72 comments

[ 2.4 ms ] story [ 65.7 ms ] thread
I'm surprised that the EFF does not highlight the best option, here: use a VPN to a jurisdiction that doesn't have such ridiculous laws.
VPNs are increasingly useless, with Cloudflare in front of 80% of the public net. I always wonder if people giving this advice try it themselves, most major sites are unusable with a common VPN provider.
I have never clicked "accept" on a cookie banner, as a matter of principle; I zap them away with uBlock Origin. Should the plague of age verification reach my jurisdiction, I'm sure I will handle it in like fashion.
Is there a throwaway identity that people are using? A dead person unchecked in Mississippi somewhere? Like every teen in America using the same identity like everyone's extended family does with their uncle's Netflix account?

I don't want to google it because I don't want to be put on a list but I also feel somewhat confident that this is being done. Apparently, HN feels safe to ask questions like that for me.

>I don't want to google it because I don't want to be put on a list

You might think about using something like the Tor Browser for anonymous web surfing:

https://www.torproject.org/download/

...If you are worried about getting on a list by downloading the Tor browser, then take a trip to the next-town-over public library and download it from there. I guess your ISP could still guess that you were using Tor, and you might end up on a list of people using Tor. Also: If everyone is on the list, then no one is on the list.

>If Google can guess your age, you may never even see an age verification screen. Your Google account is typically connected to your YouTube account, so if (like mine) your YouTube account is old enough to vote, you may not need to verify your Google account at all.

This has been proven false a bunch of times, at least if the 1000s of people complaining online about it are to be believed. My google account is definitely old enough to vote, but I get the verification popup all the time on YouTube.

I think the truth is, they just want your face. The financial incentive is to get as much data as possible so they can hand it to 3rd parties. I don't believe for a second that these social networks aren't selling both the data and the meta data.

I think the reality is a lot less nefarious. They don't want your face. But they also don't care enough to not take your face. Why would Google spend lobbying and legal money trying to fight this requirement when it doesn't hurt their bottom line? On the other hand, requirements like storing ID cards does hurt their bottom line because it means:

1. they need additional security measures to avoid leaking government documents (leaking face photos doesn't hurt them as much) 2. not every person has a valid government document 3. additional customer support staff to verify the age on documents rather than just using some fuzzy machine learning model with "good enough" accuracy.

The bottom line is that companies are lazy and will do the easiest thing to comply with regulations that don't hurt them.

This comes across as incredibly paranoid. Most places use 3rd party age verification anyway. They're following the law/playing safe with the law in certain countries, and it's just easier to apply it everywhere.
I believe YouTube got hit with some EU compliance law at some point. My Google account was old enough to vote but I still had to verify it to watch certain YouTube videos. They put a one cent reservation on my credit card IIRC, no need to actually upload ID.

It happened right after ElsaGate, so they probably went overboard to cover for the weird shit happening on their platform. YouTube is full of pedo farms and weird porn if you know where to look for it, so they need something to point at so they can shout "look, we tried!"

(comment deleted)
Face scan: download and install Gary's mod.
There were some amusing headlines a while back about Discord's verification being fooled with game screenshots. Does anyone know if that's still the case?
How well does the selfie test detect AI-generated photos? That seems easy to bypass, especially if you copy the metadata over from a real photo.
States need to stop sniffing for age really. This is age discrimination.
I thought the article was about finding a job when you reach a certain age, which is my problem.
Yeah, I didn't notice where the article was located at first, and I thought that's what it was going to be about also.
My kid has recently just quit playing Roblox because of the sketchy facial age check process. She said that her and all her friends know not to ever upload a picture of themselves to the Internet (good job, fellow Other Parents!!) so they're either moving on to other games or just downloading stock photos of people from the internet and uploading those (which apparently works).

What a total joke. These companies need to stop normalizing the sharing of personal private photos. It's literally the opposite direction from good Internet hygiene, especially for kids!

I think the way Roblox is doing right now separating the users in age groups just makes it easier for predators to find victim.
My kids also know that as far as the internet is concerned, their date of birth is 1 January 1970.
Having to manage my kids online accounts have been a nightmare. So many different rules, with arbitrary age limits on things that go completely against my own rules for what my kids can do at different ages, with weird methods for linking or verifying or sharing/transferring purchases. I have gotten so frustrated trying to get accounts set up so we can play together.
My favourite is Youtube.

I can get Youtube Family so my kids don't get ads.

But if your kids are under 13, they can't be added to a family account on YT - so they MUST watch the ads.

Can someone explain the logic here?

> She said that her and all her friends know not to ever upload a picture of themselves to the Internet (good job, fellow Other Parents!!)

it's a video game, it's an aesthetic experience, if uploading a photo of yourself doesn't feel good, it's valid to say, it's a bad game or whatever.

but by some more objective criteria, this photo upload thing that you are saying doesn't really matter. they are uploading photos of themselves to the Internet all the time (what do you think Apple Photos is). of course, with kids, i can understand the challenges of making nuanced guidelines, but by that measure, it's simpler to just say, playing roblox is kind of a waste of time, or suggesting better games to play, rather than making it about some feel-good nonsense i'm-a-savvy-Internet-user rule. it's what this whole article is about, providing real answers, but who under 18 years old is going to read the whole thing?

> These companies need to stop normalizing the sharing of personal private photos. It's literally the opposite direction from good Internet hygiene, especially for kids!

While I agree with you entirely, it's important to remember that these companies want to mis-educate the masses (and especially children) against their own interest. It's not just unfortunate that they're normalising uploading a photo just to play a videogame: it's an intentional choice to de-normalise privacy and normalise deeper and more in-grained online stalking.

The funniest case I've seen was somebody fooling one of these tools using Gmod by playing with the face sliders of those stock Half-Life characters.
But I also don't want the alternative, that I have to ID myself. Anonymous and pseudonymous access is the best solution.

The EU tries to introduce age verification, simultaneously it currently talks about sharing police data with the US for the Visa waiver program.

If this verification data is collected and normalised, we will constantly have to fight how much data that is required for auth and it can just be legislated.

Why can't the EFF tell people to lie? Because if you can get away with it, lying is almost always your best option. Unless there are actual real world consequences to lying like you may anger the police.

And maybe consider using a VPN.

If my options are upload a picture of myself for Google to monetize through ads or not use Google / Youtube then I will be moving on regardless of the inconvenience to myself.
I think that age verification is important. While its not perfect, it is one tool to help protect kids.
Think back to when you were a child. Did age verification ever stop you from doing anything? The automated, technologically-implemented age-verification is even less interested in properly verifying anything than the ID-checking bouncers at a bar. None of these things protect kids, they just annoy them and teach them that authority is stupid and lying is a convenient way to deal with stupid people.
I would say that normalizing giving random websites photos of yourself is harmful to children.
In an ideal world, parents would be good parents, know what their kids are up to, install parental controls on their digital devices (software solutions out there range from free/bundled to not expensive), have conversations with kids about what's on the internet and what to avoid.

Government overreach is not the answer, it's a plaster (and an excuse for more surveillance which is arguably the primary factor) over bad parenting. In the UK at least, all major ISPs and mobile providers have a basic parental/adult-content control package that is set-up by default (opt-out by the bill payer). Albeit trivial to get around with a VPN/proxy or changing DNS servers etc.

Kids will be kids as well. They'll get around restrictions, they're clever, they talk with their mates in the playground about this sort of thing. Especially teens.

>should I continue to use this service if I have to verify my age?

Simple answer, never accept this If everyone selected "cancel" you can be sure these sites will stop age banning, they wan $ more than anything else.

If a site asks me one question about me, I stop using if.

This makes me wonder if there's a business case for a privacy-preserving identity service which does age verification. Say you have a strong identity provider that you have proven your age to. Just as the 3rd party site could use SSO login from your identity provider, perhaps the identity provider could provide signed evidence to the 3rd party site that asserts "I have verified that this person is age X" but not divulge their identity. Sidestep the privacy issue and just give the 3rd party site what they need to shield them from liability.
The article does go into this and gives lip service to the idea that a secure third party could expose age without exposing identity. Ultimately, there's still the problem that even if point of verification can be done in a zero trust way, you are still entrusting very sensitive information to a third party which is subject to data breach.
I’ve been noodling on this idea for a while but I think getting commercial acceptance would be hard. People have tried it with crypto albeit with lukewarm results. I think to have the network effects required to be successful in such an endeavor, it would have to come from a vendor like apple or google unfortunately.

You kind of want an mTLS for the masses with a chain of trust that makes sense.

I'm more interested in a business that reliably provides fraudulent IDs to services that unnecessarily want IDs that I cannot avoid for some reason.
You've almost got it right. You just need to modify this part:

> Just as the 3rd party site could use SSO login from your identity provider, perhaps the identity provider could provide signed evidence to the 3rd party site that asserts "I have verified that this person is age X" but not divulge their identity

The way you compared it so SSO login makes it sounds like there would be interaction between the 3rd party site and the identity provider. That's bad because if someone got a hold of the records from both the site and the identity provider they might be able to match access time logs and figure out who you are.

A fix is to make it so you get your signed document from the identity provider ahead of time, and that document is not tied to doing age verification with any particular site(s). You get it once and then use it with as many sites as you want.

When you use it with a site to demonstrate age we need to do that in such a way that neither of you have to communicate with the identity provider. If the site needs to verify a signature of the identity provider on something you present they use the provider's previously published public key.

We need to make it so that when you use the signed document from the identity provider to show your age to a site they don't see enough from the document to identify you, even if they have been compromised and are collaborating with the identity provider to try to identify you.

Finally, the signed document should be bound to you in some way so that you can't just make copies and give them to others or sell them on the black market to people who want to evade age checks.

BTW, since under this approach the identity provide isn't actively involved after their issue your signed document what probably makes the most sense is to have your government be the identity provider. In particular, the same agency that issues your driver's license or passport or nation ID (if your country has those).

Such a system can in fact be built. The EU is including one in their EU Digital Identity Wallet project, which has been in development for several years and is not undergoing large scale field testing in several countries. It is supposed to be deployed to the public this year or next.

The first version handles the binding of the document to you by tying it to your smart phone's hardware security element. They plan to later support other types of hardware security elements. 90+% of adults in the EU have smart phones (95-98% for adults under 54), and it is going up, so the first version will already cover most cases.

Google has published some libraries for implementing a similar system. Both the Google libraries and the EU system are open source.

What's ... boggled me about this issue since forever is that:

1. Most people access online content through either a personal or business broadband service (residential, mobile, or place-of-work).

2. Those services ... bill directly. Which means that it should be possible to specify an age preference for the service account as a whole, and/or subsets of it. The service can specify whether or not age-bounded online services are acceptable or not, as well as specific classes of age-bounded services. E.g., a workplace service would generally allow for >18 access, but might restrict usage of gaming, gambling, pr0n, or related sites. A household might request no age gating at all (all >18 or whatever minimum age is mandated) or several classes of service, say, if adults and children are present.

3. Where it's necessary to specify multiple preferences, multiple network segments could provide this logically (e.g., an IPv6 block with unrestricted and age-gated ranges), with distinct devices being allocated appropriate gateway addresses.

4. Effectively, the connectivity provider then attests for age, without requiring any finer-grained identity disclosure.

Why ...

A. Would this not work?

B. Is it not being generally proposed?

I’ve noticed that many people struggle to simply let things go. Take a hypothetical case where HN requires ID verification. I'd just stop using HN, even if that meant giving up checking tech news. Sometimes things end, and that's fine.

I used to watch good soccer matches on public TV. When services like DAZN appeared, only one major match was available each weekend on public TV. Later, none were free to watch unless you subscribed to a private channel. I didn't want to do that, so I stopped watching soccer. Now I only follow big tournaments like the World cup, which still air on public TV (once every 4 years).

Sometimes you just have to let things go

Funny, I'm the opposite. Since information wants to be free, and storage/compute get more affordable every year, then really everything ever posted on the web should be mirrored somewhere, like Neocities.

I grew up in the 80s when office software and desktop publishing were popular. Arguably MS Access, FileMaker and HyperCard were more advanced in some ways than anything today. There was a feeling of self-reliance before the internet that seems to have been lost. To me, there appears to be very little actual logic in most websites, apps and even games. They're all about surveillance capitalism now.

Now that AI is here, I hope that hobbyists begin openly copying websites and apps. All of them. Use them as templates and to automate building integration tests. Whatever ranking algorithm that HN uses, or at least the part(s) they haven't disclosed, should be straightforward to reverse engineer from the data.

That plants a little seed in the back of every oligopoly's psyche that ensh@ttification is no longer an option.

> I’ve noticed that many people struggle to simply let things go

Because it's not always about their entertainment. I know churches that post info about events only on WhatsApp groups, if you don't use it - you're screwed. I know kindergardens which use Facebook Messenger groups to send announcements to their parents' children - if you don't use it, you will miss important info.

For most people, letting go such things is very impractical. One can try to persuade for a better way to do something - but then you become the problem.

A lot of small towns are like this too - no website, posting only to Facebook. I suppose they figure it's better than nothing, which maybe is true on some level.
Many people don’t struggle to let privacy go.
(comment deleted)
My main concern is that there isn't a reliable way to know your information is securely stored[0].

> A few years ago, I received a letter in the mail addressed to my then-toddler. It was from a company I had never heard of. Apparently, there had been a breach and some customer information had been stolen. They offered a year of credit monitoring and other services. I had to read through every single word in that barrage of text to find out that this was a subcontractor with the hospital where my kids were born. So my kid's information was stolen before he could talk. Interestingly, they didn't send any letter about his twin brother. I'm pretty sure his name was right there next to his brother's in the database.

> Here was a company that I had no interaction with, that I had never done business with, that somehow managed to lose our private information to criminals. That's the problem with online identity. If I upload my ID online for verification, it has to go through the wires. Once it reaches someone else's server, I can never get it back, and I have no control over what they do with it.

All those parties are copying and transferring your information, and it's only a matter of time before it leaks.

[0]: https://idiallo.com/blog/your-id-online-and-offline

Honestly that main concern should be two main concerns.

You/your kid/your wife goes to hàckernews.com and is prompted for age verification again, evidently the other information has expired based on the message. So they submit their details. Oops, that was typosquatting and now who the hell knows has your information. Good luck.

Exactly. Everything "private" that you post online will become public eventually.

Everyone says "we only store the data temporarily and it's deleted right after" including everyone who didn't do that and got hacked.

But I think we're far too late into this issue by now.

It's 2026 and we still don't have a way to know if our passwords are being stored in a secure way in their databases. What hope do we have to know about how our photos are being handled?

> Even though there’s no way to implement mandated age gates in a way that fully protects speech and privacy rights

I think the EFF would have more success spreading their message if they didn't outright lie in their blog posts. While cryptographic digital ID schemes have their problems (which they address below), they do fully protect privacy rights. So do extremely simple systems like selling age-verification scratchcards in grocery stores, with the same age restrictions as cigarettes or alcohol.

> So do extremely simple systems like selling age-verification scratchcards in grocery stores

Which stores sell age-verification scratchcards? How do you make sure they can't be traced back to the person who paid for them or where they were purchased from? How would a website know the person using the card is the same person who paid for them? It may be a simple system, but it still sounds ineffective, dangerous, and unnecessary.

What a piss poor article.

"We disagree with age gates but our recommendation is to comply". Fuck this.

Switch VPN region or upload a random picture generated by AI, problem solved.
OpenAI uses AI to scan your ChatGPT conversations to determine your age. And even though I've been using ChatGPT for mostly work-related stuff, it has identified me, a man in my 40s, as under 18 and demanded government ID to prove my age. No thank you.
Isn't age guesstimation by appearance, even with advanced machine learning techniques, even if attempted by real person with honest effort, just total snake oil? This ongoing age verification push with weird emphasis on generating name-face pairs is beyond fishy.
If this is about porn or other content deemed age-sensitive, the moment it becomes difficult to source through "official," mainstream platforms, the content will move underground (P2P networks), making it even more difficult to analyze and regulate. So this is a very shortsighted move.