My kid has recently just quit playing Roblox because of the sketchy facial age check process. She said that her and all her friends know not to ever upload a picture of themselves to the Internet (good job, fellow Other Parents!!) so they're either moving on to other games or just downloading stock photos of people from the internet and uploading those (which apparently works).
What a total joke. These companies need to stop normalizing the sharing of personal private photos. It's literally the opposite direction from good Internet hygiene, especially for kids!
One aspect of this normalization of photo uploading is that, if a platform allows user-generated content that can splash a modal to kids, a bad actor can do things like say “you need to re-verify or you’ll lose all your in-game currency, go here” and then collect photo identification without even needing to compromise identity verification providers!
I truly fear the harm that will be done before legislators realize what they’ve created. One only hopes that this prevents the EU and US from doing something similar.
The fundamental question that needs answering is: should we actually prevent minors below the age of X from accessing social media site Y? Is the harm done significant enough to warrant providing parents with a technical solution for giving them control over which sites their X-aged child signs up, and a solution that like actually works? Obviously pinky-swear "over 13?" checkboxes don't work, so this currently does not exist.
You can work through robustness issues like the one you bring up (photo uploading may not be a good method), we can discuss privacy trade-offs like adults without pretending this is the first time we legitimately need to make a privacy-functionality or privacy-societal need trade-off, etc. Heck, you can come up with various methods where not much privacy needs trading off, something pseudonymous and/or cryptographic and/or legislated OS-level device flags checked on signup and login.
But it makes no sense to jump to the minutiae without addressing the fundamental question.
There seems to be a big movement (UK specifically) from governments using age gating as an excuse to increase surveillance and online tracking. I don't know where Roblox is based or its policies, but it's likely they are just implementing what the government has forced them to do.
We need to push back against governments that try and restrict the freedom of the internet and educate them on better regulations. Why can sites not dictate the content they provide, then let device providers provide optional parental controls?
Governments forcing companies to upload your passport/ID, upload pictures/videos of your face, is dangerous and we are going to see a huge increase of fraud and privacy breaches, all while reducing our freedoms and rights online.
I was getting a haircut last week and chatting about our kids with the stylist, who said (basically): "I just started letting my 7 year old on Roblox. I know it's full of pedophiles. I told him to come to me or his older brother if anyone tries to talk to him."
If the million reports of Mark Zuckerberg enabling pedophiles and scam artists haven't made it clear, the executives of these tech companies just don't care. They will sell children into sexual slavery if it improves next quarter's numbers.
I generally agree, but I also think that free access to hardcore pornography is disastrous for minors and this seems like it might prevent that (if better implemented, can’t believe stock photos work).
Age verification on mainstream porn sites does absolutely zilch against teenagers accessing porn. There are countless other ways of obtaining porn. Even DDG with the safety off will provide plenty of it.
How about that 38% of young women in the UK have experienced asphyxiation; combined with studies showing there is zero safe threshold without brain damage markers in the blood?
Before the widespread adoption of pornography, this rate was near 0%. Now we have literally a significant minority of women with permanent brain damage, induced from widespread pornography, unknown harms long-term, and studies already suggesting increased risk of random stroke decades afterwards.
> Before the widespread adoption of pornography, this rate was near 0%
Bullshit. Men and women have been dying of autoerotic asphyxiation long before the internet. And we only hear about the ones that fuck up badly enough to make the news.
I'm puzzled by this phenomenon myself, but there is apparently a significant minority of women who enjoy getting choked in bed:
This doesn't excuse people who choke without consent, but there's something going on here waaaay more complex than "see it in porn, do it". Humans are weird.
Nobody studying this issue, from the UK government to independent researchers to NGOs, says this anymore. PornHub in legal filings never uses this argument, but instead focuses on rights to expression rather than dispute the claim.
The causation is clear, documented, proven. Increased pornography exposure with dangerous behaviors, causes those dangerous behaviors to be repeated, even when participants are warned of the risk.
At this point, denial is like saying flat earth has merit.
> Before the widespread adoption of pornography, this rate was near 0%.
Big giant citation needed on that one. How would it ever have been near 0%?
First, I’d like to point out that we don’t make other media illegal or age gated with privacy-compromising tactics because it depicts harmful things. There’s no age verification gate for watching movies and TV that depict murder and other serious crimes.
Watching NFL football, boxing, and UFC fighting isn’t illegal even though those sports conclusively cause brain damage.
Pornography is singled out because it’s taboo and for no other reason. People won’t politically defend it because nobody can publicly admit that they like watching it.
Second, what I see missing from your links is a really solid studied link to an increase in choking injuries directly caused by changes in pornography trends and viewership. Were these kinks just underreported in the past? Heck, I read 4 of your linked articles and none of them actually compared the rate of choking injury over time, they just sort of pointed it out as something that exists and jumped to blaming pornography.
I am perfectly willing to accept your hypothesis but I don’t think we’ve been anywhere near scientific enough about evaluating it, and even if that was the case, we don’t really treat pornography the same as other media just like I mentioned.
sorry but we're on the internet. You can type the literal words 'hardcore pornography' into any search engine of your choice and find about fifteen million bootleg porn sites hosted on some micro-nation that don't care about your age verification.
In fact ironically, this will almost certainly drive people to websites that host anything.
>If Google can guess your age, you may never even see an age verification screen. Your Google account is typically connected to your YouTube account, so if (like mine) your YouTube account is old enough to vote, you may not need to verify your Google account at all.
This has been proven false a bunch of times, at least if the 1000s of people complaining online about it are to be believed. My Google account is definitely old enough to vote, but I get the verification popup all the time on YouTube.
I think the truth is, they just want your face. The financial incentive is to get as much data as possible so they can hand it to 3rd parties. I don't believe for a second that these social networks aren't selling both the data and the meta data.
My Google account is more than 18 years old and I hit an age prompt when I was trying to watch some FPGA video (out of all things). So no, account age is not necessarily a factor.
I would have watched those at 10 if the internet was a thing when I was 13. I think most people here would have. (I may or may not have understood it, but I would have tried)
I agree they want the face data, but I think it's less clear they want to "hand it" (presumably that's really "sell it"?) to third parties. My sense is Google and Apple and Meta are amassing data for their own uses, but I haven't gotten the impression they're very interested in sharing it?
Sharing it is bad for business; selling insights derived from it for ad placement is the game. Faces definitely contain some useful information for that purpose.
you are correct. having that data is one of their competitive advantages, it makes no sense to sell it. they will collect as much as possible and monetize it through better ads, but they don't sell it
I haven't gotten it yet on my account from 2006. Maybe it matters whether it's a brand account? Maybe it matters whether the accounts actually are connected?
Honestly, it's probably already happening, but I would not be surprised if retail stores that check your ID also have cameras snapping your face and selling that to data brokers.
Anything you can imagine that is bad with privacy, figure what is occurring is far worse.
I wrote an April Fool's parody in 2021 that Google is going to get rid of authentication because they're following you around enough to know who you are anyway (modeling it after their No Captcha announcement[1]):
I just realized the parody also predicted that part (emphasis added):
>>In cases where our tracking cookies and other behavioral metrics can't confidently predict who someone is, we will prompt the user for additional information, increasing the number of security checkpoints to confirm who the user really is. For example, you might need to turn on your webcam or upload your operating system's recent logs to give a fuller picture.
I just got glasses yesterday and the optician needed to take a pic of my face to "make sure my glasses fit". The first thing I thought of was they are probably selling the data.
Agreed. They treat people as data points and cash cows. This is also one reason why I think Google needs to be disbanded completely. And the laws need to be returned back to The People; right now Trump is just the ultimate Mr. Corporation guy ever. Lo and behold, ICE reminds us of a certain merc-like group in a world war (and remember what Mussolini said about fascism: "Fascism should more appropriately be called Corporatism because it is a merger of state and corporate power." - of course in Italian, but I don't know the Italian sentence, only the English translation)
I’ve noticed that many people struggle to simply let things go. Take a hypothetical case where HN requires ID verification. I'd just stop using HN, even if that meant giving up checking tech news. Sometimes things end, and that's fine.
I used to watch good soccer matches on public TV. When services like DAZN appeared, only one major match was available each weekend on public TV. Later, none were free to watch unless you subscribed to a private channel. I didn't want to do that, so I stopped watching soccer. Now I only follow big tournaments like the World Cup, which still air on public TV (once every 4 years).
> I’ve noticed that many people struggle to simply let things go
Because it's not always about their entertainment. I know churches that post info about events only on WhatsApp groups, if you don't use it - you're screwed. I know kindergartens which use Facebook Messenger groups to send announcements to their parents' children - if you don't use it, you will miss important info.
For most people, letting go such things is very impractical. One can try to persuade for a better way to do something - but then you become the problem.
Funny, I'm the opposite. Since information wants to be free, and storage/compute get more affordable every year, then really everything ever posted on the web should be mirrored somewhere, like Neocities.
I grew up in the 80s when office software and desktop publishing were popular. Arguably MS Access, FileMaker and HyperCard were more advanced in some ways than anything today. There was a feeling of self-reliance before the internet that seems to have been lost. To me, there appears to be very little actual logic in most websites, apps and even games. They're all about surveillance capitalism now.
Now that AI is here, I hope that hobbyists begin openly copying websites and apps. All of them. Use them as templates and to automate building integration tests. Whatever ranking algorithm that HN uses, or at least the part(s) they haven't disclosed, should be straightforward to reverse engineer from the data.
That plants a little seed in the back of every oligopoly's psyche that ensh@ttification is no longer an option.
I have never clicked "accept" on a cookie banner, as a matter of principle; I zap them away with uBlock Origin. Should the plague of age verification reach my jurisdiction, I'm sure I will handle it in like fashion.
I expect I'll need to employ some other technical means of circumvention, but the principle of refusing to engage with the thing on its own terms will remain the same.
These things are integrated into the authentication systems of these services. They aren't implemented client side. Refusing to engage with them means you cannot use the service.
The difference is that the cookie banner is not a gate. uBlock Origin is unlikely to be able to satisfy a website about your age without submitting the info that the site expects. (Assuming the age check has any teeth at all.) You're unlikely to be able to continue as usual if these kinds of measures become ubiquitous.
The days are numbered on this technique working. After enough countries enact their own age verification laws tech companies will just make that the global default policy, and I'm sure the opportunity to harvest user data will not be left to waste. Many sites already block and throttle VPNs.
When that day comes I'll stop casually using the internet or search for the underground alternative.
Not especially feasible if you want to support businesses. More likely is trying to demand that VPNs also enforce age verification, which business-targeted VPNs might do, and then ban the ones that don't.
Everyone seems to forget that using VPNs to violate your local laws gives lots of good ammo to the authoritarians that want to ban VPNs. The answer isn't to use a VPN to get around it (and thus give fodder to your enemies) but to change the law.
OpenAI uses AI to scan your ChatGPT conversations to determine your age. And even though I've been using ChatGPT for mostly work-related stuff, it has identified me, a man in my 40s, as under 18 and demanded government ID to prove my age. No thank you.
My main concern is that there isn't a reliable way to know your information is securely stored[0].
> A few years ago, I received a letter in the mail addressed to my then-toddler. It was from a company I had never heard of. Apparently, there had been a breach and some customer information had been stolen. They offered a year of credit monitoring and other services. I had to read through every single word in that barrage of text to find out that this was a subcontractor with the hospital where my kids were born. So my kid's information was stolen before he could talk. Interestingly, they didn't send any letter about his twin brother. I'm pretty sure his name was right there next to his brother's in the database.
> Here was a company that I had no interaction with, that I had never done business with, that somehow managed to lose our private information to criminals. That's the problem with online identity. If I upload my ID online for verification, it has to go through the wires. Once it reaches someone else's server, I can never get it back, and I have no control over what they do with it.
All those parties are copying and transferring your information, and it's only a matter of time before it leaks.
Honestly that main concern should be two main concerns.
You/your kid/your wife goes to hàckernews.com and is prompted for age verification again, evidently the other information has expired based on the message. So they submit their details. Oops, that was typosquatting and now who the hell knows who has your information. Good luck.
This makes me wonder if there's a business case for a privacy-preserving identity service which does age verification. Say you have a strong identity provider that you have proven your age to. Just as the 3rd party site could use SSO login from your identity provider, perhaps the identity provider could provide signed evidence to the 3rd party site that asserts "I have verified that this person is age X" but not divulge their identity. Sidestep the privacy issue and just give the 3rd party site what they need to shield them from liability.
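The signed-assertion idea in the comment above, sketched as an added example (not part of the thread and not any provider's real protocol). The token layout, the function names and the `https://game.example` origin are assumptions; the token carries a yes/no claim bound to one site and one nonce, with no user identifier.

```javascript
// Added example, not from the thread. Names and token layout are hypothetical.
const crypto = require('node:crypto');

// Identity provider (IdP) signing key; relying sites hold only the public half.
const idp = crypto.generateKeyPairSync('ed25519');

// IdP side: the user proved their age to the IdP earlier, out of band.
// The token states "age is at least `threshold`" and nothing else about the
// person: no name, birthdate, account id or photo.
function issueAgeAttestation(privateKey, req) {
  const { verifiedAge, threshold, audience, nonce, now } = req;
  if (verifiedAge < threshold) return null; // never sign a false claim
  const payload = Buffer.from(JSON.stringify({
    claim: 'age_over', threshold,
    aud: audience,          // binds the token to one site
    nonce,                  // binds it to one request from that site
    iat: now, exp: now + 120, // seconds; short-lived on purpose
  }));
  const sig = crypto.sign(null, payload, privateKey); // Ed25519: digest arg is null
  return `${payload.toString('base64url')}.${sig.toString('base64url')}`;
}

// Relying site side: learns only whether the claim holds.
function makeRelyingSite(idpPublicKey, origin, requiredAge) {
  const outstanding = new Set(); // nonces handed out and not yet redeemed
  const fail = (reason) => ({ ok: false, reason });
  return {
    newNonce() {
      const n = crypto.randomBytes(16).toString('base64url');
      outstanding.add(n);
      return n;
    },
    verify(token, now) {
      const parts = String(token).split('.');
      if (parts.length !== 2) return fail('malformed');
      const payload = Buffer.from(parts[0], 'base64url');
      const sig = Buffer.from(parts[1], 'base64url');
      // Check the signature over the exact bytes before parsing anything.
      let sigOk = false;
      try { sigOk = crypto.verify(null, payload, idpPublicKey, sig); } catch { sigOk = false; }
      if (!sigOk) return fail('bad signature');
      let c;
      try { c = JSON.parse(payload.toString('utf8')); } catch { return fail('malformed'); }
      if (!c || c.claim !== 'age_over' || !(c.threshold >= requiredAge)) return fail('claim too weak');
      if (c.aud !== origin) return fail('wrong audience');
      if (!(now >= c.iat && now < c.exp)) return fail('expired');
      // Single use: a copied or shared token cannot be redeemed twice.
      if (!outstanding.delete(c.nonce)) return fail('replayed or unknown nonce');
      return { ok: true, threshold: c.threshold };
    },
  };
}

// Constructed walk-through of the accept path and the failure modes.
function demo() {
  const NOW = 1700000000; // constructed clock value, in seconds
  const site = makeRelyingSite(idp.publicKey, 'https://game.example', 18);
  const ask = (age, audience = 'https://game.example') =>
    issueAgeAttestation(idp.privateKey, {
      verifiedAge: age, threshold: 18, audience, nonce: site.newNonce(), now: NOW,
    });

  const good = ask(34);
  const [p, s] = good.split('.');
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  // Swap in a fresh nonce but keep the old signature: must fail verification.
  const forged = Buffer.from(JSON.stringify({ ...claims, nonce: site.newNonce() }))
    .toString('base64url') + '.' + s;

  return {
    fields: Object.keys(claims).sort(),
    first: site.verify(good, NOW + 5),
    replay: site.verify(good, NOW + 6),
    forged: site.verify(forged, NOW + 5),
    otherSite: site.verify(ask(34, 'https://other.example'), NOW + 5),
    stale: site.verify(ask(34), NOW + 500),
    minor: ask(12),
  };
}

// Limits of this sketch: the IdP sees `aud`, so it learns which site asked,
// and the documents used to prove age still sit with the IdP.
console.log(demo());
```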
I’ve been noodling on this idea for a while but I think getting commercial acceptance would be hard. People have tried it with crypto albeit with lukewarm results. I think to have the network effects required to be successful in such an endeavor, it would have to come from a vendor like Apple or Google unfortunately.
You kind of want an mTLS for the masses with a chain of trust that makes sense.
The article does go into this and gives lip service to the idea that a secure third party could expose age without exposing identity. Ultimately, there's still the problem that even if point of verification can be done in a zero trust way, you are still entrusting very sensitive information to a third party which is subject to data breach.
The question is: why would services like Google and others want to use such privacy-preserving identity solutions? They wouldn't gain anything from a non-invasive, user-friendly system, so I don't think they'd use it. They want more data, so they are going for it.
If my options are upload a picture of myself for Google to monetize through ads or not use Google / YouTube then I will be moving on regardless of the inconvenience to myself.
There were some amusing headlines a while back about Discord's verification being fooled with game screenshots. Does anyone know if that's still the case?
The ones I have used do not accept photos, they require real-time video with the front-facing camera and they prompt you to move your head to face different directions on command. Not impossible to attack, I'm certain, but it's tougher than simply uploading a photo.
On desktops you can have a virtual camera, if you can generate video fast enough with AI you can ask to edit it according to instructions. Definitely tougher but I'm sure someone will offer services or software like that.
> Even though there’s no way to implement mandated age gates in a way that fully protects speech and privacy rights
I think the EFF would have more success spreading their message if they didn't outright lie in their blog posts. While cryptographic digital ID schemes have their problems (which they address below), they do fully protect privacy rights. So do extremely simple systems like selling age-verification scratchcards in grocery stores, with the same age restrictions as cigarettes or alcohol.
Basically every government on the planet has laws that apply specifically to children. The term "age discrimination" typically refers to disadvantaging someone for being of old age.
Is there a throwaway identity that people are using? A dead person unchecked in Mississippi somewhere? Like every teen in America using the same identity like everyone's extended family does with their uncle's Netflix account?
I don't want to google it because I don't want to be put on a list but I also feel somewhat confident that this is being done. Apparently, HN feels safe to ask questions like that for me.
> I don't want to google it because I don't want to be put on a list
Of all the controversial things out there we've become afraid to even google in order to learn more about the world around us, this one strikes me as not all that controversial.
But you're not wrong, just making a comment about how sad the world has become.
Actually, a follow up. PII leaks are so common, I guess there must be millions of identities out there up for grabs. This makes me wonder: we’ve got various jurisdictions where sites are legally required to verify the age of users. And everybody (including the people running these sites) knows that tons of identities are out there on the internet waiting to be used.
How does a site do due diligence in this context? I guess just asking for a scan of somebody’s easily fabricated ID shouldn’t be sufficient legal cover…
It would probably flag that multiple people are using the same photo or same person's name/ID, but I expect you could get away with using someone known to you. iirc the reason people are using game screenshots is because it's not going to match any image that the recogniser has seen before.
Use tor for the things you don't want to google and have associated with you.
Netflix has been checking accounts against public IP addresses and local networks for ages, at least in The Netherlands. If I use my Dad's account, I get flagged as being "not on the same home network" immediately.
I think that using a VPN and Netflix detecting that would only make matters worse, like termination of service.
I gave up on Netflix years ago for unrelated reasons but never had any sort of issue both VPNing between various countries and traveling between them. My wife would pretty regularly want to watch Netflix as if she was in Japan or the UK and so we'd turn a VPN on for the TV network and their own TV app never complained at all that it was suddenly on a different continent.
Last time I tried I could find a photo ID just with a basic image search. It is an unavoidable consequence of teaching people that scanning an ID is not utterly insane.
Ironically there was no way to report the image anonymously to the service hosting it.
Why can't the EFF tell people to lie? Because if you can get away with it, lying is almost always your best option. Unless there are actual real world consequences to lying like you may anger the police.
I'd imagine it is because several of the obvious options for "lying" here may violate criminal law. And also because the EFF is a civil liberties advocacy group, they want to change the law, not circumvent it.
I’m sorry to say that a number of US states have instituted age verification laws over the past year
Aka, morality laws mostly.
I think the way Roblox is doing it right now, separating the users into age groups, just makes it easier for predators to find victims.
I generally agree, but I also think that free access to hardcore pornography is disastrous for minors and this seems like it might prevent that (if better implemented, can’t believe stock photos work).
Age verification on mainstream porn sites does absolutely zilch against teenagers accessing porn. There are countless other ways of obtaining porn. Even DDG with the safety off will provide plenty of it.
>it might prevent that
On the global internet... good luck with that.
Oh, they'll ban us from looking at other countries' nets soon enough for our safety.
What evidence led you to believe this, when controlling for heritability?
How about that 38% of young women in the UK have experienced asphyxiation; combined with studies showing there is zero safe threshold without brain damage markers in the blood?
https://www.bbc.com/news/articles/c62zwy0nex0o
https://www.theguardian.com/society/2025/nov/18/sexually-act...
https://wecantconsenttothis.uk/blog/2020/12/21/the-horrifyin...
https://www.nytimes.com/2024/04/12/opinion/choking-teen-sex-...
https://www.psychologytoday.com/us/blog/consciously-creating...
https://www.itleftnomarks.com.au/wp-content/uploads/2024/07/...
Before the widespread adoption of pornography, this rate was near 0%. Now we have literally a significant minority of women with permanent brain damage, induced from widespread pornography, unknown harms long-term, and studies already suggesting increased risk of random stroke decades afterwards.
> combined with studies showing there is zero safe threshold without brain damage markers in the blood?
Are you saying that there's zero safe threshold of choking, or for viewing porn?
(To be clear, choking someone without consent is assault and unacceptable, whether a blood test shows damage or not.)
A. There is zero safe threshold for choking.
B. Choking is inherently, obviously, dangerous.
C. Pornography has caused choking behaviors among youth to go from negligible to over 38%.
D. Brain damage is measurable in anyone who has been choked.
E. As such, pornography does, in fact, have blame for encouraging this kind of experimentation.
F. If "fighting words" and "misinformation" shouldn't be free speech, who is to say pornography does not incite risk, when other things can?
> Before the widespread adoption of pornography, this rate was near 0%
Bullshit. Men and women have been dying of autoerotic asphyxiation long before the internet. And we only hear about the ones that fuck up badly enough to make the news.
I'm puzzled by this phenomenon myself, but there is apparently a significant minority of women who enjoy getting choked in bed:
https://link.springer.com/article/10.1007/s13178-025-01247-9
This doesn't excuse people who choke without consent, but there's something going on here waaaay more complex than "see it in porn, do it". Humans are weird.
Nobody is saying that nobody did this before. We are saying now that it is a health crisis, objectively.
You're the guy saying that 110 MPH speed limits can't be responsible for crashes because people also died at 20 MPH.
I'm trying to find the contact for the does-not-imply-causation dept but I think I lost my slashdot account in 2004.
Nobody studying this issue, from the UK government to independent researchers to NGOs, says this anymore. PornHub in legal filings never uses this argument, but instead focuses on rights to expression rather than dispute the claim.
The causation is clear, documented, proven. Increased pornography exposure with dangerous behaviors, causes those dangerous behaviors to be repeated, even when participants are warned of the risk.
At this point, denial is like saying flat earth has merit.
>and this seems like it might prevent that
sorry but we're on the internet. You can type the literal words 'hardcore pornography' into any search engine of your choice and find about fifteen million bootleg porn sites hosted on some micro-nation that don't care about your age verification.
In fact ironically, this will almost certainly drive people to websites that host anything.
My Google account is more than 18 years old and I hit an age prompt when I was trying to watch some FPGA video (out of all things). So no, account age is not necessarily a factor.
They probably need to account for parents allowing kids to use their account, so account age can be a factor but not an automatic pass.
Field programmable gatorade is an adult-only beverage.
That makes sense. Golf has a minimum age of 35.
Did you hear they are letting kids play pickleball these days! How scandalous.
Can't allow any underage synthesis.
Yeah, they could/*should* infer your age just by the fact you're watching an FPGA video
I would have watched those at 10 if the internet was a thing when I was 13. I think most people here would have. (I may or may not have understood it, but I would have tried)
I agree they want the face data, but I think it's less clear they want to "hand it" (presumably that's really "sell it"?) to third parties. My sense is Google and Apple and Meta are amassing data for their own uses, but I haven't gotten the impression they're very interested in sharing it?
Sharing it is bad for business; selling insights derived from it for ad placement is the game. Faces definitely contain some useful information for that purpose.
They’ll do whatever makes money.
Sell it and use it internally.
you are correct. having that data is one of their competitive advantages, it makes no sense to sell it. they will collect as much as possible and monetize it through better ads, but they don't sell it
I haven't gotten it yet on my account from 2006. Maybe it matters whether it's a brand account? Maybe it matters whether the accounts actually are connected?
well as long as it's you logging in, they know you are minimum 20 years old!
They definitely already have your face though…
The more examples in various situations they can get, the higher their accuracy.
From where? Not everyone even puts selfies on the Internet.
Honestly, it's probably already happening, but I would not be surprised if retail stores that check your ID also have cameras snapping your face and selling that to data brokers.
Anything you can imagine that is bad with privacy, figure what is occurring is far worse.
I wrote an April Fool's parody in 2021 that Google is going to get rid of authentication because they're following you around enough to know who you are anyway (modeling it after their No Captcha announcement[1]):
http://blog.tyrannyofthemouse.com/2021/04/leaked-google-init...
Edit:
>I think the truth is, they just want your face.
I just realized the parody also predicted that part (emphasis added):
>>In cases where our tracking cookies and other behavioral metrics can't confidently predict who someone is, we will prompt the user for additional information, increasing the number of security checkpoints to confirm who the user really is. For example, you might need to turn on your webcam or upload your operating system's recent logs to give a fuller picture.
[1] https://security.googleblog.com/2014/12/are-you-robot-introd...
I just got glasses yesterday and the optician needed to take a pic of my face to "make sure my glasses fit". The first thing I thought of was they are probably selling the data.
just say no thank you, i will manage like everyone else has for decades.
else you and your money go elsewhere.
> I think the truth is, they just want your face.
Agreed. They treat people as data points and cash cows. This is also one reason why I think Google needs to be disbanded completely. And the laws need to be returned back to The People; right now Trump is just the ultimate Mr. Corporation guy ever. Lo and behold, ICE reminds us of a certain merc-like group in a world war (and remember what Mussolini said about fascism: "Fascism should more appropriately be called Corporatism because it is a merger of state and corporate power." - of course in Italian, but I don't know the Italian sentence, only the English translation)
I’ve noticed that many people struggle to simply let things go. Take a hypothetical case where HN requires ID verification. I'd just stop using HN, even if that meant giving up checking tech news. Sometimes things end, and that's fine.
I used to watch good soccer matches on public TV. When services like DAZN appeared, only one major match was available each weekend on public TV. Later, none were free to watch unless you subscribed to a private channel. I didn't want to do that, so I stopped watching soccer. Now I only follow big tournaments like the World Cup, which still air on public TV (once every 4 years).
Sometimes you just have to let things go
> I’ve noticed that many people struggle to simply let things go
Because it's not always about their entertainment. I know churches that post info about events only on WhatsApp groups, if you don't use it - you're screwed. I know kindergartens which use Facebook Messenger groups to send announcements to their parents' children - if you don't use it, you will miss important info.
For most people, letting go of such things is very impractical. One can try to persuade for a better way to do something - but then you become the problem.
Funny, I'm the opposite. Since information wants to be free, and storage/compute get more affordable every year, then really everything ever posted on the web should be mirrored somewhere, like Neocities.
I grew up in the 80s when office software and desktop publishing were popular. Arguably MS Access, FileMaker and HyperCard were more advanced in some ways than anything today. There was a feeling of self-reliance before the internet that seems to have been lost. To me, there appears to be very little actual logic in most websites, apps and even games. They're all about surveillance capitalism now.
Now that AI is here, I hope that hobbyists begin openly copying websites and apps. All of them. Use them as templates and to automate building integration tests. Whatever ranking algorithm that HN uses, or at least the part(s) they haven't disclosed, should be straightforward to reverse engineer from the data.
That plants a little seed in the back of every oligopoly's psyche that ensh@ttification is no longer an option.
I have never clicked "accept" on a cookie banner, as a matter of principle; I zap them away with uBlock Origin. Should the plague of age verification reach my jurisdiction, I'm sure I will handle it in like fashion.
Zapping only works if the site lets you continue/pull content without verification.
I expect I'll need to employ some other technical means of circumvention, but the principle of refusing to engage with the thing on its own terms will remain the same.
These things are integrated into the authentication systems of these services. They aren't implemented client side. Refusing to engage with them means you cannot use the service.
Then it wasn't meant to be. Let it go.
Fun and games until your government makes getting access to the internet at all work that way.
The problem there is when it's inescapable, on every site.
The difference is that the cookie banner is not a gate. uBlock Origin is unlikely to be able to satisfy a website about your age without submitting the info that the site expects. (Assuming the age check has any teeth at all.) You're unlikely to be able to continue as usual if these kinds of measures become ubiquitous.
ignoring the banner is the same as agreeing to all the opt-out "legitimate interest" shit
I'm surprised that the EFF does not highlight the best option, here: use a VPN to a jurisdiction that doesn't have such ridiculous laws.
It might be bad for an activist group to advocate just ignoring the problem into a different jurisdiction.
They could sell it as "if your IP geolocation is inaccurate, or if the statute does not apply to you."
But FWIW VPNs can get flagged for suspicious behavior. YMMV
"Give up" is not the best option. Certainly not from the EFF's perspective.
In many cases, using a VPN is a great way to get your account flagged as suspicious.
The days are numbered on this technique working. After enough countries enact their own age verification laws tech companies will just make that the global default policy, and I'm sure the opportunity to harvest user data will not be left to waste. Many sites already block and throttle VPNs.
When that day comes I'll stop casually using the internet or search for the underground alternative.
I think EFF does not recommend for or against VPN in general because it's not always a clear win, depending on the VPN and the use case.
https://ssd.eff.org/module/choosing-vpn-thats-right-you
Next step: the same government that is demanding the age verification will ban VPNs.
I doubt this would be workable.
They could, sadly, however, make it a crime to bypass things like The Online Safety Bill. Downloading or using Tor, for example.
At that point, the only sane option is to become a criminal.
Not especially feasible if you want to support businesses. More likely is trying to demand that VPNs also enforce age verification, which business-targeted VPNs might do, and then ban the ones that don't.
Everyone seems to forget that using VPNs to violate your local laws gives lots of good ammo to the authoritarians that want to ban VPNs. The answer isn't to use a VPN to get around it (and thus give fodder to your enemies) but to change the law.
While I agree with this in spirit, here in the UK both major parties along with the public at large generally support these types of laws.
OpenAI uses AI to scan your ChatGPT conversations to determine your age. And even though I've been using ChatGPT for mostly work-related stuff, it has identified me, a man in my 40s, as under 18 and demanded government ID to prove my age. No thank you.
My main concern is that there isn't a reliable way to know your information is securely stored[0].
> A few years ago, I received a letter in the mail addressed to my then-toddler. It was from a company I had never heard of. Apparently, there had been a breach and some customer information had been stolen. They offered a year of credit monitoring and other services. I had to read through every single word in that barrage of text to find out that this was a subcontractor with the hospital where my kids were born. So my kid's information was stolen before he could talk. Interestingly, they didn't send any letter about his twin brother. I'm pretty sure his name was right there next to his brother's in the database.
> Here was a company that I had no interaction with, that I had never done business with, that somehow managed to lose our private information to criminals. That's the problem with online identity. If I upload my ID online for verification, it has to go through the wires. Once it reaches someone else's server, I can never get it back, and I have no control over what they do with it.
All those parties are copying and transferring your information, and it's only a matter of time before it leaks.
[0]: https://idiallo.com/blog/your-id-online-and-offline
Honestly that main concern should be two main concerns.
You/your kid/your wife goes to hàckernews.com and is prompted for age verification again, evidently the other information has expired based on the message. So they submit their details. Oops, that was typosquatting and now who the hell knows has your information. Good luck.
This makes me wonder if there's a business case for a privacy-preserving identity service which does age verification. Say you have a strong identity provider that you have proven your age to. Just as the 3rd party site could use SSO login from your identity provider, perhaps the identity provider could provide signed evidence to the 3rd party site that asserts "I have verified that this person is age X" but not divulge their identity. Sidestep the privacy issue and just give the 3rd party site what they need to shield them from liability.
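As an added illustration of the signed age assertion described in the comment above (not part of the original post and not any provider's real API), here is a minimal sketch of both sides. The function names, claim fields, `site-a.example` hosts and the choice of Ed25519 are assumptions made for the example.

```javascript
// Added illustration; not code from any real identity provider.
const crypto = require('node:crypto');

// Constructed IdP key pair. A real provider would publish the public key.
const idpKeys = crypto.generateKeyPairSync('ed25519');

const b64url = (buf) => Buffer.from(buf).toString('base64url');
const reject = (reason) => ({ ok: false, reason });

// IdP side: the token carries an age threshold and nothing that identifies the user.
// aud binds it to one site, nonce to one session, exp to a short time window.
function issueAgeAttestation(privateKey, { audience, nonce, minAge, now = Date.now() }) {
  const claims = { age_over: minAge, aud: audience, nonce, exp: now + 5 * 60 * 1000 };
  const payload = Buffer.from(JSON.stringify(claims));
  const signature = crypto.sign(null, payload, privateKey); // Ed25519 takes no digest name
  return `${b64url(payload)}.${b64url(signature)}`;
}

// Relying-site side: check the signature first, then every binding.
function verifyAgeAttestation(publicKey, token, { audience, nonce, requiredAge, now = Date.now() }) {
  const parts = String(token).split('.');
  if (parts.length !== 2) return reject('malformed');
  const payload = Buffer.from(parts[0], 'base64url');
  const signature = Buffer.from(parts[1], 'base64url');
  let valid = false;
  try {
    valid = crypto.verify(null, payload, publicKey, signature);
  } catch {
    valid = false;
  }
  if (!valid) return reject('bad signature');
  let claims;
  try {
    claims = JSON.parse(payload.toString('utf8'));
  } catch {
    return reject('malformed');
  }
  if (claims.aud !== audience) return reject('wrong audience');
  if (claims.nonce !== nonce) return reject('nonce mismatch');
  if (typeof claims.exp !== 'number' || now > claims.exp) return reject('expired');
  if (typeof claims.age_over !== 'number' || claims.age_over < requiredAge) {
    return reject('age not attested');
  }
  return { ok: true, claims };
}

// Constructed walk-through: site A asks for 18+, then the same token is shown to site B.
function demo() {
  const nonce = crypto.randomBytes(16).toString('hex');
  const token = issueAgeAttestation(idpKeys.privateKey, {
    audience: 'https://site-a.example', nonce, minAge: 18,
  });
  const atSiteA = verifyAgeAttestation(idpKeys.publicKey, token, {
    audience: 'https://site-a.example', nonce, requiredAge: 18,
  });
  const atSiteB = verifyAgeAttestation(idpKeys.publicKey, token, {
    audience: 'https://site-b.example', nonce, requiredAge: 18,
  });
  return { atSiteA, atSiteB };
}
```

In this sketch the provider still sees the `aud` value, so it learns which site asked; hiding that from the provider needs a different design.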
I’ve been noodling on this idea for a while but I think getting commercial acceptance would be hard. People have tried it with crypto albeit with lukewarm results. I think to have the network effects required to be successful in such an endeavor, it would have to come from a vendor like apple or google unfortunately.
You kind of want an mTLS for the masses with a chain of trust that makes sense.
This is how Swiss e-ID was proposed to work: https://www.eid.admin.ch/en
The article does go into this and gives lip service to the idea that a secure third party could expose age without exposing identity. Ultimately, there's still the problem that even if point of verification can be done in a zero trust way, you are still entrusting very sensitive information to a third party which is subject to data breach.
The question is: why would services like Google and others want to use such privacy-preserving identity solutions? They wouldn't gain anything from a non-invasive, user-friendly system, so I don't think they'd use it. They want more data, so they are going for it.
I was thinking someone like Auth0 might want to offer it. They are not in the business of invasive user tracking but are in the business of trust.
If my options are upload a picture of myself for Google to monetize through ads or not use Google / Youtube then I will be moving on regardless of the inconvenience to myself.
I thought the article was about finding a job when you reach a certain age, which is my problem.
Switch VPN region or upload a random picture generated by AI, problem solved.
There were some amusing headlines a while back about Discord's verification being fooled with game screenshots. Does anyone know if that's still the case?
saw a recent screenshot of someone doing it yesterday, so I think it still is a thing.
How well does the selfie test detect AI-generated photos? That seems easy to bypass, especially if you copy the metadata over from a real photo.
The ones I have used do not accept photos, they require real-time video with the front-facing camera and they prompt you to move your head to face different directions on command. Not impossible to attack, I'm certain, but it's tougher than simply uploading a photo.
On desktops you can have a virtual camera; if you can generate video fast enough with AI you can ask it to edit it according to instructions. Definitely tougher but I'm sure someone will offer services or software like that.
Face scan: download and install Garry's Mod.
> Even though there’s no way to implement mandated age gates in a way that fully protects speech and privacy rights
I think the EFF would have more success spreading their message if they didn't outright lie in their blog posts. While cryptographic digital ID schemes have their problems (which they address below), they do fully protect privacy rights. So do extremely simple systems like selling age-verification scratchcards in grocery stores, with the same age restrictions as cigarettes or alcohol.
States need to stop sniffing for age really. This is age discrimination.
Basically every government on the planet has laws that apply specifically to children. The term "age discrimination" typically refers to disadvantaging someone for being of old age.
>should I continue to use this service if I have to verify my age?
Simple answer, never accept this. If everyone selected "cancel" you can be sure these sites will stop age banning, they want $ more than anything else.
If a site asks me one question about me, I stop using it.
Is there a throwaway identity that people are using? A dead person unchecked in Mississippi somewhere? Like every teen in America using the same identity like everyone's extended family does with their uncle's Netflix account?
I don't want to google it because I don't want to be put on a list but I also feel somewhat confident that this is being done. Apparently, HN feels safe to ask questions like that for me.
> I don't want to google it because I don't want to be put on a list
Of all the controversial things out there we've become afraid to even google in order to learn more about the world around us, this one strikes me as not all that controversial.
But you're not wrong, just making a comment about how sad the world has become.
That’s an interesting question.
Actually, a follow up. PII leaks are so common, I guess there must be millions of identities out there up for grabs. This makes me wonder: we’ve got various jurisdictions where sites are legally required to verify the age of users. And everybody (including the people running these sites) knows that tons of identities are out there on the internet waiting to be used.
How does a site do due diligence in this context? I guess just asking for a scan of somebody’s easily fabricated ID shouldn’t be sufficient legal cover…
These ID laws typically require a solution to be "commercially practical" or similar. The standard is not "impenetrable and impossible to circumvent"
That's why some of them don't even ask for ID but just guess the age based on appearance. That's good enough per the law, usually.
It would probably flag that multiple people are using the same photo or same person's name/ID, but I expect you could get away with using someone known to you. IIRC the reason people are using game screenshots is because it's not going to match any image that the recogniser has seen before. Use Tor for the things you don't want to google and have associated with you.
Netflix has been checking accounts against public IP addresses and local networks for ages, at least in The Netherlands. If I use my Dad's account, I get flagged as being "not on the same home network" immediately. I think that using a VPN and Netflix detecting that would only make matters worse, like termination of service.
I gave up on netflix years ago for unrelated reasons but never had any sort of issue both VPNing between various countries and traveling between them. My wife would pretty regularly want to watch netflix as if she was in Japan or the UK and so we'd turn a VPN on for the TV network and their own TV app never complained at all that it was suddenly on a different continent.
Last time I tried I could find a photo ID just with a basic image search. It is an unavoidable consequence of teaching people that scanning an ID is not utterly insane.
Ironically there was no way to report the image anonymously to the service hosting it.
Why can't the EFF tell people to lie? Because if you can get away with it, lying is almost always your best option. Unless there are actual real world consequences to lying like you may anger the police.
And maybe consider using a VPN.
I'd imagine it is because several of the obvious options for "lying" here may violate criminal law. And also because the EFF is a civil liberties advocacy group, they want to change the law, not circumvent it.
For real. This should be an article about circumvention, not compliance.
That's not EFF's job, just ask your kids how they circumvent age gates for that :)
What a piss poor article.
"We disagree with age gates but our recommendation is to comply". Fuck this.
I think that age verification is important. While it's not perfect, it is one tool to help protect kids.
Against what? How much struggle and pain are we actually seeing in the world because children have unrestricted internet access?
Call your ISP and ban any NSFW/NSFL access by DNS, both in your children's phones and your home connection. Problem solved.
This does not work, browsers like Firefox don't even always use the system DNS by default.