My kid has recently just quit playing Roblox because of the sketchy facial age check process. She said that her and all her friends know not to ever upload a picture of themselves to the Internet (good job, fellow Other Parents!!) so they're either moving on to other games or just downloading stock photos of people from the internet and uploading those (which apparently works).
What a total joke. These companies need to stop normalizing the sharing of personal private photos. It's literally the opposite direction from good Internet hygiene, especially for kids!
One aspect of this normalization of photo uploading is that, if a platform allows user-generated content that can splash a modal to kids, a bad actor can do things like say “you need to re-verify or you’ll lose all your in-game currency, go here” and then collect photo identification without even needing to compromise identity verification providers!
I truly fear the harm that will be done before legislators realize what they’ve created. One only hopes that this prevents the EU and US from doing something similar.
The fundamental question that needs answering is: should we actually prevent minors below the age of X from accessing social media site Y? Is the harm done significant enough to warrant providing parents with a technical solution for giving them control over which sites their X-aged child signs up, and a solution that like actually works? Obviously pinky-swear "over 13?" checkboxes don't work, so this currently does not exist.
You can work through robustness issues like the one you bring up (photo uploading may not be a good method), we can discuss privacy trade-offs like adults without pretending this is the first time we legitimately need to make a privacy-functionality or privacy-societal need trade-off, etc. Heck, you can come up with various methods where not much privacy needs trading off, something pseudonymous and/or cryptographic and/or legislated OS-level device flags checked on signup and login.
But it makes no sense to jump to the minutiae without addressing the fundamental question.
Every once in a while, eBay emails me out of the blue and asks me to update my personal details, with a link to a web page.
I always assumed they were phishing scams, but I looked closer at one, and it is a real link too a real page on their site. It's like they're training people to fall for phishing scams. One of them even displayed the name of a variable, instead of my user name.
> I truly fear the harm that will be done before legislators realize what they’ve created.
Not defending the legislation as I overwhelmingly disagree with it, but if I recall, I don't think any of the age verification legislation specifies a specific implementation of how to verify age.
Requiring photos, or photo ID, or any other number of methods being employed, were all decided on by the various private companies. All the legislators did is tell everyone "you must verify age." The fault here is on Roblox as much as it is on the legislature and they should equally share blame.
i call this slipstreaming, it can even occur during the signup yeah, once the bouncing around to many domains / uploading photos is psychologically normalized havoc can ensue. this is the greater evil.
I'm optimistic actually. I think "Gen Alpha" is gonna be alright and sufficiently wary of Internet sharing and privacy. Unlike the previous few generations, esp. Milleneals and to a somewhat lesser extent Gen Z and Boomers, who have massively over-shared and are now reaping some of the horrible harvest that comes from that oversharing. Today's teens and tweens seem to finally be getting the message.
I also actually think AI might be a savior here. The ability to fake realistic 18+ year old selfies might help put the nail in the coffin of these idiotic "share a photo with the Internet" verification methods.
I wondered for a while why I got so many ads targeted towards seniors when I made my facebook account as a kid. Then I remembered my birth year was set to 1905. I guess I should let the Guinness World Records know that their listing for oldest man in the world is inaccurate.
> These companies need to stop normalizing the sharing of personal private photos. It's literally the opposite direction from good Internet hygiene, especially for kids!
While I agree with you entirely, it's important to remember that these companies want to mis-educate the masses (and especially children) against their own interest. It's not just unfortunate that they're normalising uploading a photo just to play a videogame: it's an intentional choice to de-normalise privacy and normalise deeper and more in-grained online stalking.
Most of these companies don't even want to add age gates. They get in the way of their normal predatory marketing schemes, the little bits of extra data isn't worth it.
Stupid laws are forcing these companies to implement something. In most countries, there is no privacy-preserving way to verify that you're old enough digitally, so when these companies are forced to get something good enough going, they're going to go with the cheapest offer they can legally get away with.
Governments know this. They want certain websites to disappear entirely, and for certain platforms to just stop existing. Both sides are using weaponised incompetence to blame the other and users end up losing regardless of whose fault it is.
But I also don't want the alternative, that I have to ID myself. Anonymous and pseudonymous access is the best solution.
The EU tries to introduce age verification, simultaneously it currently talks about sharing police data with the US for the Visa waiver program.
If this verification data is collected and normalised, we will constantly have to fight how much data that is required for auth and it can just be legislated.
There seems to be a big movement (UK specifically) from governments using age gateing as an excuse to increase surveillance and online tracking. I don't know where Roblox is based or it's policies, but it's likely they are just implementing what the government has forced them to do.
We need to push back against governments that try and restrict the freedom of the internet and educate them on better regulations. Why can sites not dictate the content they provide, then let device providers provide optional parental controls.
Governments forcing companies to upload your passport/ID, upload pictures/videos of your face, is dangerous and we are going to see a huge increase of fraud and privacy breaches, all while reducing our freedoms and rights online.
IMO it should not be hard for large services like Roblox and Instagram to get together with device makers to come up with a sensible solution.
When you create a new profile on Netflix you mark it as "kids" and voila. Devices should have kid profiles with lots of sane defaults. The parent profiles have a thorough monitoring and governance features that are dead simple to use.
As always it's not perfect but it will go a long way. Just getting a majority of parents on sane defaults will help unknot the broader coordination problems.
I see lots of claims about governments using age gating to "track" people, but no evidence. Your last point about uploading ID documents to random online services (which i agree is a privacy risk) would be solved with a government digital ID.
That is never going to happen it seems, as -- in the UK at least -- people go crazy whenever it is mentioned. Despite "the government" having the ability to track whatever they wanted already, should they care to.
Age gating discussions always devolve into some fantasy land were people are arguing for children to have access to porn and other inappropriate material, and happily construct some straw man where age gates lead to censorship for everyone.
If your government wanted to censor the internet they can do it without age gates. As a parent I am happy to have society agree on some basic rules around what children can do online, as there are rules on what children can do in the real world.
Yes, I know all the come back arguments about how it is my responsibility as a parent. Don't worry, I will be responsible for what my children do online when they are older. But in the end a society raises children, and society should agree a limit on what children can be exposed to online.
Having to manage my kids online accounts have been a nightmare. So many different rules, with arbitrary age limits on things that go completely against my own rules for what my kids can do at different ages, with weird methods for linking or verifying or sharing/transferring purchases. I have gotten so frustrated trying to get accounts set up so we can play together.
> She said that her and all her friends know not to ever upload a picture of themselves to the Internet (good job, fellow Other Parents!!)
it's a video game, it's an aesthetic experience, if uploading a photo of yourself doesn't feel good, it's valid to say, it's a bad game or whatever.
but by some more objective criteria, this photo upload thing that you are saying doesn't really matter. they are uploading photos of themselves to the Internet all the time (what do you think Apple Photos is). of course, with kids, i can understand the challenges of making nuanced guidelines, but by that measure, it's simpler to just say, playing roblox is kind of a waste of time, or suggesting better games to play, rather than making it about some feel-good nonsense i'm-a-savvy-Internet-user rule. it's what this whole article is about, providing real answers, but who under 18 years old is going to read the whole thing?
> they are uploading photos of themselves to the Internet all the time
I worried about this at first, too. But I also check, like a good parent. And to my surprise my kid already learned on her own how to mask/blur faces and even details about the inside of her room when sharing photos. And her friends do, too. They are surprisingly savvy about Internet privacy and risks for their age--certainly more cognizant of the dangers than my generation was growing up with the Wild West Internet.
Governments and corporations are never interested in protecting children - they don't vote, and they don't have money. So making it "easier for predators to find victims" is not a failure of the policy.
Age verification on mainstream porn sites does absolutely zilch against teenagers accessing porn. There are countless other ways of obtaining porn. Even DDG with the safety off will provide plenty of it.
sorry but we're on the internet. You can type the literal words 'hardcore pornography' into any search engine of your choice and find about fifteen million bootleg porn sites hosted on some micro-nation that don't care about your age verification.
In fact ironically, this will almost certainly drive people to websites that host anything.
I was getting a haircut last week and chatting about our kids with the stylist, who said (basically): "I just started letting my 7 year old on Roblox. I know its full of pedophiles. I told him to come to me or his older brother if anyone tries to talk to him."
If the million reports of Mark Zuckerberg enabling pedophiles and scam artists haven't made it clear, the executives of these tech companies just don't care. They will sell children into sexual slavery if it improves next quarter's numbers.
The drip-feed of mindless brain-rot, micro-payments, and cyber-bullying should be much higher up the list of reasons for not letting a 7 year old use Roblox (and YouTube and FaceBook and…)
>If Google can guess your age, you may never even see an age verification screen. Your Google account is typically connected to your YouTube account, so if (like mine) your YouTube account is old enough to vote, you may not need to verify your Google account at all.
This has been proven false a bunch of times, at least if the 1000s of people complaining online about it are to be believed. My google account is definitely old enough to vote, but I get the verification popup all the time on YouTube.
I think the truth is, they just want your face. The financial incentive is to get as much data as possible so they can hand it to 3rd parties. I don't believe for a second that these social networks aren't selling both the data and the meta data.
I think the reality is a lot less nefarious. They don't want your face. But they also don't care enough to not take your face. Why would Google spend lobbying and legal money trying to fight this requirement when it doesn't hurt their bottom line? On the other hand, requirements like storing ID cards does hurt their bottom line because it means:
1. they need additional security measures to avoid leaking government documents (leaking face photos doesn't hurt them as much)
2. not every person has a valid government document
3. additional customer support staff to verify the age on documents rather than just using some fuzzy machine learning model with "good enough" accuracy.
The bottom line is that companies are lazy and will do the easiest thing to comply with regulations that don't hurt them.
My Google account is more than 18 years old and I hit an age prompt when I was trying to watch some FPGA video (out of all things). So no, account age is not necessarily a factor.
I wrote an April Fool's parody in 2021 that Google is going to get rid of authentication because they're following you around enough to know who you are anyway (modeling it after their No Captcha announcement[1]):
I just realized the parody also predicted that part (emphasis added):
>>In cases where our tracking cookies and other behavioral metrics can't confidently predict who someone is, we will prompt the user for additional information, increasing the number of security checkpoints to confirm who the user really is. For example, you might need to turn on your webcam or upload your operating system's recent logs to give a fuller picture.
I believe YouTube got hit with some EU compliance law at some point. My Google account was old enough to vote but I still had to verify it to watch certain YouTube videos. They put a one cent reservation on my credit card IIRC, no need to actually upload ID.
It happened right after ElsaGate, so they probably went overboard to cover for the weird shit happening on their platform. YouTube is full of pedo farms and weird porn if you know where to look for it, so they need something to point at so they can shout "look, we tried!"
I just got glasses yesterday and the optician needed to take a pic of my face to "make sure my glasses fit". The first thing I thought of was they are probably selling the data.
I agree they want the face data, but I think it's less clear they want to "hand it" (presumably that's really "sell it"?) to third parties. My sense is Google and Apple and Meta are amassing data for their own uses, but I haven't gotten the impression they're very interested in sharing it?
Sharing it is bad for business; selling insights derived from it for ad placement is the game. Faces definitely contain some useful information for that purpose.
also, even you think about using it "their own uses" - much of that is scrutinizing you to make you better susceptible to ads and other solicitations by their paying clients. I mean, people are not the clients of Google and Meta - they're the raw material.
you are correct. having that data is one of their competitive advantages, it makes no sense to sell it. they will collect as much as possible and monetize it through better ads, but they don't sell it
This comes across as incredibly paranoid. Most places use 3rd party age verification anyway. They're following the law/playing safe with the law in certain countries, and it's just easier to apply it everywhere.
I haven't gotten it yet on my account from 2006. Maybe it matters whether it's a brand account? Maybe it matters whether the accounts actually are connected?
Agreed. They treat people as data points and cash cows. This is also one reason why I think Google needs to be disbanded completely. And the laws need to be returned back to The People; right now Trump is just the ultimate Mr. Corporation guy ever. Lo and behold, ICE reminds us of a certain merc-like group in a world war (and remember what Mussolini said about fascism: "Fascism should more appropriately be called Corporatism because it is a merger of state and corporate power." - of course in italian, but I don't know the italian sentence, only the english translation)
I’ve noticed that many people struggle to simply let things go. Take a hypothetical case where HN requires ID verification. I'd just stop using HN, even if that meant giving up checking tech news. Sometimes things end, and that's fine.
I used to watch good soccer matches on public TV. When services like DAZN appeared, only one major match was available each weekend on public TV. Later, none were free to watch unless you subscribed to a private channel. I didn't want to do that, so I stopped watching soccer. Now I only follow big tournaments like the World cup, which still air on public TV (once every 4 years).
> I’ve noticed that many people struggle to simply let things go
Because it's not always about their entertainment. I know churches that post info about events only on WhatsApp groups, if you don't use it - you're screwed. I know kindergardens which use Facebook Messenger groups to send announcements to their parents' children - if you don't use it, you will miss important info.
For most people, letting go such things is very impractical. One can try to persuade for a better way to do something - but then you become the problem.
People need to be more comfortable being the problem more often. Even if people actually use these solutions, they're almost always suboptimal anyway. We shouldn't be relying on them the way we do.
I have a similar problem, I do swing dancing and all the information for dances in my area are exclusively posted on Facebook by a wide variety of people who are putting on the dances. I can try and go to each individual organizing a dance and try and get them off Facebook, but that's making their job harder when we've already had lots of people stop organizing events post-COVID, and the system they have now seems to really work for getting new people into dancing that haven't done it before with lots of new faces each dance. So I just go along with it.
A lot of small towns are like this too - no website, posting only to Facebook. I suppose they figure it's better than nothing, which maybe is true on some level.
Funny, I'm the opposite. Since information wants to be free, and storage/compute get more affordable every year, then really everything ever posted on the web should be mirrored somewhere, like Neocities.
I grew up in the 80s when office software and desktop publishing were popular. Arguably MS Access, FileMaker and HyperCard were more advanced in some ways than anything today. There was a feeling of self-reliance before the internet that seems to have been lost. To me, there appears to be very little actual logic in most websites, apps and even games. They're all about surveillance capitalism now.
Now that AI is here, I hope that hobbyists begin openly copying websites and apps. All of them. Use them as templates and to automate building integration tests. Whatever ranking algorithm that HN uses, or at least the part(s) they haven't disclosed, should be straightforward to reverse engineer from the data.
That plants a little seed in the back of every oligopoly's psyche that ensh@ttification is no longer an option.
If "information wants to be free," doesn't that cut both ways? It applies equally to the personal data that I don't want to upload to an age gate as it does to the information that people want to keep behind an age gate.
I get the impression that you purposely misunderstood. Parent suggested to evaluate if you can let go of the anti-privacy service. E.g. stop using YouTube not the way you worded it.
My main concern is that there isn't a reliable way to know your information is securely stored[0].
> A few years ago, I received a letter in the mail addressed to my then-toddler. It was from a company I had never heard of. Apparently, there had been a breach and some customer information had been stolen. They offered a year of credit monitoring and other services. I had to read through every single word in that barrage of text to find out that this was a subcontractor with the hospital where my kids were born. So my kid's information was stolen before he could talk. Interestingly, they didn't send any letter about his twin brother. I'm pretty sure his name was right there next to his brother's in the database.
> Here was a company that I had no interaction with, that I had never done business with, that somehow managed to lose our private information to criminals. That's the problem with online identity. If I upload my ID online for verification, it has to go through the wires. Once it reaches someone else's server, I can never get it back, and I have no control over what they do with it.
All those parties are copying and transferring your information, and it's only a matter of time before it leaks.
Exactly. Everything "private" that you post online will become public eventually.
Everyone says "we only store the data temporarily and it's deleted right after" including everyone who didn't do that and got hacked.
But I think we're far too late into this issue by now.
It's 2026 and we still don't have a way to know if our passwords are being stored in a secure way in their databases. What hope do we have to know about how our photos are being handled?
Honestly that main concern should be two main concerns.
You/your kid/your wife goes to hàckernews.com and is prompted for age verification again, evidently the other information has expired based on the message. So they submit their details. Oops, that was typosquatting and now who the hell knows has your information. Good luck.
VPNs are increasingly useless, with Cloudflare in front of 80% of the public net. I always wonder if people giving this advice try it themselves, most major sites are unusable with a common VPN provider.
I mean, the best option is to fight this legislation, and AIUI they're doing that too. But this article is not about that, it's about how to minimize the harm if you encounter it.
The days are numbered on this technique working. After enough countries enact their own age verification laws tech companies will just make that the global default policy, and I'm sure the opportunity to harvest user data will not be left to waste. Many sites already block and throttle VPNs.
When that day comes I'll stop casually using the internet or search for the underground alternative.
> For example, in 2025, Wisconsin lawmakers escalated their war on privacy by targeting VPNs in the name of “protecting children” in A.B. 105/S.B. 130. It’s an age verification bill that requires all websites distributing material that could conceivably be deemed “sexual content” to both implement an age verification system and also to block the access of users connected via VPN. Another proposed Michigan bill requires “An internet service provider providing internet service in this state [to] actively monitor and block known circumvention tools.” Circumvention tools being: VPNs.
Everyone seems to forget that using VPNs to violate your local laws gives lots of good ammo to the authoritarians that want to ban VPNs. The answer isn't to use a VPN to get around it (and thus give fodder to your enemies) but to change the law.
Not especially feasible if you want to support businesses. More likely is trying to demand that VPNs also enforce age verification, which business-targeted VPNs might do, and then ban the ones that don't.
I have never clicked "accept" on a cookie banner, as a matter of principle; I zap them away with uBlock Origin. Should the plague of age verification reach my jurisdiction, I'm sure I will handle it in like fashion.
I expect I'll need to employ some other technical means of circumvention, but the principle of refusing to engage with the thing on its own terms will remain the same.
The difference is that the cookie banner is not a gate. uBlock Origin is unlikely to be able to satisfy a website about your age without submitting the info that the site expects. (Assuming the age check has any teeth at all.) You're unlikely to be able to continue as usual if these kinds of measures become ubiquitous.
This makes me wonder if there's a business case for a privacy-preserving identity service which does age verification. Say you have a strong identity provider that you have proven your age to. Just as the 3rd party site could use SSO login from your identity provider, perhaps the identity provider could provide signed evidence to the 3rd party site that asserts "I have verified that this person is age X" but not divulge their identity. Sidestep the privacy issue and just give the 3rd party site what they need to shield them from liability.
That's quite an elaborate system. It goes through a lot of gyrations (not the least of which is inventing a whole new type of crime and passing laws about it) and doesn't sound even as strong as the age verification "required" to buy cigarettes in the US. I'd think "welcome to pornhub. Either log in or do Privacy-enhanced Age Verification by Auth0 (TM)" would be a lot easier to get off the ground.
What's ... boggled me about this issue since forever is that:
1. Most people access online content through either a personal or business broadband service (residential, mobile, or place-of-work).
2. Those services ... bill directly. Which means that it should be possible to specify an age preference for the service account as a whole, and/or subsets of it. The service can specify whether or not age-bounded online services are acceptable or not, as well as specific classes of age-bounded services. E.g., a workplace service would generally allow for >18 access, but might restrict usage of gaming, gambling, pr0n, or related sites. A household might request no age gating at all (all >18 or whatever minimum age is mandated) or several classes of service, say, if adults and children are present.
3. Where it's necessary to specify multiple preferences, multiple network segments could provide this logically (e.g., an IPv6 block with unrestricted and age-gated ranges), with distinct devices being allocated appropriate gateway addresses.
4. Effectively, the connectivity provider then attests for age, without requiring any finer-grained identity disclosure.
To be blunt, because it sounds insane and simultaneously solving the problem at the wrong abstraction level, and based on criteria that have nothing to do with age. Age-based IP ranges? This sounds like a recipe for reinventing the entire internet in a non-backwards-compatible way. Networks are not people. Why would we treat the network as your identity?
I’ve been noodling on this idea for a while but I think getting commercial acceptance would be hard. People have tried it with crypto albeit with lukewarm results. I think to have the network effects required to be successful in such an endeavor, it would have to come from a vendor like apple or google unfortunately.
You kind of want an mTLS for the masses with a chain of trust that makes sense.
mTLS is no good because the target service could then uniquely identify you. I think you explicitly want a three-party scheme where the target service just accepts the idp's assertion about your age in a cryptographically secure way.
The article does go into this and gives lip service to the idea that a secure third party could expose age without exposing identity. Ultimately, there's still the problem that even if point of verification can be done in a zero trust way, you are still entrusting very sensitive information to a third party which is subject to data breach.
If you do it right the only sensitive information exposed to the age gated site is that your age is above their threshold.
The party that actually has to at some point verify who you really are of course has your sensitive information, and there is no obvious way to work around that. However, there is a way to make it so that it doesn't matter.
That is by making them be a party that already has that information. Probably the simplest would be to make it be the same government agency that issues your physical identity documents like passports or drivers licenses. If we don't want it to be a government agency or we want to have competition banks would be a possibility.
The question is: why would services like Google and others want to use such privacy-preserving identity solutions? They wouldn't gain anything from a non-invasive, user-friendly system, so I don't think they'd use it. They want more data, so they are going for it.
> The question is: why would services like Google and others want to use such privacy-preserving identity solutions? They wouldn't gain anything from a non-invasive, user-friendly system, so I don't think they'd use it. They want more data, so they are going for it.
Considering that Google is releasing open source software they developed to facilitate such systems [1], apparently they are OK with the idea.
It could simply be that they realize that online age verification becoming required for some online activities is inevitable for the same reasons age checks are required for some non-online activities, and when that comes to pass they want to be able to do in a way that doesn't expose them to too much risk.
Yes, Google loves data but that doesn't mean they don't care about risk. The data they would from some of the age verification methods probably wouldn't improve their ability to advertise much but would cause a lot of problems if leaked.
Another possibility might be that have no choice. My understanding is that in the EU member states that enact online age verification laws will have to require that verification can be done using the privacy-preserving system that the EU Digital Identity Wallet will support. Sites will be able to use other methods too (as long as the don't violate GDPR) so they could support something that gives them more information for advertising, but they will still have to support the privacy-preserving option.
You've almost got it right. You just need to modify this part:
> Just as the 3rd party site could use SSO login from your identity provider, perhaps the identity provider could provide signed evidence to the 3rd party site that asserts "I have verified that this person is age X" but not divulge their identity
The way you compared it so SSO login makes it sounds like there would be interaction between the 3rd party site and the identity provider. That's bad because if someone got a hold of the records from both the site and the identity provider they might be able to match access time logs and figure out who you are.
A fix is to make it so you get your signed document from the identity provider ahead of time, and that document is not tied to doing age verification with any particular site(s). You get it once and then use it with as many sites as you want.
When you use it with a site to demonstrate age we need to do that in such a way that neither of you have to communicate with the identity provider. If the site needs to verify a signature of the identity provider on something you present they use the provider's previously published public key.
We need to make it so that when you use the signed document from the identity provider to show your age to a site they don't see enough from the document to identify you, even if they have been compromised and are collaborating with the identity provider to try to identify you.
Finally, the signed document should be bound to you in some way so that you can't just make copies and give them to others or sell them on the black market to people who want to evade age checks.
BTW, since under this approach the identity provide isn't actively involved after their issue your signed document what probably makes the most sense is to have your government be the identity provider. In particular, the same agency that issues your driver's license or passport or nation ID (if your country has those).
Such a system can in fact be built. The EU is including one in their EU Digital Identity Wallet project, which has been in development for several years and is not undergoing large scale field testing in several countries. It is supposed to be deployed to the public this year or next.
The first version handles the binding of the document to you by tying it to your smart phone's hardware security element. They plan to later support other types of hardware security elements. 90+% of adults in the EU have smart phones (95-98% for adults under 54), and it is going up, so the first version will already cover most cases.
Google has published some libraries for implementing a similar system. Both the Google libraries and the EU system are open source.
> That's bad because if someone got a hold of the records from both the site and the identity provider they might be able to match access time logs and figure out who you are
I see your point, but this doesn't sound like an actual risk to me. The idp will have security as one of their critical features and should be considered trustworthy in this regard. And having *both* the target site logs *and* the idp logs compromised is even more far-fetched. We aren't sitting around worrying about people correlating ISP logs to pornhub logs, and I don't trust my ISP any farther than I can throw them.
The beauty of using an SSO-style scheme is that one could actually see it easily slotting in as a subset of existing protocols. The site could get a SAML doc and the only claims it has in it are "user is over 18", for example. Use the infrastructure for exactly what it's designed for: identifying some selection of attributes that describe a person. It's very elegant and leverages existing well-understood (and well-integrated) tech plumbing.
This also takes all the sensitive data handling out of the hands of social media mongers and pornographers. Let them do what they're good at and let the competent security folks handle the sensitive bits.
First, I believe that age verification is coming, whether we want it or not. It is completely accepted to ask for an ID before entering a night club or buying alcohol, there is no way "people" will be convinced that it is unreasonable to do that for social media and porn. It is coming, period.
So the question is really: what is the best way to implement it?
* I find the "buying a gift card at a store" idea interesting: the seller checks your ID and gives you a gift card.
* I find the digital idea with privacy preservation interesting, too: the government already knows about me. If they can give me a token that only reveals my age, and I can use that token without revealing to the government where I used the token, then it works.
I think the EFF's stance on this is: "but some people will have issues using that technology". I would like to know how many people that is, and why we couldn't imagine a way to help them?
Isn't age guesstimation by appearance, even with advanced machine learning techniques, even if attempted by real person with honest effort, just total snake oil? This ongoing age verification push with weird emphasis on generating name-face pairs is beyond fishy.
If we truly need age gates on the internet, then I think the best method is to have non-internet based age verification. I envisage going to a local shop and buying something like a gift-card that the shops only sell to adults (c.f. tobacco sales in the UK). That way, the gift-card code would be the only information required to upload to websites to prove that you're an adult and existing legislation could cover the shops requirements to not sell them to minors.
I don't see why they'd need to expire after a time, but I think the purchaser should be able to revoke the code if they lose it if they particularly care. A least with it being a simple age verification system, there shouldn't be any worry about someone stealing your code as it shouldn't be linked to any accounts.
I'm 32 and submitted a photo of myself for age verification on Instagram and Threads. Was promptly banned, with no resource.
I do look a little younger than 32, due to a healthy lifestyle and religious use of sunscreen but I have a beard and moustache. It's a little insane that I was instantly banned with no way to move forward.
OpenAI uses AI to scan your ChatGPT conversations to determine your age. And even though I've been using ChatGPT for mostly work-related stuff, it has identified me, a man in my 40s, as under 18 and demanded government ID to prove my age. No thank you.
If my options are upload a picture of myself for Google to monetize through ads or not use Google / Youtube then I will be moving on regardless of the inconvenience to myself.
There were some amusing headlines a while back about Discord's verification being fooled with game screenshots. Does anyone know if that's still the case?
Is there a throwaway identity that people are using? A dead person unchecked in Mississippi somewhere? Like every teen in America using the same identity like everyone's extended family does with their uncle's Netflix account?
I don't want to google it because I don't want to be put on a list but I also feel somewhat confident that this is being done. Apparently, HN feels safe to ask questions like that for me.
Actually, a follow up. PII leaks are so common, I guess there must be millions of identities out there up for grabs. This makes me wonder: we’ve got various jurisdictions where sites are legally required to verify the age of users. And everybody (including the people running these sites) knows that tons of identities are out there on the internet waiting to be used.
How does a site do due diligence in this context? I guess just asking for a scan of somebody’s easily fabricated ID shouldn’t be sufficient legal cover…
> I don't want to google it because I don't want to be put on a list
Of all the controversial things out there we've become afraid to even google in order to learn more about the world around us, this one strikes me as not all that controversial.
But you're not wrong, just making a comment about how sad the world has become.
It would probably flag that multiple people are using the same photo or same persons name/ id, but I expect you could get away with doing using someone known to you. iirc the reason people are using game screenshots is because it's not going to match any image that the recogniser has seen before.
Use tor for the things you don't want to google and have associated with you.
Netflix has been checking accounts against public IP addresses and local networks for ages, at least in The Netherlands. if I use my Dad's account, I get flagged as being "not on the same home network" immediately.
I think that using a VPN and Netflix detecting that would only make matters worse, like termination of service.
I gave up on netflix years ago for unrelated reasons but never had any sort of issue both VPNing between various countries and traveling between them. My wife would pretty regularly want to watch netflix as if she was in Japan or the UK and so we'd turn a VPN on for the TV network and their own TV app never complained at all that it was suddenly on a different continent.
Last time I tried I could find a photo ID just with a basic image search. It is an unavoidable consequence of teaching people that scanning an ID is not utterly insane.
Ironically there was no way to report the image anonymously to the service hosting it.
...If you are worried about getting on a list by downloading the Tor browser, then take a trip to the next-town-over public library and download it from there. I guess your ISP could still guess that you were using Tor, and you might end up on a list of people using Tor. Also: If everyone is on the list, then no one is on the list.
Either the platform is trying to age-gate anonymously, in which case it is likely you (or your child) can just circumvent that with fake details; or it's some corporation with ongoing access to large government databases, and probably the government can tap the data it collects in some ways, and you (or your child) should probably be worried about being there in the first place.
If this is about porn or other content deemed age-sensitive, the moment it becomes difficult to source through "official," mainstream platforms, the content will move underground (P2P networks), making it even more difficult to analyze and regulate. So this is a very shortsighted move.
To be fair, this is sort of pitting two policy objectives against each other, preventing children from accessing pornography meant for adults on one hand and preventing the distribution of pornography illegal in all cases (e.g. revenge porn, CSAM) on the other. Reasonable people can disagree on which is more important and which should take priority (though I would agree that the latter should take priority)
It's hard to read this article when nearly 50% of my screen is a subscription to their newsletter. Plus, at my screen size, I can't even view all the related issues/tags underneath it without scrolling to the bottom of the article.
Basically every government on the planet has laws that apply specifically to children. The term "age discrimination" typically refers to disadvantaging someone for being of old age.
It is very easy to lie about age through age gates. I have yet to find one that is actually able to get strong proof of age, fake IDs are easy to upload.
The ones I have used do not accept photos, they require real-time video with the front-facing camera and they prompt you to move your head to face different directions on command. Not impossible to attack, I'm certain, but it's tougher than simply uploading a photo.
on desktops you can have virtual camera, if you can generate video fast enough wen AI you can ask to edit it according to instructions. Definitely tougher but I'm sure someone will offer services or software like that.
> Even though there’s no way to implement mandated age gates in a way that fully protects speech and privacy rights
I think the EFF would have more success spreading their message if they didn't outright lie in their blog posts. While cryptographic digital ID schemes have their problems (which they address below), they do fully protect privacy rights. So do extremely simple systems like selling age-verification scratchcards in grocery stores, with the same age restrictions as cigarettes or alcohol.
> So do extremely simple systems like selling age-verification scratchcards in grocery stores
Which stores sell age-verification scratchcards? How do you make sure they can't be traced back to the person who paid for them or where they were purchased from? How would a website know the person using the card is the same person who paid for them? It may be a simple system, but it still sounds ineffective, dangerous, and unnecessary.
> Which stores sell age-verification scratchcards?
Stores that sell other age-restricted products.
> How do you make sure they can't be traced back to the person who paid for them
How would they be traced? Pay cash. I've never had my ID scanned or recorded when I buy alcohol. And now I look old enough that I don't even have to show ID.
If someone can trace the store they're bought from and you're that paranoid, rotate between stores. Buy them from a third-party. Drive to another state and buy them there. So many options.
> How would a website know the person using the card is the same person who paid for them?
They don't. How does Philip Morris know the person who bought the cigarettes is the same person lighting up? It's clearly not that important when selling actual poisons so why would it matter for accessing a website? The system works well enough to keep most kids from smoking.
Rate-limit sales in a store (one per visit) and outlaw selling or transferring them to a minor (same penalties as giving alcohol or tobacco to a child). Require websites to implement one code per account policies with a code TTL of 6 months or a year, and identify and disallow account sharing. It's Good Enough verification with nearly perfect anonymity.
I'm honestly a bit mixed on this... I don't think that (especially young) children should have access to explicit, graphic sexual content, especially kink. If you as a parent want your kids to have access, so be it... but then the onus should be on the parent.
On similar lines, I think that something between an unrestricted smart phone and the classic dumb phone is a market segment that is needed.
Why can't the EFF tell people to lie? Because if you can get away with it, lying is almost always your best option. Unless there are actual real world consequences to lying like you may anger the police.
I'd imagine it is because several of the obvious options for "lying" here may violate criminal law. And also because the EFF is an civil liberties advocacy group, they want to change the law, not circumvent it.
Estonia basically got this completely right in 2002 with their e-ID. I'm kinda shocked nobody else has figured it out yet. Age verification could be simple, secure, robust, and require only the disclosure of your age, nothing more.
Instead, the rest of us have systems that are both far more vulnerable to privacy beaches, and far easier to circumvent anyway.
> At some point, you may have been faced with the decision yourself: should I continue to use this service if I have to verify my age?
An excellent question, which I didn't see the article really get into.
> If you’re given the option of selecting a verification method and are deciding which to use, we recommend considering the following questions for each process allowed by each vendor:
Their criteria implies a lot of understanding on the part of the user -- regarding how modern Web systems work, widespread industry practices and motivations, how 'privacy policies' are often exceeded and assurances are often not satisfied, how much "audits" should be trusted, etc.
I'd like to see advice that starts by communicating that the information will almost certainly be leaked and abused, in n different ways, and goes from there.
> But unless your threat model includes being specifically targeted by a state actor or Private ID, that’s unlikely to be something you need to worry about.
For the US, this was better advice pre-2025, before the guy who did salutes from the capitol was also an AI bro who then went around hoovering up data from all over government. Followed by a new veritable army and camps being created for domestic action. Paired with a posture from the top that's calling harmless ordinary citizens "terrorists", and taking quite a lot of liberties with power.
We'll see how that plays out, but giving the old threat model advice, without qualification, might be doing a disservice.
I don't know why I find myself to be the lone voice with this opinion, but the pushback here should for the governments themselves to implement age-verification, just like how it's their job to implement issuance of IDs.
They can implement a transparently auditable system, where you scan your id-card (nfc or camera) in the government's portal, and using oauth federation, it will confirm your age, and nothing more than that to sites requesting it.
Site that wish to prevent the fact that you visited them a secret from the government can use various temporary domains, ips, Tor,etc... so long as the government's verification service can reach it.
The government already has your ID information, and they already know at least your home IP (yes, this is actively shared with them in the US). The only privacy concern is them knowing what sites you're visiting.
I get resisting and fighting this, but it's been years now and people are having to endure this mess. It isn't going away either. I was complaining about KYC laws earlier, they started out the same, it was about "terrorists" then.
You can fight two fights in parallel. One to prevent the whole thing, another to require the government to implement a service themselves, do it transparently and preserve privacy while doing so.
Yet another proposal I have is for sites that offer oauth federated login (google,microsoft,github,etc..) to vouch for your id verification, either by them doing it directly or via the government portal i proposed earlier. You'll then just login to sites with the right google account or whatever and that's all the site will ask from you.
I would also be fine with buying a 'card' of some sort at stores that do id verification already, like where you'd buy a cigarette or alcohol. You also buy some scratchable card with a verification code on it. They can't argue it's not good enough, because it's good enough for cigs and alcohol. they can't say "what if a minor gets a hold of the card later" because what if a minor gets a hold of cigs or alcohol later as well?
In an ideal world, parents would be good parents, know what their kids are up to, install parental controls on their digital devices (software solutions out there range from free/bundled to not expensive), have conversations with kids about what's on the internet and what to avoid.
Government overreach is not the answer, it's a plaster (and an excuse for more surveillance which is arguably the primary factor) over bad parenting. In the UK at least, all major ISPs and mobile providers have a basic parental/adult-content control package that is set-up by default (opt-out by the bill payer). Albeit trivial to get around with a VPN/proxy or changing DNS servers etc.
Kids will be kids as well. They'll get around restrictions, they're clever, they talk with their mates in the playground about this sort of thing. Especially teens.
Think back to when you were a child. Did age verification ever stop you from doing anything? The automated, technologically-implemented age-verification is even less interested in properly verifying anything than the ID-checking bouncers at a bar. None of these things protect kids, they just annoy them and teach them that authority is stupid and lying is a convenient way to deal with stupid people.
Then they scrape together their pocket money and walk into a pawn shop and hand over the cash for a second hand smartphone. Plenty of free WiFi around.
My kid has recently just quit playing Roblox because of the sketchy facial age check process. She said that her and all her friends know not to ever upload a picture of themselves to the Internet (good job, fellow Other Parents!!) so they're either moving on to other games or just downloading stock photos of people from the internet and uploading those (which apparently works).
What a total joke. These companies need to stop normalizing the sharing of personal private photos. It's literally the opposite direction from good Internet hygiene, especially for kids!
One aspect of this normalization of photo uploading is that, if a platform allows user-generated content that can splash a modal to kids, a bad actor can do things like say “you need to re-verify or you’ll lose all your in-game currency, go here” and then collect photo identification without even needing to compromise identity verification providers!
I truly fear the harm that will be done before legislators realize what they’ve created. One only hopes that this prevents the EU and US from doing something similar.
The fundamental question that needs answering is: should we actually prevent minors below the age of X from accessing social media site Y? Is the harm done significant enough to warrant providing parents with a technical solution for giving them control over which sites their X-aged child signs up, and a solution that like actually works? Obviously pinky-swear "over 13?" checkboxes don't work, so this currently does not exist.
You can work through robustness issues like the one you bring up (photo uploading may not be a good method), we can discuss privacy trade-offs like adults without pretending this is the first time we legitimately need to make a privacy-functionality or privacy-societal need trade-off, etc. Heck, you can come up with various methods where not much privacy needs trading off, something pseudonymous and/or cryptographic and/or legislated OS-level device flags checked on signup and login.
But it makes no sense to jump to the minutiae without addressing the fundamental question.
42 replies →
Every once in a while, eBay emails me out of the blue and asks me to update my personal details, with a link to a web page.
I always assumed they were phishing scams, but I looked closer at one, and it is a real link too a real page on their site. It's like they're training people to fall for phishing scams. One of them even displayed the name of a variable, instead of my user name.
1 reply →
I’m sorry to say that a number of US states have instituted age verification laws over the past year
1 reply →
> I truly fear the harm that will be done before legislators realize what they’ve created.
Not defending the legislation as I overwhelmingly disagree with it, but if I recall, I don't think any of the age verification legislation specifies a specific implementation of how to verify age.
Requiring photos, or photo ID, or any other number of methods being employed, were all decided on by the various private companies. All the legislators did is tell everyone "you must verify age." The fault here is on Roblox as much as it is on the legislature and they should equally share blame.
20 replies →
i call this slipstreaming, it can even occur during the signup yeah, once the bouncing around to many domains / uploading photos is psychologically normalized havoc can ensue. this is the greater evil.
I'm optimistic actually. I think "Gen Alpha" is gonna be alright and sufficiently wary of Internet sharing and privacy. Unlike the previous few generations, esp. Milleneals and to a somewhat lesser extent Gen Z and Boomers, who have massively over-shared and are now reaping some of the horrible harvest that comes from that oversharing. Today's teens and tweens seem to finally be getting the message.
I also actually think AI might be a savior here. The ability to fake realistic 18+ year old selfies might help put the nail in the coffin of these idiotic "share a photo with the Internet" verification methods.
1 reply →
My kids also know that as far as the internet is concerned, their date of birth is 1 January 1970.
By an amazing coincidence, that's also my date of birth, as well as my kids'.
I wondered for a while why I got so many ads targeted towards seniors when I made my facebook account as a kid. Then I remembered my birth year was set to 1905. I guess I should let the Guinness World Records know that their listing for oldest man in the world is inaccurate.
> These companies need to stop normalizing the sharing of personal private photos. It's literally the opposite direction from good Internet hygiene, especially for kids!
While I agree with you entirely, it's important to remember that these companies want to mis-educate the masses (and especially children) against their own interest. It's not just unfortunate that they're normalising uploading a photo just to play a videogame: it's an intentional choice to de-normalise privacy and normalise deeper and more in-grained online stalking.
Most of these companies don't even want to add age gates. They get in the way of their normal predatory marketing schemes, the little bits of extra data isn't worth it.
Stupid laws are forcing these companies to implement something. In most countries, there is no privacy-preserving way to verify that you're old enough digitally, so when these companies are forced to get something good enough going, they're going to go with the cheapest offer they can legally get away with.
Governments know this. They want certain websites to disappear entirely, and for certain platforms to just stop existing. Both sides are using weaponised incompetence to blame the other and users end up losing regardless of whose fault it is.
But I also don't want the alternative, that I have to ID myself. Anonymous and pseudonymous access is the best solution.
The EU tries to introduce age verification, simultaneously it currently talks about sharing police data with the US for the Visa waiver program.
If this verification data is collected and normalised, we will constantly have to fight how much data that is required for auth and it can just be legislated.
The funniest case I've seen was somebody fooling one of these tools using Gmod by playing with the face sliders of those stock Half-Life characters.
There seems to be a big movement (UK specifically) from governments using age gateing as an excuse to increase surveillance and online tracking. I don't know where Roblox is based or it's policies, but it's likely they are just implementing what the government has forced them to do.
We need to push back against governments that try and restrict the freedom of the internet and educate them on better regulations. Why can sites not dictate the content they provide, then let device providers provide optional parental controls.
Governments forcing companies to upload your passport/ID, upload pictures/videos of your face, is dangerous and we are going to see a huge increase of fraud and privacy breaches, all while reducing our freedoms and rights online.
IMO it should not be hard for large services like Roblox and Instagram to get together with device makers to come up with a sensible solution.
When you create a new profile on Netflix you mark it as "kids" and voila. Devices should have kid profiles with lots of sane defaults. The parent profiles have a thorough monitoring and governance features that are dead simple to use.
As always it's not perfect but it will go a long way. Just getting a majority of parents on sane defaults will help unknot the broader coordination problems.
I see lots of claims about governments using age gating to "track" people, but no evidence. Your last point about uploading ID documents to random online services (which i agree is a privacy risk) would be solved with a government digital ID.
That is never going to happen it seems, as -- in the UK at least -- people go crazy whenever it is mentioned. Despite "the government" having the ability to track whatever they wanted already, should they care to.
Age gating discussions always devolve into some fantasy land were people are arguing for children to have access to porn and other inappropriate material, and happily construct some straw man where age gates lead to censorship for everyone.
If your government wanted to censor the internet they can do it without age gates. As a parent I am happy to have society agree on some basic rules around what children can do online, as there are rules on what children can do in the real world.
Yes, I know all the come back arguments about how it is my responsibility as a parent. Don't worry, I will be responsible for what my children do online when they are older. But in the end a society raises children, and society should agree a limit on what children can be exposed to online.
Having to manage my kids online accounts have been a nightmare. So many different rules, with arbitrary age limits on things that go completely against my own rules for what my kids can do at different ages, with weird methods for linking or verifying or sharing/transferring purchases. I have gotten so frustrated trying to get accounts set up so we can play together.
My favourite is Youtube.
I can get Youtube Family so my kids don't get ads.
But if your kids are under 13, they can't be added to a family account on YT - so they MUST watch the ads.
Can someone explain the logic here?
> She said that her and all her friends know not to ever upload a picture of themselves to the Internet (good job, fellow Other Parents!!)
it's a video game, it's an aesthetic experience, if uploading a photo of yourself doesn't feel good, it's valid to say, it's a bad game or whatever.
but by some more objective criteria, this photo upload thing that you are saying doesn't really matter. they are uploading photos of themselves to the Internet all the time (what do you think Apple Photos is). of course, with kids, i can understand the challenges of making nuanced guidelines, but by that measure, it's simpler to just say, playing roblox is kind of a waste of time, or suggesting better games to play, rather than making it about some feel-good nonsense i'm-a-savvy-Internet-user rule. it's what this whole article is about, providing real answers, but who under 18 years old is going to read the whole thing?
> they are uploading photos of themselves to the Internet all the time
I worried about this at first, too. But I also check, like a good parent. And to my surprise my kid already learned on her own how to mask/blur faces and even details about the inside of her room when sharing photos. And her friends do, too. They are surprisingly savvy about Internet privacy and risks for their age--certainly more cognizant of the dangers than my generation was growing up with the Wild West Internet.
I think the way Roblox is doing right now separating the users in age groups just makes it easier for predators to find victim.
Governments and corporations are never interested in protecting children - they don't vote, and they don't have money. So making it "easier for predators to find victims" is not a failure of the policy.
1 reply →
[flagged]
Age verification on mainstream porn sites does absolutely zilch against teenagers accessing porn. There are countless other ways of obtaining porn. Even DDG with the safety off will provide plenty of it.
>it might prevent that
On the global internet... good luck with that.
Oh, they'll ban us from looking at other countries net's soon enough for our safety.
>and this seems like it might prevent that
sorry but we're on the internet. You can type the literal words 'hardcore pornography' into any search engine of your choice and find about fifteen million bootleg porn sites hosted on some micro-nation that don't care about your age verification.
In fact ironically, this will almost certainly drive people to websites that host anything.
What evidence led you to believe this, when controlling for heritability?
18 replies →
I was getting a haircut last week and chatting about our kids with the stylist, who said (basically): "I just started letting my 7 year old on Roblox. I know its full of pedophiles. I told him to come to me or his older brother if anyone tries to talk to him."
If the million reports of Mark Zuckerberg enabling pedophiles and scam artists haven't made it clear, the executives of these tech companies just don't care. They will sell children into sexual slavery if it improves next quarter's numbers.
The drip-feed of mindless brain-rot, micro-payments, and cyber-bullying should be much higher up the list of reasons for not letting a 7 year old use Roblox (and YouTube and FaceBook and…)
>If Google can guess your age, you may never even see an age verification screen. Your Google account is typically connected to your YouTube account, so if (like mine) your YouTube account is old enough to vote, you may not need to verify your Google account at all.
This has been proven false a bunch of times, at least if the 1000s of people complaining online about it are to be believed. My google account is definitely old enough to vote, but I get the verification popup all the time on YouTube.
I think the truth is, they just want your face. The financial incentive is to get as much data as possible so they can hand it to 3rd parties. I don't believe for a second that these social networks aren't selling both the data and the meta data.
I think the reality is a lot less nefarious. They don't want your face. But they also don't care enough to not take your face. Why would Google spend lobbying and legal money trying to fight this requirement when it doesn't hurt their bottom line? On the other hand, requirements like storing ID cards does hurt their bottom line because it means:
1. they need additional security measures to avoid leaking government documents (leaking face photos doesn't hurt them as much) 2. not every person has a valid government document 3. additional customer support staff to verify the age on documents rather than just using some fuzzy machine learning model with "good enough" accuracy.
The bottom line is that companies are lazy and will do the easiest thing to comply with regulations that don't hurt them.
My Google account is more than 18 years old and I hit an age prompt when I was trying to watch some FPGA video (out of all things). So no, account age is not necessarily a factor.
Field programmable gatorade is an adult-only beverage.
They probably need to account for parents allowing kids to use their account, so account age can be a factor but not an automatic pass.
2 replies →
That makes sense. Golf has a minimum age of 35.
1 reply →
Can't allow any underage synthesis.
Yeah, they could/*should* infer your age just by the fact you're watching an FPGA video
1 reply →
I wrote an April Fool's parody in 2021 that Google is going to get rid of authentication because they're following you around enough to know who you are anyway (modeling it after their No Captcha announcement[1]):
http://blog.tyrannyofthemouse.com/2021/04/leaked-google-init...
Edit:
>I think the truth is, they just want your face.
I just realized the parody also predicted that part (emphasis added):
>>In cases where our tracking cookies and other behavioral metrics can't confidently predict who someone is, we will prompt the user for additional information, increasing the number of security checkpoints to confirm who the user really is. For example, you might need to turn on your webcam or upload your operating system's recent logs to give a fuller picture.
[1] https://security.googleblog.com/2014/12/are-you-robot-introd...
I believe YouTube got hit with some EU compliance law at some point. My Google account was old enough to vote but I still had to verify it to watch certain YouTube videos. They put a one cent reservation on my credit card IIRC, no need to actually upload ID.
It happened right after ElsaGate, so they probably went overboard to cover for the weird shit happening on their platform. YouTube is full of pedo farms and weird porn if you know where to look for it, so they need something to point at so they can shout "look, we tried!"
I just got glasses yesterday and the optician needed to take a pic of my face to "make sure my glasses fit". The first thing I thought of was they are probably selling the data.
just say no thank you, i will manage like everyone else has for decades.
else you and your money go elsewhere.
I agree they want the face data, but I think it's less clear they want to "hand it" (presumably that's really "sell it"?) to third parties. My sense is Google and Apple and Meta are amassing data for their own uses, but I haven't gotten the impression they're very interested in sharing it?
Sharing it is bad for business; selling insights derived from it for ad placement is the game. Faces definitely contain some useful information for that purpose.
Then you have not been paying attention for the past decade, I'm afraid...
Ed Snowden revealed that these companies share their data with the US government:
https://www.theguardian.com/world/2013/jun/06/us-tech-giants...
also, even you think about using it "their own uses" - much of that is scrutinizing you to make you better susceptible to ads and other solicitations by their paying clients. I mean, people are not the clients of Google and Meta - they're the raw material.
1 reply →
They’ll do whatever makes money.
Sell it and use it internally.
you are correct. having that data is one of their competitive advantages, it makes no sense to sell it. they will collect as much as possible and monetize it through better ads, but they don't sell it
This comes across as incredibly paranoid. Most places use 3rd party age verification anyway. They're following the law/playing safe with the law in certain countries, and it's just easier to apply it everywhere.
I haven't gotten it yet on my account from 2006. Maybe it matters whether it's a brand account? Maybe it matters whether the accounts actually are connected?
well as long as it's you logging in, they know you are minimum 20 years old!
1 reply →
They definitely already have your face though…
The more examples in various situations they can get, the higher their accuracy.
1 reply →
From where? Not everyone even puts selfies on the Internet.
2 replies →
> I think the truth is, they just want your face.
Agreed. They treat people as data points and cash cows. This is also one reason why I think Google needs to be disbanded completely. And the laws need to be returned back to The People; right now Trump is just the ultimate Mr. Corporation guy ever. Lo and behold, ICE reminds us of a certain merc-like group in a world war (and remember what Mussolini said about fascism: "Fascism should more appropriately be called Corporatism because it is a merger of state and corporate power." - of course in italian, but I don't know the italian sentence, only the english translation)
I’ve noticed that many people struggle to simply let things go. Take a hypothetical case where HN requires ID verification. I'd just stop using HN, even if that meant giving up checking tech news. Sometimes things end, and that's fine.
I used to watch good soccer matches on public TV. When services like DAZN appeared, only one major match was available each weekend on public TV. Later, none were free to watch unless you subscribed to a private channel. I didn't want to do that, so I stopped watching soccer. Now I only follow big tournaments like the World cup, which still air on public TV (once every 4 years).
Sometimes you just have to let things go
> I’ve noticed that many people struggle to simply let things go
Because it's not always about their entertainment. I know churches that post info about events only on WhatsApp groups, if you don't use it - you're screwed. I know kindergardens which use Facebook Messenger groups to send announcements to their parents' children - if you don't use it, you will miss important info.
For most people, letting go such things is very impractical. One can try to persuade for a better way to do something - but then you become the problem.
People need to be more comfortable being the problem more often. Even if people actually use these solutions, they're almost always suboptimal anyway. We shouldn't be relying on them the way we do.
3 replies →
I have a similar problem, I do swing dancing and all the information for dances in my area are exclusively posted on Facebook by a wide variety of people who are putting on the dances. I can try and go to each individual organizing a dance and try and get them off Facebook, but that's making their job harder when we've already had lots of people stop organizing events post-COVID, and the system they have now seems to really work for getting new people into dancing that haven't done it before with lots of new faces each dance. So I just go along with it.
A lot of small towns are like this too - no website, posting only to Facebook. I suppose they figure it's better than nothing, which maybe is true on some level.
It's probably a good idea to let church go in 2026 too.
Funny, I'm the opposite. Since information wants to be free, and storage/compute get more affordable every year, then really everything ever posted on the web should be mirrored somewhere, like Neocities.
I grew up in the 80s when office software and desktop publishing were popular. Arguably MS Access, FileMaker and HyperCard were more advanced in some ways than anything today. There was a feeling of self-reliance before the internet that seems to have been lost. To me, there appears to be very little actual logic in most websites, apps and even games. They're all about surveillance capitalism now.
Now that AI is here, I hope that hobbyists begin openly copying websites and apps. All of them. Use them as templates and to automate building integration tests. Whatever ranking algorithm that HN uses, or at least the part(s) they haven't disclosed, should be straightforward to reverse engineer from the data.
That plants a little seed in the back of every oligopoly's psyche that ensh@ttification is no longer an option.
If "information wants to be free," doesn't that cut both ways? It applies equally to the personal data that I don't want to upload to an age gate as it does to the information that people want to keep behind an age gate.
1 reply →
Many people don’t struggle to let privacy go.
I get the impression that you purposely misunderstood. Parent suggested to evaluate if you can let go of the anti-privacy service. E.g. stop using YouTube not the way you worded it.
1 reply →
My main concern is that there isn't a reliable way to know your information is securely stored[0].
> A few years ago, I received a letter in the mail addressed to my then-toddler. It was from a company I had never heard of. Apparently, there had been a breach and some customer information had been stolen. They offered a year of credit monitoring and other services. I had to read through every single word in that barrage of text to find out that this was a subcontractor with the hospital where my kids were born. So my kid's information was stolen before he could talk. Interestingly, they didn't send any letter about his twin brother. I'm pretty sure his name was right there next to his brother's in the database.
> Here was a company that I had no interaction with, that I had never done business with, that somehow managed to lose our private information to criminals. That's the problem with online identity. If I upload my ID online for verification, it has to go through the wires. Once it reaches someone else's server, I can never get it back, and I have no control over what they do with it.
All those parties are copying and transferring your information, and it's only a matter of time before it leaks.
[0]: https://idiallo.com/blog/your-id-online-and-offline
Exactly. Everything "private" that you post online will become public eventually.
Everyone says "we only store the data temporarily and it's deleted right after" including everyone who didn't do that and got hacked.
But I think we're far too late into this issue by now.
It's 2026 and we still don't have a way to know if our passwords are being stored in a secure way in their databases. What hope do we have to know about how our photos are being handled?
Honestly that main concern should be two main concerns.
You/your kid/your wife goes to hàckernews.com and is prompted for age verification again, evidently the other information has expired based on the message. So they submit their details. Oops, that was typosquatting and now who the hell knows has your information. Good luck.
I'm surprised that the EFF does not highlight the best option, here: use a VPN to a jurisdiction that doesn't have such ridiculous laws.
It might be bad for an activist group to advocate just ignoring the problem into a different jurisdiction.
They could sell it as "if your IP geolocation is inaccurate, or if the statute does not apply to you."
But FWIW VPNs can get flagged for suspicious behavior. YMMV
VPNs are increasingly useless, with Cloudflare in front of 80% of the public net. I always wonder if people giving this advice try it themselves, most major sites are unusable with a common VPN provider.
In many cases, using a VPN is a great way to get your account flagged as suspicious.
Care to share more details about this? Which account? What do you mean by “suspicious”? What specific effects does this have?
I use a VPN 24/7 on one machine. Zero issues even with banking, although sometimes I have to answer CAPTCHAs.
5 replies →
Then more people need to use a VPN!
"Give up" is not the best option. Certainly not from the EFF's perspective.
I mean, the best option is to fight this legislation, and AIUI they're doing that too. But this article is not about that, it's about how to minimize the harm if you encounter it.
The days are numbered on this technique working. After enough countries enact their own age verification laws tech companies will just make that the global default policy, and I'm sure the opportunity to harvest user data will not be left to waste. Many sites already block and throttle VPNs.
When that day comes I'll stop casually using the internet or search for the underground alternative.
I think EFF does not recommend for or against VPN in general because it's not always a clear win, depending on the VPN and the use case.
https://ssd.eff.org/module/choosing-vpn-thats-right-you
Next step: the same government that is demanding the age verification will ban VPNs.
Yep.
> For example, in 2025, Wisconsin lawmakers escalated their war on privacy by targeting VPNs in the name of “protecting children” in A.B. 105/S.B. 130. It’s an age verification bill that requires all websites distributing material that could conceivably be deemed “sexual content” to both implement an age verification system and also to block the access of users connected via VPN. Another proposed Michigan bill requires “An internet service provider providing internet service in this state [to] actively monitor and block known circumvention tools.” Circumvention tools being: VPNs.
https://www.eff.org/pages/vpns-are-not-solution-age-gating-m...
Everyone seems to forget that using VPNs to violate your local laws gives lots of good ammo to the authoritarians that want to ban VPNs. The answer isn't to use a VPN to get around it (and thus give fodder to your enemies) but to change the law.
8 replies →
Not especially feasible if you want to support businesses. More likely is trying to demand that VPNs also enforce age verification, which business-targeted VPNs might do, and then ban the ones that don't.
I doubt this would be workable.
They could, sadly, however, make it a crime to bypass things like The Online Safety Bill. Downloading or using Tor, for example.
At that point, the only sane option is to become a criminal.
I have never clicked "accept" on a cookie banner, as a matter of principle; I zap them away with uBlock Origin. Should the plague of age verification reach my jurisdiction, I'm sure I will handle it in like fashion.
Zapping only works if the site lets you continue/pull content without verification.
I expect I'll need to employ some other technical means of circumvention, but the principle of refusing to engage with the thing on its own terms will remain the same.
5 replies →
The difference is that the cookie banner is not a gate. uBlock Origin is unlikely to be able to satisfy a website about your age without submitting the info that the site expects. (Assuming the age check has any teeth at all.) You're unlikely to be able to continue as usual if these kinds of measures become ubiquitous.
ignoring the banner is the same as agreeing to all the opt-out "legitimate interest" shit
This makes me wonder if there's a business case for a privacy-preserving identity service which does age verification. Say you have a strong identity provider that you have proven your age to. Just as the 3rd party site could use SSO login from your identity provider, perhaps the identity provider could provide signed evidence to the 3rd party site that asserts "I have verified that this person is age X" but not divulge their identity. Sidestep the privacy issue and just give the 3rd party site what they need to shield them from liability.
This is how Swiss e-ID was proposed to work: https://www.eid.admin.ch/en
Yes. In fact the 3rd party doesn't even need to know who you are.
https://news.ycombinator.com/item?id=46447282
That's quite an elaborate system. It goes through a lot of gyrations (not the least of which is inventing a whole new type of crime and passing laws about it) and doesn't sound even as strong as the age verification "required" to buy cigarettes in the US. I'd think "welcome to pornhub. Either log in or do Privacy-enhanced Age Verification by Auth0 (TM)" would be a lot easier to get off the ground.
1 reply →
Or simply the connectivity provider, see: <https://news.ycombinator.com/item?id=46627433>.
What's ... boggled me about this issue since forever is that:
1. Most people access online content through either a personal or business broadband service (residential, mobile, or place-of-work).
2. Those services ... bill directly. Which means that it should be possible to specify an age preference for the service account as a whole, and/or subsets of it. The service can specify whether or not age-bounded online services are acceptable or not, as well as specific classes of age-bounded services. E.g., a workplace service would generally allow for >18 access, but might restrict usage of gaming, gambling, pr0n, or related sites. A household might request no age gating at all (all >18 or whatever minimum age is mandated) or several classes of service, say, if adults and children are present.
3. Where it's necessary to specify multiple preferences, multiple network segments could provide this logically (e.g., an IPv6 block with unrestricted and age-gated ranges), with distinct devices being allocated appropriate gateway addresses.
4. Effectively, the connectivity provider then attests for age, without requiring any finer-grained identity disclosure.
Why ...
A. Would this not work?
B. Is it not being generally proposed?
To be blunt, because it sounds insane and simultaneously solving the problem at the wrong abstraction level, and based on criteria that have nothing to do with age. Age-based IP ranges? This sounds like a recipe for reinventing the entire internet in a non-backwards-compatible way. Networks are not people. Why would we treat the network as your identity?
2 replies →
I'm more interested in a business that reliably provides fraudulent IDs to services that unnecessarily want IDs that I cannot avoid for some reason.
I’ve been noodling on this idea for a while but I think getting commercial acceptance would be hard. People have tried it with crypto albeit with lukewarm results. I think to have the network effects required to be successful in such an endeavor, it would have to come from a vendor like apple or google unfortunately.
You kind of want an mTLS for the masses with a chain of trust that makes sense.
mTLS is no good because the target service could then uniquely identify you. I think you explicitly want a three-party scheme where the target service just accepts the idp's assertion about your age in a cryptographically secure way.
1 reply →
The article does go into this and gives lip service to the idea that a secure third party could expose age without exposing identity. Ultimately, there's still the problem that even if point of verification can be done in a zero trust way, you are still entrusting very sensitive information to a third party which is subject to data breach.
If you do it right the only sensitive information exposed to the age gated site is that your age is above their threshold.
The party that actually has to at some point verify who you really are of course has your sensitive information, and there is no obvious way to work around that. However, there is a way to make it so that it doesn't matter.
That is by making them be a party that already has that information. Probably the simplest would be to make it be the same government agency that issues your physical identity documents like passports or drivers licenses. If we don't want it to be a government agency or we want to have competition banks would be a possibility.
The question is: why would services like Google and others want to use such privacy-preserving identity solutions? They wouldn't gain anything from a non-invasive, user-friendly system, so I don't think they'd use it. They want more data, so they are going for it.
I was thinking someone like Auth0 might want to offer it. They are not in the business of invasive user tracking but are in the business of trust.
> The question is: why would services like Google and others want to use such privacy-preserving identity solutions? They wouldn't gain anything from a non-invasive, user-friendly system, so I don't think they'd use it. They want more data, so they are going for it.
Consumer pressure and/or laws
Considering that Google is releasing open source software they developed to facilitate such systems [1], apparently they are OK with the idea.
It could simply be that they realize that online age verification becoming required for some online activities is inevitable for the same reasons age checks are required for some non-online activities, and when that comes to pass they want to be able to do in a way that doesn't expose them to too much risk.
Yes, Google loves data but that doesn't mean they don't care about risk. The data they would from some of the age verification methods probably wouldn't improve their ability to advertise much but would cause a lot of problems if leaked.
Another possibility might be that have no choice. My understanding is that in the EU member states that enact online age verification laws will have to require that verification can be done using the privacy-preserving system that the EU Digital Identity Wallet will support. Sites will be able to use other methods too (as long as the don't violate GDPR) so they could support something that gives them more information for advertising, but they will still have to support the privacy-preserving option.
[1] https://news.ycombinator.com/item?id=44457390
You've almost got it right. You just need to modify this part:
> Just as the 3rd party site could use SSO login from your identity provider, perhaps the identity provider could provide signed evidence to the 3rd party site that asserts "I have verified that this person is age X" but not divulge their identity
The way you compared it so SSO login makes it sounds like there would be interaction between the 3rd party site and the identity provider. That's bad because if someone got a hold of the records from both the site and the identity provider they might be able to match access time logs and figure out who you are.
A fix is to make it so you get your signed document from the identity provider ahead of time, and that document is not tied to doing age verification with any particular site(s). You get it once and then use it with as many sites as you want.
When you use it with a site to demonstrate age we need to do that in such a way that neither of you have to communicate with the identity provider. If the site needs to verify a signature of the identity provider on something you present they use the provider's previously published public key.
We need to make it so that when you use the signed document from the identity provider to show your age to a site they don't see enough from the document to identify you, even if they have been compromised and are collaborating with the identity provider to try to identify you.
Finally, the signed document should be bound to you in some way so that you can't just make copies and give them to others or sell them on the black market to people who want to evade age checks.
BTW, since under this approach the identity provide isn't actively involved after their issue your signed document what probably makes the most sense is to have your government be the identity provider. In particular, the same agency that issues your driver's license or passport or nation ID (if your country has those).
Such a system can in fact be built. The EU is including one in their EU Digital Identity Wallet project, which has been in development for several years and is not undergoing large scale field testing in several countries. It is supposed to be deployed to the public this year or next.
The first version handles the binding of the document to you by tying it to your smart phone's hardware security element. They plan to later support other types of hardware security elements. 90+% of adults in the EU have smart phones (95-98% for adults under 54), and it is going up, so the first version will already cover most cases.
Google has published some libraries for implementing a similar system. Both the Google libraries and the EU system are open source.
> That's bad because if someone got a hold of the records from both the site and the identity provider they might be able to match access time logs and figure out who you are
I see your point, but this doesn't sound like an actual risk to me. The idp will have security as one of their critical features and should be considered trustworthy in this regard. And having *both* the target site logs *and* the idp logs compromised is even more far-fetched. We aren't sitting around worrying about people correlating ISP logs to pornhub logs, and I don't trust my ISP any farther than I can throw them.
The beauty of using an SSO-style scheme is that one could actually see it easily slotting in as a subset of existing protocols. The site could get a SAML doc and the only claims it has in it are "user is over 18", for example. Use the infrastructure for exactly what it's designed for: identifying some selection of attributes that describe a person. It's very elegant and leverages existing well-understood (and well-integrated) tech plumbing.
This also takes all the sensitive data handling out of the hands of social media mongers and pornographers. Let them do what they're good at and let the competent security folks handle the sensitive bits.
First, I believe that age verification is coming, whether we want it or not. It is completely accepted to ask for an ID before entering a night club or buying alcohol, there is no way "people" will be convinced that it is unreasonable to do that for social media and porn. It is coming, period.
So the question is really: what is the best way to implement it?
* I find the "buying a gift card at a store" idea interesting: the seller checks your ID and gives you a gift card.
* I find the digital idea with privacy preservation interesting, too: the government already knows about me. If they can give me a token that only reveals my age, and I can use that token without revealing to the government where I used the token, then it works.
I think the EFF's stance on this is: "but some people will have issues using that technology". I would like to know how many people that is, and why we couldn't imagine a way to help them?
I thought the article was about finding a job when you reach a certain age, which is my problem.
Yeah, I didn't notice where the article was located at first, and I thought that's what it was going to be about also.
Isn't age guesstimation by appearance, even with advanced machine learning techniques, even if attempted by real person with honest effort, just total snake oil? This ongoing age verification push with weird emphasis on generating name-face pairs is beyond fishy.
If we truly need age gates on the internet, then I think the best method is to have non-internet based age verification. I envisage going to a local shop and buying something like a gift-card that the shops only sell to adults (c.f. tobacco sales in the UK). That way, the gift-card code would be the only information required to upload to websites to prove that you're an adult and existing legislation could cover the shops requirements to not sell them to minors.
https://news.ycombinator.com/item?id=46447282 I had the same idea
I don't see why they'd need to expire after a time, but I think the purchaser should be able to revoke the code if they lose it if they particularly care. A least with it being a simple age verification system, there shouldn't be any worry about someone stealing your code as it shouldn't be linked to any accounts.
3 replies →
I'm 32 and submitted a photo of myself for age verification on Instagram and Threads. Was promptly banned, with no resource.
I do look a little younger than 32, due to a healthy lifestyle and religious use of sunscreen but I have a beard and moustache. It's a little insane that I was instantly banned with no way to move forward.
OpenAI uses AI to scan your ChatGPT conversations to determine your age. And even though I've been using ChatGPT for mostly work-related stuff, it has identified me, a man in my 40s, as under 18 and demanded government ID to prove my age. No thank you.
If my options are upload a picture of myself for Google to monetize through ads or not use Google / Youtube then I will be moving on regardless of the inconvenience to myself.
There were some amusing headlines a while back about Discord's verification being fooled with game screenshots. Does anyone know if that's still the case?
saw a recent screenshot of someone doing it yesterday, so I think it still is a thing.
Is there a throwaway identity that people are using? A dead person unchecked in Mississippi somewhere? Like every teen in America using the same identity like everyone's extended family does with their uncle's Netflix account?
I don't want to google it because I don't want to be put on a list but I also feel somewhat confident that this is being done. Apparently, HN feels safe to ask questions like that for me.
That’s an interesting question.
Actually, a follow up. PII leaks are so common, I guess there must be millions of identities out there up for grabs. This makes me wonder: we’ve got various jurisdictions where sites are legally required to verify the age of users. And everybody (including the people running these sites) knows that tons of identities are out there on the internet waiting to be used.
How does a site do due diligence in this context? I guess just asking for a scan of somebody’s easily fabricated ID shouldn’t be sufficient legal cover…
These ID laws typically require a solution to be "commercially practical" or similar. The standard is not "impenetrable and impossible to circumvent"
That's why some of them don't even ask for ID but just guess the age based on appearance. That's good enough per the law, usually.
> I don't want to google it because I don't want to be put on a list
Of all the controversial things out there we've become afraid to even google in order to learn more about the world around us, this one strikes me as not all that controversial.
But you're not wrong, just making a comment about how sad the world has become.
It would probably flag that multiple people are using the same photo or same persons name/ id, but I expect you could get away with doing using someone known to you. iirc the reason people are using game screenshots is because it's not going to match any image that the recogniser has seen before. Use tor for the things you don't want to google and have associated with you.
Netflix has been checking accounts against public IP addresses and local networks for ages, at least in The Netherlands. if I use my Dad's account, I get flagged as being "not on the same home network" immediately. I think that using a VPN and Netflix detecting that would only make matters worse, like termination of service.
I gave up on netflix years ago for unrelated reasons but never had any sort of issue both VPNing between various countries and traveling between them. My wife would pretty regularly want to watch netflix as if she was in Japan or the UK and so we'd turn a VPN on for the TV network and their own TV app never complained at all that it was suddenly on a different continent.
Last time I tried I could find a photo ID just with a basic image search. It is an unavoidable consequence of teaching people that scanning an ID is not utterly insane.
Ironically there was no way to report the image anonymously to the service hosting it.
>I don't want to google it because I don't want to be put on a list
You might think about using something like the Tor Browser for anonymous web surfing:
https://www.torproject.org/download/
...If you are worried about getting on a list by downloading the Tor browser, then take a trip to the next-town-over public library and download it from there. I guess your ISP could still guess that you were using Tor, and you might end up on a list of people using Tor. Also: If everyone is on the list, then no one is on the list.
Either the platform is trying to age-gate anonymously, in which case it is likely you (or your child) can just circumvent that with fake details; or it's some corporation with ongoing access to large government databases, and probably the government can tap the data it collects in some ways, and you (or your child) should probably be worried about being there in the first place.
If this is about porn or other content deemed age-sensitive, the moment it becomes difficult to source through "official," mainstream platforms, the content will move underground (P2P networks), making it even more difficult to analyze and regulate. So this is a very shortsighted move.
To be fair, this is sort of pitting two policy objectives against each other, preventing children from accessing pornography meant for adults on one hand and preventing the distribution of pornography illegal in all cases (e.g. revenge porn, CSAM) on the other. Reasonable people can disagree on which is more important and which should take priority (though I would agree that the latter should take priority)
It's hard to read this article when nearly 50% of my screen is a subscription to their newsletter. Plus, at my screen size, I can't even view all the related issues/tags underneath it without scrolling to the bottom of the article.
>should I continue to use this service if I have to verify my age?
Simple answer, never accept this If everyone selected "cancel" you can be sure these sites will stop age banning, they wan $ more than anything else.
If a site asks me one question about me, I stop using if.
States need to stop sniffing for age really. This is age discrimination.
Basically every government on the planet has laws that apply specifically to children. The term "age discrimination" typically refers to disadvantaging someone for being of old age.
It is very easy to lie about age through age gates. I have yet to find one that is actually able to get strong proof of age, fake IDs are easy to upload.
How well does the selfie test detect AI-generated photos? That seems easy to bypass, especially if you copy the metadata over from a real photo.
The ones I have used do not accept photos, they require real-time video with the front-facing camera and they prompt you to move your head to face different directions on command. Not impossible to attack, I'm certain, but it's tougher than simply uploading a photo.
on desktops you can have virtual camera, if you can generate video fast enough wen AI you can ask to edit it according to instructions. Definitely tougher but I'm sure someone will offer services or software like that.
Face scan: download and install Gary's mod.
> Even though there’s no way to implement mandated age gates in a way that fully protects speech and privacy rights
I think the EFF would have more success spreading their message if they didn't outright lie in their blog posts. While cryptographic digital ID schemes have their problems (which they address below), they do fully protect privacy rights. So do extremely simple systems like selling age-verification scratchcards in grocery stores, with the same age restrictions as cigarettes or alcohol.
> So do extremely simple systems like selling age-verification scratchcards in grocery stores
Which stores sell age-verification scratchcards? How do you make sure they can't be traced back to the person who paid for them or where they were purchased from? How would a website know the person using the card is the same person who paid for them? It may be a simple system, but it still sounds ineffective, dangerous, and unnecessary.
> Which stores sell age-verification scratchcards?
Stores that sell other age-restricted products.
> How do you make sure they can't be traced back to the person who paid for them
How would they be traced? Pay cash. I've never had my ID scanned or recorded when I buy alcohol. And now I look old enough that I don't even have to show ID.
If someone can trace the store they're bought from and you're that paranoid, rotate between stores. Buy them from a third-party. Drive to another state and buy them there. So many options.
> How would a website know the person using the card is the same person who paid for them?
They don't. How does Philip Morris know the person who bought the cigarettes is the same person lighting up? It's clearly not that important when selling actual poisons so why would it matter for accessing a website? The system works well enough to keep most kids from smoking.
Rate-limit sales in a store (one per visit) and outlaw selling or transferring them to a minor (same penalties as giving alcohol or tobacco to a child). Require websites to implement one code per account policies with a code TTL of 6 months or a year, and identify and disallow account sharing. It's Good Enough verification with nearly perfect anonymity.
6 replies →
Go to thispersondoesnotexist and upload your favorite face to continue.
Switch VPN region or upload a random picture generated by AI, problem solved.
I'm honestly a bit mixed on this... I don't think that (especially young) children should have access to explicit, graphic sexual content, especially kink. If you as a parent want your kids to have access, so be it... but then the onus should be on the parent.
On similar lines, I think that something between an unrestricted smart phone and the classic dumb phone is a market segment that is needed.
Phone’s have these settings already. I don’t know if people know how or bother to use them.
https://support.apple.com/en-us/105121
Does that include a whitelist of allowed for children websites?
Why can't the EFF tell people to lie? Because if you can get away with it, lying is almost always your best option. Unless there are actual real world consequences to lying like you may anger the police.
And maybe consider using a VPN.
I'd imagine it is because several of the obvious options for "lying" here may violate criminal law. And also because the EFF is an civil liberties advocacy group, they want to change the law, not circumvent it.
For real. This should be an article about circumvention, not compliance.
That's not EFFs job, just ask your kids how they circumvent age gates for that :)
Estonia basically got this completely right in 2002 with their e-ID. I'm kinda shocked nobody else has figured it out yet. Age verification could be simple, secure, robust, and require only the disclosure of your age, nothing more.
Instead, the rest of us have systems that are both far more vulnerable to privacy beaches, and far easier to circumvent anyway.
> At some point, you may have been faced with the decision yourself: should I continue to use this service if I have to verify my age?
An excellent question, which I didn't see the article really get into.
> If you’re given the option of selecting a verification method and are deciding which to use, we recommend considering the following questions for each process allowed by each vendor:
Their criteria implies a lot of understanding on the part of the user -- regarding how modern Web systems work, widespread industry practices and motivations, how 'privacy policies' are often exceeded and assurances are often not satisfied, how much "audits" should be trusted, etc.
I'd like to see advice that starts by communicating that the information will almost certainly be leaked and abused, in n different ways, and goes from there.
> But unless your threat model includes being specifically targeted by a state actor or Private ID, that’s unlikely to be something you need to worry about.
For the US, this was better advice pre-2025, before the guy who did salutes from the capitol was also an AI bro who then went around hoovering up data from all over government. Followed by a new veritable army and camps being created for domestic action. Paired with a posture from the top that's calling harmless ordinary citizens "terrorists", and taking quite a lot of liberties with power.
We'll see how that plays out, but giving the old threat model advice, without qualification, might be doing a disservice.
I don't know why I find myself to be the lone voice with this opinion, but the pushback here should for the governments themselves to implement age-verification, just like how it's their job to implement issuance of IDs.
They can implement a transparently auditable system, where you scan your id-card (nfc or camera) in the government's portal, and using oauth federation, it will confirm your age, and nothing more than that to sites requesting it.
Site that wish to prevent the fact that you visited them a secret from the government can use various temporary domains, ips, Tor,etc... so long as the government's verification service can reach it.
The government already has your ID information, and they already know at least your home IP (yes, this is actively shared with them in the US). The only privacy concern is them knowing what sites you're visiting.
I get resisting and fighting this, but it's been years now and people are having to endure this mess. It isn't going away either. I was complaining about KYC laws earlier, they started out the same, it was about "terrorists" then.
You can fight two fights in parallel. One to prevent the whole thing, another to require the government to implement a service themselves, do it transparently and preserve privacy while doing so.
Yet another proposal I have is for sites that offer oauth federated login (google,microsoft,github,etc..) to vouch for your id verification, either by them doing it directly or via the government portal i proposed earlier. You'll then just login to sites with the right google account or whatever and that's all the site will ask from you.
I would also be fine with buying a 'card' of some sort at stores that do id verification already, like where you'd buy a cigarette or alcohol. You also buy some scratchable card with a verification code on it. They can't argue it's not good enough, because it's good enough for cigs and alcohol. they can't say "what if a minor gets a hold of the card later" because what if a minor gets a hold of cigs or alcohol later as well?
run through and then xor right
No. Fuck them. I'm not using whatever app. Use a VPN or pirate it.
[dead]
What a piss poor article.
"We disagree with age gates but our recommendation is to comply". Fuck this.
I think that age verification is important. While its not perfect, it is one tool to help protect kids.
Against what? How much struggle and pain are we actually seeing in the world because children have unrestricted internet access?
In an ideal world, parents would be good parents, know what their kids are up to, install parental controls on their digital devices (software solutions out there range from free/bundled to not expensive), have conversations with kids about what's on the internet and what to avoid.
Government overreach is not the answer, it's a plaster (and an excuse for more surveillance which is arguably the primary factor) over bad parenting. In the UK at least, all major ISPs and mobile providers have a basic parental/adult-content control package that is set-up by default (opt-out by the bill payer). Albeit trivial to get around with a VPN/proxy or changing DNS servers etc.
Kids will be kids as well. They'll get around restrictions, they're clever, they talk with their mates in the playground about this sort of thing. Especially teens.
You roll out the ‘bad parents’ trope then immediately admit bypassing parental controls is trivial.
1 reply →
I would say that normalizing giving random websites photos of yourself is harmful to children.
Think back to when you were a child. Did age verification ever stop you from doing anything? The automated, technologically-implemented age-verification is even less interested in properly verifying anything than the ID-checking bouncers at a bar. None of these things protect kids, they just annoy them and teach them that authority is stupid and lying is a convenient way to deal with stupid people.
Call your ISP and ban any NSFW/NSFL access by DNS, both in your children's phones and your home connection. Problem solved.
Then they scrape together their pocket money and walk into a pawn shop and hand over the cash for a second hand smartphone. Plenty of free WiFi around.
This does not work, browsers like Firefox don't even always use the system DNS by default.
2 replies →