I wish people would stop sharing this website, their research is massively written by LLMs and looks good at a glance, but it goes in every direction at the same time and lacks logical connections. And the claims don't really match their sources.
Their initial publication was backed by a Git repository with hundreds of pages of documents written in just three days (https://web.archive.org/web/20260314224623/https://tboteproj...). It also contained nonsense like an "anomaly report" with recommendations from the LLM agent to itself, which covers an analysis of contributors to Linux's BPF, Android's Gerrit, and parser errors in using legislative databases. https://web.archive.org/web/20260314103202/https://tboteproj... . The repository was rewritten since, though.
This post follows their usual pattern. The second source they link to has been a dead link for 11 months (https://web.archive.org/web/20250501000000*/https://www.pala...). There's a lot about Persona's design, MCPs, vulnerabilities, data leaks, but nothing proving they use it for mass surveillance. The entire case for it being mass surveillance rests on two points: that they interact with AI companies and they offer MCP endpoints (section titled "Persona's Surveillance Architecture")
I support a rule to ban AI-generated/edited posts.
Initially I thought they'd be fine, because AI-generated isn't intrinsically an issue and the comments can be good. But in practice, the AI posts tend to be slop, and usually there's a better human-written source for the same topic (for example, one of the many other recent "age verification is mass surveillance" posts here).
Part of this was written by AI, but with a human in "charge" who
explained which part of AI was used here. Would that also be a
bannable example for you? I am not so convinced that this is
bannable per se. Perhaps it may be different if the AI-slop was
not announced, but when it was announced and explained?
> one of the many other recent "age verification is mass surveillance"
> posts here
Well, it actually is. It taps very much into other similar laws
e. g. "chat control", aka chat sniffing.
I should've said "guideline". I think posts can include AI if it's reasonable and/or they're good, while the guideline gives a reason to flag AI posts that are generally bad.
> It taps very much into other similar laws e. g. "chat control", aka chat sniffing.
There are many recent Chat Control posts here too. I agree Chat Control is bad, and poorly-implemented age verification is bad (though it can be implemented in privacy-preserving ways, albeit ineffectively; I commented about this 42 days ago at https://news.ycombinator.com/item?id=47123507, and it was stale then). I don't want to hear anymore about it. Maybe I need a filter myself, for the lucky 10,000. But the problem even for them, is that the repeated posts (without links to previous posts) have mostly low-effort comments, because people who made high-effort comments can't/won't keep repeating them.
> In the meantime a FOSS maintainer who is just trying to put the pieces in place to comply with the law (as written) got doxxed and harassed.
In my experience, when a country like Britain passes a censorship law, people in other countries like America don't enjoy being given the tools to comply with it, even if the tools are entirely optional.
Thank you. Investigative journalism is so important and I would happily believe some of the claims made here, but when I encounter even just a few sentences that sound LLM-written, suddenly I don't trust any of the statements in the source anymore. This site goes way beyond that, with a vibe-coded UI and generated articles. There might be value in what's reported here, but currently it requires a lot of work from the reader.
The earlier you realize how little IQ and "knows a lot" means the person actually know what they're talking about, the easier life becomes. "Smart" people are wrong all the time, some say how they became smart in the first place.
> There's a lot about Persona's design, MCPs, vulnerabilities, data leaks, but nothing proving they use it for mass surveillance.
And this is where I'd say I disagree. There's nothing about Peter Thiel, and his current business focus, that shows anyone he's not in the business of surveillance. Look at the company he keeps and then align that with many of the things Peter and who he surrounds himself with have said publicly. Thiel is tied to Palantir and Alex Karp. That relationship alone should tell you very clearly that, even if Thiel wasn't actually in the game of surveillance (opinion: he is) he would be very much associated with supporting it.
Karp said: “I love the idea of getting a drone and having light fentanyl-laced urine spraying on analysts that tried to screw us.”
Yeah, sure... I mean I can't imagine the fact that Thiel is tied at the hip to Palantir that he doesn't have an agenda with it other than data analytics and, what, ad rev? Right.
Thiel said, publicly, that everyone should be concerned about surveillance AI [0]. Let's call spade a spade. Thiel is in the business of surveillance whether or not there's some poor LLM generated sites stating that is the case, but then using that as the basis to give Thiel a pass on this because: not enough evidence here.
Thiel is a big part of what's wrong with his class. He's worried about something that he wants to control. He's not actually worried about you or I though. He's worried about someone else having the full surveillance view and so he's aimed to build and be part of that. So, maybe, we shouldn't give Thiel a pass just because he hasn't fully proven himself to be the person that the world paints him into a picture of.
That's cute, but they've taken his money. To say they've never interacted with him is disingenuous. And... Are we really going to default to a perspective of trust from Persona? Nobody should trust them by default as they've proven nothing to the public with regard to trustworthiness.
I wonder if not private age verification could not be solved with the right cryptographic protocol.
You would have to register using a digital ID with a government agency, to get a age certificate. Most European countries already have digital IDs, used for all sorts of things: such as taxes, online banking etc.
Then that certificate could be used in some sort of challenge-response protocol with web sites to verify your age, creating a new user ID in each session but without divulging anything that identifies that particular certificate.
I'm afraid that the alternative would be that social media would instead require login with the digital ID directly.
Always with the increasing government control. Heaven forbid people go online without training wheels. We need safety nets everywhere - a grazed knee means the state failed.
Agreed. But would mean having to educate people on security, privacy and computing in general… Pretty sure most government like having most people uneducated on such things
That's what I did with my Austrian goverment ID during the COVID times. Had to go the embassy to identify myself. Those times the Deutschland ticket was still cheap, so no problem.
And what exactly would be the purpose of age verification? Because defining someone "mature" based on their age is pretty hit-and-miss: we have plenty of adults, even of a certain age, who it's hard to imagine have ever finished adolescence, for instance. On paper, they are absolutely of age. We also had a certain Alexander the Great, emperor of a large part of the planet at 20. We had 13-year-old Pharaohs active in government.
We also have gazillions of examples of apparently innocent rules being used to boil Chomsky's frog, one small temperature rise at a time. For the first time in a long while, I'm starting to sense a certain fanaticism on this topic here on HN, which sounds very much like the molecular agitation when water starts to boil.
> And what exactly would be the purpose of age verification? Because defining someone "mature" based on their age is pretty hit-and-miss: we have plenty of adults, even of a certain age, who it's hard to imagine have ever finished adolescence, for instance. On paper, they are absolutely of age. We also had a certain Alexander the Great, emperor of a large part of the planet at 20. We had 13-year-old Pharaohs active in government.
That's really no different than age of consent laws. In the majority of US states (33+DC) that age of consent for sex is 16, 17 in 6 states, and 18 in 11 states.
In Europe it is 14 in 14 countries, 15 in 12 countries, 16 in 20 countries, 17 in 2 countries, and 18 in 3 countries.
All of those are somewhat arbitrary. There are many people over 18 who lack whatever maturity age of consent laws are trying to ensure people have before they can consent.
Going the other way there are people who are under the age of consent in most of those countries or states who are mature enough that there would be no harm in letting them consent.
Any particular population wide age of consent in a state or country then cannot simultaneously protect everyone who needs protection and avoid forcing protection on people who do not need it.
It would in theory be possible to make the age of consent an individual thing where you have to be psychologically evaluated and if you pass you get your consent license. (A hybrid approach might also be possible--a high automatic age of consent like 21, with people under that able to apply for a lower age. Probably also combined with "Romeo and Juliet" laws so people under 21 who just want to fool around with people close to their own age can do so without having to be psychologically evaluated first).
I expect that very very few people would be in favor of replacing the one size fits all approach to age of consent with such an individualized system.
I prefer no filters instead, for one simple reason: who watches the watchmen? If we had a digital identity on a national blockchain run by open-hardware home servers and FLOSS software, where every node exists by virtue of digital identity, meaning there's no risk of a 51% attack and everyone is forced to play with their cards on the table, I might accept a ZK proof. But that's not the case, and the privacy guarantees of private entities and the very subjects pushing for this verification make me say, quite simply, NEVER.
Because we know perfectly well that it's the precursor to mandatory SSO for everything, South Korea style, which is unacceptable and incompatible with Democracy.
In your proposed scheme, it is in the best interest of web sites to store the certificates from users indefinitely, since it's the only evidence they have that prove that their users are not minors.
Since authorities have the power of accessing that data and identify the user who created the certificate, this scheme is not anonymous.
Authorities can access that data via court orders today, or via a global automatic mandatory data sharing law in the future.
In the example of USA, even if for some reason people still trust the current Government (although ICE already accessed private medical records to track and arrest people), I don't see why they should trust all future Governments which will have retroactive access to all that data.
So let's make it illegal to keep the tokens more than e.g 6 months.
We should not underestimate the power of the legal system to enforce freedom and anonymity. And on the flip side, it's hard to create a technical system which can actually withstand the force of the government if it chooses to come after you.
I believe the correct battlefield for freedom is the political one, in the end it decides everything. And neither guns nor technical tricks can secure freedom against a tyrannical state.
Wuth that said, it does tickle the curiosity to think about! A technical-political solution could be to introduce a new actor, the broker. It sits between the webpage and the age-verifier, receiving the age-verification, but then giving it's own proofs to the webpage (so acting as a trusted middleman). Now to match up visitors with identities you need to get the data from both the webpage, the broker and the age-verifier.
You could imagine that the broker were in a different jurisdiction, maybe even one without a close cooperation with the government. Maybe people could even choose their own brokers (among certified ones).
So let's trust all future Governments to never remove the 6-month law?
Once the whole technical system is implemented, it will be trivial to remove that bureaucratic limitation, and somehow it will be sold as better protection for the children.
You misunderstand. The child protection angle is just a cover story. The actual reason for this legislation is to ban anonymous publishing; to ensure that every post on the internet can be linked back to an identity for retaliation.
Verified anonymous age credentials don’t allow for this, so they don’t matter.
The negative privacy implications are the primary features of these laws, not a bug. It is intentional.
> The child protection angle is just a cover story. The actual reason for this legislation is to ban anonymous publishing; to ensure that every post on the internet can be linked back to an identity for retaliation.
> Verified anonymous age credentials don’t allow for this, so they don’t matter.
> The negative privacy implications are the primary features of these laws, not a bug. It is intentional.
This is it. Perfect.
The amount of money pouring into surveillance of all kinds (led by companies like palantir and so many others). It's surveillance capitalism without the capitalism.
People create these illusions about a system, about a country and will fight to the end to defend those illusions. The reality of what actually exists beneath the shiny (propagandized) surface is so much darker.
I hate this approach to them problem, because it is not a technical problem.
Because it focuses on technical aspects and accepts the premise of 'age verification must be solved'. It doesn’t, and discretion what content and and what age children and teenagers can consume should be up to parents.
All you need is one authority which defines who can verify age threshold (government). Those who can verify age threshold need to know your age and identity (bank). Those who are bound to restrict access based on age only need to know in which country you live (website). Nothing else is needed eg. bank, identity and age is not known to the website, website is not known to your bank or government.
While this would solve the technical problem at hand. It lacks any safeguard against a very simple workaround of sharing your certificate or even posting for everyone to use.
We've already got age verification protocols (in the UK) with the sale of alcohol and tobacco. If we also use those shops to sell age verification tokens (e.g. something like a scratchcard) for a nominal amount, then people could reliably verify that they're an adult without the privacy concerns and without shoddy websites leaking credentials.
Yes - pretty much the same as supplying tobacco/alcohol to minors. My point is that we've got a system which more or less works already, so it's just a matter of extending it for adult website verification.
It can't be solved, but you can choose different loopholes and privacy trade-offs.
Untraceable-but-single-use proof-of-age tokens? Good for privacy, but now that 14-year-old can get tokens from an 18-year-old friend for cash.
Proof tokens that only last a few minutes, or a three-way handshake between user, government and website? Harder to trade, but now the government's got a good guess about who's opening pornhub.
Requiring sites to keep audit records, to prove they really did the verification procedure? Wildly insecure, we don't want them storing passport photos. Requiring them to not keep audit records? Then they can skip or half-ass the checks.
Camera-based age estimation? Once again the 14-year-old can have an 18-year-old pass the check for them. Or a video game character creator or something. Scanning a government ID card? Better hope Dad never leaves his wallet unattended for 5 minutes. And not everyone has a passport or driver's license.
Age attestation from an electronic driver's license, plus face id biometric validation, with a secure element, trusted execution environment and code attestation? Congrats, now you've handed your national ID database to the world's largest adtech/tracking company. Hope you weren't trying to distance your nation from US tech dominance.
Yes, it can be. Google has a zero-knowledge proof based system in Google Wallet that lets you store store signed credentials such as government ID and then prove to third parties that you have such a signed ID and to disclose to them facts of your choosing from that ID, with the third party gaining no information other than that you have such an ID and that it confirms those facts. This has been running in production for a few months.
They have opened source this [1][2].
This was designed to comply with eIDAS in Europe so that it could be incorporated into the EU Digital Identity wallet.
Current implementations depends on smartphones but it should be possible to make it runs on other devices that have similar cryptographic hardware.
It's easy-ish to verify someone is human and of-age without needing any intrusive agent. One big problem is that the folk pushing for surveillance via verification hate that model and have capital to crush the idea. Another is adoption of some system that works; where the perfect blocks what's good which results in no progress.
>Stores the user's birth date for age verification, as required by recent laws in California (AB-1043), Colorado (SB26-051), Brazil (Lei 15.211/2025), etc.
what do governments get out of this? Like I get it from ad/commercial perspective, but I don't see how this is highly unpopular from governments and still being implemented
Age Verification and "banning kids from social media" are two different things. The former being an overzealous method of achieving the latter.
Parental responsibility and better parental controls would be a MUCH better way of going about this.
Of course, the polling public is blissfully unaware of the wide ranging consequences of such an Age Verification implementation. People will continue to pave the road to fascist hell with good intentions.
What the public perceives it to be is the only thing that matters though. The OP question was asking how governments are getting this through, and the answer is the majority approve of what they see to be happening.
The average person is not thinking about the ability for journalists and whistleblowers to create anonymous Facebook accounts, they are thinking about Mark Zuckerberg trying to sell sex chatbots to their kids and discord pedo servers.
You have to understand children are only cute little extensions of their parents until they 18, but on that day they better be ready for the real world™. /s
Hold on a minute. Australians are for kids and teens social media ban. They have not been asked if their minors are all face catalogued by pop up companies that these social media companies externalise the verification process to.
Insta and others simply opened the need for such 3rd party verification services, it's a way to limit their liability and risk. For Insta and co it's not their problem if these new 3rd party services become the next identity database of minors.
I hate it.
Seems like even under young voters more people support it than being against it; 30% of people aged 18-23 are strongly in favor, 57% of people in that age group supports it.
I wonder why? Maybe these types of surveys don’t consider the implementation / what you need to give up in order to have age verification?
Because the internet, for all it's good, has caused society and individuals some pretty serious problems. I don't like the idea of mandatory age verification, but having unrestricted internet access as a kid was objectively bad for me and many of the people I know.
> That is your parent’s fault that it was bad for you. So don’t punish me or anyone else because you never learned control.
I think you're suffering from a lack of empathy. That doesn't mean OS age verification should be implemented or not, but that you're going to be insufferable and pretty ignorant about what's going on.
IMHO, the popularity of age-verification is due to the increasing awareness of the harms of much online activity, plus the impracticality of putting the whole burden of mitigating that for children onto the shoulders of parents. If you flippantly and contemptuously ignore those concerns, people will be happy to ignore your concerns.
And since you brought it up: honestly, I wouldn't feel bad "punishing" you with this policy, just because of the attitude displayed in your comment. It's needlessly aggressive and making contemptuous assumptions. Your comment actually shoots your position in the foot.
Perhaps the voting population should first be made acutely aware of the extent of surveillance they are under, and how much age verification would expand that surveillance, and then be asked again.
They'll claim they already "know", but watch their opinion change after they get paper mail with a list of recently visited websites, or their words written on public or unencrypted chats, or their movement history thanks to phone spyware.
That's likely, but only if it's possible to materially articulate some specific negative ways in which age verification data is actually being used.
You and I can strongly suspect that there's a significant downside to these providers having so much sensitive personal data but, until that is proven, the voting population will only see the upside.
The death of online anonymity isn't negative and specific enough?
People understand this intuitively - hire someone to obviously follow them everywhere, record everything they do (or only as much as current surveillance records), and they'll want to put a quick stop to it. Do the same thing, but out of sight, out of mind, and their correctly evolved instincts fail to carry over.
I don't think surveys like this are a meaningful indicator of societal attitudes.
"age verification" is not unlike "DEI" in that everyone will have different schemas about what it is and how it will be assumed to be implemented. We're not learning anything about the public unless we try to pose the question more directly.
Disclaimer: talking about functioning democratic governments (obviously authoritarian governments are different).
We do regulate a lot of things to protect the people, especially the children. It's common to make it illegal for children to drink alcohol, smoke stuff and drive vehicles, and it seems completely natural for many of us. We usually don't say "it should be legal for a schools to sell cigarettes and whisky to kids, because it's the responsibility of the parents to educate their kids".
The same applies to the Internet: just like we don't want children to be able to buy porn in a store, we don't want them to be able to access porn on the Internet. Or, more recently, social media. So the obvious idea to prevent that is to do what we do in store: age verification.
The problem on the Internet is mass surveillance, and done incorrectly, age verification adds to that. Technically, we can do age verification in a privacy-preserving way, but:
- Politicians are generally not competent to understand "the right technical way", and the tech giants do benefit from surveillance. Even if they mean well, it's hard for them to take the right decision out of incompetence.
- In some big countries that tend to set the technical norms (e.g. the US), many people completely distrust the government. But private companies have no interest in implementing the privacy-preserving solution, so the only viable way is with the help of government regulations (I would argue that the government should be the ones owning the service).
- The vast majority of people, including the vast majority of politicians, do not understand and do not give a damn about surveillance capitalism. It just does not exist for them. And in those conditions, there is of course no reason to even consider a privacy-preserving solution, because it is technically more complex.
I strongly believe that in many countries they mean to do well. They are just not competent to understand the problem, and they turn to tech giants who do understand it, but have an interest in making sure that the politicians implement it wrongly.
In the case of government representatives' role, I think you've reached for Hanlon's razor incorrectly. Malice better explains what is happening here than ignorance. The actual representatives are cardboard with makeup - they each have a whole team of folks doing the detailed diligence on this stuff. That team knows there's a privacy-preserving way to do this. There's a reason those solutions are not the ones on offer. Corporate regulatory capture is behind all of this.
> I think you've reached for Hanlon's razor incorrectly. Malice better explains what is happening here than ignorance.
Well, I think you reach for it incorrectly, then :-).
> That team knows there's a privacy-preserving way to do this.
Do you have any experience with those people who advise the representatives, and with those representatives? I have anecdotal experience, and I can tell you that for the few I have seen, you vastly overestimate their competences.
Should society help the child, by making it more difficult for them to access harmful material, in the same way we age verify alcohol?
What if the parent is responsible, but finds themselves in a situation where they don't have the time/ability to either educate or set up robust controls? Should we make their responsibilities easier?
What a nice vanilla view of the world. It's way to simple as an answer and lacking links to reality.
If not before but with high school kids will need access to a computer and also the internet in many schools and countries.
I get that parents are responsible but parents have limited resources. Even the best parenthood will not keep kids from wanting to engage with peers. Even the best filter or block by parents will not cover the www and their millions of websites and services.
LLM feedback loops are scary because they self-reinforce by training over their own data drift and vulnerable people interface with the noise and follow the downward spiral.
There have been pushes to implement similar instances of this for a while now. If this turns out to not be successful, expect futher efforts in a similar guise
the internet is not the same as it was 20 years ago. the average person is now online, but they werent before. they dont understand where they are and need protection. there is still space on the internet, or whatever the next place will be, for the enthusiasts and other minorities. if we lose internet, something new will pop up. also, 20 years ago i didnt care so much about privacy on the internet, i just needed a cultural filter for the community im engaging with. privacy has always been a game of cat and mouse. 0 chance things stay the same for long
This makes a lot more sense than merely assuming
that Meta pushes for it. There are several actors
here and none of them have the good of the people
in mind. This is why Age Sniffing, labeled "Age
Verification", must be abolished. It's an entry
door of evil actors here. It has nothing to do
with age "verification" yet alone "protecting the
chilren" - that's just a lie. I am noticing this
more and more, e. g. if you claim to want to protect
children, but then you have underage people on youtube
create content? So how does that make sense if you want
to restrict them on the one hand (or, everyone else,
in addition to that) but then let the de-facto censorship
here be "loose"? In fact - why are any children viewable
on youtube to begin with? That contradicts those age
sniffing entities.
It’s good that for non SFW stuff you do the need the internet anymore, just 72GB VRAM for all modalities. Public internet only for news/payments. Everything else can be offline, no more npm or React garbage needed either for frontend.
I wish people would stop sharing this website, their research is massively written by LLMs and looks good at a glance, but it goes in every direction at the same time and lacks logical connections. And the claims don't really match their sources.
Their initial publication was backed by a Git repository with hundreds of pages of documents written in just three days (https://web.archive.org/web/20260314224623/https://tboteproj...). It also contained nonsense like an "anomaly report" with recommendations from the LLM agent to itself, which covers an analysis of contributors to Linux's BPF, Android's Gerrit, and parser errors in using legislative databases. https://web.archive.org/web/20260314103202/https://tboteproj... . The repository was rewritten since, though.
This post follows their usual pattern. The second source they link to has been a dead link for 11 months (https://web.archive.org/web/20250501000000*/https://www.pala...). There's a lot about Persona's design, MCPs, vulnerabilities, data leaks, but nothing proving they use it for mass surveillance. The entire case for it being mass surveillance rests on two points: that they interact with AI companies and they offer MCP endpoints (section titled "Persona's Surveillance Architecture")
It's currently #1 on the front page too. HN drowning in AI slop, what a sight to behold.
It seems like there are a few stories HN will really bite on:
- age verification
- chat control
- RTO vs. remote work
- AI bubble
- ditching American tech
I support a rule to ban AI-generated/edited posts.
Initially I thought they'd be fine, because AI-generated isn't intrinsically an issue and the comments can be good. But in practice, the AI posts tend to be slop, and usually there's a better human-written source for the same topic (for example, one of the many other recent "age verification is mass surveillance" posts here).
It is not so easy to distinguish this with 100% accuracy though.
For instance, a recent example from yesterday:
https://bugs.ruby-lang.org/issues/21982
Part of this was written by AI, but with a human in "charge" who explained which part of AI was used here. Would that also be a bannable example for you? I am not so convinced that this is bannable per se. Perhaps it may be different if the AI-slop was not announced, but when it was announced and explained?
> one of the many other recent "age verification is mass surveillance" > posts here
Well, it actually is. It taps very much into other similar laws e. g. "chat control", aka chat sniffing.
I should've said "guideline". I think posts can include AI if it's reasonable and/or they're good, while the guideline gives a reason to flag AI posts that are generally bad.
> It taps very much into other similar laws e. g. "chat control", aka chat sniffing.
There are many recent Chat Control posts here too. I agree Chat Control is bad, and poorly-implemented age verification is bad (though it can be implemented in privacy-preserving ways, albeit ineffectively; I commented about this 42 days ago at https://news.ycombinator.com/item?id=47123507, and it was stale then). I don't want to hear anymore about it. Maybe I need a filter myself, for the lucky 10,000. But the problem even for them, is that the repeated posts (without links to previous posts) have mostly low-effort comments, because people who made high-effort comments can't/won't keep repeating them.
The vast majority of HN commentors react to the headline and don't bother to click through.
seems a lot of people already consumed this as truth.
In the meantime a FOSS maintainer who is just trying to put the pieces in place to comply with the law (as written) got doxxed and harassed.
I hate it here
> In the meantime a FOSS maintainer who is just trying to put the pieces in place to comply with the law (as written) got doxxed and harassed.
In my experience, when a country like Britain passes a censorship law, people in other countries like America don't enjoy being given the tools to comply with it, even if the tools are entirely optional.
The main thing that caused this ruckus was law passed in California not the UK
not that it matters because doxxing and harassing developers is not acceptable.
Thank you. Investigative journalism is so important and I would happily believe some of the claims made here, but when I encounter even just a few sentences that sound LLM-written, suddenly I don't trust any of the statements in the source anymore. This site goes way beyond that, with a vibe-coded UI and generated articles. There might be value in what's reported here, but currently it requires a lot of work from the reader.
You dont trust LLM's, writers with an IQ and knowledge much higher than ours? /s
I was told LLMs were at least as smart as Ph.D graduates
The earlier you realize how little IQ and "knows a lot" means the person actually know what they're talking about, the easier life becomes. "Smart" people are wrong all the time, some say how they became smart in the first place.
Yes, and HN isn't a place to submit things that require work from the reader. Or at least that seems to be the consensus by reporting it.
Quite disappointing tbh.
> There's a lot about Persona's design, MCPs, vulnerabilities, data leaks, but nothing proving they use it for mass surveillance.
And this is where I'd say I disagree. There's nothing about Peter Thiel, and his current business focus, that shows anyone he's not in the business of surveillance. Look at the company he keeps and then align that with many of the things Peter and who he surrounds himself with have said publicly. Thiel is tied to Palantir and Alex Karp. That relationship alone should tell you very clearly that, even if Thiel wasn't actually in the game of surveillance (opinion: he is) he would be very much associated with supporting it.
Karp said: “I love the idea of getting a drone and having light fentanyl-laced urine spraying on analysts that tried to screw us.”
Yeah, sure... I mean I can't imagine the fact that Thiel is tied at the hip to Palantir that he doesn't have an agenda with it other than data analytics and, what, ad rev? Right.
Thiel said, publicly, that everyone should be concerned about surveillance AI [0]. Let's call spade a spade. Thiel is in the business of surveillance whether or not there's some poor LLM generated sites stating that is the case, but then using that as the basis to give Thiel a pass on this because: not enough evidence here.
Thiel is a big part of what's wrong with his class. He's worried about something that he wants to control. He's not actually worried about you or I though. He's worried about someone else having the full surveillance view and so he's aimed to build and be part of that. So, maybe, we shouldn't give Thiel a pass just because he hasn't fully proven himself to be the person that the world paints him into a picture of.
[0] https://www.cnbc.com/2021/10/22/palantirs-peter-thiel-survei...
For what it’s worth, Persona claims to not work or interact with Thiel.
https://vmfunc.re/blog/persona-2
That's cute, but they've taken his money. To say they've never interacted with him is disingenuous. And... Are we really going to default to a perspective of trust from Persona? Nobody should trust them by default as they've proven nothing to the public with regard to trustworthiness.
It's written by a bot to avoid fingerprinting.
https://tboteproject.com/git/hekate/surveillancefindings-new...
Stylometry avoidance is not a valid excuse for factual omissions, fabrications, and "DYOR dumping" (bullshit asymmetry).
Thanks for flagging this. I still think the headline is right, so where are the good sources and articles and outcries?
I wonder if not private age verification could not be solved with the right cryptographic protocol.
You would have to register using a digital ID with a government agency, to get a age certificate. Most European countries already have digital IDs, used for all sorts of things: such as taxes, online banking etc.
Then that certificate could be used in some sort of challenge-response protocol with web sites to verify your age, creating a new user ID in each session but without divulging anything that identifies that particular certificate.
I'm afraid that the alternative would be that social media would instead require login with the digital ID directly.
Always with the increasing government control. Heaven forbid people go online without training wheels. We need safety nets everywhere - a grazed knee means the state failed.
In my opinion public private key is the base of all identification should be done.
You keep your own private key and the government has your public key.
Agreed. But would mean having to educate people on security, privacy and computing in general… Pretty sure most government like having most people uneducated on such things
I feel like you could do it in an app or a card with an NFC chip.
People don't have to know security or cryptography to do their banking online.
Either way it would be infinitely better than the current social security number situation we have.
Agreed. Not saying there are no ways to ease the process but someone has to put some effort
On which hw? Because a smart-card (if open hardware and FLOSS) might be safe, certainly not a smartphone.
That's what I did with my Austrian goverment ID during the COVID times. Had to go the embassy to identify myself. Those times the Deutschland ticket was still cheap, so no problem.
This is what Verifiable Credentials are for.
https://walt.id/verifiable-credentials
And what exactly would be the purpose of age verification? Because defining someone "mature" based on their age is pretty hit-and-miss: we have plenty of adults, even of a certain age, who it's hard to imagine have ever finished adolescence, for instance. On paper, they are absolutely of age. We also had a certain Alexander the Great, emperor of a large part of the planet at 20. We had 13-year-old Pharaohs active in government.
We also have gazillions of examples of apparently innocent rules being used to boil Chomsky's frog, one small temperature rise at a time. For the first time in a long while, I'm starting to sense a certain fanaticism on this topic here on HN, which sounds very much like the molecular agitation when water starts to boil.
> And what exactly would be the purpose of age verification? Because defining someone "mature" based on their age is pretty hit-and-miss: we have plenty of adults, even of a certain age, who it's hard to imagine have ever finished adolescence, for instance. On paper, they are absolutely of age. We also had a certain Alexander the Great, emperor of a large part of the planet at 20. We had 13-year-old Pharaohs active in government.
That's really no different than age of consent laws. In the majority of US states (33+DC) that age of consent for sex is 16, 17 in 6 states, and 18 in 11 states.
In Europe it is 14 in 14 countries, 15 in 12 countries, 16 in 20 countries, 17 in 2 countries, and 18 in 3 countries.
All of those are somewhat arbitrary. There are many people over 18 who lack whatever maturity age of consent laws are trying to ensure people have before they can consent.
Going the other way there are people who are under the age of consent in most of those countries or states who are mature enough that there would be no harm in letting them consent.
Any particular population wide age of consent in a state or country then cannot simultaneously protect everyone who needs protection and avoid forcing protection on people who do not need it.
It would in theory be possible to make the age of consent an individual thing where you have to be psychologically evaluated and if you pass you get your consent license. (A hybrid approach might also be possible--a high automatic age of consent like 21, with people under that able to apply for a lower age. Probably also combined with "Romeo and Juliet" laws so people under 21 who just want to fool around with people close to their own age can do so without having to be psychologically evaluated first).
I expect that very very few people would be in favor of replacing the one size fits all approach to age of consent with such an individualized system.
I prefer no filters instead, for one simple reason: who watches the watchmen? If we had a digital identity on a national blockchain run by open-hardware home servers and FLOSS software, where every node exists by virtue of digital identity, meaning there's no risk of a 51% attack and everyone is forced to play with their cards on the table, I might accept a ZK proof. But that's not the case, and the privacy guarantees of private entities and the very subjects pushing for this verification make me say, quite simply, NEVER.
Because we know perfectly well that it's the precursor to mandatory SSO for everything, South Korea style, which is unacceptable and incompatible with Democracy.
In your proposed scheme, it is in the best interest of web sites to store the certificates from users indefinitely, since it's the only evidence they have that prove that their users are not minors.
Since authorities have the power of accessing that data and identify the user who created the certificate, this scheme is not anonymous.
Authorities can access that data via court orders today, or via a global automatic mandatory data sharing law in the future.
In the example of USA, even if for some reason people still trust the current Government (although ICE already accessed private medical records to track and arrest people), I don't see why they should trust all future Governments which will have retroactive access to all that data.
So let's make it illegal to keep the tokens more than e.g 6 months.
We should not underestimate the power of the legal system to enforce freedom and anonymity. And on the flip side, it's hard to create a technical system which can actually withstand the force of the government if it chooses to come after you.
I believe the correct battlefield for freedom is the political one, in the end it decides everything. And neither guns nor technical tricks can secure freedom against a tyrannical state.
Wuth that said, it does tickle the curiosity to think about! A technical-political solution could be to introduce a new actor, the broker. It sits between the webpage and the age-verifier, receiving the age-verification, but then giving it's own proofs to the webpage (so acting as a trusted middleman). Now to match up visitors with identities you need to get the data from both the webpage, the broker and the age-verifier.
You could imagine that the broker were in a different jurisdiction, maybe even one without a close cooperation with the government. Maybe people could even choose their own brokers (among certified ones).
So let's trust all future Governments to never remove the 6-month law?
Once the whole technical system is implemented, it will be trivial to remove that bureaucratic limitation, and somehow it will be sold as better protection for the children.
You misunderstand. The child protection angle is just a cover story. The actual reason for this legislation is to ban anonymous publishing; to ensure that every post on the internet can be linked back to an identity for retaliation.
Verified anonymous age credentials don’t allow for this, so they don’t matter.
The negative privacy implications are the primary features of these laws, not a bug. It is intentional.
> The child protection angle is just a cover story. The actual reason for this legislation is to ban anonymous publishing; to ensure that every post on the internet can be linked back to an identity for retaliation.
> Verified anonymous age credentials don’t allow for this, so they don’t matter.
> The negative privacy implications are the primary features of these laws, not a bug. It is intentional.
This is it. Perfect.
The amount of money pouring into surveillance of all kinds (led by companies like palantir and so many others). It's surveillance capitalism without the capitalism.
People create these illusions about a system, about a country and will fight to the end to defend those illusions. The reality of what actually exists beneath the shiny (propagandized) surface is so much darker.
I hate this approach to them problem, because it is not a technical problem.
Because it focuses on technical aspects and accepts the premise of 'age verification must be solved'. It doesn’t, and discretion what content and and what age children and teenagers can consume should be up to parents.
Not government, nor corporations.
"but we can't trust the parents to protect the children!"
You don’t need anything this elaborate.
Set parental controls on set up, pass a single flag to websites and apps, similar to the Global Privacy Control.
No privacy is lost. Control is handed to the device owner, and implementation is technically trivial.
Would it not be trivial to make a webpage which proxies sites but with the headers removed, bypassing the whole thing?
Can't set local proxy because of parental controls, can't setup cloud proxy because of ... Being a kid.
That's essentially the approach California is taking.
All you need is one authority which defines who can verify age threshold (government). Those who can verify age threshold need to know your age and identity (bank). Those who are bound to restrict access based on age only need to know in which country you live (website). Nothing else is needed eg. bank, identity and age is not known to the website, website is not known to your bank or government.
While this would solve the technical problem at hand. It lacks any safeguard against a very simple workaround of sharing your certificate or even posting for everyone to use.
Fullly anonymous + untraceable attestation --> unlimited certificate sharing
We've already got age verification protocols (in the UK) with the sale of alcohol and tobacco. If we also use those shops to sell age verification tokens (e.g. something like a scratchcard) for a nominal amount, then people could reliably verify that they're an adult without the privacy concerns and without shoddy websites leaking credentials.
Then you can give the tokens to whoever you want
that does happen with alcohol but it’s rare because well people don’t wanna go to jail for giving alcohol to a minor
So your proposal would have to come with liability towards the individual
Yes - pretty much the same as supplying tobacco/alcohol to minors. My point is that we've got a system which more or less works already, so it's just a matter of extending it for adult website verification.
It can't be solved, but you can choose different loopholes and privacy trade-offs.
Untraceable-but-single-use proof-of-age tokens? Good for privacy, but now that 14-year-old can get tokens from an 18-year-old friend for cash.
Proof tokens that only last a few minutes, or a three-way handshake between user, government and website? Harder to trade, but now the government's got a good guess about who's opening pornhub.
Requiring sites to keep audit records, to prove they really did the verification procedure? Wildly insecure, we don't want them storing passport photos. Requiring them to not keep audit records? Then they can skip or half-ass the checks.
Camera-based age estimation? Once again the 14-year-old can have an 18-year-old pass the check for them. Or a video game character creator or something. Scanning a government ID card? Better hope Dad never leaves his wallet unattended for 5 minutes. And not everyone has a passport or driver's license.
Age attestation from an electronic driver's license, plus face id biometric validation, with a secure element, trusted execution environment and code attestation? Congrats, now you've handed your national ID database to the world's largest adtech/tracking company. Hope you weren't trying to distance your nation from US tech dominance.
Yes, it can be. Google has a zero-knowledge proof based system in Google Wallet that lets you store store signed credentials such as government ID and then prove to third parties that you have such a signed ID and to disclose to them facts of your choosing from that ID, with the third party gaining no information other than that you have such an ID and that it confirms those facts. This has been running in production for a few months.
They have opened source this [1][2].
This was designed to comply with eIDAS in Europe so that it could be incorporated into the EU Digital Identity wallet.
Current implementations depends on smartphones but it should be possible to make it runs on other devices that have similar cryptographic hardware.
[1] https://blog.google/innovation-and-ai/technology/safety-secu...
[2] https://github.com/google/longfellow-zk
It's easy-ish to verify someone is human and of-age without needing any intrusive agent. One big problem is that the folk pushing for surveillance via verification hate that model and have capital to crush the idea. Another is adoption of some system that works; where the perfect blocks what's good which results in no progress.
The root password to the Constitution is “ITs4daChildren!”
So to avoid it all I have to do is stop using social media? LGTM
And operating systems...
....and email....
Creeping normalcy into the substrate:
>Stores the user's birth date for age verification, as required by recent laws in California (AB-1043), Colorado (SB26-051), Brazil (Lei 15.211/2025), etc.
[MERGED]
https://www.theregister.com/2026/03/24/foss_age_verification...
As a parent: the hard-won lesson is that most of this threat surface shrinks when you're genuinely present (listen/talk/educate).
While I agree with you to a very much degree, the last thing teens usually do is listen to their parents. It’s not that simple.
See also: 'Euphoria'
Share an attribute, not an identifier, https://yivi.app/en/for_developers/
This is what I think a gov org should offer, not yet another corporate entity.
what do governments get out of this? Like I get it from ad/commercial perspective, but I don't see how this is highly unpopular from governments and still being implemented
It depends on the type of government. A totalitarian government gets control out of it.
The normalization of the nanny state.
It’s not highly unpopular. When polled, the Australian public were in favour of banning kids from social media.
The harms of big tech, social media, and addiction mechanics are a lot more tangible to the average person than the anonymity aspect.
Age Verification and "banning kids from social media" are two different things. The former being an overzealous method of achieving the latter.
Parental responsibility and better parental controls would be a MUCH better way of going about this.
Of course, the polling public is blissfully unaware of the wide ranging consequences of such an Age Verification implementation. People will continue to pave the road to fascist hell with good intentions.
What the public perceives it to be is the only thing that matters though. The OP question was asking how governments are getting this through, and the answer is the majority approve of what they see to be happening.
The average person is not thinking about the ability for journalists and whistleblowers to create anonymous Facebook accounts, they are thinking about Mark Zuckerberg trying to sell sex chatbots to their kids and discord pedo servers.
> Parental responsibility and better parental controls would be a MUCH better way of going about this.
Call we do all three?
Also, what about the irresponsible parents, or parents who don't have time/opportunity to be responsible over this issue?
You have to understand children are only cute little extensions of their parents until they 18, but on that day they better be ready for the real world™. /s
Hold on a minute. Australians are for kids and teens social media ban. They have not been asked if their minors are all face catalogued by pop up companies that these social media companies externalise the verification process to. Insta and others simply opened the need for such 3rd party verification services, it's a way to limit their liability and risk. For Insta and co it's not their problem if these new 3rd party services become the next identity database of minors. I hate it.
Age verification is highly unpopular amongst heavily online users, but the voting population overall is in favour: https://yougov.com/en-gb/daily-results/20250731-91334-2
Seems like even under young voters more people support it than being against it; 30% of people aged 18-23 are strongly in favor, 57% of people in that age group supports it.
I wonder why? Maybe these types of surveys don’t consider the implementation / what you need to give up in order to have age verification?
> I wonder why?
Because the internet, for all it's good, has caused society and individuals some pretty serious problems. I don't like the idea of mandatory age verification, but having unrestricted internet access as a kid was objectively bad for me and many of the people I know.
That is your parent’s fault that it was bad for you. So don’t punish me or anyone else because you never learned control.
> That is your parent’s fault that it was bad for you. So don’t punish me or anyone else because you never learned control.
I think you're suffering from a lack of empathy. That doesn't mean OS age verification should be implemented or not, but that you're going to be insufferable and pretty ignorant about what's going on.
IMHO, the popularity of age-verification is due to the increasing awareness of the harms of much online activity, plus the impracticality of putting the whole burden of mitigating that for children onto the shoulders of parents. If you flippantly and contemptuously ignore those concerns, people will be happy to ignore your concerns.
And since you brought it up: honestly, I wouldn't feel bad "punishing" you with this policy, just because of the attitude displayed in your comment. It's needlessly aggressive and making contemptuous assumptions. Your comment actually shoots your position in the foot.
Perhaps the voting population should first be made acutely aware of the extent of surveillance they are under, and how much age verification would expand that surveillance, and then be asked again.
They'll claim they already "know", but watch their opinion change after they get paper mail with a list of recently visited websites, or their words written on public or unencrypted chats, or their movement history thanks to phone spyware.
That's likely, but only if it's possible to materially articulate some specific negative ways in which age verification data is actually being used.
You and I can strongly suspect that there's a significant downside to these providers having so much sensitive personal data but, until that is proven, the voting population will only see the upside.
The death of online anonymity isn't negative and specific enough?
People understand this intuitively - hire someone to obviously follow them everywhere, record everything they do (or only as much as current surveillance records), and they'll want to put a quick stop to it. Do the same thing, but out of sight, out of mind, and their correctly evolved instincts fail to carry over.
Yp, similarly how gambling and smoking restrictions aren't popular among gamblers and smokers.
I don't think surveys like this are a meaningful indicator of societal attitudes.
"age verification" is not unlike "DEI" in that everyone will have different schemas about what it is and how it will be assumed to be implemented. We're not learning anything about the public unless we try to pose the question more directly.
https://yougov.com/about/methodology
Disclaimer: talking about functioning democratic governments (obviously authoritarian governments are different).
We do regulate a lot of things to protect the people, especially the children. It's common to make it illegal for children to drink alcohol, smoke stuff and drive vehicles, and it seems completely natural for many of us. We usually don't say "it should be legal for a schools to sell cigarettes and whisky to kids, because it's the responsibility of the parents to educate their kids".
The same applies to the Internet: just like we don't want children to be able to buy porn in a store, we don't want them to be able to access porn on the Internet. Or, more recently, social media. So the obvious idea to prevent that is to do what we do in store: age verification.
The problem on the Internet is mass surveillance, and done incorrectly, age verification adds to that. Technically, we can do age verification in a privacy-preserving way, but:
- Politicians are generally not competent to understand "the right technical way", and the tech giants do benefit from surveillance. Even if they mean well, it's hard for them to take the right decision out of incompetence.
- In some big countries that tend to set the technical norms (e.g. the US), many people completely distrust the government. But private companies have no interest in implementing the privacy-preserving solution, so the only viable way is with the help of government regulations (I would argue that the government should be the ones owning the service).
- The vast majority of people, including the vast majority of politicians, do not understand and do not give a damn about surveillance capitalism. It just does not exist for them. And in those conditions, there is of course no reason to even consider a privacy-preserving solution, because it is technically more complex.
I strongly believe that in many countries they mean to do well. They are just not competent to understand the problem, and they turn to tech giants who do understand it, but have an interest in making sure that the politicians implement it wrongly.
In the case of government representatives' role, I think you've reached for Hanlon's razor incorrectly. Malice better explains what is happening here than ignorance. The actual representatives are cardboard with makeup - they each have a whole team of folks doing the detailed diligence on this stuff. That team knows there's a privacy-preserving way to do this. There's a reason those solutions are not the ones on offer. Corporate regulatory capture is behind all of this.
> I think you've reached for Hanlon's razor incorrectly. Malice better explains what is happening here than ignorance.
Well, I think you reach for it incorrectly, then :-).
> That team knows there's a privacy-preserving way to do this.
Do you have any experience with those people who advise the representatives, and with those representatives? I have anecdotal experience, and I can tell you that for the few I have seen, you vastly overestimate their competences.
This is highly unpopular... on HN. Which heuristically implies it's popular in the real world.
There is a very simple alternative to age verification
WHO IS PROVIDING INTERNET TO A CHILD
they are liable
there's no such thing as free open access internet without someone paying the bill
unless it can be demonstrated the child stole internet somehow, hacking, etc.
then the person providing the internet is liable for the child's activity
Same if you aren't going to supervise your child and they come home for hours after school and watch porn on the TV
They don't age verify to get cable TV
If you have a credit card, you are an adult
Someone is paying the bill, they are the adult, they are responsible
What if the parent is not responsible?
Should society help the child, by making it more difficult for them to access harmful material, in the same way we age verify alcohol?
What if the parent is responsible, but finds themselves in a situation where they don't have the time/ability to either educate or set up robust controls? Should we make their responsibilities easier?
With this line of reasoning you can just take away any agency from individuals and put it into the hands of the state, which leads to totalitarianism.
Public policy seems tricky if we must take every line of reasoning to its extreme.
The idea that the state should decide which way of parenting is responsible is extreme.
What a nice vanilla view of the world. It's way to simple as an answer and lacking links to reality.
If not before but with high school kids will need access to a computer and also the internet in many schools and countries.
I get that parents are responsible but parents have limited resources. Even the best parenthood will not keep kids from wanting to engage with peers. Even the best filter or block by parents will not cover the www and their millions of websites and services.
LLM feedback loops are scary because they self-reinforce by training over their own data drift and vulnerable people interface with the noise and follow the downward spiral.
There have been pushes to implement similar instances of this for a while now. If this turns out to not be successful, expect futher efforts in a similar guise
Don't confuse the passport ID check with the "are you over 18?" checkbox. Both types of laws exist.
the internet is not the same as it was 20 years ago. the average person is now online, but they werent before. they dont understand where they are and need protection. there is still space on the internet, or whatever the next place will be, for the enthusiasts and other minorities. if we lose internet, something new will pop up. also, 20 years ago i didnt care so much about privacy on the internet, i just needed a cultural filter for the community im engaging with. privacy has always been a game of cat and mouse. 0 chance things stay the same for long
Thanks for sharing
This makes a lot more sense than merely assuming that Meta pushes for it. There are several actors here and none of them have the good of the people in mind. This is why Age Sniffing, labeled "Age Verification", must be abolished. It's an entry door of evil actors here. It has nothing to do with age "verification" yet alone "protecting the chilren" - that's just a lie. I am noticing this more and more, e. g. if you claim to want to protect children, but then you have underage people on youtube create content? So how does that make sense if you want to restrict them on the one hand (or, everyone else, in addition to that) but then let the de-facto censorship here be "loose"? In fact - why are any children viewable on youtube to begin with? That contradicts those age sniffing entities.
> Every copy of the Persona SDK contains a hardcoded AES-256-GCM encryption key in TrackingEventUtilsKt.java line 22
Seems like a pretty big fuck up, if so. I wonder why did they not use asymmetric encryption.
To ban 16 and younger from social media will require every user to be identified.
The social media also cant just do it themselves with a box, "are you over 16, yes no" they will require to identify against the government.
Essentially this makes it so that every user's actual ID is being tracked. Fully intended to control speech online.
More slop. To think this site used to be extremely high signal to noise
It’s good that for non SFW stuff you do the need the internet anymore, just 72GB VRAM for all modalities. Public internet only for news/payments. Everything else can be offline, no more npm or React garbage needed either for frontend.