Ultimately I think this is about as good of a response as they could have given without completely abandoning the concept -- and I think they're right to point out that they can't completely...
Ultimately I think this is about as good of a response as they could have given without completely abandoning the concept -- and I think they're right to point out that they can't completely abandon the concept of age verification due to the existence and proliferation of this type of legislation. Assuming they're telling the truth here, I think this is about the best I could expect from them (and I'm really glad they're publishing the technical details of their automatic age verification).
Seems sensible. Still, if Discord asks my name, I'm out. It's not like I'm using it very much anyway. I know it's a different thing for people whose communities live in Discord.
For 90%+ of users, nothing changes. Most users never access age-restricted content or change their default safety settings.
If you're among the less than 10% of users who do need to verify, we'll give you options, designed to tell us only your age and never your identity. And if you choose not to verify, here’s exactly what happens: you keep your account, your servers, your friends list, your DMs, and voice chat. The only thing that changes is you won't be able to access age-restricted content or change certain default safety settings designed to protect teens. Nothing else about your Discord experience changes.
Seems sensible. Still, if Discord asks my name, I'm out. It's not like I'm using it very much anyway. I know it's a different thing for people whose communities live in Discord.
Seems sensible until "age-restricted" starts to expand from "just porn" to "R rated media content" to "Tiktok filtering of 'foul' language that might hurt out ad revenue" to "LGBT stuff". This...
Seems sensible until "age-restricted" starts to expand from "just porn" to "R rated media content" to "Tiktok filtering of 'foul' language that might hurt out ad revenue" to "LGBT stuff". This stuff always escalates if you give it an inch.
I also do want to point out the notion here that this does in fact do nothing to "protect teens". Take Roblox for example; a person who would want to lure a teen into some chat room would not be impeded by age verification in the slightest.
This is true of everything though. It’s fine until you push it to the point where it’s not. So you just stop using it once it’s not instead of catastrophizing about how everything could...
This is true of everything though. It’s fine until you push it to the point where it’s not. So you just stop using it once it’s not instead of catastrophizing about how everything could potentially be a theoretical step towards doing something else that there isn’t much indication they’re doing.
It’s not even like they couldn’t just lock out LGBT content now if they wanted, that’s a control on the content rather than the identity of the viewers. All this would do is enable them to lock it out only for <18 users rather than globally.
I've been through this enough times that I'd rather take proactive steps early on to get off the train instead of riding it into the wreck. Especially in current times. I probably can't stop the...
Exemplary
It’s fine until you push it to the point where it’s not.
I've been through this enough times that I'd rather take proactive steps early on to get off the train instead of riding it into the wreck. Especially in current times. I probably can't stop the wreck, but I can tell others of how this has usually lead to one and hope some understand.
It's better to try and warn early because that lets other competition pop up before the market capture. Once the wreck happens and you have livelihoods and even governments relying on this platform, you are basically locked in, involuntarily. My local represenatives really shouldn't be relying on private platforms as their sole source of communicating with its citizens, but that's a much larger issue to tackle (meanwhile, we can't even get people to agree that CSAM is bad these days. It's going to be a while).
It’s not even like they couldn’t just lock out LGBT content now if they wanted, that’s a control on the content rather than the identity of the viewers.
They always boil the frog. They won't ever publicly announce such a thing.
All this would do is enable them to lock it out only for <18 users rather than globally.
Or anyone who may feel vulnerable to an oppressive government that does not want to give out data that they browse LGBT content.
The “proactive step” would have been not getting onto a centralized platform hosted on someone else’s computer in the first place. As soon as you do that you’re in basically a semi-public zone...
I've been through this enough times that I'd rather take proactive steps early on to get off the train instead of riding it into the wreck.
The “proactive step” would have been not getting onto a centralized platform hosted on someone else’s computer in the first place. As soon as you do that you’re in basically a semi-public zone where you don’t have much expectation of absolute privacy.
They always boil the frog. They won't ever publicly announce such a thing.
They don’t “always boil the frog” actually. If anything, they tend to try and move out way too aggressively, get way over their skis, and never fucking shut up about their plans to do evil for the sake of doing evil. The people wanting to do this stuff are clownish caricatures, not secret shadowy puppet-masters.
Or anyone who may feel vulnerable to an oppressive government that does not want to give out data that they browse LGBT content.
Age verification doesn’t meaningfully bring that any closer or farther away though. They literally can identify you right now if you’re a person of interest unless you’re taking pretty extreme measures to obfuscate your identity, which isn’t really something one would do on Discord in the first place.
Indeed. But network effects are a pain and I'm into such niche games that there's barely even subreddits about them. Discord, Twitter, and Facebook tend to be the only places reporting news on...
The “proactive step” would have been not getting onto a centralized platform hosted on someone else’s computer in the first place. As soon as you do that you’re in basically a semi-public zone where you don’t have much expectation of absolute privacy.
Indeed. But network effects are a pain and I'm into such niche games that there's barely even subreddits about them. Discord, Twitter, and Facebook tend to be the only places reporting news on such things. So, like political parties, I picked the least painful poison.
The other more painful end on my other IRL account is that Discord was my compromise (pre-bluesky) between the same 3 platforms for my local gamedev scene. Hopefully that one is slowly shifting.
If push comes to shove I can go back to being a hermit forgoing anything slightly mainstream. But I'm not sure if that phase of my life is the best for my social and mental health.
They don’t “always boil the frog” actually. If anything, they tend to try and move out way too aggressively
I suppose it's relative. If you're in tune with the news they are surprisingly vocal about plans. But it's more like they are taking steps bit by bit to eat away at their true endgoal. Here, Discord's endgame is to prepare for IPO, and this is likely not the last step taken to make that go smoothly (in their eyes).
They literally can identify you right now if you’re a person of interest unless you’re taking pretty extreme measures to obfuscate your identity,
I don't disagree. But I won't make it easy for them by simply handing them my ID. They'll need to work for it.
I suppose it's the same kind of separate as having a whois lookup (because, say, you run a business and you need to report some info) and having it on blast from some influence on social media. it isn't technically "doxxing" in the traditional sense, but 99%+ people won't take the steps to do that search to begin with. Many may not even know what whois is.
If you aren't and just want to use something to talk to friends, it can be very sudden hearing "hey we are going to do age verification" a few weeks back. Those really paying attention would see vague aspects of this coming when hearing of the change in management.
we really need a better form of verification that is not uploading your face or id directly to these companies… something through the government that gives a simple code that returns a list of...
we really need a better form of verification that is not uploading your face or id directly to these companies… something through the government that gives a simple code that returns a list of restrictions or not.
There’s been some decent conversation in cryptography circles about some kind of zero-knowledge proof system. It would require a trusted authority to verify your age one time, and they would issue...
There’s been some decent conversation in cryptography circles about some kind of zero-knowledge proof system. It would require a trusted authority to verify your age one time, and they would issue you a digital token. After that, the token could be used to answer a specific question like “is the bearer of this token older than X age?” and return an authenticated yes or no without leaking your birthdate or any other information to the asker.
By itself, it doesn’t solve the problem of guaranteeing the token-bearer is the person it was issued for, but it’s by far the most privacy-respecting option and makes all these face-scanning, ID-retaining startups look like overengineered ticking time bombs.
It seems like a really robust system could be built atop zk-SNARKs… and in the meantime I’m personally not comfortable with any alternatives to that.
In Portugal, this is how the age verification system is being implemented. We already have a system to sign in online with our real ID. They call it a digital key, and it basically lets a site...
In Portugal, this is how the age verification system is being implemented.
We already have a system to sign in online with our real ID. They call it a digital key, and it basically lets a site access certain legal information about you (what information is being shared is displayed to you before you press accept) to verify your real identity. This system is typically used by government sites and banks, since those are the two places that actually require strong verification.
What they're going to do for age verification is repurpose this already existing system (read: create a separate pipeline specifically just for age verification, so sites don't have the API permissions to request any other info) so that all a website gets when they check your age is a yes or no. They don't get the actual age, only a token. The government's database is the only one that has this info and never passes it along. They're the only ones allowed to keep your data, which you've already given them when you were born and registered as a citizen anyway.
As far as systems goes, this is the one that seems the most sensible and I'm glad I won't have to upload a photo of my ID to a random website, something I'll never do regardless.
The CMD-based legislation that they literally rushed through when everybody was busy dealing with a natural catastrophe is not great because almost no one is going to invest money into...
The CMD-based legislation that they literally rushed through when everybody was busy dealing with a natural catastrophe is not great because almost no one is going to invest money into implementing a system just for Portugal, especially when the EU-wide one is coming in 1-2 years. They will just geoblock the country.
That said, if Discord is set on allowing multiple competing identification providers that users can choose from by name, they just might be among the few platforms to implement ours too. It's one of the best things they seem intent on doing (unless they're lying about it), promoting transparency and competition in the space.
If they can't respect our privacy, let them block the country. It should not be one or the other. It should absolutely not be legal for websites, especially foreign ones, to ask for a photo of you...
If they can't respect our privacy, let them block the country. It should not be one or the other. It should absolutely not be legal for websites, especially foreign ones, to ask for a photo of you or your ID to prove you're an adult. This is highly sensitive information that at no point should be available in the pipeline, no matter how many promises of "everything is done locally" they make.
I understand there is inconvenience, but we should push back on this concept and only allow for zero-knowledge, privacy respecting options when it comes to the handling of our real data. EU-wide implementations should all follow these models too.
Sure, but they could also have respected our privacy by just not demanding any form of age verification whatsoever for another year while waiting for the EU solution, and then we could have kept...
Sure, but they could also have respected our privacy by just not demanding any form of age verification whatsoever for another year while waiting for the EU solution, and then we could have kept using the services in question!
Well, we'll see how it goes. Maybe the law just won't be enforced properly. These laws tend to be enforced mostly against very large coporations that are easy to extract billions in fines from.
Under that implementation, does your government get a request from the site you're attempting to access? i.e., is your privacy only being protected from corporations?
Under that implementation, does your government get a request from the site you're attempting to access? i.e., is your privacy only being protected from corporations?
The irony is that the American reflexive aversion to government data collection or identification of any kind ends up making our PII less secure as we yield up all the information to each and...
The irony is that the American reflexive aversion to government data collection or identification of any kind ends up making our PII less secure as we yield up all the information to each and every service provider who all sell it to the same handful of data brokers on the back end. But it’s not the government so it’s fine, it’s just Mark Zuckerberg. . .
. . .who sells it back to the government anyway with fewer data protections, transparency, audit, or oversight than if it was just done by a public agency.
As someone who formerly worked for a company that is pretty much a "overengineered ticking time bomb" I think it's just a hard problem to solve, especially in a reusable way.
As someone who formerly worked for a company that is pretty much a "overengineered ticking time bomb" I think it's just a hard problem to solve, especially in a reusable way.
shit -- better than the current systems. It seems like a fairly easy solution to a very compromising problem. It solves so many issues -- like the absolute gong show that is the social security...
shit -- better than the current systems. It seems like a fairly easy solution to a very compromising problem. It solves so many issues -- like the absolute gong show that is the social security numbers etc.
I'm definitely not an expert or knowledgeable in cryptography but just out of curiosity though, what's stopping someone from sharing said token with friends or having data brokers tie that token...
I'm definitely not an expert or knowledgeable in cryptography but just out of curiosity though, what's stopping someone from sharing said token with friends or having data brokers tie that token to an individual's identity?
Also what's stopping the "trusted authority" from tracking who's asking about ages and/or any leaks that happen as a result of that.
I'm not an expert either but as I understand it, the token would basically be like a private key, stored in an encrypted hardware vault on the user's device, probably a smartphone. You'd need to...
I'm not an expert either but as I understand it, the token would basically be like a private key, stored in an encrypted hardware vault on the user's device, probably a smartphone. You'd need to have the device on you to perform the age check, because the token can't be exported from it — or maybe there's some fancy device-to-device protocol for transferring it from one to another in a controlled way. The point is, you can't just copy-paste it in plaintext to your friends. But neither can a third-party read your token directly and use it to track you.
The actual age check would probably happen in your smartphone, in the wallet app you use to manage the token. I'm spitballing the details here, but I think the service that wants to check your age would probably display a special QR code that you scan with the wallet app. The wallet app would then do the check on your device in a verifiably tamper-proof way, and send the service the result. It would probably feel similar to registering for TOTP authentication using an app like Google Authenticator or Okta or Duo, if you're familiar with any of those.
The trusted authority would perform the role of a certificate authority, basically their job would be to vouch for the truthfulness of the age assertion, putting their own credibility (and accreditation, licenses, etc.) on the line. Every token they issue would be stamped with their certificate, so if word got out that one of them was being naughty they could have their privileges revoked and be put out of business (and all tokens previously stamped by them would stop working). So they have a good incentive to keep their noses clean. But even in that scenario, they would never be able to see whose age has been validated or by whom. The risk would be more like if, after they initially checked your ID to create the token, they secretly kept a copy of it somewhere. But that's more of a traditional threat than anything cryptography-related. More or less as risky as when you hand over your driver's license to the guy at the liquor store.
There are some downsides, firstly that it would require a compatible device and there will always be people who don't or can't have one. I imagine cheaper, smartphone-free alternatives could exist but I don't know what those would look like. Then there's the issue that you could just give your friend your phone so they can pass the age test with your token. I'm sure the wallet apps would have biometric locks on them, the same way contactless payment systems need to be unlocked with Face ID or a fingerprint (though I think those usually fallback to passcodes, which are shareable).
If someone's determined enough, there are always going to be ways to try to get around any system. The next invention after the ID was the fake ID and that's still not a solved problem. But IMHO this is the best sort of approach that's been proposed. I think it would be at least as effective as in-person POS age verification is right now, which most people seem to be satisfied with. And of course this doesn't come with any of the frankly horrific problems all these other emerging systems are sitting on.
Ironically, the age verification system that the EU proposed is something like that: https://digital-strategy.ec.europa.eu/en/policies/eu-age-verification I'm, on principle, not against age...
I'm, on principle, not against age verification. I'm part of a group that runs a very adult server, and we currently manually age verify people through an app called Yoti or, you guessed it, receiving selfies and ID photos. The discord server in question is very much pornographic and we need to be 100% sure that people participating are above 18.
I think age verification makes sense for spaces that can't be easily replicated, like social media. I think it makes very little sense to for porn sites, because porn is incredibly easy to find anywhere on the internet.
But the way I, as a EU citizen, am currently forced into using some random fuckoff US company with likely terrible data privacy is frankly speaking ridiculous. Unfortunately, these companies want to do the minimum they need to, so they want a global one size fits all solution instead of using the solutions that some countries already provide.
in my province we have an app for 2FA for a lot of government sites — no reason this couldn’t be extended. i’d be in favor of a universal standard but everybody running their own — like drivers...
in my province we have an app for 2FA for a lot of government sites — no reason this couldn’t be extended. i’d be in favor of a universal standard but everybody running their own — like drivers licenses.
i absolutely don’t want some US company being i. charge if the thing — or any company at all.
it’s scary how much personal information is not only compromised but never really re-privatized (eg dna)
The server is a writing and DnD server with an pornographic and kink focus. We maintain a whole homebrew system, but if you just want to write/roleplay, like me, then you are also very welcome! If...
The server is a writing and DnD server with an pornographic and kink focus. We maintain a whole homebrew system, but if you just want to write/roleplay, like me, then you are also very welcome! If that appeals to you I can DM you an invite link. :]
In the US a parent/guardian can add a minor to an account and they can have a credit card issued in the minor's name (since it's technically illegal to use a card not in your name). I imagine...
In the US a parent/guardian can add a minor to an account and they can have a credit card issued in the minor's name (since it's technically illegal to use a card not in your name). I imagine there are also provisions for emancipated minors. To a vendor, the minor appears as a valid credit card holder. A vendor would be unaware who is the primary account holder.
You can also open a bank account in most (all?) states at 16 with parental/guardian approval and be issued a debit card. Debit cards do appear as debit and not credit to a vendor, but they wouldn't be able to determine the age.
Things might have changed in the 20+ years since I was that age with a credit card and debit card though.
Many adults also may not be able to get credit cards if they have bad credit. It also still has the same issue of de-anonymization, which is the real point of all of this: monitoring and control...
Many adults also may not be able to get credit cards if they have bad credit. It also still has the same issue of de-anonymization, which is the real point of all of this: monitoring and control of speech for fascist ends.
This was never a problem that needed solving, merely a manufactured hysteria to ram though tools for controlling the public and further shaping public discourse.
discord can take CCs but not every adult has one. balooga's method really would solve the problem. It also takes the auth away from visa's near monopoly.
discord can take CCs but not every adult has one. balooga's method really would solve the problem. It also takes the auth away from visa's near monopoly.
It depends on the specific law whether or not that works. The UK’s OSA allows credit card existence as verification, but the laws from US states do not.
It depends on the specific law whether or not that works. The UK’s OSA allows credit card existence as verification, but the laws from US states do not.
Like sparkle said, children have cards in their name as authorized users of a parent's credit card. My son is less than a year old and has a card in his name (to give him a head start on building...
Like sparkle said, children have cards in their name as authorized users of a parent's credit card. My son is less than a year old and has a card in his name (to give him a head start on building credit, if you're wondering why.)
That's the silliest part of this all. I was paying for Nitro for some 4 years now, and they're happy to take money from me without verifying my age. I cancelled that, of course. clearly whatever...
That's the silliest part of this all. I was paying for Nitro for some 4 years now, and they're happy to take money from me without verifying my age.
I cancelled that, of course. clearly whatever data they get from this supersedes the losses from all the subscriptions being dropped. I guess having a surveillance system is more attractive for IPO than actual paying customers.
Well I think the pause is because the losses were more than they expected. Maybe with a little embarassment at Persona being breached. That said, they're probably hoping by waiting they can...
I cancelled that, of course. clearly whatever data they get from this supersedes the losses from all the subscriptions being dropped.
Well I think the pause is because the losses were more than they expected. Maybe with a little embarassment at Persona being breached.
That said, they're probably hoping by waiting they can eventually have their cake and eat it too.
I don’t want the government knowing that I am on an 18+ discord chat though. I don’t want the government knowing much about me really, unless there’s a pressing need. My online content consumption...
I don’t want the government knowing that I am on an 18+ discord chat though. I don’t want the government knowing much about me really, unless there’s a pressing need. My online content consumption is not a pressing need. It’s not a pressing need for my kids either, since I am actively parenting them.
well, yeah -- there are always communities that fly under the radar. I wouldn't even use discord for 18+ stuff now. Ultimately, we really do need a way to tumble IDs so we can have all the...
well, yeah -- there are always communities that fly under the radar. I wouldn't even use discord for 18+ stuff now.
Ultimately, we really do need a way to tumble IDs so we can have all the benefits of verification but retain the anonymity.
I'm not sure how interesting or meaningful this is, but I know a lot of people were discussing this before implementation, so I thought people might like to see this, although I don't know if it...
I'm not sure how interesting or meaningful this is, but I know a lot of people were discussing this before implementation, so I thought people might like to see this, although I don't know if it really resolves concerns, or just minimizes them.
I mean, in the end, it’s driven by laws written in the UK, many EU countries, Australia, many US states, with more being drafted. There’s no escaping from laws. The only way to stop such things is...
I mean, in the end, it’s driven by laws written in the UK, many EU countries, Australia, many US states, with more being drafted.
There’s no escaping from laws. The only way to stop such things is at the ballot box.
Any open source alternative would also be subject to things like the UK’s OSA. Just see large mastodon servers.
Discord wanted to be a good boy to get ahead of more laws (see: Reddit being fined by the UK for not doing ID verification of age), but this reversal will only be temporary. As a company, they have to follow laws.
Companies need to flex their influence and just start geoblocking areas with such legislation. Don't comply with the laws, take the toy away for everyone in the bad jurisdictions until people...
Companies need to flex their influence and just start geoblocking areas with such legislation. Don't comply with the laws, take the toy away for everyone in the bad jurisdictions until people remove those responsible for the legislation.
I agree because I disagree with internet identification. I also can't deny that it would set a bad precedent. There have been so many consumer friendly laws enforced by the EU that I benefit from,...
I agree because I disagree with internet identification. I also can't deny that it would set a bad precedent. There have been so many consumer friendly laws enforced by the EU that I benefit from, I'd hate for these companies to "just flex" and ignore those laws just cause they can.
If any and all international compliance breaks down there's nothing left.
The laws don't require to have a private citizen database on record. As long as none of these solutions are (legally) promising methods that can't be comproimised in a data leak (one that a third...
There’s no escaping from laws.
The laws don't require to have a private citizen database on record. As long as none of these solutions are (legally) promising methods that can't be comproimised in a data leak (one that a third party had a recently as 2 weeks ago), the true purpose of these methods are not for "protecting the children".
There's also no indication that such a thing is being built? Does it matter? You have to follow the laws of the country you're operating in. So far, none of the governments who passed and enforced...
The laws don't require to have a private citizen database on record.
There's also no indication that such a thing is being built?
As long as none of these solutions are (legally) promising methods that can't be comproimised in a data leak (one that a third party had a recently as 2 weeks ago), the true purpose of these methods are not for "protecting the children".
Does it matter? You have to follow the laws of the country you're operating in. So far, none of the governments who passed and enforced such laws have offered a secure way to validate identity. They just say you have to do it, or else (you get fined into oblivion). There's murmurings of a zero-proof system in the EU, but it doesn't exist yet, so somewhat of a moot point.
Countries are capable of passing bad laws. When it happens, I blame the governments for passing them and the voters who support it.
https://fortune.com/2026/02/24/discord-peter-thiel-backed-persona-identity-verification-breach/ Already built. Already hacked. I want reassurance that this will not be the case. Yes. Honesty and...
There's also no indication that such a thing is being built?
Already built. Already hacked. I want reassurance that this will not be the case.
Does it matter?
Yes. Honesty and integrity still matters to me, even if my country disagrees these days.
There's no federal law as of now and my state has no law. I'd like to keep it that way. But even if we were to go that way I will call out a slop job not living to the spirit of the law.
Countries are capable of passing bad laws
And companies don't need to enforce bad laws in countries without them.
Maybe it's time to admit that China was right and the internet experiment has failed. Without specific channels to communicate internationally we should just put up the borders we knew were coming. At some point it will be impossible to operate any mid-large site without such borders, so let's skip all the compromises.
That was neither a breach nor anything weird. All US companies have to file SARs per the BSA, and are actually prohibited by that same law from disclosing that they file for SARs. You will never...
That was neither a breach nor anything weird. All US companies have to file SARs per the BSA, and are actually prohibited by that same law from disclosing that they file for SARs.
You will never get this reassurance, because you cannot run or operate a company in the US and not be subject to the Banking Security Act. And not just that, companies are legally prohibited from disclosing that they are subject to the Banking Security Act.
"Breach" is definitely debatable when they leave the endpoint wide open like that.
"We didn’t even have to write or perform a single exploit, the entire architecture was just on the doorstep," claims the team.
but it goes well into "anything weird".
"53 megabytes of unprotected source maps on a FedRAMP government endpoint, exposing the entire codebase of a platform that files Suspicious Activity Reports with FinCEN, compares your selfie to watchlist photos using facial recognition, screens you against 14 categories of adverse media from terrorism to espionage, and tags reports with codenames from active intelligence programs.
Yes, all that is needed to make sure you are of age to look at pictures of naked people on a chat app.
You will never get this reassurance
Then they will never get my approval. Especially when in the span of 4-8 years, SARs can change to "I upvoted a comment on reddit back in 2018 that happened to disagree with the current party in power". I'll repeat that this is an app mostly for people chatting about video games, not a mission critical banking app.
I give Apple a lot of flak for their entire paradigm of software, but if nothing else they do (or did for a while) truly live up to their name of "security" in the face of federal scrutiny. The 4th amendment exists for a reason in my country.
It’s required to operate as a company in the US. If you take in KYC information, you have to file SARs when you see them. Who’s they? If it’s the US government, fair enough. If it’s discord, seems...
Yes, all that is needed to make sure you are of age to look at pictures of naked people on a chat app.
It’s required to operate as a company in the US. If you take in KYC information, you have to file SARs when you see them.
Then they will never get my approval.
Who’s they? If it’s the US government, fair enough. If it’s discord, seems like barking up the wrong tree?
And Discord doesn't need to KYC. The payment processor does for Nitro. But AFAIK that is a third party service. The government for trying to sneakily violate my rights, and Discord for trying to...
It’s required to operate as a company in the US.
And Discord doesn't need to KYC. The payment processor does for Nitro. But AFAIK that is a third party service.
Who’s they?
The government for trying to sneakily violate my rights, and Discord for trying to pre-emptively comply when there is no need to. 2025's shown me a lot of companies will happily do that.
Like I said, I'd rather skip the tiptoes and fully region lock the internet if this is going to be the next decade of cat and mouse. I'm just fine going to smaller, semi-anonymous platforms like Tildes if anything bigger needs to surrender to government survellance.
Yes.
In the end it boils down to “we’re waiting until we can try convince you to be less mad”. The same concerns still exist, and if their plan in the second half of the same year is to just try the...
In the end it boils down to “we’re waiting until we can try convince you to be less mad”. The same concerns still exist, and if their plan in the second half of the same year is to just try the same with more time spent on blog posts, I don’t see why the reaction should be different
This feature should also go a long way to help manage servers without age gating channels.
This feature should also go a long way to help manage servers without age gating channels.
A new spoiler channel option. We know many communities use age-restricted channels not for adult content, but for topics people prefer to engage with on their own terms: spoilers, politics, and heavier conversations. We’re building a dedicated spoiler channel option so communities don’t have to age-gate their server just to give members that choice.
I don't really understand why there needs to be a special feature for this. If you don't want to engage with a channel, you already have the ability to mute or hide it. Two different ways. Why do...
topics people prefer to engage with on their own terms
I don't really understand why there needs to be a special feature for this. If you don't want to engage with a channel, you already have the ability to mute or hide it. Two different ways. Why do we need a third?
At least one FFXIV server I'm on does this as a way to have a space to discuss upcoming events / recent story. Prior to age restrictions being rolled out, it was an easy way to separate out the...
At least one FFXIV server I'm on does this as a way to have a space to discuss upcoming events / recent story.
Prior to age restrictions being rolled out, it was an easy way to separate out the odd channel without introducing role bloat.
Again, we just have a channel called spoilers for this purpose. If users click on a channel called spoilers, that’s on them. If they click on a channel called “heavy topics” they can’t be...
Again, we just have a channel called spoilers for this purpose. If users click on a channel called spoilers, that’s on them. If they click on a channel called “heavy topics” they can’t be surprised when there’s triggering things in there. They don’t need any additional gating.
Of course I will use this feature if it works properly because why not, but I do think at a certain point people need to be responsible for their own online experience.
And, under the UK law, channels where self harm and eating disorders are discussed would need to also be age gated anyways.
Am I the only one who’s having a hard time seeing how these new age-verification laws actually protect minors? From what I understand, adults will still be able to access everything kids can. And...
Am I the only one who’s having a hard time seeing how these new age-verification laws actually protect minors?
From what I understand, adults will still be able to access everything kids can. And if verified spaces become adults-only, doesn't that just create a separate hangout for adults while pushing minors into fewer remaining spaces and potentially making those spaces more risky for them? I'm totally on board with keeping teens out of explicitly adult channels. I just don't see how this aproach tackles the real problem, unless I'm missing something.
Ultimately I think this is about as good of a response as they could have given without completely abandoning the concept -- and I think they're right to point out that they can't completely abandon the concept of age verification due to the existence and proliferation of this type of legislation. Assuming they're telling the truth here, I think this is about the best I could expect from them (and I'm really glad they're publishing the technical details of their automatic age verification).
Seems sensible. Still, if Discord asks my name, I'm out. It's not like I'm using it very much anyway. I know it's a different thing for people whose communities live in Discord.
Seems sensible until "age-restricted" starts to expand from "just porn" to "R rated media content" to "Tiktok filtering of 'foul' language that might hurt out ad revenue" to "LGBT stuff". This stuff always escalates if you give it an inch.
I also do want to point out the notion here that this does in fact do nothing to "protect teens". Take Roblox for example; a person who would want to lure a teen into some chat room would not be impeded by age verification in the slightest.
This is true of everything though. It’s fine until you push it to the point where it’s not. So you just stop using it once it’s not instead of catastrophizing about how everything could potentially be a theoretical step towards doing something else that there isn’t much indication they’re doing.
It’s not even like they couldn’t just lock out LGBT content now if they wanted, that’s a control on the content rather than the identity of the viewers. All this would do is enable them to lock it out only for <18 users rather than globally.
I've been through this enough times that I'd rather take proactive steps early on to get off the train instead of riding it into the wreck. Especially in current times. I probably can't stop the wreck, but I can tell others of how this has usually lead to one and hope some understand.
It's better to try and warn early because that lets other competition pop up before the market capture. Once the wreck happens and you have livelihoods and even governments relying on this platform, you are basically locked in, involuntarily. My local represenatives really shouldn't be relying on private platforms as their sole source of communicating with its citizens, but that's a much larger issue to tackle (meanwhile, we can't even get people to agree that CSAM is bad these days. It's going to be a while).
They always boil the frog. They won't ever publicly announce such a thing.
Or anyone who may feel vulnerable to an oppressive government that does not want to give out data that they browse LGBT content.
The “proactive step” would have been not getting onto a centralized platform hosted on someone else’s computer in the first place. As soon as you do that you’re in basically a semi-public zone where you don’t have much expectation of absolute privacy.
They don’t “always boil the frog” actually. If anything, they tend to try and move out way too aggressively, get way over their skis, and never fucking shut up about their plans to do evil for the sake of doing evil. The people wanting to do this stuff are clownish caricatures, not secret shadowy puppet-masters.
Age verification doesn’t meaningfully bring that any closer or farther away though. They literally can identify you right now if you’re a person of interest unless you’re taking pretty extreme measures to obfuscate your identity, which isn’t really something one would do on Discord in the first place.
Indeed. But network effects are a pain and I'm into such niche games that there's barely even subreddits about them. Discord, Twitter, and Facebook tend to be the only places reporting news on such things. So, like political parties, I picked the least painful poison.
The other more painful end on my other IRL account is that Discord was my compromise (pre-bluesky) between the same 3 platforms for my local gamedev scene. Hopefully that one is slowly shifting.
If push comes to shove I can go back to being a hermit forgoing anything slightly mainstream. But I'm not sure if that phase of my life is the best for my social and mental health.
I suppose it's relative. If you're in tune with the news they are surprisingly vocal about plans. But it's more like they are taking steps bit by bit to eat away at their true endgoal. Here, Discord's endgame is to prepare for IPO, and this is likely not the last step taken to make that go smoothly (in their eyes).
I don't disagree. But I won't make it easy for them by simply handing them my ID. They'll need to work for it.
I suppose it's the same kind of separate as having a whois lookup (because, say, you run a business and you need to report some info) and having it on blast from some influence on social media. it isn't technically "doxxing" in the traditional sense, but 99%+ people won't take the steps to do that search to begin with. Many may not even know what whois is.
If you aren't and just want to use something to talk to friends, it can be very sudden hearing "hey we are going to do age verification" a few weeks back. Those really paying attention would see vague aspects of this coming when hearing of the change in management.
we really need a better form of verification that is not uploading your face or id directly to these companies… something through the government that gives a simple code that returns a list of restrictions or not.
There’s been some decent conversation in cryptography circles about some kind of zero-knowledge proof system. It would require a trusted authority to verify your age one time, and they would issue you a digital token. After that, the token could be used to answer a specific question like “is the bearer of this token older than X age?” and return an authenticated yes or no without leaking your birthdate or any other information to the asker.
By itself, it doesn’t solve the problem of guaranteeing the token-bearer is the person it was issued for, but it’s by far the most privacy-respecting option and makes all these face-scanning, ID-retaining startups look like overengineered ticking time bombs.
It seems like a really robust system could be built atop zk-SNARKs… and in the meantime I’m personally not comfortable with any alternatives to that.
In Portugal, this is how the age verification system is being implemented.
We already have a system to sign in online with our real ID. They call it a digital key, and it basically lets a site access certain legal information about you (what information is being shared is displayed to you before you press accept) to verify your real identity. This system is typically used by government sites and banks, since those are the two places that actually require strong verification.
What they're going to do for age verification is repurpose this already existing system (read: create a separate pipeline specifically just for age verification, so sites don't have the API permissions to request any other info) so that all a website gets when they check your age is a yes or no. They don't get the actual age, only a token. The government's database is the only one that has this info and never passes it along. They're the only ones allowed to keep your data, which you've already given them when you were born and registered as a citizen anyway.
As far as systems goes, this is the one that seems the most sensible and I'm glad I won't have to upload a photo of my ID to a random website, something I'll never do regardless.
The CMD-based legislation that they literally rushed through when everybody was busy dealing with a natural catastrophe is not great because almost no one is going to invest money into implementing a system just for Portugal, especially when the EU-wide one is coming in 1-2 years. They will just geoblock the country.
That said, if Discord is set on allowing multiple competing identification providers that users can choose from by name, they just might be among the few platforms to implement ours too. It's one of the best things they seem intent on doing (unless they're lying about it), promoting transparency and competition in the space.
If they can't respect our privacy, let them block the country. It should not be one or the other. It should absolutely not be legal for websites, especially foreign ones, to ask for a photo of you or your ID to prove you're an adult. This is highly sensitive information that at no point should be available in the pipeline, no matter how many promises of "everything is done locally" they make.
I understand there is inconvenience, but we should push back on this concept and only allow for zero-knowledge, privacy respecting options when it comes to the handling of our real data. EU-wide implementations should all follow these models too.
Sure, but they could also have respected our privacy by just not demanding any form of age verification whatsoever for another year while waiting for the EU solution, and then we could have kept using the services in question!
Well, we'll see how it goes. Maybe the law just won't be enforced properly. These laws tend to be enforced mostly against very large coporations that are easy to extract billions in fines from.
Under that implementation, does your government get a request from the site you're attempting to access? i.e., is your privacy only being protected from corporations?
The irony is that the American reflexive aversion to government data collection or identification of any kind ends up making our PII less secure as we yield up all the information to each and every service provider who all sell it to the same handful of data brokers on the back end. But it’s not the government so it’s fine, it’s just Mark Zuckerberg. . .
. . .who sells it back to the government anyway with fewer data protections, transparency, audit, or oversight than if it was just done by a public agency.
As someone who formerly worked for a company that is pretty much a "overengineered ticking time bomb" I think it's just a hard problem to solve, especially in a reusable way.
shit -- better than the current systems. It seems like a fairly easy solution to a very compromising problem. It solves so many issues -- like the absolute gong show that is the social security numbers etc.
Please make this and get rich. :)
OAuth can definitely do this already, if a place like id.me (or whatever alternative) just exposed a purpose-built scope.
I'm definitely not an expert or knowledgeable in cryptography but just out of curiosity though, what's stopping someone from sharing said token with friends or having data brokers tie that token to an individual's identity?
Also what's stopping the "trusted authority" from tracking who's asking about ages and/or any leaks that happen as a result of that.
I'm not an expert either but as I understand it, the token would basically be like a private key, stored in an encrypted hardware vault on the user's device, probably a smartphone. You'd need to have the device on you to perform the age check, because the token can't be exported from it — or maybe there's some fancy device-to-device protocol for transferring it from one to another in a controlled way. The point is, you can't just copy-paste it in plaintext to your friends. But neither can a third-party read your token directly and use it to track you.
The actual age check would probably happen in your smartphone, in the wallet app you use to manage the token. I'm spitballing the details here, but I think the service that wants to check your age would probably display a special QR code that you scan with the wallet app. The wallet app would then do the check on your device in a verifiably tamper-proof way, and send the service the result. It would probably feel similar to registering for TOTP authentication using an app like Google Authenticator or Okta or Duo, if you're familiar with any of those.
The trusted authority would perform the role of a certificate authority, basically their job would be to vouch for the truthfulness of the age assertion, putting their own credibility (and accreditation, licenses, etc.) on the line. Every token they issue would be stamped with their certificate, so if word got out that one of them was being naughty they could have their privileges revoked and be put out of business (and all tokens previously stamped by them would stop working). So they have a good incentive to keep their noses clean. But even in that scenario, they would never be able to see whose age has been validated or by whom. The risk would be more like if, after they initially checked your ID to create the token, they secretly kept a copy of it somewhere. But that's more of a traditional threat than anything cryptography-related. More or less as risky as when you hand over your driver's license to the guy at the liquor store.
There are some downsides, firstly that it would require a compatible device and there will always be people who don't or can't have one. I imagine cheaper, smartphone-free alternatives could exist but I don't know what those would look like. Then there's the issue that you could just give your friend your phone so they can pass the age test with your token. I'm sure the wallet apps would have biometric locks on them, the same way contactless payment systems need to be unlocked with Face ID or a fingerprint (though I think those usually fallback to passcodes, which are shareable).
If someone's determined enough, there are always going to be ways to try to get around any system. The next invention after the ID was the fake ID and that's still not a solved problem. But IMHO this is the best sort of approach that's been proposed. I think it would be at least as effective as in-person POS age verification is right now, which most people seem to be satisfied with. And of course this doesn't come with any of the frankly horrific problems all these other emerging systems are sitting on.
Ironically, the age verification system that the EU proposed is something like that: https://digital-strategy.ec.europa.eu/en/policies/eu-age-verification
I'm, on principle, not against age verification. I'm part of a group that runs a very adult server, and we currently manually age verify people through an app called Yoti or, you guessed it, receiving selfies and ID photos. The discord server in question is very much pornographic and we need to be 100% sure that people participating are above 18.
I think age verification makes sense for spaces that can't be easily replicated, like social media. I think it makes very little sense to for porn sites, because porn is incredibly easy to find anywhere on the internet.
But the way I, as a EU citizen, am currently forced into using some random fuckoff US company with likely terrible data privacy is frankly speaking ridiculous. Unfortunately, these companies want to do the minimum they need to, so they want a global one size fits all solution instead of using the solutions that some countries already provide.
in my province we have an app for 2FA for a lot of government sites — no reason this couldn’t be extended. i’d be in favor of a universal standard but everybody running their own — like drivers licenses.
i absolutely don’t want some US company being i. charge if the thing — or any company at all.
it’s scary how much personal information is not only compromised but never really re-privatized (eg dna)
That's disgusting! What is this server so I can avoid it and make sure to never go there?
The server is a writing and DnD server with an pornographic and kink focus. We maintain a whole homebrew system, but if you just want to write/roleplay, like me, then you are also very welcome! If that appeals to you I can DM you an invite link. :]
Discord can accept credit cards, at least in the US, because they are only given to people over 18.
In the US a parent/guardian can add a minor to an account and they can have a credit card issued in the minor's name (since it's technically illegal to use a card not in your name). I imagine there are also provisions for emancipated minors. To a vendor, the minor appears as a valid credit card holder. A vendor would be unaware who is the primary account holder.
You can also open a bank account in most (all?) states at 16 with parental/guardian approval and be issued a debit card. Debit cards do appear as debit and not credit to a vendor, but they wouldn't be able to determine the age.
Things might have changed in the 20+ years since I was that age with a credit card and debit card though.
Many adults also may not be able to get credit cards if they have bad credit. It also still has the same issue of de-anonymization, which is the real point of all of this: monitoring and control of speech for fascist ends.
This was never a problem that needed solving, merely a manufactured hysteria to ram though tools for controlling the public and further shaping public discourse.
discord can take CCs but not every adult has one. balooga's method really would solve the problem. It also takes the auth away from visa's near monopoly.
It depends on the specific law whether or not that works. The UK’s OSA allows credit card existence as verification, but the laws from US states do not.
Like sparkle said, children have cards in their name as authorized users of a parent's credit card. My son is less than a year old and has a card in his name (to give him a head start on building credit, if you're wondering why.)
That's the silliest part of this all. I was paying for Nitro for some 4 years now, and they're happy to take money from me without verifying my age.
I cancelled that, of course. clearly whatever data they get from this supersedes the losses from all the subscriptions being dropped. I guess having a surveillance system is more attractive for IPO than actual paying customers.
Well I think the pause is because the losses were more than they expected. Maybe with a little embarassment at Persona being breached.
That said, they're probably hoping by waiting they can eventually have their cake and eat it too.
I don’t want the government knowing that I am on an 18+ discord chat though. I don’t want the government knowing much about me really, unless there’s a pressing need. My online content consumption is not a pressing need. It’s not a pressing need for my kids either, since I am actively parenting them.
well, yeah -- there are always communities that fly under the radar. I wouldn't even use discord for 18+ stuff now.
Ultimately, we really do need a way to tumble IDs so we can have all the benefits of verification but retain the anonymity.
I'm not sure how interesting or meaningful this is, but I know a lot of people were discussing this before implementation, so I thought people might like to see this, although I don't know if it really resolves concerns, or just minimizes them.
I mean, in the end, it’s driven by laws written in the UK, many EU countries, Australia, many US states, with more being drafted.
There’s no escaping from laws. The only way to stop such things is at the ballot box.
Any open source alternative would also be subject to things like the UK’s OSA. Just see large mastodon servers.
Discord wanted to be a good boy to get ahead of more laws (see: Reddit being fined by the UK for not doing ID verification of age), but this reversal will only be temporary. As a company, they have to follow laws.
Companies need to flex their influence and just start geoblocking areas with such legislation. Don't comply with the laws, take the toy away for everyone in the bad jurisdictions until people remove those responsible for the legislation.
I agree because I disagree with internet identification. I also can't deny that it would set a bad precedent. There have been so many consumer friendly laws enforced by the EU that I benefit from, I'd hate for these companies to "just flex" and ignore those laws just cause they can.
If any and all international compliance breaks down there's nothing left.
The laws don't require to have a private citizen database on record. As long as none of these solutions are (legally) promising methods that can't be comproimised in a data leak (one that a third party had a recently as 2 weeks ago), the true purpose of these methods are not for "protecting the children".
There's also no indication that such a thing is being built?
Does it matter? You have to follow the laws of the country you're operating in. So far, none of the governments who passed and enforced such laws have offered a secure way to validate identity. They just say you have to do it, or else (you get fined into oblivion). There's murmurings of a zero-proof system in the EU, but it doesn't exist yet, so somewhat of a moot point.
Countries are capable of passing bad laws. When it happens, I blame the governments for passing them and the voters who support it.
https://fortune.com/2026/02/24/discord-peter-thiel-backed-persona-identity-verification-breach/
Already built. Already hacked. I want reassurance that this will not be the case.
Yes. Honesty and integrity still matters to me, even if my country disagrees these days.
There's no federal law as of now and my state has no law. I'd like to keep it that way. But even if we were to go that way I will call out a slop job not living to the spirit of the law.
And companies don't need to enforce bad laws in countries without them.
Maybe it's time to admit that China was right and the internet experiment has failed. Without specific channels to communicate internationally we should just put up the borders we knew were coming. At some point it will be impossible to operate any mid-large site without such borders, so let's skip all the compromises.
That was neither a breach nor anything weird. All US companies have to file SARs per the BSA, and are actually prohibited by that same law from disclosing that they file for SARs.
You will never get this reassurance, because you cannot run or operate a company in the US and not be subject to the Banking Security Act. And not just that, companies are legally prohibited from disclosing that they are subject to the Banking Security Act.
I didn't realize that Fortune article was paywalled (it wasn't for me 10 minutes ago).
https://www.pcgamer.com/software/security/security-researchers-claim-persona-the-provider-behind-discords-uk-age-verification-experiment-performs-269-individual-verification-checks-on-user-data-including-those-for-terrorism-and-espionage/
"Breach" is definitely debatable when they leave the endpoint wide open like that.
but it goes well into "anything weird".
Yes, all that is needed to make sure you are of age to look at pictures of naked people on a chat app.
Then they will never get my approval. Especially when in the span of 4-8 years, SARs can change to "I upvoted a comment on reddit back in 2018 that happened to disagree with the current party in power". I'll repeat that this is an app mostly for people chatting about video games, not a mission critical banking app.
I give Apple a lot of flak for their entire paradigm of software, but if nothing else they do (or did for a while) truly live up to their name of "security" in the face of federal scrutiny. The 4th amendment exists for a reason in my country.
It’s required to operate as a company in the US. If you take in KYC information, you have to file SARs when you see them.
Who’s they? If it’s the US government, fair enough. If it’s discord, seems like barking up the wrong tree?
And Discord doesn't need to KYC. The payment processor does for Nitro. But AFAIK that is a third party service.
The government for trying to sneakily violate my rights, and Discord for trying to pre-emptively comply when there is no need to. 2025's shown me a lot of companies will happily do that.
Like I said, I'd rather skip the tiptoes and fully region lock the internet if this is going to be the next decade of cat and mouse. I'm just fine going to smaller, semi-anonymous platforms like Tildes if anything bigger needs to surrender to government survellance.
Yes.
In the end it boils down to “we’re waiting until we can try convince you to be less mad”. The same concerns still exist, and if their plan in the second half of the same year is to just try the same with more time spent on blog posts, I don’t see why the reaction should be different
This does nothing to resolve the main issues and they know it. They are just trying to minimize the backlash.
This feature should also go a long way to help manage servers without age gating channels.
I don't really understand why there needs to be a special feature for this. If you don't want to engage with a channel, you already have the ability to mute or hide it. Two different ways. Why do we need a third?
At least one FFXIV server I'm on does this as a way to have a space to discuss upcoming events / recent story.
Prior to age restrictions being rolled out, it was an easy way to separate out the odd channel without introducing role bloat.
Again, we just have a channel called spoilers for this purpose. If users click on a channel called spoilers, that’s on them. If they click on a channel called “heavy topics” they can’t be surprised when there’s triggering things in there. They don’t need any additional gating.
Of course I will use this feature if it works properly because why not, but I do think at a certain point people need to be responsible for their own online experience.
And, under the UK law, channels where self harm and eating disorders are discussed would need to also be age gated anyways.
Never heard of NSFW channels used that way. All the servers I use lock those sorts of channels with roles. So that feature will be nice!
I basically agree with everything else said, my only thought is maybe they missed a tech deadline as well and had to push anyways.
Am I the only one who’s having a hard time seeing how these new age-verification laws actually protect minors?
From what I understand, adults will still be able to access everything kids can. And if verified spaces become adults-only, doesn't that just create a separate hangout for adults while pushing minors into fewer remaining spaces and potentially making those spaces more risky for them? I'm totally on board with keeping teens out of explicitly adult channels. I just don't see how this aproach tackles the real problem, unless I'm missing something.
No. Because it's not meant to.