A long, long time ago (within the past ten years), I had to verify my age with a site. They didn't ask for my ID, or my facial scan, but instead asked for my credit card number. They issued a refund to the card of a few cents, and I had to tell them (within 24hr) how much the refund was for, after which point they'd issue a charge to claw it back. They made it clear that debit and gift cards would not be accepted, it must be a credit card. So I grabbed my Visa card, punched in the numbers, checked my banking app to see the +$0.24 refund, entered the value, got validated, and had another -$0.24 charge to claw it back.
Voila, I was verified as an adult, because I could prove I had a credit card.
The whole point of mandating facial recognition or ID checks isn't to make sure you're an adult, but to keep records of who is consuming those services and tie their identities back to specific profiles. Providers can swear up and down they don't retain that information, but they often use third-parties who may or may not abide by those same requests, especially if the Gov comes knocking with a secret warrant or subpoena.
Biometric validation is surveillance, plain and simple.
That was, in fact, what COPA mandated in the US in 1998, and SCOTUS struck it down as too onerous in Ashcroft v. American Civil Liberties Union, kicking off the last 20 years of essentially completely unregulated Internet porn commercially available to children with nothing more than clicking an "I'm 18" button. At the time, filtering was seen as a better solution. Nowadays filtering is basically impossible thanks to TLS (with things like DoH and ECH being deployed to lock that down even further), apps that ignore user CAs and use attestation to lock out owner control, cloud CDNs, TLS fingerprinting, and extreme consolidation of social media (e.g. Discord being for both Minecraft discussions and furry porn).
Despite TLS, filtering is easier to set up now than it was in 1998. You might have to block some apps in the short term, but if you suggest apps can avoid age verification if they stop pinning certificates then they'll jump at the option.
let's just skip straight to the logical conclusion, buddy. no amount of "web" or "discord" regulation stops porn consumption. the statistic of "minors viewing porn" wouldn't be affected even slightly, even if all of the regulation in question here were passed to the fullest extent. this is because people can just download and run whatever software they want, and communicate with any party they want. what you want is for people to not have control over their computers/communications made from them. people talk about a middle ground, but there is none, because you will always just notice that the "minors viewing porn" statistic is not affected by your latest law, until you have absolute control over civilian communications. this is completely against what anyone in the open source community let alone democracy, stand for.
This has already come up before the Supreme Court, with the argument that filtering was a less invasive technique to fulfill the government’s legitimate interests back in the early 2000s.
That ship has sailed. Even the opposition admits that trying to get everyone to filter is not going to work and is functionally insignificant. The only question is whether age verification is still too onerous.
Is card verification a lesser form of surveillance? And there’s a good chance your card issuer (or your bank, one hop away from it) has your biometrics anyway.
I don’t like either of them… (And why does YouTube ask me to verify my age when I’m logged into a Google account I created in 2004?)
Oh, make no mistake, I hate both of these. I loathe this forced surveillance of everyone because parents can't be bothered to supervise and teach their children about the most primary of human animal functions (sex), regardless of their reasons for it.
I take great pains to keep minors out of my adult spaces, and don't have to resort to anything as invasive as biometric surveillance or card charges. This notion that the entire world should be safe for children by default, and that anything and everything adult should be vilified and locked up, is toxic as all get-out and builds shame into the human animal over something required for the perpetuation of the species.
The adult content isn't the problem, it's the relationship some folks have towards it that's the issue. That's best corrected by healthy intervention early on, not arbitrary age checks everywhere online that mainly serve as an exercise of power by the ruling class against "undesirable" elements of society.
> Is card verification a lesser form of surveillance?
It's not just about which is worse surveillance, it's also simply that everyone has a face but not everyone has a credit card. I'm not deemed creditworthy in this country I moved to (never had a debt in my life but they don't know that) so the card application got rejected. Do we want to upload biometrics or exclude poor and unknown people from "being 18"? I really don't know which is the lesser poison.
> (And why does YouTube ask me to verify my age when I’m logged into a Google account I created in 2004?)
I'd guess they didn't want to bother with that edge case. Probably <0.01% of active YouTube accounts are >18 years old.
What you describe is called QES (Qualified Electronic Signature) and is still widely used to validate identities.
Unfortunately it is not enough to prove an identity (you could be using the credit card of your traveling uncle) and regulation requires for it to be combined with another proof.
I see a lot of people associating identity verification with evil intent (advertising, tracking).
I work in this domain and the reality is a lot less interesting: identity verification companies do this and only this, under strict scrutiny both from their customers and from the regulators.
We are not where we want to be from a privacy standpoint but the industry is making progress and the usage of identity data is strictly regulated.
Paypal used this method as identity (or at least account) verification back in the very early days, IIRC. They made a very small deposit and I think they just let you keep it but I can't recall that for sure.
Credit cards are trivially traceable to your legal identity, since anti-money-laundering and know-your-customer laws require that credit card companies keep this information. The government can subpoena this information just as easily as they could with pictures of your face or ID.
What if you don't have a credit card? This solves nothing; the good way to do this is a system like the Polish "MojeID" (my ID) [1]. This works in the following way: a site needs to verify information X, then it redirects users to a bank (that has to provide this service), they log in over there and then agree to let the bank know whatever it was requested - it could be only one piece of information, birth date.
This is a good solution, as banks are obliged to provide a free bank account for anyone (there is EU regulation on that), this is very safe, and it gives users full information about what data the third party requested.
1. Your old credit card solution needs a credit card. So you exclude out the poor, bad credit, etc.
2. Parents will help kids bypass checks like that.
3. It can be bypassed by a half-smart 13-year-old who can access an app on a phone that will give them the card details and be able to see transactions.
Any verification that doesn't actually verify you via proper means is easy to fake. Hell, we can fake passport/id photos easy enough so now we have to jump on calls with the passport and move it around.
The days of the wild west of the internet are long gone. It's time to realise that it's so important that it deserves the same level of verification we give to in person activities. Someone seeing you and/or your id. It's the only thing that has the best chances of not being bypassed with ease.
> They issued a refund to the card of a few cents, and I had to tell them (within 24hr) how much the refund was for, after which point they'd issue a charge to claw it back.
This was one of the methods that CompuServe used back in the 1980's, though using a checking account.
It's sad that so many aspects of technology have completely failed to improve in half a century.
This is not about tracking, having your biometrics means they can resell the data to other providers (e.g. palantir or some other hellish enterprise). With that, the places and means of following you in real time are practically limitless...
There have been so many dystopian movies about this kind of tech, it's a good insight of what comes next.
> Biometric validation is surveillance, plain and simple.
Eh. It's just easier and cheaper. I'll bet Discord has outsourced this to one of those services that ask you for a face scan when you sign up to [some other service].
People are less likely to criticize the government, or even participate in political debate, if their online identities are known by the government. Governments like obedient, scared citizens.
The only ethical response to laws like this, is for websites and apps to terminate operations completely in countries that create them. Citizens who elect politicians without respect for human rights and privacy don't really deserve anything nice anyway.
Providing identity and access services at scale is certainly a few people's next big plan, and it appears they've managed to sell the representatives of their own states on it first.
This sort of thing can't happen except through the largest tech companies in the world, who are coincidentally already poised to be the world's official providers of digital identity, and private internet enclaves.
Look at what Microsoft has done with Windows - mandatory minimum TPM to install and a Microsoft account registration for a local user. Try using an Apple iPad or iPhone without an iCloud account or adding a payment method. Google wants you to sign in with them, everywhere, aggressively. Cloudflare has been the web's own private gatekeeper for the last decade. Facebook's whole product is identity. IBM has sold surveillance, IAM, and facial recognition services for decades.
Instead of a clunky IP-based Great Firewall, imagine being able to render VPNs ineffective and unnecessary everywhere on the planet by a person's (verified national) identity. Click. Block and deactivate all members of group "Islamic State" on your platform. Click. Allow IDs registered to this ZIP Code to vote in this election. Click. CortanaSupreme, please dashboard viewer metrics by usage patterns that indicate loneliness, filtering for height, last assessed property values, and marriage status, and show their locations.
Currently, laws don't require age verification, just that ineligible parties are excluded. There's no legal requirement to card someone before selling them alcohol, and there's no reason anyone would need a depth map of someone's face when we could safely assume that the holder of a >5 year old email account is likely to be 18 if 13 is the minimum age to register with the provider.
Shifting the onus to parents to control what their kids do on the internet hasn't worked. However, that's a bare sliver of what's at stake here.
The anonymous, unchecked Internet got us where we are today. It was a great experiment in worldwide communication, but has now been converted into a weapon for the same type of authoritarians that previously used traditional media and propaganda channels. AI is only accelerating the possibilities for abuse. Critical thinking skills taught from a young age is the only defense.
That’s a very strange take on governments, treating them as a singular entity. A government that deserves that name is first and foremost an elected set of representatives of the constituents, and thus like citizens that vote for them again, act in their interests.
If the government is not working like that, you have an administrative problem, not a societal one. A state is its population.
Very dangerous thinking. Unless each and every citizen has approved the elected "representative" and every decision they made (which will never happen), you cannot assimilate the state and the population. The state has to be considered a separate entity, one which operates beyond the common man's thinking.
Oh that's not true at all. A state is an institution which is influenced by its population, but if anything, the attitudes of the population are more a product of the state, its constituent political parties, and the associated media apparatuses than of a freestanding "will of the people."
To give a trivial counterexample, if the American state "is" its population, then why does your presidential vote only matter if you live in a swing state, and why can you only vote for one of two candidates? Surely your vote should reflect all of your policy preferences and have equal influence no matter where you live.
> Citizens who elect politicians without respect for human rights and privacy don't really deserve anything nice anyway.
Unfortunately things don't always work out that cleanly:
- Sometimes you vote for the pro-freedom candidate, but your candidate loses.
- Sometimes there are only two dominant candidates, and both disrespect human rights.
- Sometimes one candidate disrespects human rights in some particular way, but the other candidate has different, bigger problems, so you vote for the lesser of two evils.
- Sometimes a candidate says one thing while campaigning, and then when elected does something different.
Aside from the privacy nightmare, what about someone who is 18 and just doesn't have the traditional adult facial features? Same thing for someone who's 15 and hit puberty early? I can imagine that on the edges, it becomes really hard to discern.
If they get it wrong, are you locked out? Do you have to send an image of your ID? So many questions. Not a huge fan of these recent UK changes (looking at the Apple E2E situation as well). I understand what they're going for, but I'm not sure this is the best course of action. What do I know though :shrug:.
Wise (nee Transferwise) requires a passport style photo taken by a webapp for KYC when transferring money. I was recently unable to complete that process over a dozen tries, because the image processing didn't like something about my face. (Photos met all criteria.)
On contacting their support, I learned that they refused to use any other process. Also it became apparent that they had outsourced it to some other company and had no insight into the process and so no way to help. Apparently closing one's account will cause an escalation to a team who determines where to send the money, which would presumably put some human flexibility back into the process.
(In the end I was able to get their web app to work by trying several other devices, one had a camera that for whatever reason satisfied their checks that my face was within the required oval etc.)
> On contacting their support, I learned that they refused to use any other process.
I suspect this won't help you, but I think it's worth noting that the GDPR gives people the right to contest any automated decision-making that was made on a solely algorithmic basis. So this wouldn't be legal in the EU (or the UK).
Hah, indeed, a similar experience here. The desktop option is worse, trying to get a webcam to focus on an ID card took forever. The next step wanted a 3rd party company to do a live webcam session, no thanks! Closed the account. Or at least tried, after a several step nag process, they still keep the email blocked to that account, in case you change your mind...
There seems no way to push back against these technologies. Next it will be an AI interview for 'why do you transfer the money?'
Also, key point in the framing, when was it decided that Discord is supposed to be the one enforcing this? A pop-up saying "you really should be 18+" is one thing, but this sounds like a genuine effort to lock out young people. Neither Discord nor a government ratings agency should be taking final responsibility for how children get brought up, that seems like something parents should be responsible for.
When a corner shop sells cigarettes to minors, who's breaking the law?
When a TV channel broadcast porn, who gets fined?
These are accepted laws that protect kids from "harm", which are relatively uncontroversial.
Now, the privacy angle is very much the right question. But as Discord are the one that are going to get fined, they totally need to make sure kids aren't being exposed to shit they shouldn't be seeing until they are old enough. In the same way the corner shop needs to make sure they don't sell booze to 16 year olds.
Now, what is the mechanism that Discord should/could use? that's the bigger question.
Can government provide fool proof, secure, private and scalable proof of age services? How can private industry do it? (Hint: they won't because it's a really good source of profile information for advertising.)
> This is over-reach. Both in the UK and Australia
2/3 of Australians support minimum age restrictions for social media [1] and it was in particular popular amongst parents. Putting the responsibility solely on parents shows ignorance of the complexities of how children are growing up these days.
Many parents have tried to ban social media only for those children to experience ostracisation amongst their peer group leading to poorer educational and social developmental outcomes at a critical time in their lives.
That's why you need governments and platform owners to be heavily involved.
It almost certainly is overreach, but locking young people out of porn is hardly a new concern. We have variants of this argument continuously for decades. I'm not sure there is a definitive answer.
There's a SCOTUS case in FSC v. Paxton that could very well decide if age verification is enforced in the US as well so sadly this is just the beginning.
It's a good thing to think about. I knew a guy in high school who had male pattern baldness that started at 13 or 14. Full blown by the time he was 16. Dude looked like one of the teachers.
Same in my drivers ed at 16, guy had a mans face, large stocky build, and thick full beard. I once was talking to a tall pretty woman who turned out to be a 12 year old girl. And I have a friend who for most of his 20's could pass for 13-14 and had a hell of a time getting into bars.
This facial thing feels like a loaded attempt to both check a box and get more of that sweet, sweet data to mine. Massive privacy invasion and exploitation of children dressed as security theater.
It's not even edge cases - I was a pretty young looking woman and was mistaken for a minor until I was about 24-25. My mother had her first child (me) at 27 and tells me about how she and my father would get dirty looks because they assumed he was some dirty old man that had impregnated a teenager. (He was 3 years older than her).
I think, ironically, the best way to fight this would be to lean on identity politics: There are probably certain races that ping as older or younger. In addition, trans people who were on puberty blockers are in a situation where they might be 'of age' but not necessarily look like an automated system expects them to, and there might be discrepancies between their face as scanned and the face/information that's shown on their ID. Discord has a large trans userbase. Nobody cares about privacy, but people make at least some show of caring about transphobia and racism.
> So many questions.
Do they keep a database of facial scans even though they say they don't? If not, what's to stop one older looking friend (or an older sibling/cousin/parent/etc.) from being the 'face' of everyone in a group of minors? Do they have a reliable way to ensure that a face being scanned isn't AI generated (or filtered) itself? What prevents someone from sending in their parent's/sibling's/a stolen ID?
Seems like security theater more than anything else.
I don't think they make much of a show of caring about trans rights in the UK right about now, unfortunately. In the US you can make a strong case that a big database of faces and IDs could be really dangerous though I think.
I witnessed the Better Off Ted water fountain skit play out in real life once, it was incredibly awkward. I was helping my buddy and his black friend and his wife set up accounts on online casinos in Michigan for the promos/refer-a-friend rewards. Some of the sites require the live video facial verification and we were doing it in a darkly lit space at night. It worked instantly and without issue for my friend and me but oh man, many many attempts later and many additional lights needed to get it to work for his friends.
With the UK currently battling Apple, Discord has no chance of not getting a lawsuit.
Ofcom is a serious contender in ruling their rules especially where Discord is multi-national that even "normies" know and use.
And if they got a slap of "we will let you off this time" they would still have to create some sort of verification service to please the next time.
You might as well piss off your consumers, lose them whatever and still hold the centre stage than fight the case for not. Nothing is stopping Ofcom from launching another lawsuit thereafter.
> Is there a market for leaked facial scans?
There's a market for everything. Fake driver licenses with fake pictures have been around for decades, that would be no different.
> what about someone who is 18 and just doesn't have the traditional adult facial features?
This can be challenging even with humans. My ex got carded when buying alcohol well into her mid thirties, and staff at the schools she taught at mistook her for a student all the time.
I grew a beard when I was younger because I was tired of being mistaken for a highschooler. It's quite annoying to have people assume you are 15 when you're 20. Still regularly carded in my 30s.
No it's just nonsense you invented because you were unwilling to do any research.
The actual situation was that the board refused classification where an adult was intentionally pretending to be an underage child not that they looked like one.
I don't think the problem is that young people are finding porn on the internet. There is a problem, though, and it has to deal with psychological warfare on attention.
Formats like shorts or news feeds to you algorithmically with zero lag are the problem. It makes for the zombification of decision making. Endless content breaks people down precisely because it's endless. I think if you add age verification but don't root out the endless nature, you will not really help any young person or adult.
When you look at people with unhealthy content addiction, it is always a case of excess and not necessarily type of content. There are pedophiles but honestly, we have had that throughout all time, with and without the internet. But the endless feeding of the next video robs people of the ability to stop by mentally addicting them to see just one more. And because content is not really infinite, endless feeds invariably will feed people with porn, eating disorders, and other "crap" in quantities that slowly erode people.
There was just another article on HN about how Snapchat is harming children at an industrial scale. Not just giving them access to drugs, violence, pedophiles, and extortionists, but actively connecting them with those accounts. Kids have died from fentanyl or committed suicide from bullying and harassment.
Porn addiction is bad but it seems there are even worse things happening.
> The social media company requires users to take a selfie video on their phone and uses AI to estimate the person's age.
What I did not see in this article was anything about how AI can tell a 13 year old from a 12.9 year old with confidence. This seems unlikely to me.
I agree with the article's implication that websites will now want a scan of everyone's faces forever. Their insistence that they won't store the face scans is like one of those cute lies that kids tell, and adults aren't fooled by. Either you're outright lying, or you're using the loophole of not storing the image, but rather storing a set of numbers, derived from the image, which act as a unique fingerprint. Or, you're sending it to a third party for storage. Or something like that. But you're definitely keeping track of everyone's faces, don't try to pull a fast one on me young lady, I've been around the block before.
I would like to think that there is a solution that can be engineered, in which a service is able to verify that a user is above an appropriate age threshold, while maintaining privacy safeguards, including, where relevant, for the age-protected service not to be privy to the identity of the user, and for the age verification service to not be privy to the nature of the age-protected service being accessed.
In this day and age, of crypto, and certificates, and sso, and all that gubbins, it's surely only a matter of deciding that this is a problem that needs solving.
(Unless the problem really isn't the age of the user at all, but harvesting information...)
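The split asked for above (the verifier knows who you are but not where the proof is used; the site learns "over 18" but not who you are) is what a blind signature provides. The following is an added sketch, not part of the thread and not the code of any real eID scheme: it uses textbook RSA with a constructed toy key, and the names `Issuer`, `User`, `Site` and `CLAIM` are hypothetical.

```python
"""Toy blind-signature age token (textbook RSA, illustration only)."""
import hashlib
import math
import secrets

# Constructed demo key built from two Mersenne primes. Far too small for real use.
P = 2**107 - 1
Q = 2**127 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent

CLAIM = b"age>=18"  # the only attribute a token asserts (hypothetical label)


def digest(serial: bytes) -> int:
    """Map claim + serial into Z_N (toy full-domain hash, not a real padding scheme)."""
    h = hashlib.sha256(CLAIM + b"|" + serial).digest()
    return int.from_bytes(h, "big") % N


class Issuer:
    """Age-verification service: knows the user, never sees the final token."""

    def __init__(self):
        self.seen_blinded = []  # everything the issuer is in a position to log

    def sign_blinded(self, user_is_adult: bool, blinded: int) -> int:
        # The identity/age check itself happens out of band (assumption).
        if not user_is_adult:
            raise PermissionError("age check failed")
        self.seen_blinded.append(blinded)
        return pow(blinded, D, N)


class User:
    """Holds the random serial and the blinding factor; both stay on the device."""

    def __init__(self):
        self.serial = secrets.token_bytes(16)
        while True:
            self.r = secrets.randbelow(N - 2) + 2
            if math.gcd(self.r, N) == 1:
                break

    def blind(self) -> int:
        # m * r^e mod N: the issuer cannot recover m without r.
        return (digest(self.serial) * pow(self.r, E, N)) % N

    def unblind(self, blind_sig: int) -> tuple:
        # (m * r^e)^d = m^d * r, so multiplying by r^-1 leaves m^d.
        sig = (blind_sig * pow(self.r, -1, N)) % N
        return (self.serial, sig)


class Site:
    """Age-restricted service: verifies the signature, learns no identity."""

    def __init__(self):
        self.spent = set()  # one-time use: a serial is accepted once

    def accept(self, token: tuple) -> bool:
        serial, sig = token
        if pow(sig, E, N) != digest(serial):
            return False  # not signed by the issuer
        if serial in self.spent:
            return False  # replayed token
        self.spent.add(serial)
        return True


if __name__ == "__main__":
    issuer, site, user = Issuer(), Site(), User()
    token = user.unblind(issuer.sign_blinded(True, user.blind()))
    print("first presentation accepted:", site.accept(token))
    print("replay accepted:", site.accept(token))
    print("issuer saw the token digest:", digest(token[0]) in issuer.seen_blinded)
```

The token is a bearer credential: the site's spent-serial set stops the same token being presented twice, but nothing in the signature binds it to the person who passed the issuer's check.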
Unfortunately, no amount of blockchains and zero-knowledge proofs can compensate for the fact that 15 year old has a 18 year old friend. Or the fact that other 15 year old looks older than some 20 year olds. Or the fact that other 15 year old's dad often leaves his wallet, with his driving license, unattended.
Over the next five years, you can look forward to a steady trickle of stories in the press about shocked parents finding that somehow their 15 year old passed a one-time over-18 age verification check.
The fact compliance is nigh-impossible to comply with is intentional - the law is designed that way, because the intent is to deliver a porn ban while sidestepping free speech objections.
Already exists in a lot of places. German national IDs for like 10 years or something like that have an eID feature. It's basically just a public/private key signing scheme. The government and a bunch of other trusted public providers are able to issue identities, you can sign transactions with them or verify your age to commercial service providers, or transfer some data if that's required with your consent. (https://www.personalausweisportal.de/Webs/PA/EN/citizens/ele...)
Estonia and South Korea I think also have similar features on their IDs, it's already a solved problem.
Talking about it or explaining it is like pulling teeth; generally just a thorough misunderstanding of the notion....even though cryptographic certificates make the modern internet possible.
Provide easy to use on-device content filtering tools so parents can easily control what their children can access (there are a few ways to do this through law, like requiring it from OS providers or ISPs or just writing these tools directly).
To make it easy, Discord can provide their services under both adults.discord.com and minors.discord.com so parents can more easily block only the 18+ version of Discord.
Require personal responsibility from parents to decide what is appropriate for their child.
The problem is who pays to maintain the system. There are systems that allow you to share your age anonymously (among other things) and they’re already widely used in Europe but the system knows what you’re using it for since the second party pays for the information, and some accounting info is needed for the billing. It would be completely illegal for the system to use that info for anything else though.
> a service is able to verify that a user is above an appropriate age threshold, while maintaining privacy safeguards
AFAIU, the German electronic ID card ("elektronischer Personalausweis") can do this, but it is not widely implemented, and of course geographically limited.
The problem is that it is much easier to implement such a check in a way which lets the verification service link the site to the user, with no discernible difference to the end user.
e: I get the same feeling as I do reading about key escrow schemes in the Clipper chip vein, where nobody claimed it was theoretically impossible to have a "spare key" only accessible by warrant, but the resulting complexity and new threat classes [1] just was not worth it.
Transferring your age and a way to verify it to any third party is by definition a privacy violation. Doing so in a safe way is literally impossible since I don't want to share that information in the first place.
I feel like you could, theoretically, have a service that has an ID (as drivers license ID), perhaps operated by your government, that has an API and a notion of an ephemeral identifier that can be used to provide a digital attestation of some property without exposing that property or the exact identity of the person. It would require that the attestation system is trusted by all parties though, which is I think the core problem.
> Transferring your age and a way to verify it to any third party is by definition a privacy violation.
No it's not. Unless...
> Doing so in a safe way is literally impossible since I don't want to share that information in the first place.
...well then it is.
But it's not constructive to claim that proving your age to someone is by definition a privacy violation. If someone wants to prove their age to someone, then that's a private communication that they're entitled to choose to make.
It is true that if technology to achieve this becomes commonplace, then those not wishing to do so may find it impractical to maintain their privacy in this respect. But that doesn't give others the right to obstruct people who wish to communicate in this way.
Crypto comes up every time this topic is discussed but it misses the point.
The hard part is identifying with reasonable accuracy that the person sitting in front of the device is who they say they are, or a certain age.
Offloading everything to crypto primitive moves the problem into a different domain where the check is verifying you have access to some crypto primitive, not that it’s actually you or yours.
Any fully privacy-preserving crypto solution would have the flaw that verifications could be sold online. Someone turns 21 (or other age) and begins selling verifications with their ID because there is no attachment back to them, and therefore no consequences. So people then start imagining extra layers that would protect against this, which start eroding the privacy because you’re returning back to central verification of something.
I'm in the UK and discord has asked me to complete this check (but I haven't, yet). I can still use discord just fine, it just won't let me view any media it considers "adult".
I am an adult but refuse to let them scan my face as a matter of principle, so I've considered using https://github.com/hacksider/Deep-Live-Cam to "deepfake" myself and perform the verification while wearing a fake face. If it works, I'll write about it.
I suspect the endgame of this campaign is to have mandatory ID checks for social media. Police would have access to these upon court orders etc and be able to easily prosecute anyone who posts 'harmful' content online.
<tin-foil-hat> ultimately, i think the endgame is to require government ID in order to access internet services in general, a la ender's game. </tin-foil-hat>
Funnily enough, when the Philippines did this, it was decried as a violation of human rights [1]. But usually, media are so silent on such things I'd call them complicit. One already cannot so much as rent a hotel room anywhere in the EU without showing government ID.
That would not be unprecedented: The first major change by the Lee Myung-bak government was to require websites with over 100,000 daily visitors to make their users register their real name and social security numbers. - https://en.wikipedia.org/wiki/Internet_censorship_in_South_K...
I'm afraid the endgame is, all this activity tied to real identities will be repeatedly leaked, get used for blackmail, and by foreign intelligence agencies.
I don't think it would kill social media, but it'd make it more similar to Chinese social media. Essentially impossible to use for protests or criticism of things the government doesn't critiques on.
It ties real world ultraviolence with social media. It won't kill social media, just make it materially toxic. IIUC South Korea in 2000s had exactly this, online dispute stories coming from there were much worse than anything I had heard locally.
Why is the Internet any different than say, a porn or liquor store? Why are we so fuckin allergic to verification? I'll tell ya why- money. Don't pretend it's privacy.
there are two false equivalencies in your argument, as presented in response to GP:
1. ID checks are not the same as age verification.
2. a social media website is not the same as a porn website.
if you take the stance that social media sites should require ID verification, then i would furthermore point out that this is likely to impact any website that has a space for users to add public feedback, even forums and blogs.
Consolidation is the only tricky part that's new.
That ship has sailed. Even the opposition admits that trying to get everyone to filter is not going to work and is functionally insignificant. The only question is whether age verification is still too onerous.
I don’t like either of them… (And why does YouTube ask me to verify my age when I’m logged into a Google account I created in 2004?)
I take great pains to keep minors out of my adult spaces, and don't have to resort to anything as invasive as biometric surveillance or card charges. This notion that the entire world should be safe for children by default, and that anything and everything adult should be vilified and locked up, is toxic as all get-out and builds shame into the human animal over something required for the perpetuation of the species.
The adult content isn't the problem, it's the relationship some folks have towards it that's the issue. That's best corrected by healthy intervention early on, not arbitrary age checks everywhere online that mainly serve as an exercise of power by the ruling class against "undesirable" elements of society.
Yeah those checks are super annoying. The internet has been around long enough, mechanisms for this should exist.
And even in the smaller term, if I had to be 13 to make this account, and it has been more than 5 years, maybe relax?
It's not just about which is worse surveillance, it's also simply that everyone has a face but not everyone has a credit card. I'm not deemed creditworthy in this country I moved to (never had a debt in my life but they don't know that) so the card application got rejected. Do we want to upload biometrics or exclude poor and unknown people from "being 18"? I really don't know which is the lesser poison
> (And why does YouTube ask me to verify my age when I’m logged into a Google account I created in 2004?)
I'd guess they didn't want to bother with that edge case. Probably <0.01% of active Youtube accounts are >18 years old
Unfortunately it is not enough to prove an identity (you could be using the credit card of your traveling uncle) and regulation requires for it to be combined with another proof.
I see a lot of people associating identity verification with evil intent (advertising, tracking).
I work in this domain and the reality is a lot less interesting: identity verification companies do this and only this, under strict scrutiny both from their customers and from the regulators.
We are not where we want to be from a privacy standpoint but the industry is making progress and the usage of identity data is strictly regulated.
I know I've read stories of kids taking cards to purchase games or other things online numerous times over the last 20+ years.
The only safe approach is for that information not to exist in the first place.
The card providers share your identity in monetary transactions, but I don't think this data does & should include birthdate.
That's useful as one option, but can't be expected of 18 year olds in most countries, and older adults in many.
This is a good solution, as banks are obliged to provide a free bank account for anyone (there is an EU regulation on that). This is very safe and gives users full information about what data the third party requested.
[1] https://www.kir.pl/nasza-oferta/klient-indywidualny/identyfi...
2. Parents will help kids bypass checks like that.
3. It can be bypassed by a half-smart 13-year-old who can access an app on a phone that will give them the card details and be able to see transactions.
Any verification that doesn't actually verify you via proper means is easy to fake. Hell, we can fake passport/id photos easy enough so now we have to jump on calls with the passport and move it around.
The days of the wild west of the internet are long gone. It's time to realise that it's so important that it deserves the same level of verification we give to in person activities. Someone seeing you and/or your id. It's the only thing that has the best chances of not being bypassed with ease.
This was one of the methods that CompuServe used back in the 1980's, though using a checking account.
It's sad that so many aspects of technology have completely failed to improve in half a century.
There have been so many dystopian movies about this kind of tech, it's a good insight of what comes next.
Eh. It's just easier and cheaper. I'll bet Discord has outsourced this to one of those services that ask you for a face scan when you sign up to [some other service].
This is always about government overreach.
People are less likely to criticize the government, or even participate in political debate, if their online identities are known by the government. Governments like obedient, scared citizens.
The only ethical response to laws like this, is for websites and apps to terminate operations completely in countries that create them. Citizens who elect politicians without respect for human rights and privacy don't really deserve anything nice anyway.
This sort of thing can't happen except through the largest tech companies in the world, who are coincidentally already poised to be the world's official providers of digital identity, and private internet enclaves.
Look at what Microsoft has done with Windows - mandatory minimum TPM to install and a Microsoft account registration for a local user. Try using an Apple iPad or iPhone without an iCloud account or adding a payment method. Google wants you to sign in with them, everywhere, aggressively. Cloudflare has been the web's own private gatekeeper for the last decade. Facebook's whole product is identity. IBM has sold surveillance, IAM, and facial recognition services for decades.
Instead of a clunky IP-based Great Firewall, imagine being able to render VPNs ineffective and unnecessary everywhere on the planet by a person's (verified national) identity. Click. Block and deactivate all members of group "Islamic State" on your platform. Click. Allow IDs registered to this ZIP Code to vote in this election. Click. CortanaSupreme, please dashboard viewer metrics by usage patterns that indicate loneliness, filtering for height, last assessed property values, and marriage status, and show their locations.
Currently, laws don't require age verification, just that ineligible parties are excluded. There's no legal requirement to card someone before selling them alcohol, and there's no reason anyone would need a depth map of someone's face when we could safely assume that the holder of a >5 year old email account is likely to be 18 if 13 is the minimum age to register with the provider.
Shifting the onus to parents to control what their kids do on the internet hasn't worked. However, that's a bare sliver of what's at stake here.
If the government is not working like that, you have an administrative problem, not a societal one. A state is its population.
Very dangerous thinking. Unless each and every citizen has approved the elected "representative" and every decision they made (which will never happen), you cannot assimilate the state and the population. The state has to be considered a separate entity, one which operates beyond the common man's thinking.
Oh that's not true at all. A state is an institution which is influenced by its population, but if anything, the attitudes of the population are more a product of the state, its constituent political parties, and the associated media apparatuses than of a freestanding "will of the people."
To give a trivial counterexample, if the American state "is" its population, then why does your presidential vote only matter if you live in a swing state, and why can you only vote for one of two candidates? Surely your vote should reflect all of your policy preferences and have equal influence no matter where you live.
The entities that keep pushing for that stuff tend to be quite centralized.
Unfortunately things don't always work out that cleanly:
- Sometimes you vote for the pro-freedom candidate, but your candidate loses.
- Sometimes there are only two dominant candidates, and both disrespect human rights.
- Sometimes one candidate disrespects human rights in some particular way, but the other candidate has different, bigger problems, so you vote for the lesser of two evils.
- Sometimes a candidate says one thing while campaigning, and then when elected does something different.
If they get it wrong, are you locked out? Do you have to send an image of your ID? So many questions. Not a huge fan of these recent UK changes (looking at the Apple E2E situation as well). I understand what they're going for, but I'm not sure this is the best course of action. What do I know though :shrug:.
On contacting their support, I learned that they refused to use any other process. Also it became apparent that they had outsourced it to some other company and had no insight into the process and so no way to help. Apparently closing one's account will cause an escalation to a team who determines where to send the money, which would presumably put some human flexibility back into the process.
(In the end I was able to get their web app to work by trying several other devices, one had a camera that for whatever reason satisfied their checks that my face was within the required oval etc.)
I suspect this won't help you, but I think it's worth noting that the GDPR gives people the right to contest any automated decision-making that was made on a solely algorithmic basis. So this wouldn't be legal in the EU (or the UK).
There seems no way to push back against these technologies. Next it will be an AI interview for 'why do you transfer the money?'
This is over-reach. Both in the UK and Australia.
When a TV channel broadcast porn, who gets fined?
These are accepted laws that protect kids from "harm", which are relatively uncontroversial.
Now, the privacy angle is very much the right question. But as Discord are the one that are going to get fined, they totally need to make sure kids aren't being exposed to shit they shouldn't be seeing until they are old enough. In the same way the corner shop needs to make sure they don't sell booze to 16 year olds.
Now, what is the mechanism that Discord should/could use? That's the bigger question.
Can government provide foolproof, secure, private and scalable proof of age services? How can private industry do it? (Hint: they won't because it's a really good source of profile information for advertising.)
2/3 of Australians support minimum age restrictions for social media [1] and it was in-particular popular amongst parents. Putting the responsibility solely on parents shows ignorance of the complexities of how children are growing up these days.
Many parents have tried to ban social media only for those children to experience ostracisation amongst their peer group leading to poorer educational and social developmental outcomes at a critical time in their lives.
That's why you need governments and platform owners to be heavily involved.
[1] https://www.theguardian.com/australia-news/article/2024/jun/...
This facial thing feels like a loaded attempt to both check a box and get more of that sweet, sweet data to mine. Massive privacy invasion and exploitation of children dressed as security theater.
I think, ironically, the best way to fight this would be to lean on identity politics: There are probably certain races that ping as older or younger. In addition, trans people who were on puberty blockers are in a situation where they might be 'of age' but not necessarily look like an automated system expects them to, and there might be discrepancies between their face as scanned and the face/information that's shown on their ID. Discord has a large trans userbase. Nobody cares about privacy, but people make at least some show of caring about transphobia and racism.
> So many questions.
Do they keep a database of facial scans even though they say they don't? If not, what's to stop one older looking friend (or an older sibling/cousin/parent/etc.) from being the 'face' of everyone in a group of minors? Do they have a reliable way to ensure that a face being scanned isn't AI generated (or filtered) itself? What prevents someone from sending in their parent's/sibling's/a stolen ID?
Seems like security theater more than anything else.
She was 26. She just was that young looking.
:/
Is there a market for leaked facial scans?
Ofcom is a serious contender in ruling their rules especially where Discord is multi-national that even "normies" know and use.
And if they got a slap of "we will let you off this time" they would still have to create some sort of verification service to please the next time.
You might as well piss off your consumers, lose them whatever and still hold the centre stage than fight the case for not. Nothing is stopping Ofcom from launching another lawsuit thereafter.
> Is there a market for leaked facial scans?
There's a market for everything. Fake driver licenses with fake pictures have been around for decades, that would be no different.
https://support.discord.com/hc/en-us/articles/30326565624343...
This can be challenging even with humans. My ex got carded when buying alcohol well into her mid thirties, and staff at the schools she taught at mistook her for a student all the time.
Edit: This isn't how it played out. See the comment below.
The actual situation was that the board refused classification where an adult was intentionally pretending to be an underage child not that they looked like one.
Formats like shorts or news feeds to you algorithmically with zero lag are the problem. It makes for the zombification of decision making. Endless content breaks people down precisely because it's endless. I think if you add age verification but don't root out the endless nature, you will not really help any young person or adult.
When you look at people with unhealthy content addiction, it is always a case of excess and not necessarily type of content. There are pedophiles but honestly, we have had that throughout all time, with and without the internet. But the endless feeding of the next video robs people of the ability to stop by mentally addicting them to see just one more. And because content is not really infinite, endless feeds invariably will feed people with porn, eating disorders, and other "crap" in quantities that slowly erode people.
Porn addiction is bad but it seems there are even worse things happening.
https://www.afterbabel.com/p/industrial-scale-harm-tiktok
What I did not see in this article was anything about how AI can tell a 13 year old from a 12.9 year old with confidence. This seems unlikely to me.
I agree with the article's implication that websites will now want a scan of everyone's faces forever. Their insistence that they won't store the face scans is like one of those cute lies that kids tell, and adults aren't fooled by. Either you're outright lying, or you're using the loophole of not storing the image, but rather storing a set of numbers, derived from the image, which act as a unique fingerprint. Or, you're sending it to a third party for storage. Or something like that. But you're definitely keeping track of everyone's faces, don't try to pull a fast one on me young lady, I've been around the block before.
In this day and age, of crypto, and certificates, and sso, and all that gubbins, it's surely only a matter of deciding that this is a problem that needs solving.
(Unless the problem really isn't the age of the user at all, but harvesting information...)
Over the next five years, you can look forward to a steady trickle of stories in the press about shocked parents finding that somehow their 15 year old passed a one-time over-18 age verification check.
The fact compliance is nigh-impossible to comply with is intentional - the law is designed that way, because the intent is to deliver a porn ban while sidestepping free speech objections.
> 15 year old has a 18 year old friend
Adults can be prosecuted for helping minors circumvent the checks.
> Or the fact that other 15 year old looks older than some 20 year olds
See Australian approach. Site can verify you and both government and site don't know who you are. No need for photo.
> shocked parents finding
No law is a replacement for bad parenting. But good parenting is easier with the right laws.
> a one-time over-18 age verification check
it can happen more than once non intrusively.
My boss is a. a jerk. b. a total jerk. c. an absolute total jerk. d. responsible for my paycheck. Correct answer: d.
dated, and very politically incorrect...
https://allowe.com/games/larry/tips-manuals/lsl1-age-quiz.ht...
(scroll down past answers to questions and answers)
Estonia and South Korea I think also have similar features on their IDs, it's already a solved problem.
https://news.ycombinator.com/item?id=40298552#40298804
Talking about it or explaining it is like pulling teeth; generally just a thorough misunderstanding of the notion....even though cryptographic certificates make the modern internet possible.
Provide easy to use on-device content filtering tools so parents can easily control what their children can access (there are a few ways to do this through law, like requiring it from OS providers or ISPs or just writing these tools directly).
To make it easy, Discord can provide their services under both adults.discord.com and minors.discord.com so parents can more easily block only the 18+ version of Discord.
Require personal responsibility from parents to decide what is appropriate for their child.
AFAIU, the German electronic ID card ("elektronischer Personalausweis") can do this, but it is not widely implemented, and of course geographically limited.
e: I get the same feeling as I do reading about key escrow schemes in the Clipper chip vein, where nobody claimed it was theoretically impossible to have a "spare key" only accessible by warrant, but the resulting complexity and new threat classes [1] just was not worth it
[1] https://academiccommons.columbia.edu/doi/10.7916/D8GM8F2W
No it's not. Unless...
> Doing so in a safe way is literally impossible since I don't want to share that information in the first place.
...well then it is.
But it's not constructive to claim that proving your age to someone is by definition a privacy violation. If someone wants to prove their age to someone, then that's a private communication that they're entitled to choose to make.
It is true that if technology to achieve this becomes commonplace, then those not wishing to do so may find it impractical to maintain their privacy in this respect. But that doesn't give others the right to obstruct people who wish to communicate in this way.
The hard part is identifying with reasonable accuracy that the person sitting in front of the device is who they say they are, or a certain age.
[1] https://en.wikipedia.org/wiki/SIM_Registration_Act
Followed by governments basically shrugging.
(mind you, ID/age requirements for access to adult content go way, way back in all countries)
If you run a social media site, then you have an API that allows government access to your data.