One aspect of this normalization of photo uploading is that, if a platform allows user-generated content that can splash a modal to kids, a bad actor can do things like say “you need to re-verify or you’ll lose all your in-game currency, go here” and then collect photo identification without even needing to compromise identity verification providers!

I truly fear the harm that will be done before legislators realize what they’ve created. One only hopes that this prevents the EU and US from doing something similar.

There seems to be a big movement (UK specifically) from governments using age gateing as an excuse to increase surveillance and online tracking. I don't know where Roblox is based or it's policies, but it's likely they are just implementing what the government has forced them to do.

We need to push back against governments that try and restrict the freedom of the internet and educate them on better regulations. Why can sites not dictate the content they provide, then let device providers provide optional parental controls.

Governments forcing companies to upload your passport/ID, upload pictures/videos of your face, is dangerous and we are going to see a huge increase of fraud and privacy breaches, all while reducing our freedoms and rights online.

I think the way Roblox is doing right now separating the users in age groups just makes it easier for predators to find victim.

I was getting a haircut last week and chatting about our kids with the stylist, who said (basically): "I just started letting my 7 year old on Roblox. I know its full of pedophiles. I told him to come to me or his older brother if anyone tries to talk to him."

If the million reports of Mark Zuckerberg enabling pedophiles and scam artists haven't made it clear, the executives of these tech companies just don't care. They will sell children into sexual slavery if it improves next quarter's numbers.

I think the reality is a lot less nefarious. They don't want your face. But they also don't care enough to not take your face. Why would Google spend lobbying and legal money trying to fight this requirement when it doesn't hurt their bottom line? On the other hand, requirements like storing ID cards does hurt their bottom line because it means:

1. they need additional security measures to avoid leaking government documents (leaking face photos doesn't hurt them as much) 2. not every person has a valid government document 3. additional customer support staff to verify the age on documents rather than just using some fuzzy machine learning model with "good enough" accuracy.

The bottom line is that companies are lazy and will do the easiest thing to comply with regulations that don't hurt them.

My Google account is more than 18 years old and I hit an age prompt when I was trying to watch some FPGA video (out of all things). So no, account age is not necessarily a factor.

I agree they want the face data, but I think it's less clear they want to "hand it" (presumably that's really "sell it"?) to third parties. My sense is Google and Apple and Meta are amassing data for their own uses, but I haven't gotten the impression they're very interested in sharing it?

I haven't gotten it yet on my account from 2006. Maybe it matters whether it's a brand account? Maybe it matters whether the accounts actually are connected?

They definitely already have your face though…

I wrote an April Fool's parody in 2021 that Google is going to get rid of authentication because they're following you around enough to know who you are anyway (modeling it after their No Captcha announcement[1]):

http://blog.tyrannyofthemouse.com/2021/04/leaked-google-init...

Edit:

>I think the truth is, they just want your face.

I just realized the parody also predicted that part (emphasis added):

>>In cases where our tracking cookies and other behavioral metrics can't confidently predict who someone is, we will prompt the user for additional information, increasing the number of security checkpoints to confirm who the user really is. For example, you might need to turn on your webcam or upload your operating system's recent logs to give a fuller picture.

[1] https://security.googleblog.com/2014/12/are-you-robot-introd...

I just got glasses yesterday and the optician needed to take a pic of my face to "make sure my glasses fit". The first thing I thought of was they are probably selling the data.

> I think the truth is, they just want your face.

Agreed. They treat people as data points and cash cows. This is also one reason why I think Google needs to be disbanded completely. And the laws need to be returned back to The People; right now Trump is just the ultimate Mr. Corporation guy ever. Lo and behold, ICE reminds us of a certain merc-like group in a world war (and remember what Mussolini said about fascism: "Fascism should more appropriately be called Corporatism because it is a merger of state and corporate power." - of course in italian, but I don't know the italian sentence, only the english translation)

> I’ve noticed that many people struggle to simply let things go

Because it's not always about their entertainment. I know churches that post info about events only on WhatsApp groups, if you don't use it - you're screwed. I know kindergardens which use Facebook Messenger groups to send announcements to their parents' children - if you don't use it, you will miss important info.

For most people, letting go such things is very impractical. One can try to persuade for a better way to do something - but then you become the problem.

Many people don’t struggle to let privacy go.

Funny, I'm the opposite. Since information wants to be free, and storage/compute get more affordable every year, then really everything ever posted on the web should be mirrored somewhere, like Neocities.

I grew up in the 80s when office software and desktop publishing were popular. Arguably MS Access, FileMaker and HyperCard were more advanced in some ways than anything today. There was a feeling of self-reliance before the internet that seems to have been lost. To me, there appears to be very little actual logic in most websites, apps and even games. They're all about surveillance capitalism now.

Now that AI is here, I hope that hobbyists begin openly copying websites and apps. All of them. Use them as templates and to automate building integration tests. Whatever ranking algorithm that HN uses, or at least the part(s) they haven't disclosed, should be straightforward to reverse engineer from the data.

That plants a little seed in the back of every oligopoly's psyche that ensh@ttification is no longer an option.

It might be bad for an activist group to advocate just ignoring the problem into a different jurisdiction.

"Give up" is not the best option. Certainly not from the EFF's perspective.

In many cases, using a VPN is a great way to get your account flagged as suspicious.

The days are numbered on this technique working. After enough countries enact their own age verification laws tech companies will just make that the global default policy, and I'm sure the opportunity to harvest user data will not be left to waste. Many sites already block and throttle VPNs.

When that day comes I'll stop casually using the internet or search for the underground alternative.

I think EFF does not recommend for or against VPN in general because it's not always a clear win, depending on the VPN and the use case.

https://ssd.eff.org/module/choosing-vpn-thats-right-you

Next step: the same government that is demanding the age verification will ban VPNs.

Zapping only works if the site lets you continue/pull content without verification.

The difference is that the cookie banner is not a gate. uBlock Origin is unlikely to be able to satisfy a website about your age without submitting the info that the site expects. (Assuming the age check has any teeth at all.) You're unlikely to be able to continue as usual if these kinds of measures become ubiquitous.

ignoring the banner is the same as agreeing to all the opt-out "legitimate interest" shit

Honestly that main concern should be two main concerns.

You/your kid/your wife goes to hàckernews.com and is prompted for age verification again, evidently the other information has expired based on the message. So they submit their details. Oops, that was typosquatting and now who the hell knows has your information. Good luck.

I’ve been noodling on this idea for a while but I think getting commercial acceptance would be hard. People have tried it with crypto albeit with lukewarm results. I think to have the network effects required to be successful in such an endeavor, it would have to come from a vendor like apple or google unfortunately.

You kind of want an mTLS for the masses with a chain of trust that makes sense.

Yes. In fact the 3rd party doesn't even need to know who you are.

https://news.ycombinator.com/item?id=46447282

I'm more interested in a business that reliably provides fraudulent IDs to services that unnecessarily want IDs that I cannot avoid for some reason.

The article does go into this and gives lip service to the idea that a secure third party could expose age without exposing identity. Ultimately, there's still the problem that even if point of verification can be done in a zero trust way, you are still entrusting very sensitive information to a third party which is subject to data breach.

The question is: why would services like Google and others want to use such privacy-preserving identity solutions? They wouldn't gain anything from a non-invasive, user-friendly system, so I don't think they'd use it. They want more data, so they are going for it.

This is how Swiss e-ID was proposed to work: https://www.eid.admin.ch/en

Yeah, I didn't notice where the article was located at first, and I thought that's what it was going to be about also.

saw a recent screenshot of someone doing it yesterday, so I think it still is a thing.

Phone’s have these settings already. I don’t know if people know how or bother to use them.

https://support.apple.com/en-us/105121

Basically every government on the planet has laws that apply specifically to children. The term "age discrimination" typically refers to disadvantaging someone for being of old age.

The ones I have used do not accept photos, they require real-time video with the front-facing camera and they prompt you to move your head to face different directions on command. Not impossible to attack, I'm certain, but it's tougher than simply uploading a photo.

> So do extremely simple systems like selling age-verification scratchcards in grocery stores

Which stores sell age-verification scratchcards? How do you make sure they can't be traced back to the person who paid for them or where they were purchased from? How would a website know the person using the card is the same person who paid for them? It may be a simple system, but it still sounds ineffective, dangerous, and unnecessary.

> I don't want to google it because I don't want to be put on a list

Of all the controversial things out there we've become afraid to even google in order to learn more about the world around us, this one strikes me as not all that controversial.

But you're not wrong, just making a comment about how sad the world has become.

>I don't want to google it because I don't want to be put on a list

You might think about using something like the Tor Browser for anonymous web surfing:

https://www.torproject.org/download/

...If you are worried about getting on a list by downloading the Tor browser, then take a trip to the next-town-over public library and download it from there. I guess your ISP could still guess that you were using Tor, and you might end up on a list of people using Tor. Also: If everyone is on the list, then no one is on the list.

That’s an interesting question.

Actually, a follow up. PII leaks are so common, I guess there must be millions of identities out there up for grabs. This makes me wonder: we’ve got various jurisdictions where sites are legally required to verify the age of users. And everybody (including the people running these sites) knows that tons of identities are out there on the internet waiting to be used.

How does a site do due diligence in this context? I guess just asking for a scan of somebody’s easily fabricated ID shouldn’t be sufficient legal cover…

It would probably flag that multiple people are using the same photo or same persons name/ id, but I expect you could get away with doing using someone known to you. iirc the reason people are using game screenshots is because it's not going to match any image that the recogniser has seen before. Use tor for the things you don't want to google and have associated with you.

Netflix has been checking accounts against public IP addresses and local networks for ages, at least in The Netherlands. if I use my Dad's account, I get flagged as being "not on the same home network" immediately. I think that using a VPN and Netflix detecting that would only make matters worse, like termination of service.

Last time I tried I could find a photo ID just with a basic image search. It is an unavoidable consequence of teaching people that scanning an ID is not utterly insane.

Ironically there was no way to report the image anonymously to the service hosting it.

I'd imagine it is because several of the obvious options for "lying" here may violate criminal law. And also because the EFF is an civil liberties advocacy group, they want to change the law, not circumvent it.

For real. This should be an article about circumvention, not compliance.

I would say that normalizing giving random websites photos of yourself is harmful to children.

Against what? How much struggle and pain are we actually seeing in the world because children have unrestricted internet access?

Think back to when you were a child. Did age verification ever stop you from doing anything? The automated, technologically-implemented age-verification is even less interested in properly verifying anything than the ID-checking bouncers at a bar. None of these things protect kids, they just annoy them and teach them that authority is stupid and lying is a convenient way to deal with stupid people.

Call your ISP and ban any NSFW/NSFL access by DNS, both in your children's phones and your home connection. Problem solved.