315 comments

[ 0.19 ms ] story [ 437 ms ] thread
Anyone here recommend a VPN, for personal information safety and security rather than hiding porn?
Tor Project.
The tor network is really not built for streaming and you slow it down for everyone else when you do.
GP didn't mention streaming.
A VPN so you can hide your IP address and whatnot? Mullvad.
How are these two use cases different? Are there vpn services that let you do one and not the other?
Presumably GP's fear is that there are a lot of VPN providers, and they all claim to offer security, etc (or if you google for a "$VPN_provider_name review" there'll be dozen of shill sites saying how secure this particular VPN provider is, click here to get a discount using our referral code), so it all feels like shady business.

For bypassing Sharia-state firewalls like Texas', any VPN provider should be good enough, but GP is asking for recommendations for providers who can be trusted to ensure privacy.

Mullvad is the best, but last I saw, they had to disable port forwarding due to bad actors ruining it for everyone else.

https://news.ycombinator.com/item?id=36113215

They also work with Tailscale which makes per-device setup easier: https://mullvad.net/en/blog/tailscale-has-partnered-with-mul.... Tailscale was using a bit too much of my iPhone battery last I tried it out, but they're at least aware of it.

After mullvad disabled port forwarding, I switched to AirVPN and it works fine. I trust it slightly less than Mullvad but I'm avoiding copyright trolls, not three letter agencies.
I've been using AirVPN for a few years now, seems fairly trustworthy so far.
Not to sound snarky, because this is a genuine question, but what does that even mean? Unless you’ve been brazenly selling child porn over the VPN and been getting away with it for years, I don’t really know how you would establish a VPN is trustworthy vs you just haven’t been targeted for your minor torrenting, or whatever.
Well, it's been operating for a while now without any major outages, no issues with torrents, exposes way more "techie" features than any other VPN I've used (customizable port forwarding, dynamic dns and customizable subdomain names on those ports, different device profiles, customizable dns filtering lists, all sorts of stat graphs for their various nodes, script generators for openvpn which allow choosing all sorts of protocol related details) works fine for bypassing region locks on the obscure music sites I care about and they've been completely fine with an anonymous Monero payment (well, as anonymous as you can be to what is effectively your ISP).

They have a good record of responding to various restrictive legislation around the world (eg pulling out of Italy after they passed an overly broad 'anti-piracy' law) and also haven't had any open scandals. That's about as good as I can really expect considering that I'm mostly just not interested in my local ISP knowing what I'm up to, and am not doing anything hugely illegal or pirating at a large scale.

For reference, the VPN I used before then offered no real controls besides a limited country selection and a randomly assigned port forward. It was bought up by a company owned by a guy known for running scams, after which I switched out. Now having seen all the customization I was missing out on, I can't really go back to a simpler VPN.

(Tailscalar here) I identified a big chunk of the background drain on iPhone recently, and so drain just for being on in the background is much reduced now. There’s still more to do, and we still end up with accounting for dns if you force dns via us, but things are much improved.
Fantastic news on that battery work. (Also the third party app beta!)

Our iOS users also report random delays turning it on, sometimes half a minute to connect. Sometimes full restarts are needed before connect.

And random ask -- could you enable a toggle for video conferencing to stay outside the tailnet? Teams, Zoom, WebEx, etc... You'd have to take on maintaining the IP lists, so users didn't have to. (This can be done today with features you have, but most users and even IT admins don't realize that.)

ProtonVPN is easy for split tunneling on my Androidish device. Linux requires a little CLI configuration.
I wish they had just disabled TCP port forwarding. Based on the description of bad actors it sounds like that would have been enough, and at least torrent clients would have continued to work.
What are you trying to protect yourself from?
If the need is for passively visiting a few handful of websites a week, I would recommend tor browsers. Takes a bit work to learn when to refresh routes, and how to handle websites that blocks public vpns, but easy to get started with. Pretty good when visiting websites that deal with medical information since tracing data from those are exceptional valuable to data brokers.

If it is for more regular use or if the occasionally slowness/vpn blocking is too much, I would likely pick mullvad but I have not used their services. They do seem to spend some money on pro-privacy activism, so that is at least a point in their favor.

iCloud private relay
To those skeptical, it’s the only VPN / proxy like service you can use without frequently getting blocked trying to use online banking and stripe merchants. Captchas are less common than with Mullvad too.

It’s not for every use case, but it’s helpful for me.

Can private relay be used by torrent clients? Or is it Safari only?
I use VPN for bypassing blocks created either by government of the country I currently live in or established as a sanctions by another governments.

I set up wireguard and unbound on VPS in Amsterdam and share with 10-15 people by posting wireguard config in private telegram channel.

Ironically enough, but I block porn access using StevenBlack hosts converted into Unbound config by awk script, so porhhub dot com will return REFUSE dns response from unbound.

I know, that is not impressive idea of how to utilize computing power of the VPS, but I also used it for running tor snowflake (disabled because of eating too much ram), running tor obfs4_proxy (would also eat much ram, but that can be adjusted, I don't remember clearly why I disabled it at one point) and I used it as a server for Postgres that I tried to use for uni's coursework on databases.

Maybe I am too lazy to setup tools like zapret for bypassing deep packet inspection locally on my laptop or on router. But still there should be a ton of things that can be done on the same vps.

PIA
Note that PIA constantly triggers captchas, even for basic google searches. And not the easy captchas; multi-step "no, you're wrong" ones. Can't speak to the prevalence of this with other services.
They are usually equally suitable for both. Are you asking for a friend?
The best VPN provider is one you control and is hard to ban.

I set up an OpenVPN server on DigitalOcean for a friend visiting China. It took 10 minutes with the template in the DO marketplace.

It even allows downloading a client with the parameters baked in.

I've been using Windscribe for several years and have no problem at all with them.
I rather enjoy using a pVPN (personal VPN) by just setting up wireguard on my server.
Why not just AWS EC2? That's probably where most of these commercial VPNs are hosted anyway, just with an additional cost on top.
Hardening societal infra-structure against democratic governments collapsing back into autocracies. Good times.
Porn is not a liberating force. It's like being mad at the government for making it hard for you to smoke cigarettes.
Cigarette causes lung cancer and a bunch of other things.
Especially also for bystanders. Porn is consumed mostly privately.
Right, but also porn is often a commercial engine for tech innovation (even if indirectly, as in this case), which in turn can be leveraged as a liberating force.
Porn also doesn't give you cancer. It's pretty transparent that the restrictions on it originate from hyper-religiosity and conservatism, rather than some genuine concern about public health.
Liberating force is a bit too far but it’s not the demon people seem to think. It’s about all things in moderation. Porn = dopamine. Fast food = sugars/fructose and the ilk. SM = dopamine. Loot boxes = dopamine. Ad nauseam…
Can I get a socially approved amount of porn then?

Would there be porn rations?

Just like other addictive things (sugar, caffeine, video games, gambling), the "socially approved amount" is determined by a given individual's own limits on what they can consume while remaining a functioning member of society.
Some where in between not talking about it with your mom and dad but chopping it up with a friend briefly about whatever models is so attractive and had a great scene on whatever website
s/cigarettes/weed/ and watch how many people suddenly get angry.

The problem is the government telling people what to do, period.

It is a canary in the coal mine litmus test for if you live in a free society or not.

It is absolutely a liberating force.

It's uniquely liberating right now since over half of all free/open sourced AI models have an NSFW or unaligned focus (nearly the majority in the diffusion model world).

Without the power of Waifus/booru websites ran by hentai aficionados, a solid amount of the generative AI revolution in the context of text to image models simply would not have happened.

People would be mad at the government for the exact same reason if they made selling cigarettes illegal.
Have you ever made your own porn? Very liberating.
Have you ever tried abstaining? You'll find you're not as liberated as you thought.
How very Christian. We're all "slaves to sin" and "idols" where "sin and idols" just means "anything people like doing", because it's hard to stop doing something you like.
It means anything that destroys and leads to misery. Hopefully you see that someday.
How very droll and condescending of you. The Golden Rule is to treat others how you'd like to be treated, so I can assume you want to be treated in a droll and condescending matter in turn, so allow me to oblige:

A: What is sin?

B: Anything that destroys and leads to misery.

A: Do X or Y actually destroy or lead to misery, or is it moral panic, pseudoscience, misery more caused by socially enforced guilt caused by the belief that X or Y is bad, some combination of the above?

[B and A engage in an interminable discussion, and eventually B's Heritage Foundation links are exhausted]

A: it doesn't seem clear that any of these things "destroy" anything, or inherently cause misery.

B: Well X or Y must be bad, because they're sin, so they seem gross and bad to me. There must be hidden detriments that scientists are unwilling to admit, or just haven't gotten around to proving yet. Just wait, when you grow up you'll think just like me.

A: maybe.

There will be plenty of time to abstain from sex when I'm dead.
”democratic governments collapsing back into autocracies”

I feel this statement in my bones.

We have one side making all the laws, the other side doing away with laws, both of them acting solely for political points.

No one in the middle is “radical” enough (by definition) to push back. Hard to see how that doesn’t end in major conflict with a single winner, as you say.

But the kids!
gp means they're accidentally getting people used to using VPNs etc by poorly implementing bans on popular things.
Usenet, DDL, and torrenting are alternatives too. I wonder if Cloudflare's free VPN would bypass state based blocking.
Surely it's overkill to pay for a whole month of constant vpn use. You could cook something up that provides access for a short session aaand we've circled back to dialers.
It's <$5 per month. The economics start to be more about the general cost of managing transactions, accounts, and customer service than about paying for how much VPN you actually use.
Yep, a $5/mo Mullvad subscription pays for itself several times over if you snag even just a few movies or one cracked Adobe tool every year.
4 or 8tb storage isn’t even that much these days. You could torrent thousands of gb of porn and just store it until later. Heck if you lived somewhere that was getting really stupid and cracking down you could even sell cheap dvds with porn in a weird black market. The world gets dumber by the day
A lot of VPN plans have a traffic limit instead although a free VPN with no traffic limit is really cheap tbh
> experts told PopSci platforms also oppose the laws because they don’t want to be responsible for collecting and maintaining torrents of sensitive users’ data that could pose a ripe target for cybercriminals.

Good thing these laws specifically ban them from storing that information that they don't want to store.

The implication here is so strange. Kids generally don't have a way to buy VPN services (I suppose they could mail cash to mullvad), so mission accomplished?

> Some of the anti-porn laws, like the one enacted in Utah, already possess language explicitly prohibiting online platforms from letting minors “change or bypass restrictions on access.”

That's a social media law, not a porn law, and it's about parental controls that the parent set up on an account that's been marked as a child account (so only the parent account can modify controls on the child account: duh!).

Absolutely garbage article. Didn't even link to the actual laws. And people complain that no one will pay for "journalism" like this.

Well they can learn to use tor but most likely they’ll get sucked into shady free VPN services and suffer worse.
No way you’re streaming anything via Tor
I used to leave porn downloading overnight over 56k in the mid 90s. They’ll just have to get a little more organised about it.
I used to leave porn downloading overnight over 56k in the mid 90s.

Literal, delayed gratification.

It's not uncommon to be able to get a few MBps via Tor. The latency tends to be crap, but once everything is set up it can go pretty fast.
Well, try it before making bold claims :)
> Good thing these laws specifically ban them from storing that information that they don't want to store.

Well... companies. They don't ban government agencies from retaining that data if they get access to it. But ignore that and assume for a second that they do.

The problem is that the laws kind of contradict themselves: "don't collect information that compromises privacy" and also "do this in a way that basically could only work if you collect information that compromises privacy."

Most of the bills I've read ban companies from saving this data, but require them to collect it presumably in some way that's auditable? They also provide no real mechanisms for guaranteeing that data won't be stored or will be transmitted securely between services. In Louisiana's bill (https://legis.la.gov/legis/ViewDocument.aspx?d=1289498) there is no penalty for retaining data other than that users can sue for "damages". But historically, proving damages from retained data tends to be difficult to do.

Of course the laws do not clarify how age verification is supposed to work under these restrictions, just that documents will be verified somehow: Texas's "example" of age verification explicitly refers to digital identification as information "stored on a digital network" (https://capitol.texas.gov/tlodocs/88R/billtext/pdf/HB01181F....). But sure, also make sure you don't store anything! /s

Presumably this all means that the information should be stored and transmitted until identification is done and then immediately deleted leaving no record of that identification other than that it happened (which hopefully will be sufficient evidence if the government ever accuses you of using a faulty verification method). But eventual deletion doesn't mean the information isn't still getting temporarily stored or that it's not passing between multiple hands, any of which could have rogue employees or leaks, or which could be storing "anonymized" data that turns out to later-on be identifiable.

----

One might argue that since the majority of these laws are proposed and backed by anti-porn organizations, the contradictions might kind of be advantageous to the goals of the backers -- if the law is functionally impossible to comply with and companies are forced to leave the state, well... that's exactly what these groups want anyway. Texas's AG is up-front about being pleased that porn companies are blocking the state. And despite the regular claim that this isn't about restricting porn generally, the vast majority of these bills have ties to religiously conservative groups that have public positions that porn should be banned for everyone.

But that's all besides the point: the point is it's just outright false to say that these laws don't require at least the transmission and collection of this data -- they just tack on "don't store it for too long, delete it afterwards." But that doesn't really mean anything: regular identity transmission over the web carries security and privacy risks even if companies could be trusted to reliably delete this data -- which in many cases, they can't. Advocates of these bills ignore that security researchers have an issue with collection and transmission of sensitive data in addition to storage, and so advocates point to narrow, non-specific language about long-term retention as if that solves all of the issues. It doesn't.

And to the extent that these laws include any real teeth like actual fines for data leakage, they don't really explain how companies can safely avoid those fines while still proving ...

Why would they need to be auditable? That's not in any of the laws I've read, and in fact as you note, the law makes that impossible. If the law contradicts a requirement that you made up, and does not itself contain that requirement, then why would you presume that it has that requirement?

There's literally no reason to have e.g. a knowledge based auth or signed id request hit disk. It doesn't need to be saved for a "short time". It doesn't need to be saved on permanent storage at all.

"Let's assume for a moment that the law says the opposite of what it actually says". But it doesn't.

It's easy for the government to investigate whether you check IDs: open the site and see if you request ID information. Present fake info and see if you accept it. Just like they do in person.

> If the law contradicts a requirement that you made up, and does not itself contain that requirement, then why would you presume that it has that requirement?

First off, always good to be clear that there are multiple laws here, even if many of them are templates of each other; there's not "the law". Secondly, this is hiding behind ambiguity in many of these laws' language; it's easy to claim that a law doesn't specifically require that companies retain information about their efforts, but I guarantee you in any court case about this, requests for that information would come up.

It is painfully naive to assume that any company would feel safe implementing a legally required system that does not provide them with any evidence to prove that their system works or has worked in the past. The ambiguity about what many of these bills mean when they call for a "reasonable method" of identity verification is exactly the kind of contradicting language that I'm talking about above. "We didn't ask you to do X, we just put you in a situation where not doing X would be extremely dangerous."

I would argue that a State going to a company and saying, "do something 'reasonable'" with no legal guarantee or precedent about what will and won't be reasonable, and then additionally adding restrictions that make it practically impossible for any existing ID verification system online that I'm aware of to fit that requirement -- I would argue that is tantamount to an attempt to ban porn. It's a system that can't really be safely complied with. Of course companies being able to provide documentation and evidence of their prior verifications is a practical requirement for them operating in that kind of environment.

> There's literally no reason to have e.g. a knowledge based auth or signed id request hit disk. It doesn't need to be saved for a "short time". It doesn't need to be saved on permanent storage at all.

I don't see any indication in the laws I've read that this would be sufficient; where are you getting this idea from? In fact (I'll remind you), Texas's law explicitly refers to digital identification as something that gets stored and accessed as proof of identity. The bill's own language does not support the idea that identification would be completely transient and instantaneous.

So it is completely reasonable for critics to question these requirements given that nothing in the law would prevent the government from making a case that completely transient identification is insufficient. And even if it was sufficient, from a purely technical perspective it is not clear to me how this magically transient identification would work. Information transmitted between parties gets stored, that's how this stuff works -- what ID verification system are you imagining that can happen instantaneously without referencing any stored information and without any information leaving RAM? I'm not aware of one.

> "Let's assume for a moment that the law says the opposite of what it actually says". But it doesn't.

What? Every single law I referenced requires the transmission of this data and explicitly suggests sharing it with 3rd-party verification services. That's not me reading into the laws, it's just fact.

> It's easy for the government to investigate whether you check IDs: open the site and see if you request ID information. Present fake info and see if you accept it.

What system for instant ID verification that does not rely on storing or accessing stored, indexed information about an identity works like this? How do you propose that sites detect fake info without referencing that info against stored identifying information? Because advocates for these laws keep on saying this is easy and then describing systems that as far as I can tell, do not exist.

-----

I'm accommodating a little bit of a rabbit h...

Sure, there are multiple laws. The ones I've read all seem similar enough to me on the points people bring up.

Identity verification is not that mysterious. If these sites are afraid to do it themselves, there are turnkey vendors for that, which e.g. banks or docusign use. All the laws I've read say sites can use third party verification services. The Utah law specifically mentions

> verification through an independent, third-party age verification service that compares the personal information entered by the individual who is seeking access to the material that is available from a commercially available database, or aggregate of databases, that is regularly used by government agencies and businesses for the purpose of age and identity verification;

i.e. KBA, which is already a thing. These companies already know facts about everyone. You claim you're person X. They ask you to tell them a fact they already know. They check your answer against their database. They don't need to store anything you tell them. I'm sure they can tweak their service to only tell the requesting site you are over 18 and not keep any records. These services know how to deal with a highly regulated environment.

The Utah law also allows the user to present a "data file from a state agency or an authorized agent of a state agency that contains all of the data elements visible on the face and back of a license or identification card and displays the current status of the license or identification card."

No need for the site to save anything. Just check the signature and age.

I don't see what makes porn sites unique vs. any other e-commerce business that requires customers to identify themselves wrt. security. Typically those actually store and sell your info.

Also many grocery stores do scan IDs when you hand them to the cashier. Who knows what they're doing with that info. Wouldn't surprise me if they retain and sell it.

> Sure, there are multiple laws. The ones I've read all seem similar enough to me on the points people bring up.

The laws are template laws, but do occasionally differ in important ways. You've mentioned before that Texas includes a financial penalty for retaining user IDs beyond verification. You didn't mention that Texas is pretty much the only state that does this, and the majority of the other bills only allow for suing for harm and attorney's fees. Harm can be difficult to prove for information retention, and these provisions rely on individual action for enforcement.

You mention later in this comment that Utah includes provisions for ID-only verification. You don't mention that Utah is (as far as I can tell) one of the only states that offers this kind of detail, most merely mentioning that "government identification" could be used for verification.

These things matter. When we treat these bills as a single unit, we run the risk of building a composite bill that theoretically addresses every concern, even though that composite bill doesn't actually exist anywhere.

----

> Identity verification is not that mysterious.

Agreed. Do you believe that the security professionals who are intimately familiar with identity verification services and who know how the current services work are just... lying? Like, what do you think is happening here? This is not something complicated where there are a bunch of debates about how ID verification can work, we know how the ID verification services today work. And security professionals are saying there's a security risk.

Does the Texas AG know something that they don't? Is there some secret new ID verification system that only lawmakers know about? Like you say, this isn't that mysterious, ID verification online exposes users to privacy and security risks. It's straightforward, this is a known risk.

The fact is, there are no identity verification services I'm aware of that I think are secure enough enough to use for this level of transaction -- and every 3rd-party ID service I'm aware of works by retaining and accessing stored information about users.

The people talking about the security risks know how existing identity verification services work. They're not that complicated. They work by collecting and transmitting and cross-referencing personally identifying data, and that process is vulnerable to attack and data misuse.

----

> i.e. KBA, which is already a thing. These companies already know facts about everyone. You claim you're person X. They ask you to tell them a fact they already know. They check your answer against their database. They don't need to store anything you tell them.

Okay, are you listening to yourself?

> They check your answer against their database.

So personally identifying information is collected and stored. And that information is linked to requests to access potentially compromising or embarrassing material on a level of granularity where those requests, if intercepted, can be used to link personal identities back to those requests. By your own admission.

I don't know, you're agreeing with me and then saying "see, that means that data doesn't have to be stored." No, you just described data getting stored and held by a 3rd-party (notably, a set of 3rd-parties that have had historically awful security and have regularly been irresponsible with those databases) and then cross-referenced with individual access requests in a way that would necessarily require personally identifying to these data brokers which individuals were interacting with which companies.

Sure, those services don't need to store your newly uploaded ID -- they already have it! But what comfort is that? They still have the ID either way. You are describing a system that can only exist by hoovering up and retaining huge amounts of data on individuals, and you're advocating that this system should be expanded.

And...

I don't think security professionals are lying. I think "security professional" is a meaningless descriptor like "thought leader" that one applies to themselves, and they shouldn't be given any specific credibility.

At the end of the day, I agree we should have stronger data protection and retention regulations, federally even. That's an orthogonal issue to whether adult services online should require some validation that the customer is an adult. It's not the first solution I'd reach for (I'd prefer requiring metadata to make client filtering easier), but the more I think about it, the more reasonable it seems. No one throws a fit when instacart scans your ID for alcohol orders. Buying a gun online has even more stringent requirements where you need to go visit an FFL to pick up. Likewise in my area, marijuana is legal (modulo federal illegality), but delivery is not; you basically can't buy it online.

I don't see why porn is special here. The law has always banned distribution to minors before the web existed. By default, sites (commercial ones at the very least) should be criminally liable for breaking the law if they distribute to minors, just like in-person stores are. They should be proposing systems that they believe are reasonable to meet their obligation, but they are not. Instead, they've gone from at least requiring credit cards to... absolutely nothing. They've frankly brought this on themselves.

The obvious elephant in the room to me is that none of this would even be controversial if sites hadn't moved to an ad-supported model. If you're paying for it, of course they need to know who you are for billing. Again, the more I think about it, the more reasonable it seems to me that if you're going to have that business model, then fine, but you need to at least do the checks you would've otherwise done during billing.

So perhaps the issue is

> sites that they don't have business relationships with

Is simply not a good model. If a business doesn't want to establish itself as credible to its customers such that they can trust it to professionally handle their information, then maybe they shouldn't be in an adult restricted industry where they need to handle that information. If they don't want to handle that information, perhaps they can propose a system where they don't need to (I've commented elsewhere on HN[0] about an oauth-like system where the government could provide age gate tokens without knowing who the token is being issued to or even if the age required is over 18 or over 21. It's not that complicated. Why do we have no one in these industries making such a proposal to lawmakers? They've had 30 years to do it.).

[0] https://news.ycombinator.com/item?id=39183486

https://news.ycombinator.com/item?id=39191568

> I don't think security professionals are lying. I think "security professional" is a meaningless descriptor like "thought leader" that one applies to themselves

You don't believe that people who study security for a living might know more about it? Certainly software security experts should be given more credibility about software security than politicians should be given. I'm not sure I've ever run into the view before that security research is a pseudoscience.

> At the end of the day, I agree we should have stronger data protection and retention regulations, federally even. That's an orthogonal issue to whether adult services online should require some validation that the customer is an adult.

In what way is that orthogonal? The lack of data protection and retention regulations is a big part of why this stuff is dangerous. This is a little silly, you agree that the existing standards and services are not sufficient, but you don't think that's relevant to whether or not their use should be massively expanded under the direction of the government?

Of course it's relevant.

----

> No one throws a fit when instacart scans your ID for alcohol orders. Buying a gun online has even more stringent requirements where you need to go visit an FFL to pick up.

I already talked about this, not all of these sites are transactional. Also, note that porn is tied into normal political and social speech in a way that it could never be fully transactional and commercial without restricting a large portion of that speech.

Also, people do throw a fit about data privacy and about at the very least improving security for ID verification. To your point:

> I don't see why porn is special here.

It's not. These debates happen in other areas too; attempts to clamp down on hate speech, propaganda, to restrict information flow across state lines, to track copyright violations, to access E2EE messaging, etc, etc. What you're seeing is completely normal consumer advocacy for privacy, security, and free speech, but because the US is so conditioned to think that porn is some kind of special category, advocacy that probably wouldn't make you blink in other situations feels weird to you now. You may not be aware about debates in other areas of customer tracking, but even with that lack of awareness porn jumps out and you are aware of that specific debate... because everyone thinks porn is some special category.

Data scientists and security experts ruining a legislator's day by pointing out that the systems they imagine actually have huge security holes is normal. It only feels different to you because this time it's about porn.

----

> They should be proposing systems that they believe are reasonable to meet their obligation, but they are not.

So here's an interesting thing to research: they are. Every single one of these sites labels content in a way that it could be intercepted and blocked at the router layer or by parental controls on devices. They all self-identify, even in areas where they're not legally required to.

If you think that porn companies are sitting around and doing nothing, you really have not done much research in this space. They have made plenty of proposals about how to make filtering easier, but states have largely ignored those proposals because:

A) they would require pushing companies like Apple to develop competent parental controls, and that doesn't poll as well among Conservative voters,

B) the majority of these laws have backing from explicitly anti-porn advocacy groups who do not want parental controls, they want to ban porn.

----

> The obvious elephant in the room to me is that none of this would even be controversial if sites hadn't moved to an ad-supported model.

I would advise doing more research on this, there are controversies about this kind of ID requirement even for purely transactional data because it does expose people to privacy risks. I wi...

They're orthogonal issues because you can address one, the other, neither, or both totally independently. We can have very strict data protection laws and also have strict id checking for regulated industries.

I'm well aware of RTA labels. I've pointed them out on similar threads. They're also not ideal (given that they're basically "yes/no" which will necessarily lead to arguments about what should be classified), but like I said, I'm inclined to prefer that kind of approach. Something like mandate commercial sites and commercial browsers (which is every major one) to implement it or something like it, with criminal liability for commercial porn sites that fail to do so.

That said, not all sites do implement it. e.g. reddit and redgifs do not, and reddit also hosts forums specifically targeted at children. Those two sites are very high traffic and are completely negligent here. Also, content can't be blocked at the router level if it's using TLS, which of course almost all of these sites do (you could potentially do SNI sniffing against a host blacklist, but even that will go away with ECH). Perhaps the "evil bit" could be used for that purpose at the IP layer so it works with TLS.

Generally, the more I think about it, it does seem "reasonable" to just say businesses dealing in adult restricted materials are liable for determining their customer is an adult (to a standard that a reasonable person would believe), and websites are not an exception unless it was e.g. a defacement. Let them figure out how to do it, and if the government can collect evidence that they failed to do so, they can charge them with distribution to minors. The sites can come up with their own system according to their risk tolerance. Basically, just raise (or introduce) the bar for negligence.

Alcohol distributors don't seem to have a problem doing this. Perhaps porn distributors can ask them for help.

> They're orthogonal issues because you can address one [...] independently. We can have very strict data protection laws and also have strict id checking for regulated industries.

We can not have secure ID checking without data protection laws. They're not orthogonal. This is the same conversation that comes up every time the government tries to mandate secure backdoors into encryption. You can't massively expand usage of an insecure technology and when it's pointed out that the current technology is insecure say, "well that's a separate issue, we don't have to worry about that right now." It's not a separate issue, you're massively expanding a technology that is currently insecure, just own it.

> I'm well aware of RTA labels.

Then why did you claim that porn industries weren't doing anything? I mean, I'm trying to be charitable here, it would be very reasonable for you not to be aware of those efforts, most people aren't aware of them. But you're saying you were?

You're telling me that when you said:

> They should be proposing systems that they believe are reasonable to meet their obligation, but they are not. Instead, they've gone from at least requiring credit cards to... absolutely nothing.

You knew that this was false -- like literally just straight-up wrong? When you commented that porn industries had 30 years to propose government ID systems to avoid handling this data themselves and hadn't... you knew that porn industries had actually proposed and lobbied for government ID systems?

So why did you say otherwise?

> They're also not ideal (given that they're basically "yes/no"

Come on, this is obviously not an issue for you because if it was, you wouldn't be supporting the current bills, which all implement binary "yes/no" classifications. We could debate whether or not broad classifications that refuse to distinguish between types of porn are good or bad, but you are currently arguing in favor of a binary classification for the purposes of liability, so I don't think that discussion would be a good use of time. Obviously you're OK with binary classification for age-verification, so this is not a real objection.

> reddit and redgifs do not

It's not clear that Reddit is liable under all of the laws proposed. Reddit hasn't pulled out of any of these states or added ID checks. Your argument against the proposal of labeling is a site who's content isn't addressed under the proposed laws.

Also, if you don't like that Reddit doesn't currently use the unlegislated standard... legislate it. Pornhub isn't lobbying to block labeling laws. You can require Reddit to use a labeling standard.

> Also content can't be blocked at the router level if it's using TLS

My sibling in Christ, you proposed blocking sites and VPNs at the router level. This was your solution to foreign porn sites that aren't covered by these laws. Now suddenly that's not sufficient?

Regardless, we use per-page metadata all over the place on platforms like iOS and Android to enable functionality based on page contents -- from device support to PWA indicators. There is no reason why these platforms can't work those same indicators into content blocking tools. And the presence of headers on landing pages for sites like Pornhub can be used at the network level to block these sites entirely, which again... you proposed doing!

Blocking per-page content is just a bonus, the current bills don't address that concern. It's a mark of the superiority of labeling that it allows a level of granularity that current bills don't.

> Alcohol distributors don't seem to have a problem doing this.

I'll repeat, porn isn't always transactional and porn is rolled into normal political and social speech in a way that prevents making it purely transactio...

You can of course have secure id checking without data protection laws: the companies doing the check can just not store information about the check, regardless of whether they are required to delete it. As long as they are not required to retain it, which I have not seen anywhere, they certainly can choose not to. Here though, the laws I've looked at all specify that they must not retain it. They could have higher penalties, but they already explicitly forbid it.

Like I said several times and have said in other similar threads, I'm inclined to think RTA headers are a "better" approach. Currently they're not consistently implemented on either end (e.g. Firefox doesn't support them, sites I mentioned don't send them), but it'd be a quick win to mandate that in commercial contexts, which would include Firefox.

But you don't have to look far to find people who think the filtering problem is entirely intractable (they're in this thread). I think it's worth trying the metadata approach more with commercial mandates to implement something along those lines. I can see why people could argue that's been tried enough (filters have existed for over 20 years, and access for children is still easy), and they need something more. It's not clear that they're even wrong, though I'd like to see us try still. But the more I consider it, it really doesn't seem like that big of a deal to just do ID checks. Presumably you'd do it once to establish an account that's above the age limit. Not the end of the world.

Maybe I'm wrong about these sites' lobbying efforts. Maybe most of them have been posting on their front page big banners asking people to tell their representatives to support mandatory metadata processing/filter enablement laws. I sort of doubt it, but it could be. I do know that some major sites (e.g. reddit) don't implement the metadata or any other controls.

It's not clear what the "percent of content" in these laws means, but when I looked at dumps last year, reddit looked to be ~40% porn by posts (obviously not if you consider comments to be content for counting). It is (or was, as of last year, if dumps are accurate) pretty close to being more porn than not. Certainly for a discussion about how porn sites behave, they are a major porn site with millions of users, and they do exactly nothing to turn away minors (in fact they obviously target them) or segregate the site.

I pointed out elsewhere that routers can block common VPN protocols (e.g. ipsec or wireguard). Of course they can do almost nothing to block something going over TLS:443, and soon they won't be able to do SNI sniffing either. So network filtering of sites is not possible anymore unless they stop using TLS.

Anyway, my point about worrying about data collection and retention is that people should worry about it to the same extent they do with eBay or some small shopify-based site. They should worry about it! But they shouldn't specifically worry about porn sites. And the laws here seem to all ban retention, which is good. Perhaps they could have higher penalties, but they do ban it. Generally e-commerce sites don't have retention regulations.

It's not clear to me how governments would get any records to retain, but sure they should disallow it.

3rd parties already store data that can be used for verification. I don't see KYC laws being undone anytime soon. There's no need to record any information about a verification occurring. I'm sure companies offering KYC services who are already used to operating in regulated environments can deal with not retaining submitted information.

I don't really understand your point about "transactional" relationships. If you have a business providing a service, they can follow relevant laws for their industry. If total wine decided to place an unmonitored "free beer" keg out front where childre...

> the companies doing the check can just not store information about the check, regardless of whether they are required to delete it.

Seriously? By that logic the bills themselves are orthogonal to porn, since sites can just institute ID requirements without being required to do it. There are no 3rd-party ID services that have good privacy handling or refuse to retain information. And in the absence of government-sponsored alternatives (which companies have asked for) this is a de-facto requirement to use 3rd-party ID services that put customer data at risk.

> Here though, the laws I've looked at all specify that they must not retain it. They could have higher penalties, but they already explicitly forbid it.

False. I already covered this:

> many of the laws have limited liability and recourse for data collection, and most only target retention of ID information, not aggregate data collection about users' browsing habits. Additionally, none of the laws limit government collection of data.

----

> I can see why people could argue that's been tried enough (filters have existed for over 20 years, and access for children is still easy)

People can argue a lot of stuff, that doesn't make any of it correct. If someone argues we've tried mandating labeling for online porn and legislating parental controls... we haven't. They're wrong. They can argue it if they want, but they're arguing fiction.

----

> Maybe I'm wrong about these sites' lobbying efforts. Maybe most of them have been posting on their front page big banners asking people to tell their representatives to support mandatory metadata processing/filter enablement laws.

Pornhub has in fact literally placed large banners in certain states lobbying about this topic and asking customers to go to their representatives and get involved. I've never seen a response from the company to any porn bill in which they don't put forward the idea of device-based filtering. They are constantly qualifying their responses with stuff like "of course, we also want to keep kids safe, so that's why we support local filtering and labeling laws".

It is strictly inaccurate to claim that these bills are the result of inaction from porn companies, or that porn companies have not proposed alternatives. You claimed that these companies had done nothing; but in reality they literally built a standard for the government. And pushed for government ID verification too as an alternative to 3rd-party services! :)

----

> It's not clear what the "percent of content" in these laws means

ie, the laws are over-ambiguous and don't clarify liability to an acceptable degree. A lot of things aren't clear in these laws. It's not clear what "reasonable" means. It's not clear what "damages" are for data retention. It's not clear what "retention" means in these laws!

They're badly written laws.

> Certainly for a discussion about how porn sites behave, they [Reddit] are a major porn site with millions of users, and they do exactly nothing to turn away minors (in fact they obviously target them) or segregate the site.

Multiple of these laws have taken effect in states already. Reddit requires an ID in none of those states. No politician I'm aware of has talked about suing Reddit. If you have a problem with Reddit's handling of porn, these bills aren't doing anything about it.

Because of course they aren't, no AG is going to be so foolish as to try and force an ID requirement in order to view Reddit posts. But you know what would allow blocking porn on Reddit? Labeling requirements.

You want to know who else isn't covered by these laws? Non-commercial sites -- because placing these kinds of restrictions on non-commercial hobby sites would be far more likely to raise 1st Amendment questions (not that the laws as they exist don't already raise 1st...

Where exactly have they put forward a proposal? I checked on pornhub's FAQ and Press section, and on their parent company Aylo's site. I see nothing. What is the proposal they have? That we put some liability on sites and browser/OS vendors to implement RTA headers? Including non-commercial (e.g. FOSS) distributors? That seems like a much larger abridgement on speech, and without it, you could trivially work around the filter by e.g. running Konqueror off a flash drive.

As far as I know RTA headers date back to IE6, and have gone mostly unimplemented (neither Firefox nor Chromium have any parental control options in their settings). It's actually hard to find any information about it. I only know about it from trying to find out how the old IE parental controls dialog was supposed to work. It's almost entirely undocumented anywhere.

This article[0] claims pornhub is in favor of mandating age verification, but at the "device level" whatever that means (likely it doesn't mean anything).

So what's been proposed? To which lawmakers have they presented these proposals? Have they just gone completely ignored? Where are their press releases urging people get their solution passed?

You said they placed large banners in certain states. Why not in all states? Or are they only placing banners after they've already had regulation passed against them?

The ruling from the 00s was based on technology at the time, and considered what seemed to be the least invasive way to feasibly do it. At that time, you could actually run a network-level filter. Conceivably your ISP could do it for you. That is almost impossible now, and will be completely impossible soon (except very coarse filters like geo-bans or protocol filters).

So your remaining options are (1) do nothing, (2) put requirements on companies/customers (and use geo-network filters for sites outside jurisdiction), or (3) put requirements on end-software/device providers (and porn companies). There is of course precedent for (3) (the V-Chip), but it's not even clear that that's less onerous than (2). Especially since in the meantime there's actually been an industry that's developed and can make id verification take a couple seconds. I can answer some questions without presenting any documents to satisfy bank KYC regulations; maybe some of the wording is overly vague but it seems existing commercial systems for id verification would fit the intent for "commercially reasonable" systems. As far as I understand, laws are supposed to be vague in the sense of saying things like "reasonable" in order to allow "reasonable" to change over time.

Note also that this new crop of laws seems to all be about commercial services. Mastodon, etc. are not in scope (unless your Mastodon instance is a commercial porn site). They also have the now-standard exceptions for things with literary/artistic/political/educational value. The "porn is speech" issue is tautologically handled by saying the laws only apply to the non-speech variety.

[0] https://www.cityweekly.net/utah/utahs-elected-leaders-push-n...

> Where exactly have they put forward a proposal?

Literally a banner ad in front of Utah users, the exact thing you asked for (https://kslnewsradio.com/2003298/adult-website-pornhub-block...):

> "Please contact your representatives before it is too late and demand device-based verification solutions that make the internet safer while also respecting your privacy."

This is silly. The language here could not be clearer. You asked for a banner ad, they literally put a banner ad up saying, "contact your representatives and ask for device-based verification." RTA headers are a completed standard for content filtering. The fact that they're not implemented widely is because they're not legislated and have never been legislated.

> So what's been proposed? To which lawmakers have they presented these proposals? Have they just gone completely ignored? Where are their press releases urging people get their solution passed?

Quite frankly, this was not hard to Google. From https://www.cnn.com/2023/06/07/tech/pornhub-age-verification...:

> The video’s release coincides with a previously unreported effort by Pornhub — and its private equity owners, Ethical Capital Partners (ECP) — to convince the world’s largest tech companies to intervene in the wider debate over age restrictions for digital porn and social media. [...] In recent weeks, ECP has lobbied Apple, Google and Microsoft to jointly develop a technological standard that might turn a user’s electronic device into the proof of age necessary to access restricted online content, according to Solomon Friedman, a partner at ECP. [...] One possible version of the idea, Friedman told CNN, would be for the tech companies to securely store a person’s age information on a device and for the operating system to provide websites requesting age verification with a yes-or-no answer on the owner’s behalf — allowing sites to block underage users without ever handling anyone’s personal information. [...] “We are willing to commit whatever resources are required to work proactively with those companies, with other technical service providers and as well with government,” Friedman said.

You are wrong. Porn companies are putting effort into this. You're moving goalposts for how much effort you think is fair, but what's wild is even with you moving those goalposts, you're still wrong.

What you're right about that we haven't seen much progress in this area. Why not? Well, from the same article:

> But it is far from clear the effort is succeeding. Friedman declined to say how, or even if, the companies have responded to Pornhub’s communications. Microsoft declined to comment for this story; Apple and Google didn’t respond to requests for comment. [...] Friedman characterized the discussions as being in “early stages,” though his other remarks implied the talks may be largely one-sided.

So companies reach out to tech companies and encourage law makers to pass laws, they're ignored, and then you come along and say "well, they should have said something". They did. They have been saying something. You came along and argued that these companies have said nothing. That there's been complete silence. You're wrong.

----

> That we put some liability on sites and browser/OS vendors to implement RTA headers? Including non-commercial (e.g. FOSS) distributors? That seems like a much larger abridgement on speech

Well... it's not. It's not completely absent 1st Amendment concerns, but it certainly has less of them. Liability on the level of distributors is a much clear...

So they put up a banner after these laws went into effect, only in states affected. My original point was where were their banners during the last 20 years? Obviously people have felt there's an issue. They did not put forward their idea. Other people did (even if it's a bad one). The article you posted also claims

> In recent weeks, ECP has lobbied Apple, Google and Microsoft

i.e they were not doing it until they found themselves being regulated.

Your quote indicates that device based age verification is not filtering:

> One possible version of the idea, Friedman told CNN, would be for the tech companies to securely store a person’s age information on a device and for the operating system to provide websites requesting age verification with a yes-or-no answer on the owner’s behalf

How you get that information is not specified. The rest of the article implies the idea is your phone would store your government id. What they're suggesting seems compatible with these laws. Their suggestion is even explicitly spelled out as acceptable in the Utah law. Utah seems to already have an app for the device side to handle the id. This site seems to be a demo of how to query it?

https://mdoc-reader-external.uc.r.appspot.com/

Like now I really don't understand what they're suggesting. They seem to be happy with what's being asked of them (at least in Utah and Louisiana)? Maybe they're still upset with Texas (though where they lack an existing system, they provide stronger privacy liability for a third party), but what's the issue with Utah?

Why are they starting discussions with Apple and Google to build it? Shouldn't they be integrating with the wallet provider who already has?

Are they upset that the timeline for integration was too short or the id app was missing part of the implementation? Why don't they complain about that if so?

My read at this point is that this is more an attempt at stalling tactic. They seem to suggest they're not even actually against mandatory age verification because at this point, it seems to have already been thought through and implemented in a privacy friendly, standardized way by at least two of these states.

On the tangent, most (all?) states have obscenity laws about giving e.g. porn to kids. Movie ratings are not mandatory because they are not obscenity without artistic merit. An R rated movie will be safe. A porn movie likely not. The government doesn't decide the artistic merit question; a jury does (it is a question of fact, not law).

Arizona where I grew up has a law specifically covering vending machines like Redbox, and says that if you did want to make a porn Redbox, you'd need to have a way to ensure the customer is an adult (e.g. a membership card or token that you buy with an id check). As far as I know no one's challenged it.

> So they put up a banner after these laws went into effect, only in states affected. My original point was where were their banners during the last 20 years?

No, your original point was, and I am literally quoting you here:

> They should be proposing systems that they believe are reasonable to meet their obligation, but they are not. Instead, they've gone from at least requiring credit cards to... absolutely nothing. They've frankly brought this on themselves.

This is categorically false. Not only are they proposing alternatives, not only have they only pulled out of states that do not offer a government ID system (even though it's offered criticism, Pornhub has not pulled out of Louisiana), they also proposed systems way before this legislation took effect -- like you said, RTA standard has been around for ages.

No, Pornhub has not preemptively lobbied for it to be legislated, but that is hardly unusual and hardly a cause for criticism; companies generally don't preemptively lobby for themselves to be legislated unless they're shooting for regulatory capture. Quite frankly, usually when companies lobby against regulation, they don't put forward alternatives. It's unusual that content companies are going this far out of their way to try and help solve the problem instead of just pointing out flaws with the government proposal.

----

> Like now I really don't understand what they're suggesting.

There are several ways of approaching this: one is to do age verification using a standardized system -- ideally that system would be standardized on a federal level. Where states have such a system, Pornhub hasn't pulled out. This is the least-good solution, but it is a solution that Pornhub in specific seems to be generally fine with.

A better way of approaching this is to do age verification using a standardized system that is purely device-bound -- ie, a system where a flag is set purely locally, possibly with one-time verification through a company like Apple or Google, and where requesting websites are sent no data other than a general "yes/no" byte alongside requests. This would be a considerably better system for privacy and security, and it is the ideal that Pornhub in particular is advocating for. One reason why this system would be better is because once verified, verification data would never need to be transmitted off-device at any point. It would also not run the same risks of training customers to upload ID information to arbitrary websites, which is a large phishing risk.

Pornhub's stance on this is weaker than my own. I would prefer for this to be handled entirely through filtering. In practice, the vast majority of parents can easily enter an age into a device when creating an account, and then any standardized age verification system could pull from that parental control with no need to ever expose sensitive ID information to even Apple/Google/Microsoft. Or, even better, parents could be given the option to be more granular with their filters, relying on devices to filter specific content and pages based on their own determinations about what their children can and can't see.

Pornhub also advocates for filtering solutions, but is comfortable with verification/blocking if there are systems in place that make that secure and private.

I don't know the specifics of Utah's digital ID system, but given that Pornhub hasn't pulled out of Louisiana, I would guess the reason they have pulled out of Utah is because they believe that Utah's system isn't secure enough or comprehensive enough to meet their needs. I can only guess what the reason would be -- whether it's a lack of desktop support, or whether the app transmits more data than Pornhub would like to receive, or some other critique. Maybe they will eventually adopt that system in Utah.

But the biggest critique Pornhub has around these laws is a defacto requirement to use 3rd-party ID systems ...

I suppose I conjugated my verbs poorly then; the poor agreement between "should be" and "have been" may have hinted at that, but conceded: I should have written that they "should have been".

Like I said it's quite difficult to find information about this stuff. I don't even know if RTA is what IE used. It's not clear that anyone notable ever implemented it. I don't see it referenced on bugzilla.mozilla.org. Mozilla came up with their own proposal (Prefer: safe) in 2014 and actually submitted it to IETF, and didn't reference the Rating header. Did anyone try to tell them about it? They had like a 30% market share at the time. I can't find any references to it on issues.chromium.org either. I don't see any discussions on chromium's developer mailing list archives. I don't see it on the Android archives. Did they bring it to a lawmaker? To any standards body? To anyone?

Did they even reach out to tech companies like they said?

The howto for android https://www.rtalabel.org/index.html?content=howtoandroid just says you need to agree to their terms, gives no instructions, and has... an ad for travel services. Is there even an android implementation? This seems to be representative of the effort here.

Anyway, my original point was that the whole discussion seems to be disingenuous. They say they want an on-device age verification, and they even said that specifically in response to Utah's law. But Utah explicitly allows that already.

The reporting sucks. They didn't link to the laws. Almost none of the articles about this even name the laws (e.g. SB 287) so you have to go searching for it. The reporters don't seem to bother to read the laws, even when they're only 2 pages long. That CNN article says Pornhub doesn't like Utah's law because they want on-device verification. Utah's law explicitly allows for that, and they already have a working system. It's in fact an ISO standard, and seems to have wide traction building among US states:

https://www.mdlconnection.com/implementation-tracker-map/

(Incidentally, that site seems to be exactly what it looks like when someone is actually advocating for a proposal)

Why don't the reporters ask for some clarification on what they don't like about the law? Or the system? On their face, their complaints seem to be silly.

It's also disingenuous to characterize KYC services as shady. Their main customers are banks, and they're going to undergo annual audits for SOC 2, ISO 27001, etc. because every bank requires that. Their entire business is legal compliance as a service. If the law says not to store your info, they wont.

Pornhub may not be used to people who think this way, but in the financial services sector where these vendors currently operate, compliance with the law is just an assumed baseline feature. It is entirely normal for customers to have their own security architects examine your architecture documents, have multi-month back-and-forths about how to ensure legal requirements will be met, and require annual third party audits and penetration tests of your system. A company I worked for had a system to help automate answering these kinds of questions because they come up constantly.

Service providers here also already have to deal with both retention requirements and non-retention requirements like CCPA, and figuring out which data has which requirements. Pornhub's use-case is less complicated.

They complain they don't want to store whatever info. But the laws don't say they need to, and in fact say they must not. If they need help, there are companies who sell exactly that service.

Why don't the reporters ask for clarification on wh...

> Like I said it's quite difficult to find information about this stuff.

Quite honestly, I don't think it is. I'm not an expert on this, I'm using the same search engines you're using. I'm able to find stuff online.

> I don't see it referenced on bugzilla.mozilla.org. Mozilla came up with their own proposal (Prefer: safe) in 2014 and actually submitted it to IETF, and didn't reference the Rating header. Did anyone try to tell them about it? They had like a 30% market share at the time. I can't find any references to it on issues.chromium.org either. I don't see any discussions on chromium's developer mailing list archives. I don't see it on the Android archives

This is a lot of critique that boils down to "browser makers and lawmakers didn't implement it." But porn companies are not in charge of browsers. I could ask the same question in the opposite direction -- lawmakers have literally entire teams of paid staff to research this stuff, they are literally required by law under strict scrutiny to research it... and like I said above, I'm able to find information when I search online. So why weren't they able to find anything?

I don't think this is an excuse, I don't think lawmakers need to babied about looking for potential solutions to bills when strict scrutiny is in play. Strict scrutiny does not say that the government should be narrow and specific and research alternatives unless nobody sent them an official proposal on letter paper in which case how were they to know, we can just do whatever, all rules are off. Strict scrutiny places an obligation on the government to do research.

----

> That CNN article says Pornhub doesn't like Utah's law because they want on-device verification. Utah's law explicitly allows for that, and they already have a working system. It's in fact an ISO standard, and seems to have wide traction building among US states:

Looking more at it, I will say that MDL looks reasonably interesting, there's stuff here that I like quite a bit. I will also say that it's not available on Windows, Mac, or Linux, and that it doesn't look like it will ever work via 3rd-party ROMs. But sure, other than that it looks promising. And maybe Pornhub will adopt it at some point, I do think this system looks like it would be an improvement over a lot of ID verification I'm forced to do for services with KYC rules. So I'm all for that.

I will also point out that it's not available in Texas. And we have talked about this, you can't treat these laws like they're some kind of composite whole where one state addressing a problem means the other states no longer have that problem. Okay, you think that Pornhub is being disingenuous about Utah? Fine. The original link at the top of this thread is about VPN usage surging in Texas, which does not implement an MDL standard.

----

> The reporting sucks. They didn't link to the laws. Almost none of the articles about this even name the laws (e.g. SB 287) so you have to go searching for it.

> [...] Why don't the reporters ask for clarification on what appear superficially to be contradictions?

This is not specific to these laws, all political reporting about bills has this problem. Every time that I want to find the original text of a bill that's being reported on by even mainstream sites, I have to search for it. Could it be better? Sure, I regularly advocate that reporters should link to bill text. Do reporters in most interviews tend to ask only softball questions (regardless of who they're interviewing)? Yes. Does that common problem get rid of criticisms of the bills? No, it doesn't.

----

> It's also disingenuous to characterize KYC services as shady. Their main customers are banks, and they're going to undergo annual audits for SOC 2, ISO 27001, etc. because every bank requires that.

I will 100% stand by my representation. Common KYC s...

Also it is extremely common in middle and high school to use VPNs to get around school network restrictions.
(comment deleted)
That must be a US thing, over here in Europe, most people just use hotspots (or cellular data) instead.

That was a thing even back in my day, when LTE availability was not a given and cellular packages were much less generous.

Tethering is idiot expensive in USA. Every provider will DPI and block it or throttle it. It's awful.
(comment deleted)
very easy to bypass simply by increasing TTL by 1
And what's the very easy way to do that?
Unless your phone is rooted, TTL mangling happens on the hotspot-using client devices.

Specific details depend on what that client device uses for an operating system, and this makes it impossible to neatly summarize.

But it can be done fairly easily with things like OpenWRT or Mikrotik's RouterOS, or a regular stand-alone Linux box, and IIRC it's a simple one-liner on a Windows machine.

Because it can't be easily summarized, Google is your friend here. Generally, you want the TTL of all packets leaving the client (router, tablet, laptop, or whatever) to be set to 65 -- which is one more than the Android default of 64.

That's all the information you need to know to Google up instructions that work with your particular devices.

(I may or may not keep a Mikrotik-based hotspot-abuser in my work truck as a problem solver.)

Ok that does seems more viable than mangling it on the average Android phone. Unless of course you're tethering another smartphone by sharing the wifi hotspot, which in my personal experience is a common use case.
Yeah, rootless smartphone-to-smartphone (or tablet) is a harder problem to solve without an intermediary device.

But! That intermediary device could be something like a Raspberry Pi Zero.

It isn't "low power" by the strictest definitions, but it is also not particularly expensive power-wise -- it can be powered with USB OTG from a smartphone from the past decade or so. And it is very small, which also counts.

It can obviously run a real Linux distro (or just parts of one), but can also run OpenWRT -- which by nature tends to tolerate intermittent power very well.

It's theoretical, but (again in theory): A Zero W running OpenWRT might be a relatively simple path for a portable hotspot abuser.

First, dump OpenWRT onto an SD card, plug it in an and get in there with a browser -- however that is done.

Second: Create an interface or two for getting hotspot data into it: Maybe one of them via wifi, and another via USB tethering from the connected phone.

Third: Test. At least the Pi itself should have Internet connectivity by this point.

Fourth: Set it up as a wifi access point (I think that chipset can do both at once in OpenWRT), and get NAT going.

Fifth: Utter the well-documented incantations for mangling TTL on all of the hotspot interfaces.

Sixth: Wrap it in nice 3M Super 33+ electrical tape for posterity and a minimum of protection for those tiny SMD parts.

Seventh: ???

Eighth: Profit!!! Or, better: Push the resulting SD card image to the usual places, with correct attribution and license compliance, so that others can benefit more-easily.

Seems doable. To use, just power it on/plug it in, and turn tethering/hotspot on with the donor phone. And then connect other phones to the WiFi AP provided by the Pi.

It'll eat phone batteries pretty quick, but it might last long enough to get someone else out of a jam. (It'll also work well on a portable power bank, and those are also cheap.)

My $15/mo plan in the US can pull hundreds of megabits at 20ms latency to most sites tethered. Tethering is baked into most phone plans and from my experiences not throttled any more than the regular phone data. Most plans have it, even the cheap prepaid options.
My $35/mo Visible plan offers throttled but unlimited hotspot for one device.
Huh. It's interesting that tethering restrictions are implemented via your device, i.e. the device you paid for working against you. Most Android custom ROMs bypass this, and tethering is always enabled regardless of whether your telecom wants you or not.
Tethering is free on my US T-Mobile account. I use it instead of crappy hotel Internet connections. Performance very much depends on your location, as the network is often shaky outside of cities.
I've had a very cheap provider in the US for years that has unlimited tethering/hotspot, and unlimited everything else.

I've "only" ever used it for as much as 1 or 2TB in a month, though -- which is a ton for most individuals. (And only occasionally. It Isn't my primary connection, but sometimes it is a very useful connection.)

(They do attempt to throttle it, but that's been solvable for me with just a TTL hack on a client/router or a PDANet fix on my particular devices.)

Did you mean 1 or 2 GB?
Hah, no. I do mean terabytes.

There's ways to get this done (at least here in the US) for those who are sufficiently motivated.

Yes, but its quite unfortunate in that you cannot do what you want with the data you pay for. Even in plan which not unlimited when I buy in visiting USA, I cannot even use the x GB I purchase without restriction.

I should not need to resorting TTL „unsupported hacks“ which also say company will ban me for.

Eh? What I pay for with my cheap-shit cellular connectivity is to use as much data as I wish, either on the phone itself and/or for exactly 1 hotspot-connected device, at speeds of up to 5Mbps for that singular hotspot-connected device. I can stay within the operating parameters of the service I signed up for by using up to 5Mbps with hotspot (along with literally-unlimited[1] bandwidth on the phone itself) all of the time, 24/7.

I absolutely do get what I pay for, and I absolutely do what I want with it, and let me tell you: I am not paying very much. I have nothing to complain about here.

But I am not alone when I occasionally extend that to more than one device (using a router), and/or using TTL mangling to negate the 5Mbps limit. I've never witnessed anyone being banned for this (and I've paid close-enough attention to the noises people make that if banning were a common thing, I'd have seen the screaming at least one time by now).

Indeed, some people (in some areas, with some devices) don't seem to have either 5Mbps nor 1-device limits on their phone's built-in hotspot -- without any hacks at all.

And while I have used it (and hacks to improve it) rather extensively at various times and for various reasons, I don't typically use it as a primary Internet connection at home:

While my (also inexpensive) DOCSIS connectivity at home is often slower than what my phone can provide on a given day, I prefer the stability and consistent latency of DOCSIS compared to using my phone's hotspot, and I like having my home LAN always-connected regardless of whether I am at home or not, and also I enjoy having my phone's battery last for days instead of hours between charges (wifi hotspot is a huge battery suck on a phone).

In terms of visiting the States: I don't know what to tell you. I've lived here my whole life so I don't ever travel to the US, but this service is not really intended for visitors. It can probably be made to happen with the help of a friend who does live here, but I don't think anyone but you was ever trying to address any issues of visiting the US here in these threads.

Is there a particular aspect about that concept that you'd like to more-thoroughly address?

I can answer questions.

[1]: Everything has limits, and bandwidth cannot ever be infinite, so "unlimited" is with a grain of salt.

I discovered my Turkish ISP is actually capable of relaying me anything that isn’t Instagram, Facebook, Netflix, Google or YouTube traffic reliably once I started using WireGuard VPN with a cheap DigitalOcean VPS.
Maybe it's also a generational thing. In the 90s, I remember running my own squid proxy on a remote shared box somewhere, in order to circumvent "things."

Granted, today, if it was just getting around general network restrictions via blacklist, then tethering is very convenient.

Ssh -D is quite handy
Tinyproxy also, when socks5 isn't supported
Depending on carrier, the parent can turn off data on the child's line and only allow it to be used for voice/text.
Back in my day, it was about obscure web proxies. I remember one that was called something like abelincolnfacts.com, which looked like a blog about Lincoln. But clicking an icon of his face in the top right revealed a web proxy interface to browse the web unfettered.
A super common one from my time is to use google translate’s web translation feature as a proxy since google translate is almost never blocked
Yep, that was a popular one. Later in high school I had a shared hosting account with shell access so I could spin up a proxy with something like

    ssh -NL 8080:localhost:8080 user@host
Then point the browser to use that as a socks proxy.
Though, circumvention of these things isn’t always even that involved, depending on the competency of IT.

At the religious private high school I attended, all it took to make a student a “hacker” was popping open Internet Options on the computer lab’s XP boxes and disabling the proxy they were using. Had to sneakily do this sometimes not to view blocked stuff, but to just have a working internet connection to complete assignments with because the proxy service was provided by some terribly run local company that must’ve been three Staples special Celeron Compaq Presarios and a Linksys router in a shack somewhere, because they were constantly having outages.

[flagged]
What you wrote sounds a bit like "As a minor I have lived in asbestos building and I can assure you I was not harmed". How do you know?

As far as I know, there are many scientific studies that disprove what you've said - and that porn has, in fact, a harmful effect on young minds. Of course there are many other harmful things that we nevertheless accept, like alcohol, cars or cigarettes. So maybe we can, as a society, decide that letting kid watch porn is OK and not worth the alternative (privacy intruding regulations). But arguing that it's not harmful at all is not, I believe, scientifically justified.

Respectfully:

1. I think censorship laws are abhorrent

2. It can be very difficult to tell what effect media has on you, and just because you do not (say) find yourself traumatised or find that your perceptions have been overtly altered does not mean you have not been negatively affected. And you will certainly never be unaffected by anything you experience or do. This is something that I've become more sensitive to and aware of as I've gotten older. And further, it is only through this sensitivity and awareness, and acceptance of the fact that I cannot just decide by fiat how things will affect me, that I have gained some measure of control.

[flagged]
Nor is it provable that you weren't. Which is the point of the previous comment. Anyways, enjoy the nosebleed material...
> ...and I can assure you I was not harmed

How do you know?

I'm not arguing porn is harmful to minors, I have no idea what the data says. But people tend to be terrible at self-diagnosis.

I've never seen any research into the topic and I can't imagine you can have one, since you don't have control group.

So I will assume you are conjuring facts out of thin air.

I didn’t state any facts, I asked “how do you know”?

Because patients are terrible at self-diagnosis.

Anecdote: I stayed in the Airbnb of an (obviously gay) couple in the South-Eastern very conservative Turkish city of Mersin many years ago.

The absolute joy they had when I showed them how to set up 1.1.1.1 on their Android TV, phones, and laptops… so they could watch unrestricted gay porn in their heavily censored and state-controlled slice of the World Wide Web…

I still get a virtual greeting card from them once in a while.

UK is also censoring porn sites...
At this point Turkey is probably more free than the UK.
Can you elaborate please? The UK isn't blocking gay porn sites for example.
I think freedom of speech is an obvious example.
… You think freedom of speech is worse in the UK than in Erdogan’s Turkey? Just what do you think is going on in the UK?
I’ve noticed Americans get some… extremely weird and biased reporting about free speech in the UK. Extreme outlier cases like that Count Dankula guy get reported as the norm.
Only with crappy ISPs like Virgin, which has court-mandated DNS bans for many websites (like ThePirateBay)

I use Zen which has no such restriction. Though for safety all my illegal activity is done via VPN because this is still a Five Eyes country.

EE also does this by default (you can turn it off, but you have to contact them)

EDIT: or is it Three? I can never remember which company provided the last "burner" SIM I got for each trip to the UK.

It's Three that asks for credit card numbers before watching the nudes.

I actually switched to EE and they have no such restriction.

Friendly reminder that all ISPs in the UK are required to store your entire browsing history for a full year, and 17 government agencies, including the Department of Agriculture, can access it without a warrant. Snoopers Act has been passed and lives on for years now, and I'm yet to meet a person who is even slightly bothered by it.
> Don’t all ISPs have retention notices? Probably not (for the reasons above), but this is not public information, and ISPs and others subject to retention notices face statutory prohibitions on disclosure.

> If all Internet access providers were subject to retention notices, wouldn’t it be easier to say that? There would be no need to dance around issues of secrecy, or explain why the list of notice recipients cannot be published. The fact that the Home Office chooses to take this approach undermines the claim that all providers have notices.

This source appears to be engaging in wishful thinking.

The people at my isp insist they don’t store anything other than bandwidth use (which is exposed to me so I know that already)

I don’t keep much data at work for that long

If it is a thing it’s either a massive conspiracy across thousands of network engineers or you could point to some technical details on how it’s implemented.

It's not a conspiracy, they just can't say by law. Did you expect them to tell you if they have an order from the Home Office telling them to not divuldge this information under the threat of massive fines and jail time?
Thousands of people, including a few friends and dozens of acquaintances, including those who have retired, emigrated, and changed citizenship, are all successfully keeping silent about this.

That’s by definition a conspiracy

That way the ISP still sees what you're doing though.
(comment deleted)
Only the DNS lookups. Not the content of what you’re viewing over https. Everything after domain name is encrypted
The DNS lookup are often enough. You can try to claim you were shopping for new shoes on pornhub.com, but not many people will buy it
There is no law against going to pornhub.com, the law is only concerned with dns blocking.
Supposing this was 100% accurate, I'm sure that you could understand that going to pornhub.com or definitelynotgayporn.net would arouse suspicion in a government that is banning such behavior and could cause a person to be under higher scrutiny. So even if you're right that the DNS bypass isn't what would technically get them in trouble, I think you can understand the motivation to encrypt your DNS traffic to ensure that you don't get a target painted on your back. And given this, I hope how you can understand that your comment does very little to contribute to the actual conversation and can even potentially mislead others. A lot of communication is implicit (otherwise it'd be incredibly cumbersome)
Misleading and disinformation also comes in the form of FUD, does it not?
You're going to have to clarify what the misleading/disinformation/FUD is. Because I don't see it.
Just read Every Single Suggestion in your reply.

> going to pornhub.com or definitelynotgayporn.net would arouse suspicion in a government that is banning such behavior

dns blocking doesn't mean adults are banned from visiting porn sites. You start by contradicting your initial concession of assuming this is 100% accurate.

> and could cause a person to be under higher scrutiny. So even if you're right that the DNS bypass isn't what would technically get them in trouble, I think you can understand the motivation to encrypt your DNS traffic to ensure that you don't get a target painted on your back.

This is a prime example of Fear and uncertainty.

> And given this, I hope how you can understand that your comment does very little to contribute to the actual conversation and can even potentially mislead others. A lot of communication is implicit (otherwise it'd be incredibly cumbersome)

And this is doubt. Never fails to accompany the other two.

One of us is very very VERY confused here
Yes, and they should stop patronizing.
I feel like the type of places with heavy handed censorship are also not the type of places you want to go "well, actually..." to the government.
That approach is way too apprehensive.

Those idiots tried to block google docs once.

It didn't go well as you might imagine. ERs, research institutes and several government facilities responded with cordial letters about the court's mental state. Then it was unblocked.

The reason they get to keep the porn bans is because it isn't enforced upon adults, and it does serve as a thin layer of protection against minors.

[flagged]
Watching for the plot…
I was just shopping for cpu cooling at OnlyFans?
Well, in some parts of the world the lie may be "I was watching 100% straight heterosexual porn, no homo". So a DNS lookup to pornhub.com does not reveal the lie.
or just claim ignorance. or the opposite and claim browser DNS prefetching when a blog spam comment linked to pornhub
SNI header from TLS handshake is unencrypted so service providers (and Government's packet inspection engines) absolutely do see what website you are visiting

https://en.wikipedia.org/wiki/Server_Name_Indication

Server Name Indication payload is not encrypted, thus the hostname of the server the client tries to connect to is visible to a passive eavesdropper. This protocol weakness was exploited by security software for network filtering and monitoring[4][5][6] and governments to implement censorship.[7] Presently, there are multiple technologies attempting to hide Server Name Indication.

Also some countries may mandate users to install and trust government's CA certificate which is then used to MITM HTTPS traffic

https://en.wikipedia.org/wiki/Kazakhstan_man-in-the-middle_a...

But the SNI hostname will only include everything left of the TLD. So that is the TLD, the domain name, and the subdomain. It excludes the rest of the URL.

If you have installed a root cert to allow the government to MITM, then there isn't really anything you can do...

SNI is enough to classify traffic for enforcement purposes.

dont forget that if certain SNI is detected, your ISP/government may try to force downgrade TLS or replace server-hello with their own cert - meaning you will need to install government certificate to browse certain websites and 99% of users will do that to get access

Set them up with some form of DNS over TLS.
Reminds me of a... peculiarity in Turkey. Men are required to serve a mandatory term in the military, but are exempt if they're homosexual. However, to prevent this being used as a loophole to evade service, the men in question must prove that they're gay.

This has resulted in the Turkish military having a very large collection of amateur gay porn.

this is basically that family guy episode where Quagmire tries to get out of his marriage to a hooker.
So they’re forced to choose between military service or having sex on camera? I’m not sure I’d call that “amateur porn” if it’s not consensual
Wanting to get out of a pre-existing obligation that every man has, and most don't get out of, should not qualify as lack of consent.
The obligation itself already lacks consent so anything you feel forced to do to get out of it is similarly non-consentual.
If by "similarly" you mean "equally bad at most", then I can agree with that.

But I think most people would rate non-consensual sex as significantly worse than a non-consensual day job.

So if you say the sex on camera is not consensual, you're implying a very different kind of consent violation than is actually happening.

> most people would rate non-consensual sex as significantly worse than a non-consensual day job

The argument here is non-consensual. No work is totally consensual, since you need to survive. You accept a life-long inconvenience in exchange for a beautiful house. Can we make sex consensual in exchange for a large enough inconvenience? The response lies in an experiment: Propose a menial job to prostitutes. Even at the same rate, most prefer their occupation. Therefore it’s consensual.

A funny quirk about non-consensual work is that the 1930’s ILO convention against slavery and forced work… excluded able-bodied men in age of working (article 11). Which kind of defeats the purpose of the convention.

This article was only abolished in 1957.

But compulsory military service still exists in probably half of the world countries.

What part of that isn't a lack of consent? Forced consent is not consent, their only other option was forced military service.
The Overton window has shifted such that two adults agreeing to engage in sexual activity in front of a camera can be in any way considered “non-consensual”? Wild.

Do you think adult actors agreeing to engage in sexual activity in front of a camera, but only because they have chosen to do that for a living when other viable employment alternatives were available, is also “non-consensual”?

"Hey I made this guy really mad go fight him for me"

"No he will kill me!"

"Alternatively you could have sex and let me film it"

Consent.

The problem is in line 1, not line 3.

There would be some serious issues with 3 if 1 was a fake threat meant to push you into 3, but it's not. The vast majority go along with 1.

I see it as rape with a implied third party threat of violence instead of a first party one.

You may feel differently if you feel that men's bodies belong to the state to be used in wars.

The violence was already there. It's not a threat to say and honestly mean "otherwise nothing changes (99% of people pick this option)".

The consent issues are all in the forced service itself, and apply to every man equally, whether or not they take the gay proof exemption.

The violence was not "already there." The violence is generated by the men who are not at risk of going to war.

There's an old saying about two people of different nationalities:

  The difference between you and me is smaller than the difference between us and our respective leaders.
Leaders must convince the public that some person in a far away land hates them and is coming to kill them, because otherwise no one gives a fuck. Because frankly, no one is going to come into contact with another. Normal people are not the ones going to invade other countries and claim territory.
I meant that the violence is a combination of "already caused by the leaders" and "foregone conclusion".

If you opt not to take the gay sex exemption, your fate is the same as if you had never been asked.

(comment deleted)
> and "foregone conclusion"

I'm unconvinced and be hard pressed to be.

> your fate is the same as if you had never been asked.

This is absolutely not true and is literally the entire reason people go to great lengths to do it. Not understanding this is probably why you're not understanding the rest. I'm not sure how you don't get it because if you're gay you're not going to military service and you're not going to jail. If you're not gay (or not faking) your choice is military service or jail. That's not "the same" no matter how you put it.

> I'm unconvinced and be hard pressed to be.

The leaders do bad things whether or not a few gay people join or get exemptions. Why are you not convinced of that?

> This is absolutely not true and is literally the entire reason people go to great lengths to do it.

I said if you don't take the gay option, your fate is the same as if you had never been asked. You do military service or go to jail, like everyone else.

You're talking about taking it. Of course it's different if you take it.

> The leaders do bad things whether or not a few gay people join or get exemptions.

I'm convinced of this. But this is not what you said.

In fact, that's kinda the theme of this conversation and the one you're having with others

When I said "otherwise nothing changes", what did you think I meant?

I thought it was reasonably clear I was talking about how this gay exemption plays out, not the entire world of possibilities.

And for the line that says "your fate is the same", I made that very direct and explicit and you somehow skipped half of the sentence to interpret it in an entirely different way. That one is definitely not my fault.

> in any way considered “non-consensual”? Wild.

Consensual means without coercion and being of sound mind.

Let's put it this way, do you consider a quid-pro-quo scenario where a boss will promote or give a raise to a female employee if she has sex with him "consensual?" Obviously this is arguable in both directions (as we could say that this is a contract between two adults, but then again, prostitution is illegal). What about if we change this to "Have sex with your boss or be fired?" The latter case is less ambiguous, but both cases would generally be considered non-consensual in Western legal systems and has been that way for quite some time. This is nothing new...

If you understand the above but fail to think "You *must* enter the military service, for 3 years, and are likely to go to combat and have a high risk of being killed or seriously injured (physically or even more likely mentally), or you can go to jail, OR put your dick in some guy's ass" I think you can understand how that constitutes significant cohesion. If you are unable to understand this, I am here to inform you that you are overfit and not robust to general problems.

> hat about if we change this to "Have sex with your boss or be fired?"

Definite coercion as stated.

But if the boss is already set on firing everyone in the department, but lets one or two people stay on if they have sex with him, I consider that to be a roundabout method of quid-pro-quo prostitution. Plus embezzlement. There's no retaliation if they say no, they go home like everyone else.

And the military example is similar, there's no retaliation, most men are doing the service. The offer of an alternate option, one that very few take, is not the problem here.

> But if the boss is already set on firing everyone in the department, but lets one or two people stay on if they have sex with him

But we'd still call this coercion. The "dual" of this is "have sex with me or be fired." Just because not everyone gets to have that opportunity does not mean it is not the same question stated differently.

> And the military example is similar, there's no retaliation, most men are doing the service.

There is retaliation, it's called jail.

Just because others are doing it doesn't make it any less of a coercion. This scales too.

> Just because not everyone gets to have that opportunity does not mean it is not the same question stated differently.

To me, it matters significantly if refusing is retaliated against or is neutral.

If having sex with the boss is the difference between 0 firings and 1 firing, that's retaliation. If it's the difference between 95% fired and 100% fired, that's not retaliation.

Also we can say everyone gets the offer if that matters.

-

The other "dual" of this is a version where some employees have already been offered money for sex, but by a completely unrelated party. So if they want they can go take that offer now that they have more free time and only so much severance pay. (Also I am assuming they can get a new job easily enough; there are no destitution-based consent problems in this hypothetical.)

Does consent hinge on who is making the offer?

> There is retaliation, it's called jail.

You misunderstand me. There is no retaliation for not doing the gay sex thing. The default expectation is that you won't do it.

Retaliation for refusing to serve in the military is a different matter. And also why I think the mandatory service is where the actual consent issues are.

Am I understanding your position right? If you have 10 employees and say to 1 of them "have sex with me or you're fired" - that's coercion. If you have 10 employees and say to each of them (separately) "have sex with me or you're fired" - also coercion. If you have 10 employees and say to 5 "have sex with me or you're fired" and to the other 5 just "you're fired" - suddenly no longer coercion?
No, that's not it.

At its core, it's about whether you're trying to pressure them into sex with you.

I should have specifically said everyone gets the offer, to keep it simple. If the expectation is that basically everyone refuses, then it's not very different from walking around town and telling random people you'll hire them if they have sex with you. Which is just prostitution, not coercion.

Whether someone feels pressured is a difficult communication problem. It's hard to reduce to a simple thought experiment.

Another aspect is the prevalence of bullying against gays, once pictures are taken. If gays are sometimes killed even in France (Lyon, 2015), it’s worth wondering whether you want photos of yourself at 18, in a country that could evolve both ways for the rest of your life.
Two adults agreeing to engage in sexual activity in front of a camera, because their only other option is forced military service.
My position is that the requirement was humiliating (a sibling comment says this has been discontinued, which is all to the good) and there's nothing consensual about mandatory military service. This was all explained to me in a verbal conversation, so I could be wrong about this part, but homosexuals didn't have to skip their military service, however many wanted to because they would be punished if caught in the act, so to speak. That makes deciding whether or not to submit photographic evidence into a pretty hard decision, but again, the nonconsensual part is being forced to serve in the military in the first place.

I would also guess that the number of men who submitted to anal intercourse on camera with someone they wouldn't normally have sex with is approximately zero, so it qualifies as consensual in the ordinary sense. I'm not sure calling the result "amateur gay porn" is the ideal way to put it, but it is in fact all of amateur, pornographic, and gay.

Apparently it doesn't happen anymore.

> The system has been undergoing change for the past few years: Lambda Istanbul's lawyer Fırat Söyle stated in 2012 that the rectal examinations, and the photographic evidence of anal intercourse have been dismissed as requirements when they gained worldwide and national media attention.

https://en.m.wikipedia.org/wiki/Pink_certificate

But from when it did happen, it sounds... bad.

> "With the picture it was a bit difficult. The face had to be recognizable as well as the penis and the ass. To put all this into a square was a bit complicated. Twice I got cramps because of the position. […] I also got humiliated at the selection, before they announce it [the final diagnosis]. There are about 12 military people, big ones, with uniforms and everything. […] They all looked one by one at the pictures and I had to bring ten pictures, ten different positions there. This is the difficulty of course, but I managed to do it. And at every single picture they looked and compared it with me. I was standing in the middle. And then they asked me questions. For example which positions I like and if I use this position they see regularly. Questions like that." — Irlenkauser, Julian. "Gender Identities and the Turkish Military." Thesis. European University Viadrina / Istanbul Bilgi University, 2012.

It's weird anyway. I know gay people that never do anal. That seems a weird "proof" despite it being completely out of line to expect that anyway.
I've never once heard of this, and I've spent years living in Turkey.
(comment deleted)
Configuring 1.1.1.1 is a great option for people outside the US whose countries are unable to pressure Cloudflare for information. A better option for those of us in the US is to run our own DNS resolvers. My DNS resolver runs on a little PFSense box that also has DNS blocking and a ton of other features.
Let's be realistic. Porn, the subject of this discussion, is not illegal in the US; this is about age verification laws that apply to the website operators, who then self-block users from particular states. No one is going after Cloudflare for this information as there is no crime committed by the user.

Given Cloudflare's logging policy (https://developers.cloudflare.com/1.1.1.1/privacy/public-dns...) and data disclosure practices, the only way US authorities would get anything worthwhile is if they had a specific individual target and a valid legal process. Cloudflare, like most of the big tech companies, is actually very good on this front; they have robust processes and are transparent (https://cf-assets.www.cloudflare.com/slt3lc6tev37/Q1INAiyBub...) about the limited cases in which they do hand over any user data.

(I don't work at Cloudflare, but do work on these issues for another big US tech company.)

(comment deleted)
The US is not the subject of this thread...

> [a] couple in the South-Eastern very conservative Turkish city of Mersin

Let’s be realistic - this is not about age verification but about restricting people from their rights to view a particular type of content because of how one religion feels about it. The age verification is just the smoke screen the Republicans use to take away your freedoms.
I don't think this subthread is about the US, but just as a sidenote on the US, Project 2025 directly calls for porn to be made illegal and for attacking Internet providers and companies like Cloudflare that enable its access (https://static.project2025.org/2025_MandateForLeadership_FOR...):

> Pornography, manifested today in the omnipresent propagation of transgender ideology and sexualization of children, for instance, is not a political Gordian knot inextricably binding up disparate claims about free speech, property rights, sexual liberation, and child welfare. It has no claim to First Amendment protection. Its purveyors are child predators and misogynistic exploiters of women. Their product is as addictive as any illicit drug and as psychologically destructive as any crime. Pornography should be outlawed. The people who produce and distribute it should be imprisoned. Educators and public librarians who purvey it should be classed as registered sex offenders. And telecommunications and technology firms that facilitate its spread should be shuttered.

Even in a Conservative-majority court this kind of ban would likely be ruled unconstitutional very quickly, but we should be clear when talking about this kind of thing where it is that a substantial number of Conservative foundations would like to go (https://www.project2025.org/about/advisory-board/). There is a non-trivial Conservative movement to to ban porn.

Agreed Cloudflare is a decent company, but some of us would rather not leave crumbs to pick up if/when things change for the worse.
Hopefully their country doesn't outlow watching porn itself, because in that case they are just accumulating evidences against them.
> how to set up 1.1.1.1

I just want to mention a few things: Fallback, other DNSs like 1.* and Mullvad's free DNS with more options

    # Standard
    1.1.1.1
    1.0.0.1
    2606:4700:4700::1111
    2606:4700:4700::1001

    # Block Malware 
    1.1.1.2
    1.0.0.2
    2606:4700:4700::1112
    2606:4700:4700::1002
    
    # Block Malware & Adult Content (not useful for this case)
    1.1.1.3
    1.0.0.3
    2606:4700:4700::1113
    2606:4700:4700::1003
You can find cloudflare information here[0], and remember to make sure you setup DNS over DoT (TLS) or DoH (HTTPS). Especially for them they will want to have encrypted DNS.

Mullvad also offers *free* DNS[1], which also supports encrypted DNS

    # DoH is port 443 and DoT is port 853
    # Standard
    dns.mullvad.net
    194.242.2.2
    2a07:e340::2

    # Block Trackers
    adblock.dns.mullvad.net
    194.242.2.3
    2a07:e340::3

    # Block Trackers + Malware
    base.dns.mullvad.net
    194.242.2.4
    2a07:e340::4
Mullvad also has block for Adult + gambling and social media (so there are 6 total configurations). You don't need the Mullvad VPN to use these.

I should also mention, as this frustrated me a bit, that your browser may implement its own DNS and so just setting these in your router (or pihole) may not completely resolve the issue. In Firefox, go to Settings > Privacy & Security > (scroll all the way down) Enable DNS over HTTPS using > then under either "Increased Protection" or "Max Protection" you can set a DNS resolver (or turn it off). They have defaults for Cloudflare (default!) and NextDNS. While you're there, also check your settings at the top of that page about "Enhanced Tracking Protection"

I am *NOT* a network/security person and would greatly appreciate replies to this comment with additional information. Especially about setting up things like piholes, TVs, browsers, encrypted DNS (especially this!), host files, and so on. Technical forum, so let's get technical and learn ^__^

[0] - https://developers.cloudflare.com/1.1.1.1/ip-addresses/ - https://developers.cloudflare.com/1.1.1.1/setup/#dns-over-ht...

[1] https://mullvad.net/en/help/dns-over-https-and-dns-over-tls

And AdGuard ... which also blocks ads.

Plain DNS:

  # Default servers
  # AdGuard DNS will block ads and trackers.
  IPv4:
  94.140.14.14
  94.140.15.15
  IPv6:
  2a10:50c0::ad1:ff
  2a10:50c0::ad2:ff

  # Non-filtering servers
  # AdGuard DNS will not block ads, trackers, or any other DNS requests.
  IPv4:
  94.140.14.140
  94.140.14.141
  IPv6:
  2a10:50c0::1:ff
  2a10:50c0::2:ff

  # Family protection servers
  # AdGuard DNS will block ads, trackers, adult content,
  # and enable Safe Search and Safe Mode, where possible.
  IPv4:
  94.140.14.15
  94.140.15.16
  IPv6:
  2a10:50c0::bad1:ff
  2a10:50c0::bad2:ff
Adguard DNS-over-HTTPS (DoH)

  # Default server
  # AdGuard DNS will block ads and trackers.
  https://dns.adguard-dns.com/dns-query

  # Non-filtering server
  # AdGuard DNS will not block ads, trackers, or any other DNS requests.
  https://unfiltered.adguard-dns.com/dns-query

  # Family protection server
  # AdGuard DNS will block ads, trackers, adult content,
  # and enable Safe Search and Safe Mode, where possible.
  https://family.adguard-dns.com/dns-query
DNS-over-TLS

  # Default server
  # AdGuard DNS will block ads and trackers.
  tls://dns.adguard-dns.com

  # Non-filtering server
  # AdGuard DNS will not block ads, trackers, or any other DNS requests.
  tls://unfiltered.adguard-dns.com

  # Family protection server
  # AdGuard DNS will block ads, trackers, adult content,
  # and enable Safe Search and Safe Mode, where possible.
  tls://family.adguard-dns.com
See more: https://adguard-dns.io/en/public-dns.html
isn't 1.1.1.1 of limited utility from this perspective? The ISP can still see the IP address, and I know more than one IP address can map to a single domain, but you're still leaking information that would allow one's adversaries to guess at one's intent.
> The absolute joy they had when I showed them how to set up 1.1.1.1 on their Android TV, phones, and laptops… so they could watch unrestricted gay porn in their heavily censored and state-controlled slice of the World Wide Web…

I'd be very careful giving security advice to someone in that situation - in fact, I probably wouldn't do it, even though I am an experienced professional who knows more than most people in IT.

Think about accuracy, which is correctness, completeness, and consistency:

Giving security advice to buddies trying to watch out-of-country sporting events has a much different accuracy requirement than advice for someone whose liberty, life, or pursuit of happiness (assets) are at stake. If your advice is incorrect, incomplete (you don't know or account for the entire picture), or inconsistent (different pieces of your advice don't line up) - these people don't miss their favorite team, the might go to jail, get tortured, lose their children, their careers, etc.

When I give professional security advice, I spend a lot of time on it. I make sure I know the whole picture, my advice is correct - rechecking old understandings, testing and retesting, etc. - and it's consistent. These people are trusting me. And then if I'm not sure of those things, I find someone who knows better than I do. I don't have time to do that at the Airbnb.

In this case, it seems to risk incorrectness and incompleteness: It may be incorrect because setting up DNS lookups so there are no leaks is tricky - I'm not even sure how to do it reliably. For example, some apps and OSes have DNS servers hardcoded; IME some just bypass your configuration (maybe the dev just didn't care to integrate with the system DNS settings); IIRC some have hardcoded fallbacks; sometimes the client overrides your config with the local gateway or the servers it supplies; also, DNS has a complex federated infrastructure. (My first stab at secure DNS is a secure VPN that doesn't leak - that seems much easier).

It's incomplete: the authorities might not see the DNS lookups but they will clearly see the IPs that the user accesses, including those of the porn websites.

These people are trusting you and you told them they could safely look at porn. Yikes, I would not want that responsibility without some serious work.

If they aren’t technical enough to know your setup, they won’t know their current setup either. No big deal, keep it relaxed.
No shit they can safely watch gay porn, it isn’t Russia/Iran
Well, by blocking it they're already well on the way there of course.

Blocking is step 1. Monitoring step 2. After that it starts getting into physical danger territory.

You clearly have no idea about Turkey and the situation. Watching porn isn't persecuted. The conservetive government just forced ISPs to ban them from their DNS. It was always available by using Google DNS and the whole country does this for like 15-20 years now.
I specifically said I don't know; that's one reason I would be very careful. Notice that your response is to assume complete and correct knowledge of your own.

I do know that being LGBTQ+ is persecuted in many places, even in the US; I know what is overlooked now can be persecuted later, even many years later; I know that in most places Internet usage is recorded and is used to build detailed profiles of users, and that those records are retained indefinitely.

I wouldn’t be breaking the law under a repressive government without at least a VPN in the middle.

DNS queries still leak the domain unless the client is using DoH.

Some people are reaching to really wrong conclusions from this post, so a couple of pointers

1. Gay porn is not specifically blocked in Turkey, porn is; so gay porn watchers would be mostly indistinguishable from any porn watchers via their evasion techniques

2. Not that it matters as you are free to be gay in Turkey

3. Not that it matters again, because access to blocked content is never prosecuted. No one ever receives letters from their ISP even for pirating

4. Calling the internet state controlled is a bit far imo, smaller ISPs don’t even apply some blocks and comparatively USDoJ can do domain seizures which is not too different from what happens there (websites being blocked via court orders and “administrative preventative measures”). Although I’d agree that the line for blocking is drawn too close.

5. I also wouldn’t call Mersin very conservative, the left CHP just won the municipal election with ~60% of the votes

One last thing, ISPs have moved on to using DPI to block websites so you might wanna suggest something like green-tunnel so they can up their game.

Have you registered just to say that everything is a-ok in Turkey?

Not to be overly suspicious, but it sounds very much like government-sponsored astroturfing.

I had just contacted hn support to de-associate my posts from my username so I’d feel guilty about posting with my regular account again. Now it’s only posting with throwaways that I don’t even keep track of the passwords of (hence a new username now).

Everything is not ok in Turkey, there’s lots and lots of stuff that needs to be fixed re: gay rights and acceptance in general public plus millions more of other things which led me to leave the country; but having to hide gay porn habits from the government/my isp was not one of them. Again, it’s not Iran or Russia.

(comment deleted)
How did the industry get away with calling proxies "VPNs" anyway?
Proxies and VPNs are different, that's why?
Yes, they are, and what gets sold to consumers as VPNs these days are just proxies.
I think we can split hairs and nitpick this a lot but... Nowadays most often setup is that you join a VPN (a very isolated one), and you use it for the same purpose as you would proxy. But from your machine's point of view, you're using a separate network for your default gateway. Using proxy is usually more involved, and you can configure it in your application. In fact, you can do both and sometimes it makes sense (like using tor socks proxy over vpn).
When you add the word "just", you make that statement false.
No, they are VPNs. They also include proxies in the same bundle, and sometimes it is easier to just use proxies rather than install an entire VPN client on your machines, but VPN (powered by Wireguard or OpenVPN) is what they are selling.
I think the distinction should be that if a private IP address is allocated for you, and hence this "tunnel" is forwarding layer3 packets or lower, then it's called a VPN. A proxy would not forward IP packets directly, but something at layer4 or higher.
They're not. Unless you've invented a new term "Layer3 Proxy", in which case : fine.
(comment deleted)
The major problem here is that our government is turning us all into criminals. Using a VPN doesn't make it legal for you to consume anonymously, even if doing so makes it harder to enforce, at least for now. Soon VPN use will be illegal in some states. Once again, hard to enforce. But these are things which, if for some reason the gov't decides to target you (in which case they can/will spend the effort to discover), can be used against you.

This is not a technology problem, it's a legislative one. It's another example of some of us are using the power of the government to constrain other people's behavior.

Yes

That is the problem with vice laws

Tough times

Isn’t “constrain(ing) other people’s behavior” kinda the point of law? If you’re trying to make a point you’re gonna have to be more specific. Preventing rape, theft, and murder are all instances of “behavioral constraint”, without any qualifiers you’re artificially inflating the magnitude of the situation
The issue is that for a large portion of the population, porn consumption is not considered immoral or even if it is immoral; not an offence worthy of calling someone a criminal over.

We all know that laws are not a good indicator of morality, but society is better when we try to align laws over time with our moral code.

The laws aren't against porn consumption or even anonymous porn consumption. They're about distributing porn to children, which most people are in alignment that we don't want to allow.

These age verification laws all mandate that no identifying information be kept. The Texas law has a $10,000 penalty per instance for record retention. It's still perhaps not the best way to do it, but people are being very disingenuous in their characterization of these laws. It's not that much different from requiring people to show ID at the door of an adult store.

It's still dangerous to share records that way. The structure of the law makes it be against porn consumption and anonymous porn consumption.
Even assuming that an age check can be done in a privacy-preserving way*, it is naive to assume that such measures are effective prevent people from getting access to porn. Sex is one if the strongest human drive and we are not in the 80s anymore when magazines and videos were the primary medias for porn.

*: are those verification schemes set up such that also the government doesn't get to see who accesses which sites?

I don't think it's as intractable as people make it out to be: require porn sites to do some level of due diligence. "But what about sites outside of US jurisdiction (e.g. Russia)?" Require ISPs to have a setting for customers to opt into blocking them. The reality is no one in my household ever has any reason to communicate with Russian, Chinese, etc. or even almost any European servers (maybe there could be exceptions for news, government, and university orgs), so it makes sense for us to just block them.

There you go. You just eliminated pretty much all access for children to online commercial providers.

It's not perfect, but that's a silly reason not to do it. We don't let kids into adult bookstores just because they could (currently) easily get it online. We don't let them buy drugs and alcohol at stores just because they could find an older friend to get it for them. It is already illegal to provide porn to children. Businesses (mostly ad-based ones) have just been getting away with being completely negligent about it for the last 10-20 years.

The Utah law for example seems to specify that either the user provides a digital id, which seems to be a sort of signed message from the state that they've saved into a secure element (so not doing realtime checks with the government. It's not really specified how it works, but it says they can save an ID file to their phone), or use a commercial knowledge based auth solution. So yes, it seems that it's been specified such that the government does not get access to that information.

VPNs still make it possible to access everything. Gotta have to ban these as well.

It seems like regulatory overreach into something which in the grand scheme of things is a very small problem. Today it's porn sites, what will it be tomorrow? Once in place, such laws will be very hard to repeal out of "think of the children" concern. In reality, such laws are never just about children.

Also, what even counts as a porn site to begin with? Is Reddit one, since it has lots of well-known porn subreddits? Do classic web forums for a similar purpose, or Whatsapp groups or Facebook count too? (Don't know how strict their content policy currently is)

The goal isn't to cut access. It's to cut access for children. And again, just because they can find a way doesn't excuse businesses doing exactly nothing to avoid serving them as customers, which they know is already illegal. Most children don't have the means to buy VPN access. There are also off-the-shelf routers that block common VPN protocols (though that may mostly only exist for business tier equipment right now).

Reddit is exactly the type of site that demonstrates the need for some regulation. They have major forums targeted at children (e.g. teenagers, roblox, minecraft) with millions of members, but half their site is porn, and there is no barrier between the two. You'd need to MITM and inspect which forum someone is on to figure out if it should be allowed.

You could say "just block the whole site", but if pornhub had a porn-free comment area labeled "teenagers" (for teenagers to discuss with each other, not for inappropriate images of teenagers, though reddit infamously had that too, and made a special "pimp daddy" trophy for the moderator that ran it), people would reasonably ask why a porn site has a kids section, and demand that even if the business wants to be in both spaces, the websites must be separated.

Brilliant argument against centralization of the web
"Our government" isn't doing it, some very specific ones are. And the people they represent are 100% behind all such laws. This is the democratic process working exactly as intended.
Constitutions are supposed to prevent laws like this. Because it is all too easy to make people forget the principles their democratic system is based on and without which it will degenerate into a tyranny of the majority.
(comment deleted)
If they did this for all social media I might pick up guitar
Unfortunately, the suggestive manual gesticulations required to finger your fretboard have caused guitar-playing to be banned in the state of Texas.
Not to mention those minor diminished sevenths that you've been playing recently. One more half-step towards microtonality, and you'll be looking at time in the slammer ...
It's important to always see the bright side
VPNs: $12/month if you sign up for 200+ months for blocked IPs and slow servers and service. awesome.
Reality: €5/month if you sign up for 1 month, blocked IPs, ~10% reduction in Mbps
For $12 a year you can get a VPS and just put OpenVPN there.
And who is going to pay for the bandwidth?
Those VPS come with like 1 TB a month of bandwidth.

It's storage and CPU that are kind of a premium.

Bandwidth is cheap.

DigitalOcean, OVH, Hetzner, Vultr, Linode, [...], all include a certain amount of bandwidth (or unlimited with a speed cap) with their VPS.
Which one are you using? It's overpriced and it sounds like a bad experience. Fortunately most VPNs you'll find are cheaper and better than what you're describing!
Tailscale exit node on a cheap vps and you're golden. Well as long as the stuff you're doing is "legal". It's still traceable back to you.
How well do subpoenas work across international borders, especially when the charge isn't illegal in the recieving jurisdiction?

(asking for a friend, obvs)

Things like torrenting will get you quickly shut down by the provider. My friend found this out while considering setting up their own seedbox.
Sounds like your friend was VPNing to the wrong jurisdiction.

PulsedMedia (Finland), IHostArt (Romania) and many other seedbox server providers exist and will not shut you down.

Highly recommend Whatbox.ca - i run a “pirate netflix” for all my family and friends off one cheap VPS. It also provides me with a more censorship-resistant VPN than most usual VPN providers. Many VPN services were blocked in GCC countries but not my private whatbox server VPN.
iirc ihostart actually host their servers in their basement, which is bad for reliability but perfectly fine for this use case. The operator also claimed to be an 18 years old, not sure if it's true but if it does I applaud their entrepreneurship spirit at such a young age.
very well as long as the country has an extradition treaty with your home country (if US, almost all you'd ever travel to does)
Nobody cares if it’s not terrorism or national security
1984.hosting

payable with Monero

Do you know any similar hosts that attempt to provide shielded VMs?
Would Mullvad count? You can even pay anonymously by mailing cash.
Hm, I don't know if Mullvad uses shielded VMs for their infra. I guess it would be neat, but I'm more talking about privacy-oriented generic-hosting providers that provided shielded VMs.

Maybe it's just where my head is at, but I look at something like the GP's post and go "cool!" and then realize that such a property would be a prime example of a honeypot. Do I think there are individuals interested in offering low-margin "privacy" VPS services that accept crypto? Yes. But also, I suspect there's plenty of intelligence outfits that would spin up such a project as a fun side project to spy on guest VMs. :| Unbounded money goes a long way. And while I like to cosplay paranoia, I just have to assume that clients of such services are seeking anonymity for Reasons.

Shielded VMs + monero payments would at least move the bar up to "you need to be a target worth leaning on AMD/Intel for shielded-vm compromise".

Granted, I think you could also create infra architecture that allows you to treat these cannon-fodder, but I digress.

Which VPS provider did you go with?

I tried AlphaVPS and another and I had no luck with the traffic routing out of the VPS. Went with a droplet in DigitalOcean in the end that's managed through Portainer. Works a treat and equivalently cheap.

Imagine Texas bans private VPNs next. Haha.
That's not even haha, that's like 6/10 likely.
I doubt Texas will. How would they enforce it? And good chance the federal courts will rule it is pre-empted by federal law (the FCC).

For historical (and arguably even political) reasons, federal courts give the states a bit more leeway when to adult content. But regulating general purpose content-neutral VPNs would really be stepping directly into the FCC’s domain, in a way which would directly impact interstate commerce, and I doubt the courts would let them do that

Great Firewall of Texas.

I could legit see them investing insane dollars on this project.

I don't think this is federally illegal either

> The Congress shall have power to regulate Commerce with foreign Nations, and among the several States, and with the Indian Tribes.
> I don't think this is federally illegal either

If the FCC wanted to overrule it, they could, and the Courts would likely be on the FCC's side. See https://crsreports.congress.gov/product/pdf/R/R46736

But I doubt it would ever get that far. It would be a huge burden on every large corporation operating in Texas, if interstate traffic had to go through some legally mandatory firewall or content filter. The Texas state legislature is generally pro-business, and if almost every major corporation in Texas would be lobbying them not to do something, I doubt they'll do it. And, in the very unlikely event the legislature ignored that lobbying and did it anyway, and the Governor didn't veto it – then those corporations would likely go straight to petitioning the FCC, and I think it is likely they'd succeed in convincing the FCC in overruling it.

Passing a law and actually enforcing a ban are very different things. In the case of porn the big corporate sites have no choice but to comply. VPN providers don't really care. Unless the state of Texas can manage to find and block every IP address of every VPN server worldwide, people are going to get through.
https://UpVPN.app for couple of minutes of VPN
This is exactly the kind of vpn that I need! I only need VPN for a few hours per month to get around some geo restriction or bad network quality.

Is this vpn provider trustworthy?

Gambling should be banned. Not porn.
Why?

No one forces anyone to gamble.

Eh, Gambling disproportionately impacts poor people.

It's as close to Sugar, Nicotine or Alcohol in terms of addiction as you can get without being chemical.

Same reason we ban certain ads targeting kids.

I agree: We should make it illegal for children to gamble.
I think gambling is a much more destructive force in the world than porn, but I don't think either should be banned. Don't look at it like we have to ban a certain number of things.
Anyone have experience with Aura's VPN feature?
If vpns become positioned primarily about accessing porn, well I look forward to the day people acknowledge tls exists and we stop seeing misleading advertisements with the various claims everyone on a network can see the contents of your online banking.
I've already seen a shift in the ads from "hide your banking details from hackers" to more "hide your country from Netflix". I can't prove causation, but it did seem to date from when Tom Scott did his "Honest VPN ad" video.
"hide your country from Netflix" This is the advertising I have seen for what has to be close to a decade at this point.
I mean, it's always been there, and the "security" claims are still out there, but the focus has shifted. In my experience.
one thing i noticed from vpn use recently: using a free vpn actually allows me to watch content otherwise inaccessible to due to geo restrictions. this was using a free vpn.

for a second, i was really happy because i thought the office was finally available in my region.

When it comes to internet vs government censorship, internet wins. Every time.

A lesson our baby boomer regulators will never, ever learn.

Pornography is one of the most powerful forms of control, because you cooperate in your own enslavement. Because of the deranging and darkening effect it has on the mind, you become increasingly less aware of what's actually happening to you, less conscious of the self-destruction you are employing against yourself.

And because it functions this way, it has also been instrumentalized. Sexual "liberation" is political control. Wilhelm Reich essentially wrote the playbook here, though we see plenty of precursors, and in the Enlightenment tradition, Marquis de Sade stands out (though he did not have access to mass media like we do).

As Chesterton observed, such "freedom" is the most transparent of all bribes that slavery can make to rob us of our freedom. Pleasure is far more effective than pain because it conceals the coercive nature of the act. Marcuse saw such things as a conservative force masquerading as "liberation", one intended as a distraction (like bread and circuses) and a way of sapping the attention and energies (and I would add intelligence) of those who partake that could otherwise be used toward criticism. The deranging effect is the worst effect of all, as such, but also because its effects can far outlast the period of consumption.

That people can use VPNs is not a substantive argument against bans or restrictions on pornography.

What you see wrt/ porn and liberation, including sexual liberation, is a step forward, not the end result. So it's not going to be perfect, it's going to have people abuse it and others through it, but the solution is not to go back, but to incorporate what we learned from it, and move forward. Respectfully, Wilhelm Reich is a pseudoscientist, I can't really take his thought on the matter seriously, especially on matters which evolved quite significantly since his observations.

People really do control other people through not just coercion. We can see a modern way of doing this in governments and corporations, currently being called Public Relations.

Consider that control cannot be exercised completely arbitrarily. Most of the time, people who want to control have to use what they have available, so that other people don't resist as much. This means that whatever is there, it will be used for control, but it doesn't mean that the thing exists for the main purpose of control. This is circling back to liberation of all sorts - these don't happen because they want to control us, liberation is happening as a large-scale social change and people who want to control co-opt it for their own purposes. Since it's happening either way, it's an opportunity for them to further their own goals as well.

I am overnighting in North Carolina this evening. Can’t watch porn without providing a drivers license or passport. (But VPN works good.)