But FWIW VPNs can get flagged for suspicious behavior. YMMV
I use a VPN 24/7 on one machine. Zero issues even with banking, although sometimes I have to answer CAPTCHAs.
Some examples: Imgur loads but does not display any content. USPS's website does not load.
You'd get different answers if, for instance, you ask "do you want to have to show ID or submit a picture of your face in order to access many sites on the Internet".
They could, sadly, however, make it a crime to bypass things like The Online Safety Bill. Downloading or using Tor, for example.
At that point, the only sane option is to become a criminal.
> For example, in 2025, Wisconsin lawmakers escalated their war on privacy by targeting VPNs in the name of “protecting children” in A.B. 105/S.B. 130. It’s an age verification bill that requires all websites distributing material that could conceivably be deemed “sexual content” to both implement an age verification system and also to block the access of users connected via VPN. Another proposed Michigan bill requires “An internet service provider providing internet service in this state [to] actively monitor and block known circumvention tools.” Circumvention tools being: VPNs.
https://www.eff.org/pages/vpns-are-not-solution-age-gating-m...
When that day comes I'll stop casually using the internet or search for the underground alternative.
I don't want to google it because I don't want to be put on a list but I also feel somewhat confident that this is being done. Apparently, HN feels safe to ask questions like that for me.
Actually, a follow up. PII leaks are so common, I guess there must be millions of identities out there up for grabs. This makes me wonder: we’ve got various jurisdictions where sites are legally required to verify the age of users. And everybody (including the people running these sites) knows that tons of identities are out there on the internet waiting to be used.
How does a site do due diligence in this context? I guess just asking for a scan of somebody’s easily fabricated ID shouldn’t be sufficient legal cover…
That's why some of them don't even ask for ID but just guess the age based on appearance. That's good enough per the law, usually.
Ironically there was no way to report the image anonymously to the service hosting it.
Of all the controversial things out there we've become afraid to even google in order to learn more about the world around us, this one strikes me as not all that controversial.
But you're not wrong, just making a comment about how sad the world has become.
You might think about using something like the Tor Browser for anonymous web surfing:
https://www.torproject.org/download/
...If you are worried about getting on a list by downloading the Tor browser, then take a trip to the next-town-over public library and download it from there. I guess your ISP could still guess that you were using Tor, and you might end up on a list of people using Tor. Also: If everyone is on the list, then no one is on the list.
This has been proven false a bunch of times, at least if the 1000s of people complaining online about it are to be believed. My google account is definitely old enough to vote, but I get the verification popup all the time on YouTube.
I think the truth is, they just want your face. The financial incentive is to get as much data as possible so they can hand it to 3rd parties. I don't believe for a second that these social networks aren't selling both the data and the meta data.
Note that this is adults letting kids use their accounts to view kids content, as the issue was parental approval for ad tracking.
Agreed. They treat people as data points and cash cows. This is also one reason why I think Google needs to be disbanded completely. And the laws need to be returned back to The People; right now Trump is just the ultimate Mr. Corporation guy ever. Lo and behold, ICE reminds us of a certain merc-like group in a world war (and remember what Mussolini said about fascism: "Fascism should more appropriately be called Corporatism because it is a merger of state and corporate power." - of course in italian, but I don't know the italian sentence, only the english translation)
Anything you can image that is bad with privacy, figure what is occurring is far worse.
Sell it and use it internally.
Ed Snowden revealed that these companies share their data with the US government:
https://www.theguardian.com/world/2013/jun/06/us-tech-giants...
also, even you think about using it "their own uses" - much of that is scrutinizing you to make you better susceptible to ads and other solicitations by their paying clients. I mean, people are not the clients of Google and Meta - they're the raw material.
http://blog.tyrannyofthemouse.com/2021/04/leaked-google-init...
Edit:
>I think the truth is, they just want your face.
I just realized the parody also predicted that part (emphasis added):
>>In cases where our tracking cookies and other behavioral metrics can't confidently predict who someone is, we will prompt the user for additional information, increasing the number of security checkpoints to confirm who the user really is. For example, you might need to turn on your webcam or upload your operating system's recent logs to give a fuller picture.
[1] https://security.googleblog.com/2014/12/are-you-robot-introd...
else you and your money go elsewhere.
1. they need additional security measures to avoid leaking government documents (leaking face photos doesn't hurt them as much) 2. not every person has a valid government document 3. additional customer support staff to verify the age on documents rather than just using some fuzzy machine learning model with "good enough" accuracy.
The bottom line is that companies are lazy and will do the easiest thing to comply with regulations that don't hurt them.
It happened right after ElsaGate, so they probably went overboard to cover for the weird shit happening on their platform. YouTube is full of pedo farms and weird porn if you know where to look for it, so they need something to point at so they can shout "look, we tried!"
What a total joke. These companies need to stop normalizing the sharing of personal private photos. It's literally the opposite direction from good Internet hygiene, especially for kids!
If the million reports of Mark Zuckerberg enabling pedophiles and scam artists haven't made it clear, the executives of these tech companies just don't care. They will sell children into sexual slavery if it improves next quarter's numbers.
We need to push back against governments that try and restrict the freedom of the internet and educate them on better regulations. Why can sites not dictate the content they provide, then let device providers provide optional parental controls.
Governments forcing companies to upload your passport/ID, upload pictures/videos of your face, is dangerous and we are going to see a huge increase of fraud and privacy breaches, all while reducing our freedoms and rights online.
When you create a new profile on Netflix you mark it as "kids" and voila. Devices should have kid profiles with lots of sane defaults. The parent profiles have a thorough monitoring and governance features that are dead simple to use.
As always it's not perfect but it will go a long way. Just getting a majority of parents on sane defaults will help unknot the broader coordination problems.
That is never going to happen it seems, as -- in the UK at least -- people go crazy whenever it is mentioned. Despite "the government" having the ability to track whatever they wanted already, should they care to.
Age gating discussions always devolve into some fantasy land were people are arguing for children to have access to porn and other inappropriate material, and happily construct some straw man where age gates lead to censorship for everyone.
If your government wanted to censor the internet they can do it without age gates. As a parent I am happy to have society agree on some basic rules around what children can do online, as there are rules on what children can do in the real world.
Yes, I know all the come back arguments about how it is my responsibility as a parent. Don't worry, I will be responsible for what my children do online when they are older. But in the end a society raises children, and society should agree a limit on what children can be exposed to online.
I truly fear the harm that will be done before legislators realize what they’ve created. One only hopes that this prevents the EU and US from doing something similar.
You can work through robustness issues like the one you bring up (photo uploading may not be a good method), we can discuss privacy trade-offs like adults without pretending this is the first time we legitimately need to make a privacy-functionality or privacy-societal need trade-off, etc. Heck, you can come up with various methods where not much privacy needs trading off, something pseudonymous and/or cryptographic and/or legislated OS-level device flags checked on signup and login.
But it makes no sense to jump to the minutiae without addressing the fundamental question.
Then require all nudity to be on a .edu, .art or .xxx, problem mostly solved.
Who's doing the requiring here? Sounds like yet another path to censorship dystopia.
edit: .edu provides for educational content, .art for artistic expression, .xxx for explicit content.
Combined with some blacklisted apps (e.g., all other browsers), this would be a passable opt-in solution. I'm sure there's either a subscription or a small incentive for someone to build this that hopefully isn't "Scam children".
It's not like kids are using PCs, and if they use someone else's phone, that's at least a severely limiting factor.
Allow -> opt in
And a techie customizing it is v. different than turnkey for parents.
But yeah! Same principle, that's why I'm sure it's been done / will be done.
As a parent that regularly fears who my children will encounter in the world, I’m glad there’s an “if” at the beginning of this sentence.
I have no problem with my kids watching a couple progress from kissing to foreplay to passion, if those kids already have the hormonal desires to experience these acts. But contemporary websites teach that violence is an integral part of sex - and I do not want my children learning this.
This is only an interesting question if we can prevent it. We couldn't prevent minors from smoking, and that was in a world where you had to physically walk into a store to buy cigarettes. The internet is even more anonymous, remote-controlled, and wild-west. What makes us think we can actually effectively age gate the Internet, where even Nobody Knows You're A Dog (1993)[1].
1: https://en.wikipedia.org/wiki/On_the_Internet,_nobody_knows_...
Smoking rates among minors have plummeted and continue to decline.
That's not really a good example because the war on underage smoking has been a resounding success.
Yeah we didn't stop every single minor everywhere from ever smoking at any time, but the decline was dramatic.
This is the right way to reduce childhood social media use: Make it socially disgusting, and make it widely known to be dangerous.
https://news.ycombinator.com/item?id=46447282 That should be good enough for anyone, unless their real motive is to force everyone to upload their IDs.
I suspect if you ask Hacker News commenters if we should put up any obstacles to accessing social media sites for anyone, a lot of people will tell you yes. The details don't matter. Bashing "social media" is popular here and anything that makes it harder for other people to use is viewed as a good thing.
What I've found to be more enlightening is to ask people if they'd be willing to accept the same limitations on Hacker News: Would they submit to ID review to prove they aren't a minor just to comment here? Or upvote? Or even access the algorithmic feed of user-generated content and comments? There's a lot of insistence that Hacker News would get an exception or doesn't count as social media under their ideal law, but in practice a site this large with user-generated content would likely need to adhere to the same laws.
So a better question might be: Would you be willing to submit to ID verification for the sites you participate in, as a fundamentally good thing for protecting minors from bad content on the internet?
The details very much DO matter.
You can look at all manner of posts here on HN that explain exactly how you should do age verification without uploading IDs or giving central authority to some untrustworthy entity.
The fact that neither the governments proposing these laws nor the social media sites want to implement them those ways tells you that what these entities want isn't "verification" but "control".
And, yes, most of us object to that.
That's not how ID verification works. The ID verification requirements are about associating the person logging in with the specific ID.
So kids borrow their parents' ID while they're not looking, complete the registration process that reveals nothing, then they're good forever.
Or in the scenario where nothing at all is revealed about the ID and there is no central authority managing rate limiting, all it takes is for a single ID to be compromised and then everyone can use it to authenticate everywhere forever.
That's why all of the age verification proposals are basically ID verification proposals. All of these anonymous crypto suggestions wouldn't satisfy those requirements.
The friction would be sufficient to give up. Arguably no loss to me and certainly none to the internet.
This is what has happened already, I am not giving my id to some shitty online provider. If I lose more sites so be it.
I would not. Because there are better options out there if the objective is purely age verification that's as rigorous as the status quo for buying alcohol or cigarettes.
Here's one option: https://news.ycombinator.com/item?id=46447282 that I proposed. It is by no means the best or only one.
If an at risk child’s parent is unwilling to do what they believe is the right thing by their child then they have failed the child and need to get a grip - confiscate the device or change the wifi password or sleep with the router under your pillow if you have to it’s really not that hard.
[1] https://www.eff.org/deeplinks/2025/12/why-isnt-online-age-ve...
Do we want kids becoming alcoholics? Do we want them turning up drunk to school and disrupting classes? Do we want to give parents trying to do the right thing some backup? So they know that when their kid is alone they can expect that other adults set a similar example.
Sure, you can't stop a kid determined to consume alcohol. But I think the societal norm is an overall good thing.
The same should be applied to the online space, kids spend more and more time there. Porn, social media, gambling etc. should be just a much of a concern as alcohol.
But we don't. Even with in person age/ID checks the clerk will often enter some of that data into the store's system and then who knows what happens with it.
I've only seen them enter the date of birth. No identifying information. If they record the ID itself I'd recommend going to a different store. Or ideally, writing your legislators to have the practice banned.
If one suspects a partner of buying alcohol and could convince or coerse the clerk, or even just peek in the book, and see the partner's date of birth written there, then that is good enough proof for many people and many purposes.
It's not a "robustness issue". Nobody has proposed anything that works at all.
But to answer your "fundamental question", no. Age gating is dumb. Giving parents total control is also dumb.
Who's 'we'? The parents? The government? Device manufacturers? Answers should differ wildly depending on who is doing the enforcement.
I also actually think AI might be a savior here. The ability to fake realistic 18+ year old selfies might help put the nail in the coffin of these idiotic "share a photo with the Internet" verification methods.
Not defending the legislation as I overwhelmingly disagree with it, but if I recall, I don't think any of the age verification legislation specifies a specific implementation of how to verify age.
Requiring photos, or photo ID, or any other number of methods being employed, were all decided on by the various private companies. All the legislators did is tell everyone "you must verify age." The fault here is on Roblox as much as it is on the legislature and they should equally share blame.
https://www.homburger.ch/de/insights/swiss-voters-approve-ne...!
States could do it, and maybe agree on some protocols so that things like privacy-preserving "age verification" could be done.
Maybe the feds could push it like they did with speed limits: make federal funding contingent upon adopting e-ID. Would still get a lot of pushback.
We still need the ability to be psuedoanonymous online. We should be able to verify age without divulging any identifying information to the service requesting age verification.
An e-ID registry could work on a sort of public/private key system so long as the services requesting informatino from the registry only receives a yes or no of "is this person old enough" and no further information.
That sounds like Apple & Google-blessed Android only, open source gadgets and non-Microsoft desktops not supported. Estonia at least used smart cards where a reader can be plugged into just about anything.
All the key does is attest that "this person is over X years old" with no other identifying information associated with it.
I think blending in person & digital together is going to be the best way forward. Like going to the store and buying alcohol. I have little privacy risk from the cashier glancing at my ID for a second to check my birth date.
Not possible, the key itself becomes identifying information similar to how an IP address + timestamp is identifying information even though their is no information abut you stored in the IP address or timestamp.
> I have little privacy risk from the cashier glancing at my ID for a second to check my birth date.
But also the mechanics of the check might be important. For instance, I always go to take the baby out of the back seat when I park, even though I have not driven a baby in years. Because I do not want to ever risk leaving a baby unattended in a car. The store policy might be to check every ID, even in seemingly obvious cases.
In the real world you turn up in person with a passport, or maybe use snail mail as a way to verify an address which is hard to fake.
Online we have to pretend it is still the internet of the 90s where it's all just chill people having a fun time using their handle...
I always assumed they were phishing scams, but I looked closer at one, and it is a real link too a real page on their site. It's like they're training people to fall for phishing scams. One of them even displayed the name of a variable, instead of my user name.
Then there are all the links that go to other sites to track clicks or because they have a separate domain for some reason. Again, training people to fall for phishing.
I can get Youtube Family so my kids don't get ads.
But if your kids are under 13, they can't be added to a family account on YT - so they MUST watch the ads.
Can someone explain the logic here?
it's a video game, it's an aesthetic experience, if uploading a photo of yourself doesn't feel good, it's valid to say, it's a bad game or whatever.
but by some more objective criteria, this photo upload thing that you are saying doesn't really matter. they are uploading photos of themselves to the Internet all the time (what do you think Apple Photos is). of course, with kids, i can understand the challenges of making nuanced guidelines, but by that measure, it's simpler to just say, playing roblox is kind of a waste of time, or suggesting better games to play, rather than making it about some feel-good nonsense i'm-a-savvy-Internet-user rule. it's what this whole article is about, providing real answers, but who under 18 years old is going to read the whole thing?
I worried about this at first, too. But I also check, like a good parent. And to my surprise my kid already learned on her own how to mask/blur faces and even details about the inside of her room when sharing photos. And her friends do, too. They are surprisingly savvy about Internet privacy and risks for their age--certainly more cognizant of the dangers than my generation was growing up with the Wild West Internet.
While I agree with you entirely, it's important to remember that these companies want to mis-educate the masses (and especially children) against their own interest. It's not just unfortunate that they're normalising uploading a photo just to play a videogame: it's an intentional choice to de-normalise privacy and normalise deeper and more in-grained online stalking.
Stupid laws are forcing these companies to implement something. In most countries, there is no privacy-preserving way to verify that you're old enough digitally, so when these companies are forced to get something good enough going, they're going to go with the cheapest offer they can legally get away with.
Governments know this. They want certain websites to disappear entirely, and for certain platforms to just stop existing. Both sides are using weaponised incompetence to blame the other and users end up losing regardless of whose fault it is.
The EU tries to introduce age verification, simultaneously it currently talks about sharing police data with the US for the Visa waiver program.
If this verification data is collected and normalised, we will constantly have to fight how much data that is required for auth and it can just be legislated.
And maybe consider using a VPN.
Please explain that too me.
I'm sorry for getting a little steamed here, but I have to wonder if you've put any thought into what you're asking for in the name of kids safety. And worse, if you think it will work globally what are you going to do when Saudi Arabia wants anything they don't like banned in the US, for example.
Government overreach is not the answer, it's a plaster (and an excuse for more surveillance which is arguably the primary factor) over bad parenting. In the UK at least, all major ISPs and mobile providers have a basic parental/adult-content control package that is set-up by default (opt-out by the bill payer). Albeit trivial to get around with a VPN/proxy or changing DNS servers etc.
Kids will be kids as well. They'll get around restrictions, they're clever, they talk with their mates in the playground about this sort of thing. Especially teens.
Simple answer, never accept this If everyone selected "cancel" you can be sure these sites will stop age banning, they wan $ more than anything else.
If a site asks me one question about me, I stop using if.
It could simply be that they realize that online age verification becoming required for some online activities is inevitable for the same reasons age checks are required for some non-online activities, and when that comes to pass they want to be able to do in a way that doesn't expose them to too much risk.
Yes, Google loves data but that doesn't mean they don't care about risk. The data they would from some of the age verification methods probably wouldn't improve their ability to advertise much but would cause a lot of problems if leaked.
Another possibility might be that have no choice. My understanding is that in the EU member states that enact online age verification laws will have to require that verification can be done using the privacy-preserving system that the EU Digital Identity Wallet will support. Sites will be able to use other methods too (as long as the don't violate GDPR) so they could support something that gives them more information for advertising, but they will still have to support the privacy-preserving option.
Consumer pressure and/or laws
The party that actually has to at some point verify who you really are of course has your sensitive information, and there is no obvious way to work around that. However, there is a way to make it so that it doesn't matter.
That is by making them be a party that already has that information. Probably the simplest would be to make it be the same government agency that issues your physical identity documents like passports or drivers licenses. If we don't want it to be a government agency or we want to have competition banks would be a possibility.
You kind of want an mTLS for the masses with a chain of trust that makes sense.
They're already writing laws about age verification. Tacking this onto a bill in progress would be the way to do it.
As for the other "gyrations", selling age-restricted products IRL is already done. Gift cards and the infrastructure for them is well-established. Most importantly, this is something a regular person on the street can understand. This is vital for capturing the "save the children" vote.
> Just as the 3rd party site could use SSO login from your identity provider, perhaps the identity provider could provide signed evidence to the 3rd party site that asserts "I have verified that this person is age X" but not divulge their identity
The way you compared it so SSO login makes it sounds like there would be interaction between the 3rd party site and the identity provider. That's bad because if someone got a hold of the records from both the site and the identity provider they might be able to match access time logs and figure out who you are.
A fix is to make it so you get your signed document from the identity provider ahead of time, and that document is not tied to doing age verification with any particular site(s). You get it once and then use it with as many sites as you want.
When you use it with a site to demonstrate age we need to do that in such a way that neither of you have to communicate with the identity provider. If the site needs to verify a signature of the identity provider on something you present they use the provider's previously published public key.
We need to make it so that when you use the signed document from the identity provider to show your age to a site they don't see enough from the document to identify you, even if they have been compromised and are collaborating with the identity provider to try to identify you.
Finally, the signed document should be bound to you in some way so that you can't just make copies and give them to others or sell them on the black market to people who want to evade age checks.
BTW, since under this approach the identity provide isn't actively involved after their issue your signed document what probably makes the most sense is to have your government be the identity provider. In particular, the same agency that issues your driver's license or passport or nation ID (if your country has those).
Such a system can in fact be built. The EU is including one in their EU Digital Identity Wallet project, which has been in development for several years and is not undergoing large scale field testing in several countries. It is supposed to be deployed to the public this year or next.
The first version handles the binding of the document to you by tying it to your smart phone's hardware security element. They plan to later support other types of hardware security elements. 90+% of adults in the EU have smart phones (95-98% for adults under 54), and it is going up, so the first version will already cover most cases.
Google has published some libraries for implementing a similar system. Both the Google libraries and the EU system are open source.
I see your point, but this doesn't sound like an actual risk to me. The idp will have security as one of their critical features and should be considered trustworthy in this regard. And having *both* the target site logs *and* the idp logs compromised is even more far-fetched. We aren't sitting around worrying about people correlating ISP logs to pornhub logs, and I don't trust my ISP any farther than I can throw them.
The beauty of using an SSO-style scheme is that one could actually see it easily slotting in as a subset of existing protocols. The site could get a SAML doc and the only claims it has in it are "user is over 18", for example. Use the infrastructure for exactly what it's designed for: identifying some selection of attributes that describe a person. It's very elegant and leverages existing well-understood (and well-integrated) tech plumbing.
This also takes all the sensitive data handling out of the hands of social media mongers and pornographers. Let them do what they're good at and let the competent security folks handle the sensitive bits.
1. Most people access online content through either a personal or business broadband service (residential, mobile, or place-of-work).
2. Those services ... bill directly. Which means that it should be possible to specify an age preference for the service account as a whole, and/or subsets of it. The service can specify whether or not age-bounded online services are acceptable or not, as well as specific classes of age-bounded services. E.g., a workplace service would generally allow for >18 access, but might restrict usage of gaming, gambling, pr0n, or related sites. A household might request no age gating at all (all >18 or whatever minimum age is mandated) or several classes of service, say, if adults and children are present.
3. Where it's necessary to specify multiple preferences, multiple network segments could provide this logically (e.g., an IPv6 block with unrestricted and age-gated ranges), with distinct devices being allocated appropriate gateway addresses.
4. Effectively, the connectivity provider then attests for age, without requiring any finer-grained identity disclosure.
Why ...
A. Would this not work?
B. Is it not being generally proposed?
What I'm suggesting for different service levels is simply to map a specified access / age-verification level to a specific network access point. This is better suited to IPv6 which has a much larger address space than IPv4, and often allocates a range of addresses rather than a single IP, though NAT or IP shenanigans might be possible for the latter as well.
The point is to put the heavy lifting of age validation at a level at which who is getting the service has already been vouched through service account provisioning.
I used to watch good soccer matches on public TV. When services like DAZN appeared, only one major match was available each weekend on public TV. Later, none were free to watch unless you subscribed to a private channel. I didn't want to do that, so I stopped watching soccer. Now I only follow big tournaments like the World cup, which still air on public TV (once every 4 years).
Sometimes you just have to let things go
I grew up in the 80s when office software and desktop publishing were popular. Arguably MS Access, FileMaker and HyperCard were more advanced in some ways than anything today. There was a feeling of self-reliance before the internet that seems to have been lost. To me, there appears to be very little actual logic in most websites, apps and even games. They're all about surveillance capitalism now.
Now that AI is here, I hope that hobbyists begin openly copying websites and apps. All of them. Use them as templates and to automate building integration tests. Whatever ranking algorithm that HN uses, or at least the part(s) they haven't disclosed, should be straightforward to reverse engineer from the data.
That plants a little seed in the back of every oligopoly's psyche that ensh@ttification is no longer an option.
Everyone’s age is information.
Data doesn’t want to be free.
Because it's not always about their entertainment. I know churches that post info about events only on WhatsApp groups, if you don't use it - you're screwed. I know kindergardens which use Facebook Messenger groups to send announcements to their parents' children - if you don't use it, you will miss important info.
For most people, letting go such things is very impractical. One can try to persuade for a better way to do something - but then you become the problem.
My neighborhood that I'm on the HOA board for has been entirely on a facebook group. When I joined, I made sure that we communicate all necessary communication via email (for others like me not in the group or on FB). I created a website for the neighborhood that does everything the FB group does and more, but people don't see a reason to visit another website when FB has everything they want, so they still only engage on Facebook.
I'm okay with being the problem (green bubbles are a whole nother thing for friends and family), but without sufficient pressure to switch, people generally prefer what they're comfy with.
I’m not advocating letting go of privacy, just addressing the reality of how people make choices.
> A few years ago, I received a letter in the mail addressed to my then-toddler. It was from a company I had never heard of. Apparently, there had been a breach and some customer information had been stolen. They offered a year of credit monitoring and other services. I had to read through every single word in that barrage of text to find out that this was a subcontractor with the hospital where my kids were born. So my kid's information was stolen before he could talk. Interestingly, they didn't send any letter about his twin brother. I'm pretty sure his name was right there next to his brother's in the database.
> Here was a company that I had no interaction with, that I had never done business with, that somehow managed to lose our private information to criminals. That's the problem with online identity. If I upload my ID online for verification, it has to go through the wires. Once it reaches someone else's server, I can never get it back, and I have no control over what they do with it.
All those parties are copying and transferring your information, and it's only a matter of time before it leaks.
You/your kid/your wife goes to hàckernews.com and is prompted for age verification again, evidently the other information has expired based on the message. So they submit their details. Oops, that was typosquatting and now who the hell knows has your information. Good luck.
Everyone says "we only store the data temporarily and it's deleted right after" including everyone who didn't do that and got hacked.
But I think we're far too late into this issue by now.
It's 2026 and we still don't have a way to know if our passwords are being stored in a secure way in their databases. What hope do we have to know about how our photos are being handled?
I think the EFF would have more success spreading their message if they didn't outright lie in their blog posts. While cryptographic digital ID schemes have their problems (which they address below), they do fully protect privacy rights. So do extremely simple systems like selling age-verification scratchcards in grocery stores, with the same age restrictions as cigarettes or alcohol.
Which stores sell age-verification scratchcards? How do you make sure they can't be traced back to the person who paid for them or where they were purchased from? How would a website know the person using the card is the same person who paid for them? It may be a simple system, but it still sounds ineffective, dangerous, and unnecessary.
Stores that sell other age-restricted products.
> How do you make sure they can't be traced back to the person who paid for them
How would they be traced? Pay cash. I've never had my ID scanned or recorded when I buy alcohol. And now I look old enough that I don't even have to show ID.
If someone can trace the store they're bought from and you're that paranoid, rotate between stores. Buy them from a third-party. Drive to another state and buy them there. So many options.
> How would a website know the person using the card is the same person who paid for them?
They don't. How does Philip Morris know the person who bought the cigarettes is the same person lighting up? It's clearly not that important when selling actual poisons so why would it matter for accessing a website? The system works well enough to keep most kids from smoking.
Rate-limit sales in a store (one per visit) and outlaw selling or transferring them to a minor (same penalties as giving alcohol or tobacco to a child). Require websites to implement one code per account policies with a code TTL of 6 months or a year, and identify and disallow account sharing. It's Good Enough verification with nearly perfect anonymity.
So far, I've never seen an age verification scratch card sold anywhere
> How would they be traced?
Your ID is collected at retail and its barcode scanned along with a barcode on the card, your personal data and card ID get uploaded to a server operated by the entity that created the cards and/or the state. ID barcode scan can be replaced or used alongside facial recognition, data collected (directly or passively) from your cell phone, your credit card info, etc. Even just being able to link a used card back to the time/place it was purchased could be enough to ID someone and put them at risk.
> It's clearly not important when selling actual poisons so why would it matter for social media?
The main difference is that I can't upload 1 million cigarettes to the internet for anyone of any age to anonymously download and smoke, but I could upload a spreadsheet of 1 million unredeemed scratch off codes to the internet for anyone to use. It seems highly likely that codes would get sold, shared online, generated, or leaked which means cards would be ineffective at keeping children from using them.
Why should we be okay with jumping through a bunch of hoops that don't even do what they're supposed to in the first place while costing us money and opening ourselves up to new risks in the process? I reject the premise that proving my identity to a website is necessary let alone being worth the costs/risks. Scratch cards seem likely to fail at being private or effective. Of course, "Think of the children" is really only the excuse. Surveillance and control is the real motivation and any system that doesn't meet that goal is doomed to be replaced by one that does.
It isn't something that exists today.
> Your ID is collected at retail...
You know perfectly well I already addressed that whole argument in my original comment. I know you're philosophically opposed to age verification (a perfectly valid opinion), but that's no reason to tear down strawmen.
If you care at all, here's the proposal in full: https://news.ycombinator.com/item?id=46447282
> Even just being able to link a used card back to the time/place it was purchased could be enough to ID someone
Even when close to every adult is buying them every year? Doubt. But in any case also addressed with alternatives in my original comment.
> I could upload a spreadsheet of 1 million unredeemed scratch off codes to the internet
You can't, for the same reason you can't just get unsold gift card codes on the internet.
> I reject the premise that proving my identity to a website is necessary
Again, a valid and reasonable position. But how long will the internet continue to operate like that?
> Of course, "Think of the children" is really only the excuse. Surveillance and control is the real motivation
Also mostly correct. Now I don't think children should be on social media. Whether or not there's a government ban, I'll do my best to keep my kids off it. The spooks are taking advantage of "save the children" voters to advance their own agenda. If it's possible to satisfy the "save the children" crowd, without violating anyone's privacy, then the spooks lose their support.
The alternative is to sit around as age gates get thrown up and you have to upload your passport to do anything.
Because it was an idea. Something that is not implemented yet, but could be interesting.
This is equivalent to saying you either need to be over 16 or have a parents permission which will not work for any number reasons that someone else can enumerate.
It's a nice idea. Won't work.
"We disagree with age gates but our recommendation is to comply". Fuck this.
On similar lines, I think that something between an unrestricted smart phone and the classic dumb phone is a market segment that is needed.
An excellent question, which I didn't see the article really get into.
> If you’re given the option of selecting a verification method and are deciding which to use, we recommend considering the following questions for each process allowed by each vendor:
Their criteria implies a lot of understanding on the part of the user -- regarding how modern Web systems work, widespread industry practices and motivations, how 'privacy policies' are often exceeded and assurances are often not satisfied, how much "audits" should be trusted, etc.
I'd like to see advice that starts by communicating that the information will almost certainly be leaked and abused, in n different ways, and goes from there.
> But unless your threat model includes being specifically targeted by a state actor or Private ID, that’s unlikely to be something you need to worry about.
For the US, this was better advice pre-2025, before the guy who did salutes from the capitol was also an AI bro who then went around hoovering up data from all over government. Followed by a new veritable army and camps being created for domestic action. Paired with a posture from the top that's calling harmless ordinary citizens "terrorists", and taking quite a lot of liberties with power.
We'll see how that plays out, but giving the old threat model advice, without qualification, might be doing a disservice.
Instead, the rest of us have systems that are both far more vulnerable to privacy beaches, and far easier to circumvent anyway.
I do look a little younger than 32, due to a healthy lifestyle and religious use of sunscreen but I have a beard and moustache. It's a little insane that I was instantly banned with no way to move forward.
They can implement a transparently auditable system, where you scan your id-card (nfc or camera) in the government's portal, and using oauth federation, it will confirm your age, and nothing more than that to sites requesting it.
Site that wish to prevent the fact that you visited them a secret from the government can use various temporary domains, ips, Tor,etc... so long as the government's verification service can reach it.
The government already has your ID information, and they already know at least your home IP (yes, this is actively shared with them in the US). The only privacy concern is them knowing what sites you're visiting.
I get resisting and fighting this, but it's been years now and people are having to endure this mess. It isn't going away either. I was complaining about KYC laws earlier, they started out the same, it was about "terrorists" then.
You can fight two fights in parallel. One to prevent the whole thing, another to require the government to implement a service themselves, do it transparently and preserve privacy while doing so.
Yet another proposal I have is for sites that offer oauth federated login (google,microsoft,github,etc..) to vouch for your id verification, either by them doing it directly or via the government portal i proposed earlier. You'll then just login to sites with the right google account or whatever and that's all the site will ask from you.
I would also be fine with buying a 'card' of some sort at stores that do id verification already, like where you'd buy a cigarette or alcohol. You also buy some scratchable card with a verification code on it. They can't argue it's not good enough, because it's good enough for cigs and alcohol. they can't say "what if a minor gets a hold of the card later" because what if a minor gets a hold of cigs or alcohol later as well?
My issue with having them expire is that people would have around 70 years of proving their age whilst minors only need to be prevented from accessing websites for up to 18 years (more likely just 10 years or so).
So the question is really: what is the best way to implement it?
* I find the "buying a gift card at a store" idea interesting: the seller checks your ID and gives you a gift card.
* I find the digital idea with privacy preservation interesting, too: the government already knows about me. If they can give me a token that only reveals my age, and I can use that token without revealing to the government where I used the token, then it works.
I think the EFF's stance on this is: "but some people will have issues using that technology". I would like to know how many people that is, and why we couldn't imagine a way to help them?