> government passes law that requires companies to age verify users
> said government provides no way to actually verify a human's age
> hilarity ensues
This really deserves a digital solution. Let me get a government account and generate tokens that websites can ingest to confirm I'm an adult (and other optional details about me).
Having to use passports or poor solutions like face scanning isn't good enough. I guess the reason they don't do this is because they fear the cost, anything governments price up these days seems to be in the billion range. So the politicians who don't understand how cheap it is to build software assume it's way out of their price range.
When you place all the requirements on a software product like what the government has to, then it’s going to be expensive. Anyone who thinks that the total cost of a privacy protecting, government accredited, widely available, reliable, audited, and domestically produced age verification system isn’t going to be in the hundreds of millions has never actually shipped something comparable.
It is literally illegal to slap a few lines of glue code and say “there’s your age verification, look how cheap it is.” The public would be happy about saving money right up until there’s a massive privacy breach and all the ways you cut corners are exposed.
I don’t know if leaving the standards unspecified is the right thing to do (it’s probably not), but don’t pretend like a government verified solution could ever be cheap when dealing with citizens’ identities.
A small group of closely working skilled engineers would produce something more reliable and far less likely to have a privacy breach than the typical government contracting system.
The idea that a small group of people can't produce something that can scale to millions of people is just false.
It also wouldn't just be cheaper; it would be better. The "government" way of doing things would be far more likely to be broken glue code with privacy issues because all those committee meetings and bottom of the barrel contractor selection don't produce better end results
I disagree. This is exactly what happened with the initial launch of Healthcare.gov after the Affordable Care Act. The government spent hundreds of millions contracting a large firm that completely botched the site, it couldn't even handle a few hundred users at launch.
Then a small team of highly skilled engineers from Google/Facebook etc were brought in to fix it. They stabilized and relaunched the system in weeks at a fraction of the original cost. It showed that the problem wasn't the complexity or the standards, it was how the project was managed and who was building it.
IIRC, it wasn't even that it contracted one firm, it contracted many, and the individual contracts were managed separately. None of the systems were actually required to work with each other in letter, only in spirit.
The major advantage of bringing in the engineers (only one ex-googler, most were oracle and redhat, again IIRC) was that they were all already bigwigs and knew how to take ownership of large systems, and were given the authority to do so.
Problem: the millisecond this system is rolled out, personal data will be attached to it, not least because I'm just going to generate unlimited 18+ tokens and sell them for $10 apiece
You don't need to identify the user, just be able to show that two tokens are the same user and invalidate, log out both users, and make them generate a new token. You can sell your license to kids today, but it doesn't scale and is a terrible idea to give a kid an ID to a place you frequent.
That's exactly what pisses me off about it. The government could have at least devised a technical solution to verify the age of people privately. Data breaches happen all the time, do they just not care about the consequences when millions of peoples' porn watching habits are inevitably leaked?
It's a great first step toward making criticism of the government scary. Porn, hate speech, and other "legal but private/embarrassing" speech are the sharp end of the spear. When it's okay to restrict those, it becomes more easier to restrict political opposition.
My bank has an API endpoint that (basically) returns your name and age (in this use case). It can return more for signing electronic docs etc. and is basically your digital ID.
Need to buy "toys", vape products, alcohol... anything adult online?
There's a 3rd party web app (you rightfully don't trust) as an age check in the shopping cart / user account of any of these adult shops, and this has multiple ways of verifying your age - and one of them is the bank's api, you pick it, your bank's identity sharing page loads, you log in, it shows exactly what information will be shared in a bullet point list, you tap OK, immediately a request like "this app wants to know your age, please verify" pops up in your smart banking app on your phone, you tap ok, fingerprint scan, DONE.
Problem solved. The 3rd party app knows just what it needs to. All of this takes maybe a minute and your personal info is perfectly safe (unless you don't trust your bank at which point you have bigger problems to worry about...)
Identity shouldn’t be tied to a private institution that requires you to have a bank account to login.
Two of the well-used solutions to identity in the U.S. are login.gov (government-managed) and id.me (private, but used by government). Basically to get setup, at some point you have to have physical presence to get an actual government-approved physical ID, which can still be a barrier to some, but it doesn’t require a bank account.
Just don’t implement your own like Discourse and Tea.app.
> Just don’t implement your own like Discourse and Tea.app.
FWIW discord did not implement their own (sensibly), but since the british government does not provide this service it basically mandates possibly dodgy middlemen.
>Identity shouldn’t be tied to a private institution
This right here. Just look at what happened with visa/mastercard this week, private institutions can and will cave to special interest groups advocating to block access to legal content.
Whether it’s a government controlled or private identity provider which can or has to provide data to the government, in the end it’s still the perfect way to control what people do online. It’s age restricted stuff at first, but can just as well be applied to any store or social media. Not so eager to express your dissent if it has your name stapled to it.
As a Brit that relocated to Norway a decade ago, trust me when I say you cannot fathom the lack of organization around identity that the UK (somewhat intentionally) has. (It’s constantly used for political Godwin’s-law fear-mongering)
There is no centralized ID number, the closest is your social security number but this is basically only outbound for PAYE tax and haphazardly correlated to your pension payments in late life.
Everything operates on a “trust system” where you often present paper (!) with whatever address you claim to be living at as proof you are real (e.g. opening bank accounts).
Passport loss is rectified by seeking out “professionals” with government-approved occupations that are not related to you that can vouch you are actually the person you are trying to replace a passport for.
The entire thing is a mess and living in digital-identity-native Europe is a dream come true that you should be extremely thankful for.
It's even worse now: A lot of places now accept PDF's of things like bank statements, since so many people don't get paper copies any more.
It's not that it was hard to fake before if you wanted to, but when you can just get a real PDF as a starting point, and edit it slightly it's just theatre.
>>There is no centralized ID number, the closest is your social security number
Until you find out that due to a cock up years ago the National Insurance numbers are not guaranteed to be unique, and you realize that somehow the best proof of identity British people have is a humble driving licence because DVLA is at least somewhat competent.
B-but... if we have an ID card the "government" will be able to track us! /s
It does annoy me how much people get away with scaremongering, I just read a comment of someone who's against digital payments because "then the government will be able to work out how much tax you owe"????
This is the way. Belgian banks joined forces years ago to create such a platform for identity verification and private companies can get granular acces when needed and after they are vetted.
It's all based on the 2014 eIDAS regulation.
If I've understood it correctly, Pornhub can't see anything except that you've turned 18 (no names, no date of births, nothing) and your local government can't see that you've signed up for Pornhub using the app.
Yes, this is correct. As I understand it, the server asks the application some questions ("is the user above 18?" "are they a resident of country X?" or whatever), you confirm that you want to share the answer, and the application just gets "yes" or "no" to each question.
Actually, they could release a platform quite easily that only delivers age verification, without anything else.
For example, our id's have a qr on it that contains some basic info. Why not provide a platform for age checks with that qr? Anyway, fuck them. Education goes a lot further than trying to force identity verification on private companies when there is no real life threat in play.
Why should the govt provide a way to verify? They should fine companies that violate. Companies will figure how to comply because they don't want to be fined.
On-device models are excellent for privacy, but they are fundamentally broken from a security perspective. Preventing people from spoofing the results would involve locking them out of their own devices, via DRM.
You're treating this as a computer security problem when it's actually a political problem. It doesn't have to work to be mandated. It doesn't even have to work, for everyone to get a pat on the back and a raise for implementing it. Keeping minors away from porn isn't the point, the point is more like to scare people about being surveilled so they voluntarily won't watch it.
Some of the age verification systems that use digital ids (mDLs) do the same thing but people freak out about how they work because I think they misunderstand the tech.
They system basically asks the mDL via an api call "is this user above the age of 18/21" and the app only responds with a yes or no. It doesn't pass the users fulls details over or anything like that.
> Identity documents are deleted after a user’s age group is confirmed, and the video selfies used for facial age estimation never leaves their device.
I've been hired and have hired people through the Discord community. It's no different than Hacker News in this respect, where I've done the same. Professionalism is orthogonal, though I will agree that ephemeral chats have serious drawbacks for project-oriented communities.
If it works for video game characters, why not just any random actor? There's going to be plenty of footage available of them in various positions to get around the can't use just one image "security" feature.
The fundamental issue is that these verification models are trained on datasets containing fictional characters and celebrities, so they're essentially being asked to distinguish between inputs that were part of their own training distribution.
Yet TFA shows the character used to beat the verification is a game character based on the likeness of an actor famous for the role he pays the game character is based. So you’re saying what, that the system isn’t aware it was trained on this person, the training isn’t looking that person is known to the training, or the system just doesn’t work as advertised?
Several articles say that Ofcom has said platforms must not host, share, or permit content encouraging the use of VPNs to bypass age checks, adding that parents should be aware of how VPNs can be used to bypass the Act.
All those parents that couldn’t use parental controls to limit what their children see in a browser are not suddenly going to start policing VPNs. This is terrible legislation wrapped in terrible advice.
That annoys me as the VPN isn't necessarily bypassing the age check, but instead is allowing the person to pretend that they don't live in a country with stupid laws. I mean, Ofcom might as well warn parents about cheap holiday websites that encourage people to bypass the age checks by flying to a sane country.
Yes? I expect that "take a weekend to France to bypass age verification" and "subscribe to NordVPN to bypass age verification" are both legal while "take a weekend to France to see the Eiffel tower" and "use NordVPN to increase your security" are both legal.
Did you never wonder why VPN ads don't really list any actual use cases, yet they're wildly popular? If you know what you need it for, the ad doesn't have to tell you - just has to tell you which company to give your money to.
Something that's occurred to me is that we are already deanonymized and tracked everywhere online but most people are fine with it because it's done secretly and transparently (you don't notice). Age verification w/ something like a license online brings the issue front and center. It's not hidden that you are not anonymous online and people freak out.
The banning guns is easier when you control the sales part.
Preventing children from accessing certain websites is not working at all. It also is a cop out. I have children aged 15 and 17. They received their forest smartphone at age 12. The phones were restricted in a certain way and they didn't get unlimited use. We educated them about proper use and at age 15 restrictions were lifted. They allready know how to use VPN's because they're on my paid account. I see it no different from sexual education.
I don't need a government to make a private company collecting my personal identification. The best guardrail against data loss is not collecting any.
The idea that some countries have managed to block children from accessing adult content is laughable. But are there countries that have banned guns? A quick Wikipedia check shows that, in 2025, more people were killed in school shootings in Europe than in the U.S.
Which is weird considering there have been over 10 times the amount of school shootings in the U.S. compared to Europe... including an incident where a gun went off in the backpack of a second grader at an elementary school.
Age verification should be made on OS or firmware level when buying a device. And not by sending your passport scan to random companies with dubious data collection practices.
A law must mandate that an "adult" version of OS (or device) may be sold only to adult users. It is not difficult for Microsoft/Apple to implement this yet they do not want to for some reason.
This would allow more reliable age verification, without revealing identity of account owners. Well, maybe the govt wants exactly the opposite.
I can tell how this would be implemented. Microsoft rolls their own awkward standard nobody asked for. Other major companies try to use a somewhat common standard.
The Industrie enforces new rules and suddenly it costs $150000 and has awkward requirements to get your OS certified adult.
For the years to come only the most recent windows versions and customer devices like phones will work. No Linux will pay to get a standard they haven't asked for. Embed devices will stop working as more and more stuff gets simply flagged "adult only"
Just don't ... :)
Edit:// see Silverlight, or why it took years until something like Netflix was even legally technically possible
The California legislature is already working on forcing operating systems to attest the age of the user at the account level. See the recent gut-and-amend of AB1043 [0], which was a privacy bill [1] just a few months ago:
> This bill would require, among other things related to age verification on the internet, a covered manufacturer to provide an accessible interface at account setup that requires an account holder, as defined, to indicate the birth date, age, or both, of the user of that device for the sole purpose of providing a signal regarding the user’s age bracket to applications available in a covered application store and to provide a developer, as defined, who has requested a signal with respect to a particular user with a digital signal via a real-time application programming interface regarding whether a user is in any of several age brackets, as prescribed. The bill would define “covered manufacturer” to mean a person who is a manufacturer of a device, an operating system for a device, or a covered application store. The bill would require a developer to request a signal with respect to a particular user from a covered manufacturer when that user requests to download an application.
> This bill would punish noncompliance with a civil penalty to be enforced by the Attorney General, as prescribed.
I’ve often talked about in private settings about how running open source OSes and DRM-free setups would likely become illegal in the future. With every passing day this vision seems closer to reality.
The UK doesn’t have any form of identity that can be used like this. There’s a very very vocal group of people who oppose the idea to the point that it hasn’t gained traction.
First, a vocal minority of security freaks lead by Tony Blair who think that forcing everybody to carry ID cards around is a proportionate way to protect Britain from terrorists, illegal immigrants and other foes.
Second, a large proportion of the country who think that the introduction of optional ID cards is a slippery slope towards the first group getting what they want.
Third, another large proportion of people who think that the risk of the first group getting what they want is overblown, or else think that the convenience of being able to prove identity more easily outweighs the inconvenience of having to carry an ID card around everywhere.
In the great ID card battle of the late-00s, the second group won decisively and politicians have been too scared to take up the issue ever since. Except for Blair, but having the face of your political campaign be a war criminal is of negative value to that cause.
I wouldn't describe myself as a very very vocal person, but I'm not a fan of the UK introducing identity cards as it would almost certainly be misused by the government and the data would be leaked as the UK government is utterly incompetent (when it comes to computers).
The Netherlands has this system but it is ripe for abuse. We still have a few Christ clowns and there's a big fascist party at the moment.
How about we don't make lists of people visiting porn sites? How about we accept that children are part of society and not try to put them in little cages like songbirds?
Children are part of society, but adults need to have their space to do their adult things, some of which are actually hurting children. The "little cages" are actually supposed to aid a healthy mental development.
But whatever age-verification solution I have seen so far sucked, really badly. And I can't believe people promote something like a government based age check. People need their privacy.
>How about we accept that children are part of society and not try to put them in little cages like songbirds?
It's the correct idea but the way it should be done is by coming to a democratic consensus that helicopter parenting is bad, not by attempting to hobble the infrastructure of government. If only for the practical reason that it'll simply be outsourced and privatized. In US states where the police can't scan license plates, there's a private industry doing that and then selling the data back to the police. The same result but now you pay a premium.
Lee Kuan Yew was fond of making this point. Weak "horizontal" administrations will creep in ways that are more opaque and without checks than strong "vertical" ones.
Tangential discussion, one thing I like a lot about the Netherlands is that it's not common to flaunt wealth, at least not as much as in some other countries. For all their other flaws, isn't this something that comes from the protestants? Or is there a different historical background here?
It's worth being careful with broad characterizations like this. Attributing complex policy opposition to fringe beliefs or bad faith motives oversimplifies the issue and shuts down good faith discussion. Whatever one’s views, that kind of framing isn’t helpful.
Having to use passports or poor solutions like face scanning isn't good enough. I guess the reason they don't do this is because they fear the cost, anything governments price up these days seems to be in the billion range. So the politicians who don't understand how cheap it is to build software assume it's way out of their price range.
It is literally illegal to slap a few lines of glue code and say “there’s your age verification, look how cheap it is.” The public would be happy about saving money right up until there’s a massive privacy breach and all the ways you cut corners are exposed.
I don’t know if leaving the standards unspecified is the right thing to do (it’s probably not), but don’t pretend like a government verified solution could ever be cheap when dealing with citizens’ identities.
The idea that a small group of people can't produce something that can scale to millions of people is just false.
It also wouldn't just be cheaper; it would be better. The "government" way of doing things would be far more likely to be broken glue code with privacy issues because all those committee meetings and bottom of the barrel contractor selection don't produce better end results
Then a small team of highly skilled engineers from Google/Facebook etc were brought in to fix it. They stabilized and relaunched the system in weeks at a fraction of the original cost. It showed that the problem wasn't the complexity or the standards, it was how the project was managed and who was building it.
The major advantage of bringing in the engineers (only one ex-googler, most were oracle and redhat, again IIRC) was that they were all already bigwigs and knew how to take ownership of large systems, and were given the authority to do so.
Not saying it’s good or bad. Just that it’s intentional.
https://en.wikipedia.org/wiki/BankID
Need to buy "toys", vape products, alcohol... anything adult online?
There's a 3rd party web app (you rightfully don't trust) as an age check in the shopping cart / user account of any of these adult shops, and this has multiple ways of verifying your age - and one of them is the bank's api, you pick it, your bank's identity sharing page loads, you log in, it shows exactly what information will be shared in a bullet point list, you tap OK, immediately a request like "this app wants to know your age, please verify" pops up in your smart banking app on your phone, you tap ok, fingerprint scan, DONE.
Problem solved. The 3rd party app knows just what it needs to. All of this takes maybe a minute and your personal info is perfectly safe (unless you don't trust your bank at which point you have bigger problems to worry about...)
Two of the well-used solutions to identity in the U.S. are login.gov (government-managed) and id.me (private, but used by government). Basically to get setup, at some point you have to have physical presence to get an actual government-approved physical ID, which can still be a barrier to some, but it doesn’t require a bank account.
Just don’t implement your own like Discourse and Tea.app.
FWIW discord did not implement their own (sensibly), but since the british government does not provide this service it basically mandates possibly dodgy middlemen.
My understanding is that discord uses (contracted?) https://www.k-id.com/
This right here. Just look at what happened with visa/mastercard this week, private institutions can and will cave to special interest groups advocating to block access to legal content.
Another victim of auto-correct!
There is no centralized ID number, the closest is your social security number but this is basically only outbound for PAYE tax and haphazardly correlated to your pension payments in late life.
Everything operates on a “trust system” where you often present paper (!) with whatever address you claim to be living at as proof you are real (e.g. opening bank accounts).
Passport loss is rectified by seeking out “professionals” with government-approved occupations that are not related to you that can vouch you are actually the person you are trying to replace a passport for.
The entire thing is a mess and living in digital-identity-native Europe is a dream come true that you should be extremely thankful for.
It's not that it was hard to fake before if you wanted to, but when you can just get a real PDF as a starting point, and edit it slightly it's just theatre.
Until you find out that due to a cock up years ago the National Insurance numbers are not guaranteed to be unique, and you realize that somehow the best proof of identity British people have is a humble driving licence because DVLA is at least somewhat competent.
https://en.m.wikipedia.org/wiki/EIDAS
https://ageverification.dev/
If I've understood it correctly, Pornhub can't see anything except that you've turned 18 (no names, no date of births, nothing) and your local government can't see that you've signed up for Pornhub using the app.
For example, our id's have a qr on it that contains some basic info. Why not provide a platform for age checks with that qr? Anyway, fuck them. Education goes a lot further than trying to force identity verification on private companies when there is no real life threat in play.
I hope they just improve that performance, rather than see this and back out of it entirely and require ID checks.
And that's why it's been bypassed already
https://x.com/Pirat_Nation/status/1949036664132657225
Some of the age verification systems that use digital ids (mDLs) do the same thing but people freak out about how they work because I think they misunderstand the tech.
They system basically asks the mDL via an api call "is this user above the age of 18/21" and the app only responds with a yes or no. It doesn't pass the users fulls details over or anything like that.
As in, if I repeatedly ask for age verification to the same service, does it know:
1) the identity of the user making the request, and 2) whether repeated requests comes from the same user (even if they don't know who it is?)
The vendor is https://www.k-id.com in Discord's case
> Identity documents are deleted after a user’s age group is confirmed, and the video selfies used for facial age estimation never leaves their device.
Personally, I will never use Discord and they just gave me another reason not to.
Either way, when I see a person or business advertise a Discord link, I immediately think of either as immature.
I miss the days of forums, and wish something like them could thrive again instead of rather private, but importantly ephemeral chats.
Open source projects have long had ephemeral chats, private to the people in the chat at that moment - it just used to be called IRC.
Did you never wonder why VPN ads don't really list any actual use cases, yet they're wildly popular? If you know what you need it for, the ad doesn't have to tell you - just has to tell you which company to give your money to.
(I still don't really know what people are actually using VPNs for.)
Ridiculous.
(iOS Safari)
Okay turning off content blockers did the trick. AdGuard was blocking the whole site for some reason.
Preventing children from accessing certain websites is not working at all. It also is a cop out. I have children aged 15 and 17. They received their forest smartphone at age 12. The phones were restricted in a certain way and they didn't get unlimited use. We educated them about proper use and at age 15 restrictions were lifted. They allready know how to use VPN's because they're on my paid account. I see it no different from sexual education.
I don't need a government to make a private company collecting my personal identification. The best guardrail against data loss is not collecting any.
Europe: 4 shootings distributed across 4 countries - <https://en.wikipedia.org/wiki/List_of_school_shootings_in_Eu...>
U.S.: 41 shootings across 19 states - <https://en.wikipedia.org/wiki/List_of_school_shootings_in_th...>
A law must mandate that an "adult" version of OS (or device) may be sold only to adult users. It is not difficult for Microsoft/Apple to implement this yet they do not want to for some reason.
This would allow more reliable age verification, without revealing identity of account owners. Well, maybe the govt wants exactly the opposite.
The Industrie enforces new rules and suddenly it costs $150000 and has awkward requirements to get your OS certified adult.
For the years to come only the most recent windows versions and customer devices like phones will work. No Linux will pay to get a standard they haven't asked for. Embed devices will stop working as more and more stuff gets simply flagged "adult only"
Just don't ... :)
Edit:// see Silverlight, or why it took years until something like Netflix was even legally technically possible
> This bill would require, among other things related to age verification on the internet, a covered manufacturer to provide an accessible interface at account setup that requires an account holder, as defined, to indicate the birth date, age, or both, of the user of that device for the sole purpose of providing a signal regarding the user’s age bracket to applications available in a covered application store and to provide a developer, as defined, who has requested a signal with respect to a particular user with a digital signal via a real-time application programming interface regarding whether a user is in any of several age brackets, as prescribed. The bill would define “covered manufacturer” to mean a person who is a manufacturer of a device, an operating system for a device, or a covered application store. The bill would require a developer to request a signal with respect to a particular user from a covered manufacturer when that user requests to download an application.
> This bill would punish noncompliance with a civil penalty to be enforced by the Attorney General, as prescribed.
[0] https://legiscan.com/CA/text/AB1043/2025 [1] https://legiscan.com/CA/text/AB1043/id/3134744
If you want to know more about this lovely bait-and-switch tactic used by the Golden State's legislature, see here: https://californiaglobe.com/uncategorized/gut-and-amend-bill...
I don’t understand why other countries can’t do the same.
First, a vocal minority of security freaks lead by Tony Blair who think that forcing everybody to carry ID cards around is a proportionate way to protect Britain from terrorists, illegal immigrants and other foes.
Second, a large proportion of the country who think that the introduction of optional ID cards is a slippery slope towards the first group getting what they want.
Third, another large proportion of people who think that the risk of the first group getting what they want is overblown, or else think that the convenience of being able to prove identity more easily outweighs the inconvenience of having to carry an ID card around everywhere.
In the great ID card battle of the late-00s, the second group won decisively and politicians have been too scared to take up the issue ever since. Except for Blair, but having the face of your political campaign be a war criminal is of negative value to that cause.
How about we don't make lists of people visiting porn sites? How about we accept that children are part of society and not try to put them in little cages like songbirds?
But whatever age-verification solution I have seen so far sucked, really badly. And I can't believe people promote something like a government based age check. People need their privacy.
It's the correct idea but the way it should be done is by coming to a democratic consensus that helicopter parenting is bad, not by attempting to hobble the infrastructure of government. If only for the practical reason that it'll simply be outsourced and privatized. In US states where the police can't scan license plates, there's a private industry doing that and then selling the data back to the police. The same result but now you pay a premium.
Lee Kuan Yew was fond of making this point. Weak "horizontal" administrations will creep in ways that are more opaque and without checks than strong "vertical" ones.