
They already support ID checks as an alternative to face scanning, if the latter proves to be untenable then it's literally a case of flipping a switch to mandate ID instead.


The long term solution would have to be some kind of integration with a government platform where the platform doesn’t see your ID and the government doesn’t see what you are signing up for.

I don’t think this will happen in the US but I can see it in more privacy-respecting countries.

Apple and Google may also add some kind of “child flag” parents can enable which tells websites and apps this user is a child and all age checks should immediately fail.


I do like the idea of the “this is a child” taint (ok, terrible name but I really think it should be a near-unremovable thing on a platform like Apple’s that’s so locked down/crypto signed etc).

Like, you’d enroll it by adding a DOB and the computer/phone/etc would just intentionally fail all compatible age checks until that date is 18 years in the past. To remove it (e.g. reuse a device for a non-child), an adult would need to show ID in person at Apple.

Government IDs could be used to do completely privacy preserving, basically OpenID Connect but with no identifying property, just an “isEighteenOrMore” property. However, I agree it’ll never happen in the US because “regular” people still don’t know how identity providers can attest without identifying, and thus would never agree to use their government ID to sign into a pornsite. And on top of all that yeah nobody trusts the government, basically in either party, so they’d be convinced the government was secretly keeping a record of which porn sites they use. Which to be fair is not entirely unlikely. Heck, they’d probably even do it by incompetence via logs or something and then have people get blackmailed!


When I played an MMOG, if the admins found out that a child was underage, it was customary for them to suspend their account until their 13th birthday. I thought this was a clever policy, but I just can't understand the reverse of authenticating someone's age based on that of their account...


This assumes people are putting in their real birthdays, which IMO is a terrible practice to encourage.

I never put in my real birthday. It's just one more datapoint to leak in an inevitable hack and help scammers exploit me.

Just because a website sticks a field on a form, doesn't mean you need to fill it out.

I can think of maybe 1 website I use that has a legitimate use to know this info about me... and a dozen that use my fictitious birthday for no other purpose than an excuse to market at me under the shallow guise of a 'Happy Birthday' email.


There are many websites that believe I was born on January 1st, in a year close to my actual birth year.

When it's actually required by some law or regulation (e.g. financial stuff) I give my actual birthday. But when some site is just wanting to comply with age verification? Yep, I'm over 30, so you don't need to see my identification. (Jedi hand wave).


Well, they would have the legal right to force-choke your account, or chain your partner to a golden bikini, when they discover that you weren't abiding by the Terms and Conditions which you agreed to. Seems fair.


Abide by the Terms and Conditions? You must think I'm some sort of good Force user!

"I am altering the deal. Pray I do not alter it any further."


They were not, actually.

IIRC, it went like this: the account creation screen prompted them for a birthdate. They entered a fictitious one and pretended to be over 13. (I saw my niece do this in front of me, and I just sighed a very heavy sigh. She was way more interested in Club Penguin.)

Then later, they let the cat out of the bag. They tell their friends "lol I'm only 10! Today's my birthday, so give me a hat!" or something. And so if they claimed they're 10 they got 3 years suspension.

I think there was never any verification done, and no verification was possible: think about it, under COPPA, a service in the USA cannot collect PII from children under 13, so what do you do when a kid gives you two contradicting datapoints? Err on the side of caution.

I gave Yahoo! a false birthdate when I signed up. I was 27, but I also just felt they weren't entitled to knowing it. However, I soon found that maintaining a fraudulent identity is tiresome and error-prone. And Yahoo! wouldn't let me simply change my birthdate as often as I wanted to.

I once had a conversation with a friend about cheating on IRS taxes. She said "can you lie to a piece of paper?" like fudging numbers wasn't like lying to an auditor's face. It was a rhetorical question, of course.


Some platforms also now suspend you if they find out you were registering before turning 13 (or minimum age).


lol.

twitter did this to an ex (pre musk purchase)

she's about to turn 30.


Exactly, that's the problem: with OIDC the ID provider gets to know which sites you visit. That is unavoidable given how the protocol works. And you don't want to give all that information to the government in the first place.


> where the platform doesn’t see your ID

ID checks aren't very worthwhile if anyone can use any ID with no consequences.

How long would it take for someone's 18 year old brother to realize they can charge everyone $10 to "verify" everyone's accounts with their ID, because it doesn't matter whose ID is used?


Ok, at which point an adult has taken responsibility for giving them access.

The older brother could also rent an R (or x) rated movie, buy cigarettes, lighters, dry ice, and give them to the kids. The point of the age check is to prevent kids from getting access without an adult in the loop, not to prevent an adult from providing kids access


This is a good point. We could extend it to computing devices: An adult gives a child access to a device, and now the adult is in the loop and takes responsibility. If said adult (parent, most often) wants to automatically restrict certain activities/content on the device they can use the parental controls available. No panopticon required.


You can only keep the adult in the loop if you have a panopticon that traces back to said adult.


The system doesn’t have to be bulletproof. It just has to be better than the free for all it is today.


Better?..


Yes, there are good use cases for an anonymous age gate. So making one would be better than today's situation.


this is already how the EU infrastructure for digital ID works, basically. Using public/private keys on your national id, the government functions as a root authority that you (and other trusted verifiers downstream) can identify you with and commercial platforms only get a yes/no when you want to identify yourself but have no access to any data.

South Korea also has had various versions of this even going back to ~2004 I think.


Yes, it has been possible for a long time to provide anonymous attestations. But somehow, they also always seem to require that you have something like Google play services running for you to ask for the attestation in the first place. And with PKI, even though they could do with just the public key, they somehow also always insist on generating the keys for you (so they have the private key as well).


Do all EU countries have that? I know our (German) ID works that way, using the FOSS AusweisApp, but I hadn’t heard of it being EU-wide (it should be, though).


Spanish ID cards have had an X.509 cert inside them for more than 10 years, I use it all the time to sign documents and access government sites. There is already legislation and a push for an EU-wide digital identity wallet that should be up and running this year, look up eIDAS 2.0 and the EUDI wallet.

That looks like it should make things like privacy compatible age verification "trivial".


Thanks, that looks very cool, and apparently close to coming into effect.


It's been a slow rollout but yes, it's an EU wide thing. Slovenian IDs issued after around 2022 have them too.


It's nice that the platforms don't get access to data, but does the government get information about who is trying to access what?


I see this currently being pushed by some politicians in the EU. And I have a slight suspicion that some of these politicians are literally lobbyists.

The "oh my god, think of the children" is similar to "oh my god, think of the terrorists". I am not saying all of this is propaganda 1:1 or a lie, but a lot of it is and it is used as a rhetoric tool of influence by many politicians. Both seem to connect to many people who do not really think about who influences them.


ID is much easier to forge, it's just a flat 2-d shape. None of the physical security features come through in images.


In functioning states, the ID contains a chip with a private key that can be used to sign a message, and ID verification would not be an image of the ID card, but rather holding your phone's NFC reader to the card and signing a message from the site.

In Japan, there are already multiple apps which use something like this to verify user's age via the "my number card" + the smartphone's NFC reader.

It's more or less impossible to forge without stealing the government's private keys, or infiltrating the government and issuing a fraudulent card.

Of course, the US isn't a functioning state, the people don't trust it with their identity and security and would rather simply give all their information to private companies instead.


> In Japan, there are already multiple apps which use something like this to verify user's age via the "my number card" + the smartphone's NFC reader.

Does this also leak your identity to the app?


There is not a way to share just your date of birth. After providing your PIN it can read more than just your date of birth.


That's... partially true.

If you use the _digital_ MyNa card (e.g. the one in the Wallet.app; not the plastic one); the iOS SDK lets you only request the "is user more than XX years old" flag; without getting the actual identity: https://developer.apple.com/documentation/passkit/requesting...

Now, AFAICT nobody actually does this, but the technical ability is there.


When I had to prove my passport for my bank over a video call they told me to rotate it around in the sunlight to show that it had the holo-whatever ink. So I wouldn't put it past them.


A call requires a human, which is inherently not scalable. And even humans have trouble distinguishing AI content these days.


And it's not like Discord actually cares. They just care about appearing like they care. Something to keep the heat off of them from regulators and angry parents.


Discord built its own TSA?


A “video call” perhaps requires a human, but the type of test described need not be a video call. One can imagine a network trained to distinguish a fake id card from real one from a video recorded where the user is asked to move the card such that the holograph is glinting in the sunlight.


They can't feasibly do this in the US since many people don't have drivers licenses or passports.


Don't you have to be over 18 to get a credit card in the US? How many wouldn't be able to present a CC or ID?


Age verification requires a document that can be matched to your ID, such as by the photo on your ID card.

Credit cards don't have photos.

> How many Americans wouldn't be able to present a CC or ID?

The number of Americans who don't have a government issued photo ID is estimated around 1%. The number gets larger if you start going by technicalities like having an expired ID that hasn't been renewed yet.

The intersection between the 1% of 18+ Americans who don't have an ID and those who want to fully verify their Discord accounts is probably a very small number.


At least in Australia you absolutely can have a debit card under 18 and it’s extremely common for adults to not have a credit card.


> At least in Australia you absolutely can have a debit card under 18

Same in the UK, but Steam uses credit cards for age verification there and refuses if you provide a debit card instead. Evidently the payment backends can tell credit and debit apart.


When does steam require age verification?

It sometimes asks for my age for viewing a game and I can input any ol' date I want to. It doesn't even flinch if I input a different date every time.

I also don't recall them asking about my age when I was actually underage and paid using a PaySafeCard, but then again they didn't have porn on the platform at that point either.


> When does steam require age verification?

They only enforce it in the "mature sexual content" category, which mainly applies to porn games. For everything else, including the "some sexual content" category, they still just take your word for it.


> Evidently the payment backends can tell credit and debit apart.

Yeah those are parallel systems for reasons that amount to technical debt.


Only to have your own card. You can be an authorized user on a credit card even if you're under 18.


Ah right. That's no use for verification then, unless there's a way for payment gateways to distinguish the primary user from their authorized users.


Those without driver's licenses or passports can get a state ID card instead, if I'm not mistaken. A pain, but an option.


It's actually not a pain. It's the same process as getting a driver's license, minus the test. You go into the DMV and wait in the same lines (at least in California; I have a CA state ID, not a license)


Yeah that’s not true. It’s a lie. And we all know why it’s a lie. Adults in the US with ID is 99%


*Citation needed

> Nearly 21 million voting-age U.S. citizens do not have a current (non-expired) driver’s license. Just under 9%, or 20.76 million people, who are U.S. citizens aged 18 or older do not have a non-expired driver’s license. Another 12% (28.6 million) have a non-expired license, but it does not have both their current address and current name. For these individuals, a mismatched address is the largest issue. Ninety-six percent of those with some discrepancy have a license that does not have their current address, 1.5% have their current address but not their current name, and just over 2% do not have their current address or current name on their license. Additionally, just over 1% of adult U.S. citizens do not have any form of government-issued photo identification, which amounts to nearly 2.6 million people.

From https://cdce.umd.edu/sites/cdce.umd.edu/files/pubs/Voter%20I...


That seems like a good citation, but it supports the 99% number above

> Additionally, just over 1% of adult U.S. citizens do not have any form of government-issued photo identification, which amounts to nearly 2.6 million people.

The rest of the statistic is about driver's licenses specifically, including technicalities like expiration dates and address changes. The online ID checks for age verification don't care about the address part anyway, in my experience.

If someone has an expired drivers' license or they changed their name and haven't updated their IDs, they have bigger problems than age-verifying their Discord accounts.


My driver's license was expired for 8 years until last year. I wasn't driving so the pressure to renew it was very low.

I actually only renewed it to get medical care and because renewing the license was only a little more expensive than getting an ID-only card.

It did prevent me from using some porn sites because my state requires ID verification but many sites just ignore the requirement so I just didn't use the sites that required ID.


Somehow they don’t have trouble getting an ID when they want to buy alcohol


It only takes one person with ID to buy alcohol for a group.


A lot of people don't drink alcohol.


Also, in a lot of states you don't get IDed for alcohol after about age 35.


It's a sad reminder that I look as old as I am.


wat. the majority of Americans have a DL, ID, or Passport. What a silly thing to say.

For DL alone:

> Data indicates that approximately 84% to 91% of all Americans hold a driver's license, with roughly 237.7 million licensed drivers in the U.S. as of 2023.

Add in an ID and Passport and we are likely closer to 99%


Yep. You basically cannot function in legal society without an ID. If you are an adult and don't have ID you are intentionally trying to live a cloaked life and it won't be very easy.


Personal Identity Verification (PIV) and Common Access Card (CAC) credentials used by US government & military via NFC already work on web browsers. States should just move to digital IDs stored on smartphones, with chain of trust up through the secure element...


This is extremely dangerous, and would only work with hardware/software that is nonfree (i.e., not under the user's control, or any attestation could be spoofed).


This is effectively PKI for personhood. The State DMV acts as the Certificate Authority (CA), signing a "leaf certificate" that is bound to the device's hardware Secure Element.

It’s less like a TLS handshake and more like OpenID for Verifiable Presentations (OID4VP). The "non-free" hardware requirement serves as Remote Attestation—it allows a verifier to cryptographically prove that the identity hasn't been cloned or spoofed by a script. The verification happens offline or via a standard web flow using the DMV’s public key to validate the data signature, ensuring the credential is authentic without requiring a phone-home to the issuer.
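
Added example, not part of the thread and not any real ID scheme's code: a Go sketch of the offline check the comment above describes, where a site validates an issuer-signed "over 18" credential and a device-key signature over its own challenge using only the issuer's public key. Ed25519, the JSON layout, the `age_over_18` field and the site names are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Credential is all the issuer signs: one boolean plus the holder's device key.
type Credential struct {
	AgeOver18 bool   `json:"age_over_18"` // hypothetical field name
	DeviceKey []byte `json:"device_key"`
}

// Presentation is what the holder's device sends to a site.
type Presentation struct {
	Cred, IssuerSig, DeviceSig []byte // signed credential, issuer sig, device sig over challenge
}

func Issue(issuer ed25519.PrivateKey, device ed25519.PublicKey, over18 bool) (cred, sig []byte) {
	cred, _ = json.Marshal(Credential{AgeOver18: over18, DeviceKey: device})
	return cred, ed25519.Sign(issuer, cred)
}

// challenge binds a device signature to one site and one verifier-chosen nonce.
func challenge(site string, nonce []byte) []byte { return append([]byte(site+"\x00"), nonce...) }

// Verify needs only the issuer's public key; nothing is sent back to the issuer.
func Verify(issuerPub ed25519.PublicKey, p Presentation, site string, nonce []byte) error {
	var c Credential
	if !ed25519.Verify(issuerPub, p.Cred, p.IssuerSig) {
		return fmt.Errorf("credential not signed by issuer")
	}
	if json.Unmarshal(p.Cred, &c) != nil || len(c.DeviceKey) != ed25519.PublicKeySize {
		return fmt.Errorf("malformed credential")
	}
	if !ed25519.Verify(c.DeviceKey, challenge(site, nonce), p.DeviceSig) {
		return fmt.Errorf("not signed by the bound device for this site and nonce")
	}
	if !c.AgeOver18 {
		return fmt.Errorf("holder is not over 18")
	}
	return nil
}

// Demo uses constructed keys and names: a fresh, a replayed and a self-issued presentation.
func Demo() (fresh, replayed, forged error) {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(nil)
	devPub, devPriv, _ := ed25519.GenerateKey(nil)
	cred, sig := Issue(issuerPriv, devPub, true)
	site, nonce := "site-a.example", []byte("nonce-1")
	p := Presentation{cred, sig, ed25519.Sign(devPriv, challenge(site, nonce))} // holder side
	selfCred, selfSig := Issue(devPriv, devPub, true)                           // holder-signed, not issuer-signed
	f := Presentation{selfCred, selfSig, p.DeviceSig}
	return Verify(issuerPub, p, site, nonce),
		Verify(issuerPub, p, "site-b.example", []byte("nonce-2")),
		Verify(issuerPub, f, site, nonce)
}

func main() { fmt.Println(Demo()) }
```

The device key in this sketch is the same at every site, so sites comparing notes could link presentations from one holder; the sketch does not address that.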


So centralizing control over personhood. Got it.


> Personal Identity Verification (PIV) and Common Access Card (CAC) credentials used by US government & military via NFC already work on web browsers. States should just move to digital IDs stored on smartphones, with chain of trust up through the secure element...

I think you're... missing the point of the pushback. People DO NOT WANT to be identified online, for fear of different types of persecution.


And lose every user in the process


Is there any data on what kind of hits to enrollment were taken by facebook, gmail etc when they added requirements like a phone #? Maybe it's buried in their SEC filings. Anyway, this "cat and mouse" game is probably irrelevant. They're not looking for and don't need a perfect system. Bc 99% of the public couldn't care less about handing over their information.


Google does not require a phone number. They may ask for one and tell you it's for your own good, but you can skip the request.


I think you massively overestimate how many people actually care.

My guess is that 95% or more of all Discord users do not care and simply upload their selfie or ID card and be done with it. I know I will (although they did say that they expect 80%+ to not require verification since they can somehow infer their age from other parameters)


Remember digg?

I've already cancelled my Nitro account. I'm quite active on a ~5k member programming server and we're giving Zulip another try. I think it's unlikely we'll stay on Discord.

Obviously anecdotal, but eventually this adds up.


Also cancelled my Nitro after 5 years.

This whole thing being "for the safety of kids" is obviously a farce just to get more user data because Nitro users supposedly will have to do the ID check as well, but if you're paying with a CC/Paypal, you are obviously of sufficient age to not require an ID check.


> I know I will

Are you a minority, LGBTQ+, etc or of a "different" political persuasion that might have any reason to be distrustful of the US government? If so, you probably wouldn't just "be done with it".


No, I'm not, and I also don't live under an oppressive government that tracks those people down. I simply don't care if the US government or some random US company knows about what I play, eat, talk about or who I sleep with. And my guess is that outside the US LGBTQ+ and "different political view" bubble, most people also don't care. And that bubble makes up maybe 5% of Discord's user base


The real question is, how much of the "terminally online" population who is more likely to use paid Discord features?


Those 5% are the unusual sorts that separate Discord from Facebook.


Is there any data on what kind of hits to enrollment were taken by facebook, gmail etc when they added requirements like a phone #? Maybe it's buried in their SEC filings.


Most people under the driving age don’t have IDs, at least in the US.



