age appropriate design code – Techdirt (original) (raw)

Ctrl-Alt-Speech: ChatGPT Told Us Not To Say This, But YOLO

from the ctrl-alt-speech dept

Ctrl-Alt-Speech is a weekly podcast about the latest news in online speech, from Mike Masnick and Everything in Moderation‘s Ben Whitelaw.

Subscribe now on Apple Podcasts, Overcast, Spotify, Pocket Casts, YouTube, or your podcast app of choice — or go straight to the RSS feed.

In this week’s round-up of the latest news in online speech, content moderation and internet regulation, Mike is joined by guest host Daphne Keller, the Director of the Program on Platform Regulation at Stanford’s Cyber Policy Center. They cover:

This episode is brought to you with financial support from the Future of Online Trust & Safety Fund.

Filed Under: age appropriate design code, chatgpt, content moderation, dsa, kosa, ninth circuit
Companies: patreon, tiktok, twitter, x, yolo, youtube

Court Sees Through California’s ‘Protect The Children’ Ruse, Strikes Down Kids Code

from the gee,-who-could-have-predicted dept

Friday morning gave us a nice victory for free speech in the 9th Circuit, where the appeals court panel affirmed most of the district court’s ruling finding California’s “Age Appropriate Design Code” unconstitutional as it regulated speech.

There’s a fair bit of background here that’s worth going over, so bear with me. California’s Age Appropriate Design Code advanced through the California legislature somewhat quietly, with little opposition. Many of the bigger companies, like Meta and Google, were said to support it, mainly because they knew they could easily comply with their buildings full of lawyers, whereas smaller competitors would be screwed.

Indeed, for a period of time it felt like only Professor Eric Goldman and I were screaming about the problems of the law. The law was drafted in part by a British Baroness and Hollywood movie director who fell deep for the moral panic that the internet and mobile phones are obviously evil for kids. Despite the lack of actual evidence supporting this, she has been pushing for laws in the UK and America to suppress speech she finds harmful to kids.

In the US, some of us pointed out how this violates the First Amendment. I also pointed out that the law is literally impossible to comply with for smaller sites like Techdirt.

The Baroness and the California legislators (who seem oddly deferential to her) tried to get around the obvious First Amendment issues by insisting that the bill was about conduct and design and not about speech. But as we pointed out, that was obviously a smokescreen. The only way to truly comply with the law was to suppress speech that politicians might later deem harmful to children.

California Governor Gavin Newsom eagerly signed the bill into law, wanting to get some headlines about how he was “protecting the children.” When NetChoice challenged the law, Newsom sent them a very threatening letter, demanding they drop the lawsuit. Thankfully, they did not, and the court saw through the ruse and found the entire bill unconstitutional for the exact reasons we had warned the California government about.

The judge recognized that the bill required the removal of speech, despite California’s claim that it was about conduct and privacy. California (of course) appealed, and now we have the 9th Circuit which has mostly (though not entirely) agreed with the district court.

The real wildcard in all of this was the Supreme Court’s decision last month in what is now called the Moody case, which also involved NetChoice challenging Florida’s and Texas’ social media laws. The Supreme Court said that the cases should be litigated differently as a “facial challenge” rather than an “as-applied challenge” to the law. And it seems that decision is shaking up a bunch of these cases.

But here, the 9th Circuit interpreted it to mean that it could send part of the case back down to the lower court to do a more thorough analysis on some parts of the AADC that weren’t as clearly discussed or considered. In a “facial challenge,” the courts are supposed to consider all aspects of the law, and whether or not they all violate the Constitution, or if some of them are salvageable.

On the key point, though, the 9th Circuit panel rightly found that the AADC violates the First Amendment. Because no matter how much California claims that it’s about conduct, design, or privacy, everyone knows it’s really about regulating speech.

Specifically, they call out the DPIA requirement. This is a major portion of the law, which requires certain online businesses to create and file a “Data Protection Impact Assessment” with the California Attorney General. Part of that DPIA is that you have to explain how you plan to “mitigate the risk” that “potentially harmful content” will reach children (defined as anyone from age 0 to 18).

And we’d have to do that for every “feature” on the website. Do I think that a high school student might read Techdirt’s comments and come across something the AG finds harmful? I need to first explain our plans to “mitigate” that risk. That sure sounds like a push for censorship.

And the Court agrees this is a problem. First, it’s a problem because of the compelled speech part of it:

We agree with NetChoice that the DPIA report requirement, codified at §§ 1798.99.31(a)(1)–(2) of the California Civil Code, triggers review under the First Amendment. First, the DPIA report requirement clearly compels speech by requiring covered businesses to opine on potential harm to children. It is well-established that the First Amendment protects “the right to refrain from speaking at all.”

California argued that because the DPIA reports are not public, it’s not compelled speech, but the Court (rightly) says that’s… not a thing:

The State makes much of the fact that the DPIA reports are not public documents and retain their confidential and privileged status even after being disclosed to the State, but the State provides no authority to explain why that fact would render the First Amendment wholly inapplicable to the requirement that businesses create them in the first place. On the contrary, the Supreme Court has recognized the First Amendment may apply even when the compelled speech need only be disclosed to the government. See Ams. for Prosperity Found. v. Bonta, 594 U.S. 595, 616 (2021). Accordingly, the district court did not err in concluding that the DPIA report requirement triggers First Amendment scrutiny because it compels protected speech.

More importantly, though, the Court recognizes that the entire underlying purpose of the DPIA system is to encourage websites to remove First Amendment-protected content:

Second, the DPIA report requirement invites First Amendment scrutiny because it deputizes covered businesses into serving as censors for the State. The Supreme Court has previously applied First Amendment scrutiny to laws that deputize private actors into determining whether material is suitable for kids. See Interstate Cir., Inc. v. City of Dallas, 390 U.S. 676, 678, 684 (1968) (recognizing that a film exhibitor’s First Amendment rights were implicated by a law requiring it to inform the government whether films were “suitable” for children). Moreover, the Supreme Court recently affirmed “that laws curtailing [] editorial choices [by online platforms] must meet the First Amendment’s requirements.” Moody, 144 S. Ct. at 2393.

The state’s argument that this analysis is unrelated to the underlying content is easily dismissed:

At oral argument, the State suggested companies could analyze the risk that children would be exposed to harmful or potentially harmful material without opining on what material is potentially harmful to children. However, a business cannot assess the likelihood that a child will be exposed to harmful or potentially harmful materials on its platform without first determining what constitutes harmful or potentially harmful material. To take the State’s own example, data profiling may cause a student who conducts research for a school project about eating disorders to see additional content about eating disorders. Unless the business assesses whether that additional content is “harmful or potentially harmful” to children (and thus opines on what sort of eating disorder content is harmful), it cannot determine whether that additional content poses a “risk of material detriment to children” under the CAADCA. Nor can a business take steps to “mitigate” the risk that children will view harmful or potentially harmful content if it has not identified what content should be blocked.

Accordingly, the district court was correct to conclude that the CAADCA’s DPIA report requirement regulates the speech of covered businesses and thus triggers review under the First Amendment.

I’ll note that this is an issue that is coming up in lots of other laws as well. For example, KOSA has defenders who insist that it is only focused on design, and not content. But at the same time, it talks about preventing harms around eating disorders, which is fundamentally a content issue, not a design issue.

The Court says that the DPIA requirement triggers strict scrutiny. The district court ruling had looked at it under intermediate scrutiny (a lower bar), found that it didn’t pass that bar, and said even if strict scrutiny is appropriate, it wouldn’t pass since it couldn’t even meet the lower bar. The Appeals court basically says we can jump straight to strict scrutiny:

Accordingly, the court assumed for the purposes of the preliminary injunction “that only the lesser standard of intermediate scrutiny for commercial speech applies” because the outcome of the analysis would be the same under both intermediate commercial speech scrutiny and strict scrutiny. Id. at 947–48. While we understand the district court’s caution against prejudicing the merits of the case at the preliminary injunction stage, there is no question that strict scrutiny, as opposed to mere commercial speech scrutiny, governs our review of the DPIA report requirement.

And, of course, the DPIA requirement fails strict scrutiny in part because it’s obviously not the least speech restrictive means of accomplishing its goals:

The State could have easily employed less restrictive means to accomplish its protective goals, such as by (1) incentivizing companies to offer voluntary content filters or application blockers, (2) educating children and parents on the importance of using such tools, and (3) relying on existing criminal laws that prohibit related unlawful conduct.

In this section, the court also responds to the overhyped fears that finding the DPIAs unconstitutional here would mean that they are similarly unconstitutional in other laws, such as California’s privacy law. But the court says “um, guys, one of these is about speech, and one is not.”

Tellingly, iLit compares the CAADCA’s DPIA report requirement with a supposedly “similar DPIA requirement” found in the CCPA, and proceeds to argue that the district court’s striking down of the DPIA report requirement in the CAADCA necessarily threatens the same requirement in the CCPA. But a plain reading of the relevant provisions of both laws reveals that they are not the same; indeed, they are vastly different in kind.

Under the CCPA, businesses that buy, receive, sell, or share the personal information of 10,000,000 or more consumers in a calendar year are required to disclose various metrics, including but not limited to the number of requests to delete, to correct, and to know consumers’ personal information, as well as the number of requests from consumers to opt out of the sale and sharing of their information. 11 Cal. Code Regs. tit. 11, § 7102(a); see Cal Civ. Code § 1798.185(a)(15)(B) (requiring businesses to conduct regular risk assessments regarding how they process “sensitive personal information”). That obligation to collect, retain, and disclose purely factual information about the number of privacy-related requests is a far cry from the CAADCA’s vague and onerous requirement that covered businesses opine on whether their services risk “material detriment to children” with a particular focus on whether they may result in children witnessing harmful or potentially harmful content online. A DPIA report requirement that compels businesses to measure and disclose to the government certain types of risks potentially created by their services might not create a problem. The problem here is that the risk that businesses must measure and disclose to the government is the risk that children will be exposed to disfavored speech online.

Then, the 9th Circuit basically gives up on the other parts of the AADC. The court effectively says that since the briefing was so focused on the DPIA part of the law, and now (thanks to the Moody ruling) a facial challenge requires a full exploration of all aspects of the law, the rest should be sent back to the lower court:

As in Moody, the record needs further development to allow the district court to determine “the full range of activities the law[] cover[s].” Moody, 144 S. Ct. at 2397. But even for the remaining provision that is likely to trigger First Amendment scrutiny in every application because the plain language of the provision compels speech by covered businesses, see Cal. Civ. Code §§ 1798.99.31(a)(7), we cannot say, on this record, that a substantial majority of its applications are likely to fail First Amendment scrutiny.

For example, the Court notes that there’s a part of the law dealing with “dark patterns” but there’s not enough information to know whether or not that could impact speech or not (spoiler alert: it absolutely can and will).

Still, the main news here is this: the law is still not going into effect. The Court recognizes that the DPIA part of the law is pretty clearly an unconstitutional violation of the First Amendment (just as some of us warned Newsom and the California legislature).

Maybe California should pay attention next time (he says sarcastically as a bunch of new bad bills are about to make their way to Newsom’s desk).

Filed Under: 9th circuit, aadc, ab 2273, age appropriate design code, california, dpia, gavin newsom, protect the children, rob bonta
Companies: netchoice

Google Decides To Pull Up The Ladder On The Open Internet, Pushes For Unconstitutional Regulatory Proposals

from the not-cool dept

It’s pretty much the way of the world: beyond the basic enshittification story that has been so well told over the past year or so about how companies get worse and worse as they get more and more powerful, there’s also the well known concept of successful innovative companies “pulling up the ladder” behind them, using the regulatory process to make it impossible for other companies to follow their own path to success. We’ve talked about this in the sense of political entrepreneurship, which is when the main entrepreneurial effort is not to innovate in newer and better products for customers, but rather using the political system for personal gain and to prevent competitors from havng the same opportunities.

It happens all too frequently. And it’s been happening lately with the big internet companies, which relied on the open internet to become successful, but under massive pressure from regulators (and the media), keep shooting the open internet in the back, each time they can present themselves as “supportive” of some dumb regulatory regime. Facebook did it six years ago by supporting FOSTA wholeheartedly, which was the key tide shift that made the law viable in Congress.

And, now, it appears that Google is going down that same path. There have been hints here and there, such as when it mostly gave up the fight on net neutrality six years ago. However, Google had still appeared to be active in various fights to protect an open internet.

But, last week, Google took a big step towards pulling up the open internet ladder behind it, which got almost no coverage (and what coverage it got was misleading). And, for the life of me, I don’t understand why it chose to do this now. It’s one of the dumbest policy moves I’ve seen Google make in ages, and seems like a complete unforced error.

Last Monday, Google announced “a policy framework to protect children and teens online,” which was echoed by subsidiary YouTube, which posted basically the same thing, talking about it’s “principled approach for children and teenagers.” Both of these pushed not just a “principled approach” for companies to take, but a legislative model (and I hear that they’re out pushing “model bills” across legislatures as well).

The “legislative” model is, effectively, California’s Age Appropriate Design Code. Yes, the very law that was just declared unconstitutional just a few weeks before Google basically threw its weight behind the approach. What’s funny is that many, many people have (incorrectly) believed that Google was some sort of legal mastermind behind the NetChoice lawsuits challenging California’s law and other similar laws, when the reality appears to be that Google knows full well that it can handle the requirements of the law, but smaller competitors cannot. Google likes the law. It wants more of them, apparently.

The model includes “age assurance” (which is effectively age verification, though everyone pretends it’s not), greater parental surveillance, and the compliance nightmare of “impact assessments” (we talked about this nonsense in relation to the California law). Again, for many companies this is a good idea. But just because something is a good idea for companies to do does not mean that it should be mandated by law.

But that’s exactly what Google is pushing for here, even as a law that more or less mimics its framework was just found to be unconstitutional. While cynical people will say that maybe Google is supporting these policies hoping that they will continue to be found unconstitutional, I see little evidence to support that. Instead, it really sounds like Google is fully onboard with these kinds of duty of care regulations that will harm smaller competitors, but which Google can handle just fine.

It’s pulling up the ladder behind it.

And yet, the press coverage of this focused on the fact that this was being presented as an “alternative” to a full on ban for kids under 18 to be on social media. The Verge framed this as “Google asks Congress not to ban teens from social media,” leaving out that it was Google asking Congress to basically make it impossible for any site other than the largest, richest companies to be able to allow teens on social media. Same thing with TechCrunch, which framed it as Google lobbying against age verification.

But… it’s not? It’s basically lobbying for age verification, just in the guise of “age assurance,” which is effectively “age verification, but if you’re a smaller company you can get it wrong some undefined amount of time, until someone sues you.” I mean, what’s here is not “lobbying against age verification,” it’s basically saying “here’s how to require age verification.”

A good understanding of user age can help online services offer age-appropriate experiences. That said, any method to determine the age of users across services comes with tradeoffs, such as intruding on privacy interests, requiring more data collection and use, or restricting adult users’ access to important information and services. Where required, age assurance – which can range from declaration to inference and verification – should be risk-based, preserving users’ access to information and services, and respecting their privacy. Where legislation mandates age assurance, it should do so through a workable, interoperable standard that preserves the potential for anonymous or pseudonymous experiences. It should avoid requiring collection or processing of additional personal information, treating all users like children, or impinging on the ability of adults to access information. More data-intrusive methods (such as verification with “hard identifiers” like government IDs) should be limited to high-risk services (e.g., alcohol, gambling, or pornography) or age correction. Moreover, age assurance requirements should permit online services to explore and adapt to improved technological approaches. In particular, requirements should enable new, privacy-protective ways to ensure users are at least the required age before engaging in certain activities. Finally, because age assurance technologies are novel, imperfect, and evolving, requirements should provide reasonable protection from liability for good-faith efforts to develop and implement improved solutions in this space.

Much like Facebook caving on FOSTA, this is Google caving on age verification and other “duty of care” approaches to regulating the way kids have access to the internet. It’s pulling up the ladder behind itself, knowing that it was able to grow without having to take these steps, and making sure that none of the up-and-coming challenges to Google’s position will have the same freedom to do so.

And, for what? So that Google can go to regulators and say “look, we’re not against regulations, here’s our framework”? But Google has smart policy people. They have to know how this plays out in reality. Just as with FOSTA, it completely backfired on Facebook (and the open internet). This approach will do the same.

Not only will these laws inevitably be used against the companies themselves, they’ll also be weaponized and modified by policymakers who will make them even worse and even more dangerous, all while pointing to Google’s “blessing” of this approach as an endorsement.

For years, Google had been somewhat unique in continuing to fight for the open internet long after many other companies were switching over to ladder pulling. There were hints that Google was going down this path in the past, but with this policy framework, the company has now made it clear that it has no intention of being a friend to the open internet any more.

Filed Under: aadc, age appropriate design code, age assurance, age estimation, age verification, duty of care, for the children
Companies: google

Court Says California’s Age Appropriate Design Code Is Unconstitutional (Just As We Warned)

from the the-1st-amendment-still-matters dept

Some good news! Federal Judge Beth Labson Freeman has recognized what some of us have been screaming about for over a year now: California’s Age Appropriate Design Code (AB 2273) is an unconstitutional mess that infringes on the 1st Amendment. We can add this to the pile of terrible moral panic “protect the children!” laws in Texas and Arkansas that have been similarly rejected (once again showing that the moral panic issue about the internet and children, combined with an ignorance of the 1st Amendment is neither a right nor a left issue — it’s both).

The Age Appropriate Design Code in California got almost no media attention while it was being debated or even after it passed. At times it felt like Professor Eric Goldman and myself were the only ones highlighting the problems with the bill. And there are many, many problems. Including problems that both Goldman and I told the court about (and both of us were cited in the decision).

For what it’s worth, I’ve heard through the grapevine, that one of the reasons why there was basically no media coverage was that many of the large tech companies are actually fine with the AADC, because they know that they already do most of what the law requires… and they also know full well that smaller companies will get slammed by the law’s requirements, so that’s kind of a bonus for the big tech companies.

As a reminder, the AADC was “sponsored” (in California outside organizations can sponsor bills) by an organization created and run by a British Baroness who is one of the loudest moral panic spreaders about “the kids on the internet.” Baroness Beeban Kidron has said that it’s her life’s mission to pass these kinds of laws around the world (she already helped get a similarly named bill passed in the UK, and is a driving force behind the dangerous Online Safety Act there as well). The other major sponsor of the AADC is… Common Sense Media, whose nonsense we just called out on another bill. Neither of them understand how the 1st Amendment works.

Thankfully, the judge DOES understand how the 1st Amendment works. As I noted a month and half after attending the oral arguments in person, the judge really seemed to get it. And that comes through in the opinion, which grants the preliminary injunctions, blocking the law from going into effect as likely unconstitutional under the 1st Amendment.

The judge notes, as was mentioned in the courtroom, that she’s “mindful” of the fact that the law was passed unanimously, but that doesn’t change the fact that it appears to violate the 1st Amendment. She says that protecting the privacy of people online is obviously a valid concern of the government, but that doesn’t mean you get to ignore the 1st Amendment in crafting a law to deal with it.

California insisted that nothing in the AADC regulated expression, only conduct. But, as the judge had called out at the hearing, it’s quite obvious that’s not true. And thus she finds that the law clearly regulates protected expression:

The State argues that the CAADCA’s regulation of “collection and use of children’s personal information” is akin to laws that courts have upheld as regulating economic activity, business practices, or other conduct without a significant expressive element. Opp’n 11– 12 (citations omitted). There are two problems with the State’s argument. First, none of the decisions cited by the State for this proposition involved laws that, like the CAADCA, restricted the collection and sharing of information. See id.; Rumsfeld v. Forum for Acad. & Inst. Rights, Inc., 547 U.S. 47, 66 (2006) (statute denying federal funding to educational institutions restricting military recruiting did not regulate “inherently expressive” conduct because expressive nature of act of preventing military recruitment necessitated explanatory speech); Roulette v. City of Seattle, 97 F.3d 300, 305 (9th Cir. 1996) (ordinance prohibiting sitting or lying on sidewalk did not regulate “forms of conduct integral to, or commonly associated with, expression”); Int’l Franchise, 803 F.3d at 397–98, 408 (minimum wage increase ordinance classifying franchisees as large employers “exhibit[ed] nothing that even the most vivid imagination might deem uniquely expressive”) (citation omitted); HomeAway.com, 918 F.3d at 680, 685 (ordinance regulating forms of short-term rentals was “plainly a housing and rental regulation” that “regulate[d] nonexpressive conduct—namely, booking transactions”); Am. Soc’y of Journalists & Authors, 15 F.4th at 961–62 (law governing classification of workers as employees or independent contractors “regulate[d] economic activity rather than speech”).

Second, in a decision evaluating a Vermont law restricting the sale, disclosure, and use of information about the prescribing practices of individual doctors—which pharmaceutical manufacturers used to better target their drug promotions to doctors—the Supreme Court held the law to be an unconstitutional regulation of speech, rather than conduct. Sorrell, 564 U.S. at 557, 562, 570–71. The Supreme Court noted that it had previously held the “creation and dissemination of information are speech within the meaning of the First Amendment,” 564 U.S. at 570 (citing Bartnicki v. Vopper, 532 U.S. 514, 527 (2001); Rubin v. Coors Brewing Co., 514 U.S. 476, 481 (1995); Dun & Bradstreet, Inc. v. Greenmoss Builders, Inc., 472 U.S. 749, 759 (1985) (plurality opinion)), and further held that even if the prescriber information at issue was a commodity, rather than speech, the law’s “content- and speaker-based restrictions on the availability and use of . . . identifying information” constituted a regulation of speech, id. at 570– 71; see also id. at 568 (“An individual’s right to speak is implicated when information he or she possesses is subject to ‘restraints on the way in which the information might be used’ or disseminated.”) (quoting Seattle Times Co. v. Rhinehart, 467 U.S. 20, 32 (1984)).

While California argued that Sorrell didn’t apply here because it was a different kind of information, the court notes that this argument makes no sense.

… the State is correct that Sorrell does not address any general right to collect data from individuals. In fact, the Supreme Court noted that the “capacity of technology to find and publish personal information . . . presents serious and unresolved issues with respect to personal privacy and the dignity it seeks to secure.” Sorrell, 564 U.S. at 579–80. But whether there is a general right to collect data is independent from the question of whether a law restricting the collection and sale of data regulates conduct or speech. Under Sorrell, the unequivocal answer to the latter question is that a law that—like the CAADCA—restricts the “availability and use” of information by some speakers but not others, and for some purposes but not others, is a regulation of protected expression.

And, thus, the court concludes that the restrictions in the AADC on collecting, selling, sharing, or retaining any personal information regulates speech (as a separate note, I’m curious what this also means for California’s privacy laws, on which the AADC is built… but we’ll leave that aside for now).

Separate from the restrictions on information collection, the AADC also has a bunch of mandates. Those also regulate speech:

The State contended at oral argument that the DPIA report requirement merely “requires businesses to consider how the product’s use design features, like nudging to keep a child engaged to extend the time the child is using the product” might harm children, and that the consideration of such features “has nothing to do with speech.” Tr. 19:14–20:5; see also id. at 23:5–6 (“[T]his is only assessing how your business models . . . might harm children.”). The Court is not persuaded by the State’s argument because “assessing how [a] business model[] . . . might harm children” facially requires a business to express its ideas and analysis about likely harm. It therefore appears to the Court that NetChoice is likely to succeed in its argument that the DPIA provisions, which require covered businesses to identify and disclose to the government potential risks to minors and to develop a timed plan to mitigate or eliminate the identified risks, regulate the distribution of speech and therefore trigger First Amendment scrutiny.

And she notes that the AADC pushes companies to create content moderation rules that favor the state’s moderation desires, which clearly is a 1st Amendment issue:

The CAADCA also requires a covered business to enforce its “published terms, policies, and community standards”—i.e., its content moderation policies. CAADCA § 31(a)(9). Although the State argues that the policy enforcement provision does not regulate speech because businesses are free to create their own policies, it appears to the Court that NetChoice’s position that the State has no right to enforce obligations that would essentially press private companies into service as government censors, thus violating the First Amendment by proxy, is better grounded in the relevant binding and persuasive precedent. See Mot. 11; Playboy Ent. Grp., 529 U.S. at 806 (finding statute requiring cable television operators providing channels with content deemed inappropriate for children to take measures to prevent children from viewing content was unconstitutional regulation of speech); NetChoice, LLC v. Att’y Gen., Fla. (“NetChoice v. Fla.”), 34 F.4th 1196, 1213 (11th Cir. 2022) (“When platforms choose to remove users or posts, deprioritize content in viewers’ feeds or search results, or sanction breaches of their community standards, they engage in First-Amendment-protected activity.”); Engdahl v. City of Kenosha, 317 F. Supp. 1133, 1135–36 (E.D. Wis. 1970) (holding ordinance restricting minors from viewing certain movies based on ratings provided by Motion Picture Association of America impermissibly regulated speech).

Then there’s the “age estimation” part of the bill. Similar to the cases in Arkansas and Texas around age verification, this court also recognizes the concerns, including that such a mandate will likely hinder adult access to content as well:

The State argues that “[r]equiring businesses to protect children’s privacy and data implicates neither protected speech nor expressive conduct,” and notes that the provisions “say[] nothing about content and do[] not require businesses to block any content for users of any age.” Opp’n 15. However, the materials before the Court indicate that the steps a business would need to take to sufficiently estimate the age of child users would likely prevent both children and adults from accessing certain content. See Amicus Curiae Br. of Prof. Eric Goldman (“Goldman Am. Br.”) 4–7 (explaining that age assurance methods create time delays and other barriers to entry that studies show cause users to navigate away from pages), ECF 34-1; Amicus Curiae Br. of New York Times Co. & Student Press Law Ctr. (“NYT Am. Br.”) 6 (stating age-based regulations would “almost certain[ly] [cause] news organizations and others [to] take steps to prevent those under the age of 18 from accessing online news content, features, or services”), ECF 56-1. The age estimation and privacy provisions thus appear likely to impede the “availability and use” of information and accordingly to regulate speech.

Again, the court admits that protecting kids is obviously a laudable goal, but you don’t do it by regulating speech. And the fact that California exempted non-profits from the law suggests targeting only some speakers, a big 1st Amendment no-no.

The Court is keenly aware of the myriad harms that may befall children on the internet, and it does not seek to undermine the government’s efforts to resolve internet-based “issues with respect to personal privacy and . . . dignity.” See Sorrell, 564 U.S. at 579; Def.’s Suppl. Br. 1 (“[T]he ‘serious and unresolved issues’ raised by increased data collection capacity due to technological advances remained largely unaddressed [in Sorrell].”). However, the Court is troubled by the CAADCA’s clear targeting of certain speakers—i.e., a segment of for-profit entities, but not governmental or non-profit entities—that the Act would prevent from collecting and using the information at issue. As the Supreme Court noted in Sorrell, the State’s arguments about the broad protections engendered by a challenged law are weakened by the law’s application to a narrow set of speakers. See Sorrell, 564 U.S. at 580 (“Privacy is a concept too integral to the person and a right too essential to freedom to allow its manipulation to support just those ideas the government prefers”).

Of course, once you establish that protected speech is being regulated, that’s not the end of the discussion. There are situations in which the government is allowed to regulate speech, but only if certain levels of scrutiny are met. During the oral arguments, a decent portion of the time was spent debating whether or not the AADC should have to pass strict scrutiny or just intermediate scrutiny. Strict scrutiny requires there to be both a compelling state interest in the law and that the law is narrowly tailored to achieve that result. Intermediate scrutiny says it must just be an “important government objective” (slightly less than compelling) and rather than “narrowly tailored” the law has to be substantially related to achieving that important government objective.

While I think it seemed clear that strict scrutiny should apply, here the court went with a form of intermediate scrutiny (“commercial scrutiny”) not necessarily because the judge thinks it’s the right level, but because if the law is unconstitutional even at intermediate scrutiny, then it wouldn’t survive strict scrutiny anyway. And thankfully, the AADC doesn’t even survive the lower level of scrutiny.

The court finds (as expected) that the state has a substantial interest in protecting children, but is not at all persuaded that the AADC does anything to further that interest, basically, because the law was terribly drafted. (They leave out that it had to be terribly drafted, because the intent of the bill was to pressure websites to moderate the way the state wanted, but they couldn’t come out and say that so they had to pretend that it was just about “data management.”):

Accepting the State’s statement of the harm it seeks to cure, the Court concludes that the State has not met its burden to demonstrate that the DPIA provisions in fact address the identified harm. For example, the Act does not require covered businesses to assess the potential harm of product designs—which Dr. Radesky asserts cause the harm at issue—but rather of “the risks of material detriment to children that arise from the data management practices of the business.” CAADCA § 31(a)(1)(B) (emphasis added). And more importantly, although the CAADCA requires businesses to “create a timed plan to mitigate or eliminate the risk before the online service, product, or feature is accessed by children,” id. § 31(a)(2), there is no actual requirement to adhere to such a plan. See generally id. § 31(a)(1)-(4); see also Tr. 26:9–10 (“As long as you write the plan, there is no way to be in violation.”),

Basically, California tried to tap dance around the issues, knowing it couldn’t come out and say that it was trying to regulate content moderation on websites, so it claims that it’s simply regulating “data management practices,” but the harms that the state’s own expert detailed (which drive the state’s substantial interest in passing the law) are all about the content on websites. So, then, by admitting that the law doesn’t directly require moderation (which would be clearly unconstitutional, but would address the harms described), the state effectively admitted that the AADC does not actually address the stated issue.

Because the DPIA report provisions do not require businesses to assess the potential harm of the design of digital products, services, and features, and also do not require actual mitigation of any identified risks, the State has not shown that these provisions will “in fact alleviate [the identified harms] to a material degree.” Id. The Court accordingly finds that NetChoice is likely to succeed in showing that the DPIA report provisions provide “only ineffective or remote support for the government’s purpose” and do not “directly advance” the government’s substantial interest in promoting a proactive approach to the design of digital products, services, and feature. Id. (citations omitted). NetChoice is therefore likely to succeed in showing that the DPIA report requirement does not satisfy commercial speech scrutiny.

So California got way to clever in writing the AADC and trying to wink wink nod nod its way around the 1st Amendment. By not coming out and saying the law requires moderation, it’s admitting that the law doesn’t actually address the problems it claims it’s addressing.

Ditto for the “age estimation” requirement. The issue here was that California tried to tap dance around the age estimation requirement by saying it wasn’t a requirement. It’s just that if you didn’t do age estimation, then you have to treat ALL users as if they’re children. Again, this attempt at being clever backfires by making it clear that the law would restrict access to content for adults:

Putting aside for the moment the issue of whether the government may shield children from such content—and the Court does not question that the content is in fact harmful—the Court here focuses on the logical conclusion that data and privacy protections intended to shield children from harmful content, if applied to adults, will also shield adults from that same content. That is, if a business chooses not to estimate age but instead to apply broad privacy and data protections to all consumers, it appears that the inevitable effect will be to impermissibly “reduce the adult population … to reading only what is fit for children.” Butler v. Michigan, 352 U.S. 380, 381, 383 (1957). And because such an effect would likely be, at the very least, a “substantially excessive” means of achieving greater data and privacy protections for children, see Hunt, 638 F.3d at 717 (citation omitted), NetChoice is likely to succeed in showing that the provision’s clause applying the same process to all users fails commercial speech scrutiny.

Similarly, regarding the requirement for higher levels of privacy protection, the court cites the NY TImes’ amicus brief, basically saying that this law will make many sites restrict content only to those over 18:

NetChoice has provided evidence that uncertainties as to the nature of the compliance required by the CAADCA is likely to cause at least some covered businesses to prohibit children from accessing their services and products altogether. See, e.g., NYT Am. Br. 5–6 (asserting CAADCA requirements that covered businesses consider various potential harms to children would make it “almost certain that news organizations and others will take steps to prevent those under the age of 18 from accessing online news content, features, or services”). Although the State need not show that the Act “employs . . . the least restrictive means” of advancing the substantial interest, the Court finds it likely, based on the evidence provided by NetChoice and the lack of clarity in the provision, that the provision here would serve to chill a “substantially excessive” amount of protected speech to the extent that content providers wish to reach children but choose not to in order to avoid running afoul of the CAADCA

Again and again, for each provision in the AADC, the court finds that the law can’t survive this intermediate level of scrutiny, as each part of the law seems designed to pretend to do one thing while really intending to do another, and therefore it is clearly not well targeted (nor can it be, since accurately targeting it would only make the 1st Amendment concerns more direct).

For example, take the provision that bars a website from using the personal info of a child in a way that is “materially detrimental to the physical health, mental health, or well-being of a child.” As we pointed out while the bill was being debated, this is ridiculously broad, and could conceivably cover information that a teenager finds upsetting. But that can’t be the law. And the court notes the lack of specificity here, especially given that children at different ages will react to content very differently:

The CAADCA does not define what uses of information may be considered “materially detrimental” to a child’s well-being, and it defines a “child” as a consumer under 18 years of age. See CAADCA § 30. Although there may be some uses of personal information that are objectively detrimental to children of any age, the CAADCA appears generally to contemplate a sliding scale of potential harms to children as they age. See, e.g., Def.’s Suppl. Br. 3, 4 (describing Act’s requirements for “age-appropriate” protections). But as the Third Circuit explained, requiring covered businesses to determine what is materially harmful to an “infant, a five-year old, or a person just shy of age seventeen” is not narrowly tailored.

So, again, by trying to be clever and not detailing the levels by which something can be deemed “age appropriate,” the “age appropriate design code,” fails the 1st Amendment test.

There is also an important discussion about some of the AADC requirements that would likely pressure sites to remove content that would be beneficial to “vulnerable” children:

NetChoice has provided evidence indicating that profiling and subsequent targeted content can be beneficial to minors, particularly those in vulnerable populations. For example, LGBTQ+ youth—especially those in more hostile environments who turn to the internet for community and information—may have a more difficult time finding resources regarding their personal health, gender identity, and sexual orientation. See Amicus Curiae Br. of Chamber of Progress, IP Justice, & LGBT Tech Inst. (“LGBT Tech Am. Br.”), ECF 42-1, at 12–13. Pregnant teenagers are another group of children who may benefit greatly from access to reproductive health information. Id. at 14–15. Even aside from these more vulnerable groups, the internet may provide children— like any other consumer—with information that may lead to fulfilling new interests that the consumer may not have otherwise thought to search out. The provision at issue appears likely to discard these beneficial aspects of targeted information along with harmful content such as smoking, gambling, alcohol, or extreme weight loss.

The court points out the sheer inanity of California’s defense on this point, which suggests that there’s some magical way to know how to leave available just the beneficial stuff:

The State argues that the provision is narrowly tailored to “prohibit[] profiling by default when done solely for the benefit of businesses, but allows it . . . when in the best interest of children.” Def.’s Suppl. Br. 6. But as amici point out, what is “in the best interest of children” is not an objective standard but rather a contentious topic of political debate. See LGBT Tech Am. Br. 11–14. The State further argues that children can still access any content online, such as by “actively telling a business what they want to see in a recommendations profile – e.g., nature, dance videos, LGBTQ+ supportive content, body positivity content, racial justice content, etc.” Radesky Decl. ¶ 89(b). By making this assertion, the State acknowledges that there are wanted or beneficial profile interests, but that the Act, rather than prohibiting only certain targeted information deemed harmful (which would also face First Amendment concerns), seeks to prohibit likely beneficial profiling as well. NetChoice’s evidence, which indicates that the provision would likely prevent the dissemination of a broad array of content beyond that which is targeted by the statute, defeats the State’s showing on tailoring, and the Court accordingly finds that State has not met its burden of establishing that the profiling provision directly advances the State’s interest in protecting children’s well-being. NetChoice is therefore likely to succeed in showing that the provision does not satisfy commercial speech scrutiny

This same issue comes up in the prohibition on “dark patterns,” which are not explained clearly and again run into the issue of how a site is supposed to magically know what is “materially detrimental.”

The last of the three prohibitions of CAADCA § 31(b)(7) concerns the use of dark patterns to “take any action that the business knows, or has reason to know, is materially detrimental” to a child’s well-being. The State here argues that dark patterns cause harm to children’s well-being, such as when a child recovering from an eating disorder “must both contend with dark patterns that make it difficult to unsubscribe from such content and attempt to reconfigure their data settings in the hope of preventing unsolicited content of the same nature.” Def.’s Suppl. Br. 7; see also Amicus Curiae Br. of Fairplay & Public Health Advocacy Inst. (“Fairplay Am. Br.”) 4 (noting that CAADCA “seeks to shift the paradigm for protecting children online,” including by “ensuring that children are protected from manipulative design (dark patterns), adult content, or other potentially harmful design features.”) (citation omitted), ECF 53-1. The Court is troubled by the “has reason to know” language in the Act, given the lack of objective standard regarding what content is materially detrimental to a child’s well-being. See supra, at Part III(A)(1)(a)(iv)(7). And some content that might be considered harmful to one child may be neutral at worst to another. NetChoice has provided evidence that in the face of such uncertainties about the statute’s requirements, the statute may cause covered businesses to deny children access to their platforms or content. See NYT Am. Br. 5–6. Given the other infirmities of the provision, the Court declines to wordsmith it and excise various clauses, and accordingly finds that NetChoice is likely to succeed in showing that the provision as a whole fails commercial speech scrutiny.

Given the 1st Amendment problems with the law, the court doesn’t even bother with the argument about the Dormant Commerce Clause being violated by the AADC, saying it doesn’t need to go there, and also highlighting that it’s a “thorny constitutional issue” that is in flux due to a very recent Supreme Court decision. While the judge doesn’t go into much detail on the argument that existing federal laws COPPA and Section 230 preempt California’s laws, she does say she doesn’t think that argument alone would be strong enough to get a preliminary injunction, saying the question of preemption would depend on what policies were impacted (basically saying that it might be preempted but we can’t tell until someone tries to enforce the law).

I fully expect the state to appeal and the issue will go up to the 9th Circuit. Hopefully they see the problems as clearly as the judge here did.

Filed Under: 1st amendment, aadc, ab 2273, age appropriate design code, age estimation, age verification, beeban kidron, beth labson freeman, california, for the children
Companies: netchoice

I Explained To A Court How California’s ‘Kid’s Code’ Is Both Impossible To Comply With & An Attack On Our Expression

from the the-wrong-approach dept

Last year, Techdirt was one of only a very few sites where you could find out information on California’s AB 2273, officially the “California Age Appropriate Design Code” or “Kid’s code.” As with so many bills that talk about “protecting the children,” everyone we talked to said they were afraid to speak up, because they worried that they’d be branded as being against child safety. Indeed, I even had some people within some larger tech companies reach out to me suggesting it was dangerous to speak out against the bill.

But the law is ridiculous. Last August, I explained how it was literally impossible to comply with the bill, questioned why California lawmakers were willing to pass a law written by a British Baroness (who is also a Hollywood filmmaker) with little to no understanding of how any of this actually works, and highlighted how the age verification requirements would be a privacy nightmare putting more kids at risk, rather than protecting them. Eric Goldman also pointed out the dark irony, that while the Kid’s Code claims that it was put in place to prevent internet companies from conducting radical experiments on children, the bill itself is an incredibly radical experiment in trying to reshape the internet. Of course, the bill was signed into law last fall.

In December, NetChoice, which brought the challenges to Texas and Florida’s bad internet laws, sued to block the law. Last week, they filed for a preliminary injunction to block the law from going into effect. Even though the law doesn’t officially take effect until the summer of 2024, any website would need to start doing a ton of work to get ready. With the filing, there were a series of declarations filed from various website owners to highlight the many, many problems this law will create for sites (especially smaller sites). Among those declarations was the one I filed highlighting how this law is impossible to comply with, would invade the privacy of the Techdirt community, and act as an unconstitutional restriction on speech. But we’ll get to that.

First up, the motion for the injunction. It’s worth reading the whole thing as it details the myriad ways in which this law is unconstitutional. It violates the 1st Amendment by creating prior restraint in multiple ways. The law is both extremely vague and overly broad. It regulates speech based on its content (again violating the 1st Amendment). It also violates the Commerce Clause as a California law that would impact those well outside of the state. Finally, existing federal law, both COPPA and Section 230 pre-empt the law. I won’t go through it all, but all of those are clearly laid out in the motion.

But what I appreciate most is that it opens up with a hypothetical that should illustrate just how obviously unconstitutional the law is:

Imagine a law that required bookstores, before offering books and services to the public, to assess whether those books and services could “potentially harm” their youngest patrons; develop plans to “mitigate or eliminate” any such risks; and provide those assessments to the state on demand. Under this law, bookstores could only carry books the state deemed “appropriate” for young children unless they verified the age of each patron at the door. Absent such age verification, employees could not ask customers about the types of books they preferred or whether they had enjoyed specific titles—let alone recommend a book based on customers’ expressed interests—without a “compelling” reason that doing so was in the “best interests” of children. And the law would require bookstores to enforce their store rules and content standards to the state’s satisfaction, eliminating the bookstores’ discretion as to how those rules should be applied. Penalties for violations could easily bankrupt even large bookstores. Such a scheme would plainly violate fundamental constitutional protections.

California has enacted just such a measure: The California Age Appropriate Design Code Act (AB 2273). Although billed as a “data protection” regulation to protect minors, AB 2273 is the most extensive attempt by any state to censor speech since the birth of the internet. It does this even though the State has conceded that an open, vibrant internet is indispensable to American life. AB 2273 enacts a system of prior restraint over protected speech using undefined, vague terms, and creates a regime of proxy censorship, forcing online services to restrict speech in ways the State could never do directly. The law violates the First Amendment and the Commerce Clause, and is preempted by the Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501 et seq., and Section 230 of the Communications Decency Act, 47 U.S.C. § 230. Because AB 2273 forces online providers to act now to redesign services, irrespective of its formal effective date, it will cause imminent irreparable harm. The Court should enjoin the statute.

As for my own filing, it was important for me to make clear that a law like AB 2273 is a direct attack on Techdirt and its users’ expression.

Techdirt understands that AB 2273 will require covered businesses to evaluate and mitigate the risk that “potentially harmful content” will reach children, with children defined to equally cover every age from 0 to 18 despite the substantial differences in developmental readiness and ability to engage in the world around them throughout that nearly two-decade age range. This entire endeavor results in the State directly interfering with my company’s and my expressive rights by limiting to whom and how we can communicate to others. I publish Techdirt with the deliberate intention to share my views (and those of other authors) with the public. This law will inhibit my ability to do so in concrete and measurable ways.

In addition to its overreaching impact, the law’s prohibitions also create chilling ambiguity, such as in its use of the word “harm.” In the context of the issues that Techdirt covers on a daily basis, there is no feasible way that Techdirt can determine whether any number of its articles could, in one way or another, expose a child to “potentially harmful” content, however the State defines that phrase according to the political climate of the moment. For example, Techdirt covers a broad array of hot-button topics, including reporting on combating police brutality (sometimes with accompanying images and videos), online child sexual abuse, bullying, digital sexual harassment, and law enforcement interrogations of minors—all of which could theoretically be deemed by the State to be “potentially harmful” to children. Moreover, Techdirt’s articles are known for their irreverent and snarky tone, and frequently use curse words in their content and taglines. It would be impossible to know whether this choice of language constitutes “potentially harmful content” given the absence of any clear definition of the term in AB 2273. Screening Techdirt’s forum for “potentially harmful” content—and requiring Techdirt to self-report the ways its content and operations could hypothetically “harm” children—will thus cause Techdirt to avoid publishing or hosting content that could even remotely invite controversy, undermining Techdirt’s ability to foster lively and uninhibited debate on a wide range of topics of its choosing. Moreover, not only would Techdirt’s prospective expression be chilled, but the retroactive application of AB 2273 would result in Techdirt needing to censor its previous expression, and to an enormous degree. The sheer number of posts and comments published on Techdirt makes the self-assessment needed to comply with the law’s ill-defined rules functionally impossible, requiring an enormous allocation of resources that Techdirt is unable to dedicate.

Also, the age verification requirements would fundamentally put the privacy of all of our readers at risk by forcing us to collect data we do not want about our users, and which we’ve gone to great lengths to make sure is not collected.

Redesigning our publication to verify the ages of our readers would also compromise our deliberate practice to minimize how much data we collect and retain about our readers to both limit our obligations that would arise from the handling of such data as well as preserve trust with our readers and undermine our relationship with our readers of any age, including teenagers, by subjecting them to technologies that are at best, unreliable, and at worst, highly privacy-intrusive (such as facial recognition). Moreover, because a sizeable portion of Techdirt’s readership consists of casual readers who access the site for information and news, any requirement that forces users to submit extensive personal information simply to access Techdirt’s content risks driving away these readers and shrinking Techdirt’s audience.

I have no idea how the courts are going to treat this law. Again, it does feel like many in the industry have decided to embrace and support this kind of regulation. I’ve heard from too many people inside the industry who have said not to speak up about it. But it’s such a fundamentally dangerous bill, with an approach that we’re starting to see show up in other states, that it was too important not to speak up.

Filed Under: 1st amendment, aadc, ab 2273, age appropriate design code, age verification, facial scanning, free expression, kids code, privacy
Companies: netchoice

As US, UK Embrace ‘Age Verify Everyone!’ French Data Protection Agency Says Age Verification Is Unreliable And Violates Privacy Rights

from the privacy-or-age-verification:-pick-one dept

We keep seeing it show up in a variety of places: laws to “protect the children” that, fundamentally begin with age verification to figure out who is a child (and then layering in a ton of often questionable requirements for how to deal with those identified as children). We have the Online Safety Bill in the UK. We have California’s Age Appropriate Design Code, which a bunch of states are rushing to emulate in their own legislatures. In Congress, there is the Kids Online Safety Act.

All of these, in the name of “protecting the children,” include elements that effectively require sites to use age verification technology. We’ve already spent many, many words explaining how age verification technology is inherently dangerous and actually puts children at greater risk. Not to mention it’s a privacy nightmare that normalizes the idea of mass surveillance, especially for children.

But, why take our word for it?

The French data protection agency, CNIL, has declared that no age verification technology in existence can be deemed as safe and not dangerous to privacy rights.

Now, there are many things that I disagree with CNIL about, especially its views that the censorial “right to be forgotten in the EU” should be applied globally. But one thing we likely agree on is that CNIL does not fuck around when it comes to data protection stuff. CNIL is generally seen as the most aggressive and most thorough in its data protection/data privacy work. Being on the wrong side of CNIL is a dangerous place for any company to be.

So I’d take it seriously when CNIL effectively notes that all age verification is a privacy nightmare, especially for children:

The CNIL has analysed several existing solutions for online age verification, checking whether they have the following properties: sufficiently reliable verification, complete coverage of the population and respect for the protection of individuals’ data and privacy and their security.

The CNIL finds that there is currently no solution that satisfactorily meets these three requirements.

Basically, CNIL found that all existing age verification techniques are unreliable, easily bypassed, and are horrible regarding privacy.

Despite this, CNIL seems oddly optimistic that just by nerding harder, perhaps future solutions will magically work. However, it does go through the weaknesses and problems of the various offerings being pushed today as solutions. For example, you may recall that when I called out the dangers of the age verification in California’s Age Appropriate Design Code, a trade group representing age verification companies reached out to me to let me know there was nothing to worry about, because they’d just scan everyone’s faces to visit websites. CNIL points out some, um, issues with this:

The use of such systems, because of their intrusive aspect (access to the camera on the user’s device during an initial enrolment with a third party, or a one-off verification by the same third party, which may be the source of blackmail via the webcam when accessing a pornographic site is requested), as well as because of the margin of error inherent in any statistical evaluation, should imperatively be conditional upon compliance with operating, reliability and performance standards. Such requirements should be independently verified.

This type of method must also be implemented by a trusted third party respecting precise specifications, particularly concerning access to pornographic sites. Thus, an age estimate performed locally on the user’s terminal should be preferred in order to minimise the risk of data leakage. In the absence of such a framework, this method should not be deployed.

Every other verification technique seems to similarly raise questions about effectiveness and how protective (or, well, how not protective it is of privacy rights).

So… why isn’t this raising alarm bells among the various legislatures and children’s advocates (many of whom also claim to be privacy advocates) who are pushing for these laws?

Filed Under: ab 2273, age appropriate design code, age verification, cnil, facial recognition, kosa, online safety bill

Is California’s Kids Code Screwing Up The Efforts For A Federal Privacy Law?

from the thinking-stuff-through-might-be-nice dept

It really does feel like the legislative process regarding the tech world and privacy is a complete mess. While politicians are right that it would be good if we got a comprehensive privacy bill in place, they seem to have no idea what that even means. Actually, it seems like they don’t even know what privacy means. And thus, the mess just continues. California tried to leap ahead into the unknown by putting together a truly ridiculous bill (CCPA) that no one has even figured out yet, despite it having passed years ago. And, without even bothering to understand any of it, California has pushed ahead again with the California’s Age Appropriate Design Code law, which somehow intersects with the CCPA, but again, no one’s quite sure how or why.

And now, people are pointing out that the kid’s code is actually messing up plans for a federal privacy law. Even before the law was signed by Governor Newsom, House Speaker Nancy Pelosi announced that she was putting the brakes on the only federal privacy law with any traction (not that it was good…) because it might upset Californian politicians. The concern: federal law might pre-empt California’s laws:

_“However, Governor Newsom, the California Privacy Protection Agency and top state leaders have pointed out the American Data Privacy and Protection Act does not guarantee the same essential consumer protections as California’s existing privacy laws. Proudly, California leads the nation not only in innovation, but also in consumer protection. With so much innovation happening in our state, it is imperative that California continues offering and enforcing the nation’s strongest privacy rights. California’s landmark privacy laws and the new kids age-appropriate design bill, both of which received unanimous and bipartisan support in both chambers, must continue to protect Californians — and states must be allowed to address rapid changes in technology._“

The concern is that the federal law would basically wipe out state laws. I know that some people are concerned about this, but a federal law really needs to do exactly that. First off, whatever you think of California’s attempts at privacy laws, there are all those other states out there as well. And we’re already seeing how states like Florida and Texas have been passing dangerous content moderation bills that are more designed to spite internet companies than actually protect users.

How soon do you think they’re going to do the same with privacy laws as well?

Second, it’s basically impossible for smaller companies to comply with even California’s weird law. How are we going to comply with 50 separate state laws, each with their own variations and quirks and problems (and, likely, contradictions). A federal law that pre-empts state laws sets a single standard across the country. As bad as the EU’s Digital Services Act and Digital Markets Act may turn out to be, at the very least, they’re trying to harmonize the laws across the EU.

The US, which should be more harmonized than the EU in general, seems to be going in the other direction.

Yes, sure, California feels the need to do stuff because no one in DC can get their act together to pass a reasonable federal privacy law. But that doesn’t mean that we should just let any state do whatever it wants (or what UK aristocrats want).

The fact that this awful California law is now being used as an excuse to hold up any effort on a federal privacy law seems like a really, really silly excuse. And, to be clear, it almost certainly is an excuse, because Pelosi and others in Congress know that they’re currently unable to pass any actually serious privacy law, so claiming that it will somehow “block” terrible California laws is seen as a way to hide their own failings.

But, at the very least, it seems to suggest that maybe California should stop rushing through so many half-baked laws.

Filed Under: ab 2273, age appropriate design code, california, federal privacy law, nancy pelosi, privacy

California’s Age Appropriate Design Code Is Radical Anti-Internet Policy

from the radical-experiments-on-children dept

When a proposed new law is sold as “protecting kids online,” regulators and commenters often accept the sponsors’ claims uncritically (because… kids). This is unfortunate because those bills can harbor ill-advised policy ideas. The California Age-Appropriate Design Code (AADC / AB2273, just signed by Gov. Newsom) is an example of such a bill. Despite its purported goal of helping children, the AADC delivers a “hidden” payload of several radical policy ideas that sailed through the legislature without proper scrutiny. Given the bill’s highly experimental nature, there’s a high chance it won’t work the way its supporters think–with potentially significant detrimental consequences for all of us, including the California children that the bill purports to protect.

In no particular order, here are five radical policy ideas baked into the AADC:

Permissioned innovation. American business regulation generally encourages “permissionless” innovation. The idea is that society benefits from more, and better, innovation if innovators don’t need the government’s approval.

The AADC turns this concept on its head. It requires businesses to prepare “impact assessments” before launching new features that kids are likely to access. Those impact assessments will be freely available to government enforcers at their request, which means the regulators and judges are the real audience for those impact assessments. As a practical matter, given the litigation risks associated with the impact assessments, a business’ lawyers will control those processes–with associated delays, expenses, and prioritization of risk management instead of improving consumer experiences.

While the impact assessments don’t expressly require government permission to proceed, they have some of the same consequences. They put the government enforcer’s concerns squarely in the room during the innovation development (usually as voiced by the lawyers), they encourage self-censorship by the business if they aren’t confident that their decisions will please the enforcers, and they force businesses to make the cost-benefit calculus before the business has gathered any market feedback through beta or A/B tests. Obviously, these hurdles will suppress innovations of all types, not just those that might affect children. Alternatively, businesses will simply route around this by ensuring their features aren’t available at all to children–one of several ways the AADC will shrink the Internet for California children.

Also, to the extent that businesses are self-censoring their speech (and my position is that all online “features” are “speech”) because of the regulatory intervention, then permissioned innovation raises serious First Amendment concerns.

Disempowering parents. A foundational principle among regulators is that parents know their children best, so most children protection laws center around parental decision-making (e.g. COPPA).The AADC turns that principle on its head and takes parents completely out of the equation. Even if parents know their children best, per the AADC, parents have no say at all in the interaction between a business and their child. In other words, despite the imbalance in expertise, the law obligates businesses, not parents, to figure out what’s in the best interest of children. Ironically, the bill cites evidence that “In 2019, 81 percent of voters said they wanted to prohibit companies from collecting personal information about children without parental consent” (emphasis added), but then the bill drafters ignored this evidence and stripped out the parental consent piece that voters assumed. It’s a radical policy for the AADC to essentially tell parents “tough luck” if parents don’t like the Internet that the government is forcing on their children.

Fiduciary obligations to a mass audience. The bill requires businesses to prioritize the best interests of children above all else. For example: “If a conflict arises between commercial interests and the best interests of children, companies should prioritize the privacy, safety, and well-being of children over commercial interests.” Although the AADC doesn’t use the term “fiduciary” obligations, that’s functionally what the law creates. However, fiduciary obligations are typically imposed in 1:1 circumstances, like a lawyer representing a client, where the professional can carefully consider and advise about an individual’s unique needs. It’s a radical move to impose fiduciary obligations towards millions of individuals simultaneously, where there is no individual considerations at all.

The problems with this approach should be immediately apparent. The law treats children as if they all have the same needs and face the same risks, but “children” are too heterogeneous to support such stereotyping. Most obviously, the law lumps together 17 year-olds and 2 year-olds, even though their risks and needs are completely different. More generally, consumer subpopulations often have conflicting needs. For example, it’s been repeatedly shown that some social media features provide net benefit to a majority or plurality of users, but other subcommunities of minors don’t benefit from those features. Now what? The business is supposed to prioritize the best interests of “children,” but the presence of some children who don’t benefit indicates that the business has violated its fiduciary obligation towards that subpopulation, and that creates unmanageable legal risk–despite the many other children who would benefit. Effectively, if businesses owe fiduciary obligation to diverse populations with conflicting needs, it’s impossible to serve that population at all. To avoid this paralyzing effect, services will screen out children entirely.

Normalizing face scans. Privacy advocates actively combat the proliferation of face scanning because of the potentially lifelong privacy and security risks created by those scans (i.e., you can’t change your face if the scan is misused or stolen). Counterproductively, this law threatens to make face scans a routine and everyday occurrence. Every time you go to a new site, you may have to scan your face–even at services you don’t yet know if you can trust. What are the long-term privacy and security implications of routinized and widespread face scanning? What does that do to people’s long-term privacy expectations (especially kids, who will infer that face scans just what you do)? Can governments use the face scanning infrastructure to advance interests that aren’t in the interests of their constituents? It’s radical to motivate businesses to turn face scanning of children into a routine activity–especially in a privacy bill.

(Speaking of which–I’ve been baffled by the low-key response of the privacy community to the AADC. Many of their efforts to protect consumer privacy won’t likely matter in the long run if face scans are routine).

Frictioned Internet navigation. The Internet thrives in part because of the “seamless” nature of navigating between unrelated services. Consumers are so conditioned to expect frictionless navigation that they respond poorly when modest barriers are erected. The Ninth Circuit just explained:

The time it takes for a site to load, sometimes referred to as a site’s “latency,” is critical to a website’s success. For one, swift loading is essential to getting users in the door…Swift loading is also crucial to keeping potential site visitors engaged. Research shows that sites lose up to 10% of potential visitors for every additional second a site takes to load, and that 53% of visitors will simply navigate away from a page that takes longer than three seconds to load. Even tiny differences in load time can matter. Amazon recently found that every 100 milliseconds of latency cost it 1% in sales.

After the AADC, before you can go to a new site, you will have to do either face scanning or upload age authenticating documents. This adds many seconds or minutes to the navigation process, plus there’s the overall inhibiting effects of concerns about privacy and security. How will these barriers change people’s web “surfing”? I expect it will fundamentally change people’s willingness to click on links to new services. That will benefit incumbents–and hurt new market entrants, who have to convince users to do age assurance before users trust them. It’s radical for the legislature to make such a profound and structural change to how people use and enjoy an essential resource like the Internet.

A final irony. All new laws are essentially policy experiments, and the AADC is no exception. But to be clear, the AADC is expressly conducting these experiments on children. So what diligence did the legislature do to ensure the “best interest of children,” just like it expects businesses to do post-AADC? Did the legislature do its own impact assessment like it expects businesses to do? Nope. Instead, the AADC deploys multiple radical policy experiments without proper diligence and basically hopes for the best for children. Isn’t it ironic?

I’ll end with a shoutout to the legislators who voted for this bill: if you didn’t realize how the bill was packed with radical policy ideas when you voted yes, did you even do your job?

Filed Under: ab 2273, age appropriate design code, california, face scans, fiduciary duty, for the children, gavin newsom, parents, permissionless innovation, protect the children

Gavin Newsom Fucks Over The Open Internet, Signs Disastrously Stupid Age Appropriate Design Code

from the well,-there-goes-the-neighborhood dept

This isn’t a surprise, but it’s still frustrating. Gavin Newsom, who wants to be President some day, and thus couldn’t risk misleading headlines that he didn’t “protect the children,” has now signed AB 2273 into law (this follows on yesterday’s decision to sign the bad, but slightly less destructive, AB 587 into law). At this point there’s not much more I can say about why AB 2273 is so bad. I’ve explained why it’s literally impossible to comply with (and why many sites will just ignore it). I’ve explained how it’s pretty clearly unconstitutional. I’ve explained how the whole idea was pushed for and literally sponsored by a Hollywood director / British baroness who wants to destroy the internet. I’ve explained how it won’t do much, if anything, to protect children, but will likely put them at much greater risk. I’ve explained how the company it will likely benefit most is the world’s largest porn company not to mention COVID disinfo peddlers and privacy lawyers. I’ve explained how the companies supporting the law insist that we shouldn’t worry because websites will just start scanning your face when you visit.

None of that matters, though.

Because, in this nonsense political climate where moral panics and culture wars are all that matter in politics, politicians are going to back laws that claim to “protect the children,” no matter how much of a lie that is.

Newsom, ever the politician, did the political thing here. He gets his headlines pretending he’s protecting kids.

“We’re taking aggressive action in California to protect the health and wellbeing of our kids,” said Governor Newsom. “As a father of four, I’m familiar with the real issues our children are experiencing online, and I’m thankful to Assemblymembers Wicks and Cunningham and the tech industry for pushing these protections and putting the wellbeing of our kids first.”

The press release includes a quote from Newsom’s wife, who is also a Hollywood documentary filmmaker, similar to the baroness.

“As a parent, I am terrified of the effects technology addiction and saturation are having on our children and their mental health. While social media and the internet are integral to the way we as a global community connect and communicate, our children still deserve real safeguards like AB 2273 to protect their wellbeing as they grow and develop,” said First Partner Jennifer Siebel Newsom. “I am so appreciative of the Governor, Assemblymember Cunningham, and Assemblymember Wicks’ leadership and partnership to ensure tech companies are held accountable for the online spaces they design and the way those spaces affect California’s children.”

Except that the bill does not create “real safeguards” for children. It creates a massive amount of busywork to try to force companies to dumb down the internet, while also forcing intrusive age verification technologies on tons of websites.

It puts tremendous power in the hands of the Attorney General.

The bill doesn’t go into effect until the middle of 2024 and I would assume that someone will go to court to challenge it, meaning that what this bill is going to accomplish in the short run is California wasting a ton of taxpayer dollars (just as Texas and Florida did) to try to pretend they have the power to tell companies how to design their products.

It’s all nonsense grandstanding and Governor Newsom knows it, because I know that people have explained all this to him. But getting the headlines is more important than doing the right thing.

Filed Under: ab 2273, age appropriate design code, california, for the children, gavin newsom

Kids Use Discord Chat To Track Predator Teacher’s Actions; Under California’s Kids Code, They’d Be Blocked

from the be-careful-how-you-"protect"-those-children dept

It’s often kind of amazing at how much moral panics by adults treat kids as if they’re completely stupid, and unable to do anything themselves. It’s a common theme in all sorts of moral panics, where adults insist that because some bad things could happen, they must be prevented entirely without ever considering that maybe a large percentage of kids are capable enough to deal with the risks and dangers themselves.

The Boston Globe recently had an interesting article about how a group of middle school boys were able to use Discord to successfully track the creepy, disgusting, and inappropriate shit one of their teachers/coaches did towards their female classmates, and how that data is now being used in an investigation of the teacher, who has been put on leave.

In an exclusive interview with The Boston Globe, one of the boys described how in January 2021,he and his friends decided to start their “Pedo Database,” to track the teacher’s words and actions.

There’s even a (redacted) screenshot of the start of the channel.

The kids self-organized and used Discord as a useful tool for tracking the problematic interactions.

During COVID, as they attended class online, they’d open the Discord channel on a split-screen and document the teacher’s comments in real time:

“You all love me so choose love.”

“You gotta stand up and dance now.”

Everyone “in bathing suits tomorrow.”

Once they were back in class in person, the boys jotted down notes to add to the channel later: Flirting with one girl. Teasing another. Calling the girls “sweetheart” and “sunshine.” Asking one girl to take off her shoes and try wiggling her toes without moving her pinkies.

“I felt bad for [the girls] because sometimes it just seems like it was a humiliating thing,” the boy told the Globe. “He’d play a song and he’d make one of them get up and dance.”

When the school year ended, the boys told incoming students about the Discord channel and encouraged them to keep tabs on the teacher. All in all, eight boys were involved, he said.

Eventually, the teacher was removed from the school and put on leave, after the administration began an investigation following claims that “the teacher had stalked a pre-teen girl at the middle school while he was her coach, and had been inappropriate with other girls.”

The article notes that there had been multiple claims in the past against the teacher, but that other teachers and administrators long protected the teacher. Indeed, apparently the teacher bragged about how he’d survived such complaints for decades. And that’s when the kids stepped up and realized they needed to start doing something themselves.

“I don’t think there was a single adult who would ever — like their parents, my mom, like anybody in the school — who had ever really taken the whole thing seriously before,” he added.

The boy’s mother contacted Conlon, and now the “Pedo Database” is in the hands of the US attorney’s Office, the state Department of Children, Youth, and Families, the state Department of Education, and with lawyer Matthew Oliverio, who is conducting the school’s internal investigation.

“I did not ever think this would actually be used as evidence, but we always had it as if it was,” said the boy, who is now 15 and a student at North Kingstown High School. “So I’m glad that we did, even though it might have seemed like slightly stupid at times.”

So, here we have kids who used the internet to keep track of a teacher accused of preying on children. Seems like a good example of helping to protect children.

Yet, it seems worth noting that under various “protect the children” laws, this kind of activity would likely be blocked. Already, under COPPA, it’s questionable if the kids should even be allowed on Discord. Discord, like many websites, limits usage in its terms of service to those 13 years or older. That’s likely in an attempt to comply with COPPA. But, the article notes that the kids started keeping this database as 6th graders, when they were likely 11-years old.

Also, under California’s AB 2273, Discord likely would have been more aggressive in banning them, as it would have had to employ much more stringent age verification tools that likely would have barred them from the service entirely. Also, given the other requirements of the “Age Appropriate Design Code,” it seems likely that Discord would be doing things like barring a chat channel described as a “pedo database.” A bunch of kids discussing possible pedophilia? Clearly that should be blocked as potentially harmful.

So, once again, the law, rather than protecting kids, might have actually put them more at risk, and done more to actually protect adults who were putting kids’ safety at risk.

Filed Under: ab 2273, age appropriate design code, kids, kids code, teachers
Companies: discord