Alec Muffett

Alec is a technologist, writer & security consultant who has worked in host and network security for more than 30 years, with 25 of those in industry.

Rss preview of Blog of Alec Muffett

Jess Miers on Bluesky and Age Verification: “why no pushback?”

2025-07-12 05:53:12

Thread:

“I completely understand bluesky’s hand being forced to comply in the UK … But I also agree that there was an opportunity here for [BS] to at least push back on the rhetoric and highlight that age verification makes its users LESS safe.”

Having worked for Google, I completely understand bluesky's hand being forced to comply in the UK. Blame the regulators. But I also agree that there was an opportunity here for @bsky.app to at least push back on the rhetoric and highlight that age verification makes its users LESS safe.

Jess Miers (@jmiers230.bsky.social) 2025-07-11T13:45:17.062Z

Bluesky, Britain, Age-Verification, Age-Attestation, and Railway Trains | …what child-protection measures British Civil Society *ought* to be demanding

2025-07-11 17:14:55

A friend/peer asked me “What are you going to do about Bluesky’s announcement of Age Verification?” as recently described in the Verge — and this is my response:


At the moment I am going with “point and laugh, loudly” because if you pick a side then various self-righteous twerps will either chide you for not protecting children, or they will chide you for not being sympathetic to Bluesky being at the mercy of draconian law (“but what can we do, mustn’t grumble, etc etc…”).

I feel that we should take a different approach.

I believe that [British Civil Society] severely mishandled the Online Safety Act, in many respects caving to the child protection and age verification lobbies in a manner which I presume was meant to keep us with a seat at the table but which has in the process sold out the privacy of the internet user.

What we should have been doing on this matter is fighting a similar fight to that which we saw during COVID – demanding (once we worked out / it was announced that it was possible) that platforms solve the problem in a privacy-preserving manner, rather than each and every nation-state being free to (in that case) squirt its own infected-person-tracking code into each and every Android and iOS device in the world.

With respect to age verification, we should have led with three observations: 

  1. that the current system of age verification for buying (e.g.) booze in shops works because vendors are obligated to accept reasonable credentials being presented to them (flashing your driver’s licence, etc);
  2. that it is entirely possible to replicate this architecture in a privacy-preserving manner with digital credentials as [some kind of] “bearer” tokens, [for trivial example] an HTTP header which contains a token saying “the user of this web browser is over 18 but not over 40, do with this information what you will”;
  3. that the architectural choice to burden and obligate {vendors, platforms, social media, other age-dependent sites} with engaging third party AV service providers, both (a) proliferates user data unnecessarily (see above) plus (b) worsens the user experience by obligating the user to jump through hoops in order to buy something (different providers for different vendors) — when in fact they should just have a single credential which they can flash at the vendor web server.
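
The architecture in point 2, sketched as an added example that is not from the original post: an attester chosen by the user signs an age-band claim, the browser presents it in a request header, and the vendor checks it using only the attester's public key. The header name `Age-Attestation`, the token layout, the expiry field and the choice of Ed25519 signatures are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
	"time"
)

const headerName = "Age-Attestation" // hypothetical header name, not a standard
var b64 = base64.RawURLEncoding

type AgeClaim struct { // age band and expiry only: no name, birth date or account id
	MinAge, MaxAge int
	Exp            int64 // Unix seconds
}

// Issue is run by the attester the user chose; it signs the serialized claim.
func Issue(priv ed25519.PrivateKey, c AgeClaim) string {
	body, _ := json.Marshal(c)
	return b64.EncodeToString(body) + "." + b64.EncodeToString(ed25519.Sign(priv, body))
}

// Verify is run by the vendor, which holds only the attester's public key.
func Verify(pub ed25519.PublicKey, h http.Header, need int, now time.Time) error {
	b, s, _ := strings.Cut(h.Get(headerName), ".")
	body, err1 := b64.DecodeString(b)
	sig, err2 := b64.DecodeString(s)
	if err1 != nil || err2 != nil || !ed25519.Verify(pub, body, sig) {
		return fmt.Errorf("missing, malformed or wrongly signed token")
	}
	var c AgeClaim
	if json.Unmarshal(body, &c) != nil || now.Unix() >= c.Exp {
		return fmt.Errorf("unreadable or expired claim")
	}
	if c.MinAge < need {
		return fmt.Errorf("attested band %d-%d is below threshold %d", c.MinAge, c.MaxAge, need)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair
	h := http.Header{}
	h.Set(headerName, Issue(priv, AgeClaim{18, 40, time.Now().Add(time.Hour).Unix()}))
	fmt.Println("18+ site:", Verify(pub, h, 18, time.Now()), "| 21+ site:", Verify(pub, h, 21, time.Now()))
}
```

Because the same signed string would be presented to every site, a short expiry or per-site issuance is needed to keep the token itself from becoming a tracking identifier.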

It’s interesting to see that both Google and the W3C are starting to stick their noses into the latter [kinds of] solutions, so Britain – by “leading the way” – may have backed itself into a corner from which it will not readily emerge. Much like the railways we will lay down this [legal and regulatory infrastructure] early and come to regret it later.

[Basically: much like what happened to the original GCHQ/UK-Homebrew COVID-tracing app, but where the cost is smeared over everyone rather than coming exclusively from NHS coffers.]

So that’s why I’m going to “point and laugh” – because it’s not polite to criticise Bluesky for fulfilling its obligations under British law, however they will serve as a tragic example re: how precipitously user engagement will drop off under the “vendor-initiated” age verification regime, because we are all following Baroness Kidron’s illiberal march towards a safer world for our children, informed by the rent-seeking instincts of the age verification industry – as I first documented in 2016.

Instead we need a world of “user-initiated” bearer-type tokens to fulfil age-verification obligations [- which themselves, in turn, should be minimised -] and we will also need civil society like ourselves to hold our noses re: the likely fact that this would (short term) put incrementally more information and power into the hands of Apple and Google – although in the ideal circumstance users should be enabled to purchase “age-attestation” services from whomever they like.

Instagram wrongly says some users breached child sex abuse rules | BBC News

2025-07-09 18:20:03

Instagram users have told the BBC of the “extreme stress” of having their accounts banned after being wrongly accused by the platform of breaching its rules on child sexual exploitation.

https://www.bbc.co.uk/news/articles/cy8kjdz9nr3o

I’m delighted to find that “The Internet Oracle” is still going, some 36+ years after it started

2025-07-09 13:48:56

One of the earliest and greatest experiments in crowdsourcing, and a staple of USENET humour & shared culture:

The Internet Oracle has pondered your question deeply, and in response, thus spake the Oracle:

https://internetoracle.org/digest.cgi?N=1613