California's bill CA AB 2273, designed to enact the Age-Appropriate Design Code (AADC) is just one among the bills raising concerns in terms of how they might negatively affect the web going forward.
Like their counterparts in the EU, legislators in California, according to their critics, present online child safety as their only goal – and a stated desire to improve this is hard to argue with, even when arguments are valid – such as that the proposed bills may in fact do nothing to better protect children, while eroding the rights of every internet user.
Among other things, AB 2273 aims to require sites and apps to authenticate the age of all their users before allowing access. Attempts to introduce mandatory age authentication have also cropped up in other jurisdictions before, but have proven controversial, technically difficult to implement, with a high potential to compromise user data collected in this way, and intrusive to people's privacy.
In California, the situation doesn't look much different as critics of this bill say that authentication will require site operators and businesses to deal with personal data collection from every user, and worry about using and storing it securely.
We obtained a copy of the bill for you here.
In addition, some kind of government-issued ID – or surrendering biometric data such as that collected through facial recognition – is necessary to prove one's age in the first place; and this is where forcing sites and services to require this information would effectively mean the end of anonymity online.
As ever, this is a threat that is disproportionately felt by vulnerable categories of internet users such as various dissidents, contrarians, minorities, as well as whistleblowers and activists. And, the right to remain anonymous online also ties in with First Amendment protections in the US.
Anonymity is under threat considering that age authentication would be imposed on all internet users, and it also means that the way people use the internet today would change for good from the user experience point of view, with “age authentication walls” raised by websites. On top of that, the verification would have to be persistent (or require users to repeat the process each time they access a site or service), further aggravating privacy and data security concerns.
2022 is the year of US (midterm) elections, so focusing on this type of “feelgood” legislation, such as making children safe, is a way politicians are expected to pander to their constituencies, regardless of all the “unintended consequences” or even the low likelihood that the scheme could be efficiently implemented, purely from the technical point of view.
In other words, these proposals are not properly thought through or debated, and aren't even based on particularly successful attempts to square the same circle elsewhere in the world. The AADC is said to be inspired by UK's Children's Code, aka, Age Appropriate Design Code, which is a set of standards.
With the California proposal, the scope of issues covered by the bill is of particular concern to its critics. Privacy and safety of children are only one direct component, with others reaching as far as content moderation and consumer protection in general.
This raises fears among those critical of the bill that broad regulation of the internet could be introduced thanks to a seemingly innocuous act, in effect giving California Privacy Protection Agency (CPPA) new powers that would allow it to start acting as the state's overall internet regulator.
And the CPPA is seen as an agency that is neither interested nor competent enough to strike the right balance between a number of sensitive issues that would be covered by the new law, while at the same time getting the chance to usher in more censorship.
US federal legislation that deals with the same issue, Children's Online Privacy Protection Rule (COPPA) kicks in when online services are aware that their users are younger than 13; with the CPPA, these services are expected to assess when it is “reasonable to expect” a child – under 18- might be accessing them.
The plan is currently for the act to become law and be enforced to enact the AADC starting July 1, 2024, but the current wording of the draft leaves it unclear who exactly, and how would enforce it.
Critics warn that among those considered in California this year, AB 2273 is a bill of particular concern, given the possible consequences.