No, your original point was, and I am literally quoting you here:

> They should be proposing systems that they believe are reasonable to meet their obligation, but they are not. Instead, they've gone from at least requiring credit cards to... absolutely nothing. They've frankly brought this on themselves.

This is categorically false. Not only are they proposing alternatives, not only have they only pulled out of states that do not offer a government ID system (even though it's offered criticism, Pornhub has not pulled out of Louisiana), they also proposed systems way before this legislation took effect -- like you said, RTA standard has been around for ages.

No, Pornhub has not preemptively lobbied for it to be legislated, but that is hardly unusual and hardly a cause for criticism; companies generally don't preemptively lobby for themselves to be legislated unless they're shooting for regulatory capture. Quite frankly, usually when companies lobby against regulation, they don't put forward alternatives. It's unusual that content companies are going this far out of their way to try and help solve the problem instead of just pointing out flaws with the government proposal.

----

> Like now I really don't understand what they're suggesting.

There are several ways of approaching this: one is to do age verification using a standardized system -- ideally that system would be standardized on a federal level. Where states have such a system, Pornhub hasn't pulled out. This is the least-good solution, but it is a solution that Pornhub in specific seems to be generally fine with.

A better way of approaching this is to do age verification using a standardized system that is purely device-bound -- ie, a system where a flag is set purely locally, possibly with one-time verification through a company like Apple or Google, and where requesting websites are sent no data other than a general "yes/no" byte alongside requests. This would be a considerably better system for privacy and security, and it is the ideal that Pornhub in particular is advocating for. One reason why this system would be better is because once verified, verification data would never need to be transmitted off-device at any point. It would also not run the same risks of training customers to upload ID information to arbitrary websites, which is a large phishing risk.

Pornhub's stance on this is weaker than my own. I would prefer for this to be handled entirely through filtering. In practice, the vast majority of parents can easily enter an age into a device when creating an account, and then any standardized age verification system could pull from that parental control with no need to ever expose sensitive ID information to even Apple/Google/Microsoft. Or, even better, parents could be given the option to be more granular with their filters, relying on devices to filter specific content and pages based on their own determinations about what their children can and can't see.

Pornhub also advocates for filtering solutions, but is comfortable with verification/blocking if there are systems in place that make that secure and private.

I don't know the specifics of Utah's digital ID system, but given that Pornhub hasn't pulled out of Louisiana, I would guess the reason they have pulled out of Utah is because they believe that Utah's system isn't secure enough or comprehensive enough to meet their needs. I can only guess what the reason would be -- whether it's a lack of desktop support, or whether the app transmits more data than Pornhub would like to receive, or some other critique. Maybe they will eventually adopt that system in Utah.

But the biggest critique Pornhub has around these laws is a defacto requirement to use 3rd-party ID systems or to collect data themselves. Because they (very correctly) point out that 3rd-party ID systems have security risks, are generally run by shady companies, and generally teach users bad data and privacy habits. Again, their stance is less extreme than mine, Pornhub is only lobbying for a workable ID system, I would argue that these ID systems are inherently insecure, inherently raise 1st-Amendment questions, and as designed fundamentally do a worse job of protecting kids than labeling laws would. I would also argue that several of the states pushing these laws have directly proposed creating registries of trans and LGTBTQ citizens and that like 3rd-party verification industries, those governments themselves should also not be trusted with touching ID verification data at all (again, I would note that none of the bills bar collection of data for these purposes).

But Pornhub is OK with those systems... if they exist and are (somewhat) secure and private. Pornhub has some other critiques that I think are pretty reasonable (and that have been spelled out in the articles that I've linked), including the fact that the enforcement mechanisms (lawsuits rather than direct regulatory action) generally leave smaller and less responsible porn sites untouched and make kids more likely to visit them. And we've already covered how these laws fail to protect kids from porn spread on general social media like Reddit and on non-commercial sites like Mastodon. But the most basic critique Pornhub has is that the 3rd-party ID verification ecosystem as it exists today makes it dangerous to do this kind of verification.

> Why are they starting discussions with Apple and Google to build it? Shouldn't they be integrating with the wallet provider who already has?

A general solution here built into platforms is obviously preferable to a state-by-state solution, particularly given how bad most states are at building secure software. It makes a ton of sense to work with Apple and Google directly on this -- governments themselves should be working directly with Apple and Google on this.

----

> My read at this point is that this is more an attempt at stalling tactic.

Okay, think through this for a second. This doesn't make sense. Pornhub is pulling out of these states. Pornhub does not win in any of these interactions; there's no benefit to Pornhub to stalling, every day they stall hurts their business.

Paypal "stalls" when I try to withdraw money because they get something out of it, they get continued interest on the money they hold. Apple "stalls" on app store regulation because they get something out of it, they get continued revenue from the app store while regulators go back and forth with them. Pornhub doesn't get any of that -- they get zero revenue from these states while this is being litigated.

This does not make sense as an analysis. If Pornhub thinks that they're going to need to go back to these states, they lose more money the longer they wait. Clearly there's something else here going on other than just greed.

----

> Movie ratings are not mandatory because they are not obscenity without artistic merit. An R rated movie will be safe. A porn movie likely not.

What percentage of Reddit porn doesn't have artistic merit? This is nonsensical, you're still looking at a situation where 50 Shades of Grey and Game of Thrones are legal to show to children. That content would rightly fall under NSFW classifications on most sites, and I think most adults would agree that content shouldn't be shown to minors. By any reasonable definition, 50 Shades of Grey and Game of Thrones contain pornographic content. But it's still legal, and you're arguing that this kind of content wouldn't be covered under these laws.

> As far as I know no one's challenged it.

This does not necessarily mean that if it was challenged, it would hold up. Most of the movie industry voluntarily restricts access beyond what the law requires. What we do know is that when these laws have been challenged, particularly on the federal level, and particularly where the Internet is concerned, they've been difficult to defend and have been struck down in high-profile cases (https://en.wikipedia.org/wiki/Communications_Decency_Act)

Regulations on technological capabilities are not free from constitutional risk, but they are far less likely to run into these problems.

Now, if your point here is that these filtering laws are only going to protect kids from X-rated full-on smut with no plot, and that artistic pornography won't be covered -- then these aren't effective laws. They're not protecting kids. Yes, we have obscenity laws in the United States, but if we're going to go in-depth on those laws, we have to start with the point that "porn" and "obscenity" are not the same thing legally speaking. Porn can be obscenity, but not all porn is classified that way. You draw a bright line between R rated movies and X rated movies, but it's not the government that makes that classification, it's a completely arbitrary industry-drawn line. Where content online is concerned, there is no easy test to determine whether a pornographic piece of art or video has artistic merit -- and in fact R-ratings are not based on artistic merit or social value, only on how graphic or disturbing the content is.

Yet the laws you're championing require making that distinction on such a large scale that we would be able to tell what percentage of a website consists of obscenity. It's not realistic, it can't be done without disregarding 1st Amendment concerns.

If you're trying to protect kids from porn, it is not enough to target obscenity -- there is plenty of 1st Amendment protected pornographic speech that should never be shown to children. Which is why filtering laws in these situations are preferable; because they dodge (some) 1st Amendment concerns while allowing parents agency to filter material that would not fall under obscenity law, but that is still probably not a great thing for kids to look at it.

Like I said it's quite difficult to find information about this stuff. I don't even know if RTA is what IE used. It's not clear that anyone notable ever implemented it. I don't see it referenced on bugzilla.mozilla.org. Mozilla came up with their own proposal (Prefer: safe) in 2014 and actually submitted it to IETF, and didn't reference the Rating header. Did anyone try to tell them about it? They had like a 30% market share at the time. I can't find any references to it on issues.chromium.org either. I don't see any discussions on chromium's developer mailing list archives. I don't see it on the Android archives. Did they bring it to a lawmaker? To any standards body? To anyone?

Did they even reach out to tech companies like they said?

The howto for android https://www.rtalabel.org/index.html?content=howtoandroid just says you need to agree to their terms, gives no instructions, and has... an ad for travel services. Is there even an android implementation? This seems to be representative of the effort here.

Anyway, my original point was that the whole discussion seems to be disingenuous. They say they want an on-device age verification, and they even said that specifically in response to Utah's law. But Utah explicitly allows that already.

The reporting sucks. They didn't link to the laws. Almost none of the articles about this even name the laws (e.g. SB 287) so you have to go searching for it. The reporters don't seem to bother to read the laws, even when they're only 2 pages long. That CNN article says Pornhub doesn't like Utah's law because they want on-device verification. Utah's law explicitly allows for that, and they already have a working system. It's in fact an ISO standard, and seems to have wide traction building among US states:

https://www.mdlconnection.com/implementation-tracker-map/

(Incidentally, that site seems to be exactly what it looks like when someone is actually advocating for a proposal)

Why don't the reporters ask for some clarification on what they don't like about the law? Or the system? On their face, their complaints seem to be silly.

It's also disingenuous to characterize KYC services as shady. Their main customers are banks, and they're going to undergo annual audits for SOC 2, ISO 27001, etc. because every bank requires that. Their entire business is legal compliance as a service. If the law says not to store your info, they wont.

Pornhub may not be used to people who think this way, but in the financial services sector where these vendors currently operate, compliance with the law is just an assumed baseline feature. It is entirely normal for customers to have their own security architects examine your architecture documents, have multi-month back-and-forths about how to ensure legal requirements will be met, and require annual third party audits and penetration tests of your system. A company I worked for had a system to help automate answering these kinds of questions because they come up constantly.

Service providers here also already have to deal with both retention requirements and non-retention requirements like CCPA, and figuring out which data has which requirements. Pornhub's use-case is less complicated.

They complain they don't want to store whatever info. But the laws don't say they need to, and in fact say they must not. If they need help, there are companies who sell exactly that service.

Why don't the reporters ask for clarification on what appear superficially to be contradictions?

Quite honestly, I don't think it is. I'm not an expert on this, I'm using the same search engines you're using. I'm able to find stuff online.

> I don't see it referenced on bugzilla.mozilla.org. Mozilla came up with their own proposal (Prefer: safe) in 2014 and actually submitted it to IETF, and didn't reference the Rating header. Did anyone try to tell them about it? They had like a 30% market share at the time. I can't find any references to it on issues.chromium.org either. I don't see any discussions on chromium's developer mailing list archives. I don't see it on the Android archives

This is a lot of critique that boils down to "browser makers and lawmakers didn't implement it." But porn companies are not in charge of browsers. I could ask the same question in the opposite direction -- lawmakers have literally entire teams of paid staff to research this stuff, they are literally required by law under strict scrutiny to research it... and like I said above, I'm able to find information when I search online. So why weren't they able to find anything?

I don't think this is an excuse, I don't think lawmakers need to babied about looking for potential solutions to bills when strict scrutiny is in play. Strict scrutiny does not say that the government should be narrow and specific and research alternatives unless nobody sent them an official proposal on letter paper in which case how were they to know, we can just do whatever, all rules are off. Strict scrutiny places an obligation on the government to do research.

----

> That CNN article says Pornhub doesn't like Utah's law because they want on-device verification. Utah's law explicitly allows for that, and they already have a working system. It's in fact an ISO standard, and seems to have wide traction building among US states:

Looking more at it, I will say that MDL looks reasonably interesting, there's stuff here that I like quite a bit. I will also say that it's not available on Windows, Mac, or Linux, and that it doesn't look like it will ever work via 3rd-party ROMs. But sure, other than that it looks promising. And maybe Pornhub will adopt it at some point, I do think this system looks like it would be an improvement over a lot of ID verification I'm forced to do for services with KYC rules. So I'm all for that.

I will also point out that it's not available in Texas. And we have talked about this, you can't treat these laws like they're some kind of composite whole where one state addressing a problem means the other states no longer have that problem. Okay, you think that Pornhub is being disingenuous about Utah? Fine. The original link at the top of this thread is about VPN usage surging in Texas, which does not implement an MDL standard.

----

> The reporting sucks. They didn't link to the laws. Almost none of the articles about this even name the laws (e.g. SB 287) so you have to go searching for it.

> [...] Why don't the reporters ask for clarification on what appear superficially to be contradictions?

This is not specific to these laws, all political reporting about bills has this problem. Every time that I want to find the original text of a bill that's being reported on by even mainstream sites, I have to search for it. Could it be better? Sure, I regularly advocate that reporters should link to bill text. Do reporters in most interviews tend to ask only softball questions (regardless of who they're interviewing)? Yes. Does that common problem get rid of criticisms of the bills? No, it doesn't.

----

> It's also disingenuous to characterize KYC services as shady. Their main customers are banks, and they're going to undergo annual audits for SOC 2, ISO 27001, etc. because every bank requires that.

I will 100% stand by my representation. Common KYC services are shady. Credit reporting services are shady. This entire information economy is shady; it doesn't matter if they're working with the government. We're only a few years out from Equifax (which is used for customer verification sometimes) leaking the financial information of nearly every single adult American in the US. But what, they work with banks? They work with the people who haven't learned how to do proper 2FA yet? They work with the people who retain massive amounts of customer information and offer credit cards that are privacy nightmares? I have bad news for you about bank privacy in the US. None of these companies have a good track record on this.

I fully stand behind my characterization of them: these services are shady and should not be expanded recklessly to other areas of our life. I think that's an easy conclusion to draw.

> Their entire business is legal compliance as a service. If the law says not to store your info, they wont.

3rd-party KYC services fundamentally can not work without storing your info. Like, by definition -- the requirement is literally know your customer. That involves... knowing them. And comparing pre-gathered information is still storing info. You can not do a "verify your identity by telling us something we already know" question without already knowing the answer to the question that you're asking.

> They complain they don't want to store whatever info. But the laws don't say they need to, and in fact say they must not.

We have been ever this multiple times already: no they do not. None of these laws ban storing metadata or linking identities to requests by these 3rd-party companies. There is nothing in these laws that clearly prevent a 3rd-party ID service from aggregating data about which users have accessed porn. None of these laws ban government storage of information (and once again, states have said that they want to have databases of LGBTQ+ citizens). The majority of these laws do not offer sufficient penalties to incentivize companies not to violate restrictions (user-brought lawsuits are not sufficient, data privacy laws get violated all the time). None of these laws clarify how long information can be retained and most don't clarify what damages a user would actually be entitled to if their information was leaked.

----

I do want to loop back around to:

> Anyway, my original point was that the whole discussion seems to be disingenuous.

These bills have problems. At their best, even if MDL turns out to be great and private -- they're still going to increase user propensity to fall for phishing attacks, they still use a selective enforcement mechanism that will let off the worst actors, they still have 1st Amendment concerns, they still don't really address the majority of porn online (I will remind you that Reddit demands verification in zero of the states that have passed this legislation), they still have insufficient protections against data retention. They still require distinguishing between obscenity and porn on a scale that is impossible to do without abridging 1st-Amendment speech, and they still hue closely to similar federal attempts to legislate porn that have been ruled unconstitutional.

And we're reaching the point where we're basically arguing over "has Pornhub done enough? Why haven't they looked at this standard? Why didn't the government look at this standard? What is everyone's intentions?"

I want to take a step back and say that even if Pornhub did absolutely nothing (which again, I would argue they did not), that doesn't change anything at all about the objections to these bills. And if we're talking about disingenuous, it feels disingenuous to have a conversation that's constantly bouncing between incompatible statements like "this protects kids", and "R rated movies like 50 Shades of Grey wouldn't be covered", and "Mastodon wouldn't be affected" -- and to have all of those problems and contradictions swept under the rug in favor of "but Pornhub was asking for it."

We can look at the laws as implemented today and look at their effects and we can say objectively and indisputably -- they are not working. A lot of porn is still available in those states. So what the heck is the rest of this conversation? You don't need much evaluation beyond: you passed the law and r/insert-depraved-porn-sub is still available in your state without age verification, so... the law didn't work.

I do still feel like you're looking at this through a lens that misrepresents what most lobbying effort and what most political reporting looks like on every issue. But you know what? It doesn't matter. You think that Pornhub should have gotten more involved, great, that's very idealistic. You want political reporting to get better, great, that's an effort I can get behind. It doesn't mean that these bills don't have 1st Amendment concerns, don't contradict themselves in talking about retention and data collection while advocating 3rd-party services that literally can not operate without collecting data, it doesn't mean the bills aren't vague. And it doesn't mean the bills work. And I'm sorry if you don't like porn companies, but these are still bad laws. I'm sorry if you think that porn companies aren't playing nice, but you're still spreading misinformation about ID verification and 1st Amendment protections as they exist today that is just not true.

What is the disingenuous thing here: litigating whether or not Pornhub cares enough about kids, or dismissing obvious problems with legislation and spreading misinformation about that legislation just because you don't feel an industry was proactive enough in preempting it? I'll loop around again to -- I don't even care if you support the laws; fine. But don't say things about the laws that are not true.