Tell HN: Dropbox user age verification feature can lock your account
Dropbox released a "user age verification feature" today, which is a simple set of drop downs for you to fill in your birth date.
I made the mistake of choosing "2022" as my year of birth instead of my actual year of birth.
Obviously this is my mistake, but a warning to anyone else: I now have 48 hours to backup my files before I will be locked out of my account, and Dropbox support has been unable to confirm that they can fix the "issue" for me.
I think this is the single worst "feature" I've ever encountered in a software application. I'm honestly shocked. > Obviously this is my mistake No, it isn't. 2022 should not be a valid date of birth in the first place. And the account being locked because of that should probably also not happen without additional checks. It's okay to have standards even when most UIs are bad. Coder sees "We need feature X". Coder implements feature X, marks it as complete; next. So they have the coder (implementer) role covered, but not the "programmer" role ("thinker"/feature designer). Leslie Lamport - Thinking Above the Code: ~ A lot of people like to think that they're thinking, but they don't really do much thinking. [1] Evidently, there was no expectation that the coder/implementer was supposed to do any thinking here. This got past the undoubtedly upwards of nine product managers/business analysts/directors/etc on the team as well. Blaming the low man on that totem pole in a organization thick with management like that is silly. None of the "idea men" had the idea of "what if someone's cat walks across the keyboard when we ask them their birthday". That's the embarrassing failure here. This could actually be a feature and not a bug from a legal perspective. If they are blocking anyone who gives any indication that they are under 13 then it might be easier to show compliance with COPPA. This has made me wonder at times if the best way to get my data delete from someplace is to talk to customer service and repeatedly say that I'm twelve. That's definitely how it explicitly worked at one workplace; to the extent that account restrictions could form a poset, if we had evidence that some restriction might be required (e.g., from multiple forms of age evidence, do any of them indicate this might be a minor or some other protected class), that restriction would be applied. What should be the lowest valid date of birth? Is there some universal standard? I know it feels like 4 months is quite young, but where would you draw the line? At least in the US, I don't believe you're supposed to use the internet unless you're 13 or older. You could start there for your dropdown. My kid made a presentation for his class using Google Docs, then filled in his day of birth on his new phone when setting it up, then got locked out of his account. He was 12 at the time. Also, his class had a WhatsApp group chat in which school info was shared. This was kind of weird because it meant that all 12 year olds in the group must have cheated their dates of birth, because otherwise they could not have had a WhatsApp account Cheating on your DOB is a rite of passage on the internet. I did it in the 90s. I think my old hotmail account still has my mom's bday in it One of the main results of COPPA is teaching children to lie about their age on the internet. Why yes I was born on the 20th of April, way back in 1969, why do you ask? I’ve been a 41-year-old single dad ever since I was a nine year old. 90s? COPPA didn't go into effect until Q2 2000. Sorry, I was 10 so I don't have the best memory of the era. Lol. And I still probably lied about my age in the 90s. I doubt StarCraft allowed 8 year olds to play on battlenet Er, no. There is an actual privacy law with teeth if you're under 13 ("COPPA"). Companies don't want to be subject to any such regulation, so they choose to prohibit anyone under 13 from using their services. It's widely assumed that people under 13 simply work around these prohibitions by lying about their age, but as long as the companies don't have specific knowledge of this then legally everything is fine. Making the dropdown preclude ages under 13 could be interpreted as companies encouraging this behavior, and is thus a non-starter compliance wise. Thank you! Thank god there's someone who knows why features like this are being implemented. You can't just say you're compliant by adding a button that says "I'm above the age of 13." Dropbox has to include ages younger than 13 in their dropdown selection. Funny, the law about alcohol and tobacco related websites must not have the same “teeth”, to use grandparent’s wording. In those websites, a simple modal that says “Yes I am over 18” (tobacco) / “Yes, I am over 21” (alcohol) or “No I’m not” is what everyone uses. Not sure about those laws but yes, COPPA is more strict. Per the FTC: > In designing your age screen, you should ask age information in a neutral manner, making sure the data entry point allows users to enter their age accurately and does not default to an age 13 or over. An example of a neutral age screen would be a system that allows a user freely to enter the month and year of birth. Avoid encouraging children to falsify age information by, for example, stating that certain features will not be available to users under age 13. In addition, consistent with long standing Commission advice, FTC staff recommends using technical means, such as a cookie, to prevent children from back-buttoning to enter a different age. No, That's expressly not allowed. https://www.ftc.gov/business-guidance/resources/complying-co... >If you choose to block children under 13 on your general audience site or service, you should take care to design your age screen in a manner that does not encourage children to falsify their ages to gain access to your site or service. Ask age information in a neutral manner at the point at which you invite visitors to provide personal information or to create a user ID. >In designing a neutral age-screening mechanism, you should consider: >Making sure the data entry point allows users to enter their age accurately. An example of a neutral age-screen would be a system that allows a user freely to enter month and year of birth. A site that includes a drop-down menu that only permits users to enter birth years making them 13 or older would not be considered a neutral age-screening mechanism since children cannot enter their correct ages on that site. >Avoiding encouraging children to falsify their age information, for example, by stating that visitors under 13 cannot participate or should ask their parents before participating. In addition, simply including a check box stating, “I am over 12 years old” would not be considered a neutral age-screening mechanism. > No, That's expressly not allowed. Is "allowed" the right word, given "This document [...] is not binding", "guidance" and "should consider"? On an unrelated note: > consistent with long standing Commission advice, FTC staff recommends using technical means, such as a cookie, to prevent children from back-buttoning to enter a different age. So if 12-year-olds learn about a website they don't want their parents to ever visit, they just have to preemptively try to visit it from the same computer and tell the truth? I hear platforms ban < 13yo due to cost of compliance. Is this true? It was simple on Neopets when COPPA was new - just faxed a signed parental consent form so I could access the forums. You're definitely allowed to use the internet but there are very strict rules on data collection. I think the intent is to keep people under 13 from using the internet socially or being exposed to the data collection/PR/ad machines. I believe many countries have special laws about the online activities of children below the age of 13. Seems like a good cutoff. it varies from place to place but perhaps the minimum age for participation in a legal contract/useragreement to be binding I've been seeing age checks like this more and more. Recently the FTC came down hard[0] on Kurbo (aka Weight Watchers) for not doing enough/anything to stop children under 13 (COPPA) from making accounts. Since they're not confident there's no children with accounts, now all Kurbo's data is tainted and they have to delete all user data and destroy any "algorithms" derived from that data. Historically Dropbox probably never asked for a user's age so they might worry they could run into this problem in the future. The threat of all a company's data being tainted is a huge one, so of course they're now overreacting a bit. p.s. hopefully you can get your account fixed, but if not, you could use the amazing rclone[1] tool to copy your files off. (it's rsync for cloud storage). Or you could just put them in a folder shared with another DBX account. [0] https://www.ftc.gov/news-events/news/press-releases/2022/03/... OK but if you read the link you included WW specifically MADE an app for children and collected the data: "the agency... marketed a weight loss app for use by children as young as eight and then collected their personal information without parental permission." That is pretty wilful -- so we can be confident they have or had data targeted from children. Dropbox on the other hand -- I'm not sure how that case is similar. Are children now allowed to use cloud backup services? Why wouldn't they? Fair point! That does seem like a key difference. But I still wouldn't be surprised if all tech industry legal/compliance teams have been spooked by this. Also under COPPA no one under 13 can make an online account for anything, regardless of what it is. So it's definitely still illegal for Dropbox/Twitter/HN to have 12 year olds with accounts (without parent consent). They might just want to be able to demonstrate to the FTC that they're confident there's no children with accounts, instead of just telling the FTC "it's well known children don't really use cloud storage services anyway so we never bothered to ask for age". If you read the link at the link, they specifically call out maintaining accounts of kids who revised their birthdate below the limit, and for encouraging kids to lie by stating they had to be at least 13. > Are children now allowed to use cloud backup services? Why wouldn't they? It's basically a service for storing personal information, so probably not without parental consent. > It's basically a service for storing personal information, so probably not without parental consent. I'm not sure I see the logic there. The previous poster who said in the US children under 13 are not allowed to have online accounts makes more sense legally. Children can obtain parental consent for some online accounts, if the site supports it. Ex. Microsoft - https://support.microsoft.com/en-us/account-billing/parental... IANAL, but my understanding is that nothing in COPPA prevents children under 13 from making accounts or using Internet services. If this were true, Roblox would not exist. COPPA only limits collection of children's personal information. A company that says COPPA prevents them from allowing children to use their services really just doesn't want to go through the effort of not collecting that personal information. So, instead they throw up their hands and just blanket forbid children under 13 from signing up, to avoid having to comply with the law. But, this is their own policy, not anything mandated by COPPA. Kurbo is really controversial though. It’s a health tracker specifically for kids,
as young as 8, which focuses on calories and weight more than nutrition. And it tracks everyone’s data, so because of technicalities if the child is under 13 the parents have to sign them up (still tracks their data). I've gotten into the habit of being born on January 1, 1970. Seems like a good enough date to me. I always like to see how old I can make myself. 1902? (The 2038 problem in reverse.) 1776? 5 B.C.? My experience is that I can usually only go back to the 1930s. Ha, I do that as well. They're almost always menus and so I just pick the bottom-most box. Steam thinks I'm 120 years old. i wonder though if doing that doesn't risk detection since it's pretty obviously false. I am not sure if I care about detection. They will obviously shut down your account if you're too young, but they don't have any legal demand to shut down your account if you're too old, so they probably won't bother. Most of the places where I see these things are not services like Dropbox where I'm a customer, but for things like alcohol marketing websites. "To view our collection, you must be over 21. Type your age to verify." The law requires them to ban me for being under 21, but doesn't require them to ban me for being "too old", so they probably don't bother. (I imagine the hot topic at meetings is when they provide a year dropdown, what's the oldest year they should add. If the world's oldest person wants to visit their website, that should be allowed.) well, they could shut it down for being an obviously fake account. Same here.
I imagine someone at the company in some meeting: "We've even got a couple users who are in their 90s!" I'm born on January 1st, <Scroll down far enough> Hah, now you say it, I realize the distribution must look really funny. Wow whole lotta people born on jan 01! And stranger yet, no curve. Note that this is due to legal requirements around discovering a user's age in a "neutral" way, in order to block under-13 users (or varying other ages depending on global jurisdiction). This is called a "neutral age screen". The screen cannot indicate that there will be a lockout, or underage users would just say they were older to get around it. It sucks, but most apps of a certain size and liability profile have to implement it this way. Does the law also state that you can't fix the date afterwards, or that once entered verification is required? It's a paid account, they've already got my credit card details. And how does it make sense that I was born 2 weeks ago? I don't know, I felt really stupid when I entered the wrong year but since then I've grown increasingly frustrated by how poorly this feature has been implemented. Wouldn't it kind of defeat the purpose if you could simply change the age after? This is how I got locked out of my 10 year old skype account (good riddance). The support _cannot_ do anything due to some silly child protection laws (coppa maybe?). The age verification feature is for COPPA compliance, but I’d really like to see the provision that prevents correcting errors. They will correct errors, after you give them a bunch of document scans or a credit card. I wasn't willing to provide that to a random foreign company for a free service, I just moved to Discord. So it was correctable, and so no problem. The inconvenience isn't important when it's an outlier event. Does everyone bungle their Skype account profile 3 times a day or did it happen to one person out of millions and only one time in that person's life? For outlier cases, any form of redress at all is ok. All that really matters is that there IS a procedure at all and it is doable (doesn't cost $1000 or require something impossible). Unlike say getting your google/gmail account fixed when there is no such thing as a google customer support # you can call to fix things that the automated processes got wrong. The only problem I see is the discrepency between creating and updating. If there is a valid reason to require proof of age to update an account from child to adult, then by rights exactly that same proof should be required to create the account in the first place. then the convenience matters, and there should be some more practical way to supply something which is legally accepted as good enough, and that should be the same for both creation and update. I don't think we really have that "something", especially not globally and absolutely positively not anonymously. By now, in most countries there is probably some form of standard ID that most people in the country either have or can get. But they are different for every country and definitely creates a first world discrimination filter. Thinking about that, it seems like the whole idea is misguided and imvalid, unworkable. How would one do it? Even in a 1st world country and me having both a SSN and a drivers ID and or government ID, it still leaves the problem of anonymity and multiple/temp accounts etc, and still leaves the problem that I entered the wrong number which means probably someone ele's number, which means someone else could enter mine...so there needs to be a mechanism to prove that I own the number I entered, which there is no such mechanism. Maybe if ID#'s were really key pairs and you never simply entered a number but instead signed something or proved that you could decrypt something signed, but that is a high tech fantasy world we aren't quite in yet. Kids should be protected from those who would exploit them, but requiring proof of age to use on-line services isn't a functioning way to do it. Yes, I get that procedurally firms make it harder to correct information than to initially enter it. I just want to see the justification that the law in question actually requires that. > to a random foreign company Fair enough, but I’m not sure Microsoft could be described as a ‘random company’ Interesting that not but a week or two ago there was a post on HN stating that dropbox had the best programmers in the industry. lol the interviewing.io guy that drank their own koolaid! I think most people that commented in that thread were able to spot the cyanide dissolving into the drink I just finished using rclone to pull down my whole Dropbox last night. I'm closing my account today. Their app was a piece of crap that never worked for me anyway. I'm going to look at rsync.net simply because their people hang out on here. Note depending on the amount of storage, rsync.net is substantially more expensive. For $100 a year you can get 2TB of storage with Google Drive, which works flawlessly with rclone. Additionally, for roughly $80 you can get 15+months of Office 365 Family which provides 1TB of storage each for up to 6 users which also works with rclone and restic. For the same storage with rsync.net you could be looking at $500.00/month, and I believe that is with single-location storage. Yowch. I didn't realize the price difference was so substantial. I have GDrive and OneDrive accounts too. OneDrive's Windows integration works great. I'm just trying to get away from Google and Microsoft tie-downs because I don't trust their ability to give me support if I got locked out of my account for some reason. A reminder that there is a "HN Readers" discount - just email info@rsync.net and ask about it. How about have some transparent competitive pricing on your website? Not only is this a potential way to mess up your own account, but these systems are often exploited by malicious attackers to cause people headaches or impact their finances. For example, an attacker will call up PayPal and give their name as the real name of a famous online personality. They will tell the support rep "Hey sorry, I signed up for this account but I'm only 12. Can you turn off my account?". The rep will assume it is a low risk/legit request and lock the account without doing any other checks. This has happened to lots of online streamers, like Ninja. use compromised credentials just to force the company to do the dirty work! chaotic something I found a Dropbox alternative: https://nextcloud.com/ I'm never going back. Way better in every aspect than Dropbox. Nextcloud is not an alternative to Dropbox. Dropbox is a cloud storage provider, and Nextcloud is a software that runs on a cloud server. One you pay for the storage upfront and Dropbox provides some redundancy of the data. With Nextcloud, you could set it up on a single service with no redundancy and easily lose all your data, plus there is administration and maintenance costs. You can sign up to many different Nextcloud providers https://nextcloud.com/signup/ NextCloud also sells a device with it preinstalled and easy to use Those providers aren't competitive in pricing with Dropbox, and even if you have a device with it preinstalled, you are limited to whatever redundancy is built into the box and configuring security/firewall rules, etc. Plus, a lot of residential broadband services limit upload speed substantially, so if you're restoring offsite it could take a very long time. Dropbox at least has some resiliency distributed across multiple servers. I don't understand the objection. Every service or option has some sort of unique differences from each other, and there is always some good and bad points, including dropbox. Google drive is free and surely pretty well backed up, but requires hoping a service with no customer support process at all just never decides to kill your account, and probably they scan your drive contents just like they do your email, or will some day if not yet. Onedrive requires creating and using a Microsoft account and who knows how usable it even is from linux (can it do a synced folder on linux or just the browser interdace?). Other services like Mega or idk what maybe don't have a folder sync feature or something, but are hosted in another country and possibly better protected against invalid take downs or spying. So nextcloud costs a little more or is a little more work to set up. Yes and in trade for that there are other differences like you are the one in ultimate control of your stuff. You may not prefer that particular set of trade-offs, but fundamentally, so what? There is always a trade off of some sort including with dropbox. Google One is $10 a month or $99 a year, includes live support and 2TB of storage. OneDrive works with rclone, which supports mounting and now bisyncing, and there are third party clients that work just like the official client. None of this and other differences disqualifies it as an alternative. If it's possible to save and access files from any browser, from any location, set up an automatically syncing folder, and selectively share access with others, then you have an alternative to dropbox, and all the other cloud personal storage services. All of which nextcloud can do. The differences just mean you don't prefer that particular alternative the same way as if you didn't like the color scheme, or more realistically say the need to make a microsoft account for onedrive, or the way google probably scans the contents of google drive etc. They are all still alternatives with various pros & cons. Setting up your own nextcloud on a publicly accessible service is no different. The cons like effort and cost are noted. The pro is there is no one else in control of your stuff and it's impossible to lose your account due to some age verification, or any other reason like "communiy standards" or billing dispute. The worst that can happen is your hosting provider can drop you, but that is a commodity and there are infinite other hosting providers and methods. Keep your own mirror so you don't care even if the hosting provider deletes everything. If any alternative to dropbox has to be identical in every detail to qualify, then it has exactly the same problems as well. An alternative actually has to be different in some way or else it's not an alternative but just more of the same, and there is no point in that. > None of this and other differences disqualifies it as an alternative. So your friend is in the market to buy a house and tells you about an issue with a particular realtor they are having, and you say... "I got a great alternative, you can buy a piece of land, rezone it, get permits, go chop down your own wood, build your own house with your bare hands..." They say to you, I hate my realtor... I don't hate my job. What you're suggesting as an alternative is more like saying that building your own car is an alternative to buying one. They aren't in the same league, and so while it makes sense for people to resell or offer Nextcloud as an option for self-hosted solutions or security, it makes no sense to try to say they are an alternative to Dropbox. > The differences just mean you don't prefer that particular alternative the same way as if you didn't like the color scheme, or more realistically say the need to make a microsoft account for onedrive, or the way google probably scans the contents of google drive etc. The differences doesn't mean that I don't like it, in fact I self host a lot of my own solutions. I'm just saying they don't really compare or compete. Sure, if you want to purchase an array of servers that are distributed across multiple regions and setup a Ceph cluster to distribute storage in a resilient manner then go ahead. By all means do it, but to act like that somehow compares to purchasing a service that already does this is just misleading. After that person spends tens of thousands of dollars to replicate what Dropbox does, then they can finally have an alternative that they never thought of before paying $12/mo. for Dropbox. Hyperbole is not a valid argument. Why didn't you go all the way and talk about declaring your own country on an asteroid? Because obviously what I suggested was to write nextcloud, in assembly, on a cpu architecture you invent. No one has to write any software, or design or build any hosting system, those already exist. And they are even effortless common commodities. The land is already zoned and cleared and permitted, and the house is already designed, and even already built. Popping a copy of already written and packaged software on a vps is some percent more work than creating a Google drive account, but that percent is not a million. Even if it's 500% more work, that is still trivial, 5x a few minutes. And even if you for some reason also need an insane availability garantee, it's hardly any more work to then put that behind a cdn, which are another low-effort commodity. Without even looking, I garantee that there is a pre-made nextcloud droplet ready to go on DigitalOcean that takes mere seconds to activate, and they are surely not the only service provider with an equivalent app-on-a-stick ready to go in a few clicks like that. And if their own backup offerings and network backbones aren't good enough already, without even looking I bet there is very little effort required to hook that up to CloudFlare. And this is all while avoiding the probably even easier one-stop-shopping path of just using aws for everything, just because F Amazon. Selecting a house built to order from a developer's catalog, or even buying land and hiring an architect, is indeed a perfectly exemplary alternative to buying an existing house from a realtor. Minus the stupid hyperbolic nonsense about rezoning, the example was in fact pretty good support of my point. Thank you! to add, even if you pay for someone else to host it, you still have to manage it to some degree, unlike dropbox/syncthing. Fully agree! I self host and my family uses it. For them, there's no difference, except that when at home (99% of time), "our cloud" (Nextcloud) is much faster. Spent several minutes trying to find the price. It's hidden under the "Support" menu for no reason that makes sense. Looks like it starts at €3600 per year for the basic plan, but you can't buy it, you have to "get an offer" which is newspeak for have a salesperson call you for several hours to upsell you. Definitely not a replacement for my $14/month Dropbox account. that's enterprise support obviously, but yes it's more legwork to host nextcloud than using dropbox Hi OP, if you want drop an email to my HN handle at protonmail dot com. I can't promise magic but can speak with a person at work tomorrow to try to get this resolved for you. Hi, thanks for the offer, I caved and provided Dropbox support with a copy of my passport and that seemed to be enough to resolve the issue (I hope, I really really hope). If you work at Dropbox I think it could still be useful to raise some of the concerns mentioned here with whoever is the product owner of this feature. I did the same thing the other day setting up an iphone. I went back to fix my birthdate, but it prevented me for a while, telling me that my real birthdate was "invalid" or some such, and that I should try again later. Eventually, enough time passed that my birthdate became valid and I was able to proceed. It was annoying, but honestly it was probably less annoying than coding that onboarding screen must have been. 1. Accidentally enter invalid birth date 2. Refresh page for the next 15 years until birth date is valid There was a Twitter hoax going around which had users put a birthday making them <13yo effectively locking them out of their account. It was that widespread that the company made a tweet warning about it. rsync + a bash script doesn't sound so bad now. (I don't give a fuck what the market or normies want) There are stuff like NextCloud now, that you can run by yourself. Rsync + a bash script is horrible to get going in a mobile device. (What is the fault of the mobile OSes, and if you can get by with a less hostile one, great for you.) Those open-core ones put some work on it. I use syncthing to sync my entire phone. Now I have a 64GB folder on my desktop that /is/ my phone, but all normal local files I can treat like any other file. Taking a picture with my phone and having it show up on my computer in 5 seconds is pretty close to magic in terms of file sharing. Completely free, andno central server to introduce "age verification" or whatever. Syncthing user of many years and a semi recent Nextcloud convert here. Sc is very, very cool but you must sync both ways every time, so after some time, if your phone runs out of space, things get hard. The "do not erase on 'server'" setting is pretty well hidden and claimed not to be supported and can break things. Also, for "one way sync", with super easy setup, i have not found an alternative for btsync (now called resilio). SC is too clunky to set up the client and in this case, running Nextcloud server + setting up clients is crazy complex. TIL about Unison and will try it out... i've had the same issue with PayPal i created an account when i was 16 or something, but never used it before 18 after age verification they suspended my account, but allowed to move funds to a new account with other e-mail address That's insane haha stop paying the lawyers, and this will stop happening. For those of you in need of an immediate drop-in replacement that won't tie you to an organization which will do the same thing a decade from now: Syncthing[1] is awesome. It's all FOSS, peer to peer, you're limited by your own hardware and network, and it uses PKI instead of some central auth service. The only reason I don't use it anymore is because I've switched to git for all my textfiles and rsync (lol I know) for archiving binaries, that won't work for people who use a lot of GUI tools though so I'd recommend you use Syncthing. One feature of Dropbox I take shameless advantage of is sharing files (not pirated material, FWIW) via a link. Suggestions on a replacement for that, since Syncthing can't do that? This. I found old save games still shared via Dropbox or Google docs that work 7-8 years later. The combinations I see in other comments are not going to survive that long. ipfs + the cloudflare gateway is great for that, I use it for sharing files here. You don't even have to install anything and can use EG: https://anarkrypto.github.io/upload-files-to-ipfs-from-brows... I've never used Syncthing, but I used to use Unison pretty hard. Why did you switch to rsync for binaries? Was it that you really didn't need bidirectional sync, or was it a failing of the tool to handle large binary files? I don't edit binaries (or if I do the edits are always saved in a new file) so I just need a full archive of them. Syncthing is overkill for this so eventually I moved away from it and now only a couple of my machines have it running. What's wrong with using rsync for that? Nothing. But rsync isn't in the same space that syncthing is trying to do. It's like comparing `scp` to something like `sshfs` mounted to a shared folder, and having an algorithm to handle file conflicts. I'm a heavy syncthing user, but still do rsync to deploy changes to my personal VPS because I don't need any of that. If you made an account at any digital service before you turned 13 make a new one. I got a google account banned because I needed to update my date of birth and at the time I would not have been allowed to sign up.