Hacker News new | past | comments | ask | show | jobs | submit login
Why Are Creators Paying for TikTok’s Mistake? (eff.org)
181 points by panarky 26 days ago | hide | past | web | favorite | 120 comments

It's mind boggling that they just "forgot" about COPPA.

Out of curiosity I browse the Snapchat scrolling feed from time to time, and since a few months ago I have been inundated with TikTok ads. 90% of them seem to be targeting teenagers, featuring pre- to early teens, dancing in front of the camera and flicking rubber bands at folded pieces of paper with Sharpied messages on them.

Something like - "to all the boys who think I'm cute..." (note 1, rubber band flick) "wait till you see..." (note 2, flick to reveal third note, which is covered up by the TikTok logo that prompts you to download to find out the rest).

It seems more likely to me that they just followed the classic "move fast and break things," gambling that no one noticed.

The last time I encountered a COPPA opt-in was on the register.php page of a vBulletin forum where you had to enter your birthdate.

It doesn't boggle my mind. I'm sure very few services online would stand up to scrutiny. It's just that such few platforms are ever in that position.

Are you sure your not just mentally filtering it out? I see "[checkbox] I agree that I am 13 years old or the legal guardian blah blah blah" pretty frequently on signup pages.

That's possible, but not that I can tell. Neither Twitter.com, Reddit.com, nor Pornhub.com ask, for example.

Though, TikTok is a video platform with immense popularity among children. Put those two together and you're bound to be first on this sort of COPPA chopping block, so I suppose I do see how OP's mind could be boggled after all. Maybe it's "just" a fine of $5.7 million.

(1) In determining whether a Web site or online service, or a portion thereof, is directed to children, the Commission will consider its subject matter, visual content, use of animated characters or child-oriented activities and incentives, music or other audio content, age of models, presence of child celebrities or celebrities who appeal to children, language or other characteristics of the Web site or online service, as well as whether advertising promoting or appearing on the Web site or online service is directed to children. The Commission will also consider competent and reliable empirical evidence regarding audience composition, and evidence regarding the intended audience.

In other words, nothing substantial about whether it's actually used by children...

> The Commission will also consider competent and reliable empirical evidence regarding audience composition

It seems pretty clear that userbase demographics are a factor. It's the best evidence you can have.

In law, intent matters

> Neither [...] nor Pornhub.com ask, for example.

Funnily enough, I think it's fair for pornhub to assume their audience is 13 or older.

Porn sites used to make you affirm that you were at least 18, though. I wonder what happened to that.

They (pornhub) do ask people about their age, depending on the country they're visiting from. For Russians they even tied confirmation process to one of local social networks (source in Russian): https://tjournal.ru/flood/46247-kak-rabotaet-proverka-vozras...

Reddit terms that you agree to when creating an account say:

“Children under the age of 13 are not allowed to create an account or otherwise use the Services.”


TikTok allows users under 13 with some requirement that the person signing up should have their parent review these terms.

“If you are under age 18, you may only use the Services with the consent of your parent or legal guardian. Please be sure your parent or legal guardian has reviewed and discussed these Terms with you.”


That IMO was TikToks downfall... They should have simply said "No children under 13" and made a date of birth selector making it impossible to select a date younger than 13.

Children would then have to ignore the terms and lie to the date of birth screen (fraud) to gain access, yet I'm sure that wouldn't stop most of them.

TikToks as a company can publish age stats from the data 'proving' they have nobody under 13, and all of the above should satisfy FTC

> "They should have simply said "No children under 13" and made a date of birth selector making it impossible to select a date younger than 13."

I don't believe the FTC would consider this compliance, since such a dialogue is designed to encourage children to lie.

>3. Can I block children under 13 from my general audience website or online service?

> Yes. COPPA does not require you to permit children under age 13 to participate in your general audience website or online service, and you may block children from participating if you so choose. By contrast, you may not block children from participating in a website or online service that is directed to children as defined by the Rule. See FAQ D.2 above.

> If you choose to block children under 13 on your general audience site or service, you should take care to design your age screen in a manner that does not encourage children to falsify their ages to gain access to your site or service. Ask age information in a neutral manner at the point at which you invite visitors to provide personal information or to create a user ID.

A bit more to the point:

> In designing a neutral age-screening mechanism, you should consider: Making sure the data entry point allows users to enter their age accurately. An example of a neutral age-screen would be a system that allows a user freely to enter month, day, and year of birth. A site that includes a drop-down menu that only permits users to enter birth years making them 13 or older, would not be considered a neutral age-screening mechanism since children cannot enter their correct ages on that site.


> Children would then have to ignore the terms and lie to the date of birth screen (fraud) to gain access

Out of curiosity - is that really fraud? It doesn’t sound like it hurts the company.

Falsifying information to trick a company into doing something illegal (collecting data on a minor) for personal gain (ability to use service) sounds like fraud to me.

If you're considered too young to have the right judgement to vote, drink, die for your country or be married off (excepting the US states that still allow marriage from age 12[0]), you should also be too young to be held liable for fraud.


Isn't that the point, you pass off the legal liability to the user who can't be held liable and so bypass the need to restrict your service to over-13s.

lying isn't the same thing as fraud.

Yes, but exactly: it's on some user agreement policy along with all the other rules nobody ever reads.

I bet TikTok had the same thing. But look at TikTok's attempt at complying in TFA: they didn't just make a /policy edit. They started asking birthdate upon register/login but managed to botch that, so they started asking users for scans of their government-issued ID.

If these are the sorts of measures that the FTC needs to see, then who actually is compliant under scrutiny?

You can upload selfie image/videos directly to Reddit. Wouldn't Reddit be just as incapable of deleting all content from users that were <13yo at time of upload like TikTok was ordered to do?

Don't get me wrong, I think "Are you over 13?" is about as useful as "Are you over 18?" and "Do you agree with our cookie policy?"

And children "under the age of 13" are supposed to be reading terms of use?

>"It's mind boggling that they just "forgot" about COPPA."

These are United states laws for a Chinese company...

Yeah the Chinese don't mind either if American companies operating in China break their laws.

The Chinese government is a dictatorship that restricts its citizens access to websites which dont follow their regulations. I dont see what your point is supposed to be here.

I assume they were being sarcastic...

Yes its amazing I work a lot on sites in the Drinks industry and the amount of effort technically and on the legal side to make sure the age gate works correctly is huge.

And this is a brand (cant say which one) that has well over a hundred brands and works in almost 200 countries.

Can I just say how much I hate those? It's not like someone is going to verify it, and I have no idea what happens with that data, either, so I always put the wrong date. If, that is, I even bother to do that. Most of them are easily bypassed. This idea that these are somehow legally required boggles my mind. You don't ask my age before advertising to me...

Also totally bogus. Which jurisdiction even counts?

When I am of legal drinking age in Germany (16 years for beer) but visiting a micro brewery page from the US (21 years in some states, right?) - what does that mean then? :P

They should have a site for the German locale which is what myclinet does - same problem occurs whit competitions you have to exclude states that don't allow some types of competition.

They must have missed that episode of Silicon Valley

Tangent: I don't trust TikTok. I notice "they" use bots on other media platforms to post gifs/images with their logo (Imgur was getting this a lot) to drive people to their platform.

Couple that with that we now know how Russia (and ostensibly others) are using social media platforms for manipulation, and it just seems rather suspicious.

I'm probably just being tinfoil hat paranoid, but I feel like memes are basically vehicles for propaganda and we should be cautious with where we spend our time.

>Couple that with that we now know how Russia (and ostensibly others) are using social media platforms for manipulation, and it just seems rather suspicious.

TikTok's parent company is a Chinese tech company headquartered in Beijing, so I would be astonished if it wasn't a stalking horse for some kind of PRC surveillance.

Any thoughts to their motivation for doing this, seems like a waste of time, or maybe a thought experiment on their part.

Why leave data on the table

This whole time I've been worried about Belt & Road, South China Sea militarization, and tech IP theft - who knew that the secret to China's world domination would be through the lip syncing aspirations of our pre-teens!

They are spamming their app to make money. There's no political conspiracy.

That's totally possible and maybe even probable lol :)

> "they" use bots on other media platforms to post gifs/images with their logo

Are you sure these are bots? They might just be regular users that download these videos through the app. No matter what, when you download a video on TikTok, it downloads you a watermarked version.

I can't speak for every post, but there are plenty that are bots. At first I thought the same, because I noticed people leaving notes on these posts like "Don't upvote, bot" (not that it ever mattered) but I wasn't sure - so whenever I saw tiktok I started checking account histories and nearly every time it was an account with no activity other than maybe one or two failed tiktok posts, then one successful front page post. There'd also be posts that took already successful FP content, and reposted it with the tiktok branding.

Not very scientific, but it was enough at the time for me to sort of take note.

I was going to say this. TikTok makes it trivially easy to download content by default. I've probably got a couple hundred videos in my photo library now.

If you share video through their platform, it will have their logo. I do, because if I want to share video with music and so effects, TikTok is the easiest one to use, and then I share the video on other platforms as well, with the logo of course.

If you don’t trust tik tok then please use their platform as the paranoia will make you prudently cautious.

There really isn’t much reason to treat any social media company as trustworthy, or the networks themselves as inherently safe and healthy. Both Syria and Christchurch provide ample evidence for the dangers they can transmit.

> Couple that with that we now know how Russia (and ostensibly others) are using social media platforms for manipulation, and it just seems rather suspicious.

PR and propaganda is essentially the same thing. It shouldn't be a surprise to anyone that private actors are engaging in the same kind of social media manipulation as state actors. Every ad you see, every business social media account and every mention of the benefits of a product or a service in a blog should be considered first as a deliberate attempt at exploiting your concern and manipulate you into wasting money or time.

So no, don't take off your tinfoil hat, but make that it shields you from the EM radiation evenly :)

I mean isn't every form of social media a platform for influencing(another word for manipulating) people?

of course that every government will try to abuse it, so will corporations, it is very convenient and profitable for them.


Um, what? All you've stated is "look, the CIA is manipulating people, so dont worry about Russia or China manipulating people", which again makes little to no sense.

I was replying to the blind blaming of the evil foreigner in 'that we now know how Russia (and ostensibly others) are using social media platforms for manipulation'.

That's just spewing hate against others.

It's not 'spewing hate' to point out relevant verified actions of an organization.

pure whataboutism.

>defaulted to putting in the current date while also not making crystal clear to users why it needed that information and what could result

It's been years since I've worked with COPPA, but isn't it illegal both to 1. default to e.g. 1970-01-01 so that accepting implies you're of age, and 2. for your prompt to be "You must be 13+ to use this service. If you are under 13 your videos will be deleted. What is your birthday?" because you're basically encouraging kids to lie?

Just leave it blank and force the user to explicitly enter something? I don't see how defaulting to the current date is ever useful for date of birth from a user interface design perspective.

Defaulting to the current date is just lazy coding - lots of date UI controls do that by default.


Also whenever you ask for a birthdate don't use a datepicker (or use one that allows selection of the year)

It's not fun dragging or scrolling the picker month by month until you get to your birthdate

Those of us with birthdates back in the '60s salute you.

It's been a while since I dealt with COPPA, but I'm almost positive you're correct.

The FTC's FAQ page on COPPA compliance concurs:


>If you choose to block children under 13 on your general audience site or service, you should take care to design your age screen in a manner that does not encourage children to falsify their ages to gain access to your site or service. Ask age information in a neutral manner at the point at which you invite visitors to provide personal information or to create a user ID.

> In designing a neutral age-screening mechanism, you should consider: [...] Avoiding encouraging children to falsify their age information, for example, by stating that visitors under 13 cannot participate or should ask their parents before participating. In addition, simply including a check box stating, “I am over 12 years old” would not be considered a neutral age-screening mechanism.

Having gone through this just recently I feel compelled to comment. I feel this isn't being discussed more, because parents are ashamed they allowed their children to use the service (I am not).


My kids started on Musical.ly before other social media. Private accounts, IRL friends only.

My daughter, a TikTok user was prompted one day to enter her birthdate.

Not thinking too much about it (and without asking me), she did so. She entered her birth DAY but used the current year: 2018 (see the article). Should be an easy fix right?

Despite this obvious error (do 5 month olds really use the app?) she was now locked out.


We requested a copy of all her videos.

TikTok sent a text file to our email with a list of MP4 URLS.

I downloaded a browser extension to help auto-download this rather extensive list.

My daughter now has a new account, with a just old enough age to not get locked out again. sigh


TikTok literally built a billion dollar business on kids and are now giving them the boot.

Age requirements for any web app always struck me as a joke. I'm sure everyone is telling the truth when they click "I am over 13/18 years old".

Somehow I'm reminded of the Leisure Suit Larry age check [0]... which for a young teenager all those years ago was quite hard. You need to be a certain age to get quite a lot of the answers.

[0] Sample questions here: http://allowe.com/games/larry/tips-manuals/lsl1-age-quiz.htm...

For a young teenager back then those were hard. For a mid-late 20 year old today they're still hard.

I wonder what sort of questions one would ask to implement such a age verification scheme these days. Ask, "what does AOL stand for?" or, "which one of the following audio clips is 'the dial-up tone'?". Or how about "what is a 'hanging-chad'?". Heck that last one doesn't even work anymore, there are 18 years today born after the 2000 election... I'm getting old.

Although I guess Google and widespread internet adoption has rendered this kind of age verification useless.

I know the answer to the first two of those, but I have never heard about a “hanging-chad”. Is that something people from outside of the US (as I myself am) would be likely to know?

Even AOL, which I happen to know about is something I think few people in my country would be likely to know.

These questions strike me then as not purely relating to age but also to culture.

And even the dial-up tone question could be difficult for some people to answer. We had dialup at my child home but not everyone did.

And like you said, most questions can be Googled anyway.

Hanging chad is a reference to disputed ballots in to 2000 presidential election, Hence my reference to the year 2000 [1]. Definitely yes, these are questions about culture rather than age and is more specific to Americans. The same applies to the original Leisure Suite Larry age questions [2]. My post was intended to be more humorous than practical.

1. https://en.wikipedia.org/wiki/Chad_(paper)

2. http://allowe.com/games/larry/tips-manuals/lsl1-age-quiz.htm...

That was the first time I had heard the name Nixon and prompted me to learn about Watergate from the dead-tree encyclopedia in first grade.

I've always pondered whether this could be an effective way of tricking children into learning bits of history like trying to understand jokes from The Simpsons or the little bits of trivia that used to pop up on the loading screens in Call of Duty single player modes.

Nah it wasn't that hard. You just guessed till you got five right, while recording the ones you got right and wrong so you could change your guess. It didn't have that many questions, and some of them you could look up in the encyclopedia, or just yell down the hall and hope your parents didn't wonder why you were asking about Nixon. :)

"Peter Piper picked..."? Was that an adults-only tongue twister at some point? How is that supposed to distinguish an 18-year-old from a four-year-old?

It takes it from 'we didn't even bother asking' to 'the person actively lied to us when we tried to do the right thing'. Seems like a big difference in responsibility to me.

I don't deny that TikTok made a mistake. I'm pointing out that in practice throwing up an age gate changes nothing. Sure, it's a dirt simple way of avoiding responsibility and TikTok should have at least done that much (doubly so since a whole story arc about this was aired on Silicon Valley). But if we really care about keeping under 13-year-olds from using these web apps or having their data collected then a more robust system of verification should be implemented.

I think the point is nobody really cares about stopping 12 year olds using the service.

The 12 year old themselves wants to use the service. The service wants to be used. Most parents want their child to be able to do what they think is fun.

The only people against it are the people who don't want to properly supervise their children online, but also don't want them disadvantaged, so want the entire online service banned so nobody gets access.

COPPA isn't about preventing children accessing the service, it's about protecting their right not to have their personal data gathered and sold. Wikipedia has a reasonable summary: https://en.wikipedia.org/wiki/Children%27s_Online_Privacy_Pr...

isnt that all out of the gate once the kids press the "Im over 13 y.o"(or input false d.o.b) button to use their app/site?

If yes, then Im not sure what it protects except false sense of security

Yeah, like what was the lowest age their ad targeting tools would go?

It is very strange, but either the government just wanted to pretend it cared (back when they introduced the law), or it doesn't care and accepts that this implementation is good enough.

Interestingly with all the cameras on devices and AI/ML to recognize age and gender from a face, if this law came around nowadays they'd probably mandate face scanning to determine that you're of age...

> but either the government just wanted to pretend it cared (back when they introduced the law), or it doesn't care and accepts that this implementation is good enough.

It's all about responsibility transfer, I think.

If you've ticked some box that you should not have, then it's YOU who is responsible for whatever bad may happen.

It's not far off:

> When a UK IP address attempts to access a website with pornographic content, the person browsing the web will have to verify themselves. It's up to each individual porn website to implement the technology that allows people to prove they're old enough to view the material.[..]

> The first [option from Yoti] is using your face. There will be the option to use the camera on a phone, tablet or computer and Yoti's "age estimation technology" will determine whether the person is old enough to access the explicit material.


When customs asks you to check off off that you aren't a murderer or drug smuggler or terrorist, they aren't expecting you to confess on that scrap of paper, they want to be able to go back if they later suspect you and say "here is the form where you lied to the U.S. government."

I keep getting SMS text messages from TikTok several times a week even though I have never used the service. They are in the format:

[#][TikTok] 1234 is your verification code aBcDefGhij1

At first I assumed these were someone accidentally or deliberately giving TikTok my phone number when registering. But if they never got the code, How could they activate the account? So why would they (or others) keep using my number? I read online that it may be a confirmation needed to delete an account. But that implies that TikTok accepted my phone number without verification. And again, if the person didn't get the code, what good did using my phone number do them?

All very dubious.

I remember years ago, at a startup, we had a person complaining that they were getting SMSs from us several times a day. It turned out that we had a test that wasn't properly mocked, it also used a 'fake' number which was actually a real person (should always use 555 numbers in tests). So every time the tests were run, this user would get an SMS similar to what you are getting.

> should always use 555 numbers in tests

...And don't give your test suite access to the real world.

Reminds of me a "spa confirmation" I got to my email a few weeks back from a spa 3,000+ miles from me. We called to clarify and they embarrassingly admitted that they used our email address, assuming it wasn't a legit address. The funny part is my email address is not generic like testguy@gmail.com. It was an amusing call.

This could be a way to get their name out there? And claim it's a bug in their verification system or something if anyone asks.

Could be. I've had emails from other services which were clearly fishing for me to respond to an account registration that was "accidentally" sent to my email address, probably hoping that I'd take on the account or see what the service was and create my own.

Yeah, that has happened to me too. Not sure why my comment has been downvoted.

This reminds me of a great quote from Tropic Thunder: "Behold, God's mistake!"

Anyhow, interesting to see the eff getting in on what it perceives as a dark UI pattern. I ran through this age check screen and had no problem.

I do not see a profound issue with creators that rushed through it having to submit gov ID. If the account is that valuable, teenagers can get ID. Frankly, they should probably have one anyway.

Related: “New hunting ground for paedophiles: Chinese apps” https://m.timesofindia.com/india/new-hunting-ground-for-paed...

>The FTC required TikTok to “destroy” the “personal information” of any account belonging to someone currently 13 or under...

If they are required to "destroy" the data, how can they restore it after proving age using a government ID?

I thought that too, but perhaps only personal data is deleted irrecoverably, allowing them to retrieve other/periphery account data; maybe an account's "fans" aren't considered personal data, for instance? I'm not familiar with TikTok, admittedly.

Otherwise, perhaps there was some delay on account deletion?

A 30 day delay on deletion is commonplace

The problem isn't they forget, it's more along the lines of their culture. In China, they do the {thing} first then apologise.

On a related note, TikTok is just a rebranded version of DouYin [0] which was originally built by a small group of young programmers called Beijing Shaking Youth [1]. It wasn't until their recent funding [2] they sent up an office in the USA by which time the damage had already been done. Not only do they violate laws their app is riddled with dark patterns by US standards (all of which btw is normal in China).

If you go on LinkedIn and look up Jobs in Los Angeles you'll notice TikTok has 1200+ open positions. You'll also notice they're hiring people specifically to develop policies for each region.

[0] https://Douyin.com

[1] https://www.reddit.com/r/OutOfTheLoop/comments/9iy84y/whats_...

[2] https://techcrunch.com/2018/08/08/bytedance-is-raising-2-5b-...

>their app is riddled with dark patterns by US standards (all of which btw is normal in China)

I've never used tiktok, could you give a few examples?

" In China, they do the {thing} first then apologise."

That's startup culture in the U.S., too. It was popularized by the likes of Facebook, Uber, and Airbnb. Chinese companies also do their own version of it.

"its easier to ask forgiveness than permission" is an ancient tenant of business at this point

"they do the thing first then apologize"

This isn't Chinese culture, this is what any capitalist willing to accept some risk does. If anything, they learned it from us.

The mistake here is not the prior lack of COPPA compliance.

The mistake here is their rushed implementation of the compliance.

Why do I feel like many companies, in the exact same situation, would have also messed up?

Aggressively deleting accounts of even older users due to messing up birthdate collection, with no recourse is such a bone headed move. Falling back to defensively asking for government ID can't really be counted as recourse.

This is the same exact thing that happened to Dinesh and PiperChat on Silicon Valley...

Seems to me that they totally forgot about COPPA when designing the app, and then hastily added the age verification in response to the FTC fine. Didn't test the change properly, rolled it out, and disaster ensued.

> We hope online service providers of all stripes learn from TikTok’s mistakes.

Right; heaven forbid the users should learn a lesson about stuffing content into someone's walled garden.

When I get into Youtube from a private browser, it shows videos in my country. What if I'm under 13? Clearly it's using my IP and it doesnt ask whether I'm 13 or older?

COPPA isn't about banning people under 13 from the app. It's about gathering personal information from those users, and about letting them delete their content.

This means if you're under 13 you can watch videos on YouTube, but you can't create an account or use notifications or subscriptions.

THis does create weird things though. Children like that notification bell, and so they use their parent's accounts. This means advertisers think the person viewing the videos is over 18, and that it's okay to show ads for alcohol or gambling.

That's not ok in the UK, and the regulator tells advertisers to be more careful when placing ads.

"Please sign in to verify age" pops up all the time on youtube, it depends on the content.

They're not collecting personally identifying information so what's the problem?

I think COPPA applies to US only. TikTok is doing fine elsewhere in the world. Anyway, I wonder how big a market US is for TikTok?

Oh yes someone is asking the real questions here!


Creators are paying for TikTok's mistake because TikTok made even more mistakes in attempting to comply with COPPA.

Why does the EFF care about this?

Why wouldn't the EFF concern itself with the careless and disorganised response of a digital company to online privacy legislation?

I support EFF from time to time, but ISTM this case could have inspired some reflection on the not-completely-graceful COPPA regulation itself, in addition to the low-calorie castigation of the latest Chinese-origin USA moral panic. How effective is COPPA in meeting its stated goals? Could it be more effective, with fewer undesirable side effects like those described here?

"Users logging in for the first time after the order were prompted to give their birthdate, but TikTok’s own interface defaulted to putting in the current date while also not making crystal clear to users why it needed that information and what could result."

If you can't work a birthdate field in 2019 you should not be on the internet.

My daughter did this by accident - she'd run rings around you on the Internet.

Don't blame the user for terrible design.

Have you never had your phone slip in your hand and hit something you didn't mean to?

It seems to be TikTok should be castigated for the first two mistakes (allowing children on their platform, and implementing the birth date dialog poorly.) However their response to that second error seems sane to me. If they're going to reactivate accounts closed for being too young, shouldn't they make an attempt to verify the age of the person reopening the account? I doubt the FTC would be amused if TikTok started permitting 12 year olds to reopen their accounts with no form of attempted verification.

Also I'm not quite sure I buy the argument that the birth date dialog was bugged. Defaulting it to the current date is dumb, but was it really non-functional for some users? Really? Or did some users just click past it unthinking, annoyed that they were being asked something without bothering to stop and look at what they were being asked? The later seems more likely to me. These users would doubtlessly be annoyed, but what really can be done about that scenario? Those users should take it as a learning experience and be thankful TikTok is a thoroughly frivolous platform so they lost nothing of worth this time.

If it's possible to click through a form with all defaults retained, you should assume that some users will do so. It's probably also safe to assume that deleting their account and all of their uploaded content is not the typical user expected behavior from doing so.

I don't think the problem was defaulting to the current date. No default is probably better in general for this sort of thing, and in hindsight it definitely would have been better in this case. But for a field for which you really need the user to provide a value, if you're going to set a default, that default should be obviously and universally invalid (the current date qualifies for that when you're asking for DOB), and you should have logic in place to deal with obviously invalid inputs.

Sure. But even if they did that form right, they'd still have some adults flip the year a few years, some falling short of 13. At that point they get banned because that's what the FTC requires, so what procedure do you use to let them appeal? Asking for an ID seems reasonable to me.

I agree that the appeals decision is a little bit tricky and that asking for an ID is probably the best option in those cases. But I'd bet that some very basic, sensible validation would have reduced the number of those cases by orders of magnitude.

You could ask for a CC or something like that, which wouldn't be bulletproof but probably reasonably good enough. But I think you'd still have the EFF complaining that not everybody has a credit card, particularly teenagers, just like they object to the photo ID requirement.

Asking for a photo ID was probably easier for them than asking for a credit car though, since with the credit card method they now have to worry about PCI compliance. Getting themselves out of one regulatory shithouse by walking into another probably wasn't something they were eager to do.

They could ask the appealing user to upload a quick video of themselves requesting the appeal, and then use common sense to grant the appeal to people who reasonably appeared to be adults. That might make the FTC upset with them a second time though, since you'd doubtlessly have kids filming and uploading appeal videos, which would probably put TikTok back in violation of COPPA...

I don't think asking for a link to other social media like facebook would help, because even though Facebook is presumably in compliance with COPPA, somebody having an account on Facebook and being in compliance with COPPA doesn't necessarily mean they are >13 years old; their parent or legal guardian could have given them permission to use facebook, but not tiktok. So you can't assume that control of a facebook account means they're >13 or have parental approval to use your service.

There might be other ways out of this mess, but I can't think of any at the moment.

> was it really non-functional for some users? Really?

What matters is the result, not some technicality like whether the form worked correctly in every browser.

And the result was bad. No users were actually zero days old but they got their videos deleted just the same.

When you get bad results, don't blame the user for not understanding your system. It's always a bad design.

See also: Boeing 737 Max

What's the minimum age do you think? You've got toddlers running around with ipads. I know they use youtube, they might be using tiktok as well.

TikTok assumed that what my daughter entered was correct. The birth date she saved made her 5 months old.

> These users would doubtlessly be annoyed, but what really can be done about that scenario?

Easy--never create an input field where clicking through on the default value is guaranteed to do something the user doesn't want, irreversibly. That's terrible design.

That doesn't really solve the problem, only reduces the magnitude of it. You'd still have 30 year olds entering something like 2010 as their birth date just because they're impatient, didn't care to provide their real birth date, and didn't realize the significance of the question.

They'd go from "wtf stop asking me questions" to "you don't need to know that about me" to "wtf I'm locked out?" in about 5 seconds flat. And I don't think there is anything you can do about that. If they implemented a second chance system ("are you sure about that? input a different year or we're going to lock your account") it sounds like that would be another violation of COPPA, defeating the point of the whole ordeal.

Of course good design won't solve every single user problem, but it will solve a lot of them, and we have a responsibility to do that.

> Also I'm not quite sure I buy the argument that the birth date dialog was bugged

Sorry to break it to you, but this happened to my daughter. Defaulted to 2018, she saved quickly (assuming her birth year was the default) without noticing.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact