"You" probably don't, but it's not just "you". There's also the counterparty who's asking to see that report. Maybe they're doing it for paper-pushing purposes of their own, but ultimately, somewhere up the chain, there's someone thinking "I can't personally audit all my suppliers, and I can't be sure they're doing the right thing, so I'm going to ask them to get an independent audit".
Of course, this shows that the entire system is a bit of a charade, but the point is that someone cares and they're gonna be annoyed when they find out that the audit appears to be a sham.
Whether they have a good alternative is a separate question. But here's another way to look at it: if we show blatant disregard for self-regulation, the government is eventually going to show up and come up with more onerous rules.
Is it true, though? Or has everyone just been psyched into asking for that certification out of a vague fear of "consequences" or of being left behind?
It's not either-or. Companies care about security because of the consequences. If you're a big company contracting a small one, you don't want to get owned through that vendor because you know you'll be the one holding the bag (data loss, reputational damage, regulatory scrutiny, lawsuits).
Small vendors will tell you what you want to hear because they're desperate for your business. Independent auditing is, in theory, a way to get closer to the ground truth. Well, in theory.
Probably not, in fact your auditors not being terribly thorough might be a selling point. But your clients, who are the ones asking for the box to be checked, might.
In my experience, clients don't dig deeply into the report or the auditor, they just want to see that you 1) have the report 2) it doesn’t have any egregious exceptions. Perhaps if this makes big enough news, that’ll change.
As the company? No. In fact, it's likely better for you if they do a bad job. You potentially get shielded from blame, but don't actually have to put in the work.
As a user/customer/potential victim? Yeah, you do.
My point is that model providers are just a compute service, and should have no say in what sends the data, or displays the data. Especially when they only bill based on the quantity of data.
They have an API for exactly that. You can use it.
They offer a separate plan with discounts for use with their tools. You can also choose to take advantage of those discounts with the monthly fee, within the domain where that applies. You cannot, however, expect to demand that discount to apply to anything you want.
You can argue about what you want it to be all day long, but when you go to the subscription page and choose what to purchase it's very clear what you're getting.
> They are basically a utility
Utilities like my electric company also have different plans for different uses. I cannot, for example, sign up for a residential plan and then try to connect it to my commercial business, even though I'm consuming power from them either way.
Utilities do not work like that. They do have contractual agreements about how you can use the resources provided.
By adding a simple birthdate field to your account info and a system API of some sort for retrieving the account owner's age range, same as everyone else.
Why not? They're definitely not perfect security boundaries, but neither are VMs. I think containers provide a reasonable security/usability tradeoff for a lot of use cases including agents. The primary concern is kernel vulnerabilities, but if you're keeping your kernel up-to-date it's still imo a good security layer. I definitely wouldn't intentionally run malware in it, but it requires an exploit in software with a lot of eyes on it to break out of.
It's certainly better than nothing. Hence "probably doesn't matter too much in this context" - but of course it always matters what your threat model is. Your own agents under your control with aligned models and not interacting with attacker data? Should be fine.
But too many people just automatically equate docker with strong secure isolation and... well, it can be, sometimes, depending a hundred other variables. Thus the reminder; to foster conversations like this.
counter-intuitively, the fact that docker on the mac requires a linux-based VM makes it safer than it otherwise would be. But your point stands in general, of course.
I'm probably missing something, but when I read the California statute I didn't understand it to be anything like "computers enforcing age" - more like, when you create an account it needs to ask your age, and then provide a system API by which apps can ask what bracket the account holder is in. This seems better than the current solution of every app asking independently?
Again, I'm probably missing something but it strikes me as pretty trivial to comply with?
The government really shouldn't be telling us how/what we can compute at all.
But on this specific point - It's a bellwether. They're doing this to lay the groundwork and test the waters for compulsory identification and/or age verification. Getting MacOS and Windows and Linux and etc to implement this WILL be used as evidence that compulsory identity verification for computer use is legally workable.
>The government really shouldn't be telling us how/what we can compute at all.
You could say the same thing about restaurants. "The government really shouldn't be telling us how/what we can cook at all."
When you are selling a product to the public, that is something that people have decided the government can regulate to reduce the harms of such products.
I think it's a bit more analogous to the government telling you what you can cook in your own kitchen. Sure I might have some friends over, maybe even some strangers, but it would be quite overbearing to hold my personal kitchen to the same standard as a restaurant.
And there's not really a clear+observable difference between the two on the internet. The biggest difference between the NYT and my cousin's blog is scale, which is pretty hard to know up front - HN itself frequently DDOSes tiny websites.
Being "trivial to comply with" is completely disjunct and not at all an argument against "this type of law is fundamentally at odds with the liberty and self-determination that open source projects require and should protect." It's a shot across the bow to open-source, it's literally the government telling you what code your computer has to run. It is gesturing in the direction of existential threat for Free software and I am not exaggerating. It's purposefully "trivial" so you don't notice or protest too much that this is the first time the State is forcing you to include something purely of their own disturbed ideation in your creative work.
Free software is already mandated to do a lot of things, like not defraud the user. If you make a bitcoin wallet that sends 5% of your money to the developer without asking I'm pretty sure you'll be prosecuted, so the government is compelling you to ask the user for consent to do that.
When you make food you're compelled to write the ingredients. We tolerate these because they are obvious and trivial, but pedantically, food labelling laws also violate the first amendment.
> Free software is already mandated to do a lot of things, like not defraud the user.
Surely you recognize the difference between "you cannot go out of your way to do crime" and "your software must include this specific feature"??
> When you make food you're compelled to write the ingredients.
Well, the point about how this affects open source is that under a similar California law, every home kitchen would need to be equipped with an electronic transponder whose purpose is to announce to the world what ingredient bucket you used for tonight's casserole.
In the earnest interpretation of your question that presumes you're not trying to drag this into a quagmire of nitpicking over the metaphor, the analogous part of the California law to the casserole ingredient advertisement is announcing the user's age bucket to the world. The world being, any app or website that happens to ask for it. I don't know why you brought browser histoy into this, it's not in the law and I didn't mention it.
Anyway, the whole point of the metaphor, because I feel like I will have to explain it, is that we don't put these onerous "required labeling" rules in place for private individuals going about their own lives. So just like you don't have to tell anyone who asks what you put in your dinner last night, private individuals should not have to tell anyone who asks (websites, apps) what age demographic they fall into.
Note: this is one of many arguments I endorse against this type of law. This shouldn't be interpreted as "so that's all you're worried about?" just because we dissected it in detail here.
If that’s true, I think the law is fine. There are good solutions for anonymous disclosure of information about you, the most mature being Verifiable Credentials, which is an open standard: https://en.wikipedia.org/wiki/Verifiable_credentials
You can disclose just a subset of a credential, and that can be a derived value (eg age bracket instead of date of birth), and a derived key is used so that its cryptographically impossible to track you. I wish more people discussed using that, but I suspect that it’s a bit too secure for their real intentions.
In general, any proposal to use government ID for "age verification" over the internet is going to end in someone using it for mass surveillance, and it's probably not wrong to suspect that as the intention to begin with.
There is no benefit in doing that because parents already know how old their kid is. They don't need the government to certify it to them, and then they can configure the kid's device not to display adult content.
Involving government ID is pointless because the parent, along with the large majority of the general population, has an adult ID, and therefore has the ability to configure the kid's device to display adult content or not even in the presence of an ID requirement if that's what they want to do. At which point an ID requirement is nothing but a footgun to "accidentally" compromise everyone's privacy. Unless that was the point.
I don't know what the proposal for doing this in the US looks like, but the alternative I mentioned with Verifiable Presentations being used was designed to strictly prevent tracking, hence it's useless for mass surveillance. I would love to engage on discussions about the technical side of it and how the EU is currently developing its own identification system based on that, but this thread seems to be purely about politics unfortunately.
And those are better than the ones that do involve ID, which also exist, but not as good as the thing where the service tells your device the rating of the content instead of the user telling the service their age.
How would that work when the service has mixed content? You'd have to go to kids.facebook.com to get the child-friendly version? With a client-sent signal they can just filter it, the same way Accept-Language can automatically translate the UI.
Agreed. Which is why I think the OS level is dumb. Kids can just live boot or launch a vm or keylog their parents' account.
If it's windows, they can just live boot into the OS and get access to pretty much all the files anyway, if the parent didn't encrypt things.
My point is, if the implementation is trivial to bypass, why do we need this legislation? Just let the parents use the existing tools we have and parent.
Elements that contain adult content are tagged and then the user agent doesn't display them.
This also has the extremely useful benefit of making you aware that something is being censored, because then it has a censorship box in place of the content. Whenever censorship is happening it should be flagrantly conspicuous rather than invisible.
It doesn't even need to be that complicated. OS asks you your birthday at setup time. Stores it. Later, an app asks whether the user falls into one of the following brackets:
A) under 13 years of age, or B) at least 13 years of age and under 16 years of age, or C) at least 16 years of age and under 18 years of age or D) at least 18 years of age.
that's it. The OS can decide how it wants to implement that, but personally I'd literally just do get_age_bracket_enum(now() - get_user_birthday());
I think the uproar comes because the well is already poisoned. People are already trained to respond with an outburst of anger to any law that mentions the age of the user, and will find excuses to rationalize that outburst, even when the law isn't that bad.
I mean, "compelled speech"? Really? That's people's argument? This is about as bad as the government compelling you to write a copyright notice.
Compelled speech is bad and it’s something we don’t do, at all. All kinds of bad things come with compelled speech. Mandatory loyalty oaths, erosion of the fifth amendment, compelled work to weaken encryption, etc.
The well should be poisoned. The whole idea is poison.
I don’t oppose limited regulation of messaging regarding products that are for sale, as long as they are aimed at ensuring that buyers have full and correct information about what they’re buying. Also some limited safety regulation on products, but I do think you should be allowed to buy/sell “unsafe” things if you really want to (if properly labeled).
Regulation of products for sale is in line with the commerce clause. (I also think federal regulations on this should comply with the 10th amendment and not apply to local-only products. Wickard v. Filburn was a poor decision.)
The boundary between what is speech and commerce can be fuzzy, but if something is free and provides no profit to its maker then it’s obviously not commerce.
As a mobile dev at YouTube I'd periodically scroll through crash reports associated with code I owned and the long tail/non-clustered stuff usually just made absolutely no sense and I always assumed at least some of it was random bit flips, dodgy hardware, etc.
I heard the same thing from a colleague who worked on a Dutch banking app, they were quite diligent in fixing logic bugs but said that once you fix all of those, the rest is space rays.
As an aside, Apple and Google's phone home crash reports is a really good system and it's one factor that makes mobile app development fun / interesting.
For the Mastodon Android app, I also sometimes see crashes that make no sense. For example, how about native crashes, on a thread that is created and run by the system, that only contains system libraries in its stack trace, and that never ran any of my code because the app doesn't contain any native libraries to begin with?
Unfortunately I've never looked at crashes this way when I worked at VKontakte because there were just too many crashes overall. That app had tens of millions of users so it crashed a lot in absolute numbers no matter what I did.
Well, vendors' randomly modified android systems are chock full of bugs, so it could have easily been some fancy os-specific feature failing not just in your case, but probably plenty other apps.
Usually I'd just look at clusters of crashes (those that had similar stack traces) but sometimes when you're running a very small % experiment there's not enough signal so you end up looking at everything. And oh boy was there a lot of noise.
In an app with >billion users you get all kinds of wild stuff.
reply