Direct digital censorship

A lot of the energy behind age verification comes from authoritarians eager to censor political dissent, promote propaganda and retaliate against critics. This is a power grab, with bills designed to seize power over specific content the government objects to:

Governments are, of course, trying to claim control over “public discourse”. Like all seizing of arbitrary power, the risks associated with this are volatile and unbounded, because they depend on who holds power at any given moment in a political system where power is expected to rotate.

Discord

As a case study, let’s take a look at one of the latest major services to attempt age verification: Discord. At time of writing, Discord is in the process of trying to switch to a “Teen Default” system, where every user is assumed to be a minor unless they can prove their age to Discord. Discord is a communications platform used widely by adults, and during COVID Discord very intentionally expanded their market domain beyond gaming to focus on being a global platform, so the assumption that all spaces are for kids is clearly incorrect.¹ But Discord is sometimes used by children, and since it’s a communications platform people can use it to communicate horrible things. Boomers have learned they can be insane about this, so Discord is under significant pressure to balance its goal of being a universal communications platform with child safety.

There is room for improvement

People on the privacy side of the age verification war — my side — will argue that parents already have everything they need for comprehensive web filtering if they want to use it. I think this isn’t quite true; there’s one notable architectural gap that a technical solution could meaningfully fill.

There are many existing content filtering tools geared toward child safety but their weakness is that they’re reactive. Traffic filters can identify and block traffic from known websites and on-device content filters can try to detect and block specific content. But this requires the user reacting and defending against every possible source and behavior. It’s the same cat-and-mouse game as adblockers. And like adblockers, the more closed down the system is — like iOS or gaming consoles — the harder it is for developers to make exactly the right product.

The internet sometimes assumes minors are supervised — since they have parental consent to have the device in the first place — but this often isn’t the case. It’s very common for minors to have their own phones or tablets with unsupervised access. When they’re online or downloading apps, they’re not sitting with a parent, they’re unsupervised, roaming children. Parents are dropping their kids off in the city.

This isn’t inherently bad; it seems like parents and children both want children to be able to exist independently without granular supervision, and so there’s a desire to make that situation safer. That shouldn’t come at the cost of any adult liberty or even the liberty of children with parental consent; it just means we want an ecosystem that allows for unsupervised children to exist within it.

Right now the burden is on parents to be active defenders protecting their children from a vast ecosystem of companies investing research and capital into optimizing how efficiently they can exploit money and data out of everyone in the world. It would be a meaningful improvement if there were a safe way to prevent some of this exploitation by putting reasonable requirements on providers, so long as this can be done in a way that doesn’t cause more problems.

Taxonomy

There are three basic categories of age filtering: nothing, client attestation, and client verification. These provide services varying levels of confidence in their knowledge of users. (It’s tempting to simplify confidence to labels like “strong” or “weak” but it’s important to think about what’s actually being secured, and from who.) Different people call these different things, but here’s my taxonomy with the labels I’ll use.

Argument is stupid

First, to be clear, what was actually being argued at the time was exceedingly stupid. I’m not giving that any credit.

After committing to significantly overpay to purchase Twitter with no requirements that they do due diligence (yes, really!) Elon Musk tried to call off the deal.

Elon Musk@elonmusk

If our twitter bid succeeds, we will defeat the spam bots or die trying!

Thu Apr 21 18:53:55 +0000 2022

Elon Musk@elonmusk

That is why we must clear out bots, spam & scams. Is something actually public opinion or just someone operating 100k fake accounts? Right now, you can’t tell.

And algorithms must be open source, with any human intervention clearly identified.

Then, trust will be deserved.

1651594704000

Elon Musk@elonmusk

Twitter deal temporarily on hold pending details supporting calculation that spam/fake accounts do indeed represent less than 5% of usershttps://www.reuters.com/technology/twitter-estimates-spam-fake-accounts-represent-less-than-5-users-filing-2022-05-02/ …

1652435078000

This was a pretty transparent attempt to get out of the purchase agreement after manipulating the price, and it was correctly and widely reported as such.

Scott Nover, “Inside Elon Musk’s legal strategy for ditching his Twitter deal”

Elon Musk has buyer’s remorse. On April 25, the billionaire Tesla and SpaceX CEO agreed to buy Twitter for $44 billion, but since then the stock market has tanked. Twitter agreed to sell to Musk at $54.20 per share, a 38% premium at the time; today it’s trading around $40.

That’s probably the real reason Musk is spending so much time talking about bots.

I don’t want to get too bogged down in the details of why Elon was using this tactic, but fortunately other people wrote pages and pages about it, so I don’t have to.

The Store

This was the precipitating announcement: VRChat releasing a beta for an in-game real-money store.

Paid Subscriptions: Now in Open Beta! — VRChat Over the last few years, we’ve talked about introducing something we’ve called the “Creator Economy,” and we’re finally ready to reveal what the first step of that effort is going to look like: Paid Subscriptions!

As it stands now, creators within VRChat have to jump through a series of complicated, frustrating hoops if they want to make money from their creations. For creators, this means having to set up a veritable Rube Goldberg machine, often requiring multiple external platforms and a lot of jank. For supporters, it means having to sign up for those same platforms… and then hope that the creator you’re trying to support set everything up correctly.

(The problem, of course, is that “frustrating jank” was designed by VRChat, and their “solution” is rentiering.)

Currently, the only thing to purchase is nebulous “subscriptions” that would map to different world or avatar features depending on the content. But more importantly, this creates a virtual in-game currency, and opens the door to future transaction opportunities. I’m especially thinking of something like an avatar store.

I quit playing VRChat two years ago, when they started to crack down on client-side modifications (which are good) by force-installing malware (which is bad) on players’ computers. Since then I’ve actually had a draft sitting somewhere about software architecture in general, and how you to evaluate whether it’s safe or a trap. And, how just by looking at the way VRChat is designed, you can tell it’s a trap they’re trying to spring on people.

The Store of Tomorrow

Currently, the VRC Creator Economy is just a currency store and a developer api. Prior to this, there was no way for mapmakers to “charge users” for individual features; code is sandboxed, and you only know what VRC tells you, so you can’t just check against Patreon from within the game¹.

But the real jackpot for VRC is an avatar store. Currently, the real VRC economy works by creators creating avatars, maps, and other assets in the (mostly-)interchangeable Unity format, and then selling those to people. Most commonly this is seen in selling avatars, avatar templates, or custom commissioned avatars. Users buy these assets peer-to-peer.

This is the crucial point: individuals cannot get any content in the game without going through VRC. When you play VRChat, all content is streamed from VRChat’s servers anonymously by the proprietary client. There are no URLs, no files, no addressable content of any kind. (In fact, in the edge cases where avatars are discretely stored in files, in the cache, users get angry because of theft!) VRChat isn’t a layer over an open protocol, it’s its own closed system. Even with platforms like Twitter, at least there are files somewhere. But VRChat attacks the entire concept of files, structurally. The user knows nothing and trusts the server, end of story.

The API is the product

Reddit and all these other companies who are making user-level API access prohibitively expensive have forgotten that the API is the product. - The API is the interface that lets you perform operations on the site. The operations a user can do are the product, they’re not auxiliary to it!

“Application programming interface” is a very formal, internal-sounding term for a system that is none of those things. The word “programming” in the middle comes from an age where using a personal computer at all was considered “programming” it.

What an API really is a high-level interface to the web application that is Reddit. Every action a user can take — viewing posts, posting, voting, commenting — goes from the app (which interfaces with the user) to the API (which interfaces with the Reddit server), gets processed by the server using whatever-they-use-it-doesn’t-matter, and the response is sent back to the user.

The API isn’t a god mode and it doesn’t provide any super-powers. It doesn’t let you do anything you can’t do as a user, as clearly evidenced by the fact that all the actions you do on the Reddit website go through the API too.

The Reddit website, the official Reddit app, and the Apollo app all interface with the user in different ways and on different platforms, but go through the same API to interact with what we understand as “Reddit”. The fact that the API is the machine interface without the human interface should also concisely explain why “API access” is all Apollo needs to build its own app.

Right now, you can view the announcement thread at https://www.reddit.com/r/apolloapp/comments/144f6xm/apollo_will_close_down_on_june_30th_reddits/, and you can view the “API” data for the same thread at https://www.reddit.com/r/apolloapp/comments/144f6xm/apollo_will_close_down_on_june_30th_reddits.json. It’s not very fun to look at, but it’s easy to tell what you’re looking at: the fundamental representation of the page without all the trappings of the interface.

Public APIs are good for both the user and the company. They’re a vastly more efficient way for people to interact with the service than by automating interaction (or “scraping”). Having an API cuts out an entire layer of expense that, without an API, Reddit would pay for.

The Reddit service is the application, and you interface with it through WHATEVER. Whatever browser you want, whatever browser extensions you want, whatever model phone you want, whatever app you want. This is fundamentally necessary for operability and accessibility.

The API is the service. The mechanical ability to post and view and organize is what makes Reddit valuable, not its frontend. Their app actually takes the core service offering and makes it less attractive to users, which is why they were willing to pay money for an alternative!

Netflix’s pricing model

So, first, what are multi-user accounts in the first place, and how does “password sharing” relate to that?

Human Agency: Why Property is Good

or, “Gio is not a marxist, or if he is he’s a very bad one”

First: individual autonomy — our agency, our independence, and our right to make our own choices about our own lives — is threatened by the current digital ecosystem. Our tools are powered by software, controlled by software, and inseparable from their software, and so the companies that control that software have a degree of control over us proportional to how much of our lives relies on software. That’s an ever-increasing share.

History of twitter verification

Twitter first introduced verification in 2009, when baseball man Tony La Russa sued Twitter for letting someone set up a parody account using his name. It was a frivolous lawsuit by a frivolous man who has since decided he’s happy using Twitter to market himself, but Twitter used the attention to announce their own approach to combating impersonation on Twitter: verified accounts.