The real and robust method will be generating artificial video input instead of the real webcam. I really don’t think any platform will be able to counter this. If they start requiring to use a phone with harder to spoof camera input, you will simply be able to put the camera in front of a high resolution screen. The cat and mouse game will not last long.
> I really don’t think any platform will be able to counter this.
Do platforms want to counter it?
Seems to me with an unreliable video selfie age verification:
* Reasonable people with common sense don't need to upload scans of their driving licenses and passports
* The platform gets to retain users without too much hassle
* Porn site users are forced to create accounts; this enables tracking, boosting ad revenue and growth numbers.
* Politicians get to announce that they have introduced age controls.
* People who claimed age checks wouldn't invade people's privacy don't get proven wrong
* Teens can sidestep the age checks and retain their access; teens trying to hide their porn from their parents is an age-old tradition.
* Parents don't see their teens accessing porn. They feel reassured without having to have any awkward conversations or figure out any baffling smartphone parental controls.
It depends. If the law says "you must perform such-and-such steps to verify age" then no, they don't care if you can counter it. If the law says "you must use an approach that is at least x% effective" then yes they do care if enough people counter it.
We already had a half-assed solution, where websites would require you to press the button that says "I am over 18". Clearly somebody decided that wasn't good enough. That person is not going to stop until good enough is achieved.
Don't Windows Hello camera devices have some kind of hardware attestation? I'm sure verification schemes like this will eventually go down that path soon.
My guess is that's probably one of the reasons Google tried to push for Play Store only apps, provide a measurable/verifiable software chain for stuff like this.
You're not wrong, but I have had to do video verification over a phone once, and it seemed quite advanced. It would flash through a number of colors and settings and take probably 30 frames of you. I presume they're checking for "this came from a screen and not a human", but of course I have no idea how it works, so I don't know if it's truly sophisticated or not.
As I understand it, 'Windows Hello' requires a near-IR image alongside the RGB image.
It's not the fancy structured light of phone-style Face ID, but it still protects against the more common ways of fooling biometrics, like holding up a photo or wearing a simple paper mask.
That’s not how they work. They emit structured light in the form of an array of infrared dots and they measure the time of flight to where the dots strike something.
Maybe new ones are different but that’s how they used to be. Little Kinect devices, really, for sensing faces instead of whole people.
They already support ID checks as an alternative to face scanning, if the latter proves to be untenable then it's literally a case of flipping a switch to mandate ID instead.
The long term solution would have to be some kind of integration with a government platform where the platform doesn’t see your ID and the government doesn’t see what you are signing up for.
I don’t this will happen in the US but I can see it in more privacy responding countries.
Apple and Google may also add some kind of “child flag” parents can enable which tells websites and apps this user is a child and all age checks should immediately fail.
I do like the idea of the “this is a child” taint (ok, terrible name but I really think it should be a near-unremovable thing on a platform like Apple’s that’s so locked down/crypto signed etc).
Like, you’d enroll it by adding a DOB and the computer/phone/etc would just intentionally fail all compatible age checks until that date is 18 years in the past. To remove it (e.g. reuse a device for a non-child), an adult would need to show ID in person at Apple.
Government IDs could be used to do completely privacy preserving, basically OpenID Connect but with no identifying property, just an “isEighteenOrMore” property. However, i agree it’ll never happen in the US because “regular” people still don’t know how identity providers can attest without identifying, and thus would never agree to use their government ID to sign into a pornsite. And on top of all that yeah nobody trusts the government, basically in either party, so they’d be convinced the government was secretly keeping a record of which porn sites they use. Which to be fair is not entirely unlikely. Heck, they’d probably even do it by incompetence via logs or something and then have people get blackmailed!
When I played an MMOG, if the admins found out that a child was underage, it was customary for them to suspend their account until their 13th birthday. I thought this was a clever policy, but I just can't understand the reverse of authenticating someone's age based on that of their account...
ID checks aren't very worthwhile if anyone can use any ID with no consequences.
How long would it take for someone's 18 year old brother to realize they can charge everyone $10 to "verify" everyone's accounts with their ID, because it doesn't matter whose ID is used?
Ok, at which point an adult has taken responsibility for giving them access.
The older brother could also rent an R (or x) rated movie, buy cigarettes, lighters, dry ice, and give them to the kids. The point of the age check is to prevent kids from getting access without an adult in the loop, not to prevent an adult from providing kids access
this is already how the EU infrastructure for digital ID works, basically. Using public/private keys on your national id, the government functions as a root authority that you (and other trusted verifiers downstream) can identify you with and commercial platforms only get a yes/no when you want to identify yourself but have no access to any data.
South Korea also has had various versions of this even going back to ~2004 I think.
Age verification requires a document that can be matched to your ID, such as by the photo on your ID card.
Credit cards don't have photos.
> How many Americans wouldn't be able to present a CC or ID?
The number of Americans who don't have a government issued photo ID is estimated around 1%. The number gets larger if you start going by technicalities like having an expired ID that hasn't been renewed yet.
The intersection between the 1% of 18+ Americans who don't have an ID and those who want to fully verify their Discord accounts is probably a very small number.
> At least in Australia you absolutely can have a debit card under 18
Same in the UK, but Steam uses credit cards for age verification there and refuses if you provide a debit card instead. Evidently the payment backends can tell credit and debit apart.
> Nearly 21 million voting-age U.S. citizens do not have a current (non-expired) driver’s
license. Just under 9%, or 20.76 million people, who are U.S. citizens aged 18 or older
do not have a non-expired driver’s license. Another 12% (28.6 million) have a non-
expired license, but it does not have both their current address and current name. For
these individuals, a mismatched address is the largest issue. Ninety-six percent of
those with some discrepancy have a license that does not have their current address,
1.5% have their current address but not their current name, and just over 2% do not have
their current address or current name on their license. Additionally, just over 1% of adult
U.S. citizens do not have any form of government-issued photo identification, which
amounts to nearly 2.6 million people.
That seems like a good citation, but it supports the 99% number above
> Additionally, just over 1% of adult U.S. citizens do not have any form of government-issued photo identification, which amounts to nearly 2.6 million people.
The rest of the statistic is about driver's licenses specifically, including technicalities like expiration dates and address changes. The online ID check for age verification don't care about the address part anyway, in my experience.
If someone has an expired drivers' license or they changed their name and haven't updated their IDs, they have bigger problems than age-verifying their Discord accounts.
My driver's license was expired for 8 years until last year. I wasn't driving so the pressure to renew it was very low.
I actually only renewed it to get medical care and because renewing the license was only a little more expensive than getting an ID-only card.
It did prevent me from using some porn sites because my state requires ID verification but many sites just ignore the requirement so I just didn't use the sites that required ID.
wat. the majority of Americans have a DL, ID, or Passport. What a silly thing to say.
For DL alone:
>Data indicates that approximately 84% to 91% of all Americans hold a driver's license, with roughly 237.7 million licensed drivers in the U.S. as of 2023.
Add in an ID and Passport and we are likely closer to 99%
Personal Identity Verification (PIV) and Common Access Card (CAC) credentials used by US government & military via NFC already work on web browsers. States should just move to digital IDs stored on smartphones, with chain of trust up through the secure element...
This is extremely dangerous, and would only work with hardware/software that is nonfree (i.e., not under the user's control, or any attestation could be spoofed).
> Personal Identity Verification (PIV) and Common Access Card (CAC) credentials used by US government & military via NFC already work on web browsers. States should just move to digital IDs stored on smartphones, with chain of trust up through the secure element...
I think you're... missing the point of the pushback. People DO NOT WANT to be identified online, for fear for different types of persecution.
In functioning states, the ID contains a chip with a private key that can be used to sign a message, and ID verification would not be an image of the ID card, but rather holding your phone's NFC reader to the card and signing a message from the site.
In Japan, there are already multiple apps which use something like this to verify user's age via the "my number card" + the smartphone's NFC reader.
It's more or less impossible to forge without stealing the government's private keys, or infiltrating the government and issuing a fraudulent card.
Of course, the US isn't a functioning state, the people don't trust it with their identity and security and would rather simply give all their information to private companies instead.
When I had to prove my passport for my bank over a video call they told me to rotate it around in the sunlight to show that it had the holo-whatever ink. So I wouldn't put it past them.
And it's not like Discord actually cares. They just care about appearing like they care. Something to keep the heat off of them from regulators and angry parents.
A “video call” perhaps requires a human, but the type of test described need not be a video call. One can imagine a network trained to distinguish a fake id card from real one from a video recorded where the user is asked to move the card such that the holograph is glinting in the sunlight.
Is there any data on what kind of hits to enrollment were taken by facebook, gmail etc when they added requirements like a phone #? Maybe it's buried in their sec filings. Anyway, this "cat and mouse" game is probably irrelevant. They're not looking for and don't need a perfect system. Bc 99% of the public couldn't care less about handing over their information.
Is there any data on what kind of hits to enrollment were taken by facebook, gmail etc when they added requirements like a phone #? Maybe it's buried in their sec filings.
I think you massively overestimate how many people actually care.
My guess is that 95% or more of all Discord users do not care and simply upload their selfie or ID card and be done with it. I know I will (although they did say that they expect 80%+ to not require verification since they can somehow infer their age from other parameters)
Are you a minority, LGBTQ+, etc or of a "different" political persuasion that might have any reason to be distrustful of the US government? If so, you probably wouldn't just "be done with it".
They're getting worse with attested and validated environments. This one of the reasons that google is trying to kill sideloaded apps and checking for root access.
Weird thing.. the people who want this validation fully expect for you to pay for, maintain, keep it valid, and pay for upkeep/service for their desires. Honestly, this is something that SHOULD get very aggressive pushback.. but most people accept for no reason.
They could do what a bank does and run everyone's ID through chexsystems. It's really hard to defeat this. Fake identities don't exist in the system and stolen ones would get flagged by geographic, time of use and velocity rules.
Doesn't work for places like Australia, where the social media ban applies only to under-16s. Teenagers rarely have ID, especially in countries where the minimum driving age is higher than 16 (read: most of the world outside the US).
The concept of identity doesn't necessarily have to be embodied by a piece of physical plastic that goes into a wallet.
Ad-hoc identification can occur via other means like dynamic knowledge based authentication. The sources of this mechanism can be literally anything. Social media itself being one obvious source for the target cohort.
You can walk into many US financial institutions without an ID and still get really far using KBA workflows. The back office will hassle you for a proper scan of a physical ID, but you can often get an account open and funded with just KBA.
Unix and Windows and MacOS and every computer since 1970 has relied on knowledge-based authentication, so let's cool the hyperbole.
In the nomenclature of Multi-Factor Authentication, "something you know" is one factor. So if you know a password and you have a hardware token, that's 2 factors and combining different types is the key to MFA.
Many "knowledge based authentication" tries to string together "things you know" without a different type, and that's a weakness.
However, it can be strengthened through various techniques. If a human is authenticating you in real-time, they may choose a factoid that an impostor is unlikely to know which may be agreed in advance. For example, the security questions combined with other challenges, or a "curve ball" that may elicit a stutter, pause, or prevarication. This is a dynamic method that bob refers to.
In fact, knowledge-based quizzes are used routinely by credit reporting agencies -- the big ones like Experian. And they've been presented by background check services, too. They work like this: they scrape your credit reports and public records in a deep dive for your old addresses, employers, contact info, a whole smorgasbord of stuff. Maybe attackers know some of it. But it's multiple choice: "which of these did you live at? None of the above? All of them?" "Which one of these wasn't your employer?" And the attacker would need to have the same list of public records, and also know the wrong answers! Knowing the wrong answers is the "curve ball" here! How many attackers know that I didn't work for Acme, Inc, and I never lived in San Antonio?
It's also worth pointing out that I've opened at least 3 bank accounts without setting foot in a bank. Even if yours is brick-and-mortar, they probably have a flow on their website for account creation and funding. It is not difficult to satisfy their ID requirements. If they glitch, then you're just flagged a bit, and you follow up as instructed. I've also authenticated identity to the federal government agencies, and accessed several DMV services, using only the apps and websites.
People may feel reticent about establishing their identity online, but isn't it better that you do it first before someone else does? If your identity is known and registered and builds up data points that correspond to you, aren't you less likely to be a victim of fraud or identity theft when things don't add up?
Remind me again, why do people need government approved ids to access discord in the first place? Everyone in this thread is solutioning how we could make government ids work, but no one seems to be asking if that’s a good idea.
you put a flickering light, pwm creating artifacts in the video and have it apologize for it, to hopefully break some watermarks. my led light started acting up since yesterday, i have no other bulb.
You require a human to identity proof in real life and bind that to a digital identity with a strong authenticator. Anti fraud detection systems can suspend or ban if evasion attempts are detected. Perfect is not the target, it doesn’t have to be.
See: Login.gov (USPS offline proofing) and other national identity systems.
>You require a human to identity proof in real life and bind that to a digital identity
That's going to be a no from me, dawg. I'm sympathetic to ID checks like if you're buying beer or whatever, but not linking my real life identity to discord or whatever.
There are laws, but in many countries they are not strictly enforced. In Japan, buying beer in the self checkout lane will just give you an “are you over 20?” prompt, no verification: https://news.ycombinator.com/item?id=46227987
I don't know how it works where you live, but in many jurisdictions around the world (including the one I live in), you have to provide ID to prove that you're of drinking age.
Which is by nature transient. There are many more and quite dangerous strings attached to doing this online. You never know if all parties involved in the verification are trustworthy.
Actually, there are many ways. For example they change colors on your screen and check in real time how it reflects on your face, eyes, etc. Very hard for a model to be trained to respond this quickly to what's on the screen.
They also have you move your head in multiple directions.
You could always generate a random face model with real time rendering with enough details to trick any AI detector (or even human) and then you can do real time animation to orders or screen light tricks. You could also simply use some face filter on your face and these ones are really convincing these days (like on Snapchat and such).
It would be interesting to see a model completely indistinguishable from a real human in behavior, as well as real-time reflection off different surfaces, etc.
The next step would be to make a complete digital clone of a person based on surreptitiously recording them with hidden cameras. I doubt it's possible.
The pieces are there. If you're not modifying everything in the image all the time, there's no reason to run it through a visual model. Generate it once (we have it), transform into textured 3d model (we have it), animate and map to movements with vtuber software (we have it). Adding screen colour reflection is trivial. We just need a pipeline for this.
We had facerig for over a decade now. Facefilter recently. It's not hard anymore.
This is doable using high end stuff like Runway with a draft quality.
Your better bet would be to generate a face as an image and then you can easily generate that same face in different expected poses and conditions. You can then use existing models where you get to select the starting image and the ending image. Add some filters and noise to just make it look like normal crappy low light camera.
As for the color that's another expected condition and can be overlayed or pre-generated.
Persona is the same company oftentimes used for the "show your ID to get in the bar and also we'll data harvest you... and share your data with various people if asked". Go ahead and google search on them for more insight.
Highly recommend wrapping the code to drop into the console in a immediately-invoked function expression; as it stands, it doesn't work in macOS Safari without an IIFE because top-level await is not supported in any version of Safari yet https://caniuse.com/wf-top-level-await.
Worked for me as well. Hopefully my account of 11+ years isn't penalized because of this. Not like it matters because I'll quit anyways if forced to send my face or ID.
You probably won't even have to validate then. I guess they can safely assume that you didn't create your account when you were 7 years or younger. They said they expect 80% of users or so to be auto-verified by some other means (account age, typing statistics, whatever)
I don't understand why (mostly) young people put so much effort into remaining customers of a service that is actively hostile against them and that they do not like. Does the convenience of remaining on a service you don't like the management of outweigh the mild effort to find an alternative solution?
> the mild effort to find an alternative solution?
Calling it a "mild effort" assumes skills that older generations took for granted but many young people seem to have been actively trained out of. We're past the era where I take for granted that aspiring programmers need to have the basics of a terminal or shell explained to them, into one where they might need an explanation for the basics of a file system and paths. I wouldn't be surprised to hear that hardly any of them could touch-type, either. (I wonder what the speed record is for cell phone text input...)
Yes, they can query a search engine (kind of) or, I guess nowadays, ask ChatGPT. But there's going to be more to setting up an alternative than that. And they need to have the idea that an alternative might exist. (After all, they're asking ChatGPT, not some alternative offering from a company that provides alternatives to Google services....)
I don't think it's beyond their comprehension to ask: "how can I have a chat system that I personally control?" The rest will be taken care of.
Look at the Amnezia VPN. It's an app that helps you buy a VPS from a range of cloud provides, then sets it up, completely from the phone, as an exit node under user control.
I don't see why a chat server cannot be set up and managed this way. It only takes one dedicated developer to produce.
Even considering that one can personally control their own chat service is already a pretty big leap in technical knowledge. Many, many average users don't even know that's an option, nevermind how it's even done.
Now we're having an event when networks would be shedding kids en masse, all at approximately the same time. It the best possible time for switching, when clinging to the old discord / snapchat / other centralized blackbox becomes hard or impossible.
You’re ignoring the obvious reason, aside from the network effect: there are no alternative solutions. Some people are building Discord alternatives but they are far from production-ready, often lacking critical features (e.g. Matrix not being able to delete rooms, or still having trouble with decrypting messages). It is simply the case at this point in time that Discord is factually the least bad option for many many use cases.
I don't control most of the discord communities I'm in. Some have been going a long time, and every platform migration sheds and shreds members. The 'mild effort' to move an old community to a new platform more often than not killed the community
> and every platform migration sheds and shreds members.
What's the problem? You're filtering out people who don't really care about participation in whatever group or society is there. People who want to participate will move to an acceptable service and those who feel that is too much effort probably weren't participating much (if at all) anyway - in that case the only difference is the visible list of people with accounts going down, not the actual "users".
The people will just recreate the same community on the same platform without you as the owner. They don’t care about you running it.
It’s also a futile effort since age checks for adult content is becoming the law around the world so soon any platform you move to will have the same checks.
I disagree with this sentiment. It is entirely possible that there will be people who are regulars on one platform who are just unable (actually unable or perceives themselves unable) to migrate and the morale lost from losing their regulars is huge. Or a subset who insist on staying, forming their own sub-community, and neither the migrating group nor the people who insist on staying produce enough engagement for the members and so the community as a whole fizzles out. This is all squishiness. There is a reason why deplatforming appears to work in reducing the effectiveness of political groups, even if the people who remain in the community post-deplatforming are hardened in their loyalty to the political policy of the group.
>You're filtering out people who don't really care about participation in whatever group or society is there.
You underestimate how many people would rather do nothing than be inconvenienced, sadly. If you're not the personality that the community is rotating around, you'll find the migration pretty lonely.
Heck, even esablished personalities can only do so much. Remember that Microsoft paid top Twitch streamers 10s of milllions to move to Mixer for exclusive streaming. Even that wasn't enough to give a leg up.
Why do middle aged people still use Facebook marketplace rather than another platform? Because even if you put in the effort to use something different, you’ll be the only one there.
The effort to coordinate everyone to move at the same time is bordering on impossible.
Most people don’t really care that their privacy is violated, at least not any more than a superficial “oh well it’s obvious they’re doing that, but what can you do about it!”, no point switching platform if there’s no one there to talk to.
When I was a kid, we'd host the pics we want to post on forums on geocities and rename the file extensions to .txt to get past its "no hotlinking images" policy. So it's not like much has changed.
There are a lot of barriers between kids and better solutions, one of which is that anything needs a domain and a server, and that means a credit card.
The network effect as seen in the other comments plays a big part, but also discord offers a useful service that really nobody else does well. there's a lot wrong with it but you can still create a community in a few clicks and you have text messages, photos, videos, gifs, voice chats, screenshare, a comprehensive permission/role system, tons of bots.. all for free and without needing to be too tech savvy, that's pretty damn cool.
No other chat platform has as many seamless features and such a big userbase. The friction of verifying the identity for a random person that doesn't care about privacy is not really a big deal compared to the downgrade that migrating to another platform would be.
I think for a lot of people (me included) Discord isn't just a chat service like WhatsApp but more of a "home base" where you can hang out with all your friends, make new friends, share media, chat, play games together, stream games to each other, etc.
In the gaming sphere it's so universally used that all the friends you've ever made while gaming are on it, as well as all your chat history, and the entire history of whatever server you met them on. And if you want to make new friends, say to play a particular game, it's incredibly easy to find the official game server and start talking to people and forming lobbies with them.
My main friend group in particular has a server that we've had running since we were teenagers (all in our mid-20s now) which is a central place for all of the conversations we've ever had, all of the pictures we've ever sent each other, all the videos we've ever shared, and so on. That's something I search back through frequently looking for stuff we talked about years ago.
So I'm not saying it's impossible to move, but understand that it would require:
- Intentionally separating from the entire gaming sphere, making it so, so much harder to make new friends or talk to people.
- Getting every single one of your friends that you play games with to agree to downloading and signing up for this new service (in my case that would be approx. a dozen people)
- Accepting that this huge repository of history will be wiped out when moving to the new service (I suppose you could always log back in and scroll through it, but it's at least _harder_ to access, and is separated from all your new history)
On top of this, every time I've looked for capable alternatives to Discord I've come up empty-handed. Nothing else, as far as I can tell supports free servers, the ability to be in multiple servers, text chat divided into separate channels, optional threaded communication, voice chat joinable at any time with customizable audio setup (voice gate, push-to-talk, etc), game streaming from the voice chat at any time, and some "friend" system so that DMs and private calls can be made with each other. And even if I found one, then again I can't express enough that in the gaming sphere effectively _zero_ people use it or even know what it is.
Anyways, I'm not saying that nothing could make me abandon Discord, I'm just saying that doing so is a tremendous effort, and the result at the end will be a significantly worse online social life. So not a mild inconvienence.
Getting everyone to switch away from Discord has been hard because getting everyone to spontaneously switch with no clear benefit hasn't worked. They want to just keep using the app and get back into a game with their friend.
It's different to lock a door and task users with getting the key to come back in. This is more similar to an MMORPG that kills their audience because they cause the core group to stop playing and then all of the other players experiences get worse, which causes a downward trend that avalanches.
> getting everyone to spontaneously switch with no clear benefit hasn't worked
Somehow Discord pulled it off. It really didn't have much of an edge over the other chat apps at launch, just was slightly easier to use because it was simpler. A new site launching now could easily have that over Discord.
>remaining customers of a service that is actively hostile against them
because that's not how they view it. For most Gen Z users and younger their digital identity already is their identity and they have no problem verifying it because the idea of being anonymous on a social network defeats the purpose of being there in the first place.
Universalising any group is dangerous, but this isn't true for even the least informed young people I know.
They grew up being watched. They know what these data harvesting operations are and how dangerous this is. They've got front row seats to the dystopia. The difference is that they can't / couldn't do anything about it.
They think the world is broken and that you broke it. They're pissed off. And powerless. Not a good combination
Even McKinsey is now reporting on it,
Some Gen Zers push back on a lack of privacy, creating online subcultures that fantasize about anonymity: the pastoral “cottagecore” aesthetic, inspired by tiny cabins and homegrown greens, was one of Gen Z’s first major trends.
Some opt out; the New York Times recently reported on a group of self-described Luddite teens who found community by kicking smart devices in favor of the humble flip phone.
Even if you don’t go that far, many young people are veering away from “everyone knows everything” social media to curate a close group of friends and carefully monitor how much they put online.
sorry but the source for the wave of discontent is... a new york times op-ed on kids with flip phones? How many of them are there? I think universalizing is appropriate because unlike previous generations there isn't even a meaningful counter-culture. Even the luddites in all likelihood get more traction as a story on Instagram than the actual thing, where do you think they go to get their cottage core fix? I haven't seen a resurgence in self-hosted blogs. The sentence "cottage core is a major trend" is in itself hilarious. Where was it trending?
Looking at the numbers that TikTok or Meta are doing I think you can unequivocally say that the vast majority of young people do not care, at all, the 'luddite teen' is the digital version of, and about as real, as the Gen Z 'trad wife'.
If you're going to a CCC event you're much more likely to see resistance in the form of someone like Cory Doctorow, an actually angry middle aged guy who to my knowledge has not converted to flip phone cottage core to stick it to the man.
Nothing more "adversarial" than continuing to allow a service to leach on whatever information you're giving to it despite it kicking you in the face at every opportunity.
Well, it’s a clever idea. Discord seems to have intentionally softened its age-verification steps so it can tell regulators, “we’re doing something to protect children,” while still leaving enough wiggle room that technically savvy users can work around it.
But in practice, this only holds if regulators are either inattentive or satisfied with checkbox compliance. If a government is competent and motivated, this approach won’t hold up—and it may even antagonize regulators by looking like bad-faith compliance.
I’ve also heard that some governments are already pushing for much stricter age-verification protocols, precisely because people can bypass weaker checks—for example, by using a webcam with partial face covering to confuse ID/face matching. I can’t name specific vendors, but some providers are responding by deploying stronger liveness checks that are significantly harder to game. And many services are moving age verification into mobile apps, where simple JavaScript-based tricks are less likely to work.
the cat-and-mouse game of digital age verification is such a massive compliance headache. if these guards are this easy to bypass the platforms are basically just checking a box to satisfy regulators while leaving the actual liability wide open. it’s hard to underwrite trust when the verification layer is this brittle.
It seems unlikely that "is user adult" is not already easily modeled by any of these companies to within a very high degree of confidence. Even 15 or 20 years ago Google search could bracket your age pretty effectively. It doesn't seem like this adds metadata that wasn't already there.
Except that in the legal sense, "is user adult" flips from false to true overnight, and there isn't an easy way to account for that in any model that doesn't include verified ID. Same reason many liquor stores ID anyone who looks younger than 40.
It was never going to be perfect. I suspect the goal with things like these is to add additional friction to the process, to make it much harder for the general population to bypass them.
I suspected something along these lines was possible when I looked at this provider a couple months ago.
If I recall, I had a fairly decent view of their various checks because it was delivered completely unminified, including a couple amusing sections and unimplemented features. (A gesture detector with the middle finger gesture in the enumerable commented out, for example...)
Another attack vector that I speculated upon was intercepting and replacing their tflite model with ones own, returning whatever results required.
Additionally, I believe they had a check for virtual camera names in place, as checks would quietly fail with a generic message in the interface, but show the reason as being virtual camera within responses. (Camera names are mutable though, so...)
The comments so far assume that Discord / Twitch / Snapchat don't care as entities that people will start bypassing their age verification systems. I believe the rank-and-file think that's the case. I think even the engineers and PMs think that's the case. But that's not the game.
There are many ways in which such a system could be implemented. They could have asked people to use a credit card. Adult entertainment services have been using this as a way to do tacit age verification for a very long time now. Or, they could have made a new zero-knowledge proof system. Or, ideally, they could have told the authorities to get bent.
Tech is hardly the first industry to face significant (justifiable or unjustifiable) government backlash. I am hesitant to use them as examples as they're a net harm, whereas this is about preventing a societal net harm, but the fossil fuel and tobacco industries fought their governments for decades and straight up changed the political system to suit them.
FAANG are richer than they ever were. Even Discord can raise more and deploy more capital than most of the tobacco industry at the time. It's also a righteous cause. A cause most people can get behind (see: privacy as a selling point for Apple and the backlash to Ring). But they're not fighting this. They're leaning into it.
Let's take a look at what they're asking from people for a second, the face scan,
If you choose Facial Age Estimation, you’ll be prompted to record a short video selfie of your face. The Facial Age Estimation technology runs entirely on your device in real time when you are performing the verification. That means that facial scans never leave your device, and Discord and vendors never receive it. We only get your age group.
Their specific ask is to try and get depth data by moving the phone back and forth. This is not just "take a selfie" – they're getting the user to move the device laterally to extract facial structure. The "face scan" (how is that defined??) never leaves the device, but that doesn't mean the biometric data isn't extracted and sent to their third-party supplier, k-Id. From the article,
k-id, the age verification provider discord uses doesn't store or send your face to the server. instead, it sends a bunch of metadata about your face and general process details.
The author assumes that "this [approach] is good for your privacy." It's not. If you give me the depth data for a face, you've given me the fingerprint for that face. A machine doesn't need pictures; "a bunch of metadata" will do just fine.
Discord is also doing profiling along vectors (presumably behavioral and demographic features) which the author describes as,
after some trial and error, we narrowed the checked part to the prediction arrays, which are outputs, primaryOutputs and raws.
turns out, both outputs and primaryOutputs are generated from raws. basically, the raw numbers are mapped to age outputs, and then the outliers get removed with z-score (once for primaryOutputs and twice for outputs).
Discord plugs into games and allows people to share what they're doing with their friends. For example, Discord can automatically share which song a user is listening on Spotify with their friends (who can join in), the game they're playing, whether they're streaming on Twitch etc. In general, Discord seems to have fairly reliable data about the other applications the user is running. Discord also has data about your voice (which they say they may store) and now your face.
Is some or all of this data being turned into features that are being fed to this third-party k-ID? https://www.k-id.com/
k-ID is (at first glance) extracting fairly similar data from Snapchat, Twitch etc. With ID documents added into the mix, this certainly seems like a very interesting global profiling dataset backstopped with government documentation as ground truth. :)
You're assuming discord or twitch actually care. I doubt they actually do. It's there to preempt the regulatory hammer, and the presence of clunky workarounds like this doesn't affect it if it doesn't reach the mainstream. If it does, they can just patch it.
Age verification itself isn't such a bad thing. I feel most people are more angry about having to verify their actual identity. Every ad provider knows your address and complete identity every time you log into anything though. I guess its the illusion of anonymity that's so popular.
Is this not easily patched by the provider encrypting and signing the whole payload? I would have thought that would be table stakes for an identity provider.
This is just an ideological / political reaction. It's not that big of a deal.
Just comply. You wouldn't fight if a policeman told you to assume the position (some people did that when it was first implemented and they eventually gave in).
The real and robust method will be generating artificial video input instead of the real webcam. I really don’t think any platform will be able to counter this. If they start requiring to use a phone with harder to spoof camera input, you will simply be able to put the camera in front of a high resolution screen. The cat and mouse game will not last long.
> I really don’t think any platform will be able to counter this.
Do platforms want to counter it?
Seems to me with an unreliable video selfie age verification:
* Reasonable people with common sense don't need to upload scans of their driving licenses and passports
* The platform gets to retain users without too much hassle
* Porn site users are forced to create accounts; this enables tracking, boosting ad revenue and growth numbers.
* Politicians get to announce that they have introduced age controls.
* People who claimed age checks wouldn't invade people's privacy don't get proven wrong
* Teens can sidestep the age checks and retain their access; teens trying to hide their porn from their parents is an age-old tradition.
* Parents don't see their teens accessing porn. They feel reassured without having to have any awkward conversations or figure out any baffling smartphone parental controls.
Everyone wins.
It depends. If the law says "you must perform such-and-such steps to verify age" then no, they don't care if you can counter it. If the law says "you must use an approach that is at least x% effective" then yes they do care if enough people counter it.
We already had a half-assed solution, where websites would require you to press the button that says "I am over 18". Clearly somebody decided that wasn't good enough. That person is not going to stop until good enough is achieved.
Until somebody (likely a politician or anti-porn advocacy group) decides to poke the bear and ruin it
Don't Windows Hello camera devices have some kind of hardware attestation? I'm sure verification schemes like this will eventually go down that path soon.
My guess is that's probably one of the reasons Google tried to push for Play Store only apps, provide a measurable/verifiable software chain for stuff like this.
That the camera is real doesn't imply the thing it's viewing is real.
You're not wrong, but I have had to do video verification over a phone once, and it seemed quite advanced. It would flash through a number of colors and settings and take probably 30 frames of you. I presume they're checking for "this came from a screen and not a human", but of course I have no idea how it works, so I don't know if it's truly sophisticated or not.
As I understand it, 'Windows Hello' requires a near-IR image alongside the RGB image.
It's not the fancy structured light of phone-style Face ID, but it still protects against the more common ways of fooling biometrics, like holding up a photo or wearing a simple paper mask.
Fair enough. That removes the virtual option, and you'll be forced to point the camera at your older brother.
Windows Hello cameras are all "depth" cameras so a flat photo won't pass muster.
Two flat images, one for each of the sensor's camera
That’s not how they work. They emit structured light in the form of an array of infrared dots and they measure the time of flight to where the dots strike something.
Maybe new ones are different but that’s how they used to be. Little Kinect devices, really, for sensing faces instead of whole people.
Yes they do. Part of the reason why you can't use certain webcams that are Windows Hello compatible (I.e. with IR) in recent versions of Windows.
They already support ID checks as an alternative to face scanning, if the latter proves to be untenable then it's literally a case of flipping a switch to mandate ID instead.
The long term solution would have to be some kind of integration with a government platform where the platform doesn’t see your ID and the government doesn’t see what you are signing up for.
I don’t this will happen in the US but I can see it in more privacy responding countries.
Apple and Google may also add some kind of “child flag” parents can enable which tells websites and apps this user is a child and all age checks should immediately fail.
I do like the idea of the “this is a child” taint (ok, terrible name but I really think it should be a near-unremovable thing on a platform like Apple’s that’s so locked down/crypto signed etc).
Like, you’d enroll it by adding a DOB and the computer/phone/etc would just intentionally fail all compatible age checks until that date is 18 years in the past. To remove it (e.g. reuse a device for a non-child), an adult would need to show ID in person at Apple.
Government IDs could be used to do completely privacy preserving, basically OpenID Connect but with no identifying property, just an “isEighteenOrMore” property. However, i agree it’ll never happen in the US because “regular” people still don’t know how identity providers can attest without identifying, and thus would never agree to use their government ID to sign into a pornsite. And on top of all that yeah nobody trusts the government, basically in either party, so they’d be convinced the government was secretly keeping a record of which porn sites they use. Which to be fair is not entirely unlikely. Heck, they’d probably even do it by incompetence via logs or something and then have people get blackmailed!
When I played an MMOG, if the admins found out that a child was underage, it was customary for them to suspend their account until their 13th birthday. I thought this was a clever policy, but I just can't understand the reverse of authenticating someone's age based on that of their account...
> where the platform doesn’t see your ID
ID checks aren't very worthwhile if anyone can use any ID with no consequences.
How long would it take for someone's 18 year old brother to realize they can charge everyone $10 to "verify" everyone's accounts with their ID, because it doesn't matter whose ID is used?
Ok, at which point an adult has taken responsibility for giving them access.
The older brother could also rent an R (or x) rated movie, buy cigarettes, lighters, dry ice, and give them to the kids. The point of the age check is to prevent kids from getting access without an adult in the loop, not to prevent an adult from providing kids access
The system doesn’t have to be bulletproof. It just has to be better than the free for all it is today.
Better?..
this is already how the EU infrastructure for digital ID works, basically. Using public/private keys on your national id, the government functions as a root authority that you (and other trusted verifiers downstream) can identify you with and commercial platforms only get a yes/no when you want to identify yourself but have no access to any data.
South Korea also has had various versions of this even going back to ~2004 I think.
They can't feasibly do this in the US since many people don't have drivers licenses or passports.
Don't you have to be over 18 to get a credit card in the US? How many wouldn't be able to present a CC or ID?
Age verification requires a document that can be matched to your ID, such as by the photo on your ID card.
Credit cards don't have photos.
> How many Americans wouldn't be able to present a CC or ID?
The number of Americans who don't have a government issued photo ID is estimated around 1%. The number gets larger if you start going by technicalities like having an expired ID that hasn't been renewed yet.
The intersection between the 1% of 18+ Americans who don't have an ID and those who want to fully verify their Discord accounts is probably a very small number.
Only to have your own card. You can be an authorized user on a credit card even if you're under 18.
Ah right. That's no use for verification then, unless there's a way for payment gateways to distinguish the primary user from their authorized users.
At least in Australia you absolutely can have a debit card under 18 and it’s extremely common for adults to not have a credit card.
> At least in Australia you absolutely can have a debit card under 18
Same in the UK, but Steam uses credit cards for age verification there and refuses if you provide a debit card instead. Evidently the payment backends can tell credit and debit apart.
Those without driver's licenses or passports can get a state ID card instead, if I'm not mistaken. A pain, but an option.
Yeah that’s not true. It’s a lie. And we all know why it’s a lie. Adults in the US with ID is 99%
Somehow they don’t have trouble getting an ID when they want to buy alcohol
*Citation needed
> Nearly 21 million voting-age U.S. citizens do not have a current (non-expired) driver’s license. Just under 9%, or 20.76 million people, who are U.S. citizens aged 18 or older do not have a non-expired driver’s license. Another 12% (28.6 million) have a non- expired license, but it does not have both their current address and current name. For these individuals, a mismatched address is the largest issue. Ninety-six percent of those with some discrepancy have a license that does not have their current address, 1.5% have their current address but not their current name, and just over 2% do not have their current address or current name on their license. Additionally, just over 1% of adult U.S. citizens do not have any form of government-issued photo identification, which amounts to nearly 2.6 million people.
From https://cdce.umd.edu/sites/cdce.umd.edu/files/pubs/Voter%20I...
That seems like a good citation, but it supports the 99% number above
> Additionally, just over 1% of adult U.S. citizens do not have any form of government-issued photo identification, which amounts to nearly 2.6 million people.
The rest of the statistic is about driver's licenses specifically, including technicalities like expiration dates and address changes. The online ID check for age verification don't care about the address part anyway, in my experience.
If someone has an expired drivers' license or they changed their name and haven't updated their IDs, they have bigger problems than age-verifying their Discord accounts.
My driver's license was expired for 8 years until last year. I wasn't driving so the pressure to renew it was very low.
I actually only renewed it to get medical care and because renewing the license was only a little more expensive than getting an ID-only card.
It did prevent me from using some porn sites because my state requires ID verification but many sites just ignore the requirement so I just didn't use the sites that required ID.
wat. the majority of Americans have a DL, ID, or Passport. What a silly thing to say.
For DL alone:
>Data indicates that approximately 84% to 91% of all Americans hold a driver's license, with roughly 237.7 million licensed drivers in the U.S. as of 2023.
Add in an ID and Passport and we are likely closer to 99%
Personal Identity Verification (PIV) and Common Access Card (CAC) credentials used by US government & military via NFC already work on web browsers. States should just move to digital IDs stored on smartphones, with chain of trust up through the secure element...
This is extremely dangerous, and would only work with hardware/software that is nonfree (i.e., not under the user's control, or any attestation could be spoofed).
> Personal Identity Verification (PIV) and Common Access Card (CAC) credentials used by US government & military via NFC already work on web browsers. States should just move to digital IDs stored on smartphones, with chain of trust up through the secure element...
I think you're... missing the point of the pushback. People DO NOT WANT to be identified online, for fear for different types of persecution.
ID is much easier to forge, it's just a flat 2-d shape. None of the physical security features come through in images.
In functioning states, the ID contains a chip with a private key that can be used to sign a message, and ID verification would not be an image of the ID card, but rather holding your phone's NFC reader to the card and signing a message from the site.
In Japan, there are already multiple apps which use something like this to verify user's age via the "my number card" + the smartphone's NFC reader.
It's more or less impossible to forge without stealing the government's private keys, or infiltrating the government and issuing a fraudulent card.
Of course, the US isn't a functioning state, the people don't trust it with their identity and security and would rather simply give all their information to private companies instead.
> In Japan, there are already multiple apps which use something like this to verify user's age via the "my number card" + the smartphone's NFC reader.
Does this also leak your identity to the app?
There is not a way to share just your date of birth. After providing your PIN it can read more than just your date of birth.
When I had to prove my passport for my bank over a video call they told me to rotate it around in the sunlight to show that it had the holo-whatever ink. So I wouldn't put it past them.
A call requires a human, which is inherently not scalable. And even humans have trouble distinguishing AI content these days.
And it's not like Discord actually cares. They just care about appearing like they care. Something to keep the heat off of them from regulators and angry parents.
A “video call” perhaps requires a human, but the type of test described need not be a video call. One can imagine a network trained to distinguish a fake id card from real one from a video recorded where the user is asked to move the card such that the holograph is glinting in the sunlight.
And lose every user in the process
Is there any data on what kind of hits to enrollment were taken by facebook, gmail etc when they added requirements like a phone #? Maybe it's buried in their sec filings. Anyway, this "cat and mouse" game is probably irrelevant. They're not looking for and don't need a perfect system. Bc 99% of the public couldn't care less about handing over their information.
Google does not require a phone number. They may ask for one and tell you it's for your own good, but you can skip the request.
Is there any data on what kind of hits to enrollment were taken by facebook, gmail etc when they added requirements like a phone #? Maybe it's buried in their sec filings.
I think you massively overestimate how many people actually care.
My guess is that 95% or more of all Discord users do not care and simply upload their selfie or ID card and be done with it. I know I will (although they did say that they expect 80%+ to not require verification since they can somehow infer their age from other parameters)
Those 5% are the unusual sorts that separate Discord from Facebook.
> I know I will
Are you a minority, LGBTQ+, etc or of a "different" political persuasion that might have any reason to be distrustful of the US government? If so, you probably wouldn't just "be done with it".
Most people under the driving age don’t have ID’s, at least in the US.
> The cat and mouse game will not last long.
Yes but for completely different reasons: I will not bother to play the game and stop using the platform.
you counter this by using an id verified service like login.gov or okta verify.
That's the endgame and what the EU really wants. No poasting unless they can arrest you for inconvenient memes.
Yes this is spot on. Apple & Google mobile platforms are locked down tight for this reason. Try installing okta verify on graphene OS. You cannot.
They're getting worse with attested and validated environments. This one of the reasons that google is trying to kill sideloaded apps and checking for root access.
Weird thing.. the people who want this validation fully expect for you to pay for, maintain, keep it valid, and pay for upkeep/service for their desires. Honestly, this is something that SHOULD get very aggressive pushback.. but most people accept for no reason.
Wow. The EU.
yes, avoiding EU fines and ensuring availability there is most likely the motivating factor behind the change.
They could do what a bank does and run everyone's ID through chexsystems. It's really hard to defeat this. Fake identities don't exist in the system and stolen ones would get flagged by geographic, time of use and velocity rules.
Doesn't work for places like Australia, where the social media ban applies only to under-16s. Teenagers rarely have ID, especially in countries where the minimum driving age is higher than 16 (read: most of the world outside the US).
The concept of identity doesn't necessarily have to be embodied by a piece of physical plastic that goes into a wallet.
Ad-hoc identification can occur via other means like dynamic knowledge based authentication. The sources of this mechanism can be literally anything. Social media itself being one obvious source for the target cohort.
You can walk into many US financial institutions without an ID and still get really far using KBA workflows. The back office will hassle you for a proper scan of a physical ID, but you can often get an account open and funded with just KBA.
Knowledge-based authentication is a joke - it doesn't work at all.
This basically only gets used for businesses that need a fig leaf for regulatory purposes. You know, $30 loans for uber eats and tiny loans like that.
Unix and Windows and MacOS and every computer since 1970 has relied on knowledge-based authentication, so let's cool the hyperbole.
In the nomenclature of Multi-Factor Authentication, "something you know" is one factor. So if you know a password and you have a hardware token, that's 2 factors and combining different types is the key to MFA.
Many "knowledge based authentication" tries to string together "things you know" without a different type, and that's a weakness.
However, it can be strengthened through various techniques. If a human is authenticating you in real-time, they may choose a factoid that an impostor is unlikely to know which may be agreed in advance. For example, the security questions combined with other challenges, or a "curve ball" that may elicit a stutter, pause, or prevarication. This is a dynamic method that bob refers to.
In fact, knowledge-based quizzes are used routinely by credit reporting agencies -- the big ones like Experian. And they've been presented by background check services, too. They work like this: they scrape your credit reports and public records in a deep dive for your old addresses, employers, contact info, a whole smorgasbord of stuff. Maybe attackers know some of it. But it's multiple choice: "which of these did you live at? None of the above? All of them?" "Which one of these wasn't your employer?" And the attacker would need to have the same list of public records, and also know the wrong answers! Knowing the wrong answers is the "curve ball" here! How many attackers know that I didn't work for Acme, Inc, and I never lived in San Antonio?
It's also worth pointing out that I've opened at least 3 bank accounts without setting foot in a bank. Even if yours is brick-and-mortar, they probably have a flow on their website for account creation and funding. It is not difficult to satisfy their ID requirements. If they glitch, then you're just flagged a bit, and you follow up as instructed. I've also authenticated identity to the federal government agencies, and accessed several DMV services, using only the apps and websites.
People may feel reticent about establishing their identity online, but isn't it better that you do it first before someone else does? If your identity is known and registered and builds up data points that correspond to you, aren't you less likely to be a victim of fraud or identity theft when things don't add up?
There is an easy solution to this - require a government ID, and only permit government IDs that can be verified with the state's government.
There are a lot of countries and US states where such validation is possible.
Given the state is mandating these checks, it only makes sense that the state should be responsible for making it possible to perform these checks.
Remind me again, why do people need government approved ids to access discord in the first place? Everyone in this thread is solutioning how we could make government ids work, but no one seems to be asking if that’s a good idea.
Because governments really want people to think about children with naughty stuff.
Gross.
(I'm not verifying anywhere unless required for official business. Still have my non-KYC sim for people)
Manufacturing consent at work
Alternatively, hand someone $20 and your phone and have them do the verification for you.
This is just what I did, and plan to continue to do.
You can just use a video from YouTube there are people that do it that just don't care
you put a flickering light, pwm creating artifacts in the video and have it apologize for it, to hopefully break some watermarks. my led light started acting up since yesterday, i have no other bulb.
I did this with OBS Virtual Camera for a thing in Oregon and it worked.
Death Stranding 2 photo-mode works well for this.
You require a human to identity proof in real life and bind that to a digital identity with a strong authenticator. Anti fraud detection systems can suspend or ban if evasion attempts are detected. Perfect is not the target, it doesn’t have to be.
See: Login.gov (USPS offline proofing) and other national identity systems.
(digital identity is a component of my work)
>You require a human to identity proof in real life and bind that to a digital identity
That's going to be a no from me, dawg. I'm sympathetic to ID checks like if you're buying beer or whatever, but not linking my real life identity to discord or whatever.
Not my call, it’ll be the law of the land. Some may leave, but most won’t, and that’s good enough for corporate and enterprise value purposes.
Pornhub is fighting state age verification and keeps losing state by state, for example.
You have to show ID to buy beer?
If you aren't obviously adult then yeah. Where do you live so there are no laws on selling the alcohol to children?
There are laws, but in many countries they are not strictly enforced. In Japan, buying beer in the self checkout lane will just give you an “are you over 20?” prompt, no verification: https://news.ycombinator.com/item?id=46227987
Store doesn't get to photograph your ID, share it with 548 of their advertising partners, and leak it to 7 different hacker groups.
Why should anyone inclined to want to buy beer have to show ID to do it?
I don't know how it works where you live, but in many jurisdictions around the world (including the one I live in), you have to provide ID to prove that you're of drinking age.
Because you’re required to in all 50 states to prove you’re over 21.
I don't think that's true? Rather, stores must not sell to anyone under 21. I'm almost 40 and rarely get carded these days.
Which is by nature transient. There are many more and quite dangerous strings attached to doing this online. You never know if all parties involved in the verification are trustworthy.
Actually, there are many ways. For example they change colors on your screen and check in real time how it reflects on your face, eyes, etc. Very hard for a model to be trained to respond this quickly to what's on the screen.
They also have you move your head in multiple directions.
You could always generate a random face model with real time rendering with enough details to trick any AI detector (or even human) and then you can do real time animation to orders or screen light tricks. You could also simply use some face filter on your face and these ones are really convincing these days (like on Snapchat and such).
Show me such a model.
It would be interesting to see a model completely indistinguishable from a real human in behavior, as well as real-time reflection off different surfaces, etc.
The next step would be to make a complete digital clone of a person based on surreptitiously recording them with hidden cameras. I doubt it's possible.
The pieces are there. If you're not modifying everything in the image all the time, there's no reason to run it through a visual model. Generate it once (we have it), transform into textured 3d model (we have it), animate and map to movements with vtuber software (we have it). Adding screen colour reflection is trivial. We just need a pipeline for this.
We had facerig for over a decade now. Facefilter recently. It's not hard anymore.
This is doable using high end stuff like Runway with a draft quality.
Your better bet would be to generate a face as an image and then you can easily generate that same face in different expected poses and conditions. You can then use existing models where you get to select the starting image and the ending image. Add some filters and noise to just make it look like normal crappy low light camera.
As for the color that's another expected condition and can be overlayed or pre-generated.
Hm, when attempting it I get redirected to https://age-verifier.kibty.town/webview?url=null, which says:
{"error":"error parsing webview url"}
Edit: Apparently my discord account is in some kind of A/B feature test that uses a different verification provider, Persona
Persona is the same company oftentimes used for the "show your ID to get in the bar and also we'll data harvest you... and share your data with various people if asked". Go ahead and google search on them for more insight.
https://x.com/xyz3va/status/2021734252505604108
Hopefully your comment gets pushed to the top. Would like the security guys from the blog to see it.
It only works because the other provider has a more private implementation compounded with bad security.
Highly recommend wrapping the code to drop into the console in a immediately-invoked function expression; as it stands, it doesn't work in macOS Safari without an IIFE because top-level await is not supported in any version of Safari yet https://caniuse.com/wf-top-level-await.
Recent and related:
Discord will require a face scan or ID for full access next month - https://news.ycombinator.com/item?id=46945663 - Feb 2026 (1999 comments)
Discord Alternatives, Ranked - https://news.ycombinator.com/item?id=46949564 - Feb 2026 (456 comments)
Discord faces backlash over age checks after data breach exposed 70k IDs - https://news.ycombinator.com/item?id=46951999 - Feb 2026 (21 comments)
It does appear to work. I received a message from Discord saying "We determined you're in the adult group. <learn more>"
narrator> And that's when he discovers his account has now been hacked...
;)
Worked for me as well. Hopefully my account of 11+ years isn't penalized because of this. Not like it matters because I'll quit anyways if forced to send my face or ID.
You probably won't even have to validate then. I guess they can safely assume that you didn't create your account when you were 7 years or younger. They said they expect 80% of users or so to be auto-verified by some other means (account age, typing statistics, whatever)
Unfortunately I wouldn’t be so sure that there aren’t any 7 year old Discord users
My account is almost a decade old and discord is still asking me to complete age verification.
Are they rolling this out in stages? I haven't been asked to prove the age of my account.
I'm in the UK (where the law allows them to use heuristics).
So VPN to the UK?
What?
Wonderful. Hopefully I'm not retroactively banned for things I said when I was fourteen on servers long gone.
This isn't as fun as using the g-man from half life to verify
i changed the password later just to be sure.
I don't understand why (mostly) young people put so much effort into remaining customers of a service that is actively hostile against them and that they do not like. Does the convenience of remaining on a service you don't like the management of outweigh the mild effort to find an alternative solution?
> the mild effort to find an alternative solution?
Calling it a "mild effort" assumes skills that older generations took for granted but many young people seem to have been actively trained out of. We're past the era where I take for granted that aspiring programmers need to have the basics of a terminal or shell explained to them, into one where they might need an explanation for the basics of a file system and paths. I wouldn't be surprised to hear that hardly any of them could touch-type, either. (I wonder what the speed record is for cell phone text input...)
Yes, they can query a search engine (kind of) or, I guess nowadays, ask ChatGPT. But there's going to be more to setting up an alternative than that. And they need to have the idea that an alternative might exist. (After all, they're asking ChatGPT, not some alternative offering from a company that provides alternatives to Google services....)
I don't think it's beyond their comprehension to ask: "how can I have a chat system that I personally control?" The rest will be taken care of.
Look at the Amnezia VPN. It's an app that helps you buy a VPS from a range of cloud provides, then sets it up, completely from the phone, as an exit node under user control.
I don't see why a chat server cannot be set up and managed this way. It only takes one dedicated developer to produce.
Even considering that one can personally control their own chat service is already a pretty big leap in technical knowledge. Many, many average users don't even know that's an option, nevermind how it's even done.
>The rest will be taken care of.
by a system with a incentive to keep them in centralized black boxes, yes.
>The rest will be taken care of.
It's never the tech hat's hard, but the networks. If people were able to just jump on a whim a lot of dynamics of modern corruption would fall apart.
Now we're having an event when networks would be shedding kids en masse, all at approximately the same time. It the best possible time for switching, when clinging to the old discord / snapchat / other centralized blackbox becomes hard or impossible.
You’re ignoring the obvious reason, aside from the network effect: there are no alternative solutions. Some people are building Discord alternatives but they are far from production-ready, often lacking critical features (e.g. Matrix not being able to delete rooms, or still having trouble with decrypting messages). It is simply the case at this point in time that Discord is factually the least bad option for many many use cases.
> I don't understand why (mostly) young people put so much effort into remaining customers of a service that is actively hostile against them
The Network Effect.
That's it. Their friends are there so they're there.
I don't control most of the discord communities I'm in. Some have been going a long time, and every platform migration sheds and shreds members. The 'mild effort' to move an old community to a new platform more often than not killed the community
> and every platform migration sheds and shreds members.
What's the problem? You're filtering out people who don't really care about participation in whatever group or society is there. People who want to participate will move to an acceptable service and those who feel that is too much effort probably weren't participating much (if at all) anyway - in that case the only difference is the visible list of people with accounts going down, not the actual "users".
In most cases, I would like to speak with those people and would miss them if I lost regular contact because they didn't want to change platforms.
Most people just care about being able to talk to each other, not their devotion to some "group or society".
The people will just recreate the same community on the same platform without you as the owner. They don’t care about you running it.
It’s also a futile effort since age checks for adult content is becoming the law around the world so soon any platform you move to will have the same checks.
I disagree with this sentiment. It is entirely possible that there will be people who are regulars on one platform who are just unable (actually unable or perceives themselves unable) to migrate and the morale lost from losing their regulars is huge. Or a subset who insist on staying, forming their own sub-community, and neither the migrating group nor the people who insist on staying produce enough engagement for the members and so the community as a whole fizzles out. This is all squishiness. There is a reason why deplatforming appears to work in reducing the effectiveness of political groups, even if the people who remain in the community post-deplatforming are hardened in their loyalty to the political policy of the group.
>You're filtering out people who don't really care about participation in whatever group or society is there.
You underestimate how many people would rather do nothing than be inconvenienced, sadly. If you're not the personality that the community is rotating around, you'll find the migration pretty lonely.
Heck, even esablished personalities can only do so much. Remember that Microsoft paid top Twitch streamers 10s of milllions to move to Mixer for exclusive streaming. Even that wasn't enough to give a leg up.
Why do middle aged people still use Facebook marketplace rather than another platform? Because even if you put in the effort to use something different, you’ll be the only one there.
The effort to coordinate everyone to move at the same time is bordering on impossible.
First mover advantage with network effects
I'm the first and only one of my friend group on my IRC server. It's an elite claim, I know.
Exactly. And discord is _the_ platform for others.
Most people don’t really care that their privacy is violated, at least not any more than a superficial “oh well it’s obvious they’re doing that, but what can you do about it!”, no point switching platform if there’s no one there to talk to.
When I was a kid, we'd host the pics we want to post on forums on geocities and rename the file extensions to .txt to get past its "no hotlinking images" policy. So it's not like much has changed.
There are a lot of barriers between kids and better solutions, one of which is that anything needs a domain and a server, and that means a credit card.
The network effect as seen in the other comments plays a big part, but also discord offers a useful service that really nobody else does well. there's a lot wrong with it but you can still create a community in a few clicks and you have text messages, photos, videos, gifs, voice chats, screenshare, a comprehensive permission/role system, tons of bots.. all for free and without needing to be too tech savvy, that's pretty damn cool.
No other chat platform has as many seamless features and such a big userbase. The friction of verifying the identity for a random person that doesn't care about privacy is not really a big deal compared to the downgrade that migrating to another platform would be.
I think for a lot of people (me included) Discord isn't just a chat service like WhatsApp but more of a "home base" where you can hang out with all your friends, make new friends, share media, chat, play games together, stream games to each other, etc.
In the gaming sphere it's so universally used that all the friends you've ever made while gaming are on it, as well as all your chat history, and the entire history of whatever server you met them on. And if you want to make new friends, say to play a particular game, it's incredibly easy to find the official game server and start talking to people and forming lobbies with them.
My main friend group in particular has a server that we've had running since we were teenagers (all in our mid-20s now) which is a central place for all of the conversations we've ever had, all of the pictures we've ever sent each other, all the videos we've ever shared, and so on. That's something I search back through frequently looking for stuff we talked about years ago.
So I'm not saying it's impossible to move, but understand that it would require:
- Intentionally separating from the entire gaming sphere, making it so, so much harder to make new friends or talk to people. - Getting every single one of your friends that you play games with to agree to downloading and signing up for this new service (in my case that would be approx. a dozen people) - Accepting that this huge repository of history will be wiped out when moving to the new service (I suppose you could always log back in and scroll through it, but it's at least _harder_ to access, and is separated from all your new history)
On top of this, every time I've looked for capable alternatives to Discord I've come up empty-handed. Nothing else, as far as I can tell supports free servers, the ability to be in multiple servers, text chat divided into separate channels, optional threaded communication, voice chat joinable at any time with customizable audio setup (voice gate, push-to-talk, etc), game streaming from the voice chat at any time, and some "friend" system so that DMs and private calls can be made with each other. And even if I found one, then again I can't express enough that in the gaming sphere effectively _zero_ people use it or even know what it is.
Anyways, I'm not saying that nothing could make me abandon Discord, I'm just saying that doing so is a tremendous effort, and the result at the end will be a significantly worse online social life. So not a mild inconvienence.
Because they are used to follow limitations since the day they were born, and have all the time in the world
> remaining customers of a service that is actively hostile against them and that they do not like
And yet here we all are, still in an uproar every time GitHub goes down. Change is slow, we can't all leave GitHub in a day. Same with Discord users.
I think the Discord situation is a bit different.
Getting everyone to switch away from Discord has been hard because getting everyone to spontaneously switch with no clear benefit hasn't worked. They want to just keep using the app and get back into a game with their friend.
It's different to lock a door and task users with getting the key to come back in. This is more similar to an MMORPG that kills their audience because they cause the core group to stop playing and then all of the other players experiences get worse, which causes a downward trend that avalanches.
> getting everyone to spontaneously switch with no clear benefit hasn't worked
Somehow Discord pulled it off. It really didn't have much of an edge over the other chat apps at launch, just was slightly easier to use because it was simpler. A new site launching now could easily have that over Discord.
>remaining customers of a service that is actively hostile against them
because that's not how they view it. For most Gen Z users and younger their digital identity already is their identity and they have no problem verifying it because the idea of being anonymous on a social network defeats the purpose of being there in the first place.
Universalising any group is dangerous, but this isn't true for even the least informed young people I know.
They grew up being watched. They know what these data harvesting operations are and how dangerous this is. They've got front row seats to the dystopia. The difference is that they can't / couldn't do anything about it.
They think the world is broken and that you broke it. They're pissed off. And powerless. Not a good combination
Even McKinsey is now reporting on it,
https://www.mckinsey.com/~/media/mckinsey/email/genz/2023/01...sorry but the source for the wave of discontent is... a new york times op-ed on kids with flip phones? How many of them are there? I think universalizing is appropriate because unlike previous generations there isn't even a meaningful counter-culture. Even the luddites in all likelihood get more traction as a story on Instagram than the actual thing, where do you think they go to get their cottage core fix? I haven't seen a resurgence in self-hosted blogs. The sentence "cottage core is a major trend" is in itself hilarious. Where was it trending?
Looking at the numbers that TikTok or Meta are doing I think you can unequivocally say that the vast majority of young people do not care, at all, the 'luddite teen' is the digital version of, and about as real, as the Gen Z 'trad wife'.
If you're going to a CCC event you're much more likely to see resistance in the form of someone like Cory Doctorow, an actually angry middle aged guy who to my knowledge has not converted to flip phone cottage core to stick it to the man.
I'm more than ready to leave if push really comes to shove. Wouldn't be the first time.
From experience, I know if I leave that few of my friends will follow. So I understand the resistance.
I mean, it's called a social network
I am sure that is part of the appeal to the developing mind, the adversarial nature.
Nothing more "adversarial" than continuing to allow a service to leach on whatever information you're giving to it despite it kicking you in the face at every opportunity.
Key word is developing
Well, it’s a clever idea. Discord seems to have intentionally softened its age-verification steps so it can tell regulators, “we’re doing something to protect children,” while still leaving enough wiggle room that technically savvy users can work around it.
But in practice, this only holds if regulators are either inattentive or satisfied with checkbox compliance. If a government is competent and motivated, this approach won’t hold up—and it may even antagonize regulators by looking like bad-faith compliance.
I’ve also heard that some governments are already pushing for much stricter age-verification protocols, precisely because people can bypass weaker checks—for example, by using a webcam with partial face covering to confuse ID/face matching. I can’t name specific vendors, but some providers are responding by deploying stronger liveness checks that are significantly harder to game. And many services are moving age verification into mobile apps, where simple JavaScript-based tricks are less likely to work.
On Discord, I got the captcha, but then after it redirected, I got a page saying:
I'm very much an adult, this whole thing is ridiculous. Ban me, I don't care.I got this, but then refreshing that page made it work for me
The text with the code shows another step.
I tried it a couple more times, and it worked on the third try and showed me the green successfully verified message.
the cat-and-mouse game of digital age verification is such a massive compliance headache. if these guards are this easy to bypass the platforms are basically just checking a box to satisfy regulators while leaving the actual liability wide open. it’s hard to underwrite trust when the verification layer is this brittle.
There is a way to do this, where nearly everyone is fine.[0]
However, the orgs don’t get to capture verified adult user identity to pad the value of their user data profiles…
[0] https://blog.google/company-news/inside-google/around-the-gl...
It seems unlikely that "is user adult" is not already easily modeled by any of these companies to within a very high degree of confidence. Even 15 or 20 years ago Google search could bracket your age pretty effectively. It doesn't seem like this adds metadata that wasn't already there.
Google prompts me to verify my age on my account I created in 2004. They’re not trying too hard.
If they admit this, they wouldn't be able to advertise to children anymore without breaking many rules.
Except that in the legal sense, "is user adult" flips from false to true overnight, and there isn't an easy way to account for that in any model that doesn't include verified ID. Same reason many liquor stores ID anyone who looks younger than 40.
It was never going to be perfect. I suspect the goal with things like these is to add additional friction to the process, to make it much harder for the general population to bypass them.
Never trust user input wins again... on one hand, discord never sees your picture, on the other, you get this. :)
I suspected something along these lines was possible when I looked at this provider a couple months ago.
If I recall, I had a fairly decent view of their various checks because it was delivered completely unminified, including a couple amusing sections and unimplemented features. (A gesture detector with the middle finger gesture in the enumerable commented out, for example...)
Another attack vector that I speculated upon was intercepting and replacing their tflite model with ones own, returning whatever results required.
Additionally, I believe they had a check for virtual camera names in place, as checks would quietly fail with a generic message in the interface, but show the reason as being virtual camera within responses. (Camera names are mutable though, so...)
Wow that was a fun read, I never thought about the technical implementation of these verification systems.
The comments so far assume that Discord / Twitch / Snapchat don't care as entities that people will start bypassing their age verification systems. I believe the rank-and-file think that's the case. I think even the engineers and PMs think that's the case. But that's not the game.
There are many ways in which such a system could be implemented. They could have asked people to use a credit card. Adult entertainment services have been using this as a way to do tacit age verification for a very long time now. Or, they could have made a new zero-knowledge proof system. Or, ideally, they could have told the authorities to get bent.
Tech is hardly the first industry to face significant (justifiable or unjustifiable) government backlash. I am hesitant to use them as examples as they're a net harm, whereas this is about preventing a societal net harm, but the fossil fuel and tobacco industries fought their governments for decades and straight up changed the political system to suit them.
FAANG are richer than they ever were. Even Discord can raise more and deploy more capital than most of the tobacco industry at the time. It's also a righteous cause. A cause most people can get behind (see: privacy as a selling point for Apple and the backlash to Ring). But they're not fighting this. They're leaning into it.
Let's take a look at what they're asking from people for a second, the face scan,
Their specific ask is to try and get depth data by moving the phone back and forth. This is not just "take a selfie" – they're getting the user to move the device laterally to extract facial structure. The "face scan" (how is that defined??) never leaves the device, but that doesn't mean the biometric data isn't extracted and sent to their third-party supplier, k-Id. From the article, The author assumes that "this [approach] is good for your privacy." It's not. If you give me the depth data for a face, you've given me the fingerprint for that face. A machine doesn't need pictures; "a bunch of metadata" will do just fine.Discord is also doing profiling along vectors (presumably behavioral and demographic features) which the author describes as,
Discord plugs into games and allows people to share what they're doing with their friends. For example, Discord can automatically share which song a user is listening on Spotify with their friends (who can join in), the game they're playing, whether they're streaming on Twitch etc. In general, Discord seems to have fairly reliable data about the other applications the user is running. Discord also has data about your voice (which they say they may store) and now your face.Is some or all of this data being turned into features that are being fed to this third-party k-ID? https://www.k-id.com/
https://www.forbes.com/sites/mattgardner1/2024/06/25/k-id-cl...
https://www.techinasia.com/a16z-lightspeed-bet-singapore-par...
k-ID is (at first glance) extracting fairly similar data from Snapchat, Twitch etc. With ID documents added into the mix, this certainly seems like a very interesting global profiling dataset backstopped with government documentation as ground truth. :)
Your browser is not currently supported. Please use a recommended browser or learn more here.
Apparently Twitch doesn't like Mozilla Firefox...
This project is something that we would want to archive pretty quickly. I can see those service being upset over that being exposed.
You're assuming discord or twitch actually care. I doubt they actually do. It's there to preempt the regulatory hammer, and the presence of clunky workarounds like this doesn't affect it if it doesn't reach the mainstream. If it does, they can just patch it.
I do not believe in the necessity of identity verification
The governments making laws which mandate it feel otherwise.
Love that hackers are still using "greetz"
Came here to say the same, has been a long time since I've seen one of those in the wild!
I'm against workarounds. I'm pro "leaving them and only come back when Digital ID is not required anymore".
If only most people leave them and it affects their bottom line.
Except you don't get to choose where other people host their communities.
That code snippet for Discord is pretty brittle and will likely break with future updates.
That worked for me. Got a response on desktop discord client once it was done. Wonder how long before they lock this down.
Any chance this can be used to token-log people's accounts?
It looks like only k-id's session token is transmitted back to the site, which can't be used to authenticate to Discord.
You can also self-host the backend from https://github.com/xyzeva/k-id-age-verifier.
Alright, how long until they patch this? Anyone takin' bets?
Age verification itself isn't such a bad thing. I feel most people are more angry about having to verify their actual identity. Every ad provider knows your address and complete identity every time you log into anything though. I guess its the illusion of anonymity that's so popular.
Is this not easily patched by the provider encrypting and signing the whole payload? I would have thought that would be table stakes for an identity provider.
The identity provider is on-device and has to run on phones which don't do hardware attestation.
That’s only for selfies. If they use and id I’m pretty sure it is getting sent to a k-id server.
too late: I have already deleted my Discord account; Twitch is also going to enforce this? hmmm...
if you don't actively use discord, then this is probably the best solution, I agree
Worked, hopefully Discord will retroactively discover this and ban my account.
doesn't work - request times out.
worked here - as soon as i did it i heard a dm ping from the 'official' discord account...
"We determined you're in the adult age group."
That was fast.
This is just an ideological / political reaction. It's not that big of a deal.
Just comply. You wouldn't fight if a policeman told you to assume the position (some people did that when it was first implemented and they eventually gave in).
This is not the right hill to die on.
I’ll comply with a police officer because of their threat of violence. I will not comply with online bullshit, because Discord can’t shoot me.