- "k-id, the age verification provider discord uses doesn't store or send your face to the server. instead, it sends a bunch of metadata about your face and general process details."
I think the primary issue is not the "send your face" (face info) to a server. The problem is that private entities are greedy for user data, in this case tying facial recognition to activities related to interacting with other people, most of them probably real people. So this creates a huge database - it is no surprise that greedy state actors and private companies want that data. You can use it for many things, including targeted ads.
For me the "must verify" is clearly a lie. They can make it "sound logical" but that does not convince me in the slightest. Back in the age of IRC (I started with mIRC in the 1990s, when I was using windows still), the thought of requiring others to show their faces never occurred to me at all. There were eventually video-related formats but to me it felt largely unnecessary for the most part. Discord is (again to me) nothing but a fancier IRC variant that is controlled by a private (and evidently greedy) actor.
So while it is good to have the information how to bypass anything there, my biggest gripe is that people should not think about it in this way. Meaning, bypassing is not what I would do in this case; I would simply abandon the private platform altogether. People made Discord big; people should make Discord small again if they sniff after them.
- > the thought of requiring others to show their faces never occurred to me at all
I know you meant as a service provider, but as a avid IRC (and an online game that conventionally alt-tabbed into a irc-like chat window) chatter as a young preteen in the 90s and 00s, I made a lot of online friends that I would not discover what they looked like IRL for decades, some never. People I was gaming with in the 90s, for the first time, I would see what they looked like over FB in a group made for the now-almost-dead game in the 10s. It was like "swordfish - man, where are you now? I don't even know your real name to find ya. shardz - you look exactly like I would picture ya!."
Just some musings.
- In the early 2000s, the biggest social media (though we didn't call it that back then) in Finland was IRC-Galleria (IRC-Gallery). It was originally made for IRC users to upload pictures of themselves and see what fellow IRCers looked like. You'd create a profile, add pictures and tag which channels/servers you were on.
Since there were no other websites like that back then, it was eventually overrun by non-IRC-users and transformed into what we'd now call a more generic social media platform. Something like the eternal September I guess. People started calling the gallery "IRC" as shorthand, which royally pissed off the original userbase. Fun times.
Then Facebook appeared and everyone moved there.
It's still up, but it's more of a historical relic these days. Not sure who, if anyone, still uses it: https://irc-galleria.net/
Wikipedia: https://en.wikipedia.org/wiki/IRC-Galleria
- It's weird how different and hyper-local the social media landscape was back then. It's not just that every country had their own thing, it's also that they were all very different concepts and ideas.
Poland's social media of choice was "Nasza Klasa" (lit. "Our Class"), the American alternative was called "Classmates" as far as I know. It was intended as a service that let you re-unite with your old classmates, designed with the way the Polish school system worked in mind. It was used for far more than that though, and was quite popular among kids who were still at school.
We're still in that era with messaging apps somehow. WHile the local alternatives have mostly died out, the world is now a patchwork of WhatsApp, Messenger and Telegram, with islands of iMessage, Line, KakaoTalk and WeChat thrown into the mix. Most countries have basically standardized on one of these, but they can't agree on which one.
- >as a young preteen in the 90s and 00s, I made a lot of online friends
As another 90s preteen, sure, but the internet today has a lot more pedos and groomers online than in the 90s, and preteens today easily share footage of themselves to those adult weirdos, which didn't happen in the 90s because mostly limitations of technology.
BUt if you look at tiktok live it's full of preteen girls dancing, and creepy old men donating them money to the point where tiktok live is basically a preteen strip club. We can't ignore these obvious problems just because we grew up with internet in the 90s and turned out alright.
We have to separate kids from adults on the internet somehow even though i distrust age-verifications systems as they basically remove your anonymity but a solution is inevitable even though it will be faulty and unpopular and people will try to bypass it.
- Chat rooms in early 2000s were full pedos.
And they didn't even try to hide very much.
Look at the story from darknet diaries, where the interviewee talks about setting up an AOL account with girlie name and instantly getting flooded with messages, 9/10 of them being from pedos.
https://darknetdiaries.com/transcript/56/
Don't have any examples myself because I was a spectrum kid at that time, quite oblivious to the idea.
- The solution is parents using the parental control feature on their children’s devices.
If laws need to be made about something it should be to punish those parents who neglect to safeguard their children using the tools already available to them.
If the parental controls currently provided aren’t sufficient then they should be modified to be so - in addition to filtering, they should probably send a header to websites and a flag to apps giving an age/rating.
- Australian laws decided to explicitly not blame the parents and place the responsibility on the platform. Turns out not all parents are responsible adults with a diploma in dark pattern navigation, and some kids don't even have parents. So if the goal is to help the kids, rather than have someone to blame when they get abused, you can't just pass the buck.
- Curious: are you ok with the other laws that are in place in the world to prevent underage people to engage with all sorts of activities? Like, for example, having to show an ID to being able to purchase alcohol?
- The difference is the internet is forever. A one-time unrecorded transaction like showing your ID at the bar is not. It is a false equivalence.
Not only is the internet forever, but what is on it grows like a cancer and gets aggregated, sold, bundled, cross-linked with red yarn, multiplied, and multiplexed. Why would you ever want cancer?
- > It is a false equivalence
It's a false equivalence only if you decide to equate the two. My question wasn't worded that way. I'm curious to know if someone who oppose this type of laws is also for or against other laws that are dealing with similar issues in other contexts.
Also, as I said in another post, there are plenty of places, online, where you have to identify yourself. So this is already happening. But again, I'm personally interested in people's intuitions when it comes to this because I find it fascinating as a subject.
- They aren't comparable. Showing an ID to a staff member isn't stripping my anonymity. I know the retailer won't have that on file forever, tied to me on subsequent visits. Also they stop ID'ing you after a certain age ;)
There isn't any way to achieve the same digitally.
- Actually there is, various age verification systems exist where the party asking for it does not need to process their ID, like the Dutch iDIN (https://www.idin.nl/en/) that works not unlike a digital payment - the bank knows your identity and age, just like they know your account balance, and can sign off on that kind of thing just like a payment.
I hope this becomes more widespread / standardized; the precursor for iDIN is iDEAL which is for payments, that's being expanded and rebranded as Wero across Europe at the moment (https://en.wikipedia.org/wiki/Wero_(payment)), in part to reduce dependency on American payment processors.
- The privacy issue has two facets, when I show ID to get in to a club or buy alcohol, the entire interaction is transient, the merchant isn't keeping that information and the issuer of the credential doesn't know that happened (i.e. the government).
Just allowing a service provider to receive a third party attestation that you "allowed" still allows the third party to track what you are doing even if the provider can't. That's still unacceptable from a privacy standpoint, I don't want the government, or agents thereof, knowing all the places I've had to show ID.
- We have a similar system in Italy so the age verification process itself doesn't personally concerns me that much since the verification process is done by the government itself and they obviously already have my information.
I'm personally more interested in the intuition people have when it comes to squaring rejecting age verification online while also accepting it in a multitude of other situations (both online and offline)
- My main issue is trust.
In real world scenarios, I can observe them while they handle my ID. And systematic abuse(e.g. some video that gets stored and shows it clearly) would be a violation taken serious
With online providers it's barely news worthy if they abuse the data they get.
I'm not against age verification (at least not strongly), but I'd want it in a 2 party 0 trust way. I.e. one party signs a jwt like thing only containing one bit, the other validates it without ever contacting the issuer about the specific token.
So one knows the identity, one knows the usage But they are never related
- > So one knows the identity, one knows the usage But they are never related
I could be wrong but I think this is how the system we have in place in Italy works. And I agree that it's how it should work.
- [dead]
- I know they're not compatible. I'm asking if you're also ok with those. There are also plenty of situations where you are asked to provide an ID, digitally, when above a certain age. For example booking hotels and other accommodations.
Personally I'm still trying to figure out where my position is when it comes to this whole debate because both camps have obvious pros and cons.
- Which hotel asks for id online..? I've only ever had to provide it once on-site and checking in.
And when then, only when I'm in foreign countries.
- Happens quite often with Airbnb for example. You often don't meet the host in person so there's no way to show them a physical ID.
- I'm a lot more okay with that because alcohol purchasing doesn't have free speech implications.
It's weird how radicalized people get about banning books compared to banning the internet.
- > It's weird how radicalized people get about banning books compared to banning the internet.
I don't think asking for age verification is the same as banning something. Which connection do you see between requiring age and free speech?
- First, children also have a right to free speech. It is perhaps even more important than for adults, as children are not empowered to do anything but speak.
Second, it's turn-key authoritarianism. E.g. "show me the IDs of everyone who has talked about being gay" or "show me a list of the 10,000 people who are part of <community> that's embarrassing me politically" or "which of my enemies like to watch embarrassing pornography?".
Even if you honestly do delete the data you collect today, it's trivial to flip a switch tomorrow and start keeping everything forever. Training people to accept "papers, please" with this excuse is just boiling the frog. Further, even if you never actually do keep these records long term, the simple fact that you are collecting them has a chilling effect because people understand that the risk is there and they know they are being watched.
- > First, children also have a right to free speech.
Maybe I'm wrong (not reading all the regulations that are coming up) but the scope of these regulations is not to ban speech but rather to prevent people under a certain age to access a narrow subset of the websites that exist on the web. That to me looks like a significant difference.
As for your other two points, I can't really argue against those because they are obviously valid but also very hypothetical and so in that context sure, everything is possible I suppose.
That said something has to be done at some point because it's obvious that these platforms are having profound impact on society as a whole. And I don't care about the kids, I'm talking in general.
- > narrow subset of the websites on the web
Under most of these laws, most websites with user-generated content qualify.
I'd be a lot more fine with it if it was just algorithms designed for addiction (defining that in law is tricky), but AFAIK a simple forum where kids can talk to each other about familial abuse or whatever would also qualify.
- > but AFAIK a simple forum where kids can talk to each other about familial abuse or whatever would also qualify.
I'm currently scrolling through this list https://en.wikipedia.org/wiki/Social_media_age_verification_... and it seems to me these are primarily focused on "social media" but missing from these short summaries is how social media is defined which is obviously an important detail.
Seems to me that an "easy" solution would be to implement some sort of size cap this way you could easily leave old school forums out.
It would no be a perfect solution, but it's probably better than including every site with user generated content.
- > I'd be a lot more fine with it if it was just algorithms designed for addiction (defining that in law is tricky)
An alternative to playing whac-a-mole with all the innovative bad behavior companies cook up is to address the incentives directly: ads are the primary driving force behind the suck. If we are already on board with restricting speech for the greater good, that's where we should start. Options include (from most to least heavy-handed/effective):
1) Outlaw endorsing a product or service in exchange for compensation. I.e. ban ads altogether.
2) Outlaw unsolicited advertisements, including "bundling" of ads with something the recipient values. I.e. only allow ads in the form of catalogues, trade shows, industry newsletters, yellow pages. Extreme care has to be taken here to ensure only actual opt-in advertisements are allowed and to avoid a GDPR situation where marketers with a rapist mentality can endlessly nag you to opt in or make consent forms confusing/coercive.
3) Outlaw personalized advertising and the collection/use of personal information[1] for any purpose other than what is strictly necessary[2] to deliver the product or service your customer has requested. I.e. GDPR, but without a "consent" loophole.
These options are far from exhaustive and out of the three presented, only the first two are likely to have the effect of killing predatory services that aren't worth paying for.
[1] Any information about an individual or small group of individuals, regardless of whether or not that information is tied to a unique identifier (e.g. an IP address, a user ID, or a session token), and regardless of whether or not you can tie such an identifier to a flesh-and-blood person ("We don't know that 'adf0386jsdl7vcs' is Steve at so-and-so address" is not a valid excuse). Aggregate population-level statistics are usually, but not necessarily, in the clear.
[2] "Our business model is only viable if we do this" does not rise to the level of strictly necessary. "We physically can not deliver your package unless you tell us where to" does, barely.
- The chilling effect of tying identity to speech means it directly effects free speech. The Founding Fathers of the US wrote under many pseudonyms. If you think you may be punished for your words, you might not speak out.
We know we cannot trust service providers on the internet to take care of our identifying data. We cannot ensure they won't turn that data over to a corrupt government entity.
Therefore, we can not guarantee free speech on these platforms if we have a looming threat of being punished for the speech. Yes these are private entities, but they have also taken advantage of the boom in tech to effectively replace certain infrastructure. If we need smart phones and apps to interact with public services, we should apply the same constitutional rights to those platforms.
https://en.wikipedia.org/wiki/List_of_pseudonyms_used_in_the...
- > If we need smart phones and apps to interact with public services, we should apply the same constitutional rights to those platforms.
Are private social media platforms "public services"? And also, you mentioned constitutional rights. Which constitution are we talking about here? These are global scale issues, I don't think we should default on the US constitution.
> We know we cannot trust service providers on the internet to take care of our identifying data.
Nobody needs to trust those. I can, right now, use my government issues ID to identify myself online using a platform that's run by the government itself. And if your rebuttal is that we can't trust the government either then yeah, I don't know what to say.
Because at some point, at a certain level, society is built on at least some level of implicit trust. Without it you can't have a functioning society.
- > Because at some point, at a certain level, society is built on at least some level of implicit trust. Without it you can't have a functioning society.
This is somewhat central to being remain anonymous.
Protesters and observers are having their passports cancelled or their TSA precheck revoked due to speech. You cannot trust the government to abide by the first amendment.
Private services sell your data to build a panopticon, then sell that data indirectly to the government.
Therefore, tying your anonymous speech to a legal identity puts one at risk of being punished by the government for protected speech.
- > You cannot trust the government to abide by the first amendment.
Again, this is a global issue. There is no first amendment here where I live. But the issue of the power these platforms have at a global level is a real one and something has to be done in general to deal with that. The problem is what should we do.
- [dead]
- > The solution is parents using the parental control feature on their children’s devices.
This is a stopgap at best, and to be blunt, it's naive. They can go on their friends' phones, or go to a shop and buy a cheap smartphone to circumvent the parental controls. If the internet is locked down, they'll use one of many "free" VPN services, or just go to school / library / a friend's place for unrestricted network access.
Parents can only do so much, realistically. The other parties that need to be involved are the social media companies, ISPs, and most importantly the children themselves. You can't stop them, but they need to be educated. And even if they're educated and know all about the dangers of the internet, they may still seek it out because it's exciting / arousing / etc.
I wish I knew less about this.
- >> This is a stopgap at best, and to be blunt, it's naive
Not if the rule includes easy rule circumvention. For example, if you could parent-control lock the camera roll to a white list of apps.
Want to post on social media so your friends would see? No can do, but you can send it to them through chat apps. Want to watch tik-tok? Go ahead. Want to post on tik-tok? It's easier to ask parent to allow it on the list, then circumvent, and then the parent would know that their child has a tik-tok presence, and — if necessary — could help the child by monitoring it.
The current options for parent control are very limited indeed. You can't switch most apps to readonly, even if you are okay with your child reading them — it's posting you are worried about.
But in ideal world there would be better options that would provide more privacy and security for the child, while helping parents restrict options if they fell their child isn't ready to use some of the functions.
- yeah I think there is a way to do this elegantly. I didn't have my own device until I was 20 or so actually, and it wasn't a big problem. As a young teenager I could use the family desktop for education and entertainment. I had online friends in my late teens I played games with, and would have done much more so if I had a more more powerful cpu lol. Should mention though, these friends were through in person networks on discord, so I wasn't really in the public square I guess.
So I could explore things but not get into anything naughty.
When I decided to get into software dev I got my own cpu and my own phone once I had a job in dev.
Might seem pretty conservative but it worked, and I'm technical enough now. I wish I would have got into coding earlier but I've done alright so :shrug: Depending on the environment for my kids I'd move the timeline back a little, but not too much. Having too much time and just the unfiltered internet to fill it is too dangerous for young teens.
- In what universe do you live where children have enough disposable income to buy a smartphone ?
- You only need $25-30. It'll be locked to a carrier, but that doesn't matter and is perhaps preferable (no monthly fee for a subsidized device) if you are able to use wifi. There's an ETA prime video which explores using a 2025 Moto 5G as handheld game console: https://www.youtube.com/watch?v=5ad5BrcfHkY
tl;dw it's quite capable for the money and would could easily get on social media apps/sites.
- You can get a usable smartphone for well under 100 USD on AliExpress or a reasonable secondhand one from a reputable brand for about the same price here in Norway on online trading sites. Don't teenagers get pocket money or do weekend jobs any more? My sons were grown up by the time smartphones were affordable but No. 2 son bought his own Siemens C65 with saved up pocket money when he was in his early teens.
- You can get smartphones for 80 dollars (like the moto E15)
- if you make smartphones an 18+ item like alcohol many of these problems would go away.
- That would also spur the market to produce actually nice pure communication devices. Flip phones could stop being for people with AARP cards again and would give better options to adults who don't want the smart phone all the time.
- And have schools stop giving kids laptops or tablets. I wonder how much of the Chromebooks for school incitive was to develop a new market for Google
- It's wild seeing these opinions on hackernews of all places. Do we want future generations to know nothing about computing?
I would not be here if I didn't get my start in my early teen years.
- When I was an early teen I had access to the internet but my activities weren't entirely unsupervised (and I doubt yours were either). Since it was a new technology there was a lot of discussion around how best to talk to children and make sure they felt safe reporting threats or harms to parents.
A smart phone is too disconnected of a device when compared to the desktops we all grew up on. No one is talking about fully banning <18s from the internet (at least no one serious) - it's a discussion about making sure that the way folks <18 use the internet is reasonably safe and that parents can make sure their children aren't being exposed to undue harm. That's quite difficult to do with a fully enabled smart phone.
- Mine was not supervised cause immigrant parents that didn't know anything about computers really. So more or less entirely unsupervised.
By 16 I was regularly ignoring my parents to go to bed when I was up coding or gaming and doing dumb script kiddie stuff on IRC.
I had an adult introduce me to Astalavista (https://en.wikipedia.org/wiki/Astalavista.box.sk)
Thinking back to that I was very well aware of the fucked up part of the internet much more so than most adults around me. People did in fact meet up in person with strangers from the internet even back then.
I think it's more important to teach around age 10-14 about the dark side of the internet so that late teens can know how to stay safe. Rather than simply throwing them into the reality of it unprepared as "adults".
Also frankly I don't want to know the search history of a late teen. There's a degree of privacy everyone is entitled to.
- Do you think the younger generations are properly prepared to view the internet as having a dark side? My impression has been that such an early introduction has caused those warnings to be delayed and lost and younger folks are much more trusting of the internet than most millenials were.
It's also important to acknowledge that kids that used the internet weren't everyone in our day and the usage of the internet varied wildly. While now-a-days it's an expectation for everyone to be at least moderately online (often required by academia) and often that their presences are tied to their real names.
- I think so yes. What's acceptable changes over time. Gore "content" of WW2 is now presented to 12 year olds as history.
It's not the porn or the LiveLeak gore content that would have me worried. It's groomers and other adults with bad intentions. Not something you can easily block and not something this ID check will stop. A groomer will slow burn a social relationship with someone until they are legal adults. That's something you can only teach someone to look out for. And even adults are susceptible to this.
- I remain skeptical. I have some 20sish cousins that seem to be highly aware of the potential dangers online and were pretty clear eyed about it in their teens - but the relatives I have that are five years younger seem absurdly trusting. This is empirical of course but it's concerning to me.
- Many parents of preteens and young teens that I know simply do not allow their childrend to use social media on their own devices. Doesn't sound like that bad a solution.
- Age verification clearly does not work either. Teens will circumvent it, or use alternative technologies.
- just make internet 18+, solves everything. demand ID's at the time of purchase.
- ICE agents will LOVE this one neat hack
- I think firstly the kids need to get education about this subject in school. The dangers online, the tools to use to protect oneself etc.
Secondly the parents need some similar education, either face-to-face education or information material sent home.
It will not prevent everything, but at least we cannot expect kids and parents to know about parental control features, ublock origin type tools or what dangers are out there.
We have to trust parents and kids to protect themselves, but to do that they need knowledge.
Of course some parents and kids don't care or do not understand or want to bypass any filters and protections, but at leaast a more informed society is for the better and a first step.
- >The solution is parents using the parental control feature on their children’s devices.
Yeah but many parents are stupid and want the government to force everyone to wear oven mitts to protect their kids from their poor/lack of parenting. What do you do then?
Remember how since a lot of men died in WW2 so kids were growing up in fatherless homes which led to a rise in juvenile delinquency, and the government and parents instead of admitting fatherless homes are the issue, the "researchers" then blamed it on the violent comic books being the issue, so the government with support from parents introduced the Comics Code Authority regulations.
People and governments are more than happy to offload the blame for societal issues messing up their kids onto external factors: be it comic books, rock music, MTV, shooter videogames, now the internet platforms, etc.
- > but the internet today has a lot more pedos and groomers online than in the 90s
Without some data analysis I honestly don't know. Even before Internet (ex: FidoNet) there was plenty of very bad stuff out there, I don't see any clear reason why the pedos and groomers would have avoided it.
> We have to separate kids from adults on the internet somehow
I think what is much worse than in other mediums is the actual lack of a community that observes. In real life, for many cases, you would have multiple people noticing interactions between kids and adults (sports, schools, parks, shops, etc.), so actions might be taken when/before things get strange. On some of the social networks on the internet it is too much one-to-one communication which avoids any oversight.
So, for me, the idea of "more separation" seems to generate on the long term even more problems, because of lack of (healthy) interactions and a community.
- > i distrust age-verifications systems as they basically remove your anonymity
I think it's technically possible to build a privacy-preserving age verification. I also think it should be done by the government, because the government already has this information.
- > As another 90s preteen, sure, but the internet today has a lot more pedos and groomers online than in the 90s
There were not fewer pedos and groomers online in the 90s, you were just lucky to have avoided it.
- There were ~16mn users of the internet in 1995. As of 2025 there are 5.56bn. Are you saying paedophilia has dropped by 99.7% over 30 years? If so, please provide a source for that claim.
- I think what matters are the percentages. Out of the 16mn users where there more or less than in the general population? I think it is reasonable to think they were as many percentage wise, if not more - because internet provides anonymity which is an advantage.
Nowadays with the number of users of the internet converging slowly to the total populations, the percentages are probably converging as well.
- [dead]
- [dead]
- The frustration aimed at Discord et al is largely misplaced. I'm sure these companies don't mind gathering extra data about their users, but the primary impetus for age verification is government legislation. Moving to alternative platforms is not a long term solution because it's attacking the problem from the wrong direction.
- Not just government legislation, but also lawsuits. I'm confident that Discord is a hotbed of all kinds of abuse and inappropriate / adult content, a lot targeting younger generations, and most of their resources are spent on that. Age verification doesn't solve that problem per se, but it makes things a bit easier.
The challenge with "protect the children" is not only evildoers targeting them, but targets actively seeking things out. They'll be the first ones looking for ways to circumvent age verification.
- It seems to me that also if you succeed in making child-only spaces, those spaces become a magnet for adult abusers. They become an all the more desirable prize for them. Whereas spaces like this - hacker news, that is - don't need any age verification because although it's a safe bet some users are underage here too, the abusers would have to search a long time for them and the seemingly most common manipulation techniques (like pretending to be a child yourself) probably wouldn't work.
- [dead]
- I agree that government legislation is part of the equation, but I don't agree that moving to other platforms is not a solution. If Discord were to witness a significant exodus of paying users because of this new verification process, they would probably start fighting the fight themselves.
That said, I don't expect this to happen, switching is very hard for many reasons.
- This is it. Governments dont care when the peasants gripe. But hit the corps in the wallet and youll see some actual pressure exerted.
- I meant that it's not a solution for users looking to avoid similar intrusions. When alternative platforms get big enough they'll be faced with the same legislative burdens. Of course there are decentralized options, but one of the primary attractions of these centralized services is that everyone's on there.
- The point is that the alternative platforms should be small per-community chat servers run by their users. A one-click installation on a $5/mo web host like DO or Vultr or similar. Good luck policing them away.
- You act like public opinion has no bearing on politics.
Historical precedent: prohibition.
Alternate future: the big websites start losing billions because people just use the internet less or not at all because it's a hassle with no return, and tax revenue drops. Then the politicians start to worry.
Even in the absence of democracy, public opinion affects politics.
- The problem is that public opinion is now very much in favor in general. https://www.ipsos.com/en-uk/britons-back-online-safety-acts-...
- Yes the same outraged users were totally fine with giving Discord all their personal conversations.
- The point is that 1) someone can claim there is a verification so we protect kids 2) but more importantly, there is a lot of money to be made selling verification solutions and usually these SaaS companies are owned by regulators and their buddies who make the rules about verifications.
Compliance industry has grown from zero to $90B after we cracked the nut everything needs compliance.
Here is a good book about the topic https://www.amazon.com/Compliance-Industrial-Complex-Operati...
- Speaks to the network effect I guess. People did not decide inorganically to make Discord big, and simillarly, its pretty hard to convince people to make an inorganic decision to make it small. Overtime it might happen if there is a valid alternative but expecting people to leave discord because of this thing is naive.
- I can't speak about this being a current law, but there were laws in multiple US states at various times that prevented you from storing facial data on the server. In turn features like snapchat's face filters were doing all the relevant computation locally on the device (which back then was certainly a complicated achievement).
US tech companies are constantly under FTC audit relating to how they use user data. This is certainly not something that needs to be seriously worried about, certainly less so than say the way in which cameras placed all over cities are used to track all sorts of people or storing GPS locations attached to a specific devices UUID.
- Yeah, isn't facial recognition metadata about relationships between facial features? Nothing about that statement makes me more at ease.
- Yep, it sounds like it was written to be falsely reassuring and it doesn't hold up to scrutiny. Facial recognition works on data, not just images, such as the ratios between features, jawline, cheek structure, etc... Most people won't spot this.
- Correct. AIM, YIM, MSN, Skype... to name a few all were giants that came before Discord. There will be alternatives over time that will overtake Discord.
- [flagged]
- You forgot one (the sane one, which is coming soon anyway):
Using a government issued eID system. The EU is going to rollout eID in a way that a site can just ask “is this person > age xy?”. The answer is cryptographically secure in the sense that this person really is this age, but no other information about you has to be known by the site owner.
Which is the actual correct way to do it.
I don’t understand why all the sites go crazy with flawed age verification schemes right now, instead of waiting a until the eID rollout is done.
EDIT: I forgot to mention that it’s only the correct way if the implementation doesn’t give away to your government on which sites you browse… Which I believe is correctly done in the upcoming EU eID but I could be wrong about it.
- What I don't understand about this approach is if it's truly completely privacy preserving what stops me from making a service where anyone can use my ID to verify? If the site owner really learns nothing about me except for my age then they can't tell that it's the same id being used for every account. And if the government truly knows nothing about the sites I verify on they can't tell that I'm misusing the id either. So someone must know more then you are letting on.
- One possible solution idea I just had is having the option of registered providers (such as Discord). They would have a public key, and the user has a private key associated to their eID. They could be mingled in such a way to create a unique identifier, which would be stored by the provider (and ofc the scheme would be such that the provider can verify that the mingled identifier, was created from a valid private key and their public key).
This would in total make sure that only one account can be created with the private key, while exposing no information about the private key aka user to the provider. I am fairly certain that should work with our cryptographic tools. It would ofc put the trust on the user not to share their eID private key, but that is needed anyway. Either you manage it or it gets managed (and you lose some degree of privacy).
- The hole is closed with per-site pseudonyms. Your wallet generates a unique cryptographic key pair for each site so same person + same site = same pseudonym, same person + different sites = different, unlinkable pseudonyms.
"The actual correct way" is an overstatement that misses jfaganel99's point. There are always tradeoffs. EUDI is no exception. It sacrifices full anonymity to prevent credential sharing so the site can't learn your identity, but it can recognize you across visits and build a behavioral profile under your pseudonym.
- presumably you'd just use unique one time codes derived from the eID
- I fail to see how that solves the problem? That's what I'm saying my service would provide. Unless the eID has some kind of client side rate limiting built in I can generate as many of them as I want. And assuming they are completely privacy preserving no one can tell they were all generated by the same ID.
- https://github.com/eu-digital-identity-wallet/av-doc-technic...
> Since Proof of Age Attestations are designed for single use, the system must support the issuance of attestations in batches. It is recommended that each batch consist of thirty (30) attestations.
It sounds like application would request batch of time-limited proofs from government server. Proofs gets burned after single use. Whether or not you've used any, app just requests another batch at a set interval (e.g. 30 once a month). So you're rate limited on the backend.
Edit: seems like issuing proofs is not limited to the government, e.g. banks you're client of also can supply you with proofs? (if they want to partake for some reason). I guess that would multiply numbers of proof available to you.
- Ok I have been convinced this is a technically feasible solution that could preserve privacy while reasonably limiting misuse. That said I'm worried that the document you linked does not require relying parties implement the zero knowledge proof approach. It only requires that they implement the attestation bearer token approach which is much weaker and allows the government to unmask an account by simply asking the relying party which attestation token was submitted to verify the account.
> Relying Party SHALL implement the protocols specified in Annex A for Proof of Age attestation presentation.
> A Relying Party SHOULD implement the Zero-Knowledge Proof verification mechanism specified in Annex A
- You could do some scheme that hashes a site specific identifier with an identifier on the smart element of the id.
If that ever repeats, the same I'd was used twice. At the same time, the site ID would act as salt to prevent simple matching between services.
- People do, in fact, have multiple profiles. For very valid reasons.
- the solution to this seems to be to issue multiple "IDs". So essentially the government mints you a batch of like 30 "IDs" and you can use each of those once per service to verify an account (30 verified accounts per service). That allows for the use case of needing to verify multiple accounts without allowing you to verify unlimited accounts (and therefor run into the large scale misuse issue I pointed out).
If you need to verify even more accounts the government can have some annoying process for you to request another batch of IDs.
- This is a solved problem in the authentication space. Short lived tokens backed by short lived keys.
A token is generated that has a timestamp and is signed by a private key with payload.
The public key is available through a public api. You throw out any token older than 30 seconds.
Unlimited IDs.
That's basically what you want.
- There are also alternatives that can be good enough, such as the Swedish BankId system, which is managed by a private company owned by many banks. They provide authentication and a chain of trust for the great majority of the population on about all websites (government, healthcare, banking and other commercial services) and is also used to validate online payments (3D Secure will launch the BankId app).
While it's not without faults (services do not always support alternative authentication which may support foreigners having the right to live in the country), it has been quite reliable for so many years.
So just to say, you can have successful alternatives to a government controlled system as many actors may decide it is quite valuable to develop and maintain such a system and that it aligns with their interest, and then have it become a de-facto standard.
- How does that prevent the ID service from discovering which services you use it for?
- Sites need to deal with Australia, which punted all responsibility to the platforms and provided no real assistance (like say the government half of the eID system that manages all the keys and metadata)
- > Sites need to deal with Australia
Do they? The UK’s population is more than double of Australia’s and some websites (e.g. imgur) are outright blocking the UK.
- All publicly-listed ad delivery systems like Meta do in fact need to deal with high-income countries.
They can't afford to and will never strike off 100m Brits and Aussies, and that number will only rise with more high-income countries making regulation.
- imgur blocking the UK is not due to ID verification, but because they refused to stop making money off childrens data.
- "Papers, please" is the fastest and slipperiest slope to authoritarianism. Europeans are ironically blasé.
- Its like it is evolving in front of our eyes! Eventually they might get somewhere that meets all the requirements, natural selection governed by lawsuits.
- This comment is so LLM-generated.
- The real and robust method will be generating artificial video input instead of the real webcam. I really don’t think any platform will be able to counter this. If they start requiring to use a phone with harder to spoof camera input, you will simply be able to put the camera in front of a high resolution screen. The cat and mouse game will not last long.
- > I really don’t think any platform will be able to counter this.
Do platforms want to counter it?
Seems to me with an unreliable video selfie age verification:
* Reasonable people with common sense don't need to upload scans of their driving licenses and passports
* The platform gets to retain users without too much hassle
* Porn site users are forced to create accounts; this enables tracking, boosting ad revenue and growth numbers.
* Politicians get to announce that they have introduced age controls.
* People who claimed age checks wouldn't invade people's privacy don't get proven wrong
* Teens can sidestep the age checks and retain their access; teens trying to hide their porn from their parents is an age-old tradition.
* Parents don't see their teens accessing porn. They feel reassured without having to have any awkward conversations or figure out any baffling smartphone parental controls.
Everyone wins.
- I think you forgot :
* authorities get to selectively crack down on sites for not implementing "proper" age verification. The sites never had a widespread problem with grooming to begin with but just so happened to have a lot of other activity that the authorities didn't like.
Having everyone operate in a gray area is dangerous and threatens the rule of law.
- Discord does have a problem with grooming.
- I did not mean to talk about Discord specifically but all sites which will be required to do age verification.
It wouldn't be hard to imagine a situation where social media sites leaning towards the government (e.g. Truth Social, X or the like) will be getting a free pass on using age verification methods which are easy to bypass while social media sites that are more critical (e.g. Reddit) will be sanctioned into implementing the strictest and most privacy invading measures. The end result is that people choosing the path of least resistance will be lead to the government-leaning sites.
- It depends. If the law says "you must perform such-and-such steps to verify age" then no, they don't care if you can counter it. If the law says "you must use an approach that is at least x% effective" then yes they do care if enough people counter it.
We already had a half-assed solution, where websites would require you to press the button that says "I am over 18". Clearly somebody decided that wasn't good enough. That person is not going to stop until good enough is achieved.
- How about just requiring browser, OS vendors, and phone makers to give parents real child accounts that are easy to use and keep kids off the Internet?
- There are a lot of actual solutions that could be implemented that don't invade privacy, but that's the point. These rules are all designed TO invade your privacy. They're designed for you to give up your online anonymity and make you accountable for your speech and actions online.
- > They're designed for you to give up your online anonymity and make you accountable for your speech and actions online.
They're designed destroy anonymity to give the in group pretext to persecute the out group. It will be propagandized as accountability but it will be anything but.
- Is this serious or meant as satire about us-vs-them framing?
- Both can be right. Some people in the debate think it's very important to check ages, while other people want to collect data, and a third group of people want excuses to shut down platforms.
The US is repealing section 230, and it appears to be a pretext for shutting down platforms that don't block anti–Trump speech. Australia has an age verification law that seems to actually be about keeping kids off social media.
- I would rather avoid having the government decide what I should run on my devices, private companies are already bad enough.
- I'm becoming increasingly cynical that the lack of privacy in online communication is what most of the sponsors of these bills are after, and people thinking of the real harms to children are useful to them.
- This would suddenly mean no more custom browsers, no more custom OSes, and I doubt they'd cater to the Linux and BSD crowds with this one. It's something the OSS community has been trying to fight for the last 4 decades. With a full-on government requirement this would lock you to the vetted platforms while letting anything other get in would be illegal for the site owners.
- It doesn't mean any of that? The point is that the parent, not the child, is the owner of the device. So the parent can restrict the device they own before handing it off to the child (or the same with accounts on the same device).
- That’s what we currently have with parental controls. If they wanted the OS to check for the parent legally being an adult, that would rule out custom OSes and browsers which couldn’t be trusted (by the government) to check for that.
- Not really, they'd just have to send the "I'm a child" header if the "I'm a child" flag is set. Linux could have /etc/childlocked set to 1 — a global setting instead of per account isn't ideal, but it would satisfy the law.
- Until somebody (likely a politician or anti-porn advocacy group) decides to poke the bear and ruin it
- [dead]
- If we normalize this shit everyone will lose.
> Reasonable people with common sense don't need to upload scans of their driving licenses and passports
Cue random bans.
> People who claimed age checks wouldn't invade people's privacy don't get proven wrong
And? Is that supposed to change anything?
- > Everyone wins.
Only if the lawmakers agreed.
- > Porn site users are forced to create accounts
I'm curious the sites that enforce this like 'your state has banned...' what traffic loss they have. Because I'm not gonna sign up for a porn site lmao, the stigma
- Don't Windows Hello camera devices have some kind of hardware attestation? I'm sure verification schemes like this will eventually go down that path soon.
My guess is that's probably one of the reasons Google tried to push for Play Store only apps, provide a measurable/verifiable software chain for stuff like this.
- That the camera is real doesn't imply the thing it's viewing is real.
- You're not wrong, but I have had to do video verification over a phone once, and it seemed quite advanced. It would flash through a number of colors and settings and take probably 30 frames of you. I presume they're checking for "this came from a screen and not a human", but of course I have no idea how it works, so I don't know if it's truly sophisticated or not.
- As I understand it, 'Windows Hello' requires a near-IR image alongside the RGB image.
It's not the fancy structured light of phone-style Face ID, but it still protects against the more common ways of fooling biometrics, like holding up a photo or wearing a simple paper mask.
- Fair enough. That removes the virtual option, and you'll be forced to point the camera at your older brother.
- Windows Hello cameras are all "depth" cameras so a flat photo won't pass muster.
- Two flat images, one for each of the sensor's camera
- That’s not how they work. They emit structured light in the form of an array of infrared dots and they measure the time of flight to where the dots strike something.
Maybe new ones are different but that’s how they used to be. Little Kinect devices, really, for sensing faces instead of whole people.
- You are exactly right. There's a description here:
https://learn.microsoft.com/en-us/windows-hardware/design/de...
These cameras are considered a "secure biometric" device and AFAIK nobody has faked them. I've flagged the poster who said "try two flat images"
- You don't need to flag people who make a mistake.
- Did you report your neighbours for skirting covid rules to?
- >I've flagged the poster who said "try two flat images"
Hello there! It appears you are misapplying the flagging system. While the suggestion may be incorrect, it is not an "egregious comment".
In addition, your comment doesn't follow the Hacker News Guidelines:
https://news.ycombinator.com/newsguidelines.html
Don't feed egregious comments by replying; flag them instead. If you flag, please don't also comment that you did.
Have a great day!
- [dead]
- Yes they do. Part of the reason why you can't use certain webcams that are Windows Hello compatible (I.e. with IR) in recent versions of Windows.
- IIRC they had these fingerprinting pads?
- They already support ID checks as an alternative to face scanning, if the latter proves to be untenable then it's literally a case of flipping a switch to mandate ID instead.
- The long term solution would have to be some kind of integration with a government platform where the platform doesn’t see your ID and the government doesn’t see what you are signing up for.
I don’t this will happen in the US but I can see it in more privacy responding countries.
Apple and Google may also add some kind of “child flag” parents can enable which tells websites and apps this user is a child and all age checks should immediately fail.
- I do like the idea of the “this is a child” taint (ok, terrible name but I really think it should be a near-unremovable thing on a platform like Apple’s that’s so locked down/crypto signed etc).
Like, you’d enroll it by adding a DOB and the computer/phone/etc would just intentionally fail all compatible age checks until that date is 18 years in the past. To remove it (e.g. reuse a device for a non-child), an adult would need to show ID in person at Apple.
Government IDs could be used to do completely privacy preserving, basically OpenID Connect but with no identifying property, just an “isEighteenOrMore” property. However, i agree it’ll never happen in the US because “regular” people still don’t know how identity providers can attest without identifying, and thus would never agree to use their government ID to sign into a pornsite. And on top of all that yeah nobody trusts the government, basically in either party, so they’d be convinced the government was secretly keeping a record of which porn sites they use. Which to be fair is not entirely unlikely. Heck, they’d probably even do it by incompetence via logs or something and then have people get blackmailed!
- When I played an MMOG, if the admins found out that a child was underage, it was customary for them to suspend their account until their 13th birthday. I thought this was a clever policy, but I just can't understand the reverse of authenticating someone's age based on that of their account...
- This assumes people are putting in their real birthdays, which IMO is a terrible practice to encourage.
I never put in my real birthday. It's just one more datapoint to leak in an inevitable hack and help scammers exploit me.
Just because a website sticks a field on a form, doesn't mean you need to fill it out.
I can think of maybe 1 website I use that has a legitimate use to know this info about me... and a dozen that use my fictious birthday for no other purpose than an excuse to market at me under the shallow guise of a 'Happy Birthday' email.
- There are many websites that believe I was born on January 1st, in a year close to my actual birth year.
When it's actually required by some law or regulation (e.g. financial stuff) I give my actual birthday. But when some site is just wanting to comply with age verification? Yep, I'm over 30, so you don't need to see my identification. (Jedi hand wave).
- Well, they would have the legal right to force-choke your account, or chain your partner to a golden bikini, when they discover that you weren't abiding by the Terms and Conditions which you agreed to. Seems fair.
- They were not, actually.
IIRC, it went like this: the account creation screen prompted them for a birthdate. They entered a fictitious one and pretended to be over 13. (I saw my niece do this in front of me, and I just sighed a very heavy sigh. She was way more interested in Club Penguin.)
Then later, they let the cat out of the bag. They tell their friends "lol I'm only 10! Today's my birthday, so give me a hat!" or something. And so if they claimed they're 10 they got 3 years suspension.
I think there was never any verification done, and no verification was possible: think about it, under COPPA, a service in the USA cannot collect PII from children under 13, so what do you do when a kid gives you two contradicting datapoints? Err on the side of caution.
I gave Yahoo! a false birthdate when I signed up. I was 27, but I also just felt they weren't entitled to knowing it. However, I soon found that maintaining a fraudulent identity is tiresome and error-prone. And Yahoo! wouldn't let me simply change my birthdate as often as I wanted to.
I once had a conversation with a friend about cheating on IRS taxes. She said "can you lie to a piece of paper?" like fudging numbers wasn't like lying to an auditor's face. It was a rhetorical question, of course.
- > where the platform doesn’t see your ID
ID checks aren't very worthwhile if anyone can use any ID with no consequences.
How long would it take for someone's 18 year old brother to realize they can charge everyone $10 to "verify" everyone's accounts with their ID, because it doesn't matter whose ID is used?
- Ok, at which point an adult has taken responsibility for giving them access.
The older brother could also rent an R (or x) rated movie, buy cigarettes, lighters, dry ice, and give them to the kids. The point of the age check is to prevent kids from getting access without an adult in the loop, not to prevent an adult from providing kids access
- This is a good point. We could extend it to computing devices: An adult gives a child access to a device, and now the adult is in the loop and takes responsibility. If said adult (parent, most often) want to automatically restrict certain activities/content on the device they can use the parental controls available. No panopticon required.
- You can only keep the adult in the loop if you have a panopticon that traces back to said adult.
- The system doesn’t have to be bulletproof. It just has to be better than the free for all it is today.
- Better?..
- Yes, there are good use cases for an anonymous age gate. So making one would be better than today's situation.
- I see this currently being pushed by some politicians in the EU. And I have a slight suspicion that some of these politicians are literally lobbyists.
The "oh my god, think of the children" is similar to "oh my god, think of the terrorists". I am not saying all of this is propaganda 1:1 or a lie, but a lot of it is and it is used as a rhetoric tool of influence by many politicians. Both seems to connect to many people who do not really think about who influences them.
- this is already how the EU infrastructure for digital ID works, basically. Using public/private keys on your national id, the government functions as a root authority that you (and other trusted verifiers downstream) can identify you with and commercial platforms only get a yes/no when you want to identify yourself but have no access to any data.
South Korea also has had various versions of this even going back to ~2004 I think.
- Yes, it has been possible for a long time to provide anonymous attestations. But somehow, they also always seem to require that you have something like Google play services running for you to ask for the attestation in the first place. And with PKI, even though they could do with just the public key, they somehow also always insist on generating the keys for you (so they have the private key as well).
- It's nice that the platforms don't get access to data, but does the government gets information about who is trying to access what?
- Do all EU countries have that? I know our (German) ID works that way, using the FOSS AusweisApp, but I hadn’t heard of it being EU-wide (it should be, though).
- Spanish ID cards have had an X. 509 cert inside them for more than 10 years, I use it all the time to sign documents and access government sites. There is already legislation and a push for an EU-wide digital identity wallet that should be up and running this year, look up eidas 2.0 and the EUDI wallet.
That looks like it should make things like privacy compatible age verification "trivial".
- Thanks, that looks very cool, and apparently close to coming into effect.
- It's been a slow rollout but yes, it's an EU wide thing. Slovenian IDs issued after around 2022 have them too.
- ID is much easier to forge, it's just a flat 2-d shape. None of the physical security features come through in images.
- In functioning states, the ID contains a chip with a private key that can be used to sign a message, and ID verification would not be an image of the ID card, but rather holding your phone's NFC reader to the card and signing a message from the site.
In Japan, there are already multiple apps which use something like this to verify user's age via the "my number card" + the smartphone's NFC reader.
It's more or less impossible to forge without stealing the government's private keys, or infiltrating the government and issuing a fraudulent card.
Of course, the US isn't a functioning state, the people don't trust it with their identity and security and would rather simply give all their information to private companies instead.
- > In Japan, there are already multiple apps which use something like this to verify user's age via the "my number card" + the smartphone's NFC reader.
Does this also leak your identity to the app?
- There is not a way to share just your date of birth. After providing your PIN it can read more than just your date of birth.
- That's... partially true.
If you use the _digital_ MyNa card (e.g. the one in the Wallet.app; not the plastic one); the iOS SDK lets you only request the "is user more than XX years old" flag; without getting the actual identity: https://developer.apple.com/documentation/passkit/requesting...
Now, AFAICT nobody actually does this, but the technical ability is there.
- When I had to prove my passport for my bank over a video call they told me to rotate it around in the sunlight to show that it had the holo-whatever ink. So I wouldn't put it past them.
- A call requires a human, which is inherently not scalable. And even humans have trouble distinguishing AI content these days.
- And it's not like Discord actually cares. They just care about appearing like they care. Something to keep the heat off of them from regulators and angry parents.
- Discord built its own TSA?
- A “video call” perhaps requires a human, but the type of test described need not be a video call. One can imagine a network trained to distinguish a fake id card from real one from a video recorded where the user is asked to move the card such that the holograph is glinting in the sunlight.
- They can't feasibly do this in the US since many people don't have drivers licenses or passports.
- Don't you have to be over 18 to get a credit card in the US? How many wouldn't be able to present a CC or ID?
- Age verification requires a document that can be matched to your ID, such as by the photo on your ID card.
Credit cards don't have photos.
> How many Americans wouldn't be able to present a CC or ID?
The number of Americans who don't have a government issued photo ID is estimated around 1%. The number gets larger if you start going by technicalities like having an expired ID that hasn't been renewed yet.
The intersection between the 1% of 18+ Americans who don't have an ID and those who want to fully verify their Discord accounts is probably a very small number.
- At least in Australia you absolutely can have a debit card under 18 and it’s extremely common for adults to not have a credit card.
- > At least in Australia you absolutely can have a debit card under 18
Same in the UK, but Steam uses credit cards for age verification there and refuses if you provide a debit card instead. Evidently the payment backends can tell credit and debit apart.
- When does steam require age verification?
It sometimes asks for my age for viewing a game and I can input any ol' date I want to. It doesn't even flinch if I input a different date every time.
I also don't recall them asking about my age when I was actually underage and paid using a PaySafeCard, but then again they didn't have porn on the platform at that point either.
- > When does steam require age verification?
They only enforce it in the "mature sexual content" category, which mainly applies to porn games. For everything else, including the "some sexual content" category, they still just take your word for it.
- > Evidently the payment backends can tell credit and debit apart.
Yeah those are parallel systems for reasons that amount to technical debt.
- Only to have your own card. You can be an authorized user on a credit card even if you're under 18.
- Ah right. That's no use for verification then, unless there's a way for payment gateways to distinguish the primary user from their authorized users.
- Those without driver's licenses or passports can get a state ID card instead, if I'm not mistaken. A pain, but an option.
- wat. the majority of Americans have a DL, ID, or Passport. What a silly thing to say.
For DL alone:
>Data indicates that approximately 84% to 91% of all Americans hold a driver's license, with roughly 237.7 million licensed drivers in the U.S. as of 2023.
Add in an ID and Passport and we are likely closer to 99%
- Yep. You basically cannot function in legal society without an ID. If you are an adult and don't have ID you are intentionally trying to live a cloaked life and it won't be very easy.
- Yeah that’s not true. It’s a lie. And we all know why it’s a lie. Adults in the US with ID is 99%
- *Citation needed
> Nearly 21 million voting-age U.S. citizens do not have a current (non-expired) driver’s license. Just under 9%, or 20.76 million people, who are U.S. citizens aged 18 or older do not have a non-expired driver’s license. Another 12% (28.6 million) have a non- expired license, but it does not have both their current address and current name. For these individuals, a mismatched address is the largest issue. Ninety-six percent of those with some discrepancy have a license that does not have their current address, 1.5% have their current address but not their current name, and just over 2% do not have their current address or current name on their license. Additionally, just over 1% of adult U.S. citizens do not have any form of government-issued photo identification, which amounts to nearly 2.6 million people.
From https://cdce.umd.edu/sites/cdce.umd.edu/files/pubs/Voter%20I...
- That seems like a good citation, but it supports the 99% number above
> Additionally, just over 1% of adult U.S. citizens do not have any form of government-issued photo identification, which amounts to nearly 2.6 million people.
The rest of the statistic is about driver's licenses specifically, including technicalities like expiration dates and address changes. The online ID check for age verification don't care about the address part anyway, in my experience.
If someone has an expired drivers' license or they changed their name and haven't updated their IDs, they have bigger problems than age-verifying their Discord accounts.
- My driver's license was expired for 8 years until last year. I wasn't driving so the pressure to renew it was very low.
I actually only renewed it to get medical care and because renewing the license was only a little more expensive than getting an ID-only card.
It did prevent me from using some porn sites because my state requires ID verification but many sites just ignore the requirement so I just didn't use the sites that required ID.
- [dead]
- Somehow they don’t have trouble getting an ID when they want to buy alcohol
- It only takes one person with ID buy alcohol for a group.
- A lot of people don't drink alcohol.
- Also, in a lot of states you don't get IDed for alcohol after about age 35.
- It's a sad reminder that I look as old as I am.
- Personal Identity Verification (PIV) and Common Access Card (CAC) credentials used by US government & military via NFC already work on web browsers. States should just move to digital IDs stored on smartphones, with chain of trust up through the secure element...
- This is extremely dangerous, and would only work with hardware/software that is nonfree (i.e., not under the user's control, or any attestation could be spoofed).
- This is effectively PKI for personhood. The State DMV acts as the Certificate Authority (CA), signing a "leaf certificate" that is bound to the device's hardware Secure Element.
It’s less like a TLS handshake and more like OpenID for Verifiable Presentations (OID4VP). The "non-free" hardware requirement serves as Remote Attestation—it allows a verifier to cryptographically prove that the identity hasn't been cloned or spoofed by a script. The verification happens offline or via a standard web flow using the DMV’s public key to validate the data signature, ensuring the credential is authentic without requiring a phone-home to the issuer.
- So centralizing control over personhood. Got it.
- > Personal Identity Verification (PIV) and Common Access Card (CAC) credentials used by US government & military via NFC already work on web browsers. States should just move to digital IDs stored on smartphones, with chain of trust up through the secure element...
I think you're... missing the point of the pushback. People DO NOT WANT to be identified online, for fear for different types of persecution.
- And lose every user in the process
- Is there any data on what kind of hits to enrollment were taken by facebook, gmail etc when they added requirements like a phone #? Maybe it's buried in their sec filings. Anyway, this "cat and mouse" game is probably irrelevant. They're not looking for and don't need a perfect system. Bc 99% of the public couldn't care less about handing over their information.
- Google does not require a phone number. They may ask for one and tell you it's for your own good, but you can skip the request.
- Is there any data on what kind of hits to enrollment were taken by facebook, gmail etc when they added requirements like a phone #? Maybe it's buried in their sec filings.
- I think you massively overestimate how many people actually care.
My guess is that 95% or more of all Discord users do not care and simply upload their selfie or ID card and be done with it. I know I will (although they did say that they expect 80%+ to not require verification since they can somehow infer their age from other parameters)
- Remember digg?
I've already cancelled my Nitro account. I'm quite active on a ~5k member programming server and we're giving Zulip another try. I think it's unlikely we'll stay on Discord.
Obviously anecdotal, but eventually this adds up.
- Also cancelled my Nitro after 5 years.
This whole thing being "for the safety of kids" is obviously a farce just to get more user data because Nitro users supposedly will have to do the ID check as well, but if you're paying with a CC/Paypal, you are obviously of sufficient age to not require an ID check.
- Those 5% are the unusual sorts that separate Discord from Facebook.
- > I know I will
Are you a minority, LGBTQ+, etc or of a "different" political persuasion that might have any reason to be distrustful of the US government? If so, you probably wouldn't just "be done with it".
- No, I'm not, and I also don't live under an opressive government that tracks those people down. I simply don't care if the us government or some random US company knows about what I play, eat, talk about or who I sleep with. And my guess is that outside the US LGBTQ+ and "different political view" bubble, most people also don't care. And that bubble makes up maybe 5% of Discord's user base
- The real question is, how much of the "terminally online" population who is more likely to use paid Discord features?
- Most people under the driving age don’t have ID’s, at least in the US.
- [dead]
- > The cat and mouse game will not last long.
Yes but for completely different reasons: I will not bother to play the game and stop using the platform.
- > you will simply be able to put the camera in front of a high resolution screen
Are you sure it's that simple? How high does the resolution need to be for the camera to not be able to tell? And I'm sure there are sublet clues. Remember, you can't modify the photo or change the camera.
- you counter this by using an id verified service like login.gov or okta verify.
That's the endgame and what the EU really wants. No poasting unless they can arrest you for inconvenient memes.
- Yes this is spot on. Apple & Google mobile platforms are locked down tight for this reason. Try installing okta verify on graphene OS. You cannot.
- They're getting worse with attested and validated environments. This one of the reasons that google is trying to kill sideloaded apps and checking for root access.
Weird thing.. the people who want this validation fully expect for you to pay for, maintain, keep it valid, and pay for upkeep/service for their desires. Honestly, this is something that SHOULD get very aggressive pushback.. but most people accept for no reason.
- It's not "accepting" - it's actual wanting. Many people want surveillance. Many people want age verification.
- A vague answer that says nothing and can't be proven. Thank you for wasting our time.
- Wow. The EU.
- yes, avoiding EU fines and ensuring availability there is most likely the motivating factor behind the change.
- There's no need to counter it, the whole point is to hit the social aspect of being on these platforms. If even half the kids can't figure out how to make it work, then a massive part of the problem is solved because a much larger percentage are only using it due to network effects.
- But how many users will do so? 1%? 5%?
Also, they will probably find that out, and the moment people do so, they become suspicious to state actors. I understand the rationale behind the work around you described; I just don't think it will be a huge factor. I see this elsewhere too - for instance, I use ublock origin a lot. But how many people world wide use it? I think never above 30%, most likely significantly fewer (or perhaps all anti-advertisement extensions, I think it most definitely is below 50% and probably below 30% too).
- They could do what a bank does and run everyone's ID through chexsystems. It's really hard to defeat this. Fake identities don't exist in the system and stolen ones would get flagged by geographic, time of use and velocity rules.
- Doesn't work for places like Australia, where the social media ban applies only to under-16s. Teenagers rarely have ID, especially in countries where the minimum driving age is higher than 16 (read: most of the world outside the US).
- The concept of identity doesn't necessarily have to be embodied by a piece of physical plastic that goes into a wallet.
Ad-hoc identification can occur via other means like dynamic knowledge based authentication. The sources of this mechanism can be literally anything. Social media itself being one obvious source for the target cohort.
You can walk into many US financial institutions without an ID and still get really far using KBA workflows. The back office will hassle you for a proper scan of a physical ID, but you can often get an account open and funded with just KBA.
- Knowledge-based authentication is a joke - it doesn't work at all.
This basically only gets used for businesses that need a fig leaf for regulatory purposes. You know, $30 loans for uber eats and tiny loans like that.
- Unix and Windows and MacOS and every computer since 1970 has relied on knowledge-based authentication, so let's cool the hyperbole.
In the nomenclature of Multi-Factor Authentication, "something you know" is one factor. So if you know a password and you have a hardware token, that's 2 factors and combining different types is the key to MFA.
Many "knowledge based authentication" tries to string together "things you know" without a different type, and that's a weakness.
However, it can be strengthened through various techniques. If a human is authenticating you in real-time, they may choose a factoid that an impostor is unlikely to know which may be agreed in advance. For example, the security questions combined with other challenges, or a "curve ball" that may elicit a stutter, pause, or prevarication. This is a dynamic method that bob refers to.
In fact, knowledge-based quizzes are used routinely by credit reporting agencies -- the big ones like Experian. And they've been presented by background check services, too. They work like this: they scrape your credit reports and public records in a deep dive for your old addresses, employers, contact info, a whole smorgasbord of stuff. Maybe attackers know some of it. But it's multiple choice: "which of these did you live at? None of the above? All of them?" "Which one of these wasn't your employer?" And the attacker would need to have the same list of public records, and also know the wrong answers! Knowing the wrong answers is the "curve ball" here! How many attackers know that I didn't work for Acme, Inc, and I never lived in San Antonio?
It's also worth pointing out that I've opened at least 3 bank accounts without setting foot in a bank. Even if yours is brick-and-mortar, they probably have a flow on their website for account creation and funding. It is not difficult to satisfy their ID requirements. If they glitch, then you're just flagged a bit, and you follow up as instructed. I've also authenticated identity to the federal government agencies, and accessed several DMV services, using only the apps and websites.
People may feel reticent about establishing their identity online, but isn't it better that you do it first before someone else does? If your identity is known and registered and builds up data points that correspond to you, aren't you less likely to be a victim of fraud or identity theft when things don't add up?
- > In fact, knowledge-based quizzes are used routinely by credit reporting agencies -- the big ones like Experian. And they've been presented by background check services, too.
Yes - and they don't work.
> They work like this: they scrape your credit reports and public records in a deep dive for your old addresses, employers, contact info, a whole smorgasbord of stuff.
Most of which don't work on an 18-year-old. No credit history, no past employers, no bill payments, no history of moving houses, address is their parents' house.
There is no smorgasbord. There's name, date of birth, parents' address - all of which are widely known matters of public record (which is why the credit rating agency has them in the first place).
> But it's multiple choice: "which of these did you live at? None of the above? All of them?" "Which one of these wasn't your employer?"
Fantastic, the credit rating agency has just told the fraudster several of your past addresses, and your past employers.
Sure, there's a phony or two in the list - but the fraudster can try as many times as they want, comparing employer and address lists between different credit applications.
- There is an easy solution to this - require a government ID, and only permit government IDs that can be verified with the state's government.
There are a lot of countries and US states where such validation is possible.
Given the state is mandating these checks, it only makes sense that the state should be responsible for making it possible to perform these checks.
- Remind me again, why do people need government approved ids to access discord in the first place? Everyone in this thread is solutioning how we could make government ids work, but no one seems to be asking if that’s a good idea.
- Well, certainly not for linking all of your online activities with your real life identity of course, not sure where you got that idea from. It's to protect children. And of course, just in some very limited anti-terrorism cases...
- Because governments really want people to think about children with naughty stuff.
Gross.
(I'm not verifying anywhere unless required for official business. Still have my non-KYC sim for people)
- I've heard a politician explicitly request a real name policy on all internet platforms in Germany. Obviously the goal is always mass surveillance.
- Manufacturing consent at work
- hardware attestation webcams :) . in the dark future of the 2k there is only windows
- This is the right question. Who will benefits from blocking young people? Probably not the platform.
- If it was that easy, Face ID wouldn't be used
- you put a flickering light, pwm creating artifacts in the video and have it apologize for it, to hopefully break some watermarks. my led light started acting up since yesterday, i have no other bulb.
- Death Stranding 2 photo-mode works well for this.
- I did this with OBS Virtual Camera for a thing in Oregon and it worked.
- Apple is believed to be adding multispectral imaging to future generations of the iPhone. This and 3d mapping are more than enough to defeat the "point the camera at a high res screen" trick.
The issue is that age verifiers (like Discord) are not really trying.
- Actually, there are many ways. For example they change colors on your screen and check in real time how it reflects on your face, eyes, etc. Very hard for a model to be trained to respond this quickly to what's on the screen.
They also have you move your head in multiple directions.
- You could always generate a random face model with real time rendering with enough details to trick any AI detector (or even human) and then you can do real time animation to orders or screen light tricks. You could also simply use some face filter on your face and these ones are really convincing these days (like on Snapchat and such).
- Show me such a model.
It would be interesting to see a model completely indistinguishable from a real human in behavior, as well as real-time reflection off different surfaces, etc.
The next step would be to make a complete digital clone of a person based on surreptitiously recording them with hidden cameras. I doubt it's possible.
- The pieces are there. If you're not modifying everything in the image all the time, there's no reason to run it through a visual model. Generate it once (we have it), transform into textured 3d model (we have it), animate and map to movements with vtuber software (we have it). Adding screen colour reflection is trivial. We just need a pipeline for this.
We had facerig for over a decade now. Facefilter recently. It's not hard anymore.
- This is doable using high end stuff like Runway with a draft quality.
Your better bet would be to generate a face as an image and then you can easily generate that same face in different expected poses and conditions. You can then use existing models where you get to select the starting image and the ending image. Add some filters and noise to just make it look like normal crappy low light camera.
As for the color that's another expected condition and can be overlayed or pre-generated.
- You require a human to identity proof in real life and bind that to a digital identity with a strong authenticator. Anti fraud detection systems can suspend or ban if evasion attempts are detected. Perfect is not the target, it doesn’t have to be.
See: Login.gov (USPS offline proofing) and other national identity systems.
(digital identity is a component of my work)
- >You require a human to identity proof in real life and bind that to a digital identity
That's going to be a no from me, dawg. I'm sympathetic to ID checks like if you're buying beer or whatever, but not linking my real life identity to discord or whatever.
- You have to show ID to buy beer?
- If you aren't obviously adult then yeah. Where do you live so there are no laws on selling the alcohol to children?
- There are laws, but in many countries they are not strictly enforced. In Japan, buying beer in the self checkout lane will just give you an “are you over 20?” prompt, no verification: https://news.ycombinator.com/item?id=46227987
- Store doesn't get to photograph your ID, share it with 548 of their advertising partners, and leak it to 7 different hacker groups.
- Not my call, it’ll be the law of the land. Some may leave, but most won’t, and that’s good enough for corporate and enterprise value purposes.
Pornhub is fighting state age verification and keeps losing state by state, for example.
- Porn site fined £800,000 for not rolling out age checks - https://news.ycombinator.com/item?id=46990755 - February 2026
- Why should anyone inclined to want to buy beer have to show ID to do it?
- I don't know how it works where you live, but in many jurisdictions around the world (including the one I live in), you have to provide ID to prove that you're of drinking age.
- I don't know how this false equivalency keeps coming up on HN, but see https://news.ycombinator.com/item?id=46983668.
- Not sure what your point was, here in Australia they just look at it, they can't take a photocopy.
- Because you’re required to in all 50 states to prove you’re over 21.
- I don't think that's true? Rather, stores must not sell to anyone under 21. I'm almost 40 and rarely get carded these days.
- Which is by nature transient. There are many more and quite dangerous strings attached to doing this online. You never know if all parties involved in the verification are trustworthy.
- [dead]
- NOTE: The script is broken, DO NOT ATTEMPT TO USE THE SCRIPT NOW. Attempting to run it may get your account flagged stopping you from trying face verification either temporarily or permanently, forcing you to use your ID.
- Hm, when attempting it I get redirected to https://age-verifier.kibty.town/webview?url=null, which says:
{"error":"error parsing webview url"}
Edit: Apparently my discord account is in some kind of A/B feature test that uses a different verification provider, Persona
- Persona is the same company oftentimes used for the "show your ID to get in the bar and also we'll data harvest you... and share your data with various people if asked". Go ahead and google search on them for more insight.
- Hopefully your comment gets pushed to the top. Would like the security guys from the blog to see it.
- It only works because the other provider has a more private implementation compounded with bad security.
- Three problems with this:
1. Removes the pain of age verification, encouraging some people to stay in the proprietary walled garden when everyone would be better served by open platforms (and network effects).
2. Provides a pretext for more invasive age verification and identification, because "the privacy-respecting way is too easily circumvented".
3. Encourages people to run arbitrary code from a random Web site in connection with their accounts, which is bad practice, even if this one isn't malware and is fully secure.
- Proving that something is possible doesn't mean encouraging it. This was a beautiful work of reverse engineering, that shows how hard it can be to verify personal data without invading privacy. I prefer this awareness to blind trust.
The code was released, therefore it is not arbitrary (problem #3). Should companies react with more invasive techniques (problem #2), users can always move to other platforms (problem #1).
- >users can always move to other platforms (problem #1)
Until the cycle restarts again with new platforms.
Also, I am convinced self-hosting or getting a new platform (including return to traditional forums) to run might as well be bureaucratically harder at this point, given the case of lfgss' shutdown: https://news.ycombinator.com/item?id=42433044
- > everyone would be better served by open platforms
Oh cool, which ones?!
…aaaand there's the problem.
- This suggests that the immediate availability of a drop-in replacement today means there is no utility in encouraging that growth.
There are multiple open-source tools that do everything Discord does. There are few-to-none that offer everything Discord does, and certainly none that are centralized, network-effect-capture-ready.
Short term:
* Small group chats with known friends: Signal, whatsapp, IRC, Matrix
* Community chat: Zulip, Rocket.chat
* Community voice: Mumble, Teamspeak
* Video / screen sharing and voice chat: Zoom, BigBlueButton, Jitsi
I've heard about Stoat but haven't read up on it.
- If you want to host your own stoat server, you will also need to recompile the apps to use your URL and distribute them to your friends, and they will not be compatible for any other server.
- Yes, I learned in the Zulip promo discussion earlier this week that self-hosted push notification servers have to have certs compiled directly into the app. I can't tell if it's malice, indifference or incompetence to have that design; any answer is completely believable.
Is there an architectural opportunity to build a "Self-hosted push notification" app and business, where the push broker builds an app to deploy to play, then the self-hosted apps build trust with the broker. The broker app sends push notifications to the user device, which can inform them of the message sent and open arbitrary app windows?
- This topic comes up with firebase avoidance on degoogled phones. Have a look at unifiedpush.org and ntfy.sh
There's an implementation sample here: https://fluffy.chat/en/faq/#push_without_google_services
- None of those play in the same league as discord for hosting a community, and none of them look in a position to be there in the foreseeable future. It sucks but that's how it is.
- This is how it always is, until suddenly one day it isn't. Linux didn't play in the same league as serious and commercial UNIX systems until one fateful day it killed them all dead forever.
- > until suddenly one day it isn't
Thread OP here. This is exactly my point: today isn't that day. I need it to be.
Some future server that I can migrate my community to isn't useful.
- That was true for the Twitter alternatives too, and look how fast they grew.
- Well, it’s a clever idea. Discord seems to have intentionally softened its age-verification steps so it can tell regulators, “we’re doing something to protect children,” while still leaving enough wiggle room that technically savvy users can work around it.
But in practice, this only holds if regulators are either inattentive or satisfied with checkbox compliance. If a government is competent and motivated, this approach won’t hold up—and it may even antagonize regulators by looking like bad-faith compliance.
I’ve also heard that some governments are already pushing for much stricter age-verification protocols, precisely because people can bypass weaker checks—for example, by using a webcam with partial face covering to confuse ID/face matching. I can’t name specific vendors, but some providers are responding by deploying stronger liveness checks that are significantly harder to game. And many services are moving age verification into mobile apps, where simple JavaScript-based tricks are less likely to work.
- > Discord seems to have intentionally softened its age-verification steps so it can tell regulators, “we’re doing something to protect children,” while still leaving enough wiggle room that technically savvy users can work around it.
...source?
I sincerely doubt that Discord's lawyers advocated for age verification that was hackable by tech savvy users.
It seems more likely that they are trying to balance two things:
1. Age verification requirements
2. Not storing or sending photos of people's (children's) faces
Both of these are very important, legally, to protect the company. It is highly unlikely that anyone in Discord's leadership, let alone compliance, is advocating for backdoors (at least for us.)
- Usually in cases like this, there is no source, there can’t be. Long long ago, long enough to be past the statute of limitations, I was involved in a similar regulatory compliance situation. We specifically communicated in such a way that “actual effectiveness” wasn’t talked about, and we set that up with a single, verbal only and without recording, meeting between the team and one of the lawyers.
Point is, these kinds of schemes where internal communication is deliberately hobbled to comply maliciously with requirements while still being completely in the clear as far as any actual recorded evidence goes. And there’s always at least one person piping in with a naïve “source?” as if people would keep recorded evidence of their criminal conspiracies.
- Unless the governments come out with a first party national digital ID that can convey age of majority, they had better make themselves happy with a checkbox because nothing else is realistically possible.
- It does appear to work. I received a message from Discord saying "We determined you're in the adult group. <learn more>"
narrator> And that's when he discovers his account has now been hacked...
;)
- Worked for me as well. Hopefully my account of 11+ years isn't penalized because of this. Not like it matters because I'll quit anyways if forced to send my face or ID.
- You probably won't even have to validate then. I guess they can safely assume that you didn't create your account when you were 7 years or younger. They said they expect 80% of users or so to be auto-verified by some other means (account age, typing statistics, whatever)
- My account is almost a decade old and discord is still asking me to complete age verification.
- Are they rolling this out in stages? I haven't been asked to prove the age of my account.
- I'm in the UK (where the law allows them to use heuristics).
- So VPN to the UK?
- What?
- Lots of websites assume you are located in the country where your IP address is, and thus apply the rules for that country. So perhaps if someone wanted to use heuristics instead of uploading an ID, they could pretend to be in the UK by using a VPN.
- Legislatively, the UK is among the stricter regimes wrt online age verification. It's a place you want to be VPNing out of. Discord is apparently rolling this out worldwide out of their own free will, not due to legislative pressures.
- >not due to legislative pressures
It's a pre-emptive move against any (potential) legislative pressures.
- maybe it's different per country shrug
- Unfortunately I wouldn’t be so sure that there aren’t any 7 year old Discord users
- 7 year olds with a credit card?
- Wonderful. Hopefully I'm not retroactively banned for things I said when I was fourteen on servers long gone.
- This isn't as fun as using the g-man from half life to verify
- i changed the password later just to be sure.
- Highly recommend wrapping the code to drop into the console in a immediately-invoked function expression; as it stands, it doesn't work in macOS Safari without an IIFE because top-level await is not supported in any version of Safari yet https://caniuse.com/wf-top-level-await.
- Why bother supporting Safari when they aren't interested in supporting the modern web? They're five years behind.
- In a way I agree with you; but practically 100% of iOS/iPad users are forced to use Safari. Plus, it's nice to have a browser engine that's not Chromium.
- If that browser engine is safari, I have to seriously question the validity of that final sentence.
The fact that safari refuses to support modern features and is forced on ios devices makes it even worse.
- I don't understand why (mostly) young people put so much effort into remaining customers of a service that is actively hostile against them and that they do not like. Does the convenience of remaining on a service you don't like the management of outweigh the mild effort to find an alternative solution?
- > the mild effort to find an alternative solution?
Calling it a "mild effort" assumes skills that older generations took for granted but many young people seem to have been actively trained out of. We're past the era where I take for granted that aspiring programmers need to have the basics of a terminal or shell explained to them, into one where they might need an explanation for the basics of a file system and paths. I wouldn't be surprised to hear that hardly any of them could touch-type, either. (I wonder what the speed record is for cell phone text input...)
Yes, they can query a search engine (kind of) or, I guess nowadays, ask ChatGPT. But there's going to be more to setting up an alternative than that. And they need to have the idea that an alternative might exist. (After all, they're asking ChatGPT, not some alternative offering from a company that provides alternatives to Google services....)
- I don't think it's beyond their comprehension to ask: "how can I have a chat system that I personally control?" The rest will be taken care of.
Look at the Amnezia VPN. It's an app that helps you buy a VPS from a range of cloud provides, then sets it up, completely from the phone, as an exit node under user control.
I don't see why a chat server cannot be set up and managed this way. It only takes one dedicated developer to produce.
- Even considering that one can personally control their own chat service is already a pretty big leap in technical knowledge. Many, many average users don't even know that's an option, nevermind how it's even done.
- >The rest will be taken care of.
by a system with a incentive to keep them in centralized black boxes, yes.
>The rest will be taken care of.
It's never the tech hat's hard, but the networks. If people were able to just jump on a whim a lot of dynamics of modern corruption would fall apart.
- Now we're having an event when networks would be shedding kids en masse, all at approximately the same time. It the best possible time for switching, when clinging to the old discord / snapchat / other centralized blackbox becomes hard or impossible.
- You’re ignoring the obvious reason, aside from the network effect: there are no alternative solutions. Some people are building Discord alternatives but they are far from production-ready, often lacking critical features (e.g. Matrix not being able to delete rooms, or still having trouble with decrypting messages). It is simply the case at this point in time that Discord is factually the least bad option for many many use cases.
- > I don't understand why (mostly) young people put so much effort into remaining customers of a service that is actively hostile against them
The Network Effect.
That's it. Their friends are there so they're there.
- I don't control most of the discord communities I'm in. Some have been going a long time, and every platform migration sheds and shreds members. The 'mild effort' to move an old community to a new platform more often than not killed the community
- > and every platform migration sheds and shreds members.
What's the problem? You're filtering out people who don't really care about participation in whatever group or society is there. People who want to participate will move to an acceptable service and those who feel that is too much effort probably weren't participating much (if at all) anyway - in that case the only difference is the visible list of people with accounts going down, not the actual "users".
- The people will just recreate the same community on the same platform without you as the owner. They don’t care about you running it.
It’s also a futile effort since age checks for adult content is becoming the law around the world so soon any platform you move to will have the same checks.
- In most cases, I would like to speak with those people and would miss them if I lost regular contact because they didn't want to change platforms.
Most people just care about being able to talk to each other, not their devotion to some "group or society".
- I disagree with this sentiment. It is entirely possible that there will be people who are regulars on one platform who are just unable (actually unable or perceives themselves unable) to migrate and the morale lost from losing their regulars is huge. Or a subset who insist on staying, forming their own sub-community, and neither the migrating group nor the people who insist on staying produce enough engagement for the members and so the community as a whole fizzles out. This is all squishiness. There is a reason why deplatforming appears to work in reducing the effectiveness of political groups, even if the people who remain in the community post-deplatforming are hardened in their loyalty to the political policy of the group.
- >You're filtering out people who don't really care about participation in whatever group or society is there.
You underestimate how many people would rather do nothing than be inconvenienced, sadly. If you're not the personality that the community is rotating around, you'll find the migration pretty lonely.
Heck, even esablished personalities can only do so much. Remember that Microsoft paid top Twitch streamers 10s of milllions to move to Mixer for exclusive streaming. Even that wasn't enough to give a leg up.
- Why do middle aged people still use Facebook marketplace rather than another platform? Because even if you put in the effort to use something different, you’ll be the only one there.
The effort to coordinate everyone to move at the same time is bordering on impossible.
- First mover advantage with network effects
- I'm the first and only one of my friend group on my IRC server. It's an elite claim, I know.
- Because being principled damages your social opportunities. Trust me. I resisted Instagram for years. When I finally gave in I instantly had access to more events, was able to connect with more people, felt less excluded. I realised all that I had missed out on.
I don't think asking people to abandon a platform works. We need to fight for open protocols.
- Most people don’t really care that their privacy is violated, at least not any more than a superficial “oh well it’s obvious they’re doing that, but what can you do about it!”, no point switching platform if there’s no one there to talk to.
- The network effect as seen in the other comments plays a big part, but also discord offers a useful service that really nobody else does well. there's a lot wrong with it but you can still create a community in a few clicks and you have text messages, photos, videos, gifs, voice chats, screenshare, a comprehensive permission/role system, tons of bots.. all for free and without needing to be too tech savvy, that's pretty damn cool.
- No other chat platform has as many seamless features and such a big userbase. The friction of verifying the identity for a random person that doesn't care about privacy is not really a big deal compared to the downgrade that migrating to another platform would be.
- Network effects apply but also there is no equivalent service that combines all of the salient functionality of discord.
- I think for a lot of people (me included) Discord isn't just a chat service like WhatsApp but more of a "home base" where you can hang out with all your friends, make new friends, share media, chat, play games together, stream games to each other, etc.
In the gaming sphere it's so universally used that all the friends you've ever made while gaming are on it, as well as all your chat history, and the entire history of whatever server you met them on. And if you want to make new friends, say to play a particular game, it's incredibly easy to find the official game server and start talking to people and forming lobbies with them.
My main friend group in particular has a server that we've had running since we were teenagers (all in our mid-20s now) which is a central place for all of the conversations we've ever had, all of the pictures we've ever sent each other, all the videos we've ever shared, and so on. That's something I search back through frequently looking for stuff we talked about years ago.
So I'm not saying it's impossible to move, but understand that it would require:
- Intentionally separating from the entire gaming sphere, making it so, so much harder to make new friends or talk to people. - Getting every single one of your friends that you play games with to agree to downloading and signing up for this new service (in my case that would be approx. a dozen people) - Accepting that this huge repository of history will be wiped out when moving to the new service (I suppose you could always log back in and scroll through it, but it's at least _harder_ to access, and is separated from all your new history)
On top of this, every time I've looked for capable alternatives to Discord I've come up empty-handed. Nothing else, as far as I can tell supports free servers, the ability to be in multiple servers, text chat divided into separate channels, optional threaded communication, voice chat joinable at any time with customizable audio setup (voice gate, push-to-talk, etc), game streaming from the voice chat at any time, and some "friend" system so that DMs and private calls can be made with each other. And even if I found one, then again I can't express enough that in the gaming sphere effectively _zero_ people use it or even know what it is.
Anyways, I'm not saying that nothing could make me abandon Discord, I'm just saying that doing so is a tremendous effort, and the result at the end will be a significantly worse online social life. So not a mild inconvienence.
- >Accepting that this huge repository of history will be wiped out when moving to the new service (I suppose you could always log back in and scroll through it, but it's at least harder to access, and is separated from all your new history)
This is true, but one needs to regularly back this up elsewhere if you care about it. If you're not in control of it, it can go away in an instant; Discord could one day decide to ban your server or anything else, and then it's gone.
- When I was a kid, we'd host the pics we want to post on forums on geocities and rename the file extensions to .txt to get past its "no hotlinking images" policy. So it's not like much has changed.
There are a lot of barriers between kids and better solutions, one of which is that anything needs a domain and a server, and that means a credit card.
- Because they are used to follow limitations since the day they were born, and have all the time in the world
- > remaining customers of a service that is actively hostile against them and that they do not like
And yet here we all are, still in an uproar every time GitHub goes down. Change is slow, we can't all leave GitHub in a day. Same with Discord users.
- I think the Discord situation is a bit different.
Getting everyone to switch away from Discord has been hard because getting everyone to spontaneously switch with no clear benefit hasn't worked. They want to just keep using the app and get back into a game with their friend.
It's different to lock a door and task users with getting the key to come back in. This is more similar to an MMORPG that kills their audience because they cause the core group to stop playing and then all of the other players experiences get worse, which causes a downward trend that avalanches.
- > getting everyone to spontaneously switch with no clear benefit hasn't worked
Somehow Discord pulled it off. It really didn't have much of an edge over the other chat apps at launch, just was slightly easier to use because it was simpler. A new site launching now could easily have that over Discord.
- You're ignoring the massive edge it had over TeamSpeak and Mumble. Back when Discord was launched, it was significantly better than its competitors and the cherry on top was that you didn't have to install anything or host your own server, just make an account.
- It also competed with Skype at the time which was one of the closest comparisons, but it had just been purchased by Microsoft and was being killed.
- I'm more than ready to leave if push really comes to shove. Wouldn't be the first time.
From experience, I know if I leave that few of my friends will follow. So I understand the resistance.
- I mean, it's called a social network
- >remaining customers of a service that is actively hostile against them
because that's not how they view it. For most Gen Z users and younger their digital identity already is their identity and they have no problem verifying it because the idea of being anonymous on a social network defeats the purpose of being there in the first place.
- Universalising any group is dangerous, but this isn't true for even the least informed young people I know.
They grew up being watched. They know what these data harvesting operations are and how dangerous this is. They've got front row seats to the dystopia. The difference is that they can't / couldn't do anything about it.
They think the world is broken and that you broke it. They're pissed off. And powerless. Not a good combination
Even McKinsey is now reporting on it,
https://www.mckinsey.com/~/media/mckinsey/email/genz/2023/01...Some Gen Zers push back on a lack of privacy, creating online subcultures that fantasize about anonymity: the pastoral “cottagecore” aesthetic, inspired by tiny cabins and homegrown greens, was one of Gen Z’s first major trends. Some opt out; the New York Times recently reported on a group of self-described Luddite teens who found community by kicking smart devices in favor of the humble flip phone. Even if you don’t go that far, many young people are veering away from “everyone knows everything” social media to curate a close group of friends and carefully monitor how much they put online.- sorry but the source for the wave of discontent is... a new york times op-ed on kids with flip phones? How many of them are there? I think universalizing is appropriate because unlike previous generations there isn't even a meaningful counter-culture. Even the luddites in all likelihood get more traction as a story on Instagram than the actual thing, where do you think they go to get their cottage core fix? I haven't seen a resurgence in self-hosted blogs. The sentence "cottage core is a major trend" is in itself hilarious. Where was it trending?
Looking at the numbers that TikTok or Meta are doing I think you can unequivocally say that the vast majority of young people do not care, at all, the 'luddite teen' is the digital version of, and about as real, as the Gen Z 'trad wife'.
If you're going to a CCC event you're much more likely to see resistance in the form of someone like Cory Doctorow, an actually angry middle aged guy who to my knowledge has not converted to flip phone cottage core to stick it to the man.
- > How many of them are there?
Indeed, this reads as a case of somebody forgetting that the news doesn't report what's absolutely normal to everybody. It reports what's unusual. (Plus all the articles that misrepresent people's opinions either deliberately for clicks, or accidentally through lack of understanding, sometimes due to being given a quota of articles to rush out per day.)
Perhaps the universalizing mistake is going a little bit in both directions here.
There's a huge current trend where people love to tar an entire generation with the same brush. When a person a generation or more removed (in either direction) says something we personally disagree with, it's become the norm to put down that entire generation as though they share the same viewpoint. It's a very unfortunate trend IMO because it often comes across as arrogant and/or patronising.
- If they are removing themselves from the places you would normally look for people, how do you plan to find them? Why would they go anywhere you are going? They don't want to hang out with angry middle aged guys.
- On Discord, I got the captcha, but then after it redirected, I got a page saying:
I'm very much an adult, this whole thing is ridiculous. Ban me, I don't care.{"error":"failed to execute k-id privately action (status=404)"}- I got this, but then refreshing that page made it work for me
- The text with the code shows another step.
- I tried it a couple more times, and it worked on the third try and showed me the green successfully verified message.
- I suspected something along these lines was possible when I looked at this provider a couple months ago.
If I recall, I had a fairly decent view of their various checks because it was delivered completely unminified, including a couple amusing sections and unimplemented features. (A gesture detector with the middle finger gesture in the enumerable commented out, for example...)
Another attack vector that I speculated upon was intercepting and replacing their tflite model with ones own, returning whatever results required.
Additionally, I believe they had a check for virtual camera names in place, as checks would quietly fail with a generic message in the interface, but show the reason as being virtual camera within responses. (Camera names are mutable though, so...)
- the cat-and-mouse game of digital age verification is such a massive compliance headache. if these guards are this easy to bypass the platforms are basically just checking a box to satisfy regulators while leaving the actual liability wide open. it’s hard to underwrite trust when the verification layer is this brittle.
- There is a way to do this, where nearly everyone is fine.[0]
However, the orgs don’t get to capture verified adult user identity to pad the value of their user data profiles…
[0] https://blog.google/company-news/inside-google/around-the-gl...
- It seems unlikely that "is user adult" is not already easily modeled by any of these companies to within a very high degree of confidence. Even 15 or 20 years ago Google search could bracket your age pretty effectively. It doesn't seem like this adds metadata that wasn't already there.
- Google prompts me to verify my age on my account I created in 2004. They’re not trying too hard.
- If they admit this, they wouldn't be able to advertise to children anymore without breaking many rules.
- Except that in the legal sense, "is user adult" flips from false to true overnight, and there isn't an easy way to account for that in any model that doesn't include verified ID. Same reason many liquor stores ID anyone who looks younger than 40.
- I prefer if it's pretty easy to bypass, if it's going to be law at all. My favourite example of this so far is how bluesky handles it.
https://gist.github.com/mary-ext/6e27b24a83838202908808ad528...
The official app/client is 100% legally compliant in its unmodified state. But doing something like using another client, having your PDS say you're age verified, or using a ublock origin rule to change where the geolocation API thinks you are completely sidestep it.
- It was never going to be perfect. I suspect the goal with things like these is to add additional friction to the process, to make it much harder for the general population to bypass them.
- As always, motivated minors will trivially bypass things.
Only annoyed adults, who don't see the point in pursuing a bypass, will supply their actual ID, which is what will eventually get breached in the inevitable yet-another-breach.
These schemes only place the honest at risk.
- Worth noting when you open up the developer tools console in discord (facebook and some other sites do it too), you get a regular message printed with "If someone told you to copy/paste something here, there’s an 11/10 chance you’re being scammed." and then "Pasting anything in here could give attackers access to your Discord account." in bold+red text. It used to also mention "free nitro" as an example of a scam you may be falling for.
I've heard, but haven't confirmed, they also detect you opening developer tools using various methods and remove your auth keys from localstorage while you have it open to make account takeovers harder. (but not impossible)
Opening the browser console in a separate window mitigates some of that detection.
- Yes, Google does this, and it is infurriating.
Every time I open the dev tools on Safari (to reverse-engineer some random broken website that doesn't let me do what I need to and forces me to write yet another Python script using Beautifulsoup4), Google logs me out of all of my accounts.
To add insult to injury, Google's auth management is so broken that if I log in to the "wrong" account first by accident (E.G. when joining a work meeting from Calendar.app), that account now becomes primary for Google Search / Youtube, and there's no way to change that without logging back out from all accounts and then logging into them again.
- > I've heard, but haven't confirmed, they also detect you opening developer tools using various methods and remove your auth keys from localstorage while you have it open to make account takeovers harder. (but not impossible)
You can open the network tab, click an API requesst, and copy the token from the Authorization header.
- >I've heard, but haven't confirmed, they also detect you opening developer tools using various methods and remove your auth keys from localstorage while you have it open to make account takeovers harder. (but not impossible)
No, they just keep moving it between updates. It's still there. It just gets harder to extract.
- Looks like it may already have been patched, it's not working for me.
Seems I'm not the only one either: https://github.com/xyzeva/k-id-age-verifier/issues/7
- The reaction to Discord age verification fiasco once again makes me believe that HN users just don’t have friends.
There is no alternative for Discord for bigger groups.
If there was, I still couldn’t move multiple social circles to it, no matter how much I evangelised.
The “just don’t use the less morally aligned platform” argument has always been valid only for those without a strong need for it, whether it’s X or Discord.
- > The reaction to Discord age verification fiasco once again makes me believe that HN users just don’t have friends. There is no alternative for Discord
Are you saying that people who don't talk to their friends over Discord don't have friends?
Is that a statement you genuinely find reasonable?
- They're saying people with friends generally don't have access to them all on one single alternative platform, like they might with Discord.
- Well, someone has to start. It's ok if you use the alternative with a subset of your contacts.
- It has to overcome some critical mass, i.e. political inertia.
- Using whatever platform you prefer with a subset of people is fine and doable, but you're lying to yourself if you think that it is the "start" of anything.
- Telegram, WhatsApp, Signal? I have friends and I don't use Discord or understand why I would want to use it.
- I mostly use Telegram with my friends circle. You can have groups with individual topics. But we don't do group calls. I don't really see the appeal of group calls unless you are a gamer maybe. If I want to talk to them, I go meet them.
Signal for direct messaging and calls
- > HN users just don’t have friends.
So once you have friends all connected parties requires to install Discords. How does that work?
Are your parents friendless, do they use Discord?
- Self hosted TeamSpeak for communication & gaming and a signal group for chatting.
- [dead]
- I do not believe in the necessity of identity verification
- The governments making laws which mandate it feel otherwise.
- No law mandates Discord impose this globally.
To be clear - this is a wholly discretionary act on their part to implement this in jurisdictions that have no such legal requirement.
- They are doing this pre-emptively since it will be the global law trend sooner or later.
- That's not for Discord or you to decide nor is that guaranteed!
- Yeah, the decision to do it pre-emptively obviously is discord’s to make. How could it be otherwise?
- I meant mandatory age verification becoming "global law" is not for Discord to decide.
- Guess we'll have to change the laws.. or the government.
- Wow that was a fun read, I never thought about the technical implementation of these verification systems.
- Tangentially, it's kind of weird how most of the sites' systems to verify your age try to get you to do it on a phone.
I've never used twitter on a phone, yet that's the only official way to go through the age verification process. Youtube too.
I attempted to get through the youtube one on a new account to see an age-gated video, but couldn't finish the process and gave up. At the time, I remember thinking it would be easier for me to buy an age verified google account from someone.
- My theory is that the vast majority of users won't have an Android with root access/a jailbroken iPhone, which reduces the risk of using a virtual camera? Then they can just block emulators/rooted/jailbroken devices which increases the barrier to entry.
- I pray the status quo is good enough for legal requirements and the hacks like these don't mean the end of on-device verification (or the requirement of chain of trust from boot)
- Recent and related:
Discord will require a face scan or ID for full access next month - https://news.ycombinator.com/item?id=46945663 - Feb 2026 (1999 comments)
Discord Alternatives, Ranked - https://news.ycombinator.com/item?id=46949564 - Feb 2026 (456 comments)
Discord faces backlash over age checks after data breach exposed 70k IDs - https://news.ycombinator.com/item?id=46951999 - Feb 2026 (21 comments)
- I hope that Discord, Twitch and Snapchat will die soon after introducing verification of adult persons. I hope it will be replace by more open and privacy respecting services.
- Your browser is not currently supported. Please use a recommended browser or learn more here.
Apparently Twitch doesn't like Mozilla Firefox...
- This project is something that we would want to archive pretty quickly. I can see those service being upset over that being exposed.
- You're assuming discord or twitch actually care. I doubt they actually do. It's there to preempt the regulatory hammer, and the presence of clunky workarounds like this doesn't affect it if it doesn't reach the mainstream. If it does, they can just patch it.
- the hammer of the gov't works slowly, but such bypasses will eventually be worked around - it doesn't matter if twitch/discord/etc actually care or not, because their care is irrelevant.
> the presence of clunky workarounds like this doesn't affect it if it doesn't reach the mainstream.
i suspect that mainstream would eventually find it - like how VPNs suddenly became very popular in the UK.
- This is an abhorrent threat to the safety of our children and just another example of how the [Red / Blue]* party are failing in online safety.
That is why we, the [Blue / Red] party are announcing today a manifesto pledge to outlaw all computers that allow unsigned booting of unauthorized platforms, to outlaw all browsers that do not participate in the chain of trust this provides, and to outlaw all websites that do not verify the code path from boot to browser.
Only with complete trust and authorization will we be able to sleep safe in the knowledge our children’s faces are being scanned by law abiding patriots and not subverted by evil hackers like xyzeva and Dziurwa.
— General Secretary gorgoiler
.. .. ..
*What do you do, btw, if you extend your political machine into another country by subsuming their party into yours, but when their colour is traditionally X and yours is traditionally Y? Mixed light: the White party? Mixed paint: the Brown party?
- It worked for me (I got the green success message) however I did not get a confirmation DM from the "official Discord account" like others said they did.
Anyone got a clue what that means?
- Doesn't appear to be working, at least for UK purposes. Tool claimed to have worked, I dropped my VPN and my account is not age verified.
- Why people act like this never has been implemented like the gigs and financial apps already validate indetity
- It's slightly different to access your bank account vs chatting with your friends.
- Alright, how long until they patch this? Anyone takin' bets?
- Sounds like it may already have been[1].
Edit: might only be a minor API call issue[2]
- UK user here, it still shows my account as Unverified after running :(
- Check the issues/PRs on their github.
- Never trust user input wins again... on one hand, discord never sees your picture, on the other, you get this. :)
- That worked for me. Got a response on desktop discord client once it was done. Wonder how long before they lock this down.
- With the way things are going, just go back to email.
CC everyone.
- Any chance this can be used to token-log people's accounts?
- It looks like only k-id's session token is transmitted back to the site, which can't be used to authenticate to Discord.
You can also self-host the backend from https://github.com/xyzeva/k-id-age-verifier.
- According to discord, there's an 11/10 chance you're being scammed by doing this.
- The implementation doesn't matter. Current options for bypassing it don't matter. The nature of the content being blocked doesn't matter.
The root problem is that Discord is asking users for their real identity in exchange for accessing social media content. That is a line that simply should not be crossed.
They can change the implementation later. They can make it harder to bypass. They can identify users who bypassed it and start them over from square one. They can change what type of content is blocked. They can alter the deal, but users cannot take back their identity once it is handed over.
Discord has become a platform that is outwardly adversarial to its users. Don't try to fight it. Don't keep investing in a platform that's actively hostile to you. Cut your losses now and find something else.
- > doesn't store or send your face to the server. instead, it sends a bunch of metadata about your face
we really need to teach people to stop being fooled by this, a "bunch of metadata" is often enough to fully reconstruct a face
- too late: I have already deleted my Discord account; Twitch is also going to enforce this? hmmm...
- if you don't actively use discord, then this is probably the best solution, I agree
- The comments so far assume that Discord / Twitch / Snapchat don't care as entities that people will start bypassing their age verification systems. I believe the rank-and-file think that's the case. I think even the engineers and PMs think that's the case. But that's not the game.
There are many ways in which such a system could be implemented. They could have asked people to use a credit card. Adult entertainment services have been using this as a way to do tacit age verification for a very long time now. Or, they could have made a new zero-knowledge proof system. Or, ideally, they could have told the authorities to get bent.
Tech is hardly the first industry to face significant (justifiable or unjustifiable) government backlash. I am hesitant to use them as examples as they're a net harm, whereas this is about preventing a societal net harm, but the fossil fuel and tobacco industries fought their governments for decades and straight up changed the political system to suit them.
FAANG are richer than they ever were. Even Discord can raise more and deploy more capital than most of the tobacco industry at the time. It's also a righteous cause. A cause most people can get behind (see: privacy as a selling point for Apple and the backlash to Ring). But they're not fighting this. They're leaning into it.
Let's take a look at what they're asking from people for a second, the face scan,
Their specific ask is to try and get depth data by moving the phone back and forth. This is not just "take a selfie" – they're getting the user to move the device laterally to extract facial structure. The "face scan" (how is that defined??) never leaves the device, but that doesn't mean the biometric data isn't extracted and sent to their third-party supplier, k-Id. From the article,If you choose Facial Age Estimation, you’ll be prompted to record a short video selfie of your face. The Facial Age Estimation technology runs entirely on your device in real time when you are performing the verification. That means that facial scans never leave your device, and Discord and vendors never receive it. We only get your age group.
The author assumes that "this [approach] is good for your privacy." It's not. If you give me the depth data for a face, you've given me the fingerprint for that face. A machine doesn't need pictures; "a bunch of metadata" will do just fine.k-id, the age verification provider discord uses doesn't store or send your face to the server. instead, it sends a bunch of metadata about your face and general process details.Discord is also doing profiling along vectors (presumably behavioral and demographic features) which the author describes as,
Discord plugs into games and allows people to share what they're doing with their friends. For example, Discord can automatically share which song a user is listening on Spotify with their friends (who can join in), the game they're playing, whether they're streaming on Twitch etc. In general, Discord seems to have fairly reliable data about the other applications the user is running. Discord also has data about your voice (which they say they may store) and now your face.after some trial and error, we narrowed the checked part to the prediction arrays, which are outputs, primaryOutputs and raws. turns out, both outputs and primaryOutputs are generated from raws. basically, the raw numbers are mapped to age outputs, and then the outliers get removed with z-score (once for primaryOutputs and twice for outputs).Is some or all of this data being turned into features that are being fed to this third-party k-ID? https://www.k-id.com/
https://www.forbes.com/sites/mattgardner1/2024/06/25/k-id-cl...
https://www.techinasia.com/a16z-lightspeed-bet-singapore-par...
k-ID is (at first glance) extracting fairly similar data from Snapchat, Twitch etc. With ID documents added into the mix, this certainly seems like a very interesting global profiling dataset backstopped with government documentation as ground truth. :)
- Worked, hopefully Discord will retroactively discover this and ban my account.
- Is this not easily patched by the provider encrypting and signing the whole payload? I would have thought that would be table stakes for an identity provider.
- The identity provider is on-device and has to run on phones which don't do hardware attestation.
- That’s only for selfies. If they use and id I’m pretty sure it is getting sent to a k-id server.
- That was fast.
- Age verification itself isn't such a bad thing. I feel most people are more angry about having to verify their actual identity. Every ad provider knows your address and complete identity every time you log into anything though. I guess its the illusion of anonymity that's so popular.
- Age verification is an excuse for identity checking.
- Horseshit.
There's often a degree of uncertainty with the data advertisers have. This would heavily reduce that uncertainty and enable worse behavior on the part of advertisers.
- Neat that this exists, but priming children to copy/paste random JavaScript into their Dev consoles feels like a recipe for disaster. Bets on how long before malware starts buying up "discord age verification bypass" ad spots?
- [dead]
- [dead]
- [dead]
- [dead]
918 points by JustSkyfall 23 hours ago | 435 comments