Users claim Discord's age verification can be tricked with video game characters (thepinknews.com)
100 points by mediumdeviation 13 hours ago
jhgg 11 hours ago
> government passes law that requires companies to age verify users
> said government provides no way to actually verify a human's age
> hilarity ensuesdom96 4 hours ago
This really deserves a digital solution. Let me get a government account and generate tokens that websites can ingest to confirm I'm an adult (and other optional details about me).
Having to use passports or poor solutions like face scanning isn't good enough. I guess the reason they don't do this is because they fear the cost, anything governments price up these days seems to be in the billion range. So the politicians who don't understand how cheap it is to build software assume it's way out of their price range.
parsimo2010 4 hours ago
When you place all the requirements on a software product like what the government has to, then it’s going to be expensive. Anyone who thinks that the total cost of a privacy protecting, government accredited, widely available, reliable, audited, and domestically produced age verification system isn’t going to be in the hundreds of millions has never actually shipped something comparable.
It is literally illegal to slap a few lines of glue code and say “there’s your age verification, look how cheap it is.” The public would be happy about saving money right up until there’s a massive privacy breach and all the ways you cut corners are exposed.
I don’t know if leaving the standards unspecified is the right thing to do (it’s probably not), but don’t pretend like a government verified solution could ever be cheap when dealing with citizens’ identities.
kingstnap 2 hours ago
criley2 3 hours ago
Spivak 14 minutes ago
Alifatisk 2 hours ago
Tim Berners lee thought about this solidproject.org
immibis an hour ago
Problem: the millisecond this system is rolled out, personal data will be attached to it, not least because I'm just going to generate unlimited 18+ tokens and sell them for $10 apiece
Larrikin an hour ago
anon7000 2 hours ago
Oh no, then the government will know how old I am!! (/s)
wood_spirit 2 hours ago
cedws 7 hours ago
That's exactly what pisses me off about it. The government could have at least devised a technical solution to verify the age of people privately. Data breaches happen all the time, do they just not care about the consequences when millions of peoples' porn watching habits are inevitably leaked?
progbits 7 hours ago
Because that's their goal. Make you scared about using things that are even legal but private/embarrassing.
Telemakhos 5 hours ago
brogufaw 9 hours ago
It’s intentional to give them wiggle room to define truth as needed case by case.
Not saying it’s good or bad. Just that it’s intentional.
Culonavirus 9 hours ago
My bank has an API endpoint that (basically) returns your name and age (in this use case). It can return more for signing electronic docs etc. and is basically your digital ID.
https://en.wikipedia.org/wiki/BankID
Need to buy "toys", vape products, alcohol... anything adult online?
There's a 3rd party web app (you rightfully don't trust) as an age check in the shopping cart / user account of any of these adult shops, and this has multiple ways of verifying your age - and one of them is the bank's api, you pick it, your bank's identity sharing page loads, you log in, it shows exactly what information will be shared in a bullet point list, you tap OK, immediately a request like "this app wants to know your age, please verify" pops up in your smart banking app on your phone, you tap ok, fingerprint scan, DONE.
Problem solved. The 3rd party app knows just what it needs to. All of this takes maybe a minute and your personal info is perfectly safe (unless you don't trust your bank at which point you have bigger problems to worry about...)
dfghjk4 8 hours ago
cronin101 8 hours ago
W3zzy 8 hours ago
Hamuko 5 hours ago
EU is also gonna require companies to verify ages but there's a white label application that EU member states can use.
If I've understood it correctly, Pornhub can't see anything except that you've turned 18 (no names, no date of births, nothing) and your local government can't see that you've signed up for Pornhub using the app.
Xelbair 28 minutes ago
Yet it is still not a perfect solution. Arguably worse, for possible freedom of speech aspects, than current state.
https://www.eff.org/deeplinks/2025/04/age-verification-europ...
stavros 3 hours ago
Yes, this is correct. As I understand it, the server asks the application some questions ("is the user above 18?" "are they a resident of country X?" or whatever), you confirm that you want to share the answer, and the application just gets "yes" or "no" to each question.
W3zzy 8 hours ago
Actually, they could release a platform quite easily that only delivers age verification, without anything else.
For example, our id's have a qr on it that contains some basic info. Why not provide a platform for age checks with that qr? Anyway, fuck them. Education goes a lot further than trying to force identity verification on private companies when there is no real life threat in play.
2OEH8eoCRo0 3 hours ago
Why should the govt provide a way to verify? They should fine companies that violate. Companies will figure how to comply because they don't want to be fined.
DaSHacka an hour ago
Because then you get situations like OP and that happened with Tea?
vidarh an hour ago
The problem is that said companies have no interest in doing more than the barest minimum to keep the details safe.
hhh 10 hours ago
I think the way discords setup works is reasonable. It’s an on-device model that only submits the outcome of the scan to the platform.
I hope they just improve that performance, rather than see this and back out of it entirely and require ID checks.
amoshi 2 hours ago
>It’s an on-device model that only submits the outcome of the scan to the platform.
And that's why it's been bypassed already
Retr0id 3 hours ago
On-device models are excellent for privacy, but they are fundamentally broken from a security perspective. Preventing people from spoofing the results would involve locking them out of their own devices, via DRM.
subscribed 42 minutes ago
Hardware attestation would be enough to clamp down on almost anything, ensuring the hardware and the os guarantee the outcome is not manipulated.
Not the broken anti-competitive Google play store integrity (which is passing for any handset not patched for the last 8 years but with Google buttplug in it, effectively nullifying assurances from the attestation), but a proper hw attestation.
hhh 2 hours ago
I understand, and think that there’s an acceptance criteria for some level of fraud tbh.
immibis an hour ago
You're treating this as a computer security problem when it's actually a political problem. It doesn't have to work to be mandated. It doesn't even have to work, for everyone to get a pat on the back and a raise for implementing it. Keeping minors away from porn isn't the point, the point is more like to scare people about being surveilled so they voluntarily won't watch it.
edm0nd 9 hours ago
I think this is the correct way too.
Some of the age verification systems that use digital ids (mDLs) do the same thing but people freak out about how they work because I think they misunderstand the tech.
They system basically asks the mDL via an api call "is this user above the age of 18/21" and the app only responds with a yes or no. It doesn't pass the users fulls details over or anything like that.
MattPalmer1086 8 hours ago
Do these systems prevent linkability or allow the use of pseudonyms?
As in, if I repeatedly ask for age verification to the same service, does it know:
1) the identity of the user making the request, and 2) whether repeated requests comes from the same user (even if they don't know who it is?)
rumblefrog 9 hours ago
Could you point to the source of the on-device model? Moreso for curiosity.
michaelt 8 hours ago
No, but I can tell you that the moment you open the browser console, it stops scanning and marks the scan as failed.
The vendor is https://www.k-id.com in Discord's case
a2128 7 hours ago
moritonal 11 hours ago
The fact another story on the front page is about a User Verification site having a massive leak is pretty relevant (https://news.ycombinator.com/item?id=44684373)
nottorp 10 hours ago
The one good thing about the stupid age verification is it stimulates thinking outside the box in kids :)
userbinator 9 hours ago
Ironic that this comes at a time when AI-generated pictures are getting better and better.
Personally, I will never use Discord and they just gave me another reason not to.
silisili 9 hours ago
Maybe I'm old. Well, no, I am relatively old.
Either way, when I see a person or business advertise a Discord link, I immediately think of either as immature.
I miss the days of forums, and wish something like them could thrive again instead of rather private, but importantly ephemeral chats.
michaelt 7 hours ago
> I miss the days of forums, and wish something like them could thrive again instead of rather private, but importantly ephemeral chats.
Open source projects have long had ephemeral chats, private to the people in the chat at that moment - it just used to be called IRC.
macintux 28 minutes ago
soulofmischief an hour ago
I've been hired and have hired people through the Discord community. It's no different than Hacker News in this respect, where I've done the same. Professionalism is orthogonal, though I will agree that ephemeral chats have serious drawbacks for project-oriented communities.
ekianjo 8 hours ago
its seems even more self defeating when its a FOSS project whose only way to connect with the community is a Discord space.
DecoySalamander 8 hours ago
If this story reflects poorly on anyone, it's on Britain, not Discord.
pacifika 8 hours ago
Several articles say that Ofcom has said platforms must not host, share, or permit content encouraging the use of VPNs to bypass age checks, adding that parents should be aware of how VPNs can be used to bypass the Act.
makerofthings 8 hours ago
All those parents that couldn’t use parental controls to limit what their children see in a browser are not suddenly going to start policing VPNs. This is terrible legislation wrapped in terrible advice.
ndsipa_pomu 4 hours ago
That annoys me as the VPN isn't necessarily bypassing the age check, but instead is allowing the person to pretend that they don't live in a country with stupid laws. I mean, Ofcom might as well warn parents about cheap holiday websites that encourage people to bypass the age checks by flying to a sane country.
immibis an hour ago
Yes? I expect that "take a weekend to France to bypass age verification" and "subscribe to NordVPN to bypass age verification" are both legal while "take a weekend to France to see the Eiffel tower" and "use NordVPN to increase your security" are both legal.
Did you never wonder why VPN ads don't really list any actual use cases, yet they're wildly popular? If you know what you need it for, the ad doesn't have to tell you - just has to tell you which company to give your money to.
jrockway an hour ago
dylan604 11 hours ago
If it works for video game characters, why not just any random actor? There's going to be plenty of footage available of them in various positions to get around the can't use just one image "security" feature.
ethan_smith 5 hours ago
The fundamental issue is that these verification models are trained on datasets containing fictional characters and celebrities, so they're essentially being asked to distinguish between inputs that were part of their own training distribution.
dylan604 4 hours ago
Yet TFA shows the character used to beat the verification is a game character based on the likeness of an actor famous for the role he pays the game character is based. So you’re saying what, that the system isn’t aware it was trained on this person, the training isn’t looking that person is known to the training, or the system just doesn’t work as advertised?
avodonosov 10 hours ago
Who can think submitting biometrics online is in user's interest?
mgaunard 8 hours ago
I've seen formerly free content platforms now require a payment of 2 GBP to prove your age.
Ridiculous.
johnisgood 6 minutes ago
Pocket change. :D
And yeah, absurd.
2OEH8eoCRo0 3 hours ago
Something that's occurred to me is that we are already deanonymized and tracked everywhere online but most people are fine with it because it's done secretly and transparently (you don't notice). Age verification w/ something like a license online brings the issue front and center. It's not hidden that you are not anonymous online and people freak out.
can16358p 10 hours ago
Am I the only one who sees website appear for a split second and become completely blank white?
(iOS Safari)
Okay turning off content blockers did the trick. AdGuard was blocking the whole site for some reason.
jimbobthemighty 9 hours ago
No - on a chromebook as well
Yeul 9 hours ago
I'm not a loli I'm actually 900 years old!
codedokode 10 hours ago
Age verification should be made on OS or firmware level when buying a device. And not by sending your passport scan to random companies with dubious data collection practices.
A law must mandate that an "adult" version of OS (or device) may be sold only to adult users. It is not difficult for Microsoft/Apple to implement this yet they do not want to for some reason.
This would allow more reliable age verification, without revealing identity of account owners. Well, maybe the govt wants exactly the opposite.
herbst 10 hours ago
I can tell how this would be implemented. Microsoft rolls their own awkward standard nobody asked for. Other major companies try to use a somewhat common standard.
The Industrie enforces new rules and suddenly it costs $150000 and has awkward requirements to get your OS certified adult.
For the years to come only the most recent windows versions and customer devices like phones will work. No Linux will pay to get a standard they haven't asked for. Embed devices will stop working as more and more stuff gets simply flagged "adult only"
Just don't ... :)
Edit:// see Silverlight, or why it took years until something like Netflix was even legally technically possible
valenterry 9 hours ago
Listen to that guy!
valenterry 9 hours ago
Oh god no. We need to absolutely stop making OSs more restrictive than they already are. There are better solutions.
codedokode an hour ago
Uploading your passport to a random company is a worse solution, and it is being rolled out now.
snerbles 8 hours ago
The California legislature is already working on forcing operating systems to attest the age of the user at the account level. See the recent gut-and-amend of AB1043 [0], which was a privacy bill [1] just a few months ago:
> This bill would require, among other things related to age verification on the internet, a covered manufacturer to provide an accessible interface at account setup that requires an account holder, as defined, to indicate the birth date, age, or both, of the user of that device for the sole purpose of providing a signal regarding the user’s age bracket to applications available in a covered application store and to provide a developer, as defined, who has requested a signal with respect to a particular user with a digital signal via a real-time application programming interface regarding whether a user is in any of several age brackets, as prescribed. The bill would define “covered manufacturer” to mean a person who is a manufacturer of a device, an operating system for a device, or a covered application store. The bill would require a developer to request a signal with respect to a particular user from a covered manufacturer when that user requests to download an application.
> This bill would punish noncompliance with a civil penalty to be enforced by the Attorney General, as prescribed.
[0] https://legiscan.com/CA/text/AB1043/2025 [1] https://legiscan.com/CA/text/AB1043/id/3134744
If you want to know more about this lovely bait-and-switch tactic used by the Golden State's legislature, see here: https://californiaglobe.com/uncategorized/gut-and-amend-bill...
supriyo-biswas 5 hours ago
codedokode an hour ago
PartiallyTyped 10 hours ago
Denmark does it by sending you to a government-owned website, which then uses two factor authentication and responds back verifying one’s identity.
I don’t understand why other countries can’t do the same.
codedokode 42 minutes ago
This is a first step to shutting down anonymous accounts - here in Russia for example the account must be linked at least to a phone number or to a government ID and I see no reason why other governments don't want to do the same.
maccard 8 hours ago
The UK doesn’t have any form of identity that can be used like this. There’s a very very vocal group of people who oppose the idea to the point that it hasn’t gained traction.
zarzavat 2 hours ago
ndsipa_pomu 4 hours ago
Yeul 9 hours ago
The Netherlands has this system but it is ripe for abuse. We still have a few Christ clowns and there's a big fascist party at the moment.
How about we don't make lists of people visiting porn sites? How about we accept that children are part of society and not try to put them in little cages like songbirds?