Comment by stego-tech
4 months ago
A long, long time ago (within the past ten years), I had to verify my age with a site. They didn't ask for my ID, or my facial scan, but instead asked for my credit card number. They issued a refund to the card of a few cents, and I had to tell them (within 24hr) how much the refund was for, after which point they'd issue a charge to claw it back. They made it clear that debit and gift cards would not be accepted, it must be a credit card. So I grabbed my Visa card, punched in the numbers, checked my banking app to see the +$0.24 refund, entered the value, got validated, and had another -$0.24 charge to claw it back.
Voila, I was verified as an adult, because I could prove I had a credit card.
The whole point of mandating facial recognition or ID checks isn't to make sure you're an adult, but to keep records of who is consuming those services and tie their identities back to specific profiles. Providers can swear up and down they don't retain that information, but they often use third-parties who may or may not abide by those same requests, especially if the Gov comes knocking with a secret warrant or subpoena.
Biometric validation is surveillance, plain and simple.
That was, in fact, what COPA mandated in the US in 1998, and SCOTUS struck it down as too onerous in Ashcroft v. American Civil Liberties Union, kicking off the last 20 years of essentially completely unregulated Internet porn commercially available to children with nothing more than clicking an "I'm 18" button. At the time, filtering was seen as a better solution. Nowadays filtering is basically impossible thanks to TLS (with things like DoH and ECH being deployed to lock that down even further), apps that ignore user CAs and use attestation to lock out owner control, cloud CDNs, TLS fingerprinting, and extreme consolidation of social media (e.g. discord being for both minecraft discussions and furry porn).
Despite TLS, filtering is easier to set up now than it was in 1998. You might have to block some apps in the short term, but if you suggest apps can avoid age verification if they stop pinning certificates then they'll jump at the option.
Consolidation is the only tricky part that's new.
Filtering has never been easy or practical for the general public. But the situation has become much worse.
In 1998 it was easy for a family to have no computer at all, or to put their single computer in the living room where it could be supervised. Internet use was limited because it tied up the phone line. These factors made it easy for parents to supervise their children.
Today, computers are everywhere, fit in your pocket, and its very easy to get online. Even if you don't buy any computer for your children (which is hard, because your children will tell you that they're getting bullied and socially ostracized, which probably won't even be a lie!) they will probably be given a computer by their school and any filters on that computer will inevitability be circumvented. And even if that doesn't happen, they can trade or buy one of their peers old phones and use that on free WiFi to access the internet without you knowing it. Are you going to thoroughly search their belongings every week? If you do, they'll know and find ways to hide it anyway.
And yes, I know kids used to procure and hide porno mags. What they have access to on the internet is a lot more extreme than a tattered playboy.
3 replies →
lets just skip straight to the logical conclusion, buddy. no amount of "web" or "discord" regulation stops porn consumption. the statistic of "minors viewing porn" wouldn't be affected even slightly, even if all of the regulation in question here were passed to the fullest extent. this is because people can just download and run whatever software they want, and communicate with any party they want. what you want is for people to not have control over their computers/communications made from them. people talk about a middle ground, but there is none, because you will always just notice that the "minors viewing porn" statistic is not affected by your latest law, until you have absolute control over civilian communications. this is completely against what anyone in the open source community let alone democracy, stand for.
My complaint was exactly that with modern devices, the owner does not have absolute control over communication on the device, and that's a problem. I think anyone in the open source community or people that believe in democracy would agree that e.g. the owner of a phone or computer should absolutely have the ability to intercept, record, manipulate, and filter all communication that device is doing.
Right. My friends in middle school would trade floppies with porn on them, which older students and siblings would be happy to provide.
Do you believe the ease with which a service can be used influences the amount of people who use that service?
Like with marginal users?
This has already come up before the Supreme Court, with the argument that filtering was a less invasive technique to fulfill the government’s legitimate interests back in the early 2000s.
That ship has sailed. Even the opposition admits that trying to get everyone to filter is not going to work and is functionally insignificant. The only question is whether age verification is still too onerous.
> trying to get everyone to filter
We never needed everyone to filter, just parents busy lobbying the government to impose crap onto every possible service and website across the entire world.
Instead, they should purchase devices for their kids that have a child-lock and client-side filters. All sites have to do is add an HTTP header loosely characterizing it's content.
1. Most of the dollar costs of making it all happen will be paid by the people who actually need/use the feature.
2. No toxic Orwellian panopticon.
3. Key enforcement falls into a realm non-technical parents can actually observe and act upon: What device is little Timmy holding?
4. Every site in the world will not need a monthly update to handle Elbonia's rite of manhood on the 17th lunar year to make it permitted to see bare ankles. Instead, parents of that region/religion can download their own damn plugin.
35 replies →
> The only question is whether age verification is still too onerous.
You've skipped right past the "does it work" question. It doesn't. Porn is available on file sharing networks in far greater quantity than it is on reputable websites.
The only realistic methods I'm aware of are whitelist filtering, sufficient supervision, or sufficient interaction and education.
[flagged]
I suppose you do not have children. I am open-minded, mid 40's. The level of violence in porn you can get access to with just one click, has no comparison with what I could get access to as a kid (basically nothing).
With the net, you get access in one click to the worse and the best. It is a lot of work as a parent to educate the kids about that.
As kids, teenager and even as 20 something, if we wanted to do some experience, we had to physically access the media or be physically present. This was not on-demand over a screen.
So, I filter the access at home while also trying my best to educate. This is not easy and I can understand that non tech savvy people request more laws, even so I am personally against.
The article is pretty well balanced, we have no silver bullet here.
26 replies →
My girl discovered self-pleasure at the age of 5, ironically during an exam from her doctor (she doesn't think it was intentional). I had an ex discover masturbation around the same age. I personally discovered it around 11 or 12. All of the above discovered porn accidentally as kids. I don't know about them but after that I intentionally sought it out.
Guess what! Both of us are perfectly fine!! (Well the ex is a bit psychotic but that's unrelated...)
This obsession with protecting kids from the realities of life is just fucking stupid. We as a species have the stupidest, most ridiculous views about something that is required to keep us alive!
The problem is that most porn depicts sex as somewhat violent and sets unreasonable expectations of what sex is like.
Not every woman is capable of deep-throating or going straight from vaginal to anal without adding some extra lube. Most women don't want their man to put his hands around her throat during sex. Almost none of them are okay with going from ass to mouth.
Porn also sets an unrealistic standard for penis size. When the average is 5.2 inches with a standard deviation of about an inch, it becomes clear that the 7+ inch penises used in porn are like the top 5%.
I don't think parents are having these conversations with their kids about this.
1 reply →
it is recommended not to employ sarcasm when counterpoints are easily available
8 replies →
> Jesus, how does your society still function when underage people can see videos of people having sex?!
It kind of isn't anymore. But not just because of porn, obviously.
Early porn exposure goes hand in hand with the problems we see typified in the recent Netflix movie Adolescence. Seen women constantly railed and treated like meat when that young probably does do something.
"Videos of people having sex" is deliberately misleading, modern porn is not dry educational science videos. It's clear you'd rather be snide than correct.
5 replies →
[dead]
Is card verification a lesser form of surveillance? And there’s a good chance your card issuer (or your bank, one hop away from it) has your biometrics anyway.
I don’t like either of them… (And why does YouTube ask me to verify my age when I’m logged into a Google account I created in 2004?)
Oh, make no mistake, I hate both of these. I loathe this forced surveillance of everyone because parents can't be bothered to supervise and teach their children about the most primary of human animal functions (sex), regardless of their reasons for it.
I take great pains to keep minors out of my adult spaces, and don't have to resort to anything as invasive as biometric surveillance or card charges. This notion that the entire world should be safe for children by default, and that anything and everything adult should be vilified and locked up, is toxic as all get-out and builds shame into the human animal over something required for the perpetuation of the species.
The adult content isn't the problem, it's the relationship some folks have towards it that's the issue. That's best corrected by healthy intervention early on, not arbitrary age checks everywhere online that mainly serve as an exercise of power by the ruling class against "undesirable" elements of society.
> take great pains to keep minors out of my adult spaces, and don't have to resort to anything as invasive as biometric surveillance or card charges.
What sort of spaces are these (online or in person), and how do you enforce this? I have an online space where such non invasive measures could be useful.
2 replies →
> This notion that the entire world should be safe for children by default, and that anything and everything adult should be vilified and locked up, is toxic as all get-out and builds shame into the human animal over something required for the perpetuation of the species.
The world should be safe for kids because kids are the future of our society. When the world isn't safe, families won't have kids and society will start to decline. Maybe that means giving up some of the privileges you have. That's the cost of our future.
3 replies →
> And why does YouTube ask me to verify my age when I’m logged into a Google account I created in 2004?
Yeah those checks are super annoying. The internet has been around long enough, mechanisms for this should exist.
And even in the smaller term, if I had to be 13 to make this account, and it has been more than 5 years, maybe relax?
> Is card verification a lesser form of surveillance?
It's not just about which is worse surveillance, it's also simply that everyone has a face but not everyone has a credit card. I'm not deemed creditworthy in this country I moved to (never had a debt in my life but they don't know that) so the card application got rejected. Do we want to upload biometrics or exclude poor and unknown people from "being 18"? I really don't know which is the lesser poison
> (And why does YouTube ask me to verify my age when I’m logged into a Google account I created in 2004?)
I'd guess they didn't want to bother with that edge case. Probably <0.01% of active Youtube accounts are >18 years old
>everyone has a face
Does everyone who is 18+ have a face that passes for 18+ (and the inverse as well)?
Overall it seems like a bad idea, but one demanded by what sounds like a good idea with not reasonable way to fully implement it, leading to a tangled network of bad ideas patching other bad ideas patching other bad ideas all the way down.
4 replies →
Why/how would my bank have my biometrics?
I logged into my Starling Bank account on a new phone, and I had to film my face reading a 6 digit number.
2 replies →
They almost certainly have a photo of your passport or other identification.
2 replies →
Don't know about the US, but over here the last couple of years it has been a big wave of "enable biometrics sign-in! Totes safe, your face is the best ID, just click this checkbox, please, we would really like you to use it, pretty please" in the bank apps. No idea why they pushed it so hard, and it seems to have largely subsided now.
What you describe is called QES (Qualified Electronic Signature) and is still widely used to validate identities.
Unfortunately it is not enough to prove an identity (you could be using the credit card of your traveling uncle) and regulation requires for it to be combined with another proof.
I see a lot of people associating identity verification with evil intent (advertising, tracking).
I work in this domain and the reality is a lot less interesting: identity verification companies do this and only this, under strict scrutiny both from their customers and from the regulators.
We are not where we want to be from a privacy standpoint but the industry is making progress and the usage of identity data is strictly regulated.
As someone looking in from the outside: what regulations govern this type of work?
In EU: eIDAS and ETSI.
In the US: BIPA started in Illinois and is expanding to other states.
BIPA sets a brutal bar in terms of regulation.
1 reply →
Paypal used this method as identity (or at least account) verification back in the very early days, IIRC. They made a very small deposit and I think they just let you keep it but I can't recall that for sure.
Credit cards are trivially traceable to your legal identity, since anti-money-laundering and know-your-customer laws require that credit card companies keep this information. The government can subpoena this information just as easily as they could with pictures of your face or ID.
How do you prove the person typing in the credit card details is the same person who owns the card?
I know I've read stories of kids taking cards to purchase games or other things online numerous times over the last 20+ years.
As we've seen, if the information is retained, it will be used.
The only safe approach is for that information not to exist in the first place.
I had a debit card when I was 13. An absolute godsend during international travel, not having to bother with cash as a forgetful teenager.
The card providers share your identity in monetary transactions, but I don't think this data does & should include birthdate.
These checks accept only a credit card.
That's useful as one option, but can't be expected of 18 year olds in most countries, and older adults in many.
I had a credit card at 15. I had to travel for some school related stuff and it was easier to carry a card than excessive amounts of cash.
What if you don't have a credit card? This solves nothing, the good way to do this is as system like Polish "MojeID" (my ID) [1]. This works in the following way, a site needs to verify information X, then it redirects users to a bank (that has to provide this service), login over there and then agree to let the bank know whatever it was requested - it could be only one information, birth date.
This is a good solution, as banks are obliged to provide free bank account for anyone (there is EU regulation on that), this is very save, gives users full information what data third party requested.
[1] https://www.kir.pl/nasza-oferta/klient-indywidualny/identyfi...
1. Your old credit card solution needs a credit card. So you exclude out the poor, bad credit, etc.
2. Parents will help kids bypass checks like that.
3. It can be bypassed by a half-smart 13-year-old who can access an app on a phone that will give them the card details and be able to see transactions.
Any verification that doesn't actually verify you via proper means is easy to fake. Hell, we can fake passport/id photos easy enough so now we have to jump on calls with the passport and move it around.
The days of the wild west of the internet are long gone. It's time to realise that it's so important that it deserves the same level of verification we give to in person activities. Someone seeing you and/or your id. It's the only thing that has the best chances of not being bypassed with ease.
They issued a refund to the card of a few cents, and I had to tell them (within 24hr) how much the refund was for, after which point they'd issue a charge to claw it back.
This was one of the methods that CompuServe used back in the 1980's, though using a checking account.
It's sad that so many aspects of technology have completely failed to improve in half a century.
I don't really get your point, surely a credit card is even more strongly linked to your identify than your face?
I basically agree with you, but it's not like you could not be tracked using your credit card number.
This is not about tracking, having your biometrics means they can resell the data to other providers (e.g. palantir or some other hellish enterprise). With that, the places and means of following you in real time are practically limitless...
There have been so many dystopian movies about this kind of tech, it's a good insight of what comes next.
> Biometric validation is surveillance, plain and simple.
Eh. It's just easier and cheaper. I'll bet Discord has outsourced this to one of those services that ask you for a face scan when you sign up to [some other service].