A long, long time ago (within the past ten years), I had to verify my age with a site. They didn't ask for my ID, or my facial scan, but instead asked for my credit card number. They issued a refund to the card of a few cents, and I had to tell them (within 24hr) how much the refund was for, after which point they'd issue a charge to claw it back. They made it clear that debit and gift cards would not be accepted, it must be a credit card. So I grabbed my Visa card, punched in the numbers, checked my banking app to see the +$0.24 refund, entered the value, got validated, and had another -$0.24 charge to claw it back.

Voila, I was verified as an adult, because I could prove I had a credit card.

The whole point of mandating facial recognition or ID checks isn't to make sure you're an adult, but to keep records of who is consuming those services and tie their identities back to specific profiles. Providers can swear up and down they don't retain that information, but they often use third-parties who may or may not abide by those same requests, especially if the Gov comes knocking with a secret warrant or subpoena.

Biometric validation is surveillance, plain and simple.

That was, in fact, what COPA mandated in the US in 1998, and SCOTUS struck it down as too onerous in Ashcroft v. American Civil Liberties Union, kicking off the last 20 years of essentially completely unregulated Internet porn commercially available to children with nothing more than clicking an "I'm 18" button. At the time, filtering was seen as a better solution. Nowadays filtering is basically impossible thanks to TLS (with things like DoH and ECH being deployed to lock that down even further), apps that ignore user CAs and use attestation to lock out owner control, cloud CDNs, TLS fingerprinting, and extreme consolidation of social media (e.g. discord being for both minecraft discussions and furry porn).

Is card verification a lesser form of surveillance? And there’s a good chance your card issuer (or your bank, one hop away from it) has your biometrics anyway.

I don’t like either of them… (And why does YouTube ask me to verify my age when I’m logged into a Google account I created in 2004?)

What you describe is called QES (Qualified Electronic Signature) and is still widely used to validate identities.

Unfortunately it is not enough to prove an identity (you could be using the credit card of your traveling uncle) and regulation requires for it to be combined with another proof.

I see a lot of people associating identity verification with evil intent (advertising, tracking).

I work in this domain and the reality is a lot less interesting: identity verification companies do this and only this, under strict scrutiny both from their customers and from the regulators.

We are not where we want to be from a privacy standpoint but the industry is making progress and the usage of identity data is strictly regulated.

Paypal used this method as identity (or at least account) verification back in the very early days, IIRC. They made a very small deposit and I think they just let you keep it but I can't recall that for sure.

As we've seen, if the information is retained, it will be used.

The only safe approach is for that information not to exist in the first place.

Credit cards are trivially traceable to your legal identity, since anti-money-laundering and know-your-customer laws require that credit card companies keep this information. The government can subpoena this information just as easily as they could with pictures of your face or ID.

I had a debit card when I was 13. An absolute godsend during international travel, not having to bother with cash as a forgetful teenager.

The card providers share your identity in monetary transactions, but I don't think this data does & should include birthdate.

What if you don't have a credit card? This solves nothing, the good way to do this is as system like Polish "MojeID" (my ID) [1]. This works in the following way, a site needs to verify information X, then it redirects users to a bank (that has to provide this service), login over there and then agree to let the bank know whatever it was requested - it could be only one information, birth date.

This is a good solution, as banks are obliged to provide free bank account for anyone (there is EU regulation on that), this is very save, gives users full information what data third party requested.

[1] https://www.kir.pl/nasza-oferta/klient-indywidualny/identyfi...

1. Your old credit card solution needs a credit card. So you exclude out the poor, bad credit, etc.

2. Parents will help kids bypass checks like that.

3. It can be bypassed by a half-smart 13-year-old who can access an app on a phone that will give them the card details and be able to see transactions.

Any verification that doesn't actually verify you via proper means is easy to fake. Hell, we can fake passport/id photos easy enough so now we have to jump on calls with the passport and move it around.

The days of the wild west of the internet are long gone. It's time to realise that it's so important that it deserves the same level of verification we give to in person activities. Someone seeing you and/or your id. It's the only thing that has the best chances of not being bypassed with ease.

They issued a refund to the card of a few cents, and I had to tell them (within 24hr) how much the refund was for, after which point they'd issue a charge to claw it back.

This was one of the methods that CompuServe used back in the 1980's, though using a checking account.

It's sad that so many aspects of technology have completely failed to improve in half a century.

I don't really get your point, surely a credit card is even more strongly linked to your identify than your face?

I basically agree with you, but it's not like you could not be tracked using your credit card number.

> Biometric validation is surveillance, plain and simple.

Eh. It's just easier and cheaper. I'll bet Discord has outsourced this to one of those services that ask you for a face scan when you sign up to [some other service].