Do platforms want to counter it?
Seems to me with an unreliable video selfie age verification:
* Reasonable people with common sense don't need to upload scans of their driving licenses and passports
* The platform gets to retain users without too much hassle
* Porn site users are forced to create accounts; this enables tracking, boosting ad revenue and growth numbers.
* Politicians get to announce that they have introduced age controls.
* People who claimed age checks wouldn't invade people's privacy don't get proven wrong
* Teens can sidestep the age checks and retain their access; teens trying to hide their porn from their parents is an age-old tradition.
* Parents don't see their teens accessing porn. They feel reassured without having to have any awkward conversations or figure out any baffling smartphone parental controls.
Everyone wins.
We already had a half-assed solution, where websites would require you to press the button that says "I am over 18". Clearly somebody decided that wasn't good enough. That person is not going to stop until good enough is achieved.
> Reasonable people with common sense don't need to upload scans of their driving licenses and passports
Cue random bans.
> People who claimed age checks wouldn't invade people's privacy don't get proven wrong
And? Is that supposed to change anything?
I'm curious the sites that enforce this like 'your state has banned...' what traffic loss they have. Because I'm not gonna sign up for a porn site lmao, the stigma
My guess is that's probably one of the reasons Google tried to push for Play Store only apps, provide a measurable/verifiable software chain for stuff like this.
It's not the fancy structured light of phone-style Face ID, but it still protects against the more common ways of fooling biometrics, like holding up a photo or wearing a simple paper mask.
Maybe new ones are different but that’s how they used to be. Little Kinect devices, really, for sensing faces instead of whole people.
https://learn.microsoft.com/en-us/windows-hardware/design/de...
These cameras are considered a "secure biometric" device and AFAIK nobody has faked them. I've flagged the poster who said "try two flat images"
I don’t this will happen in the US but I can see it in more privacy responding countries.
Apple and Google may also add some kind of “child flag” parents can enable which tells websites and apps this user is a child and all age checks should immediately fail.
Like, you’d enroll it by adding a DOB and the computer/phone/etc would just intentionally fail all compatible age checks until that date is 18 years in the past. To remove it (e.g. reuse a device for a non-child), an adult would need to show ID in person at Apple.
Government IDs could be used to do completely privacy preserving, basically OpenID Connect but with no identifying property, just an “isEighteenOrMore” property. However, i agree it’ll never happen in the US because “regular” people still don’t know how identity providers can attest without identifying, and thus would never agree to use their government ID to sign into a pornsite. And on top of all that yeah nobody trusts the government, basically in either party, so they’d be convinced the government was secretly keeping a record of which porn sites they use. Which to be fair is not entirely unlikely. Heck, they’d probably even do it by incompetence via logs or something and then have people get blackmailed!
I never put in my real birthday. It's just one more datapoint to leak in an inevitable hack and help scammers exploit me.
Just because a website sticks a field on a form, doesn't mean you need to fill it out.
I can think of maybe 1 website I use that has a legitimate use to know this info about me... and a dozen that use my fictious birthday for no other purpose than an excuse to market at me under the shallow guise of a 'Happy Birthday' email.
IIRC, it went like this: the account creation screen prompted them for a birthdate. They entered a fictitious one and pretended to be over 13. (I saw my niece do this in front of me, and I just sighed a very heavy sigh. She was way more interested in Club Penguin.)
Then later, they let the cat out of the bag. They tell their friends "lol I'm only 10! Today's my birthday, so give me a hat!" or something. And so if they claimed they're 10 they got 3 years suspension.
I think there was never any verification done, and no verification was possible: think about it, under COPPA, a service in the USA cannot collect PII from children under 13, so what do you do when a kid gives you two contradicting datapoints? Err on the side of caution.
I gave Yahoo! a false birthdate when I signed up. I was 27, but I also just felt they weren't entitled to knowing it. However, I soon found that maintaining a fraudulent identity is tiresome and error-prone. And Yahoo! wouldn't let me simply change my birthdate as often as I wanted to.
I once had a conversation with a friend about cheating on IRS taxes. She said "can you lie to a piece of paper?" like fudging numbers wasn't like lying to an auditor's face. It was a rhetorical question, of course.
ID checks aren't very worthwhile if anyone can use any ID with no consequences.
How long would it take for someone's 18 year old brother to realize they can charge everyone $10 to "verify" everyone's accounts with their ID, because it doesn't matter whose ID is used?
The older brother could also rent an R (or x) rated movie, buy cigarettes, lighters, dry ice, and give them to the kids. The point of the age check is to prevent kids from getting access without an adult in the loop, not to prevent an adult from providing kids access
South Korea also has had various versions of this even going back to ~2004 I think.
Credit cards don't have photos.
> How many Americans wouldn't be able to present a CC or ID?
The number of Americans who don't have a government issued photo ID is estimated around 1%. The number gets larger if you start going by technicalities like having an expired ID that hasn't been renewed yet.
The intersection between the 1% of 18+ Americans who don't have an ID and those who want to fully verify their Discord accounts is probably a very small number.
Same in the UK, but Steam uses credit cards for age verification there and refuses if you provide a debit card instead. Evidently the payment backends can tell credit and debit apart.
> Nearly 21 million voting-age U.S. citizens do not have a current (non-expired) driver’s license. Just under 9%, or 20.76 million people, who are U.S. citizens aged 18 or older do not have a non-expired driver’s license. Another 12% (28.6 million) have a non- expired license, but it does not have both their current address and current name. For these individuals, a mismatched address is the largest issue. Ninety-six percent of those with some discrepancy have a license that does not have their current address, 1.5% have their current address but not their current name, and just over 2% do not have their current address or current name on their license. Additionally, just over 1% of adult U.S. citizens do not have any form of government-issued photo identification, which amounts to nearly 2.6 million people.
From https://cdce.umd.edu/sites/cdce.umd.edu/files/pubs/Voter%20I...
> Additionally, just over 1% of adult U.S. citizens do not have any form of government-issued photo identification, which amounts to nearly 2.6 million people.
The rest of the statistic is about driver's licenses specifically, including technicalities like expiration dates and address changes. The online ID check for age verification don't care about the address part anyway, in my experience.
If someone has an expired drivers' license or they changed their name and haven't updated their IDs, they have bigger problems than age-verifying their Discord accounts.
I actually only renewed it to get medical care and because renewing the license was only a little more expensive than getting an ID-only card.
It did prevent me from using some porn sites because my state requires ID verification but many sites just ignore the requirement so I just didn't use the sites that required ID.
For DL alone:
>Data indicates that approximately 84% to 91% of all Americans hold a driver's license, with roughly 237.7 million licensed drivers in the U.S. as of 2023.
Add in an ID and Passport and we are likely closer to 99%
I think you're... missing the point of the pushback. People DO NOT WANT to be identified online, for fear for different types of persecution.
In Japan, there are already multiple apps which use something like this to verify user's age via the "my number card" + the smartphone's NFC reader.
It's more or less impossible to forge without stealing the government's private keys, or infiltrating the government and issuing a fraudulent card.
Of course, the US isn't a functioning state, the people don't trust it with their identity and security and would rather simply give all their information to private companies instead.
Does this also leak your identity to the app?
My guess is that 95% or more of all Discord users do not care and simply upload their selfie or ID card and be done with it. I know I will (although they did say that they expect 80%+ to not require verification since they can somehow infer their age from other parameters)
Are you a minority, LGBTQ+, etc or of a "different" political persuasion that might have any reason to be distrustful of the US government? If so, you probably wouldn't just "be done with it".
Yes but for completely different reasons: I will not bother to play the game and stop using the platform.
That's the endgame and what the EU really wants. No poasting unless they can arrest you for inconvenient memes.
Weird thing.. the people who want this validation fully expect for you to pay for, maintain, keep it valid, and pay for upkeep/service for their desires. Honestly, this is something that SHOULD get very aggressive pushback.. but most people accept for no reason.
Ad-hoc identification can occur via other means like dynamic knowledge based authentication. The sources of this mechanism can be literally anything. Social media itself being one obvious source for the target cohort.
You can walk into many US financial institutions without an ID and still get really far using KBA workflows. The back office will hassle you for a proper scan of a physical ID, but you can often get an account open and funded with just KBA.
This basically only gets used for businesses that need a fig leaf for regulatory purposes. You know, $30 loans for uber eats and tiny loans like that.
In the nomenclature of Multi-Factor Authentication, "something you know" is one factor. So if you know a password and you have a hardware token, that's 2 factors and combining different types is the key to MFA.
Many "knowledge based authentication" tries to string together "things you know" without a different type, and that's a weakness.
However, it can be strengthened through various techniques. If a human is authenticating you in real-time, they may choose a factoid that an impostor is unlikely to know which may be agreed in advance. For example, the security questions combined with other challenges, or a "curve ball" that may elicit a stutter, pause, or prevarication. This is a dynamic method that bob refers to.
In fact, knowledge-based quizzes are used routinely by credit reporting agencies -- the big ones like Experian. And they've been presented by background check services, too. They work like this: they scrape your credit reports and public records in a deep dive for your old addresses, employers, contact info, a whole smorgasbord of stuff. Maybe attackers know some of it. But it's multiple choice: "which of these did you live at? None of the above? All of them?" "Which one of these wasn't your employer?" And the attacker would need to have the same list of public records, and also know the wrong answers! Knowing the wrong answers is the "curve ball" here! How many attackers know that I didn't work for Acme, Inc, and I never lived in San Antonio?
It's also worth pointing out that I've opened at least 3 bank accounts without setting foot in a bank. Even if yours is brick-and-mortar, they probably have a flow on their website for account creation and funding. It is not difficult to satisfy their ID requirements. If they glitch, then you're just flagged a bit, and you follow up as instructed. I've also authenticated identity to the federal government agencies, and accessed several DMV services, using only the apps and websites.
People may feel reticent about establishing their identity online, but isn't it better that you do it first before someone else does? If your identity is known and registered and builds up data points that correspond to you, aren't you less likely to be a victim of fraud or identity theft when things don't add up?
There are a lot of countries and US states where such validation is possible.
Given the state is mandating these checks, it only makes sense that the state should be responsible for making it possible to perform these checks.
Gross.
(I'm not verifying anywhere unless required for official business. Still have my non-KYC sim for people)
They also have you move your head in multiple directions.
It would be interesting to see a model completely indistinguishable from a real human in behavior, as well as real-time reflection off different surfaces, etc.
The next step would be to make a complete digital clone of a person based on surreptitiously recording them with hidden cameras. I doubt it's possible.
We had facerig for over a decade now. Facefilter recently. It's not hard anymore.
Your better bet would be to generate a face as an image and then you can easily generate that same face in different expected poses and conditions. You can then use existing models where you get to select the starting image and the ending image. Add some filters and noise to just make it look like normal crappy low light camera.
As for the color that's another expected condition and can be overlayed or pre-generated.
See: Login.gov (USPS offline proofing) and other national identity systems.
(digital identity is a component of my work)
That's going to be a no from me, dawg. I'm sympathetic to ID checks like if you're buying beer or whatever, but not linking my real life identity to discord or whatever.
Pornhub is fighting state age verification and keeps losing state by state, for example.
1. Removes the pain of age verification, encouraging some people to stay in the proprietary walled garden when everyone would be better served by open platforms (and network effects).
2. Provides a pretext for more invasive age verification and identification, because "the privacy-respecting way is too easily circumvented".
3. Encourages people to run arbitrary code from a random Web site in connection with their accounts, which is bad practice, even if this one isn't malware and is fully secure.
The code was released, therefore it is not arbitrary (problem #3). Should companies react with more invasive techniques (problem #2), users can always move to other platforms (problem #1).
But in practice, this only holds if regulators are either inattentive or satisfied with checkbox compliance. If a government is competent and motivated, this approach won’t hold up—and it may even antagonize regulators by looking like bad-faith compliance.
I’ve also heard that some governments are already pushing for much stricter age-verification protocols, precisely because people can bypass weaker checks—for example, by using a webcam with partial face covering to confuse ID/face matching. I can’t name specific vendors, but some providers are responding by deploying stronger liveness checks that are significantly harder to game. And many services are moving age verification into mobile apps, where simple JavaScript-based tricks are less likely to work.
{"error":"error parsing webview url"}
Edit: Apparently my discord account is in some kind of A/B feature test that uses a different verification provider, Persona
narrator> And that's when he discovers his account has now been hacked...
;)
Calling it a "mild effort" assumes skills that older generations took for granted but many young people seem to have been actively trained out of. We're past the era where I take for granted that aspiring programmers need to have the basics of a terminal or shell explained to them, into one where they might need an explanation for the basics of a file system and paths. I wouldn't be surprised to hear that hardly any of them could touch-type, either. (I wonder what the speed record is for cell phone text input...)
Yes, they can query a search engine (kind of) or, I guess nowadays, ask ChatGPT. But there's going to be more to setting up an alternative than that. And they need to have the idea that an alternative might exist. (After all, they're asking ChatGPT, not some alternative offering from a company that provides alternatives to Google services....)
Look at the Amnezia VPN. It's an app that helps you buy a VPS from a range of cloud provides, then sets it up, completely from the phone, as an exit node under user control.
I don't see why a chat server cannot be set up and managed this way. It only takes one dedicated developer to produce.
by a system with a incentive to keep them in centralized black boxes, yes.
>The rest will be taken care of.
It's never the tech hat's hard, but the networks. If people were able to just jump on a whim a lot of dynamics of modern corruption would fall apart.
The Network Effect.
That's it. Their friends are there so they're there.
What's the problem? You're filtering out people who don't really care about participation in whatever group or society is there. People who want to participate will move to an acceptable service and those who feel that is too much effort probably weren't participating much (if at all) anyway - in that case the only difference is the visible list of people with accounts going down, not the actual "users".
It’s also a futile effort since age checks for adult content is becoming the law around the world so soon any platform you move to will have the same checks.
Most people just care about being able to talk to each other, not their devotion to some "group or society".
You underestimate how many people would rather do nothing than be inconvenienced, sadly. If you're not the personality that the community is rotating around, you'll find the migration pretty lonely.
Heck, even esablished personalities can only do so much. Remember that Microsoft paid top Twitch streamers 10s of milllions to move to Mixer for exclusive streaming. Even that wasn't enough to give a leg up.
The effort to coordinate everyone to move at the same time is bordering on impossible.
There are a lot of barriers between kids and better solutions, one of which is that anything needs a domain and a server, and that means a credit card.
In the gaming sphere it's so universally used that all the friends you've ever made while gaming are on it, as well as all your chat history, and the entire history of whatever server you met them on. And if you want to make new friends, say to play a particular game, it's incredibly easy to find the official game server and start talking to people and forming lobbies with them.
My main friend group in particular has a server that we've had running since we were teenagers (all in our mid-20s now) which is a central place for all of the conversations we've ever had, all of the pictures we've ever sent each other, all the videos we've ever shared, and so on. That's something I search back through frequently looking for stuff we talked about years ago.
So I'm not saying it's impossible to move, but understand that it would require:
- Intentionally separating from the entire gaming sphere, making it so, so much harder to make new friends or talk to people. - Getting every single one of your friends that you play games with to agree to downloading and signing up for this new service (in my case that would be approx. a dozen people) - Accepting that this huge repository of history will be wiped out when moving to the new service (I suppose you could always log back in and scroll through it, but it's at least _harder_ to access, and is separated from all your new history)
On top of this, every time I've looked for capable alternatives to Discord I've come up empty-handed. Nothing else, as far as I can tell supports free servers, the ability to be in multiple servers, text chat divided into separate channels, optional threaded communication, voice chat joinable at any time with customizable audio setup (voice gate, push-to-talk, etc), game streaming from the voice chat at any time, and some "friend" system so that DMs and private calls can be made with each other. And even if I found one, then again I can't express enough that in the gaming sphere effectively _zero_ people use it or even know what it is.
Anyways, I'm not saying that nothing could make me abandon Discord, I'm just saying that doing so is a tremendous effort, and the result at the end will be a significantly worse online social life. So not a mild inconvienence.
This is true, but one needs to regularly back this up elsewhere if you care about it. If you're not in control of it, it can go away in an instant; Discord could one day decide to ban your server or anything else, and then it's gone.
And yet here we all are, still in an uproar every time GitHub goes down. Change is slow, we can't all leave GitHub in a day. Same with Discord users.
Getting everyone to switch away from Discord has been hard because getting everyone to spontaneously switch with no clear benefit hasn't worked. They want to just keep using the app and get back into a game with their friend.
It's different to lock a door and task users with getting the key to come back in. This is more similar to an MMORPG that kills their audience because they cause the core group to stop playing and then all of the other players experiences get worse, which causes a downward trend that avalanches.
Somehow Discord pulled it off. It really didn't have much of an edge over the other chat apps at launch, just was slightly easier to use because it was simpler. A new site launching now could easily have that over Discord.
because that's not how they view it. For most Gen Z users and younger their digital identity already is their identity and they have no problem verifying it because the idea of being anonymous on a social network defeats the purpose of being there in the first place.
They grew up being watched. They know what these data harvesting operations are and how dangerous this is. They've got front row seats to the dystopia. The difference is that they can't / couldn't do anything about it.
They think the world is broken and that you broke it. They're pissed off. And powerless. Not a good combination
Even McKinsey is now reporting on it,
Some Gen Zers push back on a lack of privacy, creating online subcultures that fantasize about anonymity: the pastoral “cottagecore” aesthetic, inspired by tiny cabins and homegrown greens, was one of Gen Z’s first major trends.
Some opt out; the New York Times recently reported on a group of self-described Luddite teens who found community by kicking smart devices in favor of the humble flip phone.
Even if you don’t go that far, many young people are veering away from “everyone knows everything” social media to curate a close group of friends and carefully monitor how much they put online.
Looking at the numbers that TikTok or Meta are doing I think you can unequivocally say that the vast majority of young people do not care, at all, the 'luddite teen' is the digital version of, and about as real, as the Gen Z 'trad wife'.
If you're going to a CCC event you're much more likely to see resistance in the form of someone like Cory Doctorow, an actually angry middle aged guy who to my knowledge has not converted to flip phone cottage core to stick it to the man.
From experience, I know if I leave that few of my friends will follow. So I understand the resistance.
Discord will require a face scan or ID for full access next month - https://news.ycombinator.com/item?id=46945663 - Feb 2026 (1999 comments)
Discord Alternatives, Ranked - https://news.ycombinator.com/item?id=46949564 - Feb 2026 (456 comments)
Discord faces backlash over age checks after data breach exposed 70k IDs - https://news.ycombinator.com/item?id=46951999 - Feb 2026 (21 comments)
However, the orgs don’t get to capture verified adult user identity to pad the value of their user data profiles…
[0] https://blog.google/company-news/inside-google/around-the-gl...
{"error":"failed to execute k-id privately action (status=404)"}
If I recall, I had a fairly decent view of their various checks because it was delivered completely unminified, including a couple amusing sections and unimplemented features. (A gesture detector with the middle finger gesture in the enumerable commented out, for example...)
Another attack vector that I speculated upon was intercepting and replacing their tflite model with ones own, returning whatever results required.
Additionally, I believe they had a check for virtual camera names in place, as checks would quietly fail with a generic message in the interface, but show the reason as being virtual camera within responses. (Camera names are mutable though, so...)
One from '03: https://groups.google.com/g/microsoft.public.security/c/IpR2...
> p.s. greetz out to X, R, S, F, and the "bastards across the river"....see, McLean, it depends on your point of view as to who is the 'bastard' and what side of the 'river' you're on.....see you on the wires, chumps....
God, so good.
> the presence of clunky workarounds like this doesn't affect it if it doesn't reach the mainstream.
i suspect that mainstream would eventually find it - like how VPNs suddenly became very popular in the UK.
Apparently Twitch doesn't like Mozilla Firefox...
You can also self-host the backend from https://github.com/xyzeva/k-id-age-verifier.
There are many ways in which such a system could be implemented. They could have asked people to use a credit card. Adult entertainment services have been using this as a way to do tacit age verification for a very long time now. Or, they could have made a new zero-knowledge proof system. Or, ideally, they could have told the authorities to get bent.
Tech is hardly the first industry to face significant (justifiable or unjustifiable) government backlash. I am hesitant to use them as examples as they're a net harm, whereas this is about preventing a societal net harm, but the fossil fuel and tobacco industries fought their governments for decades and straight up changed the political system to suit them.
FAANG are richer than they ever were. Even Discord can raise more and deploy more capital than most of the tobacco industry at the time. It's also a righteous cause. A cause most people can get behind (see: privacy as a selling point for Apple and the backlash to Ring). But they're not fighting this. They're leaning into it.
Let's take a look at what they're asking from people for a second, the face scan,
If you choose Facial Age Estimation, you’ll be prompted to record a short video selfie of your face. The Facial Age Estimation technology runs entirely on your device in real time when you are performing the verification. That means that facial scans never leave your device, and Discord and vendors never receive it. We only get your age group.
k-id, the age verification provider discord uses doesn't store or send your face to the server. instead, it sends a bunch of metadata about your face and general process details.
Discord is also doing profiling along vectors (presumably behavioral and demographic features) which the author describes as,
after some trial and error, we narrowed the checked part to the prediction arrays, which are outputs, primaryOutputs and raws.
turns out, both outputs and primaryOutputs are generated from raws. basically, the raw numbers are mapped to age outputs, and then the outliers get removed with z-score (once for primaryOutputs and twice for outputs).
Is some or all of this data being turned into features that are being fed to this third-party k-ID? https://www.k-id.com/
https://www.forbes.com/sites/mattgardner1/2024/06/25/k-id-cl...
https://www.techinasia.com/a16z-lightspeed-bet-singapore-par...
k-ID is (at first glance) extracting fairly similar data from Snapchat, Twitch etc. With ID documents added into the mix, this certainly seems like a very interesting global profiling dataset backstopped with government documentation as ground truth. :)
Just comply. You wouldn't fight if a policeman told you to assume the position (some people did that when it was first implemented and they eventually gave in).
This is not the right hill to die on.