The practice suggested of offering a DoB at the earliest date accepted by the system (a practice I've long since adopted ... amongst other things, 100+ y.o. individuals tend to have weak appeal to advertisers) will also suffice.
I've also felt that, as with several other online issues, the matter of age-gating is probably best handled at the ISP level. Most people have a fairly strong relationship with their ISP (whether willingly or happily is another matter), and a combination of site-specific self-ratings (which would also fall under consumer-protection/fraud regulation) and an ISP toggle to enable or disable +18 / NSFW / sexual content, or other categories on an account-wide basis would enable a household or business to set such filters with a minimum of hassle.
For instances where multi-level tiers of access would be required, the ISP should be able to provide that through two or more virtual service addresses (effectively VPNs which various devices are configured through). And a household or business should be able to define specific exceptions to any filtering rules to avoid the overclassification problem and put ultimate control in the subscriber's hands rather than the ISP's.
In theory this is a good idea, but in practice I'm not sure I trust my ISP to manage that system. I'm not worried that they'll leak my data, they already do that, but I think they'd probably lock me out of content they shouldn't because of bugs and/or a poorly designed system.
In practice your ISP already has this information and more (all traffic you're currently transacting). The information is less distributed than it would be in the case of providing all and sundry online publishers with that same information, and would offer less effective privacy control over how that information is used.
For those who'd bypass their ISP's access limitations/controls using a VPN ... you've now got additional complications and really no less effective control than voluntary age-disclosure rules.
Another option would be imputed age classification, which again is something that major sites (e.g., Google, YouTube, FB, Instagram, TikTok) can already perform via algorithmic / AI assessments of marketing categories based off of on-site activities, consumption trends, etc.
I think you may have misunderstood my post, as you appear to be arguing against me while basically repeating my sentiment.
Read again and you will find I say I am NOT worried about data leakage, but only that the ISP will lock me out of content they shouldn't because they're incompetent. YMMV but my ISP would definitely mess that up somehow.
Ok but households with underage people tend to also contain adults, who might want access to such content... Without incredibly invasive technical measures, proper filtering just isn't possible. And given how trivial it is to bypass basically any filtering even for someone with no tech knowledge, I don't see a reason to even try.
Different devices would be assigned to different VPNs or VLANs.
It's not an absolutely secure system, but it strikes me as at least as functional as present systems, and far less intrusive.
It would require content providers to self-label where possible, and be subject to third-party labeling where the provider/publisher itself doesn't, won't, or cannot. I've reasons to believe that most would be reasonably willing to participate.
I also use some email providers' ability to have +xyz at the end of the username. So for a registration I would use user.name+sitea@domain.com. It has helped me track spam and leaks in the past.
Same here! Both GMail and iCloud Mail support this, among others.
It works 95% of the time, but be aware that it sometimes doesn't:
- Some webpages refuse addresses with a + in them.
- I’ve had at least one instance where I lost an important email because I could register and receive emails from them, but one of their internal databases silently failed on my address. (I lost the proofs for a paper accepted in a journal, and it took some time to figure out what was going on…)
- There was at least one web page that was smart enough to just remove the +… from my address after I registered.
- Some webpages require you to be able to send emails to them from the exact address you sign up with (including the +…)
Overall I’ve been happy with the feature since it makes e-mail sorting easier, and you can just redirect a given subaddress to spam if they leak it, and it’s less effort than creating a “real” email alias per page. Just keep in mind that there are many ways it can fail, so you might not want to use it for anything that is actually important.
Since I run my own email server, I get around some of those issues by configuring Postfix's recipient_delimiter to use . rather than +. I've never had a site treat accounts.company@mydomain.com as anything other than a normal email address. It certainly doesn't justify the effort I've spent dealing with deliverability issues, but it's a nice perk.
I literally set up an alias last week in O365 Outlook using the pattern a.b@c.com? I’ve been able to receive and send using the alias as well. Maybe this is a new feature/behavior?
I may have misunderstood the parent comment - with Gmail, you can add dots anywhere in the mailbox and it all goes to the same place (standard Gmail, not Workspace).
E.g. andrew@gmail.com, a.n.d.r.e.w@gmail.com and a.....ndrew@gmail.com are all the same user and will go into their mailbox (which I have used to avoid the + stripping that some sites do).
andrew@outlook.com and a.ndrew@outlook.com are two distinct users.
Obviously if you control the domain or use a provider who supports it you can add an alias with punctuation, but then you might as well just use e.g. ebay@c.com to track the email source.
I have a mail account with a catch-all address so I can avoid the +, so sites can never strip it as it's just randommail@domain; I just have to hope nobody else figures it out and spams me at random addresses.
The benefit of the + is that I don’t have to set up anything in advance. I can type an email address on any device, including devices I don’t own, and still have it work as an alias.
I do have a “real” email alias as well that I use for true spam (e.g. to get “customer club” discounts while everything they send me is autoredirected to spam by a mail filter). I reserve the + addresses for things I want in my inbox, but still want to be able to filter easily in my mail client.
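An added example, not part of any comment above: a sketch of the leak tracking the subaddress comments describe, where each registration gets its own tag and mail arriving at a tagged address from some other sender points to the site that leaked it. The function names, the rule of splitting at the first delimiter, and all addresses and domains are assumptions constructed for illustration; the `"."` delimiter case mirrors the Postfix `recipient_delimiter` setup mentioned in the thread.

```python
# Hypothetical helpers; REGISTRATIONS and INBOUND are constructed sample data.
def split_subaddress(addr, delimiters="+"):
    """Return (base_address, tag); tag is None when no delimiter is present.
    Assumption: the local part is split at the first delimiter."""
    local, _, domain = addr.strip().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an address: {addr!r}")
    for d in delimiters:
        head, sep, tag = local.partition(d)
        if sep and head and tag:
            return f"{head}@{domain}".lower(), tag.lower()
    return f"{local}@{domain}".lower(), None

def audit(registrations, inbound, delimiters="+"):
    """registrations: tag -> sender domain that tag was handed to.
    inbound: iterable of (recipient, sender_domain) pairs.
    Returns a list of (verdict, tag, sender_domain)."""
    findings = []
    for rcpt, sender in inbound:
        _, tag = split_subaddress(rcpt, delimiters)
        sender = sender.lower()
        if tag is None:
            verdict = "untagged"      # tag stripped by the site or never used
        elif tag not in registrations:
            verdict = "unknown-tag"   # guessed or mistyped tag
        elif sender == registrations[tag] or sender.endswith("." + registrations[tag]):
            verdict = "expected"      # the site (or a subdomain) it was given to
        else:
            verdict = "leaked"        # given to one site, used by another
        findings.append((verdict, tag, sender))
    return findings

REGISTRATIONS = {"sitea": "sitea.example", "journal": "journal.example"}
INBOUND = [
    ("user.name+sitea@example.com", "sitea.example"),
    ("user.name+sitea@example.com", "mail.sitea.example"),
    ("User.Name+SiteA@example.com", "bulkmail.example"),
    ("user.name@example.com", "journal.example"),
    ("user.name+sitez@example.com", "bulkmail.example"),
]

if __name__ == "__main__":
    for finding in audit(REGISTRATIONS, INBOUND):
        print(finding)
```

The `untagged` verdict is the case raised in the thread where a site strips the `+…` part: the message still arrives, but it can no longer be attributed to a registration.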
I have had interactions with support in the past where “wait-a-second-it’s-a-long-nonsense-string” was good enough for them and they did NOT ask me to read it out.
I also had the interaction with a bank that asked me to read it out, and I was glad that my nonsense string was a list of 8 hyphenated words rather than a barfed up random string.
8henna-Such-Brain-Civil0-Grown5-modified8 is better than gpqmxsc5utowduc8fhqvntsXsgvMDzs0rclsiwzt
I use something similar to the hyphenated words now, as well. I used to make up random things like "Error Invalid" answer or missing input until I had to get support on one and the guy started his "I just need to ask you a coup...wait a second....hold on sorry, I'm getting an error, I need to put you on hold" and put me on hold before I could say anything, I waited and jumped in the moment he came back because I felt bad (the support center didn't make the system). He found it funny at least.
If the support staff can compare what you said with what's on their screen, it's obviously stored in plaintext. And they probably won't even distinguish uppercase from lowercase letters, or 5 from S.
So it's a waste of time to insist on a large amount of entropy for these things. Battery horse staple is where it's at. :)
Oh, yeah, my password manager is full of answers to 'security questions' like 'place of birth', 'name of first pet' and 'high school name'. Just about the only time that gets awkward, is when the same answers turn out to be required during certain phone conversations. Yes, I do in fact, happen to be born in Qjhdfoudvprx -- quaint little, very traditional village...
I used to give random strings like that. Next time you get asked one on a call, say "Oh I hate those intrusive questions so I just mashed the keyboard." Many support agents will accept that as a valid answer!
Yes, well, unless the poor CSR cannot actually see your answer, but has to enter it for a 'yes/no' response. Had a fun time with Rackspace support around the turn of the millennium, where I had used the output of 'openssl rand -base64 16' or somesuch, and that had to be entered verbatim, with the person on the other side apparently not understanding what a 'forward slash' was, and, yes, it was urgent...
Anyway, I don't find these questions intrusive as much as 'not fit for purpose', with a bit of (cultural) insensitivity mixed in. I once had to console a very-upset very-serious person from an African country with regards to the 'name of pet' question they just had to answer as part of a mandatory signup for a US-based third-party service, and which they just couldn't find an answer to.
And whenever I'm asked about "name of high school" or (even worse) "high school mascot", I'm tempted to flip out with something like "yeah, which of the seven-or-so I attended, for no-fun-at-all reasons, and most of which I don't even remember, but I can assure you none of them had a mascot", but then I just take a chill pill and mash my keyboard...
I do the same, but I have been using random words.
So for my gas bill, my pet name is `chlorine wastrel percept`.
Easier than pure randomness, and strong enough for the purpose.
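An added example, not part of any comment above: a sketch of the point made in the security-answer comments, that an answer compared by ear (case ignored, 5 heard as S) gets its strength from the number of random words, not from mixed case or digits. The 16-word list is constructed so the block runs offline, a list of thousands of words is assumed in practice, and all names plus the 0/O folding are assumptions of this sketch.

```python
import math
import secrets
import string

# Constructed sample list; far too small for real use.
WORDS = ["henna", "brain", "civil", "grown", "horse", "staple", "chlorine",
         "wastrel", "percept", "battery", "village", "mascot", "lunar",
         "gray", "proof", "journal"]

ALNUM = string.ascii_letters + string.digits

# 5/S is the confusion named in the thread; 0/O is an added assumption.
CONFUSABLE = str.maketrans({"5": "s", "0": "o"})

def as_heard(answer):
    """Fold an answer the way a lenient phone comparison would:
    case-insensitive, confusable digits merged, separators ignored."""
    folded = answer.lower().translate(CONFUSABLE)
    return "".join(ch for ch in folded if ch.isalnum())

def agent_accepts(spoken, stored):
    """True when the two answers are indistinguishable after folding."""
    return as_heard(spoken) == as_heard(stored)

def make_answer(n_words=4, words=WORDS):
    """Pick words with a CSPRNG; hyphens make the answer easy to read out."""
    return "-".join(secrets.choice(words) for _ in range(n_words))

def effective_bits(n_words, wordlist_size):
    """Entropy of n uniformly chosen words; decorations are not counted
    because the folded comparison discards them."""
    return n_words * math.log2(wordlist_size)

def folded_alphabet_size(alphabet):
    """Number of symbols a random string's alphabet keeps after folding."""
    return len({as_heard(c) for c in alphabet if as_heard(c)})

if __name__ == "__main__":
    print(make_answer())
    print(effective_bits(4, len(WORDS)), "bits with the sample list")
    print(effective_bits(4, 7776), "bits with a 7776-word list")
    print(len(ALNUM), "->", folded_alphabet_size(ALNUM), "symbols after folding")
```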
Using the earliest possible date isn't a great idea because it's very easy to guess if necessary for security purposes. Same for whatever the default date is, 01/01/1970, or any other date that follows a similar pattern.
Besides, lots of badly designed systems spit out the Unix epoch if they can't handle a date string for whatever reason. Then you can't tell whether you're looking at the date you actually selected or the default fallback date.
https://pubmed.ncbi.nlm.nih.gov/15970864/: “Although there exists a popular belief that the phase of the lunar cycle and weather conditions affect birth rate, no such evidence was found in this study.”
⇒ If there is a correlation, it is a very, very, non-obvious one.
Um, yes. And similar for any other PII that YetAnotherCompany wants for such purposes.
But First - look for the little gray "continue as Guest" alternative to creating an account. And if there isn't one, take a few seconds to think about good-enough alternatives. Your purpose in life is not to help boost online account count metrics.