I think the primary issue is not the "send your face" (face info) to a server. The problem is that private entities are greedy for user data, in this case tying facial recognition to activities related to interacting with other people, most of them probably real people. So this creates a huge database - it is no surprise that greedy state actors and private companies want that data. You can use it for many things, including targeted ads.

For me the "must verify" is clearly a lie. They can make it "sound logical" but that does not convince me in the slightest. Back in the age of IRC (I started with mIRC in the 1990s, when I was using windows still), the thought of requiring others to show their faces never occurred to me at all. There were eventually video-related formats but to me it felt largely unnecessary for the most part. Discord is (again to me) nothing but a fancier IRC variant that is controlled by a private (and evidently greedy) actor.

So while it is good to have the information how to bypass anything there, my biggest gripe is that people should not think about it in this way. Meaning, bypassing is not what I would do in this case; I would simply abandon the private platform altogether. People made Discord big; people should make Discord small again if they sniff after them.

"The metadata includes in particular the approximate red, green and blue components of pixels of the photo of your face that we swear we transmit in a lossy format that doesn't allow building a highly accurate 3D model of you face."

Yeah... which metadata? That sentence doesn't mean much.

(not an actual citation, of course, that's sarcasm)

I know you meant as a service provider, but as a avid IRC (and an online game that conventionally alt-tabbed into a irc-like chat window) chatter as a young preteen in the 90s and 00s, I made a lot of online friends that I would not discover what they looked like IRL for decades, some never. People I was gaming with in the 90s, for the first time, I would see what they looked like over FB in a group made for the now-almost-dead game in the 10s. It was like "swordfish - man, where are you now? I don't even know your real name to find ya. shardz - you look exactly like I would picture ya!."

Just some musings.

Since there were no other websites like that back then, it was eventually overrun by non-IRC-users and transformed into what we'd now call a more generic social media platform. Something like the eternal September I guess. People started calling the gallery "IRC" as shorthand, which royally pissed off the original userbase. Fun times.

Then Facebook appeared and everyone moved there.

It's still up, but it's more of a historical relic these days. Not sure who, if anyone, still uses it: https://irc-galleria.net/

Wikipedia: https://en.wikipedia.org/wiki/IRC-Galleria

Poland's social media of choice was "Nasza Klasa" (lit. "Our Class"), the American alternative was called "Classmates" as far as I know. It was intended as a service that let you re-unite with your old classmates, designed with the way the Polish school system worked in mind. It was used for far more than that though, and was quite popular among kids who were still at school.

We're still in that era with messaging apps somehow. WHile the local alternatives have mostly died out, the world is now a patchwork of WhatsApp, Messenger and Telegram, with islands of iMessage, Line, KakaoTalk and WeChat thrown into the mix. Most countries have basically standardized on one of these, but they can't agree on which one.

As another 90s preteen, sure, but the internet today has a lot more pedos and groomers online than in the 90s, and preteens today easily share footage of themselves to those adult weirdos, which didn't happen in the 90s because mostly limitations of technology.

BUt if you look at tiktok live it's full of preteen girls dancing, and creepy old men donating them money to the point where tiktok live is basically a preteen strip club. We can't ignore these obvious problems just because we grew up with internet in the 90s and turned out alright.

We have to separate kids from adults on the internet somehow even though i distrust age-verifications systems as they basically remove your anonymity but a solution is inevitable even though it will be faulty and unpopular and people will try to bypass it.

I think it's technically possible to build a privacy-preserving age verification. I also think it should be done by the government, because the government already has this information.

If laws need to be made about something it should be to punish those parents who neglect to safeguard their children using the tools already available to them.

If the parental controls currently provided aren’t sufficient then they should be modified to be so - in addition to filtering, they should probably send a header to websites and a flag to apps giving an age/rating.

This is a stopgap at best, and to be blunt, it's naive. They can go on their friends' phones, or go to a shop and buy a cheap smartphone to circumvent the parental controls. If the internet is locked down, they'll use one of many "free" VPN services, or just go to school / library / a friend's place for unrestricted network access.

Parents can only do so much, realistically. The other parties that need to be involved are the social media companies, ISPs, and most importantly the children themselves. You can't stop them, but they need to be educated. And even if they're educated and know all about the dangers of the internet, they may still seek it out because it's exciting / arousing / etc.

I wish I knew less about this.

Not if the rule includes easy rule circumvention. For example, if you could parent-control lock the camera roll to a white list of apps.

Want to post on social media so your friends would see? No can do, but you can send it to them through chat apps. Want to watch tik-tok? Go ahead. Want to post on tik-tok? It's easier to ask parent to allow it on the list, then circumvent, and then the parent would know that their child has a tik-tok presence, and — if necessary — could help the child by monitoring it.

The current options for parent control are very limited indeed. You can't switch most apps to readonly, even if you are okay with your child reading them — it's posting you are worried about.

But in ideal world there would be better options that would provide more privacy and security for the child, while helping parents restrict options if they fell their child isn't ready to use some of the functions.

It's weird how radicalized people get about banning books compared to banning the internet.

I don't think asking for age verification is the same as banning something. Which connection do you see between requiring age and free speech?

There isn't any way to achieve the same digitally.

I hope this becomes more widespread / standardized; the precursor for iDIN is iDEAL which is for payments, that's being expanded and rebranded as Wero across Europe at the moment (https://en.wikipedia.org/wiki/Wero_(payment)), in part to reduce dependency on American payment processors.

I'm personally more interested in the intuition people have when it comes to squaring rejecting age verification online while also accepting it in a multitude of other situations (both online and offline)

Personally I'm still trying to figure out where my position is when it comes to this whole debate because both camps have obvious pros and cons.

Secondly the parents need some similar education, either face-to-face education or information material sent home.

It will not prevent everything, but at least we cannot expect kids and parents to know about parental control features, ublock origin type tools or what dangers are out there.

We have to trust parents and kids to protect themselves, but to do that they need knowledge.

Of course some parents and kids don't care or do not understand or want to bypass any filters and protections, but at leaast a more informed society is for the better and a first step.

Yeah but many parents are stupid and want the government to force everyone to wear oven mitts to protect their kids from their poor/lack of parenting. What do you do then?

Remember how since a lot of men died in WW2 so kids were growing up in fatherless homes which led to a rise in juvenile delinquency, and the government and parents instead of admitting fatherless homes are the issue, the "researchers" then blamed it on the violent comic books being the issue, so the government with support from parents introduced the Comics Code Authority regulations.

People and governments are more than happy to offload the blame for societal issues messing up their kids onto external factors: be it comic books, rock music, MTV, shooter videogames, now the internet platforms, etc.

Without some data analysis I honestly don't know. Even before Internet (ex: FidoNet) there was plenty of very bad stuff out there, I don't see any clear reason why the pedos and groomers would have avoided it.

> We have to separate kids from adults on the internet somehow

I think what is much worse than in other mediums is the actual lack of a community that observes. In real life, for many cases, you would have multiple people noticing interactions between kids and adults (sports, schools, parks, shops, etc.), so actions might be taken when/before things get strange. On some of the social networks on the internet it is too much one-to-one communication which avoids any oversight.

So, for me, the idea of "more separation" seems to generate on the long term even more problems, because of lack of (healthy) interactions and a community.

There were not fewer pedos and groomers online in the 90s, you were just lucky to have avoided it.

Nowadays with the number of users of the internet converging slowly to the total populations, the percentages are probably converging as well.

The challenge with "protect the children" is not only evildoers targeting them, but targets actively seeking things out. They'll be the first ones looking for ways to circumvent age verification.

That said, I don't expect this to happen, switching is very hard for many reasons.

Historical precedent: prohibition.

Alternate future: the big websites start losing billions because people just use the internet less or not at all because it's a hassle with no return, and tax revenue drops. Then the politicians start to worry.

Even in the absence of democracy, public opinion affects politics.

US tech companies are constantly under FTC audit relating to how they use user data. This is certainly not something that needs to be seriously worried about, certainly less so than say the way in which cameras placed all over cities are used to track all sorts of people or storing GPS locations attached to a specific devices UUID.

So they moved away from collecting IDs because collecting IDs is a liability, and moved toward a system that's bypassable because it doesn't collect enough to verify. This isn't solvable without hardware attestation (App Attest, Play Integrity), which kills the browser flow and still doesn't prevent pointing the camera at a screen.

Age verification as a concept requires either trusting the client (spoofable), collecting sensitive data (breach liability), or binding to attested hardware (excludes platforms and users). Pick your poison. Every vendor in this space is just choosing which failure mode they prefer.

Using a government issued eID system. The EU is going to rollout eID in a way that a site can just ask “is this person > age xy?”. The answer is cryptographically secure in the sense that this person really is this age, but no other information about you has to be known by the site owner.

Which is the actual correct way to do it.

I don’t understand why all the sites go crazy with flawed age verification schemes right now, instead of waiting a until the eID rollout is done.

EDIT: I forgot to mention that it’s only the correct way if the implementation doesn’t give away to your government on which sites you browse… Which I believe is correctly done in the upcoming EU eID but I could be wrong about it.

Do they? The UK’s population is more than double of Australia’s and some websites (e.g. imgur) are outright blocking the UK.

While it's not without faults (services do not always support alternative authentication which may support foreigners having the right to live in the country), it has been quite reliable for so many years.

So just to say, you can have successful alternatives to a government controlled system as many actors may decide it is quite valuable to develop and maintain such a system and that it aligns with their interest, and then have it become a de-facto standard.

Do platforms want to counter it?

Seems to me with an unreliable video selfie age verification:

* Reasonable people with common sense don't need to upload scans of their driving licenses and passports

* The platform gets to retain users without too much hassle

* Porn site users are forced to create accounts; this enables tracking, boosting ad revenue and growth numbers.

* Politicians get to announce that they have introduced age controls.

* People who claimed age checks wouldn't invade people's privacy don't get proven wrong

* Teens can sidestep the age checks and retain their access; teens trying to hide their porn from their parents is an age-old tradition.

* Parents don't see their teens accessing porn. They feel reassured without having to have any awkward conversations or figure out any baffling smartphone parental controls.

Everyone wins.

* authorities get to selectively crack down on sites for not implementing "proper" age verification. The sites never had a widespread problem with grooming to begin with but just so happened to have a lot of other activity that the authorities didn't like.

Having everyone operate in a gray area is dangerous and threatens the rule of law.

It wouldn't be hard to imagine a situation where social media sites leaning towards the government (e.g. Truth Social, X or the like) will be getting a free pass on using age verification methods which are easy to bypass while social media sites that are more critical (e.g. Reddit) will be sanctioned into implementing the strictest and most privacy invading measures. The end result is that people choosing the path of least resistance will be lead to the government-leaning sites.

We already had a half-assed solution, where websites would require you to press the button that says "I am over 18". Clearly somebody decided that wasn't good enough. That person is not going to stop until good enough is achieved.

They're designed destroy anonymity to give the in group pretext to persecute the out group. It will be propagandized as accountability but it will be anything but.

The US is repealing section 230, and it appears to be a pretext for shutting down platforms that don't block anti–Trump speech. Australia has an age verification law that seems to actually be about keeping kids off social media.

Only if the lawmakers agreed.

> Reasonable people with common sense don't need to upload scans of their driving licenses and passports

Cue random bans.

> People who claimed age checks wouldn't invade people's privacy don't get proven wrong

And? Is that supposed to change anything?

I'm curious the sites that enforce this like 'your state has banned...' what traffic loss they have. Because I'm not gonna sign up for a porn site lmao, the stigma

My guess is that's probably one of the reasons Google tried to push for Play Store only apps, provide a measurable/verifiable software chain for stuff like this.

It's not the fancy structured light of phone-style Face ID, but it still protects against the more common ways of fooling biometrics, like holding up a photo or wearing a simple paper mask.

Maybe new ones are different but that’s how they used to be. Little Kinect devices, really, for sensing faces instead of whole people.

https://learn.microsoft.com/en-us/windows-hardware/design/de...

These cameras are considered a "secure biometric" device and AFAIK nobody has faked them. I've flagged the poster who said "try two flat images"

Hello there! It appears you are misapplying the flagging system. While the suggestion may be incorrect, it is not an "egregious comment".

In addition, your comment doesn't follow the Hacker News Guidelines:

https://news.ycombinator.com/newsguidelines.html

Don't feed egregious comments by replying; flag them instead. If you flag, please don't also comment that you did.

Have a great day!

I don’t this will happen in the US but I can see it in more privacy responding countries.

Apple and Google may also add some kind of “child flag” parents can enable which tells websites and apps this user is a child and all age checks should immediately fail.

Like, you’d enroll it by adding a DOB and the computer/phone/etc would just intentionally fail all compatible age checks until that date is 18 years in the past. To remove it (e.g. reuse a device for a non-child), an adult would need to show ID in person at Apple.

Government IDs could be used to do completely privacy preserving, basically OpenID Connect but with no identifying property, just an “isEighteenOrMore” property. However, i agree it’ll never happen in the US because “regular” people still don’t know how identity providers can attest without identifying, and thus would never agree to use their government ID to sign into a pornsite. And on top of all that yeah nobody trusts the government, basically in either party, so they’d be convinced the government was secretly keeping a record of which porn sites they use. Which to be fair is not entirely unlikely. Heck, they’d probably even do it by incompetence via logs or something and then have people get blackmailed!

I never put in my real birthday. It's just one more datapoint to leak in an inevitable hack and help scammers exploit me.

Just because a website sticks a field on a form, doesn't mean you need to fill it out.

I can think of maybe 1 website I use that has a legitimate use to know this info about me... and a dozen that use my fictious birthday for no other purpose than an excuse to market at me under the shallow guise of a 'Happy Birthday' email.

When it's actually required by some law or regulation (e.g. financial stuff) I give my actual birthday. But when some site is just wanting to comply with age verification? Yep, I'm over 30, so you don't need to see my identification. (Jedi hand wave).

IIRC, it went like this: the account creation screen prompted them for a birthdate. They entered a fictitious one and pretended to be over 13. (I saw my niece do this in front of me, and I just sighed a very heavy sigh. She was way more interested in Club Penguin.)

Then later, they let the cat out of the bag. They tell their friends "lol I'm only 10! Today's my birthday, so give me a hat!" or something. And so if they claimed they're 10 they got 3 years suspension.

I think there was never any verification done, and no verification was possible: think about it, under COPPA, a service in the USA cannot collect PII from children under 13, so what do you do when a kid gives you two contradicting datapoints? Err on the side of caution.

I gave Yahoo! a false birthdate when I signed up. I was 27, but I also just felt they weren't entitled to knowing it. However, I soon found that maintaining a fraudulent identity is tiresome and error-prone. And Yahoo! wouldn't let me simply change my birthdate as often as I wanted to.

I once had a conversation with a friend about cheating on IRS taxes. She said "can you lie to a piece of paper?" like fudging numbers wasn't like lying to an auditor's face. It was a rhetorical question, of course.

ID checks aren't very worthwhile if anyone can use any ID with no consequences.

How long would it take for someone's 18 year old brother to realize they can charge everyone $10 to "verify" everyone's accounts with their ID, because it doesn't matter whose ID is used?

The older brother could also rent an R (or x) rated movie, buy cigarettes, lighters, dry ice, and give them to the kids. The point of the age check is to prevent kids from getting access without an adult in the loop, not to prevent an adult from providing kids access

The "oh my god, think of the children" is similar to "oh my god, think of the terrorists". I am not saying all of this is propaganda 1:1 or a lie, but a lot of it is and it is used as a rhetoric tool of influence by many politicians. Both seems to connect to many people who do not really think about who influences them.

South Korea also has had various versions of this even going back to ~2004 I think.

That looks like it should make things like privacy compatible age verification "trivial".

In Japan, there are already multiple apps which use something like this to verify user's age via the "my number card" + the smartphone's NFC reader.

It's more or less impossible to forge without stealing the government's private keys, or infiltrating the government and issuing a fraudulent card.

Of course, the US isn't a functioning state, the people don't trust it with their identity and security and would rather simply give all their information to private companies instead.

Does this also leak your identity to the app?

If you use the _digital_ MyNa card (e.g. the one in the Wallet.app; not the plastic one); the iOS SDK lets you only request the "is user more than XX years old" flag; without getting the actual identity: https://developer.apple.com/documentation/passkit/requesting...

Now, AFAICT nobody actually does this, but the technical ability is there.

Credit cards don't have photos.

> How many Americans wouldn't be able to present a CC or ID?

The number of Americans who don't have a government issued photo ID is estimated around 1%. The number gets larger if you start going by technicalities like having an expired ID that hasn't been renewed yet.

The intersection between the 1% of 18+ Americans who don't have an ID and those who want to fully verify their Discord accounts is probably a very small number.

Same in the UK, but Steam uses credit cards for age verification there and refuses if you provide a debit card instead. Evidently the payment backends can tell credit and debit apart.

It sometimes asks for my age for viewing a game and I can input any ol' date I want to. It doesn't even flinch if I input a different date every time.

I also don't recall them asking about my age when I was actually underage and paid using a PaySafeCard, but then again they didn't have porn on the platform at that point either.

They only enforce it on the "mature sexual content" category, which mainly applies to porn games. For everything else, including the "some sexual content" category, they still just take your word for it.

Yeah those are parallel systems for reasons that amount to technical debt.

For DL alone:

>Data indicates that approximately 84% to 91% of all Americans hold a driver's license, with roughly 237.7 million licensed drivers in the U.S. as of 2023.

Add in an ID and Passport and we are likely closer to 99%

> Nearly 21 million voting-age U.S. citizens do not have a current (non-expired) driver’s license. Just under 9%, or 20.76 million people, who are U.S. citizens aged 18 or older do not have a non-expired driver’s license. Another 12% (28.6 million) have a non- expired license, but it does not have both their current address and current name. For these individuals, a mismatched address is the largest issue. Ninety-six percent of those with some discrepancy have a license that does not have their current address, 1.5% have their current address but not their current name, and just over 2% do not have their current address or current name on their license. Additionally, just over 1% of adult U.S. citizens do not have any form of government-issued photo identification, which amounts to nearly 2.6 million people.

From https://cdce.umd.edu/sites/cdce.umd.edu/files/pubs/Voter%20I...

> Additionally, just over 1% of adult U.S. citizens do not have any form of government-issued photo identification, which amounts to nearly 2.6 million people.

The rest of the statistic is about driver's licenses specifically, including technicalities like expiration dates and address changes. The online ID check for age verification don't care about the address part anyway, in my experience.

If someone has an expired drivers' license or they changed their name and haven't updated their IDs, they have bigger problems than age-verifying their Discord accounts.

I actually only renewed it to get medical care and because renewing the license was only a little more expensive than getting an ID-only card.

It did prevent me from using some porn sites because my state requires ID verification but many sites just ignore the requirement so I just didn't use the sites that required ID.

It’s less like a TLS handshake and more like OpenID for Verifiable Presentations (OID4VP). The "non-free" hardware requirement serves as Remote Attestation—it allows a verifier to cryptographically prove that the identity hasn't been cloned or spoofed by a script. The verification happens offline or via a standard web flow using the DMV’s public key to validate the data signature, ensuring the credential is authentic without requiring a phone-home to the issuer.

I think you're... missing the point of the pushback. People DO NOT WANT to be identified online, for fear for different types of persecution.

My guess is that 95% or more of all Discord users do not care and simply upload their selfie or ID card and be done with it. I know I will (although they did say that they expect 80%+ to not require verification since they can somehow infer their age from other parameters)

I've already cancelled my Nitro account. I'm quite active on a ~5k member programming server and we're giving Zulip another try. I think it's unlikely we'll stay on Discord.

Obviously anecdotal, but eventually this adds up.

This whole thing being "for the safety of kids" is obviously a farce just to get more user data because Nitro users supposedly will have to do the ID check as well, but if you're paying with a CC/Paypal, you are obviously of sufficient age to not require an ID check.

Are you a minority, LGBTQ+, etc or of a "different" political persuasion that might have any reason to be distrustful of the US government? If so, you probably wouldn't just "be done with it".

Yes but for completely different reasons: I will not bother to play the game and stop using the platform.

That's the endgame and what the EU really wants. No poasting unless they can arrest you for inconvenient memes.

Weird thing.. the people who want this validation fully expect for you to pay for, maintain, keep it valid, and pay for upkeep/service for their desires. Honestly, this is something that SHOULD get very aggressive pushback.. but most people accept for no reason.

Also, they will probably find that out, and the moment people do so, they become suspicious to state actors. I understand the rationale behind the work around you described; I just don't think it will be a huge factor. I see this elsewhere too - for instance, I use ublock origin a lot. But how many people world wide use it? I think never above 30%, most likely significantly fewer (or perhaps all anti-advertisement extensions, I think it most definitely is below 50% and probably below 30% too).

Ad-hoc identification can occur via other means like dynamic knowledge based authentication. The sources of this mechanism can be literally anything. Social media itself being one obvious source for the target cohort.

You can walk into many US financial institutions without an ID and still get really far using KBA workflows. The back office will hassle you for a proper scan of a physical ID, but you can often get an account open and funded with just KBA.

This basically only gets used for businesses that need a fig leaf for regulatory purposes. You know, $30 loans for uber eats and tiny loans like that.

In the nomenclature of Multi-Factor Authentication, "something you know" is one factor. So if you know a password and you have a hardware token, that's 2 factors and combining different types is the key to MFA.

Many "knowledge based authentication" tries to string together "things you know" without a different type, and that's a weakness.

However, it can be strengthened through various techniques. If a human is authenticating you in real-time, they may choose a factoid that an impostor is unlikely to know which may be agreed in advance. For example, the security questions combined with other challenges, or a "curve ball" that may elicit a stutter, pause, or prevarication. This is a dynamic method that bob refers to.

In fact, knowledge-based quizzes are used routinely by credit reporting agencies -- the big ones like Experian. And they've been presented by background check services, too. They work like this: they scrape your credit reports and public records in a deep dive for your old addresses, employers, contact info, a whole smorgasbord of stuff. Maybe attackers know some of it. But it's multiple choice: "which of these did you live at? None of the above? All of them?" "Which one of these wasn't your employer?" And the attacker would need to have the same list of public records, and also know the wrong answers! Knowing the wrong answers is the "curve ball" here! How many attackers know that I didn't work for Acme, Inc, and I never lived in San Antonio?

It's also worth pointing out that I've opened at least 3 bank accounts without setting foot in a bank. Even if yours is brick-and-mortar, they probably have a flow on their website for account creation and funding. It is not difficult to satisfy their ID requirements. If they glitch, then you're just flagged a bit, and you follow up as instructed. I've also authenticated identity to the federal government agencies, and accessed several DMV services, using only the apps and websites.

People may feel reticent about establishing their identity online, but isn't it better that you do it first before someone else does? If your identity is known and registered and builds up data points that correspond to you, aren't you less likely to be a victim of fraud or identity theft when things don't add up?

Yes - and they don't work.

> They work like this: they scrape your credit reports and public records in a deep dive for your old addresses, employers, contact info, a whole smorgasbord of stuff.

Most of which don't work on an 18-year-old. No credit history, no past employers, no bill payments, no history of moving houses, address is their parents' house.

There is no smorgasbord. There's name, date of birth, parents' address - all of which are widely known matters of public record (which is why the credit rating agency has them in the first place).

> But it's multiple choice: "which of these did you live at? None of the above? All of them?" "Which one of these wasn't your employer?"

Fantastic, the credit rating agency has just told the fraudster several of your past addresses, and your past employers.

Sure, there's a phony or two in the list - but the fraudster can try as many times as they want, comparing employer and address lists between different credit applications.

There are a lot of countries and US states where such validation is possible.

Given the state is mandating these checks, it only makes sense that the state should be responsible for making it possible to perform these checks.

Gross.

(I'm not verifying anywhere unless required for official business. Still have my non-KYC sim for people)

The issue is that age verifiers (like Discord) are not really trying.

See: Login.gov (USPS offline proofing) and other national identity systems.

(digital identity is a component of my work)

That's going to be a no from me, dawg. I'm sympathetic to ID checks like if you're buying beer or whatever, but not linking my real life identity to discord or whatever.

Pornhub is fighting state age verification and keeps losing state by state, for example.

They also have you move your head in multiple directions.

It would be interesting to see a model completely indistinguishable from a real human in behavior, as well as real-time reflection off different surfaces, etc.

The next step would be to make a complete digital clone of a person based on surreptitiously recording them with hidden cameras. I doubt it's possible.

We had facerig for over a decade now. Facefilter recently. It's not hard anymore.

Your better bet would be to generate a face as an image and then you can easily generate that same face in different expected poses and conditions. You can then use existing models where you get to select the starting image and the ending image. Add some filters and noise to just make it look like normal crappy low light camera.

As for the color that's another expected condition and can be overlayed or pre-generated.

{"error":"error parsing webview url"}

Edit: Apparently my discord account is in some kind of A/B feature test that uses a different verification provider, Persona

There is no alternative for Discord for bigger groups.

If there was, I still couldn’t move multiple social circles to it, no matter how much I evangelised.

The “just don’t use the less morally aligned platform” argument has always been valid only for those without a strong need for it, whether it’s X or Discord.

Are you saying that people who don't talk to their friends over Discord don't have friends?

Is that a statement you genuinely find reasonable?

Signal for direct messaging and calls

1. Removes the pain of age verification, encouraging some people to stay in the proprietary walled garden when everyone would be better served by open platforms (and network effects).

2. Provides a pretext for more invasive age verification and identification, because "the privacy-respecting way is too easily circumvented".

3. Encourages people to run arbitrary code from a random Web site in connection with their accounts, which is bad practice, even if this one isn't malware and is fully secure.

The code was released, therefore it is not arbitrary (problem #3). Should companies react with more invasive techniques (problem #2), users can always move to other platforms (problem #1).

Oh cool, which ones?!

…aaaand there's the problem.

There are multiple open-source tools that do everything Discord does. There are few-to-none that offer everything Discord does, and certainly none that are centralized, network-effect-capture-ready.

Short term:

* Small group chats with known friends: Signal, whatsapp, IRC, Matrix

* Community chat: Zulip, Rocket.chat

* Community voice: Mumble, Teamspeak

* Video / screen sharing and voice chat: Zoom, BigBlueButton, Jitsi

I've heard about Stoat but haven't read up on it.

But in practice, this only holds if regulators are either inattentive or satisfied with checkbox compliance. If a government is competent and motivated, this approach won’t hold up—and it may even antagonize regulators by looking like bad-faith compliance.

I’ve also heard that some governments are already pushing for much stricter age-verification protocols, precisely because people can bypass weaker checks—for example, by using a webcam with partial face covering to confuse ID/face matching. I can’t name specific vendors, but some providers are responding by deploying stronger liveness checks that are significantly harder to game. And many services are moving age verification into mobile apps, where simple JavaScript-based tricks are less likely to work.

...source?

I sincerely doubt that Discord's lawyers advocated for age verification that was hackable by tech savvy users.

It seems more likely that they are trying to balance two things:

1. Age verification requirements

2. Not storing or sending photos of people's (children's) faces

Both of these are very important, legally, to protect the company. It is highly unlikely that anyone in Discord's leadership, let alone compliance, is advocating for backdoors (at least for us.)

narrator> And that's when he discovers his account has now been hacked...

;)