The Age Verification Trap: Verifying age undermines everyone's data protection

> I just like, can't help but start with fuck these companies. All other arguments are downstream of that.

The solution would then be to break them up or do things like require adversarial interoperability, rather than ineffective non-sequiturs like requiring them to ID everyone.

The perverse incentive comes from a single company sitting on a network effect. You have to use Facebook because other people use Facebook, so if the algorithm shows you trash and rage bait you can't unilaterally decide to leave without abandoning everyone still there, and the Facebook company gets to show ads to everyone who uses it and therefore wants to maximize everyone's time wasted on Facebook, so the algorithm shows you trash and rage bait.

Now suppose they're not allowed to restrict third party user agents. You get a messaging app and it can send messages to people on Facebook, Twitter, SMS, etc. all in the same interface. It can download the things in "your feed" and then put it in a different order, or filter things out, and again show content from multiple services in the same interface, including RSS. And then that user agent can do things like filter out adult content, if you want it to.

We need to fix the actual problem, which is that the hosting service shouldn't be in control of the user interface to the service.

>There is almost literally documented examples of Facebook executives twirling their mustaches wondering how they can get kids more addicted.

Then close their business. Age verification just makes their crimes even more annoying.

> I just like, can't help but start with fuck these companies. All other arguments are downstream of that. Better the nanny state than Nanny Zuck.

Wild times when we're seeing highest voted Hacker News commenters call for the nanny state.

If you're thinking these regulations will be limited to singular companies or platforms you don't use, there is no reason to believe that's true.

There was already outrage on Hacker News when Discord voluntarily introduced limited ID checks for certain features. The invitations to bring on the nanny state reverse course very quickly when people realize those regulations might impact the sites they use, too.

A lot of the comments I'm seeing assume that only Facebook or other platforms will be impacted, but there's now way that would be the case.

> ... start with fuck these companies. Better the nanny state than Nanny Zuck.

I'm not sure how those two positions connect.

Execs bad, so laws requiring giving those execs everyone's IDs, instead of laws against twirled mustaches?

>Better the nanny state than Nanny Zuck.

For me this is a crux, at least in principle. Once online media is so centralized... the from argument freedom is diminished.

There are differences between national government power and international oligopoly but... even that is starting to get complicated.

That said... This still leaves the problem in practice. We get decrees that age-restriction is mandatory. There will be bad compliance implementations. Privacy implications.

Meanwhile a while... how much will we actually gain when it comes to child protection.

You can come up will all sorts of examples proving "Facebook bad" but that doesn't mean these things are fixed when/if regulation actually comes into play.

Social media is like tobacco. We went after tobacco for targeting kids, we should do the same to social media. Highly engineered addictive content is not unlike what was done to cigarettes.

Those execs were also using the tactics to addict adults, and while they may have targeted teens, the problem is, at its core: humans. So no amount of nannying by either the company nor the government will solve this issue.

Who would be responsible if a child developed alcohol addiction? A nicotine problem? Any other addiction?

Exactly. The same people that should be responsible for giving them unfettered access to an internet that is no longer safe. Even adults have to be wary of getting hooked on scrolling, and while I agree that the onus is on the companies, it has been demonstrated over and over again that they will not be held to account for their behavior.

So the only logical choice left that actually preserves freedom is for parents to get off their ass and keep their child safe. Parent's that don't use filtering and monitoring software with their children should be charged with neglect. They are for sending a kid into the cold without a coat, or letting them go hungry, why is it different sending them onto the internet?

And to your last point: You are dead wrong. No government anywhere in the world has demonstrated that they have the resources, expertise, or technical knowledge to solve this problem. The most famously successful attempt is the Chinese Great Firewall, which is breached routinely by folks. As soon as a government controls what speech you are allowed to consume, the next logical step for them is to restrict what speech you can say, because waging war on what people access will always fail. I mean, Facebook alone already contains tons of content that's against its terms of service, and they have more money than God, so either they actually want that content there, or they are too understaffed to deal with the volume, and the volume problem only ever increases.

So in my view, you are the one against freedom by advocating for the government to control the speech adults can access for the sake of "protecting the children" when the actual people that are socially, morally, and legally culpable for that protection are derelict in their duties.

Screw over Meta then. Not everybody else.

Meta is the bozo in a panel van with no windows. All The legit porn sites put up Big Blinking Neon Signs.

> Better the nanny state than Nanny Zuck.

This is a huge self own. I can't believe I'm reading this on a website called "hacker news".

> I just like, can't help but start with fuck these companies. All other arguments are downstream of that. Better the nanny state than Nanny Zuck.

How about we reject all institutional nannies?

It is much easier to implement user-controlled on-device settings than any sort of over-the-Internet verification scheme. Parents purchase their children's devices and can adjust those settings before giving it to their kids. This is the crux of the problem, and all other arguments are downstream of this.

The problem is that internet is used nowadays for democratic purposes. Once you introduce a globally unique personal ID, you will be monitored. And boy, you will be monitored throughoutly. In case of any democratic process that needs to be undertaken in future against government, this very government will take the tools of identification and will knock to the doors of people who try to raise awareness and maybe mutiny. And this is what Orwell wrote about

> Better the nanny state than Nanny Zuck.

why-not-both.jpg

Maximizing corporate freedom leads inevitably to corporate capture of government.

Opposing either government concentration of power alone or corporate concentration of power alone is doomed to failure. Only by opposing both is there any hope of achieving either.

Applying that principle to age-verification, which I think is inevitable: Prefer privacy-preserving decoupled age-verification services, where the service validates minimum age and presents a cryptographic token to the entity requiring age validation. Ideally, discourage entities from collecting hard identification by holding them accountable for data breaches; or since that's politically infeasible, model the service on PCI with fines for poor security.

The motivation for this regime is to prevent distribution services from holding identification data, reducing the information held by any single entity.

> Better the nanny state than Nanny Zuck.

The state can imprison you. Zuck can't.

> I know this is weird, but I'm in some ways not really sure who is on the side of freedom here. I get your position, but like.

No one. You’ll see a few politicians and more individuals stuck to their principles, but anyone with major clout sees the writing on the wall and is simply working to entrench their power.

> Better the nanny state than Nanny Zuck.

Indeed, what lolberts fail to understand usually is not a choice between government vs “freedom” it’s a choice between the current government and whoever will fill up the power vacuum left by the government.

You sound like someone that would work for the CIA or FBI if they offered you a job. Those are the types of people that I cannot and will not ever trust. I do not respect your opinion.

Centralization and standardization are going to be the topic in the 21st century.

For all the complaining some U.S.-Americans seem to do about the EU approach to these issues, things like the Digital Markets Act aim to fix exactly these types of issues.

>I get your position ... There is almost literally documented examples of Facebook executives twirling their mustaches wondering how they can get kids more addicted. This isn't a few bands

Their position was to compare it to alcohol, guns, and tobacco, not bands using naughty words. Alcohol and tobacco definitely enter mustache swirling territory, getting children addicted and funding misinformation on the harms of their product.

> I know this is weird, but I'm in some ways not really sure who is on the side of freedom here.

That’s because “freedom” is complicated and doesn’t precisely map to the interests of any of the major actors. Its largely a war between parties seeking control for different elites for different purposes.

> documented examples of Facebook executives twirling their mustaches wondering how they can get kids more addicted

If you genuinely believe that this is about those moustache twirling executives, then I have a bridge to sell you.

Have you ever wondered why and how these systems are being implemented? Have you ever gone why Discord / Twitch / what have you and why now? Have you ever thought that this might be happening because of Nepal and the fears of another Arab spring?

https://www.aljazeera.com/news/2025/9/15/more-egalitarian-ho...

I think too many people on this platform don't understand what this is about. This is about power. It's not about what's good for you or the children. Or for the constituents. It's about power. Real power. Karp-ian "scare enemies and on occasion kill them" power.

There are many ways in which such a system could be implemented. They could have asked people to use a credit card. Adult entertainment services have been using this as a way to do tacit age verification for a very long time now. Or, they could have made a new zero-knowledge proof system. Or, ideally, they could have told the authorities to get bent. †

Tech is hardly the first industry to face significant (justifiable or unjustifiable) government backlash. I am hesitant to use them as examples as they're a net harm, whereas this is about preventing a societal net harm, but the fossil fuel and tobacco industries fought their governments for decades and straight up changed the political system to suit them. ††

FAANG are richer than they ever were. Even Discord can raise more and deploy more capital than most of the tobacco industry at the time. It's also a righteous cause. A cause most people can get behind (see: privacy as a selling point for Apple and the backlash to Ring). But they're not fighting this. They're leaning into it.

Let's take a look at what Discord asked people for a second, the face scan,

    If you choose Facial Age Estimation, you’ll be prompted to record a short video selfie of your face. The Facial Age Estimation technology runs entirely on your device in real time when you are performing the verification. That means that facial scans never leave your device, and Discord and vendors never receive it. We only get your age group.

Their specific ask is to try and get depth data by moving the phone back and forth. This is not just "take a selfie" – they're getting the user to move the device laterally to extract facial structure. The "face scan" (how is that defined??) never leaves the device, but that doesn't mean the biometric data isn't extracted and sent to their third-party supplier, k-Id.

There was an article that went viral for spoofing this, https://age-verifier.kibty.town/ // https://news.ycombinator.com/item?id=46982421 . In the article, the author found by examining the API response the system was sending,

    k-id, the age verification provider discord uses doesn't store or send your face to the server. instead, it sends a bunch of metadata about your face and general process details.

The author assumes that "this [approach] is good for your privacy." It's not. If you give me the depth data for a face, you've given me the fingerprint for that face.

We're anthropomorphising machines. A machine doesn't need pictures; "a bunch of metadata" will do just fine.

We are assuming that the surveillance state will require humans sitting in a shadow-y room going over pictures and videos. It won't. You can just use a bunch of vectors and a large multi-modal model instead. Servers are cheap and never need to eat or sleep.

Certain firms are already doing this for the US Gov, https://x.com/vxunderground/status/2024188446214963351 / https://xcancel.com/vxunderground/status/2024188446214963351

We can assume de facto that Discord is also doing profiling along vectors (presumably behavioral and demographic features) which that author described as,

    after some trial and error, we narrowed the checked part to the prediction arrays, which are outputs, primaryOutputs and raws.

    turns out, both outputs and primaryOutputs are generated from raws. basically, the raw numbers are mapped to age outputs, and then the outliers get removed with z-score (once for primaryOutputs and twice for outputs).

Discord plugs into games and allows people to share what they're doing with their friends. For example, Discord can automatically share which song a user is listening on Spotify with their friends (who can join in), the game they're playing, whether they're streaming on Twitch etc.

In general, Discord seems to have fairly reliable data about the other applications the user is running. Discord also has data about your voice and now your face.

Is some or all of this data being turned into features that are being fed to this third-party k-ID? https://www.k-id.com/

https://www.forbes.com/sites/mattgardner1/2024/06/25/k-id-cl...

https://www.techinasia.com/a16z-lightspeed-bet-singapore-par...

k-ID is (at first glance) extracting fairly similar data from Snapchat, Twitch etc. With ID documents added into the mix, this certainly seems like a very interesting global profiling dataset backstopped with government documentation as ground truth.

I'm sure that's totally unrelated. :)

-

† like they already have for algorithmic social media and profiling, https://www.newyorker.com/magazine/2024/10/14/silicon-valley...

Somehow there's tens to hundreds of millions available for crypto causes and algorithmic social media crusades, but there's none for the "existential threat" of age verification.

†† Once again, this is old hat. See also: Turbotax, https://www.propublica.org/article/inside-turbotax-20-year-f...

I don't get your point, at least not in relation to the GP post. I agree with GP, parents need to be more accountable. We as parents, and We should all be concerned about future children/generations, should be demanding more regulation to help force the change we need on this topic. We as a society need to treat SM like those other addictive product classes. The fact SM is addicting and execs try to juice it more, is frankly to be expected.

Vilify them all you want, but same has been done with nicotine products, alcohol products, etc. and to GPs point, we SM as a toy for our children to play with. We chose to change the rules (laws, regulations, etc) because capitalists can never be simply trusted to do what's best for anything except their bottom line. That's a fundamental law no different than inertia or gravity in a capitalistic society. That's why regulators exist. Until you regulate it, they will wear their villain badge and rake in the billions. It's easy to be disliked when the topic of your disdain is what makes you filthy rich (in other words, they don't care what you or I think of what they're doing).

> There is almost literally documented examples of…

lol

Nobody is putting a gun to your head and forcing you to use Facebook or whatever other site. I quit using most social media over a decade ago. If you don't want to use it, or you don't want your children to use it, then don't use it.

As a parent of young children, this is your entire problem:

> the terms of engagement are, I can block it however I want from the network side, and if he can get around it, he can watch.

You're treating this as a technical problem, not a parental rules problem. Your own rules say he's allowed to watch!

You have to set the expectations and enforce it as a parent.

Sounds like a smart kid, is part of you secretly proud of him for his tenacity?

Is it impractical to keep an eye on what he's doing on his computer, i.e. physically checking in on him from time to time?

How about holding him responsible for his own behavior, to develop respect for the rules you impose? Is it just hopeless, and if so how come? Is it impossible for him to understand why you don't want him watching certain content or why he should care about being worthy of your trust?

I'm not judging here, I'm genuinely curious.

I remember when I was a kid that age there were rules and some were technically enforced. But if you found a way around the technical enforcement you were in huge trouble. The equivalent here would he been, if you used a proxy to watch what you weren't meant to, then you lose all screen time indefinitely. Sneaking around parents' rules was absolutely not on.

Putting controls on the machine you want to restrict is pretty normal. While I agree with your first sentence that it's hard for parents to get proper monitoring tools, the rest of this sounds like a self-imposed problem. If you don't want to mess with the actual machine then run a proxy it has to use.

[deleted]

when I was a kid in the early 90's, my state (and many others) banned cigarette vending machines since there was no way to prevent them being used by minors, unless they were inside a bar, where minors were already not allowed.

Parents can't easily prevent their kids from going to those kinds of stores once they're at the age where the parent doesn't need to keep an eye on them all the time and they can travel about on their own.

The difference though is that parents are generally the ones to give their kids their phones and devices. These devices could send headers to websites saying "I'm a kid" -- but this system doesn't exist, and parents apparently don't use existing parental controls properly or at all.

I think the argument is more around it being illegal so as to not be forced into playing "the bad guy". It's hard to prevent a level of entitlement and resentment if those less well parented have full access. If nobody is allowed then there's no parental friction at all.

Its unfortunate that the application of this rule is being performed at the software level via ad-hoc age verification as opposed to the device level (e.g. smartphones themselves). However that might require the rigimirole of the state forcibly confiscating smartphones from minors or worrying nepalise outcomes.

ISPs and OSs should be the ones providing these tools and make is stupid easy to set up a child's account and have a walled garden for kids to use.

Companies are legally prohibited from marketing and selling certain products like tobacco and alcohol because they historically tried to.

Parents are legally and socially expected to keep their kids away from tobacco and alcohol. You're breaking legal and social convention if you allow your kids to access dangerous drugs.

Capitalist social media is exactly as dangerous as alcohol and tobacco. Somebody should be held responsible for that, and the legal and social framework we already have for dealing with people who want to get kids addicted to shit works fairly well.

The school, in loco parentis.

Not responsible for selling to all minors, just theirs.

Well the parents entrust their kids to the school, so they would be the ones responsible for what goes on on their premises. In turn, school computers are famously locked down to the point of being absolutely useless.

> which means that if you put a trampoline in your backyard, and a kid passing through sees it, decides to do a sick jump off of it, and breaks their leg, that was partly your fault for having something so awesome that kids would probably like.

That's not exactly accurate. The two key parts of the attractive nuisance law are a failure to secure something combined with the victim being too young to understand the risks.

So if you put a trampoline in your front yard, that's an easy attractive nuisance case.

If you put a pool in your back yard with a fence and a locked gate, it would be much harder to argue that it was an attractive nuisance.

If a 17 year old kid comes along and breaks into your back yard by hopping a 6-foot tall fence, you'd also have a hard time knowing they didn't understand that their activities came with some risk. Most cases are about very young children, though there are exceptions

And that law is incredibly and hideously stupid, as it's a heckler's veto on having cool stuff.

The Internet is basically the final frontier where this harmful law doesn't reach, though the Karens are really trying to expand their power there.

It would not be quite that simple. The trampoline (or pool, or whatever) would have to be visible, in a place children were likely to be, not protected by any reasonable amount of care, and the kid would have to be young enough to not know any better.

The legal doctrine is also not specific to the US, of course.

> we invented this new thing called fire [...] So the tribe leader (who, by the way, gropes your children) proposed a solution: centralize control of all the fire

Of all the things, a "save-the-children prolegomena to the Prometheus myth" certainly wasn't on my bingo card today. So thank you for that, but I'm not aware of any reports of fire-keeping in the way you've described. Societies and religions do have sacred traditions related to fire (like Zoroastrians) but that doesn't come with restrictions on practical use AFAIK.

Am I the only one that is repeatedly amused at how many smart people are just caving to making this about parents/children at all?

We've literally watched things unfold in real time out in the open in the last year I don't know how much more obvious it could be that child-protections are the bad-faith excuse the powers that be are using here. Combined with their control of broadcasting/social media, it's the very thing they're pushing narratives in lockstep over. All this to effectively tie online identities to real people. Quick and easy digital profiles/analytics on anyone, full reads on chat history assessments of idealogies/political affiliations/online activities at scale, that's all this ever was and I _know_ hackernews is smart enough to see that writing on the wall. Ofc porn sites were targeted first with legislation like this, pornography has always been a low-hanging fruit to run a smear campaign on political/idealogical dissidents. It wasn't enough, they want all platform activity in the datasets.

I can't help but feel like the longer we debate the merits of good parenting, the faster we're just going to speedrun losing the plot entirely. I think it goes without saying that no shit good parenting should be at play, but this is hardly even about that and I don't know why people take the time of day. It's become reddit-caliber discussion and everyone's just chasing the high of talking about how _they_ would parent in any given scenario, and such discussion does literally nothing to assess/respond to the realities in front of us. In case I'm not being clear, talking about how correct-parenting should be used in lieu of online verification laws is going to do literally nothing to stop this type of legislation from continually taking over. It's not like these discussions and ideas are going to get distilled into the dissent on the congressional floors that vote on these laws. It is in it's own way a slice of culture war that has permeated into the nerd-sphere.

Its more like age verification corporations, identity verification corporations, the child "safety" organizations that were lobbying for Chat Control versus individuals who want to protect their privacy.

Yes if they do bad things like drunk, have sex and do drugs.

I would start with banning cellphones.

Could your child not just call or text their friends? Or is the real expectation to not have to intervene at all about their preferred platform?

Sorry, I know it's a hard line for parents to tread and it's really easy to criticize parenting decisions other people are making, but the "everyone else is doing it so I have to" always seems as lazy to me today, as it probably did to my parents when I said it to them as a teenager.

Is it more important to prevent your son from being weaponized and turned into a little ball of hate and anger, and your daughter from spending her teen years depressed and encouraged to develop eating disorders, or to make sure they can binge the same influencers as their "friends"?

this is the biggest problem, so many parents are head-in-the-sand when it comes to things that can damage a child’s mind like screen time, yet no matter how much you protect them if it’s not a shared effort it all goes out the window, then the kid becomes incentivized to spend more time with friends just for the access, and can develop a sense that maybe mom and dad are just wrong because why aren’t so-and-so’s parents so strict?

because their parents didn’t read the research or don’t care about the opportunity cost because it can’t be that big of a deal or it would not be allowed or legal right? at least not until their kid gets into a jam or shows behavioral issues, but even then they don’t evaluate, they often just fall prey to the next monthly subscription to cancel out the effects of the first: medication

Should the state have force your parents to give you up for adoption? That's the social support the state can offer.

This.

The world is becoming increasingly more uncertain geopolitically. We have incipient (and actual) wars coming, and near term potential for societal disruption from technological unemployment. Meanwhile social media has all but completely undermined broadcast media as a means of social control.

This isn't about protecting children. It's about preventing a repeated of the Arab Spring in western countries later this decade.

"Think of the children" is the oldest trick in the book, and should always be met with skepticism.

Devices such as phones come with an option when you start the device asking simply is this for a child or an adult. Your router generally these days comes with a parental filter option on start up too. Heck we have chatgpt that can guide a parent through setting up a system if they want something more custom.

If people want to push, they should just push to make these set up options more ubiquitous, obvious and standardized. And perhaps fund some advertising for these features.

This is where Apple, Microsoft and Android need to step up. Indeed they already have in many ways with things being better than they used to be.

There needs to be a strict (as in MDM level) parental control system.

Furthermore there needs to be a "School Mode" which allows the devices to be used educationally but not as a distraction. This would work far better than a ban.

It wasn’t always this way: “Ask not what your country can do for you — ask what you can do for your country”

[dead]

The internet is not an object, its a communication medium. That is an apples to organges argument, it doesn't wash.

So we should trust the governments of the world? The same governments that don't seem to be doing anything about a large group of people that visited a specific island to abuse minors?

How easy is it for kids to bypass Parental Controls on iOS devices?

Yes, but how on earth is their malicious compliance at providing parental controls a good reason to go for the surveillance state that hurts absolutely everyone?

Social media operators love the surveillance state idea. That's why they aren't pushing against this.

I even cancelled YT Premium because their "made for kids" system interfered with being able to use my paid adult account. I urge other people to do the same when the solutions offered are insufficient.

> Except companies provide wholly inadequate safeguards and tools. They are buggy, inconsistent, easily circumvented, and even at time malicious. Consumers should be better able to hold providers accountable, before we start going after parents.

We could mandate that companies that market the products actually have to deliver effective solutions.

Step 0 is physical device access. Kids shouldn't have tablets or smartphones or personal laptops before age 16.

Age verification tech companies are lobbying heavily for governments to legally require their services. The proposed "solutions" are about funneling money into the hands of other tech companies and shady groups, while violating user privacy.

If anything, we should be banning the collection of any age related information to access social media and more mature content. We need companies to respect privacy, rather than legislation even more privacy violations.

Tobacco, yes you can order pipe tobacco and cigars online sent to your house without ID.

Guns yes, you can buy a schmidt-rubin cartridge rifle or black powder revolver sent straight to your home from an online (even interstate) vendor no ID or background check, perfectly legal.

Alcohol yes, you can order wine straight to your house without ID.

These are all somewhat less known "loopholes" but not really turned out to be a problem despite no meaningful controls on the seller. You probably didn't even know about these loopholes, actually -- that's how little of a problem it's been.

It's funny, all the bible wankers screamed about "the mark of the beast" over things like RealID. Now we have fascists setting up surveillance and censorship tools to tie speech and movement to centralized ID...and they're lining up to lick boots.

You should need to show ID and prove you're over 18 to enter a church. At least we know they're actually harmful to children.

also there's a huge argument to be made that surveilling your kids is really really bad for their development

That same argument doesn't hold water on the internet. Its a communication medium. Its like a flow of information. You don't enter or leave physically spaces. the information flows to you where ever you are. trying to apply the same kinds of laws to the internet is a recipe for disaster because you are effecting everyone at the same time.

Well, yes. If your friends can all go 'round to David's house, where David's parents hand each child a case of beer and send them on their way, any attempt by the other parents to prohibit underage drinking is going to be ineffective. But most parents don't do that. (I've actually never heard of it.) So social solutions involving parent consensus clearly do work here.

"But it's behavioural!" I hear you cry. "What's stopping children from going out, buying a cheap unlocked smartphone / visiting their public library / hacking the parental control system, and going on the internet anyway?" And that's an excellent objection! But, what's stopping children from playing in traffic?

    That’s why most people make sure it doesn’t happen

Back in the day you would beat up that person.

> The thing is, what are the parents to do beyond restricting things?

Well, I can't speak for parents (as in all parents). I can, however, tell you what we did.

When two of my kids were young we gave them iPods. The idea was to load a few fun educational applications (I had written and published around 10 at the time). Very soon they asked for Clash of Clans to play for a couple of hours on Saturdays. We said that was OK provided they stuck to that rule.

Fast forward to maybe a couple of months later. After repeated warnings that they were not sticking to the plan and promises to do so, I found them playing CoC under the blankets at 11 PM, when they were supposed to be sleeping and had school the next day.

I did not react and gave no indication of having witnessed that.

A couple of days later I asked each of them to their room and asked them to place their top ten favorite toys on the floor.

I then produced a pair of huge garbage bags and we put the toys in them, one bag for each of the kids.

I also asked for their iPods.

No anger, no scolding, just a conversation at a normal tone.

I asked them to grab the bags and follow me.

We went outside, I opened the garbage bin and told them to throw away their toys. It got emotional very quickly. I also gave them the iPods and told them to toss them into the bin.

After the crying subsided I explained that trust is one of the most delicate things in the world and that this was a consequence of them attempting to deceive us by secretly playing CoC when they knew the rules. This was followed by daily talks around the dinner table to explain just how harmful and addictive this stuff could be, how it made them behave and how important it was to honor promises.

Another week later I asked them to come into the garage with me and showed them that I had rescued their favorite toys from the garbage bin. The iPods were gone forever. And now there was a new rule: They could earn one toy per month by bringing top grades from school, helping around the house, keeping their rooms clean and organized and, in general, being well behaved.

That was followed by ten months of absolutely perfect kids learning about earning something they cherished every month. Of course, the behavior and dedication to their school work persisted well beyond having earned their last toy. Lots of talks, going out to do things and positive feedback of course.

They never got the iPods back. They never got social media accounts. They did not get smart phones until much older.

To this day, now well into university, they thank me for having taken away their iPods.

So, again, I don't know about parents in the aggregate, but I don't think being a good parent is difficult.

You are not there to be an all-enabling friend, you are there to guide a new human through life and into adulthood. You are there to teach them everything and, as I still tell them all the time, aim for them to be better than you.

https://www.youtube.com/watch?v=99j0zLuNhi8

It is literally the parents responsibility. You want to blame someone else. Raising a kid doesn't mean letting society raise them you have to make tough choices.

If parents can't handle that they can give them up to the state.

That is not what the post you are replying to is advocating for at all - try reading it one more time without so much hostility

Can you offer some rebuttal to give some credence to your point?

> EU's planned system requires highly invasive age verification

EUDI wallets are connected to your government issued ID. There is no "highly invasive age verification".

We are literally sending a request to our government's server to sign, with their private key, message "this john smith born on 1970-01-01 is aged over 18" + jwt iat. There are 3 claims in there. They are hashed with different salts. This all is signed by the government.

You get it with the salts. When you want to prove you are 18+ you include salt for the "is aged over 18" claim, and the signed document with all the salts and the other side can validate if the document is signed and if your claim matches the document.

No face scanning, no driver license uploading to god-knows-where, no anything.

> to obtain 30 single use, easily trackable tokens that expire after 3 months

This is the fallback mechanism. You are supposed to use bbs+ signatures that are zero knowledge, are computed on the device and so on. It is supposed to provide the "unlinkability". I don't feel competent enough to explain how those work.

> jailbreaking / "prevent tampering"

This is true. The eidas directive requires that secret material lives in a dedicated hardware / secure element. It's really not much different than what a banking app would require.

> You have to blindly trust that the tokens will not be tracked

This is not true, the law requires core apps to be opensource. Polish EUDI wallet has been even decompiled by a youtuber to compare it with sources and check if the rumors about spying are true. So you can check yourself if the app tracks you.

Also we can't have a meaningful discussion without expanding on definition of "tracking".

Can the site owner track you when you verify if you are 18+? Not really, each token is unique, there should be no correlation here.

Can the government track you? No, not alone.

Can the site owner and the government collude to track you? Yes they can! Government can track all salts for your tokens, site can collect all salts, they can compare notes. There are so called policy mitigations currently: audits and requirements for governments to remove salts from memory the moment stuff is issued.

Can they lie? Sure.

Can the site owner and the government collude to track you if you are using bbs+? No. Math says no.

Can they lie if you are using bbs+? Math says no.

Thanks for posting this.

The inherent problem with all zero knowledge identity solutions is that they also prevent any of the safeguards that governments want for ID checking.

A true zero knowledge ID check with blind signatures wouldn't work because it would only take a single leaked ID for everyone to authenticate their accounts with the same leaked ID. So the providers start putting in restrictions and logging and other features that defeat the zero knowledge part that everyone thought they were getting.

Link?

There's no dynamic analysis done, necessarily. In the Swiss design, fex, SD-JWTs are used for selective disclosure. For those, any information that you can disclose is pre-hashed and included in the signed credential. So `over_18: true` is provided as one of those hashes and I just show this to the verifier.

The verifier gets no other information than the strictly necessary (issuer, expiry, that kind of thing) and the over 18 bit, but can trust that it's from a real credential.

That's not strictly a zero knowledge proof based system, though, but it is prvacy-preserving.

Attestation from government sounds like the ideal solution. This could actually provide _more_ privacy because we can begin using attestation for things we currently use IDs for such as “Has the privilege of driving a car” or “Can purchase alcohol”

> If it’s analyzes my ID 100% client side I can fake any info I want. If my ID goes to a server,

amplifying your point, there is effectively no way for the layperson to make this distinction. And because the app needs to send data over an encrypted channel, it would be difficult at best for a sophisticated person to determine whether their info is being sent over the wire.

Aren't the companies also expected to do revocation checking, essentially creating a record of who identified where, with a fig leaf of "pseudonymity" (that is one database join away from being worthless)?

That assumes the companies store the individual tokens, as does the government. Neither of which are part of the design, but could be done if both sides desired it.

The Swiss design actually doesn't store the issued tokens centrally. It only stores a trust root centrally and then a verifier only checks the signature comes from that trust root (slightly simplified).

> we didnt have any of these guards in the 90s and early 2000s and everybody turned out just fine

One of the most highly valued tech companies of today makes a software that sometimes talks its user's into killing themselves. Some guy put "uwu notices bulge" on a bullet casing and shot Charlie Kirk: things turned out fine indeed.

In the Swiss system, it depends on what they verified. If they required your full ID, that has a document number like a passport and they could track that.

If they did the right thing and only asked for the over 18 bit, then they wouldn't have a trackable identifier.

It's this I believe: https://www.w3.org/TR/vc-data-model-2.0/

You should be able to choose what's age-appropriate for your kids. Giving them access to e.g. "PG-13" media when they're 9 isn't the problem. Giving mature kids unrestricted access isn't a problem. The problem is culture:

- Many parents don't think about restricting their kids' online exposure at all. And I think a larger issue than NSFW is the amount of time kids are spending: 5 hours according to this survey from 2 years ago https://www.apa.org/monitor/2024/04/teen-social-use-mental-h.... Educating parents may be all that is needed to fix this, since most parents care about their kids and restrict them in other ways like junk food

- Parents that want to restrict their kids struggle with ineffective parental controls: https://beasthacker.com/til/parental-controls-arent-for-pare.... Optional parental controls would fix this

> Fuck man, I can even legally give my kids alcohol - I don't see why it's appropriate to enforce what content I allow them to see.

In the USA it depends on the state. Federal guidelines for alcohol law does suggest exemptions for children drinking under the supervision of their parents, but that's not uniformly adopted. 19 states have no such exceptions, and in many of the remaining 31, restaurants may be banned from allowing alcohol consumption by minors even when their parents are there.

The law is there to protect children in the case they have absent/neglectful parents. Unfortunately not every child has a parent as aware as you.

People angrily replying to the top comment on this article are going to be pissed when they find out about this guy.

this seems to be an issue of being able to be a parent, period.

yup we should all be able, to talk to our kids instead of screaming at them.

The older sibling should be old enough to know better. Or if they're still a kid, they can have their privileges temporarily revoked.

This problem probably can't be solved entirely technologically, but technology can definitely be a part of solving it. I'm sure it's possible to make parental controls that most kids can't bypass, because companies can make DRM that most adults can't bypass.

> If ID checks are fully anonymous (as many here propose when the topic comes up) then every kid will just have their friends’ older sibling ID verify their account one afternoon.

Exactly the same way that kids used in former days to get cigarettes or alcohol: simply ask a friend or a sibling.

By the way: the owners of the "well-known" beverage shops made their own rules, which were in some sense more strict, but in other ways less strict than the laws:

For example some small shop in Germany sold beverages with little alcohol to basically everybody who did not look suspicious, but was insanely strict on selling cigarettes: even if the buyer was sufficiently old (which was in doubt strictly checked), the owner made serious attempts to refuse selling cigarettes if he had the slightest suspicion that the cigarettes were actually bought for some younger person. In other words: if you attempted to buy cigarettes, you were treated like a suspect if the owner knew that you had younger friends (and the owner knew this very well).

More simply: If ID checks are fully anonymous (as many here propose when the topic comes up) then every kid will just have their friends’ older sibling ID verify their account one afternoon. Or they’ll steal their parents’ ID when they’re not looking.

Digital ID with binary assertion in the device is an API call that Apple's app store curation can ensure is called on app launch or switch. Just checking on launch or focus resolves that problem. It's no longer the account being verified per se, it's the account and the use.

Probably will limit to one device per person, to save the children, so we won’t share with others.

(So you need to keep all your stuff into one device to be fully tracked easily. And have no control over your device, share your location… )

Circumventing controls as a kid is what taught me enough about computers to get the job that made college affordable (in those days you could just boot windows to a livecd Linux distro and have your way with the filesystem, first you feel like a hacker, later the adults are paying you to recover data).

If we must have controls, I hope the process of circumventing them continues to teach skills that are useful for other things.

> what would stop anyone from merely hosting porn in Romania or some country that didn't care about US age-verification laws

A government could implement the equivalent of China's great firewall. Even if it doesn't stop everyone, it would stop most people. The main problem I suspect is that it would be widely unpopular in the US or Europe, because (especially younger) people have become addicted to porn and brainrot, and these governments are still democracies.

Wrong incentive. If you don’t give a shit about exposing children to snuff or porn, but do give a shit about page views and ad revenue, you obviously don’t rate your content or rate it as G to increase that revenue.

I imagine there would be a set of filters, including some on by default that most adults keep for themselves. For example, most people don't want to see gore. More would be OK with sexual content, even more would be OK with swear words, ...

> Most guardians would willingly do similar with locked devices.

Considering the echo chamber in which I was at school, my friends would have simply used some Raspberry Pi (or a similar device) to circumvent any restriction the parents imposed on the "normal" devices.

Oh yes: in my generation pupils

- were very knowledgeable in technology (much more than their parents and teachers) - at least the nerds who were actually interested in computers (if they hadn't been knowledgeable, they wouldn't have been capable of running DOS games),

- had a lot of time (no internet means lots of time and being very bored),

- were willing to invest this time into finding ways to circumvent technological restrictions imposed upon them (e.g. in the school network).

The kids in your social circle are used to not having access to alcohol, but they're not used to not having access to social media.

Hypothetically, if every kid in your social circle had their device "locked", the adults would probably have a very hard time the kids away from their devices, or just relent, because the kids would be very unhappy. Although maybe with today's knowledge, most people will naturally restrict new kids who've never had unrestricted access, causing a slow culture shift.

I never specified age.

The whitelist would be decided by the market: the parents have the unlocked device, there are multiple solutions to lock it and they choose one. Which means that in theory, the dominant whitelist would be one that most parents agree is effective and reasonable; but seeing today's dominant products and vendor lock-in...

Digital media use is easier to conceal than weapons. My parents did not protect me from it growing up because they were not responsible, and I was harmed as a result. To this day they still do not realize I was harmed, because I did not tell them and we are not on speaking terms. Trying to be honest would have resulted in further rejection from them. This was on a personality level and I had no way to deal with this as a developing human.

I could not control how my parents were going to raise me, I was only able to play with the hand I was dealt. I hate the idea that parents are sacrosanct and do not share blame in these situations. At the same time, if this is just the family situation you're given and you're handed a device unaware of the implications, who is going to protect you from yourself and others online if your parents won't? Should anyone?

The "Bank identity" system in Czech Republic (and likely other countries) can be used to log into to various government services. The idea is that you already authenticated to the bank when getting the account, so they can be sure it is really sou when you log in - so why not make it possible for you to log in to other services as well if you want to ?

So we trust a bank more than the government that they won’t extend this to earn more money by disclosing more information? Bad idea. You need a neutral broker.

This could help, but without the culture shift, way too many parents will intentionally and unintentionally break that law.

That would be the status quo if we had better parental controls.

Trying to enforce parental controls via regulation may only be as effective as Europe enforcing the DMA against Apple. But maybe not, because there's a huge market; if Apple XOR Android does it, they'll gain market share. Or governments can try incentive instead of regulation (or both) and fund a phone with better parental controls. Europe wants to launch their own phone; such a feature would make it stand out even among Americans.

Parents can do this today if they wanted to

The problem of "kids accessing the Internet" is a purposeful distraction from the intent of these laws, which is population-level surveillance and Verified Ad Impressions.

It would not be solved without a culture shift. But with a culture shift, giving a kid an unlocked device would be as rare as giving them drugs.

I'm sure it will occasionally happen. But kids are terrible at keeping secrets, so they will only have the unlocked device for temporary periods, and I believe infrequent use of the modern internet is much, much less damaging than the constant use we see problems from today. A rough analogy, comparing social media to alcohol: it's as if today kids are suffering from chronic alcoholism, and in the future, kids occasionally get ahold of a six pack.

Well, age verification is the "we have to do something about this nebulous problem even if the best thing we can think of actually makes everything worse for everyone but it makes us feel better" fallacy, which is equally ridiculous.

I'm saying that, in today's culture, age-gating the internet is likely to be much less effective than age-gating alcohol or tobacco. Most kids spend an appalling amount of time on social media (think, 5 hours/day*); most kids didn't spend this much time or invest this much of their lives into drugs.

* according to this survey from over 2 years ago: https://www.apa.org/monitor/2024/04/teen-social-use-mental-h...

For the smoking analogy to fit, you'd have to have parents giving their children packs of cigarettes to play with and then being mad at Marlboro they figured out how to smoke them.

It doesn’t come with a ton of PII you can sell to data brokers.

> They have to know who the children are to not target them.

There is a difference between identifying specific children, and running programs that target children more generally; and / or having research that shows how your product harms children, and failing to do anything to stop it. We can tackle both of those issues without requiring age verification. We're headed down the path of age verification because we know now that not only is social media harmful, it's especially harmful to kids, and has been specifically targeted to them. Those are things that can be fixed, regardless of how you feel about age verification. Its not different than tobacco being not allowed to create advertisements for kids; its the same type of people doing the same types of things in the end.

At least then it wouldn't be the government requiring it, is what people may think I imagine.

Then ones who won't will become the preferred choice

For a while it was thought that we could never bring back anti-trust.

Sure, there's a lot of corruption right now. Doesn't have to stay that way.

If we create age verification tools with strong privacy protections that solve the problems they raise, we can can call their bluff.

If we fight every and any solution, we may end up with their solution, becauase they build it. We end up in the position of saying "don't use the thing they built" without offering alternatives. I'd rather be saying "use whatbwe built, ita is better."

Is it though? Do you have any proof that is the case?

Google/Apple already know where you and your mistress live. In case you pay for any service, they've got your identity too. Ever had a single shipment confirmation to your address come to your mail? They know who you are.

The hardware providers already have the information. You only need to make them reveal it to 3rd parties.

But that doesn't verify that the person using the ID is the person that it was issued to.

I think this is actually the correct way to move forward.

We should be able to verify facts about people on the internet without compromising personal data. Giving platforms the ability to select specific demographics will, in my view, make the web a better place. It doesn’t just let us age restrict certain platforms, but can also make them more authentic. I think it’s really important to be able to know some things to be true about users, simply to avoid foreign election interference via trolling, preventing scams and so much more.

With this, enforcement would also be increasingly easy: Platforms just have to prove that they’re using this method, e.g. via audit.

So you would deny children the greatest source of knowledge in the history? I have learned math and programming thanks to unlimited access to the web and would not be where I am without it.

Bugs get fixed when systems are iterated on. They also tend to be single results from single mistakes, not compound end results of the implementation.

Design features tend to persist.

The phrase/idiom "the purpose of a system is what it does" maps best to situations where a multiple decisions within a system make little sense when viewed through the lens of the stated purpose, but make perfect sense if the actual outcome is the desired one.

It is an invitation to analyze a system while suspending the assumption of good faith on the part of the implementors.

If third party does verification with ZKP, you only need to trust that third party. The company that requires verification will not have any data to store.

As we can see from this user who has fallen ill with Epstein Brain, the real victims of social media algorithms are actually adults.

He is currently prepping to overthrow his local Pizzeria while the rest of us argue as if social media even exists anymore (it doesn't, it's just algorithmic TV now).

Some platforms did display notices like this for a while, but I noticed that they stopped the practice after a few months.

I bet that the Chat Control lobbyist groups are involved to some degree, as they tried to require age verification in Chat Control before it was shot down. They probably haven't given up after that defeat.

This is a group particularly beloved by politicians, because you can pretty much use them as a smokescreen whenever you want to pass authoritarian legislation...

> US now requires cars to report data, which was optional before (e.g. onstar) and china joined on this since the ev boom.

This isn't true, there is no federal requirement for a cellular modem in cars. Most modern cars have one, but nothing prevents you from disabling or removing it. I certainly would not tolerate such a "bug" in by car.

> In the US every store tracks and report to ad networks your Bluetooth ids.

This also isn't true, modern phones randomize Bluetooth identifiers. I personally disable Bluetooth completely.

When one of the only two political parties does not want everyone to vote (cause they’d lose every election) you get what we got…

You may underestimate the levels of classism and racism in the US. Go on and bring up a conversation about it and you'll eventually get someone talking about how that would be socialism and we can't do that.

It seems like the solution is to provide an age verification mechanism with robust privacy protections. That way when we offer a solution that works for all of their states concerns, if they disagree with the privacy preserving approach we force them to say outright "I want to keep a record of every website you visit."

Anonymity is a myth. I am sure by now an LLM can figure out who you are and where you live by your HN posts alone.

Not my point in the comment but my personal opinion:

To regulate access to addicting material. This is done in the physical world - why should digital be lawless when it applies to the same human behaviors?

I've been addicted to a lot of digital media parts in harmful ways and I had the luck and support to grow out of most of it. A lot of people are not that lucky.

I don't think that's what the original comment was discussing at all...

If governments want to require private companies to verify ages, those same governments need to provide accessible ways for their citizens to get verification documents, starting from the same age that is required.

[deleted]

Why should gambling be the exception? One could argue other app-based vices are just as bad, if not worse.

That's not what this user was talking about.

For example, with a German ID you can provide proof that you are older than 18 without giving up any identifying information. I mean, nobody uses this system at the moment, but it does exist and it works.

So do you buy an ID every month or can we depreciate that over 15 years?

Really more so than money is the amount of time. Sitting at the DMV for half a day, and that is with an appointment, really sucks.

What you’re describing is infrastructure that doesn’t necessarily exist right now for use online, and has all the privacy problems described. Why should I have to share more than required?

The government will want some way to uncover who bought the token. They'll probably require the store to record the ID and pretend like since it's a private entity doing it, that it isn't a 4A violation. Then as soon as the token is used for something illegal they'll follow the chain of custody of the token and find out who bought it.

No matter what the actual mechanism is, I guarantee they will insist on something like that.

I agree. I've been researching a lot of this tech lately as a part of a C2PA / content authenticity project and it's clear that the math are outrunning practicality in a lot of cases.

As it is we're seeing companies capture IDs and face scans and it's incredibly invasive relative to the need - "prove your birth year is in range". Getting hung up on unlinkable sessions is missing the forest for the trees.

At this point I think the challenge has less to do with the crypto primitives and more to do with building infrastructure that hides 100% of the complexity of identity validation from users. My state already has a gov't ID that can be added to an apple wallet. Extending that to support proofs about identity without requiring users to unmask huge amounts of personal information would be valuable in its own right.

You seem to have missed requirement #3 -> tracking and identifying reuse.

An 18-year-old creating an account for a 12-year-old is a legal issue, not a service provider issue. How does a gas station keep a 21-year-old from buying beer for a bunch of high school students? Generally they don't, because that's the cops' job. But if they have knowledge that the 21-yo is buying booze for children, they deny custom to the 21-yo. This is simple.

In general, any government already has your information, and it's naive to think that they don't; if you pay taxes, have ever had a passport, etc. they already have all identifying information that they could need. For services, or for the government knowing what you do (which services you visit), then a zero-knowledge proof would work in this case.

The companies don’t, and th government already has your government id.

This is like rhetorically asking, "Are you saying that doom and marylin manson aren't harmful to children?"

The problem with social media isn't the inherent mixing of children and technology, as if web browsers and phones have some action-at-a-distance force that undermines society; it's the 20 years or so they spent weaponizing their products into an infinite Skinner box. Duck walk Zuckerburg.

This is all assuming good faith interest in "the children," which we cannot assume when what government will gain from this is a total, global surveillance state.

Last time I checked there's no scientific consensus if social media causes harm at all. The best studies found null or very small effects. So yeah, I am skeptical it is harmful.

What are some links to HN comments that you (or anyone else) feel is "coordinated astroturfing"?

The site guidelines ask users to send those to us at hn@ycombinator.com rather than post about it in the threads, but we always look into such cases when people send them.

It almost invariably turns out to simply be that the community is divided on a topic, and this is usually demonstrable even from the public data (such as comment histories). However, we're not welded to that position—if the data change, we can too.

> Governments (and a few companies) really want this.

The cynic in me fears they don't want a privacy-preserving solution, which blinds them to 'who'. Because that would satisfy parents worried about their kids and many privacy conscious folks.

Rather, they want a blank check to blackmail or imprison only their opponents.

> It’s apparent if you watch the discussions across platforms, there are obvious shared talking points that come in waves

This is true of basically any issue discussed on the internet. Saying it must be astroturfing is reductive

[deleted]

> It’s apparent if you watch the discussions across platforms, there are obvious shared talking points that come in waves.

How do you know what is "shared talking points" vs "humans learning arguments from others" and simply echoing those? Unless you work at one of the social media platforms, isn't it short of impossible to know what exactly you're looking at?

> there is a lot of coordinated astroturfing.

Interesting. Are you saying all the concerns raised by the proponents of ID verification are invalid and meritless? For example,

1. Foreign influence campaigns

2. Domestic influence campaigns

3. Filtering age-appropriate content

I’m sure there are many other points with various degree of validity.

  One of the huge reasons for the First Amendment is to ensure that people are able to counter lies uttered in the public sphere with truth.

> there is a lot of coordinated astroturfing. It’s apparent if you watch the discussions across platforms, there are obvious shared talking points that come in waves.

Is that really evidence of astroturfing? If we're in the middle of an ongoing political debate, it doesn't seem that far fetched for me that people reach similar conclusions. What you're hearing then isn't "astro-turfing" but one coalition, of potentially many.

I often hear people terrified that the government will have a say on what they view online, while being just fine with google doing the same. You can agree or disagree with my assesment, but the point is that hearing that point a bunch doesn't mean it's google astroturfing. It just means there's an ideology out there that thinks it's different (and more opressive seemingly) when governments do it. It means all those people have a similar opinion, probably from reading the same blogs.

More than a few companies. Nothing would allow advertisers to justify raising ad rates quite like being able to point out that their users are real rather than bots.

"A few"?

"Real" user verification is a wet dream to googlr, meta, etc. Its both a ad inflation and a competive roadblock.

The benefits are real: teens are being preyed upon and socially maligned. State actors and businesses alike are responsible.

The technology is not there nor are governments coordinating appropiate digital concerns. Unsurprising because no one trusts gov, but then implicitly trust business?

Yeah, so obviously, its implementation that will just move around harms.

> there are obvious shared talking points that come in waves.

Groups of people who wake up at the same time of the day often have a tendency to be from a similar place, hold similar values and consume similar media.

Just because a bunch of people came to the same conclusion and have had their opinions coalesce around some common ideas, doesn't mean it's astroturfing. There's a noticeable difference between the opinions of HN USA and HN EU as the timezones shift.

I think we should be careful of writing off this sea change as simple professional influence campaigns. That kind of thinking is just what got Trump to the Whitehouse, and is currently getting the immigrants rounded up.

Things that didn't seem likely to have broad support previously, now are seen as acceptable. In the 90's no one could envision rounding up immigrants. No one could envision uploading an ID card to use ICQ. No one could envision the concept of DE-naturalization or getting rid of birthright citizenship.

Today, in the US for instance, there are entire new generations of people alive. And many, many people who were alive in the 90's are gone. Well these new people very much can envision these things. And they seem to have stocked the Supreme Court to make all these kinds of things a reality.

All because the rest of us keep dismissing all of this as just harmless extreme positions that no one in society really supports. We have to start fighting things like this with more than, "It's not real."

[deleted]

You are missing the age/ID verification tech companies, who profit from violating privacy here. They have a strong incentive to try and convince/trick governments into legally requiring their services.

When anonymity is outlawed, then only outlaws will be anonymous.

I like this take. Ultimately the only people responsible for what kids consume are the parents. It’s on them to control their kids’ internet access, the government has no place in it. If you want to punish someone for a child being exposed to inappropriate content, punish the negligence of the parents.

I've thought the same.

At least here in US: Google/Apple device controls allow app to request whether user meets age requirements. Not the actual age, just that the age is within the acceptable range. If so, let through, if not, can't proceed through door.

I know I am oversimplifying.

But I like this approach vs. uploading an ID to TikTok. Lesser of many evils?

This also means the only operating systems allowing access to the internet will be these with the immense surveillance and ad-infested.

It doesn't sound simple. Now there needs to be some kind of pipeline that can route a new kind of information from the OS (perhaps from a physical device) to the process, through the network, to the remote process. Every part of the system needs to be updated in order to support this new functionality.

now?

Seems like these articles and the subsequent top replies saying

"use a token from the device so the ID never leaves, this is way better right!"

This is the true objective. They actually want DEVICE based ID.

I want LESS things that are tied to me financially and legally to be stolen when(not if) these services and my device are compromised.

This is what the LLMs are actually good for.

If you dig into the CEO of the The Age Verification Providers Association (AVPA), he has spent years going out of his way to spam pro-age verification propaganda across random sites like Techdirt and Michael Geist's blog.

Its not unreasonable to assume that he would seek to automate his bullshit.

See here for some examples:

https://www.techdirt.com/2022/08/26/who-would-benefit-from-c...

https://www.michaelgeist.ca/2025/10/senate-bill-would-grant-...

Unless you live in North Korea, no there is not. This is pure conspiracy theory.

> and still there's no mechanism for privacy friendly approval for adults apart from sending over the whole ID. Of course this is a huge failure of governments but probably also of W3C

I consider it a huge success of the Internet architects that we were able to create a protocol and online culture resilient for over 3 decades to this legacy meatspace nonsense.

> That being said, this is a 1 bit information, adult in current legislation yes/no.

If that's all it would take to satisfy legislatures forever, and the implementation was left up to the browser (`return 1`) I'd be all for it. Unfortunately the political interests here want way more than that.

SSO and passkeys don't solve adult verification. I don't see how this problem is embarrassing for the www - it's a hard problem in a socially permissible way (eg privacy) that can successfully span cultures and governments. If you feel otherwise, then solutions welcome!

I think that not doing partial-identity checks invite bot noise into conversations. We could have id checks that only check exactly what needs to be checked. Are you human? Are you an adult? And then nothing else is known.

> We could potentially do ID checks that only show exactly what the receiver needs to know and nothing else.

A stronger statement: we know how to build zero-knowledge proofs over government-issued identification, cf. https://zkpassport.id/

The services that use these proofs then need to implement that only one device can be logged in with a given identity at a time, plus some basic rate limiting on logins, and the problem is solved.

[deleted]

> Back in the day, it was very clear that the second problem was far worse than the first.

This is still the case. The difference now is that the astroturfed bot accounts are pushing for fascism (I.E., the second problem).

The difference is that at the strip club, you show your ID to the bouncer, who makes sure its valid and that the photo matches your face, and then forgets all about it. Online, that data is stored forever.

The principle of online ID checks is completely sound; the implementation is not.

Until sex, sexuality, and sexual fantasies no longer have any potential stigma associated with them, any sort of verification to view mature content is unacceptable.

That sort information can permanently destroy peoples lives.

People are saying privacy is dead for decades, yet privacy continually declines more and more. And there's still quite a ways it can go from here. The defeatist attitude only helps further erosion.

Too may in tech for the money that’s for sure. No fundamentals, just drilled leetcode.

Many of the things you mention are also tools that many people use in a professional context which mostly doesn't work if you try to be anonymous. Yes, some people choose to be pseudonymous but that mostly doesn't work if your real-life and virtual identities intersect, such as attending conferences or company policies that things you write for company publications be under your real name.

> Better to let a hundred Black men be hanged than to let another White woman be radicalized or abused or misled by their predation.

This is how you sound to me.

> “privacy”

Why did you put "privacy" in scare quotes?

I don't subscribe to this. I value my privacy more.

No. There are significant numbers of real people who genuinely support this type of thing. Dismissing it as "bots" or a "false narrative" leads to complacency that allows this stuff to pass unchallenged.

[deleted]

Both Google and Facebook have enforced real identity and its not improved the state of peoples comments at all. I don't think anonymity particular changes what many people are willing to say or how they say it, people are just the creature you see and anonymity simple protects them it doesn't change their behaviour all that much.

I think opt-in ID is great. Services like Discord can require ID because they are private services*. Furthermore, I think that in the future, a majority of people will stay on services with some form of verification, because the anonymous internet is noisy and scary.

The underlying internet should remain anonymous. People should remain able to communicate anonymously with consenting parties, send private DMs and create private group chats, and create their own service with their own form of identity verification.

* All big services are unlikely to require ID without laws, because any that does not will get refugees, or if all big services collaborate, a new service will get all refugees.

The problem is this is only true for values of "reasonable" that are "unlikely to be viewed in a negative light by my government, job, or family; either now or at any time in the future". The chilling effect is insane. There was a time in living memory when saying "women should be able to vote" was not a popular thing.

I mean, this is _literally the only thing needed_ for the Trump admin to tie real names to people criticizing $whatever. Does anyone want that? Replace "Trump" with "Biden", "AOC", "Newsom", etc. if they're the ones you disagree with.

> I think people will be more reasonable if they weren't anonymous.

I've seen people post appalling shit on fuckin LinkedIn under their own names.

Strong moderation keeps Internet spaces from devolving into cesspools. People themselves have no shame.

That's what I believe as well. Anons have turned the internet into an unsafe cesspit. It's the opposite of a "town square."

If they are so intent on disobeying what makes you they won't just use a VPN or ask someone older to login for them (or any other workaround, depending on the technology)?

I think the tech crowd appreciates how hard it is to lock down access to tech, since they were the kids bypassing the restrictions

You are the one handing them those screens.

[deleted]

> Tons of data also showing higher suicide rates

Here is the data:

https://www.cdc.gov/mmwr/volumes/66/wr/mm6630a6.htm

and the more recent data:

https://afsp.org/suicide-statistics/

I was a child of the 90's, where the numbers were higher, where we had peak PMRC.

> depression rates

Have these changed? Or have we changed the criteria for what qualifies as "depression"? We keep changing how we collect data, and then dont renormalized when that collection skews the stats. This is another case of it, honestly.

> eating disorders

Any sort of accurate data collection here is a recent development:

https://pmc.ncbi.nlm.nih.gov/articles/PMC7575017/

> never ending cat and mouse game with my kids (especially my son)

Having lived this with my own, I get it. Kids are gonna be kids, and they are going to break the rules and push limits. When I think back to the things I did as a kid at their age, they are candidly doing MUCH better than I, or my peer group was. Drug use, Drinking, ( https://usafacts.org/articles/is-teen-drug-and-alcohol-use-d... ) teen pregnancy are all down ( https://www.congress.gov/crs-product/R45184 )

The only thing this is going to achieve is to bar unverified users form the vaguely reputable and mainstream places into the small, completely unregulated spaces, sites and networks.

I presume you prefer hard requirement of IDs.

I'm saying this will make kids go to i2p, tor, to the obscure fora in countries not giving a f* about western laws.

As a parent to the teens and teens, THIS makes me concerned. The best vpns are very hard to detect (I know, I try it myself).

So you basically want to prevent your children from doing what you did at their age?

And you don't mind that freedoms of all of us would be restricted as a result?

And then, we keep blaming boomers for those restrictions.

> When you’re older and have children—especially preteens and teenagers—you want those barriers up, because you’ve seen just how fucked up some children can get after overexposure to unhealthy materials.

You mean that you shirk your responsibility to teach your child how to protect themself on the Internet, and instead trust the faceless corp to limit their access at the cost of everyone's privacy? How does this make sense...

I don't quite get your point. The signer is blind to what it signs, but that does not mean there is no identity per se.

A signed key is still unique.

- You can still check that user 1 and user 2 don't use the same key.

- You can still issue a challenge to the user every 10 days to make sure he has indeed access to his key and not just borrowed it.

- You can still enforce TPM use of said keys, so that they cannot be extracted or distributed online, but require a physical ID card.

- You can still do whatever revocation system you want for the cases when a key is stolen or lost.

Really the "blind" nature of the signature changes nothing to what you would normally do with a PKI.

> Why don't we just get a key from the government?

Because one could argue that the government could keep track of the keys they give away.

That is where blind signing is interesting. The government can sign _your_ key without knowing it.

You do see it in policy discussions from officials in the EU. You probably don't see it in policy discussions in the US because the groups that should be telling US officials how to do age verification without giving up anonymity are not doing so.

What third party do they require you to blindly trust?

They are one time use by definition. You can't know they are used by respectful owner, but the idea is you have to provide a new token every few weeks/months. Much like when using other services nowadays, I mean even Gmail will have you authorize every few months even if you didn't log out. Plus you fine/prosecute those who sell/misuse theirs. Just like you prosecute adults who buy kids alcohol or other substances.

Obvious flaws are OK. I absolutely hate the Nirvana fallacy that you people think is acceptable here, while hundreds of millions of kids suffer from serious developmental issues, as reported left and right by all kinds of organizations and governments themselves.

Astroturfing will still be a thing after ID. What, you think the government is going to go after their own bot armies?

This sounds a lot like the pro-gun rhetoric of bogging down the "good" gun owners but not doing enough to the "bad" gun owners.

> At this point the harms to children from social media use are very well documented

Our middle child (aged 12) has an Android phone, but it has Family Link on it.

Nominally he gets 60 mins of phone time per day, but he rarely even comes close to that, according to Family Link he used it for a total of 17 minutes yesterday. One comes to the conclusion that with no social media apps, the phone just isn't that attractive.

He seems to spend most of his spare time reading or playing sports...

We need to destroy privacy and anonymity online for the noble goal of the government banning teenagers from looking at Twitter and Instagram?

If it's a concern, parents can prevent or limit their children's use. If all this were being done to prevent consistent successful terrorist attacks in the US with tens of thousands of annual casualties, I'd say okay maybe there is an unavoidable trade-off that must be made here, but this is so absurd.

Do you genuinely believe the major tech companies and gov reps actually want to close their addiction revenue taps?

I am though. In the world I live in I already have to give power over myself to corporations and a government, I don’t buy this as an argument for continuing to let internet companies skirt existing laws.

newer passports and driver licenses do.

I want to sincerely ask whether you read my post, because your response is so unrelated I believe you might accidentally be responding to another post? If so, please ignore the rest, which is only intended in the case where you are actually responding to what I wrote.

Your system seems to address none of the issues I listed. For example, I argue that one difficulty is in the fact that these systems would be highly phishable -- a property that is present in your described "easy" solution. Your system trains users to become accustomed to being pestered by pop up windows that ask to see their ID and use their camera. Congrats, I can now trivially make a pop up a window that looks like this UI and use it to steal your info, as the user will just respond on auto-drive, as we have repeatedly shown both in user studies and in our own lived experiences. I also explained how a system like this would assist in the practice of trapping migrant workers by confiscating their government credentials [1]. This is a huge problem today in Asia, and one of the few outlets captive workers can use to escape this control is the internet -- a "loophole" your system would dutifully close for these corporations.

I am happy to have a discussion about this -- it's how we come up with new solutions! But that requires reading and responding to the concerns I brought up, not assuming that my issue is that I can't imagine implementing a glorified OAuth login flow.

1. There's tons of articles about this, here is one of the first ones that comes up on Google: https://www.amnesty.org/en/latest/news/2025/05/saudi-arabia-...

More like fear of exposing their children to anything other than carefully curated "conservative" ideas.

That works until minor-removing-flag proxys start popping up.

ZKP is integrated in Google Wallet and has been running in production for a few months. We (Google) released the ZKP library as open source last year (this is the library used in production).

Announcement: https://blog.google/innovation-and-ai/technology/safety-secu...

Library: https://github.com/google/longfellow-zk

Paper: https://eprint.iacr.org/2024/2010

Afterwards, folks from ISRG produced an independent implementation https://github.com/abetterinternet/zk-cred-longfellow with our blessing and occasional help. I don't know if the authors would call it "production ready" yet, but it is at least code complete, fast enough, and interoperable with ours.

Helping parents would be useful rather than telling them to "just do it".

The pain in trying to set up fortnite and minecraft online as parents is unsummounted, involving creating half a dozen accounts with different companies just to get some form of control. Far easier to just give them an adult account.

The process to create a child account should be seamless and no harder than creating an adult account.

It is a valid alternative avenue towards a legal implementation of "child safeguarding" IMO. Someone pays for the internet, that person is responsible for what minors do on their connection. If they have trouble doing that we can use normal societal mechanisms like idk social services, education, and government messaging.

This is the way it works with e.g. alcohol and cigarettes, most places. Famously kids can just get a beer from a random fridge and chug it, but someone 16/18/21+ will be responsible and everyone seems mostly fine with this.

every contract by every ISP i have ever signed has required me to be over the age of 18 to enter the contract.

or goes outside at all. free wifi is everywhere

Yep, it is easy to circumvent, and the silver lining of all of this is that regulators don't care. They care that these companies made an effort in guessing.