was Hadley Beeman instead

<dveditz> actually that reply was hadley

<npdoty> many businesses already do this, for existing parental controls, whether we like it or not (both self-rating and labeling others, with kinds of heuristics)

<smcgruer_[EST]> mnot: Framing for this workshop, for me, this was a workshop we should have held years ago

<smcgruer_[EST]> ... The technical community keeps saying we won't engage, but this is what happens when we don't engage

<dveditz> (dunno if that works)

<smcgruer_[EST]> ... It's not what we're going to introduce here, it's already here, and we're going to be stuck with what is here

<smcgruer_[EST]> ... So we have to hope that the current thing eventually fails, and we build a good thing that can be adopted next

<smcgruer_[EST]> AramZS: I agree we need some sort of age controls, but I think the context in which we present them and how we set up the power dynamics are extremely important

<smcgruer_[EST]> Ben: +1, yes

<smcgruer_[EST]> ... was discussed at the workshop

<Zakim> npdoty, you wanted to comment on brainstorming possible work, not on stopping every proposed area of work

<smcgruer_[EST]> npdoty: Appreciate the passionate viewpoints!

<smcgruer_[EST]> ... I expect we need a spectrum of solutions, of which some of us will think they are not a good choice

<smcgruer_[EST]> ... Handling an imperfect situation is hard, I don't think we're looking for a single solution

<smcgruer_[EST]> michaelficarra: A lot of the things we're talking about seem to be focused on is age above a certain range

<smcgruer_[EST]> ... But the opposite problem is actually interesting too, e.g. creating safe spaces for teenagers only

<smcgruer_[EST]> ... Difficulties with overage persons entering those spaces

<smcgruer_[EST]> ... Is this in scope?

<npdoty> it might be a different problem, but it's certainly a relevant/related problem

<smcgruer_[EST]> Ben: It was discussed at the workshop, hard problem

The Advanced Persistent Teenager issue
… how can we combine solutions

<smcgruer_[EST]> timcappalli: This has potential to impact existing tech, like passkeys

<smcgruer_[EST]> ... People are using passkeys to do this now, which is really bad

<smcgruer_[EST]> ... Since you can share passkeys

<npdoty> I saw that announced more widely on Monday, before that I thought it was just speculative

<smcgruer_[EST]> alexis_hancock: What I mostly see around risk of youth or minors is contact risk

<smcgruer_[EST]> ... There won't be one technical solution

<smcgruer_[EST]> ... Age verification doesn't teach kids to be safe online

<smcgruer_[EST]> ... So we want to be able to find solutions that have unlinkability, etc

<smcgruer_[EST]> ... To help decouple from data brokers

<smcgruer_[EST]> ... We see data brokers working with age verification systems to gather data

<smcgruer_[EST]> ... I want to see us break away from that

<smcgruer_[EST]> ... We won't find a perfect solution, but we can find a collection of solutions that I think can help

<mt_hates_irc> age verification only partitions people by age, it does nothing to create safe spaces (or to keep people out of unsafe spaces)

<smcgruer_[EST]> ... A lot of this is around social, and there's no technology that fully solves social

<smcgruer_[EST]> ... We spent a lot of time debating perfect vs good, whether we should step away or not

<smcgruer_[EST]> ... We are still trying to fight age verification laws so people can still have anonymity

<smcgruer_[EST]> ... But it's likely to be here a long time

<AramZS> +1 - we should be very limited here in terms of what we provide - a specific signal of age range but not broad context and as little meaning to that signal as possible.

<smcgruer_[EST]> andrewcampling: +1 that the focus shouldn't just be age verifying kids to keep them off of adult sites, but also the inverse, as was said

<smcgruer_[EST]> ... let's not ignore the harms also of NOT age verifying

<smcgruer_[EST]> ... there are harms of doing it, but also the opposite

<smcgruer_[EST]> martin: Quick interjection, one thing that keeps coming up is question of outright illegal content

<smcgruer_[EST]> ... There is a limit to how much we can solve illegal content

<smcgruer_[EST]> andrewcampling: I think there is an overlap, where the pathway to creating the illegal content comes through legal channels to start with

<npdoty> most of the age verification proposals are not focused on distribution of illegal abuse material -- those aren't suited to cooperative mechanisms of age-verification (because they aren't compliant, clearly)

<smcgruer_[EST]> mnot: Major theme at workshop was that these mechanisms are not perfect

<smcgruer_[EST]> ... Think the regulations were not written with that in mind

<smcgruer_[EST]> ... Being able to verify the outcomes to say that age verification does come with a reduction in harm is very valuable

<smcgruer_[EST]> rbyers: We definitely should have done the workshop 3 years ago, but I disagree that it's too late now

<smcgruer_[EST]> ... My example is Digital Credentials - we've been challenged, it's been hard, it's not perfect, but we have to try and we're making progress

<smcgruer_[EST]> ... Digital Credentials in Chrome is seeing an uptake in usage already, using ZKP for adult content sites in UK and other age-restricting geographies

<smcgruer_[EST]> ... That's a standard in scope for W3C to influence, for this group to influence

<smcgruer_[EST]> ... If we can move and accept not perfect

<smcgruer_[EST]> mnot: One thing that comes up is that it's not clear if DC is the solution

<npdoty> note that if you suggest improvements, you might also hear that it needs to be too urgently deployed and so we don't have time to make those improvements

<smcgruer_[EST]> hadleybeeman: A lot of us in W3C have talked about how this tech won't work

<smcgruer_[EST]> ... How there's always a way around it

<smcgruer_[EST]> ... At the workshop, we talked about introducing concept of an acceptable failure level

<smcgruer_[EST]> ... Bringing that to the regulators

<smcgruer_[EST]> ... And trying to shift the conversation policy side to be probabilistic

<smcgruer_[EST]> ... To me, that unlocked a way to do good without being perfect

<Zakim> dezell, you wanted to talk about "age over" and the importance of advocacy

<PaulZiv> +1 to Manu. Especially with laws already on the books that do not delineate between adults and children’s.

<smcgruer_[EST]> dezell: We have a fairly successful age verification program

<smcgruer_[EST]> ... Largely because we're laser focused on one specific case

<smcgruer_[EST]> ... In our case, we follow government policy

<smcgruer_[EST]> ... That keeps you from doing things that will infringe on free speech rights, court cases, etc

<smcgruer_[EST]> ... Another thing. Privacy preserving works both ways

<smcgruer_[EST]> ... In my opinion, a bad actor's privacy is just as sacrosanct as others'

<smcgruer_[EST]> ... We keep records and they are verifiable, but don't want to pollute data lakes with how old you are

<smcgruer_[EST]> ... Finally, we focus on age-over. Just do that. Don't tell birthdates. Need to know basis.

<dveditz> except different jurisdictions and cases need different age boundaries

<smcgruer_[EST]> ... We can make headway in this, but need to choose where the battle happens

<smcgruer_[EST]> ... We also need advocacy in the legislative process

<smcgruer_[EST]> ... You need to make a difference there too

<Zakim> npdoty, you wanted to comment on abuse reporting (not for content restriction but for other harms)

<smcgruer_[EST]> npdoty: Workshop was focused on restriction of access to content, where the restriction was age based

<smcgruer_[EST]> ... the potential harms to children definitely not scoped to just that (maybe not even aligned)

<smcgruer_[EST]> ... if we are going to look at the broader question of (child) safety online

<smcgruer_[EST]> ... might suggest other work that needs done

<smcgruer_[EST]> ... reporting abusive websites, mechanisms for identifying bad situations

<bvandersloot> close the queue

<smcgruer_[EST]> ... not an area where we've done a lot of standards work at w3c, but I think it is an important area

<bvandersloot> ty, smcgruer!

<smcgruer_[EST]> syllaal: It is not too late to make an impact (from perspective of someone working in Germany)

<smcgruer_[EST]> ... EU is focused on wallet for age assurance (18+)

<smcgruer_[EST]> ... But everything else is left open

<smcgruer_[EST]> ... Either technology agnostic, or very vague on what technology

<smcgruer_[EST]> ... And vague on being 'more or less sure'

<smcgruer_[EST]> ... A lot of smaller companies really struggle to comply due to lack of guidance

<smcgruer_[EST]> ... So definitely not too late

<smcgruer_[EST]> ... Also, whatever system is developed is agnostic to the use case.

<smcgruer_[EST]> ... can always be used for use-cases other than the legally required

<smcgruer_[EST]> ... that is a dilemma we have to face

<npdoty> laser-focus on use case and agnostic to use case is a tough contradiction of advice

<npdoty> but I do think use case limitation would be relevant and significant

<smcgruer_[EST]> AramZS: We should aim for as minimal as possible a signal, store as little as possible (preferably nothing)

<smcgruer_[EST]> ... We will also have to figure out signals around users aging out of restricted area

<smcgruer_[EST]> ... No clear path at the moment

<Zakim> manu_, you wanted to ask if this work is really about age verification, or is it about ensuring protected spaces/communities online?

<smcgruer_[EST]> manu_: Is this really about age? Seems to be more about safe spaces for communities?

<smcgruer_[EST]> ... Age is a subset use-case

<smcgruer_[EST]> ... I'm concerned we're going to over-optimize on age

<AramZS> It is about age because that's the specific thing that is required of us by law

<npdoty> I think that's a good example, actually. communities self-police their boundaries, and we should enable that.

<smcgruer_[EST]> hadleybeeman: There is a big difference between things you self-assert for, versus things you are not legally allowed to declare (such as what age I am)

<smcgruer_[EST]> mt_hates_irc: Different people have different conceptions of what the requirements are in the space

<smcgruer_[EST]> ... That includes things like privacy, and there are difficult conversations there in this space

<smcgruer_[EST]> ... Things like record keeping questions is a difficult question

<dveditz> what authority attests to your membership of the LGBT+ community? Kind of an offensive question, but if people can self-declare then the mechanism will fail to meet the age-gating legal requirements

<smcgruer_[EST]> ... So focusing on the requirements is important

<smcgruer_[EST]> Ben: Want to thank everyone for coming, the chairs of the workshop

<smcgruer_[EST]> ... I think there are a few clear steps to take, we didn't quite get there but great conversation anyway

<smcgruer_[EST]> ... DC is one area, meta tag in WhatNot ? group tomorrow

<smcgruer_[EST]> ... If anyone wants to talk about all this, find me

<AramZS> I didn't want to further raise this topic with the limited time but I very much worry we will fall into creating a digital Comstock stamp and I'm not sure we've got a clear line avoiding that

Minutes manually created (not a transcript), formatted by scribe.perl version 248 (Mon Oct 27 20:04:16 2025 UTC).

Active on IRC: alexmt, AramZS, breakout-bot, bvandersloot, dezell, dveditz, ErikAnderson, ErikAnderson6, hadleybeeman, jugglinmike, manu_, michaelficarra2, mt_hates_irc, npdoty, pascoe, PaulZiv, phila, PZ, rbyers, reillyg, Rene, smcgruer_[EST], syllaal, tara, timcappalli