Hacker News

>Gotta give it to Zuck.

if "it" is the middle finger, for sure. "terrifying" is a great choice of word for it.

It's the US, all you have to do is drive a truckload of cash into Mar-A-Lago and you'll get whatever you want.

Well, I certainly prefer if big tech fight each other instead of the user as sometimes there might even come something good out of it - like elevated privacy in Apple's ATT case.

Overall, that's the reason anti-trust laws must be applied rigorously, otherwise the normal population has no chance.

Idk the low road is generally the easier one.

That law is perhaps an annoyance for Apple, but it can't cost them billions, can it? I seriously doubt that it would cost Apple more than the several hundred million dollars Meta still needs to funnel in order to get those laws passed in more states.

Plus, Apple gets to be the gatekeeper for Meta and other apps which can't be good for meta, and Apple gets to know the age of its users, which in itself is monetizable.

Some of these are also just like really weak? One of them for example seems to be some random employee at FB donating ~$1k to a politician and calling that a link.

> A Meta employee (Jake Levine, Product Manager) contributed $1,175 to ASAA sponsor Matt Ball's campaign apparatus on June 2, 2025. Source: Colorado TRACER bulk data.

I agree. I tried reading some of the documents and they're full of this:

> LIMITATION: Direct PDF downloads returned 403 errors. ProPublica Schedule I viewer loads data dynamically (JavaScript), preventing extraction via WebFetch. The 2024 public disclosure copy on sixteenthirtyfund.org was also blocked.

> Tech Transparency Project report: The article "Inside Meta's Spin Machine on Kids and Social Media" at techtransparencyproject.org likely contains detailed ConnectSafely/Meta funding analysis but was blocked (403)

The least they could have done is read their own reports and then provided the documents to the LLM. Instead they just let it run and propose connections, asked it to generate some graphs, and then hit publish.

> The only way to stop this from happening is half the country refuse to buy any tech that implements OS age verification

No, the way to stop it is to talk to your representatives.

You have the power. You just have to pick up a phone, and ask your friends, relatives, neighbors, to do the same. (They will, because it affects all of them.) Tell your reps to remove the legislation or you're voting them out. They don't want to lose their jobs. They will change if you tell them to. But only if you tell them. That is your power. Use it or lose it.

> The only way to stop this from happening is half the country refuse to buy any tech that implements OS age verification.

You have consumer activist brain. Next you're going to suggest that we complain to the manager or start our own government and compete in the marketplace.

> The only thing that talks is money

No, the only thing that is talking is money. Money wants this. You're busy pretending like you're going to do a boycott; they're going to boycott you.

Complain about the internet? They'll just blacklist you from it. Complain about the phone? Well now you can't use one; try smoke signals. Complain about the landlord? They'll settle the case, kick you out on the street, and blacklist you among all private equity landlords and the management companies that service small landlords. You'll just go to a small landlord that doesn't use one of the management companies? Well they won't have access to a bunch of vendors that have exclusive contracts with and share ownership with the management companies; now they can't make any money and have to sell to private equity.

You've been fooled into thinking that being victimized is a moral failure of the victim. The perpetrators taught you that. They taught you that the only appropriate action is to beg and threaten to leave, and they shut down customer service and monopolized the market. But, again, the worst thing they trained you to do is to blame the victim.

Nobody stops the government from sending goons to your door right now for a snarky comment. Some govts in fact do it today. It is also cheaper than ai rocket and more precise too

Not just governments, though.

I've wondered if FaceID and the Android counterpart are actively creating an extraordinary labeled dataset for facial expressions at the point of sale.

With users trained to scan their face before every transaction, tech companies could correlate transactions to facial expressions, facial expressions to emotions, and emotions to device content. I can imagine algorithms that subtly curate the user experience, selectively showing notifications, content, advertising to coax users towards "retail therapy".

“This isn’t freedom, this is fear”

Cpt America in the Winter Soldier

The application has access to your entire home folder, isn't that enough information?

Indeed. They hate us for our freedoms.

Interesting points! I see what you mean about age verification being used as a foundation for more signals in the OS. I think the tricky part is balancing privacy and verification — making sure applications can verify identity or age without over-collecting sensitive data. Biometric verification could be useful, but it also raises questions about how much control users have over their personal information. Curious to hear how you’d design it in a way that’s secure but respects user privacy.

>Age signals from the OS? Need to provide a channel of information available to applications. Applications already talk to servers with unchecked commonality.

This is a non-issue because it's almost certainly going to be gated behind a permission prompt. There are more invasive things sites/apps can ask for, and we seem to be doing fine, eg. location. Moreover is it really that much of a privacy loss if you go on steam, it asks you to verify you're over 18, and the OS says you're actually over 18?

>Biometric data? Today it unlocks your private key. Tomorrow it's used to verify you are the same person that was used during sign-up -- the same that was "age-verified".

Given touch id was introduced over a decade ago, and the associated doom-mongering predilections did not come to pass, I think it's fair to conclude it's a dud.

I believe CFAA talks about exceeding authorization, not just typing in things that are not true.

Did that link just get taken down?

> I'm not sure I fully grok the hypothesis that Meta is materially advantaged by pushing for OS-level age verification.

These laws, that attempt to move "age verification" into the OS, 100% absolve Meta (and all the Meta owned "properties") from any legal liability so long as all of Meta's app's follow the law's required "ask the OS for the age signal of the user".

Any "bad stuff" which then gets shown to "underage users" then becomes "not Meta's fault, they followed the legally proscribed way to check the age of the user, and the OS said this user was 'old enough'" and Apple/Google then get to shoulder the liability (and pay out for the class action lawsuits) for failing to provide a proper age signal.

That's the "material advantage" gained by Meta by pushing these laws.

We're all going to have to use service accounts created on Windows Server 2003 or RHEL 4, otherwise they won't be old enough and will require manual login from an of-age administrator

In the CA bill, "User" means child. It's pretty clear that non-human users aren't covered and don't have to participate. E.g. the API can return N/A or any other value for non-humans. If there is a way to make the API applicable only to human children users, then it doesn't even need to be callable for other entities. E.g. on android, each app gets its own uid, so the unix user doesn't correspond to a child, so the API will instead (probably) be associated with another entity (e.g. their Google account, an android profile, or an android (non-unix) user)

Honestly what I hope is that if these bills pass, sysadmins just turn off any server that doesn't have attestation and go off to the beach to collect shells.

A comment someone made on the post about OpenAi lobbying the DOD against Anthropic to mind: "Not only are the whores - they are cheap ones too".

I probably don't have all the info on the various laws across the US and EU that are being pushed, but I'm confused why Linux distros don't just update their licensing and add a notice on the installation screen that it is illegal to run their OS in places where these laws exist?

Heck, Linus Torvalds should just add an amendment to the next release of the Linux Kernel that makes it illegal to use in any jurisdiction that requires age verification laws.

This would obviously cause such a massive disruption (especially in California) that the age laws would have to be rolled back immediately.

This seems like a no-brainer to me but I am admittedly ignorant on this situation. I'm sure there's a good reason why this isn't happening if anyone cares to explain.

> should turn itself off

If this was somehow introduced without anyone noticing and deployed, imagine the damage it would cause.

If we're fantasizing here, I like to imagine two major OS makers trying to comply these laws, fail miserably, and let FOSS OSes and kernels more recognition in the desktop market.

Honestly, like the Left-pad incident [1], getting things to go suddenly dark is extremely effective at getting people to drop everything else to fix an issue.

Ideally, getting these servers to auto turn off the day this goes into effect ("In compliance with this new law, Linux is now temporarily unusable. Please <call to action>.") would be glorious for getting the bill staved off, or killed.

It would hurt some productivity, but that is a risk these lawmakers taking donations are probably willing to make.

1 - https://en.wikipedia.org/wiki/Npm_left-pad_incident

Someone would just submit a patch overriding this

> Every single Linux kernel currently operating within the borders of any of these states should turn itself off and refuse to boot

What exactly do you think Linux is? I would say that Linux would be forked in like 2 seconds, a bunch of different companies would start offering "attested Linux," and all you'd have to do was change your repos and update.

I would say that, but what would really happen is that we'd find out that Canonical, Red Hat, and a bunch of other distributions had been talking to the government for a year behind closed doors and they're already ready to roll out attested Linux. Debian would argue about it for six months, and then do the same thing. Hell, systemd will require age attestation as a dependency. Devuan and any other stubborn distribution would face 9000 federal lawsuits, while having domain names blocked, and the Chinese hardware necessary to run them seized at the ports with the receivers locked up on terrorism charges.

I have no idea where the confidence of the IT tech comes from. You (we) are something between a mechanic and a highly-skilled janitor.

Microsoft would love that.

Obviously not a serious proposal, but I do like the alt mentioned below:

Update the terms to indicate that you can do what you want, but this OS is probably not compliant with states run by evil dipshits.

This was the thing the saws-all (or whatever it was called, the brake that stops you from cutting your fingers off with the table saw) tried, right? I don't know if it succeeded but the idea was a government mandate for an otherwise good idea. Everyone then pays more.

The wayback machine got it: https://web.archive.org/web/20260313090844/https://www.reddi...

that goes against the goals of the professional media organizations.

I wonder what made them do it. The conspiracy theorists are really going to enjoy this.

Christ on a crutch, had they donated $25k or something you'd figure it was just a rounding error, but why this much from a company that isn't profitable? This is doing nothing to disabuse me of my theory 90% of "Startup Culture" is just an excuse for rich people to move money around. "Need to get your stoned mope of a C student a head-start on a resume that will let him stay gainfully employed? Well, I just brokered a VC deal for these kids that want to throw micro-concerts in parking spaces, we'll get your boy in as Senior Music Programmer."

Scott Alexander had a few posts about that ("why is there so little money in politics?"): https://www.astralcodexten.com/p/tech-pacs-are-closing-in-on...

The Internet thinks that lobbying is bribery. If you wanted a bribery like vehicle, you'd just donate to a PAC or more recently, the new ballroom. Lobbying is just paying people to speak to politicians. After a company has said everything that wanted to every politician that can possibly support their cause, there isn't anything left for them to do.

"Emails from October 2005 show that after Mandelson complained to Epstein about a lack of British Airways air miles, Epstein offered to pay for his plane tickets to the Caribbean."[1]

The biggest shocker to me has been just how "cheap" a lot of people are to buy off. Mandelson is complaining about air miles FFS. So much of this is a few thousand here, some fancy tickets there, a jet ride elsewhere, etc. In my mind it was always much, much bigger sums that people were selling their countries & souls out for, sadly, it turns out a lot of people, even in really high positions, are shockingly cheap.

[1] https://en.wikipedia.org/wiki/Relationship_of_Peter_Mandelso...

Knowing what we know about the current environment, each company is going to start selling everything they know about you to anybody who's willing to pay. Enforcing privacy is hard not because it's not possible, but companies have greater financial incentives to just breach your privacy to track and manipulate us.

Download the source code and ISOs of distros without age gating and put them on durable media. Tell your friends about the issue and its implications (legislating how an OS works is a huge deal, is likely unconstitutional, and opens up the door to all kinds of future abusive laws). Find like minded people so if the worst happens you will have mutual support and can work together on circumvention of any future restrictions. Work on your C skills.

That is the most serious thing you can do, and the most effective.

Do you know how democracy works? There are these people called representatives. They are hired by you. They pass laws. They only get to continue having a job if people like you vote for them. When you tell them "I don't like the law you are passing", they are hearing "the people who hire me are angry with me". The more people that are angry at what they're doing, the more their job is at risk.

They do what the lobbyists say because somebody else is doing the work, and they get paid (by the lobbyist). But they won't have a job to get paid for if the voters don't vote for them again. So your entire defense against tyranny and bad laws is you speaking out. If you never talk to your reps (or vote), you're telling them you don't care what kind of government it is, and they really will do whatever they want.

You have to tell them how you feel, along with all the rest of us. That's the only power we have.

In addition to that, tell everyone you know. Your friends, family, coworkers, the dude running the local gas station. Explain to them why government-mandated surveillance of everything they do on a computer is a bad idea. Ask them to talk to their reps.

Do your homework, vote, and help inform other people so they vote too.

Isn't eIDAS the same technology stack that would put the government in total control of what websites you can view & what ones you can't?

https://en.wikipedia.org/wiki/Qualified_website_authenticati...

> Just another reminder of how we need to protect what we have in the EU (not a guarantee, but at least a chance of fair dealing and a sustained commitment to civic values).

What you have in the EU is this: https://noyb.eu/en/project/dpa/dpc-ireland

> Now that the mask has fully fallen, we have to take every step possible to root out American influence.

You have literal rogue states in your union that neutralize the entirety of it, as the above shows. It's a joke. The EU is a joke. A single country is enough to mean US tech can do whatever it wants, similarly a single other country is enough to mean Russia can largely do what it wants.

The others are of course in on it too. Which is why for all the empty EU talk on US big tech you've never heard them talk about the Irish DPA and what they all enable. Strange right? Would think that this would be a priority. But it shows that even if the rest weren't in on it, just one country would be enough. And it could even be a tiny place like Luxembourg.

Laws and regulations aren't worth the paper they're written on if they're not enforced. The current ones aren't enforced at all, why would any new ones be? Did you know that there was a long period where hosting European citizens' PII on US-controlled servers (like Amazon instances in Europe) was illegal, after the "Privacy Shield" was deemed unlawful? No one cared. Did you know that this is currently the case again, because the thing that replaced it has once again had its basis ripped out from under it by Trump? Once again, no one cares, and indeed EU governments and corporations are _still_ making migrations _to_ US clouds.

Not that it matters, within a few years RN will be running France and AfD will be running Germany and you don't have to pretend any more as the "mask will have fallen" just as much.

> I don't understand why nobody in the comments is freaked out about this.

Because it's hopeless? It's been proven time and time again there's nothing the average person can do to fight this sort of thing.

It's just better to sit back and watch as everything gets ruined.

Because they’re not really trying to protect kids.

Do you have a child? Because I think the device makers haven't really done a good job, there are just too many workarounds.

When a megacorp funds a network of non-profits to lobby a bunch of politicians, draft legislation, and tell them to take it to committee, that can happen without much visibility, especially when it's been orchestrated at the state level, as this has. Where does any of this show up until there's a vote called on it? There's no open debate. No working "across the aisle" to address concerns. There's nothing left of the legislative process that started this country, or, indeed, any Western representative democracy. So someone has to be watching, see something on an agenda that raises the hairs on their necks, figure out what it is, and if there's a story there, and they're not going to get any help from anyone because everyone involved knows how the public is going to feel about it. And then, as the article indicates, even a place like Reddit is going to astroturf the effort to get the story out. (Which I've been trying to point out for YEARS, but which -- surprise, surprise! -- gets supressed.)

Mainstream media is largely captured by the same monied interests as discussed in the reddit post. Although the poster does mention an article from Bloomberg as evidence, most of their sources are local outlets or tech-focused. https://github.com/upper-up/meta-lobbying-and-other-findings...

27 years against software patents in the EU, feeling the same unfortunately.

But sometimes very few people can make a difference.

i felt that.

I think this is also a way of getting ahead of any “ban social media for teens and preteens” bills that might pop up in the US. They do not want repeats of Australia! By adding age verification into the operating system they can deflect responsibility but also respond to legislators with a scalpel rather than getting sledge-hammered.

I want age verification but not at the OS level.

Time and time again it amazes me how incredibly cheap lobbied politicians are. They may be earning big sums for an individual, but if you go full corruption[1] to sell out a state or a country - sell it for a fair price.

I remember from peak net neutrality discussions during trump 1 maybe around 2017-2018 ant saw an article on theverge.com (that cannot find now) and biggest sum to individual politician was around $200k, when median values were much much lower.

Politicians are selling tens of billions of dollars (if not hundreds of billions) worth of revenue to ISPs for couple or dozen million. Literally 1000x return on investment (if successful).

I remember local politician (I am not from US) got caught taking 100k bribe from a company for helping with alleged highway construction procurement. Project was valued ~1B - 10 000x return on investment (if they wouldn't have been caught).

[1] I am sorry, not "corruption", but "lobbying".

We should ask ourselves why we continue to participate and perpetuate economic systems that result in levels of inequality so vast that they threaten control of our democracy.

To me it feels that the age verfication (adult de-anonymisation) push, at least in Europe, is coming more from the increasingly-authoritarian left as a reaction to the rise of the online right and Musk's Twitter.

(Maybe some unspoken element of concern over social media bots, too - as they evolve from spamming copy+pasted comments to being near-indistinguisable from actual human accounts?)

Heritage has been laying waste to America my whole life. They basically planned all of Reagan's legislative agenda, too, just like Project 2025 is doing today. In very real ways, they and their vision are America (a system is what it does, not what it says it does).

Best they can do is only arrest maxwell.

That's what Washington and Brussels are about: lobbying capitals and buying influence over how laws are made.

> This isn't age verification at the point of accessing restricted content. This is a persistent age-broadcasting service baked into the operating system itself, queryable by every installed application.

You're not missing anything. It's just an AI generated summary of the original GitHub link https://github.com/upper-up/meta-lobbying-and-other-findings

I found the original article much easier to read anyways

https://web.archive.org/web/20260313125244/https://old.reddi...

They linked to this GitHub project: https://github.com/upper-up/meta-lobbying-and-other-findings

Also curious why it would be removed.

Your take in this entire ends up with you blaming Bill Gates like some MAGA tinhat? The GOP are literally the cabal of pedophilic, privacy ending, freedom crushing elites you’re looking for and this is somehow your perspective?

It is interesting isn't it? Most of Europe has better internet access than the US for similar reasons: sensible regulation led to high competition.

Donate a phone call. You aren't gonna win the bribing war against people who own a machine that turns your worthless data into millions of dollars.

If everybody who cared to and lived in the affected districts called they would kill the bill just to clear their phone-lines.

Luckily it was archived: https://web.archive.org/web/20260313125244/https://old.reddi...

Also on the wayback machine: https://web.archive.org/web/20260313090844/https://www.reddi...

Ok thanks, we've repointed the URL to the GitHub page.

I am from EU, and contrary to age verification laws in general.

My stance is that if somebody is a minor, his/her/their parents/tutors/legal guardian are responsible for what they can/cannot do online, and that the mechanism to enforce that is parental control on devices.

Having said that, open-source zero-knowledge proofs are infinitely less evil (I refuse to say "better") than commercial cloud-based age monitoring baked into every OS

Even with ZKP this is still highly problematic, it create difficulty for undocumented people to access the web, create ton of phishing opportunity, reinforce censorship on most site (as they will now all need to be minor compliant or need age verification), reinforce the chilling effect and make the web even less crawlable/archivable (or you need to give a valid citizen ID to your crawler/archiver).

With no proof it will protect anyone from proven harm.

No, the way to go is the California way. The device owner (root user) can enter the age of the user. Restrictions are applied based on that. Nothing is verified.

Though the EU is at large keeping it's composure with this. My only criticism towards the EU as an EU citizen is how slow and bureaucratic the EU is and that decisions that should be made on the fly are dragged on forever.

That said, government agencies have been doing a terrible job at keeping the private information of citizens safe. But it is nowhere nearly as bad as the US. My best childhood friend died in very questionable circumstances in 2009 in the US in very questionable circumstances. He had a US citizenship and we never really found out what had happened(to the point where we never really got any definitive proof that he had died). But that didn't stop me from trying and I was blown away by the fact that I could log into a US government website, register with a burner mail, pay 2 bucks with an anonymous gift credit/debit card and get a scanned copy of his death certificate in my email. And I didn't even have to provide his passport/id/anything. Just his name.

Point is, the US has been terrible at privacy for as long as I can remember. It is probably worse now with Facebook and Ellison holding TikTok.

Zero-knowledge proofs are only anonymous in theory if you ignore the issue of requiring a third party, and the issue of implementations.

And according to the EU Identity Wallet's documentation, the EU's planned system requires highly invasive age verification to obtain 30 single use, easily trackable tokens that expire after 3 months. It also bans jailbreaking/rooting your device, and requires GooglePlay Services/IOS equivalent be installed to "prevent tampering". You have to blindly trust that the tokens will not be tracked, which is a total no-go for privacy.

These massive privacy issues have all been raised on their Github, and the team behind the wallet have been ignoring them.

Zero-knowledge proofs are unworkable for age verification because they can't prevent use of somebody else's credentials.

You are missing the point. The real purpose is to control the Internet and free speech. They've been trying this for ages. Now the excuse is protecting children. Soon terrorism will be back. And don't forget aոtisеmіtism, too.

Not exactly a good moment for this particular caste of politicians/elites to pretend they care about children's well-being!

The way to go for this kind of thing is to not go for this kind of thing at all.

Seeming as this affect everyone .. Is there anything like and Open Collective .. grassroots consortium, to put together strong sensible zero-knowledge proof based policy examples that could be given to law-makers instead of this shadowy surveillance Trojan horse nonsense?

Two billion in lobbying. And the conclusion is that regulation is the problem?

> Zero-knowledge proofs are the way to go for this type of thing,

The benefit of zero-knowledge proofs is that the hide information about the ID and who it belongs to.

That’s also a limitation for how useful they are as an ID check mechanism. At the extreme, it reduces to “this user has access to an ID of someone 18+”. If there is truly a zero-knowledge construction using cryptographic primitives then the obvious next step is for someone to create an ad-supported web site where you click a button and they generate a zero-knowledge token from their ID for you to use. Zero knowledge means it can’t be traced back to them. The entire system is defeated.

This always attracts the rebuttal of “there will always be abuse, so what?” but when abuse becomes 1-click and accessible to every child who can Google, it’s not a little bit of abuse. It’s just security theater.

So the real cryptographic ID implementations make compromises to try to prevent this abuse. You might be limited to 3 tokens at a time and you have to request them from a central government mechanism which can log requests for rate limiting purposes. That’s better but the zero-knowledge part is starting to be weakened and now your interactions with private services require an interaction with a government server.

It’s just not a simple problem that can be solved with cryptographic primitives while also achieving the actual ID goals of these laws.

it's not about protecting children. that's only the PR.

once you get this you stop asking why the tech details are the way they are.

"how terrible EU regulation is"

Judges in other countries (Texas) found out this kind of law was a violation of the Free Speech.

Since when Free Speech do not apply to -16y old?

Made laws are made, then killed by courts later one.

Not sure what the Gruber thing is about. I guess I lack context. But on ZKP, I will agree but add this:

The only authority that can be trusted to do age verification is the government.

You know, those people who give you birth certificates, passports, SSNs, driver's licenses, etc.

The idea that parental supervision here is sufficient has been shown to be wholly inadequate. I'm sorry but that train has sailed. Age verification is coming. It's just a question of who does it and what form it takes.

Take Youtube, for example. I think it should work like this:

1. If you're not of sufficient age, you simply don't see comments. At all;

2. Minors shouldn't see ads. At all;

3. Videos deemed to have age-restricted content should be visible;

4. If you're not logged in, you're treated as an age-restricted user; and

5. Viewing via a VPN means you need age verification regardless of your country of origin.

It's not perfect. It doesn't have to be.

Which is strange, because it is widely known a large amount of their advertising revenue comes from fake accounts.

AI companies are also donating tens of millions to these PACs and others that are promoting age verification laws, it lets them sell AI content rating systems using their models.

I’m curious why Meta would benefit. Meta seems wholly unnecessary, the verification can be done at the OS level, completely in the hands of Apple/Alphabet and maybe Microsoft.

If anything, Meta’s utility would seem to shrink if the OS handles proof of being a real person.