Their initial publication was backed by a Git repository with hundreds of pages of documents written in just three days (https://web.archive.org/web/20260314224623/https://tboteproj...). It also contained nonsense like an "anomaly report" with recommendations from the LLM agent to itself, which covers an analysis of contributors to Linux's BPF, Android's Gerrit, and parser errors in using legislative databases. https://web.archive.org/web/20260314103202/https://tboteproj... . The repository was rewritten since, though.
This post follows their usual pattern. The second source they link to has been a dead link for 11 months (https://web.archive.org/web/20250501000000*/https://www.pala...). There's a lot about Persona's design, MCPs, vulnerabilities, data leaks, but nothing proving they use it for mass surveillance. The entire case for it being mass surveillance rests on two points: that they interact with AI companies and they offer MCP endpoints (section titled "Persona's Surveillance Architecture").
Quite disappointing tbh.
And this is where I'd say I disagree. There's nothing about Peter Thiel, and his current business focus, that shows anyone he's not in the business of surveillance. Look at the company he keeps and then align that with many of the things Peter and who he surrounds himself with have said publicly. Thiel is tied to Palantir and Alex Karp. That relationship alone should tell you very clearly that, even if Thiel wasn't actually in the game of surveillance (opinion: he is) he would be very much associated with supporting it.
Karp said: “I love the idea of getting a drone and having light fentanyl-laced urine spraying on analysts that tried to screw us.”
Yeah, sure... I mean I can't imagine the fact that Thiel is tied at the hip to Palantir that he doesn't have an agenda with it other than data analytics and, what, ad rev? Right.
Thiel said, publicly, that everyone should be concerned about surveillance AI [0]. Let's call a spade a spade. Thiel is in the business of surveillance whether or not there's some poor LLM generated sites stating that is the case, but then using that as the basis to give Thiel a pass on this because: not enough evidence here.
Thiel is a big part of what's wrong with his class. He's worried about something that he wants to control. He's not actually worried about you or me, though. He's worried about someone else having the full surveillance view and so he's aimed to build and be part of that. So, maybe, we shouldn't give Thiel a pass just because he hasn't fully proven himself to be the person that the world paints him into a picture of.
[0] https://www.cnbc.com/2021/10/22/palantirs-peter-thiel-survei...
https://tboteproject.com/git/hekate/surveillancefindings-new...
Initially I thought they'd be fine, because AI-generated isn't intrinsically an issue and the comments can be good. But in practice, the AI posts tend to be slop, and usually there's a better human-written source for the same topic (for example, one of the many other recent "age verification is mass surveillance" posts here).
For instance, a recent example from yesterday:
https://bugs.ruby-lang.org/issues/21982
Part of this was written by AI, but with a human in "charge" who explained which part of AI was used here. Would that also be a bannable example for you? I am not so convinced that this is bannable per se. Perhaps it may be different if the AI-slop was not announced, but when it was announced and explained?
> one of the many other recent "age verification is mass surveillance" posts here
Well, it actually is. It taps very much into other similar laws e.g. "chat control", aka chat sniffing.
- age verification
- chat control
- RTO vs. remote work
- AI bubble
- ditching American tech
In the meantime a FOSS maintainer who is just trying to put the pieces in place to comply with the law (as written) got doxxed and harassed.
I hate it here
In my experience, when a country like Britain passes a censorship law, people in other countries like America don't enjoy being given the tools to comply with it, even if the tools are entirely optional.
You would have to register using a digital ID with a government agency, to get an age certificate. Most European countries already have digital IDs, used for all sorts of things: such as taxes, online banking etc.
Then that certificate could be used in some sort of challenge-response protocol with web sites to verify your age, creating a new user ID in each session but without divulging anything that identifies that particular certificate.
I'm afraid that the alternative would be that social media would instead require login with the digital ID directly.
Since authorities have the power of accessing that data and identify the user who created the certificate, this scheme is not anonymous.
Authorities can access that data via court orders today, or via a global automatic mandatory data sharing law in the future.
In the example of USA, even if for some reason people still trust the current Government (although ICE already accessed private medical records to track and arrest people), I don't see why they should trust all future Governments which will have retroactive access to all that data.
We should not underestimate the power of the legal system to enforce freedom and anonymity. And on the flip side, it's hard to create a technical system which can actually withstand the force of the government if it chooses to come after you.
I believe the correct battlefield for freedom is the political one, in the end it decides everything. And neither guns nor technical tricks can secure freedom against a tyrannical state.
With that said, it does tickle the curiosity to think about! A technical-political solution could be to introduce a new actor, the broker. It sits between the webpage and the age-verifier, receiving the age-verification, but then giving its own proofs to the webpage (so acting as a trusted middleman). Now to match up visitors with identities you need to get the data from both the webpage, the broker and the age-verifier.
You could imagine that the broker were in a different jurisdiction, maybe even one without a close cooperation with the government. Maybe people could even choose their own brokers (among certified ones).
Once the whole technical system is implemented, it will be trivial to remove that bureaucratic limitation, and somehow it will be sold as better protection for the children.
Untraceable-but-single-use proof-of-age tokens? Good for privacy, but now that 14-year-old can get tokens from an 18-year-old friend for cash.
Proof tokens that only last a few minutes, or a three-way handshake between user, government and website? Harder to trade, but now the government's got a good guess about who's opening pornhub.
Requiring sites to keep audit records, to prove they really did the verification procedure? Wildly insecure, we don't want them storing passport photos. Requiring them to not keep audit records? Then they can skip or half-ass the checks.
Camera-based age estimation? Once again the 14-year-old can have an 18-year-old pass the check for them. Or a video game character creator or something. Scanning a government ID card? Better hope Dad never leaves his wallet unattended for 5 minutes. And not everyone has a passport or driver's license.
Age attestation from an electronic driver's license, plus face id biometric validation, with a secure element, trusted execution environment and code attestation? Congrats, now you've handed your national ID database to the world's largest adtech/tracking company. Hope you weren't trying to distance your nation from US tech dominance.
Set parental controls on set up, pass a single flag to websites and apps, similar to the Global Privacy Control.
No privacy is lost. Control is handed to the device owner, and implementation is technically trivial.
Fully anonymous + untraceable attestation --> unlimited certificate sharing
Because it focuses on technical aspects and accepts the premise of 'age verification must be solved'. It doesn’t, and discretion what content and what age children and teenagers can consume should be up to parents.
Not government, nor corporations.
You keep your own private key and the government has your public key.
People don't have to know security or cryptography to do their banking online.
Either way it would be infinitely better than the current social security number situation we have.
Verified anonymous age credentials don’t allow for this, so they don’t matter.
The negative privacy implications are the primary features of these laws, not a bug. It is intentional.
We also have gazillions of examples of apparently innocent rules being used to boil Chomsky's frog, one small temperature rise at a time. For the first time in a long while, I'm starting to sense a certain fanaticism on this topic here on HN, which sounds very much like the molecular agitation when water starts to boil.
>Stores the user's birth date for age verification, as required by recent laws in California (AB-1043), Colorado (SB26-051), Brazil (Lei 15.211/2025), etc.
[MERGED]
https://www.theregister.com/2026/03/24/foss_age_verification...
As a parent: the hard-won lesson is that most of this threat surface shrinks when you're genuinely present (listen/talk/educate).
I wonder why? Maybe these types of surveys don’t consider the implementation / what you need to give up in order to have age verification?
Because the internet, for all its good, has caused society and individuals some pretty serious problems. I don't like the idea of mandatory age verification, but having unrestricted internet access as a kid was objectively bad for me and many of the people I know.
I think you're suffering from a lack of empathy. That doesn't mean OS age verification should be implemented or not, but that you're going to be insufferable and pretty ignorant about what's going on.
IMHO, the popularity of age-verification is due to the increasing awareness of the harms of much online activity, plus the impracticality of putting the whole burden of mitigating that for children onto the shoulders of parents. If you flippantly and contemptuously ignore those concerns, people will be happy to ignore your concerns.
And since you brought it up: honestly, I wouldn't feel bad "punishing" you with this policy, just because of the attitude displayed in your comment. It's needlessly aggressive and making contemptuous assumptions. Your comment actually shoots your position in the foot.
I won't feel bad helping the big corpos keep you locked in and oppressed and help free others. Enjoy your “safety” and “security” built from hate and FUD.
I don’t have to be empathetic to you or your “well I have an argument to help make the world worse” ideas and beliefs just because you can argue for it and ignore opposing beliefs and criticisms.
"Cattle camp"? Seriously?
FYI: you're off the rails if you use terms like "sheeple" unironically. I suggest you get help for that.
> I am not interested in your “this will be good for society” bs.
You also need to work on your reading comprehension.
> I don’t have to be empathetic to you or your “well I have an argument to help make the world worse” ideas and beliefs...
You're not going to get far acting self-righteous and pissing on others' legitimate concerns because you labeled them "mak[ing] the world worse."
> ...you... ignore opposing beliefs and criticisms.
Look in the mirror.
> And since you brought it up: honestly, I wouldn't feel bad "punishing" you with this policy, just because of the attitude displayed in your comment.
> You're not going to get far acting self-righteous and pissing on others' legitimate concerns
Look in the mirror as well. You started with the “punishing you just because”.
You actually introduced the "punishment" framing, which I think was unhelpful so mirrored it back to show that. You should also note that I scare-quoted it. And the point I was making was your attitude is harming your own advocacy.
"age verification" is not unlike "DEI" in that everyone will have different schemas about what it is and how it will be assumed to be implemented. We're not learning anything about the public unless we try to pose the question more directly.
They'll claim they already "know", but watch their opinion change after they get paper mail with a list of recently visited websites, or their words written on public or unencrypted chats, or their movement history thanks to phone spyware.
You and I can strongly suspect that there's a significant downside to these providers having so much sensitive personal data but, until that is proven, the voting population will only see the upside.
People understand this intuitively - hire someone to obviously follow them everywhere, record everything they do (or only as much as current surveillance records), and they'll want to put a quick stop to it. Do the same thing, but out of sight, out of mind, and their correctly evolved instincts fail to carry over.
The harms of big tech, social media, and addiction mechanics are a lot more tangible to the average person than the anonymity aspect.
Parental responsibility and better parental controls would be a MUCH better way of going about this.
Of course, the polling public is blissfully unaware of the wide ranging consequences of such an Age Verification implementation. People will continue to pave the road to fascist hell with good intentions.
The average person is not thinking about the ability for journalists and whistleblowers to create anonymous Facebook accounts, they are thinking about Mark Zuckerberg trying to sell sex chatbots to their kids and discord pedo servers.
Can we do all three?
Also, what about the irresponsible parents, or parents who don't have time/opportunity to be responsible over this issue?
We do regulate a lot of things to protect the people, especially the children. It's common to make it illegal for children to drink alcohol, smoke stuff and drive vehicles, and it seems completely natural for many of us. We usually don't say "it should be legal for schools to sell cigarettes and whisky to kids, because it's the responsibility of the parents to educate their kids".
The same applies to the Internet: just like we don't want children to be able to buy porn in a store, we don't want them to be able to access porn on the Internet. Or, more recently, social media. So the obvious idea to prevent that is to do what we do in store: age verification.
The problem on the Internet is mass surveillance, and done incorrectly, age verification adds to that. Technically, we can do age verification in a privacy-preserving way, but:
- Politicians are generally not competent to understand "the right technical way", and the tech giants do benefit from surveillance. Even if they mean well, it's hard for them to take the right decision out of incompetence.
- In some big countries that tend to set the technical norms (e.g. the US), many people completely distrust the government. But private companies have no interest in implementing the privacy-preserving solution, so the only viable way is with the help of government regulations (I would argue that the government should be the ones owning the service).
- The vast majority of people, including the vast majority of politicians, do not understand and do not give a damn about surveillance capitalism. It just does not exist for them. And in those conditions, there is of course no reason to even consider a privacy-preserving solution, because it is technically more complex.
I strongly believe that in many countries they mean to do well. They are just not competent to understand the problem, and they turn to tech giants who do understand it, but have an interest in making sure that the politicians implement it wrongly.
WHO IS PROVIDING INTERNET TO A CHILD
they are liable
there's no such thing as free open access internet without someone paying the bill
unless it can be demonstrated the child stole internet somehow, hacking, etc.
then the person providing the internet is liable for the child's activity
Same if you aren't going to supervise your child and they come home for hours after school and watch porn on the TV
They don't age verify to get cable TV
If you have a credit card, you are an adult
Someone is paying the bill, they are the adult, they are responsible
If not before but with high school kids will need access to a computer and also the internet in many schools and countries.
I get that parents are responsible but parents have limited resources. Even the best parenthood will not keep kids from wanting to engage with peers. Even the best filter or block by parents will not cover the www and their millions of websites and services.
Should society help the child, by making it more difficult for them to access harmful material, in the same way we age verify alcohol?
What if the parent is responsible, but finds themselves in a situation where they don't have the time/ability to either educate or set up robust controls? Should we make their responsibilities easier?
The social media also can't just do it themselves with a box, "are you over 16, yes no" they will require to identify against the government.
Essentially this makes it so that every user's actual ID is being tracked. Fully intended to control speech online.