The site and an idiotic bill Topic is solved

About this bulletin board and the Pale Moon website

Moderators: FranklinDM, Lootyhoof

Mæstro
Board Warrior
Posts: 1092
Joined: 2019-08-13, 00:30
Location: Casumia

The site and an idiotic bill

Post by Mæstro » 2026-03-12, 02:22

Today, a friend brought to my awareness an idiotic bill proposed in New York’s legislature. Pertinent sections for us are quoted here, with emphasis added.
Andrew Gounades wrote:
2. "Age category" shall mean data that a user is (a) under the age of thirteen years; (b) at least thirteen but under sixteen years; (c) at least sixteen but under eighteen years; or (d) at least eighteen years. […]
5. "Covered developer" shall mean a person who owns or controls a website, online service, online application, mobile application, or portion thereof that is accessed by a user in the state of New York.
6. "Covered manufacturer" shall mean a manufacturer of an internet-enabled device, an operating system provider, or an application store.
[…] A covered manufacturer shall provide a covered developer with a digital signal indicating the age category of a user via a real-time application programming interface (API) upon receiving a request for such signal from such developer.
[…] All covered developers shall request an age category signal for a user from a covered manufacturer when such user downloads and launches such developer's website, service, or application.
[…] Whenever it appears to the attorney general, either upon complaint or otherwise, that any person, within or outside the state, has engaged in or is about to engage in any of the acts or practices stated to be unlawful in this article, the attorney general may bring an action or special proceeding in the name and on behalf of the people of the state of New York to enjoin any violation of this article…to obtain damages caused directly or indirectly by any such violation, to obtain civil penalties of up to ten thousand dollars per violation, and to obtain any such other and further relief as the court may deem proper, including preliminary relief.
The bill itself, like a similar, stupid Californian law which only treats operating systems, might also be of interest more generally in a discussion for the Windows 11 thread or perhaps a new one in the off-topic board, but this thread should be about bearings on this site in particular, at least at first. As presently written, the bill simply forgets that static, non-interactive sites, like Pale Moon excluding the board, even exist: ‘website’ is treated as synonymous with ‘remote application’, but prudence would dictate the most stupidly literal interpretation possible. Any webmaster with visitors in New York State would be liable, if I am reading this right, although in our case, there is nothing to launch, since again, we are not a remote application. What are we to do in the face of such a daft policy if it should become law?
Life is a fever dream Mæstro would enjoy.
All posts 100% organic. Ash is the best letter.
What is being nice online?
Debian 10 ELTS / Official PM build

andyprough
Board Warrior
Posts: 1322
Joined: 2020-05-31, 04:33

Re: The site and an idiotic bill

Post by andyprough » 2026-03-12, 03:52

I personally think you have to strongly consider geo-blocking such corrupt jurisdictions. Refuse web access to them, refuse downloads and updates to people in those jurisdictions, refuse git access and forum access. If your IP shows you are trying to access any of the sites or resources from those corrupt jurisdictions, you are automatically blocked.

It's a very harsh remedy and will be harmful to a lot of users, but these laws include financial penalties that would absolutely destroy any free software project.

This is just my opinion. And of course VPNs would (and should) make it exceptionally easy to bypass the geo-block. I'm living in a jurisdiction that is highly likely to pass such a corrupt law in the near future, so I'd likely have to use a VPN.

Mæstro
Board Warrior
Posts: 1092
Joined: 2019-08-13, 00:30
Location: Casumia

Re: The site and an idiotic bill

Post by Mæstro » 2026-03-12, 05:00

There is a grave problem with approaches like that: developers can happen to live, like you, in such a jurisdiction, which makes cutting off whole regions unviable in the long term as more jurisdictions pass laws like these. Suppose Sweden happens to pass such a law one day. Should we expect Moonchild to move house so soon after he has just settled into his new home? Or, to confine it to the USA, should Athenian be kicked off the project if Georgia does this? What if the new location follows suit? Helping fragment the web is a bad idea in any case.

Moonchild
Project founder
Posts: 39119
Joined: 2011-08-28, 17:27
Location: Sweden

Re: The site and an idiotic bill

Post by Moonchild » 2026-03-12, 06:28

First off: New York can pass all bills it wants but it's not our task to police the internet, and I will not make it our task. If there is a problem with kids accessing our website or forum, then that is on the parents of kids to parentally control them. If you breed kids, you'll have to "adult" 24/7 from then on. Don't want that? Then don't breed kids.
I will not geoblock based on this nonsense. I briefly considered it when the UK started this last year, but rejected it. It's not our responsibility to limit access from locations that might have restrictive rules. It will be the responsibility of those regions to block outbound access to sites not complying with their local laws, just like any other good authoritarian country does.
Otherwise? We don't care. My business is in Sweden, and only subject to Swedish law. The bill has a bunch of US defaultism applied speaking about "out of state" -- out of state does not mean beyond the purview of the federal government which applies solely to the USA.
Any of our websites can be hosted in any jurisdiction, so if there's an imposed restriction on geographical server location, it can be moved elsewhere. They are currently not hosted in the USA other than the US download mirror (and in terms of age restriction to that, see below), and I don't intend to host them there.

Assuming it can somehow become enforced globally in its proposed state or something extremely similar to it, then let's have a look, shall we?
So, the hypothetical:
If you read the bill carefully, you'll notice that it wants a signal to be requested by the website, service or application from a connecting client or (in the case of an application) a device API (assuming built into an O.S.).
i.e.: the bill asks that a website, service or application checks a device API to get a user's age group, and restrict access based on that age group if the site, service or application is age-limited in its content. It is incumbent on the connecting client/device to provide this signal. If such a signal isn't received, then we on our end can rightfully assume it is not a covered manufacturer and this entire proposed legislation doesn't apply (since the legislation will mandate such signals be sent by all compliant devices).
This means that if and when a web client/device provides a specific signal to the web server, service or application, then and only then would we need to check the age group. However, since Pale Moon is suitable for all age groups (PEGI-3), we effectively don't need to do anything in terms of software availability, structure or implementation.
Since the forum is the only part of our project subject to an age limit (I've set that to 16+ in our forum registration terms), it will be easy to comply with that by checking for a signal from whatever client/device that is covered, and blocking as-needed (e.g. by checking a request header or browser API, if implemented that way -- there are no details surrounding practical implementations yet, so the bill is running ahead of its goal; as a developer, we'd need a detailed API specification to be able to check), which would be similar to receiving a parental control signal but with the difference that parental control would be client-side. Once again, if such a signal isn't received then we can assume the client/device isn't covered and we don't have to restrict anything.
"There is no point in arguing with an idiot, because then you're both idiots." - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

andyprough
Board Warrior
Posts: 1322
Joined: 2020-05-31, 04:33

Re: The site and an idiotic bill

Post by andyprough » 2026-03-12, 12:57

Moonchild wrote:
2026-03-12, 06:28
My business is in Sweden, and only subject to Swedish law.
True, and I have a US-centric viewpoint when looking at potential legal pitfalls.

It's the dollar amount of the potential monetary fines with most of these new laws that catches my attention, and the vague way that most of them are written. They are an overzealous bureaucrat's dream.

Mæstro
Board Warrior
Posts: 1092
Joined: 2019-08-13, 00:30
Location: Casumia

Re: The site and an idiotic bill

Post by Mæstro » 2026-03-12, 16:36

Moonchild wrote:
2026-03-12, 06:28
First off: New York can pass all bills it wants but it's not our task to police the internet, and I will not make it our task…I will not geoblock based on this nonsense… It will be the responsibility of those regions to block outbound access to sites not complying with their local laws, just like any other good authoritarian country does. Otherwise? We don't care.
This is the answer I predicted and hoped to read. Good man! :)
So, the hypothetical:
Aye, I hope even the New York bill remains moot. Planning for such a nightmare scenario is nevertheless wise, and I thank you for giving it attention.

I think the following questions will likely be of interest to any webmaster unhappy enough to be caught up in this in the worst case.
Any of our websites can be hosted in any jurisdiction, so if there's an imposed restriction on geographical server location, it can be moved elsewhere. They are currently not hosted in the USA…and I don't intend to host them there.
Where would you recommend somebody host a server for a personal website if he cannot do so at home, possibly due to unfavourable local laws? Would you know any providers which would not impose Cloudflare or other Pale Moon-unfriendly features?
If you read the bill carefully, you'll notice [that] the bill asks that a website, service or application checks a device API to get a user's age group, and restrict access based on that age group if the site, service or application is age-limited in its content. It is incumbent on the connecting client/device to provide this signal. If such a signal isn't received, then we on our end can rightfully assume it is not a covered manufacturer and this entire proposed legislation doesn't apply… [It would] be easy to comply with [age restrictions] by checking for a signal from whatever client/device that is covered, and blocking as-needed (e.g. by checking a request header or browser API[,] which would be similar to receiving a parental control signal but with the difference that parental control would be client-side.
I imagine that parental control signals like this have likely existed for decades, and your mention of browser headers suggests this can be done without adding even more intrusive JavaScript to websites, even on the server side. Out of curiosity, would you know how servers have traditionally coped with parental control signals?
andyprough wrote:
2026-03-12, 12:57
It's the dollar amount of the potential monetary fines with most of these new laws that catches my attention, and the vague way that most of them are written. They are an overzealous bureaucrat's dream.
The egregious vagueness stood out to me, too. The way I first read it, I thought it was asking that, whenever Chalmers tries to access Wikipedia from his Utica home, the Wikimedia Foundation (or, at its most extreme, the whole Wikipedia community!), as a covered developer, must contact either HP or Microsoft (who would both literally qualify as covered manufacturers) on the spot about whether Chalmers’ computer supposedly belongs to an adult upon determining where he is, at least, if Chalmers ‘launches’ Wikipedia, whatever that is supposed to mean for a static site. I doubted this was quite how it was meant, but it is not as if the intended reading is much better.

Gemmaugr
Astronaut
Posts: 551
Joined: 2025-02-03, 07:55

Re: The site and an idiotic bill

Post by Gemmaugr » 2026-03-12, 17:12

Even if the Digital ID/Age Verification law is passed in another country, that hasn't stopped Australia and UK from trying to impose it on others. Geoblocking was required from one site to not get Australian fines (and Australian VPNs have since skyrocketed https://reclaimthenet.org/australia-age ... -vpn-surge).

Also, Florida getting in on it too: https://reclaimthenet.org/florida-gives ... -id-checks
Mæstro wrote:
2026-03-12, 16:36

Where would you recommend somebody host a server for a personal website if he cannot do so at home, possibly due to unfavourable local laws? Would you know any providers which would not impose Cloudflare or other Pale Moon-unfriendly features?
I've heard LeaseWeb is quite okay. One of the Free Speech forums I frequent uses it.
"Judge a person not by their superficial identity attributes, but by the content of their character."
"Organized Identity Politics are the bane of civilized society."
"Cognitive dissonance hypocrisy is a pandemic."
"Capitalism is the worst form of economic system, except for all the others."

andyprough
Board Warrior
Posts: 1322
Joined: 2020-05-31, 04:33

Re: The site and an idiotic bill

Post by andyprough » 2026-03-12, 17:59

Mæstro wrote:
2026-03-12, 16:36
I doubted this was quite how it was meant, but it is not as if the intended reading is much better.
Intentional vagueness can leave a law like that open to interpretation, and at least in the US we are commonly seeing some pretty wild and crazy judicial interpretations. People literally get thrown in jail over this kind of stuff.
Gemmaugr wrote:
2026-03-12, 17:12
Even if the Digital ID/Age Verification law is passed in another country, that hasn't stopped Australia and UK from trying to impose it on others.
Yes, this kind of "long-arm" jurisdiction posture is worrisome.

Moonchild
Project founder
Posts: 39119
Joined: 2011-08-28, 17:27
Location: Sweden

Re: The site and an idiotic bill

Post by Moonchild » 2026-03-12, 18:30

Mæstro wrote:
2026-03-12, 16:36
Where would you recommend somebody host a server for a personal website if he cannot do so at home, possibly due to unfavourable local laws?
I'd have recommended Afterburst but it looks like the AI bubble is putting them out of business, so just a more generic recommendation to look at VPS providers that have a decent track record and have been in business for a while. If it's just for a personal website with very little traffic, then you could use shared hosting as well which tends to be very cheap.
Mæstro wrote:
2026-03-12, 16:36
providers which would not impose Cloudflare
VPS providers should never impose CloudFlare. I don't know about shared hosting.
Mæstro wrote:
2026-03-12, 16:36
mention of browser headers this can be done without adding even more intrusive JavaScript to websites
I surely hope it becomes an agreed-on request header and not JS.
Mæstro wrote:
2026-03-12, 16:36
Out of curiosity, would you know how servers have traditionally coped with parental control signals?
They haven't, because parental controls are client-side! The server isn't involved. Parental controls prevent requests from being made to begin with.

andyprough
Board Warrior
Posts: 1322
Joined: 2020-05-31, 04:33

Re: The site and an idiotic bill

Post by andyprough » 2026-03-12, 18:35

$10,000 per violation.

So, if your script that checks for an age verification API happens to be down for the weekend, and 1,000 New Yorkers happen to visit your website over the weekend, you could get a bill on Monday for $10 million dollars.

Think about that.

Moonchild
Project founder
Posts: 39119
Joined: 2011-08-28, 17:27
Location: Sweden

Re: The site and an idiotic bill

Post by Moonchild » 2026-03-12, 18:53

andyprough wrote:
2026-03-12, 18:35
Think about that.
I did, when the UK's Online Safety Act was passed and they were starting to try and probe businesses outside of the UK. And I concluded that they simply have no legal reason to impose any fines for laws that apply to the UK only. The same goes for the USA, for Australia, for any other area looking at these things. It is utter nonsense to even consider it. Unless I operate my business in a region that has these kinds of laws in effect, there is simply no way these arbitrary laws and fines can be imposed.

The premise is also a little weird:
andyprough wrote:
2026-03-12, 18:35
if your script that checks for an age verification API happens to be down for the weekend
What makes you think that such a script can be "down" when the actual site is not?

andyprough
Board Warrior
Posts: 1322
Joined: 2020-05-31, 04:33

Re: The site and an idiotic bill

Post by andyprough » 2026-03-12, 19:01

Moonchild wrote:
2026-03-12, 18:53
Unless I operate my business in a region that has these kinds of laws in effect, there is simply no way these arbitrary laws and fines can be imposed.
Yes, we already established that. I, on the other hand, am under the thumb of every legislator in 50 jurisdictions nationwide, and under the thumb of all their Attorneys General. And my country would probably allow the enforcement of UK and Australian judgments against me just for their amusement.
Moonchild wrote:
2026-03-12, 18:53
What makes you think that such a script can be "down" when the actual site is not?
This is all hypothetical stuff. You also won't literally get a bill for $10 million on Monday - that would take at least until Tuesday. I'm just thinking out loud while I'm typing.

Mæstro
Board Warrior
Posts: 1092
Joined: 2019-08-13, 00:30
Location: Casumia

Re: The site and an idiotic bill

Post by Mæstro » 2026-03-12, 23:38

My thanks again to Moonchild for answering those further questions.

To build upon Prough’s comment, since there are important US American developers for the Pale Moon project, and the bill is ambiguous, it is prudent to consider, as we have been doing, possible hazards for those developers if their involvement with a non-commercial browser and website is misunderstood by a dimwitted judge or prosecutor who is incapable of grasping what open source means. His report on Floridian developments mentions that a judge is soon to evaluate whether this family of law is legal by US American law. The results of that will be interesting.

andyprough
Board Warrior
Posts: 1322
Joined: 2020-05-31, 04:33

Re: The site and an idiotic bill

Post by andyprough » 2026-03-13, 00:00

Mæstro wrote:
2026-03-12, 23:38
His report on Floridian developments ...
That report is cited by @Gemmaugr

Just thought I'd give credit where it is due, especially since I haven't read the Florida report yet. I'm sure it is full of bad ideas.

Mæstro
Board Warrior
Posts: 1092
Joined: 2019-08-13, 00:30
Location: Casumia

Re: The site and an idiotic bill

Post by Mæstro » 2026-03-13, 00:30

Oops, I forgot who had posted it when writing. :oops:

I was coming back to edit that post to add something else I have found, in any case. These developments are not strictly Anglo-Saxon, for the European Union have our own guidelines. The guidelines feature a compliant, open-source reference implementation. The DSA as such should not apply to this board, thanks to our small size, but studying the reference would surely shed some light on this.

frostknight
Keeps coming back
Posts: 959
Joined: 2022-08-10, 02:25

Re: The site and an idiotic bill

Post by frostknight » 2026-03-13, 03:57

Moderator note: Post content removed for pushing specific strong political viewpoints.
Not necessary for this discussion.
Freedom is never more than one generation away from extinction. Feelings are not facts
If you wish to be humbled, try to exalt yourself long term If you wish to be exalted, try to humble yourself long term
Favourite operating systems: Hyperbola Devuan OpenBSD
Say NO to Fascism and Corporatism as much as possible!
Also, Peace Be With us All!

Mæstro
Board Warrior
Posts: 1092
Joined: 2019-08-13, 00:30
Location: Casumia

Re: The site and an idiotic bill

Post by Mæstro » 2026-03-13, 04:32

Although expressing our attitudes about a bill qualifies as political by definition, its political aspect is incidental. I kindly suggest, while it can be done informally, we avoid making it central by discussing whether certain factions are good or bad. The more valuable question, for this board’s purposes, is what practical bearing policy like this might have on non-commercial webmasters and open-source programmers.

Moonchild
Project founder
Posts: 39119
Joined: 2011-08-28, 17:27
Location: Sweden

Re: The site and an idiotic bill

Post by Moonchild » 2026-03-13, 05:53

I looked through the EU documentation and it simply does not provide applicable information. It's presented as a "stop-gap measure" until EUID is rolled out end of this year (?) and the "reference implementation" presented makes a lot of assumptions, is opaque, and is React/TypeScript based (i.e. typical front-end work assuming Blink), as well as everything specifically geared to "over 18" age limits for adult content. None of that applies here. It goes into detail about "how to provide attestation" and is therefore a guidebook on creating age verification apps or services, but it barely skims over the part where site operators (i.e. "relying parties") should request and verify an age signal, even in the "technical specification" which reads like a half-assed RFC in initial structure, but ultimately is a management document, not a tech spec. Everything is way too high level other than some examples at the end where it just shows the generic JSON structures of a specific API implementation, and some vague reference that a relying party needs to make sure the response comes from a vetted list of trusted sources published by the European Commission.
Even so, none of that is relevant here. Our scope and this forum's nature make us neither a digital service provider nor social media. If it would come to a point, I'd sooner drop the arbitrary age limit I set to clearly indicate this forum is not "designed for young kids" than enforce any sort of ID or age verification sledgehammer.

therube
Board Warrior
Posts: 1761
Joined: 2018-06-08, 17:02

Re: The site and an idiotic bill

Post by therube » 2026-03-16, 17:29

(Aside from the monetary penalty end & whatnot, this is related, The Movement To Restrict Minors' Social Media Use.
[The actual talk starts at 4:10.])

Stargate38
Fanatic
Posts: 101
Joined: 2018-05-27, 22:55
Location: Earth

Re: The site and an idiotic bill

Post by Stargate38 » 2026-03-19, 15:00

$10,000 per offense? If it does pass, someone should sue NY for violation of the Eighth Amendment. Also, any type of age verification system that requires you to show your face or ID violates the rights to anonymity, thus violating the First Amendment (it has been ruled before that anonymity is a First Amendment right), as well as the right to privacy.

In other words, this bill is a blatant violation of the U.S. Constitution and Bill of Rights. Same goes with the "You must check the kid-friendly checkbox on kid-friendly Youtube videos, or be fined $42,000" law. That one is even more in violation of the Eighth Amendment, as it imposes a huge fine on those who don't check that checkbox, and it's enough money to buy a new car. Instead, they need to make it completely optional to check that box, as people have a fundamental right not to check it. Seriously, the fine should be abolished for that, and I'm hoping that NY bill doesn't pass.

It's weird how lawmakers use the "Think of the children" argument. As someone on Reddit said, that's what pedophiles do all the time, in a twisted and extremely evil way. It should be up to the parents to protect children from these offenders on the Internet, not the governments. Just keep an eye on what websites they access, and who they chat with. Do NOT let them access the Internet unattended.