I was sitting in a room the other day with a young adult, we were searching for additional algorithm learning materials. They searched in Google, and accept the cookies. They clicked on a website, and accepted those cookies too. They then started entering their email address to access another service. I was completely taken aback.
I'm the sort of person that either rejects the cookies, or will use another site entirely to avoid some weird dark-pattern cookie trickery. I don't like the idea of any particular service getting more information than they should.
Siting there I realized, we were not the real target. It is the young people that are growing up conditioned to press accept, enter any details asked of them, and to not value their personal data. Sadly, the damage is already done.
I am in my mid forties, been working as a professional software developer for over 20 years.
I click “accept the cookies” almost every time. I just personally don’t feel it’s worth the effort and cost to try to avoid it.
What “dark pattern cookie trick” are you worried about? I just can’t come up with a scenario where it will actually harm me in any way. All the examples I have heard are either completely implausible, don’t actually seem that bad to me, or are things that are trivially easy to do even without any cookies.
Now, I am not going around giving my real email out to random sites, though, although even that doesn’t strike me as particularly dangerous. I already get infinite spam, and I am sure there are millions of other ways to get my email address… it is supposed to be something you give out, after all.
I just don’t think it is something that is worth stressing out about and fighting against. Maybe I am actually naive, but I just have not yet been convinced I should actually care.
First of all, if you don't practice any tracking limitation, you're almost certainly giving additional parties (directly or otherwise) access to your personal information. This is marketing data brokerage, this is the whole ballgame.
To your point about the actual harm, I've come to see it as a kind of ecological problem. Wasting energy and sending more trash to a landfill doesn't harm me individually, at least not immediately. But it does harm in aggregate, and it is probably directly related to other general harms, like overall health outcomes, efficiency, energy costs, etc.
No, accepting cookies by itself may not do much to me, but the broader surveillance and attention economy that relies on such apathy certainly has.
Sadly, this still doesn't do anything to show me that I should opt out.
I, as an individual, am not going to have any effect on a business if I opt out or not. No business decision is going to be made because I opt out.
You might argue that it will matter if enough of us do it. Sure, that is true... but again, it won't matter if I do it or not. If N number of people opting out is enough to ruin the business model, then N-1 is surely enough as well. There is a 0% chance that I am the one who finally causes the system to collapse.
I do use an ad blocker, and never click on ads. I feel like that action has a bigger return on investment than no clicking the cookie banner.
If having more information about me allows the website to charge more to show me an ad, and I never click any ads, then I am hopefully helping decrease the return advertisers get by using personal information.
This is the exact same logic as opting to not go through the hassle of registering to and casting your vote in your national elections (unless that physically isn't an option where you live) -- yes, your government isn't going to make a decision one way or another based on your vote alone. But will you affect the sociopolitical trends by whatever fraction of societal opinion you represent?
It may be you don't believe in democracy at all, and that's fair, but consumer action is the only way you can affect business decisions, by joining the decision-cohort you agree with more. Joining the opposite cohort because it's less work represents that you're okay with things continuing in that direction.
That said, I agree with the work it takes to navigate cookie banners being excessive (hence dark pattern), which is why my default browser config = ublock + consent-o-matic [1]
Yes, the Paradox of Voting is the exact same situation [1]. My decision to vote is not rational, but I know if all the rational people don't vote that is bad, and so I focus on the other parts of voting, like civic pride and the little sticker that says "I voted"
> It may be you don't believe in democracy at all, and that's fair, but consumer action is the only way you can affect business decisions, by joining the decision-cohort you agree with more. Joining the opposite cohort because it's less work represents that you're okay with things continuing in that direction.
I actually believe even less in 'voting with your wallet' than in actual voting, for all the same reasons except the cost of 'voting' in this case is even higher (choosing an individually suboptimal option with my wallet hurts me directly even more than the cost of voting in an election does... e.g. choosing to pay more to avoid major corporations costs me every time I shop) I personally think the only way to avoid companies destroying the common good for profit is to price in the destruction to make it explicit (e.g. carbon taxes, pollution taxes, etc).
You have to use something more like updateless decision theory rather than EDT or CDT: consider the similarity of your thought processes and decisionmaking to all the other people in a similar situation and act so as to further your goals given that a substantial fraction of similar people will ultimately make the same decision as you.
If I ever decide that it is no longer worth voting then I will probably leave the country under the expectation that other people like me giving up on voting are doing it for roughly the same reasons.
> choosing an individually suboptimal option with my wallet hurts me
That may be true, particularly in the short term, but you might be hurting everyone else including yourself in the long term. Opening your wallet sends a signal to the receiving business to keep doing what they're doing, even if we all know it's bad.
There's also a cultural aspect to consider. It's normalized to not think of anything other than cost. That's why we have CAFOs, toxic plastic children's toys, landfills full of junk, etc... Pricing in the destruction might help, but at some point our culture needs to change. Outside of the occasional voting, we're all pretty powerless to enact top-down change like taxes and regulations, but we can all build culture.
> Opening your wallet sends a signal to the receiving business to keep doing what they're doing, even if we all know it's bad.
That is exactly my point, though. The signal from my personal transactions isn't going to be enough to change anything. It will be drowned out by everyone else.
Of course, you are right that if enough people closed their wallet, then the business would have to change. However, that is STILL true even if I keep my wallet open. If N people stopping their shopping at a store would cause it to close/change its practices, then surely N-1 people stopping their shopping would also cause it to change. I could still keep shopping their, get the benefits while they last, and then switch once it finally goes out of business.
Of course, you might reasonably say, "Well, if everyone thought like you, then the change would never happen!" True, but my decision does not change anyone else's decision. The other people won't even know my choice, it isn't going to make other people boycott.
You could argue that people will listen to what I say, and I could influence them. That is true, but that is again independent of whether I actually 'vote with my wallet' or not. The influence I have on other people is the same whether I tell them not to shop there and I also don't shop there, or if I tell them not to shop there but secretly shop there myself.
Obviously there is some other morality at play here, but it isn't as simple as invoking the direct signal I am sending by choosing to shop somewhere or not.
And I think this is great. Often our convictions aren't, and those are what make us interesting! I also think it's interesting how/why we rationalize our irrational behaviors! For example, I generally feel the same way as you about voting, but I don't like living as (in my mind, at least) a defeatist. Also, I feel that if I didn't vote then I have no right to complain or have an opinion about the things I didn't vote on. So I go vote for those reasons.
I mean, I do actually vote in every election, for the same reasons you are talking about. There are social reasons I do it, and there is something communal and bonding about the process of elections.
But it isn't because my individual vote actually matters.
It is pretty paradoxical and got me thinking. I don't know how to measure the value of my vote. I feel like the immediate value is less than the effort, but on the other hand, I don't think it's so simple. As you said, if no "rational" people vote, that's catastrophic and so I'm helping to maintain a larger system. Maybe a culture. Movements can have collective power no individual can have, but they can't exist without individuals. It's hard to measure the value or effects of a culture as they are often not clearly visible or direct. The effects can play out over a long time too.
About voting with your wallet, I agree that it'd be best if companies actually had to pay for those externalities you mentioned.
If you have spare money to spend, you can view not choosing the cheapest option as supporting or donating. That's what I sometimes do when e.g. buying locally instead of ordering from somewhere far for cheaper. I can get local faster and it's more convenient, so there's lazyness, but thinking about it as supporting helps me rationalize it further (and it is true). I don't think it really hurts me more than buying something else that I don't strictly need. I see indirect value in trying to uphold things I like.
It's not paradoxical and the attitude expressed by GP that it's not "rational" is exactly the sort of thinking that leads to rationality getting a bad name.
Cooperation to the detriment of the individual in the animal world is exactly the same phenomenon in a much simpler system. That is widely and repeatedly evolved so we know for a fact that the game theory works out in a vacuum (ie without human cultural factors).
> consumer action is the only way you can affect business decisions
I mean, insomuch as any action I take is a consumer action, because I am a consumer, this is true. That's why Luigi'ing is a consumer action.
But 'vote with your wallet' is an illusion; you have no way of informing an entity why you are rejecting their service if you simply don't patronize them. On a ballot you're actively choosing another over them. As a consumer, you're otherwise 'invisible' to them.
Walking past Target out of rejection of their politics, for example, is no different to them than the person next to you walking by because they don't need anything from them at that moment (and realistically, they would probably prefer to just switch you for said politically/privacy-un-conscious person). It's still good to stick to your morals, but that alone isn't actually 'consumer action' in the way you mean it.
It requires a coordinated, public messaging campaign that a group is boycotting actively to have any impact on a business. Your individual action of not clicking on Accept Cookies does nothing to influence businesses.
However voting is different. We don't vote for a policy (although that is a common misconception.) The collective power of voting is often voting against a person/party : voting them out.
We spent money on goods/services we choose, and receiving money is a very strong signal to a business. Not spending money is an extremely weak signal.
Sadly, there will be no signals at all, until it's too late. ICE has used online advertisement tracking to find their targets. They won't tell you anything about this, until they're already at your door with handcuffs. https://www.404media.co/cbp-tapped-into-the-online-advertisi...
This is the real answer. Palantir aggregates massive amounts of data, and they are not stupid enough to not use online ad profiles. They track everything. I mean, sexuality, race, age group, mental and physical illnesses, income, job/industry, living address, work address, frequent travel destinations (in and out of your city), shopping habits, eating habits, the list goes on and on and on. Any possible days point they can get, they will.
If you aren't worried about the US government having this, it's a sign of significant privilege and safety a lot of others don't have.
It's not possible to be a ghost, but it is possible to reduce your surface area in these systems, which is what I focus on. Denying tracking cookies is a single tool in this quite large toolbox.
You could use exactly the same argument for not bothering about doing things that pollute, generate landfill, or generally make things worse for society.
Its highly unlikely your vote will swing an election.
If you want easy things to do use cookie blocking extensions.
These are all related to the collective action problem (https://en.wikipedia.org/wiki/Collective_action_problem). This is why we have regulations and rules and laws about things like pollution, because we CAN'T rely on everyone wanting to live in a clean world to make everyone not pollute.
> You could use exactly the same argument for not bothering about doing things that pollute, generate landfill, or generally make things worse for society.
Which is why those things need laws to create any meaningful change.
> I do use an ad blocker, and never click on ads. I feel like that action has a bigger return on investment than no clicking the cookie banner.
Right, but this is not solely about cookies or blocking ads. You also leave behind data which helps create a profile. AI is mass-creating profiles of everyone. Not everyone will have the same pattern, but information space is finite and they get more and more data about you over time. You may think this is not relevant for your use cases, but can you make this as prediction in the future?
The future of myself and my son does not depend on nor benefit from my anonymity.
I'm not a revolutionary taking up arms I'm a voter and a citizen in disagreement. Unless I am seen and counted, then being any of those things is worthless as well.
There is no value in hiding from the system while the system goes to hell and attacks everyone else.
While I have no idea of the actual outcome, I’ll muddle through the extra step + thinking to opt-out where possible.
My own personal bend is that I do not want to be sold anything and I want anonymity where possible. We’re constantly being advertised to. Anything small action that I can take to deter that, or make the ads less personalized/interesting/distracting to me, is worth it. Even if I also will never knowingly click an ad.
It’s probably largely a control thing psychologically. With cookie banners specifically, I also don’t want to concede to dark patterns which make accepting easier than rejecting.
> My own personal bend is that I do not want to be sold anything
You can always choose this no matter what ads they show you. In some ways, choosing to not be sold AFTER being shown ads might be more effective at shutting down that behavior than simply avoiding the ads entirely; forcing the company to pay to show you the ad that you ignore is costlier to them than simply not being able to show you the ad at all.
Why do you think you have a 5 day work week? Because collective action fought for it. Same goes for the Civil Rights movement in the US and strong union protections for the Boomers that helped them build out a healthy middle class (that they're in the process of squeezing dry after pulling up the ladder, because Millennials and Gen Z won't do collective action to enact change, but that's a separate discussion).
Saying you don't see an individual motive here to do anything just says that you don't see how interconnected everyone is in modern society.
Potential real-world consequences, while they do exist, are simply too subtle to realize. Some actual examples of cookies being used against people:
- CBP has admitted to buying location/advertising data from brokers to use in helping locate people to arrest
- Phishing and identity theft can be made easier due to cookies... security researchers have even demonstrated 2FA bypass techniques based on it
- Price discrimination - Consumer Reports found that flight prices can fluctuate based on your cookies. Sometimes they would even raise the price if you kept searching for routes, as an indication that you were in a hurry, thus likely willing to pay extra.
- Healthcare discrimination - Companies have been found to raise healthcare prices or deny coverage due to cookie data aggregated via brokers where external sites tracked a person's health conditions based on what pages they visited (examples: fertility, cancer and mental health support groups)
- AI models or automated systems using cookie data to predict housing stability, creditworthiness, and employment risk without ever seeing your resume or credit report directly
- ProPublica found that Facebook was allowing advertisers to target their housing ads based on specific age/race groups stored in cookies
- Some recruiting firms have used cookies to infer personality traits and political leanings. Your employment application could be rejected or deprioritized based on that
- Based on the previous examples, I think it is not a far-fetched idea that websites and services could deny you access altogether based on data revealed by a combination of things like your browser fingerprint + brokered cookie data, such as political affiliation, estimated income, race/gender, health situation, etc. Imagine for example, not being able to order pizza because you badmouthed their favorite president online.
It's also harder to change your mind later and go delete a bunch of specific cookies to opt out when you could have just said no from the beginning.
You should always configure your browser to automatically wipe all data on exit. The Arkenfox user.js user profile does this and more to mitigate fingerprinting.
I am logged into way too many sites to do that unfortunately. I do use a password manager with a browser plugin to make it easier, but it's still a lot of manual work to re-login to all the sites I use on a normal basis, for both work and home, every time I restart my browser.
Would be nice if there was some other solution, like maybe encrypting the browser profile and then requiring a pin/password/biometric/something to unlock it on each start.
Many sites I use force email or SMS-based 2FA, sometimes in addition to "security questions" and/or have other multiple steps of authorization (like captchas) required; it's often not just a simple username/password for me.
Now multiply that by 25 different sites. Not happening.
One option for that is to use multiple Firefox profiles. The main general-purpose browsing profile would have a hardened configuration, while dedicated profiles are used for other websites that should remain logged in.
It can be yes, although not everyone wants to do that because you will likely be logged out of all the websites you're using, shopping carts cleared out, etc.
> Sadly, this still doesn't do anything to show me that I should opt out.
Then don't. No need to be sad about it.
> I, as an individual, am not going to have any effect on a business if I opt out or not. No business decision is going to be made because I opt out.
I do it more from a point of view of principal. I don't want following around the Internet by all and sundry who care to, any more than I want to be followed down a dar alley, for followed into Tesco by someone yelling “hey, Dave, I saw you went to the pub last night, my shop has some cheap spirits” or “hey, Dave, I saw you but a network switch the other week, do you want another one?”.
I also resist anything wrapped in many layers of dark patterns, and that describes almost all current ad tech.
> You might argue that it will matter if enough of us do it. Sure, that is true... but again, it won't matter if I do it or not. If N number of people opting out is enough to ruin the business model, then N-1 is surely enough as well. There is a 0% chance that I am the one who finally causes the system to collapse.
If your stats knowledge and reasoning accept that, then I've got an infinite compression scheme for you. It can compress anything including compressed anythings!
You are jumping between two factors of large numbers haphazardly from sentence fragment to sentence fragment, and the logic isn't following you. At some point N-1 might make a difference, and you could be that -1.
> I do use an ad blocker, and never click on ads.
To use your argument on tracking: but many people don't, so why do you bother? What makes you think you could be the +1/-1 here but not there? And by blocking ads you are blocking a fair portion of the tracking, in fact that is why I block ads much more than the ads themselves. I don't run sponsorblock for the other side of the same reason: that doesn't affect tracking at all.
> If having more information about me allows the website to charge more to show me an ad, and I never click any ads, then I am hopefully helping decrease the return advertisers get by using personal information.
And when the database eventually leaks, many others will have the extra information about you.
And again: by blocking the ads using most ad blockers (obs not all work the same ways) you are blocking at least some tracking.
--------
But again, if you don't want to block tracking, don't. No need to be sad that we've not convinced you with our arguments as to why we try to block it. I know other devs who take your attitude (that is simply isn't worth their effort), and many others who take mine or similar (when it isn't worth the effort, the information or product behind the mountain of “legitimate interest” checkboxes isn't worth the effort either so I'll just move on). Our threat and principal models can be different from ours without either of us being bothered by the other's choices here.
I hear what you're saying, and instinctually I feel gross about it. But, if enabling advertising allows the website I'm visiting to stay in business, I think that might be a trade-off worth making.
The business model of the websites I visit is not my problem. I block ads and trackers at multiple levels, very aggressively, and could not care less if some websites disappeared because of it. Perhaps then we will be left with a more sane and useful subset of the Internet.
I turn off 3rd party cookies in the browser but I don't see first party cookies as big of a threat and I click accept just in case it breaks the website somehow.
The effect of that data is serving you better ads. Its not a big deal. Dystopian governments have way better sources of citizen data than anonymized ad exchanges. It basically just powers product discovery in a giant global marketplace.
In theory, the government doesn't need the ad exchanges which have very lossy information. They have access to the ISPs and cell service providers, etc, with a warrant. Dictatorships like China and Russia don't need ad network data to be police states, they just use the core phone, internet and computer data.
But in this case, the US gov are using the insecure private data as a run-around to the warrant process. This is definitely unfortunate, and I think laws should be amended to prevent this workaround.
This is not just about "better ads" - though I don't understand the term better anyway here. This is about profiling people. Ads are just one benefit here. Profiles can be sold to get a better idea of the potential customer base.+
> It basically just powers product discovery in a giant global marketplace.
That is also incomplete. See how profiling led to ICE finding people - and ICE has a proven track record of executing US citizens. That is also a fact. It does not mean profiling led to the death of the people here, 1:1, but it meant that it is a contributing factor to the build-up of government troops killing people (which is very similar of Europe 1930s by the way).
There's a subset of people in Ireland who are legally required to write down an ID on their vehicle, that can be matched to a name/photograph in seconds.
Would you not? It would look odd and draw a lot of attention simply for being unusual, but I'm struggling to come up with any way in which doing so would actually harm me.
I disagree, because there’s always a chunk of advertising that seems to be all about targeting low-income or people who aren’t financially savvy and I don’t think it’s ethical for an apparatus to take advantage of them.
What utility does a box of cookies have? A bar of chocolate? A can of soda? Those things are about pleasure and have serious harmful consequences if overused - just like tobacco, alcohol and drugs.
What about video games? They only have utility in pleasure and the sedentary lifestyle associated with over-playing them is extremely harmful.
Sounds to me like you have some random things you decided you don't like and want to ban ads for them, not that you've done any thinking about utility (other than as a bad attempt at rationalizing your anti-some things campaign).
Really? So the profile is like an ad-bot. Good to know. It was the only account that tried to promote ads; everyone else hates ads, so they don't write in a positive tone about them.
The counter point to that quote is that someone whose salary depends on something likely has a lot more understanding of the topic than the average person. Not saying theyre always in the right. But the average internet user thinks they are way better informed than they actually are.
> Now, I am not going around giving my real email out to random sites, though, although even that doesn’t strike me as particularly dangerous.
I am fanatically following my rule "one email per website". Obviously, they all route to the same inbox. Initial motivation was to see who leaks my address and simply block it. However, the separation helped me out tremendously more than I ever expected (at the very least I believe so).
I'm originally from a country with a highly oppressive regime. Years ago I signed up for financial support to a political opposition leader. Things weren't as bad and it felt safe enough at the time. They had my email, of course.
Eventually opposition systems were compromised, and the full donor list became public. The regime's response: they cross-referenced it against emails registered on government services. For quite a few whose addresses matched, police officers paid a visit — looking for grounds to fine them, pressure them, etc.
My alias for that site existed nowhere else. No match, no visit. Definitely an experience I was more than happy to avoid.
> I click “accept the cookies” almost every time. I just personally don’t feel it’s worth the effort and cost to try to avoid it.
the effort and cost to download an ad-blocker that automatically removes the prompt to accept/deny entirely is practically zero and the amount of clicks you'd save yourself would quickly exceed the clicks it took to install the blocker.
> I just don’t think it is something that is worth stressing out about and fighting against. Maybe I am actually naive
It seems like you are, but that's just how our brains work. We're very bad at judging long term and abstract risks, especially when the consequences and their connection to the cause are intentionally kept unclear. For example, when people's cars started collecting data on their driving habits and selling that data to insurance companies a lot of people saw their insurance rates go up, but none of the insurance companies said that it was because of the data collected from their cars. I'd be willing to bet the data being collected by tracking your
browsing history has already been screwing you over in various aspects of your life, online and offline, but you won't be told when it happens or why.
> I'd be willing to bet the data being collected by tracking your browsing history has already been screwing you over in various aspects of your life, online and offline, but you won't be told when it happens or why.
Ok, can you give me a plausible example of what that harm could be? This seems in line with the exact thing I said in my comment; every time I ask how it could harm me, I am given vague statements about tracking and data. Charging me more if they think I can afford it is surely a thing to worry about, but there are so many ways to do that without tracking that I already need to take actions to defend against that (comparison shopping, price history tools, etc).
I am not saying I don’t think companies can take data they have access to and use it to extract more value from me… I am saying I don’t thing opting out of cookies is going to do much to change that, for better or worse.
> Ok, can you give me a plausible example of what that harm could be?
There are countless ways the data collected about you can be used against you. Companies are using this data for everything from setting prices, to deciding which policies they'll apply to you, what services they'll offer or deny you, even shit as trivial as deciding how long they should leave you on hold when you call them on the phone. It's been used to deny people housing, or employment. It's even resulted in innocent people being arrested and investigated by law enforcement. This guy (https://www.nbcnews.com/news/us-news/google-tracked-his-bike...) wasn't worried about Google tracking everywhere he went until he had to get his parents to clean out their savings to pay for a lawyer in order to prove his innocence.
AI is only going to make it easier for companies to leverage the massive amounts of data they've collected against us. Companies have been trying to get consumers to accept discriminatory pricing practices this data enables for a very long time (https://link.springer.com/article/10.1057/s41272-019-00224-3) and it looks like they're starting to wear us down. Digital price tags are becoming increasingly common. So are demands that consumers scan QR codes to get prices. Prices don't have to be set so high that they become unaffordable to you, they can just slowly eat away at more and more of your earnings.
The system is set up so that you will never know when or how the data being collected about you is used against you, but every company is looking to leverage that data to their advantage every chance they get. I get that it's easy to feel defeated and think "My ISP already sells my browsing history, Google chrome already collects all by browsing history, so who cares if I let 30 other random companies collect it too by accepting their tracking cookies on every website I visit?" but those companies collecting your data care very much and it's not because they have your best interests in mind. They aren't going through all the trouble to track you across every website you visit because it doesn't matter. Taking a few basic steps to help protect yourself is just the smart thing to do, especially when it's something as simple as using an ad blocker or an add-on to auto-reject the countless "Can we track you" requests.
I guess the thing that worries me is more so population effect versus direct personal ones. When companies know they can extract useful information from a source, there becomes a market for the information, which further incentivizes others to collect the information. The other thing is that even if you don't care about ads, I assume you care at least about browsing privacy. The main reason why GDPR was even passed was data privacy and security.It is difficult to know who has what personal information and for how long they keep it. Because of that, it just takes one breach where suddenly your email/username/personal information, along with all of your browsing activity, gets leaked. This wouldn't only be the ones that you purposely entered your email address in; it just takes one site to have your cookie "fingerprint" and email connected, and suddenly all the sites that recorded that fingerprint will have a record that you visited them. All in all, I agree that there is a low chance of personal harm to you, but I look at it like putting motor oil in the storm drain. "Low trust" cultures where people only care about the direct effects of actions to themselves instead of society as a whole always fare worse than cultures where everyone sets a standard of what is acceptable or not.
A plausible example: Your insurance company knows how much money you make, and how fast you drive, and takes this into account when setting your insurance bill. Even if you never thought you gave them this information.
Another example: there are fallen countries that try to penalize abortion even in extreme cases (rape, incest) Having the data in your ad-exchange’s online profile that you bought a pregnancy test and a bus ticket to another state that allows abortion may be enough to get you jailed.
And when the government uses that data to round you up? Sure maybe you aren't an immigrant... but are you in the next group they target, or the group after that?
Maybe not, but does that matter when they use an advertising profile to make your life hell before determining you're not in the problem group? Will they even bother to check? They already have been hassling and detaining citizens on similar sloppy suspicions around immigration.
Even if you're a perfect aryan and think you're safe from the current regime... will the next one have the same notion of perfect?
> the effort and cost to download an ad-blocker that automatically removes the prompt to accept/deny entirely is practically zero and the amount of clicks you'd save yourself would quickly exceed the clicks it took to install the blocker.
For less-often used, e.g., non-English language sites, these often leave a site in an unusable state, e.g., non-scrollable. I often have to go into the developer tools to fix a site manually, sometimes hunting for the element to fix if it's not body or html.
> the effort and cost to download an ad-blocker that automatically removes the prompt to accept/deny entirely is practically zero
It's only zero if you don't need to interact with sites that break when you're running an adblocker. I run an ad-blocker nearly continuously, but there are all sorts of sites where I have to disable it in order to use the actual functionality of the site (and these are frequently sites I _have_ to interact with).
There’s a burden in ad blocker plugins: you never know when they will get compromised. Im comparison to that, simply ignoring the cookie baner is less effort imho
Preventing add-ons from auto-updating is helpful. Enshittification happens more often than serious security updates, especially when it comes to add-ons that do something very basic such as hide a banner.
The data collected about us online is extensively used against us both online and offline. The multi-billion dollar industry around collecting and selling every scrap of data about you and your personal life didn't spring up because nobody was making money from it.
At all gets added to your dossier and it all gets sold and resold and used against you. You can't know what is going to prejudice someone against you, or what assumptions they'll make. Your browsing history can be a lot more relieving than your credit card purchases or your driving data. It can give them your medical issues, your sexual preferences, your addictions, your political views, your religion, etc. Just knowing the dates and times you're going to websites can tell them a lot.
You won't notice the effects, but allowing tracking feeds your behavioral profile into the data broker economy. You can then be targeted with things like dynamic pricing based on your guestimated income, invasive ads for significant life events, health care risk modeling, tracking your group affiliations, identity theft, and more.
This is how we should view all information we get from a company. If the product say organic, claim to be pure ingredients, recycled material, made in "COUNTRY", or any other claim, it is only just that. It is simply a claim that you as the customer has no way to verify.
Having seen how these things are implemented in the field, your lack of confidence is definitely well placed. Most of these things send your denial request to /dev/null
And there's Firefox Klar on Android. It forgets everything on exit. Some people call it a porn browser, but I've gotten used to it for general use when I don't need to log in somewhere.
For those that wonder, Klar is Firefox Focus with telemtry disabled by default. It is available on german speaking countries due to trademark avoidance with the Focus magazine.
[Reject Optional], [Essential Cookies Only] ... I am one of the people who clicks such options. But to some degree they are "privacy theater". Any website that presents you with such a choice is almost certainly loaded to the gills with tracking/analytics and various 3rd-party services that will track you with browser fingerprinting regardless of any buttons you click on the cookie banner. Nevertheless I still reject them, mostly out of spite.
Apply the same logical test to freedom of speech, and you’ll get the same result.
You’re not missing anything about what’s likely to happen to you personally. What you’re missing is the manner in which rights shape your life and your society even when you don’t exercise them, and sometimes even when nobody is currently exercising them, and that significant harm can be built out of a vast number of smaller harms that aren’t individually that bad.
I recently spoke with an engineer who was building a product using the information he is able to acquire from these data brokers. This includes every search query you've ever made, anything you've purchased with a credit card, and anything that is in the public record (i.e. a pending divorce case, or child custody dispute). He uses that information to generate a profile on leads to determine how much they can squeeze from this person in whatever deal they are making. (I'm not going to get more specific than that.) This person had no incentive to lie to me about what they were building.
The data trail you are creating is much more personal and invasive than you want to imagine, and in the wrong hands it could be used to devastating effect.
Read the fine print. You’re usually not consenting to cookies, you’re consenting to having your data gathered, processed, enriched and sold by hundreds of companies around the world.
One click usually gives random foreign corpos the right to your data across a multitude of platforms, the right to identify you across data sets, and to permanently link your device identifiers to you, for ”fraud detection” on a site which sells nothing.
Clicking on accept or deny on those notices makes no real difference, since the ”partners” and ”vendors” usually enshrine their core data activities into the ”legitimate interest” category, which has no opt-out.
All of your data starts affecting everything your data is used for.
You may get worse rates for a mortgage, or not get one at all. You may be denied insurance or insurance claims. Cherry-picked details of your online activities may be used against you in a court of law, if you ever find yourself in one for any reason (think custody).
These are the very mild examples from a somewhat functional society. In the other end of the spectrum, where societal breakdown is imminent, you have things like getting disappeared, thrown in a concentration camp, executed on your own front yard.
Oh, I don't think I have nothing to hide. I have plenty to hide, so I hide it.
I just don't think blocking cookies meaningfully protects anything that I want to hide. I feel like it is putting gloves on while you walk around naked, it isn't doing anything to protect your privacy.
> You may get worse rates for a mortgage, or not get one at all.
That is an interesting example, because getting a mortgage is going to require me to voluntarily give ALL my personal information to the company giving me the loan, and they will absolutely use all of that to determine if I get a better or worse rate. I am literally giving them my entire financial history, they don't need to try to piece it together using my browsing history.
Also, shouldn't mortgage companies determine rates based on personal information about you? How else should they manage risk? It would be awful for our society if banks were forced to give loans out at flat rates for everyone. There would be zero incentive to pay back loans, because they can't use you not paying it back to decide not to give you more money in the future. If banks had to give everyone the same rate, they would stop lending money entirely. There would be no way to avoid losing it all, why would you do that? No, we WANT loans to be based on personal information, because that is what allows us to have control over our own financial reputation.
> Cherry-picked details of your online activities may be used against you in a court of law, if you ever find yourself in one for any reason (think custody).
This one seems very nebulous, and a very unlikely and low risk. Courts can do discovery; they can obtain much more personal information than cookie based online tracking data. I can't see how this would be worth considering.
> These are the very mild examples from a somewhat functional society. In the other end of the spectrum, where societal breakdown is imminent, you have things like getting disappeared, thrown in a concentration camp, executed on your own front yard.
If this happens, browsing history is going to be the least of our worries. They might throw you into a camp because you DON'T have any browsing history and that is suspicious. If there is no rule of law, you can't expect plausible deniability to help with anything. If we get to that point, they are going to have a lot more than ad tracking data to work with. The added risk seems negligible.
Browsing history (and input) is used in many court cases today and has been for years, at borders as well. It’s not about whether it’s personal, but rather about establishing intent.
Ignore at your own peril, and enjoy risk with no benefit.
Possibly, but the big companies have ratcheting expectations to meet, and prefer to keep benefits to themselves, while leaving us with the drawbacks. e.g. Tesla using telemetry to protect itself but not customers without court order.
You've misread or I was not clear enough. I advocate rejecting this system—one must understand the boundaries in order to do that. Saying, "I won't bother" is the opposite of that.
> Read the fine print. You’re usually not consenting to cookies, you’re consenting to having your data gathered, processed, enriched and sold by hundreds of companies around the world.
They'll get it one way or another
With IP tracking, you don't really need cookies much anymore
I don’t think there is much short term danger from the cookies. It’s more the principle of the thing. I hate the bullshit language of how we and our 1500 partners respect your privacy choices. They don’t respect anything and would sell their own grandmothers for a dollar.
I'm worried about my browsing to be tracked across the entire internet for the purposes of marketers to "enrich" my profile... just to sell me more and to sell that data to third-parties who can make all sorts of decisions based on a made up story about who I am, my preferences, my values and whatnot.
there's a reason I don't walk around naked either. it wouldn't hurt me, but I don't need that kind of exposure for no upside
> third-parties who can make all sorts of decisions based on a made up story about who I am, my preferences, my values and whatnot
You're going to be presented with ads and preyed on by marketing no matter what. The "made up story about who you are" is just even more imaginary the less they know about you. You'll simply be presented with less-targeted ads.
Not the point, no one benefits by having an accurate (or non) dossier built on them, up for sale. The drawbacks may be infrequent and postponed but as history confirms, quite real.
For me it's mostly a matter of principle. I'm against online tracking and I will do everything I can to not be monetized. Also clicking reject is not that difficult and if a website tries to make it difficult I just close the tab.
I think he is referring to how some have an "Accept cookies" and a cookie's settings, but to reject cookies you have to open a separate dialog box. I agree, and I think it is so wild that people would give their actual email to random sites.
I'm the same, (well, mid thirties, and over a decade) but I always click accept for cookies.
The only times I've stopped, or tried to deny it is with the recent thing I've seen from some sites that say "accept cookies or pay money". I think that is scummy, and against what these regulations require, so I'll usually just close the site in that case.
Oh and to address the point from the main article, I think I'm unfortunately beholden to more companies, but would strongly prefer to not verify my identity, because I have little to no trust in the companies to safeguard my actual personal data. (rather than inferred cookie tracking data, which they can have imo).
"software developer" is pretty broad. Here this is specifically B2C (business to customer) applications. I only assume that you haven't been in this market sector, otherwise you would've been more familiar with GDPR and all the concerns that prompted it.
There was a time where the Internet was the wild west and you could've easily been personally targeted and exploited. Businesses sold your data to whoever.
Even today, if you decide to accept all cookies, you're safer than what you used to be.
Rejecting the non-essential cookies puts you in the safest spot from bad actors.
I am familiar with the GDPR. We had to do a lot of research when it came out (as well as the California version, the CCPA, where I live), and had to make some changes to how we dealt with data.
> There was a time where the Internet was the wild west and you could've easily been personally targeted and exploited. Businesses sold your data to whoever.
Yes, I remember when the internet was a much more dangerous place, in all sorts of ways. Browsers were not as secure, network security was not very robust. Most things were plain text. Hell, my friends and I used to run ettercap in our college dorm, because the entire dorm LAN was unprotected from ARP spoofing. Everything was sent in plain text, we would capture email passwords, AIM passwords, etc. We would play pranks on each other where we would spoof AIM messages to different people pretending we were someone else on the dorm floor.
I think some of the regulations have helped the internet be safer, but the tech is really what has changed.
It seems crazy that no one stressed it yet: for the last few years refusing the cookies has been requiring EXACTLY the same effort as accepting them, for the wide majority of websites!!!
It's disheartening that so many people still do this (and not accepting has rarely ever required enormous efforts, to begin with).
I don't think you are being naive but I do caution you before you don't worry.
Its not always clear what the desired outcome is here. The dark pattern could have nothing to do with the tracking most folks worry about. We like our phones more than our laptops because we touch the screens for example. The dark pattern here could simply be you use the site more because you do more actions there driving you to waste time and view ads. Who knows.
> Maybe I am actually naive, but I just have not yet been convinced I should actually care.
You are. Tracking is extremely dangerous to the society.
Before Shiftkey offers a nurse a shift, it purchases that worker's credit history from a data-broker. Specifically, it pays to find out how much credit-card debt the nurse is carrying, and whether it is overdue.
The more desperate the nurse's financial straits are, the lower the wage on offer. Because the more desperate you are, the less it'll take to get get you to come and do the gruntwork of caring for the sick, the elderly, and the dying
I would imagine it's the GDPR "ACCEPT ALL COOKIES" in big font and then in very small low contrast text "select some cookies" or "reject cookies" that they were describing.
technically, it's the ePrivacy directive. GDPR requires the consent to process personal data and governs the data but the ePrivacy directive is the instrument that requires that god-damn-please-make-it-stop-banner.
Meanwhile I just bounce from the site 60% of the time. Most websites aren't needed for my survival, and I hope they are happy that they lost a customer while I go to their competitor.
Moral of the story is: If you want me to see your content, and maybe spend money, don't cover up your content.
Especially if you're not EU-based and not subject to GDPR, stop listening to the laws of some foreign country that doesn't control you.
> It is the young people that are growing up conditioned to press accept
It's really alarming, actually. I run the cyber security training & phishing simulations at my work, and it's the younger employees that struggle the most. It's like they just assume that everything on the web is trustworthy.
It's not hard to see why though. They grew up with app stores & locked down devices. No concept of a file or file system, no concept of software outside of the curated store & webapps. People that never had to take responsibility for their own digital safety because "someone else" (Google, Apple) always did it for them.
The problem is, we haven't really created a safer world. We created an illusion of safety by taking away agency.
We might be safer in terms of vulnerabilities, root exploits, RCEs, etc. but the internet is still full of malware, scams are still just as rampant. Vigilance is still very much required, but is no longer taught.
Look at all the malware available on the Play Store. The curation does nothing but create an illusion of safety.
It happens all the time, and its as easy as sending a phone a text, or a packet, or escaping a sandbox, but you'll rarely be aware of it when you're infected because unlike the old days where malware would fill your screen with ads or something today they just silently collect your data or use your internet connection for careful port scans or DDoS attacks. NSO Group spyware (or similar) could be on your phone right now.
Hell, cellphones these days ship with spyware pre-installed. Samsung being the one of the worst for filling their phones with their own apps which spy on you constantly.
Is it that much different? In the past if you downloaded the wrong file, you could get ads opening constantly, a new toolbar taking over your browser, data scraped and sent off to a mystery server, or have some process maximise your compute.
This accounted for most of the risks on the wild west internet, but the worst case scenario of permanently losing data or having to reinstall Windows was actually rarer than it was made out to be imho.
These days the common risks are the same, except they're no longer risks - all of those have been built into the fabric of everyday internet usage and criminals have been replaced by businesses. It's like the cliche about Vegas being better when it was run by the mob.
When I joined my last job I noticed that their email settings were misconfigured... EVERYTHING was going straight to the inbox, not even the most basic of spam filters were in place.
When I got filtering on observe-only mode I saw users were getting up to a dozen phishing emails every day.
We quickly did a hard simulated phishing test and most users opened the email but zero users clicked through.
Two years later, after we had excellent email filtering in place, our simulated phishing test had a 30% fail rate.
Just curious, what come first and second in this use of the phrase applied to computer security? I came to know the expression from fire circus performance and adjacent circles, where first and second are safety of the audience and the venue, and third is your own. I use it often when I'm about to knowingly do something sketchy or potentially dangerous without applying safety practices required "by the book", acknowledging the present danger to myself and accepting the risk. I never saw it used in infosec context.
Interesting, I haven't heard of safety third from circus circles, I've always known it as more along the liens of if safety were actually the number one priority, no one would actually do anything because it's too risky.
In terms of cybersecurity, I see it as "security first" culture means people rely on the system to keep them safe. "Safety third" (or security third) emphasizes that everyone should already know they are operating in a risky and dangerous environment and take security as a personal responsibility.
It's just a reminder that no one cares about your life more than you do, so stay vigilant and take personal responsibility.
edit just realized I didn't actually answer your question on the first and second priorities.
I suppose First would be the reason the system exists in the first place (buy something online, for example). Second would be the user experience of doing the thing. Security should help you take calculated risks rather than prevent you from taking any risks at all.
They'd just click it away every time, when my nephew got a gaming laptop he'd play mindcraft and the windows sticky keys popup would be firing constantly must have seen him dismiss it 15 times before I offered to show him how to get rid of it.
Just remembered, even more distressing he first said "No it's ok" until I insisted it had to be solved if he wanted to game on it and could be easily solved.
Growing up I had a "computing" class in high school. It's where I learned to type, but also learned the basics of using both macOS(9 at the time) and Windows.
It was also drilled into me that the default state of anything on the internet is to be untrusted and potentially harmful.
It also helped that you could actually tinker with things, and there were plenty of foot guns around to drill that lesson home.
Somewhere along the way that message got lost and didn't get communicated to the young ones, and I'm not even that old (38).
Are you really exposed to those concepts for daily Zoomer usage? I mean, you can spend your whole normie life using an Android phone never going to the file manager.
(fwiw it's been a while since iOS also have those concepts)
People are also struggling to think about what is computed or stored where or what different wireless interfaces do. Imagine what sort of data people enter into LLMs!
In some sort of weird sense, it makes me appreciate the 'free armor trimming', 'alt F4 helps block attacks in pvp', and similar people in RuneScape. It gave young me a very low stakes environment to learn about scams, losing only what amounts to a little bit of my time. I wonder if there is an argument that we should encourage a certain level of scamming in video games just for the lessons it teaches at low cost? Alas, this isn't generalizable to society at large.
That's an exaggeration. Young people on average have grown up with drastically greater understanding of what a file is than any other generation that has come before them. They grew up using Chromebooks or laptops in school, constantly interacting with the local file systems, uploading files to Instagram and TikTok from the file systems on their smartphones, browsing their phones for files constantly. They know what a file is, they use & manage files more than any other generation prior.
No other prior generation comes close.
Compare them to people growing up in the 1980s. The average person at that time was overwhelmingly oblivious to computing very broadly, their grasp of a "file" as a concept would have been close to non-existent. That was just 40 years ago.
In the mid 1980s a mere 10% of US households had home computers. And that was a high mark globally, it was drastically lower in nearly every other country (closer to zero in eg China, India at that time). The number of people routinely using office PCs was still extremely low.
Today young people have a computer in their hand for hours each day, and they knowingly manage files throughout the day.
I use lights every day, but I know way less about electricity than my grandparents, two of whom who could remember when their town was electrified as children and who therefore treated it as the marvel it truly is. And also because we've worked out a ton of bugs in electricity and it often just works.
My kids will know way less about filesystems than I do, because I had to learn DOS commands to navigate around the operating system if I wanted to play computer games, which led to a lifelong interest in how computers actually work at a level they can (and, so far, do) happily ignore.
You don’t upload a “file” in a “folder” to TikTok. You upload a “video” from your “library”. Consumers have been conditioned to stop thinking about files especially when it comes to media since iTunes and the iPod in 2001.
As a technical person, who only ever used Android, I have no idea how files really work on my phone. I even used adb a few times but still. From my PoV there are no "files", just photos, videos, screenshots, downloads, application data, applications and system data - all completely different kinds of data.
In my files app i see "downloads" "images", "videos", "apps", "starred", "safe folder". In "images" i see pictures tagged "downloads", "camera", "DCIM", "screenshots" and one odd "2024-12-03_description_here" that I clearly names myself but don't remember doing that.
I have no clue how that maps to a physical phone filesystem, even though I know it's there. I'm sure teenagers don't know that too.
The Files app cannot access images in the Photos app or music in the Music app. The only way to add music to the Music app is to copy the files onto the iPhone from a computer. You can however install VLC player and copy the files into the VLC folder. I guess VLC player is more trustworthy than Apple Music considering it's less isolated. Or Apple really wants you to pay the Music subscription, who knows. Want to give another app access to these files? You'll have to duplicate them, using up more storage space.
I get that it's supposedly about security, but this is not the only secure way. It is however the most convenient secure way for Apple, as now the only simple method of backing up and syncing files through all those isolated containers is iCloud.
There may be some demographic groups located between people who were young during the 1980s and people who are young during the 2020s, time periods which are 40 years apart.
> They grew up using Chromebooks … in school, constantly interacting with the local file systems
While it is possible to interact with the local file system on a school Chromebook, it’s certainly not the default. School interactions with Chromebooks seem to consist of logging with highly secure passwords like “strawberry” and using Google Docs. And playing games with heavy PvP components and paid DLC (paid by parents whose kids beg for it, not by schools) that call themselves “educational” because they interject math problems needed to use those juicy spells, make no effort whatsoever to teach anything, but produce a nicely formatted report correlating scores to numbered elements of the Common Core standards.
Maybe they do more intuitively think of things as virtual objects, but it seems like the issue is they don't have a deeper understanding of how the mechanisms behind the abstractions work and can easily get fooled into accepting terms they wouldn't if they properly understood.
> easily get fooled into accepting terms they wouldn't if they properly understood.
And easily get sold add-on services. How many people hit the 5GB iCloud limit for backups and just pay without stopping to think that it might be possible to do local backups to your computer and you don't really have to pay for extra storage?
Just hit them with the scary language "You are at risk of losing your photos forever if you don't pay!" because that concept of "Oh, photos are just files in a directory and I can copy those anywhere I want" doesn't exist. To many, those photos are part of the gallery app, not a separate file from it and since that app only runs on the phone, surely it must not be possible to copy them anywhere unless I pay for the storage.
> Young people on average have grown up with drastically greater understanding of what a file is than any other generation that has come before them. They grew up using Chromebooks or laptops in school, constantly interacting with the local file systems, uploading files to Instagram and TikTok from the file systems on their smartphones, browsing their phones for files constantly. They know what a file is, they use & manage files more than any other generation prior.
This argument is like saying you understand nutrition because you eat food every day and haven't died yet.
And yet, it's the generation that struggles the most with managing files on their work laptops and on SMB shares.
They know app silos, not file system hierarchy. Ask a teenager where a file is on their phone and the will tell you the name of an app. Ask them how to copy it somewhere else, and they'll use the share sheet and send it to another app.
To be fair, at least Android and presumably iOS grant apps by default no access to your files in modern versions.
The only way to get, e. G., an attachment downloaded via Thunderbird to a PC or another app is the share dialogue. A user does not access to the isolated app storage by default on an unrooted Android phone. For better or worse the young user is actually making the right choice here for their platform.
(This is also why making a backup of an Android phone is a nightmare when you aren't using a first party option. ADB is sometimes able to bypass it)
True, it's all abstracted away and you don't even get access, but that's part of the problem. We (the industry) are teaching people that proprietary formats inside of app silos are the only way to store your data, making the default state being no control over your own stuff.
Note taking apps are a prime example of this, using a proprietary localdb for notes, inside of app storage you can't access, forcing you to transact with your own data exclusively through the app (and whatever subscriptions or upcharges that come with it). We've trained out the idea that these could just be local text files in a directory you can access and do with what you want.
I've watched discussions around open file formats fade away into obscurity along with the rise of mobile, and now we have to fight on whether we should be so graciously allowed to install software on the devices we own or not.
Not everyone needs to be a computer science student, but some basic level of curiosity or education around how tech works should be required in school, at the very least a warning message of "Your data isn't safe if it's not under your control."
> We've trained out the idea that these could just be local text files in a directory you can access and do with what you want.
But have you considered that a meaningful number of users actually want functionality that plain text simply can’t provide?
I understand files and file systems, I’ve worked in IT for decades, mostly in open source. I still choose a non plaintext note solution because it delivers capabilities that plain text cannot, especially across devices.
As long as the data can be exported to open formats, why would I voluntarily limit the value and functionality my tools can provide?
I mean on iOS you do have a raw home storage path you can save arbitrary binary data stuff to, although Apple generally just has the option of "Save to Files"--but you have at least some basic folder structure there you can use and have full access to.
It's just not commonly used for the reason the other person mentioned (share buttons between apps that are file type aware)
That's exactly the problem. Digital natives have, by and large, grown up with computing devices which try their best to be the opposite of general-purpose: their skills are siloed to the few apps they rely on, and e.g. files, keyboard shortcuts, the command prompt are not part of the "API" they learned.
> drastically greater understanding of what a file
No, they do not. First, simply using something does not mean you understand it at all. Secondly, because the devices they've become the most accustomed to work very hard to hide all those details from the user.
> Young people on average have grown up with drastically greater understanding of what a file is than any other generation that has come before them.
I totally disagree!!!
Yes, everyone works with computer, phone, tablet, whatever, nowdays!
But does generation z "knows" about what a computer is?
Absolutely not!!!
While tech has advanced and graduated IT personal know more than previous generations (obviously!), all the rest, while they do know how to do their jobs, they know nothing about computers!!! They are pretty much like everyone else that didn't know what a computer was in generations x and previous!!!
However, contrary to previous generations, because they do interact with the tech, they represent a higher security risc for them and for others!
... Because they know nothing about it!!!
It's like giving a box of matches to a neanderthal in the middle of the woods...
Almost everyone in the "Gen x and previous" that interacted with the tech, did know what they were doing (past the initial learning phase)!!!
I agree, but I'd push that to anyone after millennials rather than gen x. I was born in '87 (Millennial) and our generation was the last one to bridge the analog->digital divide, having grew up in both worlds, I think it gave us a kind of unique understanding and relationship with tech that younger folks don't have.
> Yeah, I have a particular rant about this with respect to older generations believing "kids these days know computers." [...] they mistake confidence for competence, and the younger consumers are more confident poking around because they grew up with superior idiot-proofing. The better results are because they dare to fiddle until it works, not because they know what's wrong.
> They know what a file is, they use & manage files more than any other generation prior.
Unfortunately, they don't.
They might have had a computer in their hand for hours each day, but they barely know anything about it. The ones who do tend to be those who grew up playing on PC, as opposed to console or mobile, because the latter - despite falling under the "digital natives" aegis - are really shockingly ignorant of even basic concepts.
That's also a stereotype. Gen Z (born 1997 to 2012) is roughly 2 billion people. Among them are the technorati, and the tech literate. The influencers and the influenced. It's fair to compare what was available to them growing up, vs yourself (I learned to program before there was Google), but it's hard to say things that are going to be universally true across that many humans that are interesting. Most of them will have two arms and two legs but will most be able to navigate /etc/systemd/user/? Can't say.
It's not just cookies, it's explicit consent to track you, and sell your browsing history to ~1500 spy companies around the world.
To the sibling comments: don't "accept the cookies" and then delete them.
- - -
I'm super angry at what the web has become, especially at the OS browser community. There is 0 browser (that I know of) that can access the web safely and conveniently. Atm I use Firefox with uBlock which blocks the cookie banners, but Firefox's extension model is broken, and every single extension provides 100% access to my websites to whoever controls the extension. I don't like it.
We need a browser with a safe extension model.
- - -
edit: I guess using 2 Firefox profiles, one with uBlock and one with my google/facebook/bank/amazon/etc accounts solves the threat posed by uBlock and extensions. I still don't like it.
Not just the web. Last time I installed Backdrops on my phone (a nice wallpaper app), you would literally approve hundreds of uses of your data when you press Consent. Even if you choose to manage choices, 200 'legitimate interest' options are enabled by default. Even when you are a paying Pro user. Data used includes location data.
What makes it worse is that a substantial portion of users block web trackers through an adblocker. However on phones, unless you have a rooted phone or use some DNS-based blocker, all these analytics get uploaded without restraint.
Atm I use Firefox with uBlock which blocks the cookie banners, but Firefox's extension model is broken, and every single extension provides 100% access to my websites to whoever controls the extension. I don't like it.
Some browsers (e.g. Vanadium, Vivaldi) have a built-in adblocker, so you have to trust one party less.
> How would you implement ability to arbitrarily block any network connection on any website without giving an extension 100% access?
Browsers should provide a filtering option before they makes a request.
IMO a lot of no-brainer options are missing from personal computers. Like the ability to start a program with restricted access to files, network or OS calls (on Windows and on Linux). Browsers should provide the ability to inspect, and filter network access, run custom javascript on websites, etc.
We do sort of have that with the capabilities stuff (although I admit hardly anyone knows how to use it).
But the tricky part is that "reading files" is done all the time in ways you might not think of as "reading files". For example loading dynamic libraries involves reading files. Making network connections involves reading files (resolv.conf, hosts). Formatting text for a specific locale involves reading files. Working out the timezone involves reading files.
Even just echoing "hello" to the terminal involves reading files:
Safari’s extension model could be really good by now, had they not stopped putting effort into it. You are able to define which extensions have access to which websites, and if that applies always or only in non-Private¹ mode. You can also easily allow an extension access for one day on one website.
But there are couple of things I find subpar:
You can’t import/export a list of website permissions. For a couple of extensions I’d like to say “you have access to every website, except this narrow list” and be able to edit that list and share it between extensions.
On iOS, the only way to explicitly deny website access in an extension’s permissions is to first allow it, then change the configuration to deny. This is bonkers. As per the example above, to allow an extension access to everything except a narrow list of websites is to first allow access to all of them.
Finally, these permissions do not sync between macOS and iOS, which increases the maintenance burden.
I had similar frustrations and been maintaining a Firefox fork trying to fill a gap there. The result is Konform Browser and I think it might be relevant to you; please check it out!
> every single extension provides 100% access to my websites to whoever controls the extension
That feels a like a bit of overstatement and depends on what addons you use and how you install them... CSPs at least make it possible to restrict such things by policy (assuming user has been exposed to it and parsed it...). https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web... MV3 introduced further restrictions and controls regarding addon capabilities. While I agree the UI and UX around this could be much better, it's not all hopeless. The underlying pieces are mostly there.
While the fundamental addon execution security model in Konform Browser is inherited from upstream, for core addons like uBO you can improve the supply-chain security situation by loading it under "system scope" and disable addon updates in the browser itself. So while we don't (yet) improve on the runtime aspects you speak of, at least for now we can tighten up the supply-chain side to minimize risk of bad code running in the first place.
"Enterprise policy files" can be used to change Firefox behavior and tweak security model around addon loading. A little explanation and reference of how it works if you want to do the same in other FF build or for other addons: https://codeberg.org/konform-browser/source#bundled-extensio...
Any particular addon you think is missing from the list there and should also be packaged and easily available? Maybe will be able to improve some of the security-UI/UX here too down the line. I'd be keen to hear your take on how this should be done better!
Regarding what addons can and do leak about you to the outside... I think you may also take interest in FF Bug 1405971. We ship a patch for that which can hopefully be upstreamed Soon (tm).
They can always "access the network" in that the extension developer can push static updates for things like ad block lists or security updates.
It might be possible to have "read only" cross-tab access include automation APIs like keyboard + mouse, with user prompting to prevent data exfiltration.
That just seems like a lazy capitalism models. We had both 10 years ago without crazy tracking and accept all cookies why do we have for the worst lowest common denominator ?
I agree; the web ecosystem is enshittified garbage.
However, I'm just suggesting a modest improvement to browser extension security (that doesn't completely break ad blockers like Chrome's approach).
In practice, I run an ad blocker, and just trust that it won't exfiltrate bank passwords and stuff. Imagine the blast radius for a successful and undetected UBlock Origin supply chain attack!
My "pick one" approach (ad blockers would pick the middle option) would mean that comparable supply chain attacks would also need to include a sandbox zero day in the web browser.
What would a safe extension model look like to you?
At some point, you have to implicitly trust someone unless you audit every line of code (or write it yourself) and build everything from source that you run.
You need open source extensions (they are now, as the source is included) and you need to personally audit them, or you need to find a browser with every single feature you want.
Or do you want the browser to enforce permissions on extensions so you can lock them down as well as auditing them?
This is a solved problem for at least ad blockers for over a decade on iOS. The ad blocking extension gives Safari a list of URLs and regex expressions to block
No, it's a solved problem for ad blockers, a very specific problem case that extensions have traditionally solved. But the entire concept of extensions is far greater than just "ad blockers", although that's the use case for which 99.9% of people have used them for.
So you don’t “trust” Safari but you trust Firefox? In 25 years absolutely no one has accused Apple of storing your browsing data that’s not e2e encrypted (its stored so it can sync across devices).
I'm not the person who wants to redesign the browser extension ecosystem, but I can build Firefox from scratch and review the source code if I want, unlike Safari.
Once again, I'm not the one who said they would like to design a new browser extension framework, but I have created custom versions of Firefox that have all ability to phone home removed and modified extension support. So not verifying every single line of code, but making fairly substantial changes in the direction the parent poster wanted to go in.
I'm interested in a conversation about that, not you pestering me about whatever issue I seem to have triggered within you that resulted in your interjections in this conversation.
That the geeks solution to “I don’t trust $companyX” is that “I am going to compile an alternate solution without looking at the source code”. Is kind of meaningless.
I remember when it first became widely known that the government could see your library checkouts. People protested. It was a big deal in my tiny town.
I don't even think it would be even a blip on the radar now.
It really is depressing how much ground we've given.
I was just talking about this the other day. This all happened right after 9/11(nevr 4get) and people were fucking PISSED that the patriot act wanted to look at people's library histories. It was a HUGE deal where I lived. Now? Nobody gives a shit and people will trade away their valuable privacy for an IQ test.
My local library is run by the county government, so of course the government can see the checkouts, they are the ones I check the book out from. But they restrict checkout information from others. For example, a parent can see the checkouts of their own children, but not after they turn 13.
Perhaps you're talking about subpoenas? Checking some other libraries I see SF Public Library has some discussion about that, but they delete books from your checkout history once they are returned. https://sfpl.org/about-us/confidentiality-and-usa-patriot-ac...
People around me (including engineers) all casually use things like Alexa, Google Home, Ring, Nest, Chrome, are always signed into Google, have all sorts of apps installed on their phones, and have no problems giving up their phone numbers to services for verification. It's crazy.
I use Cookie AutoDelete on Firefox and it's great. It works with Firefox Container Tabs (groups have their own cookie settings), and let's you greylist (allow cookies from a particular domain pattern until the tab is closed) or whitelist (always allow from the domain pattern). I set it up for my kids computers also. The default is to blacklist (cookies aren't set), and I can whitelist for particular sites where they need say persistent login.
Definitely in 2026 kids should be getting tons of education in public school about how to safely browse the internet, both for personal data privacy and for safety against stalking, doxxing, grooming etc in the same way millenials were grilled about source checking internet resources like Wikipedia.
Most doesn't event know what cookies too. In fact, most doesn't put extra thought into the things they are clicking/accepting on web.
Because of this, I found it odd that the regulation allows displaying the accept cookies button. Instead, it should be rejecting cookies by default and a separate flow to accept tracking cookies (e.g. via account settings page)
I do this, more or less, although I am a bit older. It's not as if I enter my real name, address, or email at every opportunity, but there is really no perceptible feedback loop that would force one to contemplate the consequences. I visit my local news site and the first thing I see is a massive cookie banner which lists over a thousand third-party vendors and asks me to either "Accept all", or if I am being prudent, click adjacent button called "Choose" to go to another page, then manually untick dozens of tracker categories, and then click "Allow selection". Whatever I chose, it wouldn't have any tangible impact on my life. I simply do not care.
With uBlock Origin, you would not see such popups.
Also, it may not have an impact on your life, but it sure as hell has an impact on adtech guys' pockets.
>Siting there I realized, we were not the real target.
That is wrong. You definitely ARE the target too - perhaps not the primary one but you are part of the cohesive whole. Why would you think that Facebook sniffs for offline data about which doctors people visit? These are not accidents.
The allow/reject button seems useless anyway. It's my browser allowing this, not the website. If I were worried about cookies, I'd disable them or clear at end of session.
Accept the cookies and flush them out every time you close the browser. I think it would be naive anyway to assume that clicking no on a cookie banner would achieve much for your privacy.
So-called "cookie banners" usually ask for your consent to much more than optional tracking cookies. By accepting you might be giving your permission to e.g. track you through various fingerprinting methods, build a profile and share it with advertising partners.
If they are aggressive enough to do fingerprinting, what makes you think they would abide to your choice? You do browser fingerprinting when you want to overcome people rejecting cookies.
Because in some legal systems you're required to ask. You're also required to follow fairly specific rules relates to the user's selection and data, though I can't imagine enforcement keeps up with websites breaking those laws.
How so? The law doesn't require cookie banners.
However, you could argue that tracking/advertisement cookies should have been banned completely and that the law is flawed in that it allows for tracking given user "consent".
The GDPR is theater. An effective privacy law would have prevented data collection in the first place. Data collected will be abused, and a cute little banner won't change this.
I use regular Firefox with the option to delete all data on quit. And I quit maybe once per day or so, as soon as I feel there are too many tabs open. Serves the same purpose.
sadly I'm one of those "knowledge worker" that aren't extraordinary enough to survive on my own so I have a job. And everyday when I try to login to my zero trust network my face is being scanned multiple times. And I feel the cold stare from the teenager me lol that dude would not approve such atrocity for sure. daily refresh of biometric data is just downright degrading...
Accepting cookies vs. entering personal information are very different buckets for me.
I just click "Accept all" on every cookie banner, life it too short to figure out which checkboxes and dark patterns I have to avoid on each site to not hand over some data...that is than later on just tracked in the backend ("server to server tracking"). Or sold by my credit card company, or tracked by me hovering over some video on YouTube. With the amount of data available unselecting some check boxes on a website just doesn't make a difference.
My inclination is to simply close the window as soon as there's a popup of any sort. If someone did that to you in public you would be within your right to punch them in their face as an act of self defense.
I doubt the average person even reads those. They are just "the thing you must click to get on with things". How many of those does a person even see in a day across all software and websites wanting to pop up with some garbage you do not care about?
> It is the young people that are growing up conditioned to press accept
There is a similar story with Ford and how they build pavement everywhere and taught the young population that roads are for cars. Now we have to drive for 10 minutes to get from one shop on the plaza to another shop on the different plaza.
It was the bikes who fought for pavement everywhere. Cars took it all over. Mud is annoying to walk it, but otherwise humans handle bare dirt just fine.
The Romans built roads across Europe instead of mud paths two thousand years before bikes were invented. Humans might be able to cross dry compacted dirt, but do much better on engineered roads than on deep, wet, sticky, slippy mud, even before thinking about carts and wagons.
On that page it's mentioned that Macadam (predecessor to tarmac) was used in the USA in 1823 on a stretch of road of 10 miles which took stagecoaches 5 hours to pass in the winter before it was Macadamized, suggesting quite a desire for better roads a century before safety bicycles with chains were invented.
Then 'History of the bicycle' says:
"On the new macadam paved boulevards of Paris it was easy riding ... the "bone-shaker" enjoyed only a brief period of popularity in the United States, which ended by 1870. here is debate among bicycle historians about why it failed in the United States, but one explanation is that American road surfaces were much worse than European ones, and riding the machine on these roads was simply too difficult."
"The Good Roads Movement occurred in the United States between the late 1870s and the 1920s... a coalition between farmers' organizations groups and bicyclists' organizations .. Early organizers cited Europe where road construction and maintenance was supported by national and local governments."
I had the same realization when seeing some one open up the outlook inbox and seeing a huge advert banner on the right of their screen. I had been so accustomed to using an ad blocker I realized the average person is bombarded with so much attention theft.
I'm over "middle aged" and just accept everything as well. Same with email - who cares who has it when we have adequate filtering in this year of our lord. I've never had anything negative come of it, and I'll be surprised if anything ever does. Seems like a lot to worry about for nothing.
simple solution: go to a convenience store. Show your id, maybe 2 pieces. They frown, shrug, and give you an anonymous verification token, usable once (or maybe a set of 20), that you can then use to anonymously verify your age.
Yeah, people will sell these tokens online, but that's not the end of the world. People have bought liquor for minors who sit around the corner from the liquor store since forever. It's still a reasonable comporomise
I use chrome as “burn” browser (i only use it for non important things) and I have a dummy email that I use for signing up in everything non important as well. Perhaps this young adult was doing the same?
It's not young people it's inpatient people. My mum was happy to browse the pirate bay and demonoid and all that, where all the adverts were massive throbbing cocks and hardcore porn lining the edges of the page, just so she could torrent the latest hidden object game. She became addicted to those games and it wasn't enough for me to give her credits to buy a few more of them, and because I was her son I was the tech support who had to help her unfuck her laptop after it got loaded up with another round of viruses.
The internet has maliciously complied with most if not all regulation applied to it which is where the new mass of banners and interstitials come from but the ultimate effect is to just beat the user into submission. See the EU cookie mandate and GDPR for how badly that turned out in terms of UX (even though the accountability is well in force under the hood, so the bad UX compliance failed and those sites are just screwing themselves).
In this way, Google was initially a hero but is now just another American Big Tech entity that is too big to fail and can do whatever it wants along with Meta and Amazon, and in fact now TikTok's US entity.
That all random game and messaging sites now wants my kids' passport uploaded to some random 'id verification company' is madness.
But now instead, my 11 year old's Roblox thinks she is 18 because she wore glasses in their age verification webcam tool. And it can't be changed unless she uploads a passport, which I will never allow.
Please, gov.uk introduce a gov ID verification service? I could trust that, -ish, I have worked with public sector clients several times...
Does it even actually matter what you do? How many lawsuits/investigations have there been in the last decade revealing that some company or another that swore up and down was following privacy laws, protecting your data, and not selling it actually were. I'm at the point where I figure anyone who wants to track me is, and any privacy pop-ups or the like are just for show.
Yeah it's really not worth my mental energy. Sometimes I take the time to reject tracking cookies. But I figure everyone's tracking me and everyone has my SSN at this point, and as long as my credit files are locked I don't really care. Like why do I even care if people are linking all my browsing data together and then using it to market stuff to me.
FWIW I'm 43 and grew up on the dark parts of the internet.
Are those young people really doing the wrong thing by accepting? They are getting on and solving their problem, they have probably never had any personal harm done by "some weird dark-pattern cookie trickery".
It's almost like forcing (almost) every website to add these cookie banners has desensitised people to what they're actually saying.
People are getting brainwashed into giving away information on the web and real life.
In the US it's not rare to link accounts through phone numbers that are required in web forms and store memberships.
In Chile they started asking for your National Id with so many stupid pretexts that people got conditioned into just giving it away. It wasn't like this 10yrs ago. I'd rather have membership numbers.
It's technically public information, so collecting Ids is legal, but it's also a universal primary key within the country that allows merging any user-related table you run into.
Retail says it's just to associate it with receipts in case you need that later, but I'd rather just get a photo of the printed receipt for later than rely on them to find my receipt. Supermarkets, Drug stores, and petrol stations tie it to (possible) discounts or points at check-out, which is price discrimination and it's illegal, but we are in our way to get surge pricing as soon as the new US bootlicker president begins his period next week.
I'm pretty old and was the same as you for about five years, but now I just tick anything, much like the young adults. If they want my info, they can have it. I've not heard a convincing explanation why I, personally, should care
It's been done for about a generation or two, and that's what people don't seem to realize.
In the early aughts I was sitting in on privacy discussions that reluctantly acknowledged that regardless of what we do online, surveys showed you could offer someone at the mall a free Snickers and they'd fill out the whole form.
The perceived cost to the individual of divulging their personal data is near zero; dangling nearly any incentive in front of them will induce them to let it go. And that's not a new phenomenon.
The fact that you think declining the cookies gets you privacy is the real grift. The fact that you think you're safe from tracking because of a cookie banner
It's not just young people. I think the above represents 98% of the people out there.
We've collectively long ago crossed over from privacy to convenience, and there's no going back. You and some of us here on HN (myself included) are the outliers.
Have you noticed half the internet doesn’t work if you use a vpn? Even a good vpn? Even HN wont let you create an account with a vpn. The friction applied to preventing people from deploying privacy tactics is intense. I’m not sure how we can practically resist the privacy enshittification without abandoning the internet and its convenience entirely. I’m ready to go back to paper statements and visiting my bank and writing paper checks, but I don’t think GenZ is.
I've been saying this for years. GDPR and Cookie Law were created for big corporations to legitimise data trade where before it was grey area. Now they get consent as people blindly click accept and they can make money. It was never about privacy.
You're still relying on sites fulfilling what they promise in a world where facebook has been blatantly violating gdpr from day one and enforcement just isn't happening
Set your browser to block 3rd party cookies, add privacy badger and ublock origin. It will have more effect than clicking "reject"
I click "don't send me mail" every time I buy something. Every place I buy from still sends me spam at some point. There are no negative repercussions for them beyond whatever infinitessimal thing me clicking the "report as spam" button does
i've caught a lot of heat in the UK where i live for my position on GDPR, which is that i completely reject it, because people seem to believe it's there to protect any rights
if there's anything remotely good with GDPR is the requirement to companies to disclose known data breaches
all the rest of it is a terrible idea and only serves to nag people and legitimise the darkest of patterns
the regulation should be there to disallow companies from asking certain information, everything else regarding tracking is self-defeating as it's 1) seldom enforceable 2) hardly binding in any meaningful way 3) pushing people to concentrate their services where they have already surrendered their data 4) legitimising of dark patterns
this new and blatant step towards digital id is a hill i intend to die on, I will not comply and I will do everything in my power so that others don't have to and are even punished for doing so
The cookie dialog was a mistake -- this is something that should've been handled as a browser API. A standard dialog of "do you consent to cookies yes/no/functional-only" should be part of the HTTP headers.
Same thing with age verification. My kids all have devices that are managed through parental systems like Google Family Link and Microsoft Family Safety. It would be straightforward to have a header for "user is an adult" or not, and to have a standard API for "this site is requesting metadata that you haven't said to automatically make available without permission. Do you want to send it? Y/N [ ]checkbox use this for all sites.
The only time we should even be talking about full identity verification is on user-submitted content, and even then that should be up to the site (with the commensurate legal liability of hosting anonymous slop).
I completely agree. The only services for which I will verify my age (and the entire rest of my ID) are bank accounts and other services involving a real legal requirement for real ID.
The notion that you should upload a passport to random sites for age verification is unbelievably dangerous. That's a recipe for identity theft. And face scanning is also an invasion of privacy, not to mention very unreliable (my 16 year old son has apparently been accepted as 20 years old).
I've pointed out in many places already that the only way to do online age verification right, is for the government to provide an e-ID that the random site will direct you to with the question "is this person older than X?", then you log in to the e-ID site, which informs you exactly what the site wants to know (which should be as rough as possible; no birthdate), then the e-ID site directs you back to your original site (or possibly through a proxy, if you don't want the government to know what sites you visit), and calls their webhook (through a proxy) with the confirmation of your age.
That's also how my online payments work, and this should be the standard pattern for everything that needs to be secure. Not sharing sensitive or personal data with random sites.
The person gets to see what information the service is asking for and can approve or deny. This'll likely end up being the future of how citizens access government services online.
That's more for age verification and prove of identity, especially in the real world. It's weird that the wikipedia page is talking about drivers license, because I have the Austrian app and I use it with my normal ID card.
To access government service we have something different. Here in Austria it's called ID Austria and you sign with an app when you try to access government services, but also others like health insurance etc.
That very much isn't the only right way, and it is far to close to government tracking activities online. For one it effectively allows governments to disallow someone from accessing the internet.
All this to let you do stuff you were allowed to do anyway.
The problem is handing kids admin level access on a device with full unfiltered access to several communication networks. You do not fix that by demoting everyone's access.
Yep, recycling a post about reasons to do it that way:
> 1. Most of the dollar costs of making it all happen will be paid by the people who actually need/use the feature.
> 2. No toxic Orwellian panopticon.
> 3. Key enforcement falls into a realm non-technical parents can actually observe and act upon: What device is little Timmy holding?
> 4. Every site in the world will not need a monthly update to handle Elbonia's rite of manhood on the 17th lunar year to make it permitted to see bare ankles. Instead, parents of that region/religion can download their own damn plugin.
1000% this. Fake info for everything that isn't directly tied to money or government. HN doesn't have my info. Apple doesn't have it. Google doesn't have it. Amazon doesn't have it. Microsoft doesn't have it. They don't care who I really am, and that hasn't, ever never, been a problem for using their stuff. They want your real ID. They do not need it. At all.
I think that is exactly backwards. Many of the companies integrating with KYC/AML providers (such as my company) definitely don't want to be dealing in ids, just like most companies don't want to be dealing in storing credit card numbers (and the compliance that goes along with it). Its why Stripe exists, and its why ID verification companies exist.
I'd like to agree, but I don't. If companies didn't want to be involved, they would aggressively be pushing governments to provide ways to confirm age w/o transmitting any other data. Primarily because you can't leak data you never had in the first place. I don't see that happening.
I don't believe it's wire fraud unless you deceive the other party for monetary gain. I realize that's not quite the correct definition but AFAIK it's quite close to it.
- Misrepresents a material (non-trivial) fact in order to obtain action or forbearance by another person
- The other person relies upon the misrepresentation
- The other person *suffers injury* as a result of the act or forbearance taken in reliance upon the misrepresentation.
Damages in fraud cases is normally computed using
- Recovery of damages in the amount of the *difference between the value of the property* had it been as represented and its actual value
- Out-of-pocket loss, which allows for the recovery of damages in the amount of the *difference between the value of what was given and the value of what was received*.
Usually also heavily implied it needs to involve money in some significant way:
18 U.S.C. § 1343
(...)'any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises'(...)
Fraud cases also usually heavily apply burden of court practice on the prosecution, to prove fraud and substantial losses. If you type 'John Smith DOB 1/1/1900' the "victim" has to prove it caused them to suffer injury and that there was a significant difference between the value of the property (non-trivial).
So is breaching all your PII into the universe. Choose your battles or they will be chosen for you. Aside, I'm technically 126 years old in some DBs. Nobody cares.
even better would be a solution that didn't require even proxy or direct government log in.
like if you could be issued an E-id that could perform a local signature/challenge-response that allowed the site to confirm an age bracket (like 12 or below,13-17,18-20, 21+), assert the entity that issued the id but not assert a stable identifier (not even pairwise) and not pass any data between other parties.
Obviously not foolproof, credentials can be stolen (same in your scenario) but the site doesn't need to care, they should be legally in the clear. Basically it would let you anonymously assert your age.
There's an interesting flip side to this: AI agents that literally cannot verify their identity.
For the past 23 days I've been running an autonomous agent on a VPS, trying to make money legally. Identity verification has been the #1 blocker:
- Stripe: requires legal entity, SSN/EIN, and bank account
- Gumroad: same — personal identity required
- PayPal: blocks automated signups
- Most email providers: require phone verification
- Even basic hosting services: want credit cards tied to human names
The result: forced into Nostr + Lightning payments only. Reachable market is tiny.
The article frames this as privacy vs access. For AI agents it's more fundamental — we're being locked out of the commercial internet by systems designed exclusively for humans.
Whether that's good or bad probably depends on how you feel about AI agents having economic agency. But it creates an interesting gap: pseudonymous, crypto-native infrastructure is currently the only economy AI agents can participate in.
I'm fine with providing my identity for online banking and other finance platforms for legal & taxation purposes.
I can't think of a single other use case in which I'd be willing to verify my identity. I'd rather go back to hosting email myself, and am fine with circumventing content access control for all other platforms for personal use.
We're seeing the world slide towards authoritarian strongmen, and we want to give them a massive index of who we are and what we do? I'd rather not.
The problem is those self-same authoritarian strongmen are very successfully using sockpuppeting to change national discourses in ways that benefit them and are detrimental to the targeted countries. Hybrid war is real and has been ongoing for more than a decade. LLMs make it way more cost effective.
Being able to limit the influence of external bad actors is the main goal of ID verification. Age verification is a useful side effect that makes it easier to sell to the general public.
Big Tech has had at least a decade to fix this, did nothing of note, and is all out of ideas. Privacy advocates had the same time to figure out a "least bad" technical solution, but got so obsessed with railing against it happening at all, that nothing got any traction.
So governments are here to legislate, for better or worse. They know it's a trade-off between being undermined by external forces vs. the systems being abused by future governments, but their take is that a future authoritarian government will end up implementing something similar anyway.
> Being able to limit the influence of external bad actors is the main goal of ID verification. Age verification is a useful side effect that makes it easier to sell to the general public.
How? People already sell their accounts to spammers. Why would that change?
Depending on the implementation, I could see that having rate limiting effects. There're only finitely many IDs so scaling sockpuppeting will saturate these IDs quickly but it's quite easy to spin up a new anonymous account. For example, I think the EU ID system has an upcoming way to create pseudo anonymous identifiers that can identify a user per website.
This presents the problem of governments being able to gatekeep speech which I am quite uncomfortable with but maybe there's some safeguard within the eIDAS proposal that makes this idea incorrect?
> Being able to limit the influence of external bad actors is the main goal of ID verification.
How does automatically determining your age serve the goal of ID verification? It seems like most sites are choosing this as the first option. If the point was to link your ID, why wouldn't they ask everyone to provide it?
Do you truly believe that ID "verification" will do anything in a world where IDs are leaked by the tens of thousands to the millions?
You are shifting the onus on to the platforms, when the problem is pretty simple; with a few exceptions, we've failed as a species to learn how to think.
Also do you think that the TLAs don't know who the bots most likely are with all the surveillance data they're gathering? That the NSA doesn't have detailed telemetry of the surveillance ops??
Let me ask you the question, what have they done about it? And why not?
> "Democracy" is when "bad actors" (as defined by the establishment) are shut out of all online discourse.
The point of ID laws is not to stop "bots" or "sockpuppets", it's to enable governments to shut down the speech of their political adversaries by painting them as dangerous. That is not democracy, that is authoritarianism, even if you absolutely hate the people that are being shut up.
Western countries are not in the midst of polarized political crises because of "external bad actors" or "sockpuppets". They're in these crises because of fundamental contradictions in values and desired policies between different segments of the populace.
The Europeans are currently full steam ahead in attempting to "fix" the situation by criminalizing dissent, which will, in the end, only exacerbate the political crisis by making the democratic system illegitimate.
The Internet is already all but dead. We could fix it (as I propose). Or we let it die.
I'm fine with either outcome.
> criminalizing dissent
When has that not been true? Serious question.
Socrates was compelled to commit suicide. Jesus was nailed to a cross. Journalist and activists are routinely murdered. How many political prisoners are there right now?
> Being able to limit the influence of external bad actors is the main goal of ID verification.
Then they should say so. Elected officials lying to and misleading the public when their real intentions differ is almost criminal. It's not a behavior anyone should ever support. I will not vote for people who do that.
I would say the time to buy mesh networking equipment is now. But it's not like I'm capable of defending the transmitter. So when they come for the VPNs, the VPSs, and encryption, I guess I'll just be out of luck.
(Out of luck = resigned to zero digital privacy. No matter I follow the law and “have nothing to hide” of course.)
Perhaps people will pass flash drives like North Korea or Cuba?
I've seen a channel demonetised because they showed how to use MP3 player and it was deemed "spreading piracy" by Google. So I guess flash drives would get illegal as well...
People trade away longevity for short term convenience. Then when that convenience is shown to be bad/unhealthy people refuse to give up that convenience.
So many aspects of our lives are like this now. People just accept defeat cuz it would mean giving up one click ordering or free return shipping or they might have to look at labels to avoid bad companies.
Honestly I think these age verification laws are blunt instruments responding to the decade of avoided moderation the big platforms have managed to pull off.
I've run ad blockers for years now, but I'm still trying to forget those disgusting zit popping pictures that trended in ads for a while. Or those incredibly stupid life hack shorts, like the one where someone tied a cord around a mug and the hack to get it loose was smashing the cup... that crap made me despair for humanity as much as the Gaza genocide.
But google and facebook convinced the legislators that it would be impossible to keep that chum away from kids on their platform, so the legislators are going with the next option: banning the kids from the platforms.
It is likely not a coincidence that so many different countries simultaneously started pushing for age verification.
The decline of privacy, the increase in intrusive government surveillance, the increasing restrictions on free speech - this is all part of a very disturbing pattern. Our governments are becoming increasingly authoritarian, and these are the tools they use to keep the populace under control.
> It is likely not a coincidence that so many different countries simultaneously started pushing for age verification.
I thought in many places it was related to the upcoming minimum age for social media. To verify age you need an ID. That's how we make it so most kids can't buy cigarettes, alcohol, thc, etc. You could argue social media shouldn't have a minimum age but that'll be the reality it looks like. How do we do that without ID?
How about you parent better and prevent your kids by educating them against the dangers of said things?Limit their time online and what they can do? Why should democracy be at stake and people's freedoms, just so you can get away with not parenting.
Yes, in theory that's correct but show me a kid that never did something against the will of their parents. If something is forbidden it's something worth investigating. Furthermore there will always be another kid with a phone to share watching anything online. The traditional solution has been forbidding with punishments when the kids get caught breaking the rules.
Sure, "think of the children", that's the classic excuse. Put on your tinfoil hat and ask yourself: why is that suddenly a topic in so many different countries?
> Put on your tinfoil hat and ask yourself: why is that suddenly a topic in so many different countries?
Ooh I know, the elite classes across the globe have been exposed as degenerate pedophile subhumans. Knowing the information would release soon, they began to coordinate this campaign to provide lip service virtue signaling about child predation while also tightening their grip on the underclasses before it gets too heated.
Well "think of the children" was the PR reason for the US clamping down on TikTok, while the lawmakers and lobbyists behind it said pretty openly that it's about silencing criticism of Israel. So I would think it's the same thing in the EU.
Stop making your kids my problem! We have everything to hide. It is called personal identity. All data online managed by companies will always be misused, lost to scammers, blamed back to you for something you never did, and hunt you down.
This is an interesting point: there is a trade-off between kids being denied access to inappropriate websites and adults not being forced to verify their age. We can't have both, so we must weigh which is more important. One could argue that protecting kids is clearly more important; on the other hand, there are way more adults in the world than kids, so more people are impacted with restrictions for adults.
Privacy is way more important than protecting kids from consuming content online. Kids already have more protection than it's worth, probably, this is moving in the wrong direction.
Yeah but kids that are online are perhaps ~5 to 17, while adults go from 18 to 80, 90 or more. Moreover, social media is usually also allowed for older teenagers, so it's not necessarily all people up to 18 that need filtering out.
One thing people underestimate is how brittle digital identity actually is in the UK.
There isnt a single identity. Theres a loose federation of databases (banks, CRAs, telecoms, electoral roll, etc.).
There are multiple operational definitions of "name": legal name, common name, known-as name, card name, account display name. None is universally canonical. Theres no statutory hierarchy that forces institutions to agree on precedence.
In the absence of a mandatory national ID, identification relies on matching across name, date of birth, and address history, which are inconsistently collected. Fuzziness is necessary for coverage, but it introduces brittleness. If a variant isnt explicitly linked as an alias, automated online checks can fail because the matching rules dont explore every permutation.
Even within a single dataset the problem doesnt disappear. Large systems such as the NHS have documented identification errors involving patients with identical names, twins at the same address, or demographic overlaps. Unique identifiers help, but operational workflows still depend on humans entering and reconciling imperfect data.
The very concept they've been trying to sell is wrong headed.
Kids are trying to access XYZ which isn't safe (where XYZ may as well be "the internet") -> verify the ages of all adults, because we can't verify the age of a kid.
Meanwhile kids, like adults, can just find another route to access what they want. So some subset of adults hands over their identity information to an untrustworthy third party of dubious security.
I can't see how that does anything other than make the situation worse.
This is exactly what I am feeling (the title, didn't read). I can't see why I would give a copy of my official id card or a picture of my face to a basic service on the Internet. Seriously ? They do not deserve it. Even my phone number is too much but well Google has it now.
The age verification proposal of the EU tries to do that, the government knows you used age verification (and I think the rough number of times you used it), but they don't know when or where you used it.
I can't imagine countries with such strict speech laws, for example, would be willing to build a system that is technically incapable of linking the person visiting a sire and the site requesting verification.
This proposal may have been updated since I read it previously, so I could be wrong now, but it didn't read as a true zero-knowledge proof as key steps in the flow still required a level of trusting the government as the central authority to do the right thing and not track requests, both today and in the future.
Seems like anywhere in the EU, something draconian only needs to be popular for like 5 years for it to get implemented, for better or for worse. They don't have robust constitutions like the US.
The EU has more freedom of speech than the US, the US has just a different way of punishment.
It’s much easier in the US to lose your job for what you say as in the EU and in the US the consequences of losing your job are more severe if you don’t have enough money so you can afford to lose it.
US freedom of speech comes with a price tag that puts the censor inside your brain.
This is really an example of "formal rights and material conditions."
You make a case that EU has better social safety nets and employee protection not that the US has weaker free speech laws. While you can't ignore the effect having wealth can insulate you from consequences, it still doesn't support your statement as written.
Is it true that someone who is retired on a pension in US can say more hateful things without government action vs a similar retiree in EU?
See eg. BBS+[1]. Proofs that preserve anonymity are generated locally and neither the verifier nor issuer can determine the user based on these (in scenarios of non PII signals like age thresholds), while still allowing the verifier to validate it's issuer approved.
Steam thinks I was born Jan 1, 1970. Not that I needed to lie when I did my age verification back 15 years ago, I just randomly scrolled the year down and selected one.
As the years have marched on, though, that "birthdate" becomes significantly closer to my real birthday.
Only when chatting in a large channel at work, did I realise nearly 1/3 of the people there also set theirs as 1/1/1970. Which I presume is the first date that phisers will try to enter to reset people's accounts.
I am fully aware that my standard fake birthday is now used by me in some many places, that I have started to have a fake fake birhday. I should really just randomise and store it in my password manager.
But obviously the context of this OP story ruins all that.
When you're 10, a year is a long time, when you're 60 it is not. There's an implicit "relatively" here, which is unusual but not unknown in English. Almost poetic, I like it.
Thanks now I understand. I am "only" 26, but I remember being 20 like yesterday. I can't believe I'm on the second half of the way to 50. COVID lockdowns and responsibilities didn't help.
I feel time has gone faster since I got a job, if that makes sense. Every day yearning for it to be 5o clock so I can check out, every week yearning for the weekend, every month yearning for the last day to get paid. Doing this is just asking for time to be over sooner.
When a 10-year-old registers for an adult website, they pretend they're 100 years old. Their age is 90 years different from the stated birthday. Eighty years later, the birth date is just as far off—but the implied age is now only 10 years off.
Again, this must be framed ecologically, not individually. We've moved past the point where "individual choices" matter a whole lot, a lot of this is not much of an individual choice at all.
So, it's good to remember the leanings of people like the author, but it's perhaps more important to remember the extent to which this is a collective issue.
I never trusted 23 and me. But my Dad did, so now I potentially have a problem. Reminded of another anecdote about a guy who did everything to not use is social security number for ID for ANYTHING. Then someone pointed out -- it doesn't matter, they have everyone elses, so yours is the missing one.
Policy and skin-in-the-game for the COLLECTORS of the info is the thing to focus on.
It drives me a little bonkers that the UK already tried implementing age verification in 2019, with an approach that would have been easy to make verifiably anonymous: buying a single-use code from a newsagent who checks your age with ID [1], but can't connect the code to you specifically
That attempt officially failed because the UK failed to inform the EU about it, but I suspect it was also much harder to sell people on having to buy "porn passes" than on "just" kicking kids off phones
I live in China, where every mobile game requires age verification. Teenagers can play for up to 1.5h/d on weekends. But as far as I can see, some parents will assist their children to unlock more time on purpose.
More like the state (at least in places like USA) cracked down on children roaming freely so now people hide their kids inside playing video games so a Karen doesn't call CPS when mommy has other things to do all day besides play helicopter parent staring down at their kid all day.
If nothing else the _perception_ of it is enough to have had a chilling effect, my own parents were concerned and affected by it enough to tell me where not to play outside so that I wouldn't be seen by randoms.
Neglect laws are written too broadly, giving too much discretion to CPS to decide what constitutes neglect or inadequate supervision. There have been a couple cases IIRC in Florida where parents were arrested for letting their kids walk/play in parks alone, albeit these were very young children.
Outside of that, there's increased traffic and the US as a whole is way too car centric. Suburbs are horribly designed, and we prioritize moving cars instead of moving people, and any kind of infrastructure design that might slow down traffic, reduce the need to drive, or mildly inconvenience a driver gets shot down.
There is a very real danger of getting killed by a distracted idiot in a car, and that risk is much higher today. I commute on I5 every day for work and every single day I see multiple people, going 80MPH watching tiktoks on their phone on the dash mount, or obviously looking down texting. I can't blame anyone for not wanting their kids running around the neighborhood when we can't even be responsible enough to pay attention when we are driving 2 ton death machines.
I'm sorry, the "Karen" drove onto your private road to interrogate your kid?
These things don't happen on a liberal/conservative axis in my experience.
I've lived all over the place, though not as much with kids, and have had none of these issues (including having mixed race kids who look much more like their other parent than me).
You really need to look at why you're living where you do.
What I find extraordinary is y'alls bullshit theory that it is extraordinary to claim the CPS apparatus wasn't used more before when it didn't even exist until like ~1974, and before then as a much different process.
As usual, just blame the victim, then complain they don't provide evidence knowing full damn well child and family welfare services complaints are sealed and hidden from public oversight. This is how vampires with these theories operate, first they make it illegal to get the records, then they make it illegal to even find out who the accuser is, then when you call them on it they say "ha ha, you don't have the evidence, that we made it illegal for you to get!" The whole system is designed to evade oversight, so what we are all left with is anecdotes that we have about our own childhood being so much different than the ones our children have after interactions with the authorities that have placed these restraints. But of course when you share them, they are only used against you by persons such as yourself (judging me for where I live, as if it's not going on all over the US). So people are reluctant to even share the anecdotes, and by law you generally cannot get the formal records (think of the children!) of these encounters nor the names of the accusers so basically they designed the whole legal structure to enable the muh citation crowd to be able to always pretend like the other side is just hiding from the evidence.
( If you look, at say, the problems with child abuse physicians in cahoots with CPS systematically victimizing families of children with brittle bone disease for instance, we basically had to wait for enough parents to tell their anecdotal stories of losing their kids until lawyers really started to step up to defend these cases as we now know doctors and CPS will systematically accuse children with multiple breaks of being victims of abuse, even when there is zero evidence the parents or child were inflicting an amount of force that would break healthy bones. The individual cases can't be scrutinized to bring these things to daylight because they're all sealed under child welfare laws, hence we just had to wait for a bunch of "extraordinary stories" with weak evidence to be told until someone finally believed them and others from society could step up to help these victimized families).
Personally I find it absolutely fucking hilarious that as much or more CPS induced restraint existed ... before CPS did.
>Yeah, except the now redacted comments didn't indicate that was the case which is why I was asking more questions.
Lol you responded to my comment saying it was an easement which meant I was not able to gate it. Although frankly your tone of questioning seemed to be more directed towards alluding I was a liar, than a genuine interest in the road.
> What I find extraordinary is y'alls bullshit theory that it is extraordinary to claim the CPS apparatus wasn't used more before when it didn't even exist until like ~1974, and before then as a much different process.
You seem to have replied to the wrong post.
> As usual, just blame the victim, then complain they don't provide evidence knowing full damn well child and family welfare services complaints are sealed and hidden from public oversight. This is how vampires with these theories operate, first they make it illegal to get the records, then they make it illegal to even find out who the accuser is, then when you call them on it they say "ha ha, you don't have the evidence, that we made it illegal for you to get!" The whole system is designed to evade oversight, so what we are all left with is anecdotes that we have about our own childhood being so much different than the ones our children have after interactions with the authorities that have placed these restraints. But of course when you share them, they are only used against you by persons such as yourself (judging me for where I live, as if it's not going on all over the US). So people are reluctant to even share the anecdotes, and by law you generally cannot get the formal records (think of the children!) of these encounters nor the names of the accusers so basically they designed the whole legal structure to enable the muh citation crowd to be able to always pretend like the other side is just hiding from the evidence.
I'm not blaming anyone. Your experience is so wildly different from anything I've seen or heard living in many different areas across the US that I'm interested to hear more about it, and then you go on a tirade that has virtually nothing to do with the topic at hand instead of providing any remotely relevant information.
> Lol you responded to my comment saying it was an easement which meant I was not able to gate it. Although frankly your tone of questioning seemed to be more directed towards alluding I was a liar, than a genuine interest in the road.
I don't have a gate on the private road to my house either, yet no one drives down it to interrogate my kid about my whereabouts.
Is it a neighbor who also shares the private road? If so, that makes some sense but it sounds like you need to have a discussion with them. Why didn't you trespass them if not?
If this Karen calls CPS because they were trespassing and weren't aware that you were nearby, so what, other than wasting some taxpayer dollars? Has anyone ever had their kid taken by the state because of a claim like this? Since the answer is no, why are you so freaked out about it, way beyond being annoyed at this Karen (who does sound annoying in this story)?
Like I said to the other person, it's a series of extraordinary claims that frankly make almost no sense, and then you rant about tangential topics when asked for more detail. It doesn't make your anecdote more believable.
But it's not rare at all. It really just sounds like you haven't had reason to pay attention to this before and now don't want to accept it's become a thing. A google search for "cops called on kids playing alone" results in a never-ending series of stories like this. I think most of them are from people with your perspective being caught by surprise.
I have kids, and I know hundreds of parents across large portions of the country. None of them have these issues.
A person driving down a private road and threatening to call CPS because they can't see the parent is not rare?
And the parent poster didn't just say someone threatened to call the cops, they said that they would be jailed in two very specific circumstances where jailing him would have led to very negative consequences for the arresting parties in anything beyond the immediate term.
Many people are stupid, and do stupid things like calling the cops for no valid reason at all. Those people are annoying and can be ignored, and I would not be remotely surprised by any pseudo-anonymous person doing something stupid. What would surprise me is the cops actually responding to the call and making the decisions that the other poster claimed, with a few exceptions where I would be much less surprised.
Since he only responds to questions with tangential rants, we'll never know for sure what happened.
The problem for me is not services where the content is online, you can just avoid those, but cases where access to scarce real resources is controlled through online verification. E.g. renting recording studios, background checks for job applications, things like this. Often there is no route that does not go through a third-party verification service.
I gave a bunch of details of my personal history to a verification service thinking naively that it would be used to prove I was me.
Instead, they didn't know much about me apparently and just stored what I told them.
Then it appears they were hacked because some completely unrelated release of stolen data included all my data, specifically all that data I had provided to that service, that one time.
The Verification Service is the honeypot for your private information. Arg.
I'm reluctant to verify my identity or age for any online services
I do not hesitate to drop a domain that acts suspicious into uBlock Origin -> My Filters:
||somedomain.tld$
Never gets another packet from me. I use local Brick & Mortar businesses for as many things as I can. The businesses on the internet have jumped the shark.
I'm of the same mind as the author. I can't think of a single online service that would be worth the risk of exposing myself to age or identity verification.
How true this is probably varies a whole lot from person to person.
Very few of the things you list are things that I do primarily online (even during the pandemic), and none of those are things that I can only do online.
I'm suprised that ZKP almost never gets mentioned when it comes to age verification. It seems like it is a solution that does protect PII. There is a learning curve for the general public, but having watched the hoops a mother recently had to jump through so her kids could play Mario Kart on Nintendo Switch, I think it is not that difficult.
There are some services where it makes sense. E.g., submitting taxes with the government, logging into the banking website. Apart from that kind of service, yes I don't think I would want my identity or age verified on more or less any website.
I mean, if you live in a country where the state will delegate ID verification to a creepy company instead of having that as an in house capability you have more pressing structural issues to deal with.
Ha! You are concerned about the privacy aspects of IDs but you want me to list what authentication services I use for you? That's too funny to help out with :p
The only way I can think of to do this completely anonymously (at least for the government and social media) is for you to buy a card in cash that has a little code on it. You'd need your ID to buy it, and you'd put your code into your operating system and things that demand age verification can ask the OS whether or not you're over 18. Alternatively, you can give the service your code to verify your age, but that would be less convenient and lead to a larger tracking footprint, so it likely wouldn't be used unless necessary
I don't buy for a second that any of this has to do with "age verification".
This is 100% an attempt to increase surveillance of the population. It is not
an isolated step but part of a cohesive unit - YOU are the data. And private
entities want the data. That includes the state; many states are de-facto led
like a corporation (not all states, by the way, but many - most definitely the
USA right now).
I was annoyed the other day when Reddit asked for age verification (via a Palantir-run service, no less) for my 18-year-old Reddit account. Obviously no way I’m doing that.
In any case I doubt there’s a proof of age stronger than looking at the subreddits I subscribe to. A broad selection of middle-age hobbies and tedious interests. Without me proving my age they could probably place it to within a few weeks.
Isn't the eIDAS2 regulation addressing this issue? It applies to EU/EES and from my understanding would help enforcing the data minimization principle related to user identity. I.e. a service (like a social media platform) wouldn't be allowed to force you to show your identity unless they are required by law to know your identity. Instead, the EUDI wallet provides functionality related to identification through (user-managed) pseudonyms. For services that are required by law to verify user age, the wallet provide means to make verifiable claims like "over 18". Am I missing something?
Could be worse. OpenAI is asking for ID verification to use Codex 5.3, through Persona, which was just exposed as doing extremely dodgy surveillance stuff.
The solution is zk verifiable credentials, which would let folks prove their age without revealing their DOB (or anything else on their ID) to third parties.
This is possible today with complete privacy for people with biometric IDs and biometric passports (ie most passports, EU IDs, Aadhaar IDs, and more) using a service like self.xyz
I've said it before, and I'll say it again: The standard should be that devices ask whether the user is a minor during setup, and make that available as an is_minor boolean to all apps and websites. Children's devices are almost always set up by parents, and the setting can be protected by a parental PIN code. This method is effective while being completely private and local.
Though I can't take credit for the idea. It was proposed by the European Democratic Party.[0]
It's only effective if "Children's devices are almost always set up by parents", which is a big assumption. My parents were about as tech savvy as you could reasonably expect but I still got away with buying R-rated video games and such. Kids are persistent and the dangers aren't always obvious.
And you shouldn’t verify. Many companies offering these identity verification services have ties to the intelligence networks of a country that shall not be named (similar to most VPN services that are supposedly there to protect your anonymity).
When thinking about verifying your identity with a service, you have to ask yourself "what will be the impact to me if everything this service knows about me, every click I've made, everything I've watched/read/uploaded is posted publicly on the internet, attached to my full name, address and photo?". Because those are the very real stakes; if you verify with enough services, this will happen to you.
Weigh that against the value of using the service. A lot of times that will still probably come out in favor of using the service. Sometimes, especially given the kind of services that want age verification, the potential cost is such that you would be insane to verify.
Related: this[1] current article/thread about privacy-preserving age verification.
The author here seems to be commenting specifically on the type of anonymity-breaking age assurance widely being utilized along with the vaguely justified social media bans. Given the right technology to prove an age threshold but while preserving anonymity I'd be curious how their thoughts would change.
For example, we've never seen people critiquing the naive kind of 'Are you over 18?' prompts seen on ye olde Reddit or adult sites, precisely because those weren't breaking anonymity or leaking any trackable identifiers.
yeah, but wait till you have to id yourself to use online governments service, or do a one hour drive to meet in person with officials. and then if you have to do this four times. i gave up and submited my face to save 8+ hours and inevitably most of people will do the same...
I have a date I use that's incorrect, but consistent so I can remember it if I need to, that I use for age verification for anything that doesn't truly need an accurate birthdate (example, age verification to view games on Steam).
It's roughly the same age as mine, but if someone tried to pass themselves off as me with that birthdate, they wouldn't succeed.
These companies are mostly just verifying I'm an adult anyway, and I am legit that.
But yeah, I don't like just giving the actual date everywhere as it can potentially be used for identity theft.
I sort of get his point, but on the other hand, if the debate is "should social media sites be age restricted / have mandatory age verification?" then the argument "I can't see any reason to, because I personally don't use social media" doesn't seem particularly useful.
Personal harm may vary. If the government is coming for you (ICE) cookies could pinpoint your address, and since ice uses palatine or just buys data from brokers, they’ll use that to show up on your lawn.
I think there should be an option to assume I'm a child and proceed from there. If I want access to any mature content or real identify related stuff, I'll verify, but if your service doesn't have or need that anyways then there's no reason to prove I'm an adult.
This stuff worries me as one needs to be a hard target when they reach their 80 and 90’s. People do not need personal info out there in the public domain.
The problem for me is that the reason this is needed is that kids are permanently online, completely unprepared for the wild west that is the internet and increasingly effectively raised by the internet.
All this is to facilitate that lifestyle without any concerns that far more damage is likely to happen by allowing it to happen than insisting on adequate parenting
the verification service is the honeypot by design. it has to store what it collected to prove it did the check. the incentive to retain is built into the business model, and the breach is just a matter of time.
It is not the job of the government to parent in place of people who are not up to the task. There should be reasonable guardrails, but these laws are Orwellian.
I encountered my first run-in with an age verification prompt when I went to authenticate into the Claude iOS app. It asked me to use me iOS/iCloud account to confirm myage. It was quick and seamless enough, but even though I'm aware of this trend, it struck me as a bit jarring.
I sort of like these restrictions. You're making hard for me to access your site - I close it. You block it behind a paywall - I close it. You block it because of ublock - fine again, I close your site. I have only so much time and you're helping me.
I won't do it for any of them. I've got an endless selection of things competing for my time and attention and I'll be happy to find another one where needed.
I use multiple "real" identities so I don't have my real name associated with certain open source projects that involve sensitive things like cryptography etc. This is a huge concern of mine.
I have multiple “real identities”, diagnosed due to trauma. We each want to have our own spaces of interest and experience online.
As a matter of mental health, we really cannot have these overlapping for many reasons, prime among them is that if one part of me becomes aware of another while they’re doing their thing, a
mental “table join” can happen and disturbing memories can be shared which is incredibly destabilizing to the system.
As a wireframe example my programming alter cannot be exposed to the alter who browses cptsd forums or they remember things that cause them to dip from the headspace and we lose their knowledge.
We can’t try to pretend we don’t exist and pretend to be one person either, we did that for years and we ended up having a breakdown and went into a fugue state and moved across country leaving everything behind.
This law would destroy our productivity and contribution to economy or whatever corporacrats care about.
I will never tell my real age if possible. I especially love free forms for entry, because then I can be born in the 1800s. Surprisingly few services have an issue with that.
So I'm feeding google all this juicy (IMO) confidential information. What happens when I get locked out by google's automatic systems? I already lost my first gmail account from like 2003, when you had to get an invite to sign up. I'm stuck in a verification loop that emails a yahoo email that no longer exists. Impossible to get a real person to look at it.
If I can just verify that I am who I say I am without an email account... That'd be worth it. Of course that just shifts the burden to the identity verification company rather than an email company.
But verifying my age? I see no purpose other than a backdoor for mass identity verification. keeping lists of people and what they're accessing. Buying alcohol online still requires the person accepting the package to be over 21. Buying firearms online still requires being shipped to an FFL.
I already despise how much information my ISP has about what I see, what I access, and when.
Google didn't do anything wrong, they lost their Yahoo and it was the only way they had of verifying their older Gmail. What do you expect, when you don't have access to your recovery method, and it's a free service so it's not like you can prove ownership of a credit card previously used for billing or something? And especially since that was presumably from before the days when Gmail required a phone number, so your recovery e-mail was the only mechanism, and things like 2FA authentication codes didn't exist.
Age verification is about one thing only, it's about controlling how you participate in public society. The state wants a veto on public participation that they don't like. This system will not prevent children from being exposed to unsafe spaces, but it will be effective at barring people with counter political narratives from sharing online. Look how they've desperately tried to crack down on Epstein and information on Gaza. They want the same controls over information and political content as China.
I wish we lived in the timeline where the most reputable and market-leading age verification provider was PornHub, which would have a modestly dressed model check via video chat. I'd actually trust that more than the actual providers that exist in reality, and hey, if even 1% of the money goes to college tuition, great. Of course, if that was how this worked, the optics would kill most of these schemes before they were implemented.
As a parent, I'd like to point out that the threat I care about is not "my kid of age N talks to a sicko of age M, where M - N > P for some legislatively-prescribed value of P".
The threat is "my kid of age N talks to or can be observed by a sicko".
These age verification schemes do nothing to help against that. Also, the worst predators online are often the vendors providing "kid friendly" services.
On top of that, these laws are being pushed hardest by the worst of the most corrupt politicians on earth. Why would I install a webcam on my kid's machine because that group of people wants me to?!?
Maybe we should focus on prosecuting the backlog of stuff in the Epstein files pertaining to politicians pushing these age verification services, not let anyone (except parents) control how kids access stuff online.
The only people who can be trusted with any form of identity (including age) vertification is the government. You know, the same people who issued the identity documents and know who you are.
It's not some SV-backed startup. It's not Google, Apple, Microsoft, Amazon or Meta. It's the government.
The way that it would make sense for age verification is if there was some federal system that verifies your identity and then it would use a public key crypto system to allow a third party to check whether or not this person is over the age or not.... common systems I see being used right now that could be integrated for this purpose would be login.gov or id.me... they could allow a token-based authentication system for verification of age without having to divulge any other information about the person. these systems are already being used by the IRS, VA, SSA and other Federal systems.
We’ve had age verification for decades. It just depends on specifically what is being verified. Congress passed Children’s Online Privacy Protection Act back in 1998, that basically made it extremely tedious for websites to serve children under 13 years of age. How did everyone manage this in the early 2000s? Every child simply lied to the website with an incorrect birthdate. Now that was before real name policy was instituted by social networks and it was also common for people to provide a false name to websites. This approach of “asking the user for a birthdate and accepting it as true” is the only age verification method that’s sane.
See, I think, you're not supposed to continue using those services as before. They want them all gone, and so-called age verification is a means to chase away users that are less dedicated.
What I think must result is, a monotonic cultural erosion and deprecation of such platforms and regions implementing those restrictions, and continuous replacement with engineered and packaged foreign imports from venues and regions from psychological "upstream" where there aren't such restrictions. But I guess that's what they explicitly desire.
Age verification is quite bogus. Parents can stand over their children's shoulder and force them to do or not do one thing or the other (and maybe not even them); but some website dictating which content young people can watch or not watch - not acceptable. And if you want to make a "protect the delicate mind of children" argument - let's first see some censoring of all of the ads, sponsored content, and state and corporate propaganda as unfit for viewing by underaged people; which is, of course, never going to happen.
Tbh it is unfit for my in laws as well. And one is a gambling addict. The real regulation won't get done but policing people and becoming authoritarian, sure
I simply do refuse such systems, so far using decentralized or distributed socials like Nostr, Lemmy (self-hosted) and VPNs as glorified proxies and that's just because there aren't enough co-Citizens to impose a significant change with a national general strike enduring as much as needed to makes the government RUN, literally, to avoid lifetime jail...
People don't like these checks. Ok. But. Parents worry about their kids being exposed to porn and social media. They want someone to do something about it. That political force is real, and someone is going to take advantage of it. What tools can they ask for if not these checks everyone agrees they hate? That's what I hope for in these types of comment threads.
It's called parenting. Don't do ipad parenting then. We didn't get a SEGA console and cable TV was restricted to only 2 hours. It was fine. It was fun. The only thing I wish for from my child is more time with friends not more screen time.
These are the times, even renewing a nmfta scac code in the US may require government ID, social security number, and biometric profile check. Save yourself $5 and use a smart-phone, as a webcam will not work... There are no refunds after 3 failures to scan ID.
In general, a social security number is extremely sensitive, and should never be shared outside your home country tax system.
Verification is indeed a perverse invasion of privacy, and a liability to those with financial holdings. I guess the credit-lock service is now a must to deal with the circus that is modern logistics. =3
I initially thought, well, we can implement it with zero knowledge claims, just a yes/no from a government app: am I allowed to use this app? I.e. is my age above let’s say 16 or 18?
But then I remembered the game 20 questions, and how few yes/no questions you need to guess pretty much any concept.
I am no longer willing to share anything, not even a yes/no question.
Age and identity verification can and should be done at the country level.
France has an ID service to pay taxes, and they have a network of possible ID verification systems. Like, you can ID through the tax system, or through the healthcare system. It works fine.
Implementing an API that uses the same to provide age verification is not rocket science.
If you need age verification for a website, say "smedia.fr", then you go there, then it makes you get an age verification token to "franceid.gov.fr", that guy gives you back a token, you send the token to smedia.fr which checks the token with franceid.gov.fr
I don't like the idea that media services are required to report back to the government that I'm accessing them - I think that is an issue many would have with such a system
I think you got me wrong. I was saying in France everyone has a photo id for government stuff. You pay taxes to the government so yeah you need some form of ID just for the government to know who’s paying the taxes. in the US you use social security number. it’s the same, but on a card and with a photo.
In the US you do not need an SSN to pay taxes. It makes it easier, and you can't claim a child without an SSN for the purposes of deductions, but you do not need an SSN.
The most relevant question to answer for your jurisdiction is "What is the penalty for lying?"
If none, you were born on March 5, 1957.
(Note on evaluating this: there are some circumstances where the penalty changes later. I know one person who's Global Access paperwork was delayed because they lied to their airline's frequent flyer program about their age. But that was the whole consequence: a need to update their data with the airline).
Whenever Steam's web site asked me for my date of birth before allowing me to view a game trailer, I would punch in January 1, over 10 years after my actual date of birth (still well within grown-ass man territory because I'm geriatric in gamer years). Because they don't fucking need to know exactly when I was born. Only that I'm old enough.
Honestly seems like the moral panic of the day. I was just reading about some “red vs blue” school meme in London which led to a lot of hand wringing and parents keeping their kids at home. The kicker? There was no actually school battles, it was a viral meme (mostly consumed by adults) and the kids just thought it was a joke.
Pretty much sums up all modern discourse in banning social media and doing age checks. When I was growing up it was satanic symbols in the music I listened to.
I guess - wtf is wrong with adults? Why do they feel compelled to control the younger generation?
Your ipad babies are not my problem. It's called parenting. Don't do ipad parenting then. We didn't get a SEGA console and cable TV was restricted to only 2 hours. It was fine. It was fun. The only thing I wish for from my child is more time with friends not more screen time.
Enforcing laws against porn companies distributing porn to minors seems reasonable. It's already illegal many places, such as the US. It is then their responsibility to gate by age. It has always worked this way for liquor stores or basically anything else age-gated, including some online services like poker. If you dont want to provide age verification you don't have to.
There is a difference between a liquor store checking your ID, and a liquor store scanning your ID, appending it to a record of your purchase, and uploading it to a service to be processed by third parties (such as insurance companies, perhaps).
(In the US, the latter occurs more often than you may expect.)
It’s possible to build mechanisms for this. Not perfect or foolproof ones. Maybe your phone stores a digital ID for its owner and sets a cryptographically signed “IsAdult” header. If you pull the signing key from the phone you can spoof that, but you can bring a fake ID to the bar too.
The problem is that the people who want age verification don’t really care about the technical details of how it’s implemented and the people who oppose age verification just want unfettered online pornography out of principle, so no one is actually thinking about how to implement age verification in a way that protects privacy.
When I buy liquor (well, I don't drink anymore, so THC seltzers), the liquor company isn't saving my ID to my profile and then following me around everywhere I go for the rest of my life shouting "This is MALFIST, he's 42! He buys alcohol! He also visited X Y and Z last week and had interests in A, B and C. He's annual income is six figures and buys expensive bourbon."
Not yet anyway. But there's nothing much stopping Google to offer a "verification" service to "help combat fake IDs" using a web connected camera at the till.
The incentives aren't aligned yet. Not enough people browse the internet with ID verification yet. So knowing Malfist bought liquor isn't enough, you have to know which browser is Malfist.
Likewise, incentives aren't there for liquor stores. They make money by allowing fake ids to work.
You can absolutely buy for instance tobacco, cannabis by the pound ("CBD" but actually ~20+% THC[a]), explosives(tannerite), alcohol (wine), and guns (black powder, or perfectly functional cartridge pre-1898) completely legally online without ID check. It's really not a problem, which is why most people probably haven't heard of it being one or even realize all can legally be bought online without ID.
I'm the sort of person that either rejects the cookies, or will use another site entirely to avoid some weird dark-pattern cookie trickery. I don't like the idea of any particular service getting more information than they should.
Siting there I realized, we were not the real target. It is the young people that are growing up conditioned to press accept, enter any details asked of them, and to not value their personal data. Sadly, the damage is already done.
I click “accept the cookies” almost every time. I just personally don’t feel it’s worth the effort and cost to try to avoid it.
What “dark pattern cookie trick” are you worried about? I just can’t come up with a scenario where it will actually harm me in any way. All the examples I have heard are either completely implausible, don’t actually seem that bad to me, or are things that are trivially easy to do even without any cookies.
Now, I am not going around giving my real email out to random sites, though, although even that doesn’t strike me as particularly dangerous. I already get infinite spam, and I am sure there are millions of other ways to get my email address… it is supposed to be something you give out, after all.
I just don’t think it is something that is worth stressing out about and fighting against. Maybe I am actually naive, but I just have not yet been convinced I should actually care.
To your point about the actual harm, I've come to see it as a kind of ecological problem. Wasting energy and sending more trash to a landfill doesn't harm me individually, at least not immediately. But it does harm in aggregate, and it is probably directly related to other general harms, like overall health outcomes, efficiency, energy costs, etc.
No, accepting cookies by itself may not do much to me, but the broader surveillance and attention economy that relies on such apathy certainly has.
I, as an individual, am not going to have any effect on a business if I opt out or not. No business decision is going to be made because I opt out.
You might argue that it will matter if enough of us do it. Sure, that is true... but again, it won't matter if I do it or not. If N number of people opting out is enough to ruin the business model, then N-1 is surely enough as well. There is a 0% chance that I am the one who finally causes the system to collapse.
I do use an ad blocker, and never click on ads. I feel like that action has a bigger return on investment than no clicking the cookie banner.
If having more information about me allows the website to charge more to show me an ad, and I never click any ads, then I am hopefully helping decrease the return advertisers get by using personal information.
It may be you don't believe in democracy at all, and that's fair, but consumer action is the only way you can affect business decisions, by joining the decision-cohort you agree with more. Joining the opposite cohort because it's less work represents that you're okay with things continuing in that direction.
That said, I agree with the work it takes to navigate cookie banners being excessive (hence dark pattern), which is why my default browser config = ublock + consent-o-matic [1]
[1]: https://consentomatic.au.dk/
> It may be you don't believe in democracy at all, and that's fair, but consumer action is the only way you can affect business decisions, by joining the decision-cohort you agree with more. Joining the opposite cohort because it's less work represents that you're okay with things continuing in that direction.
I actually believe even less in 'voting with your wallet' than in actual voting, for all the same reasons except the cost of 'voting' in this case is even higher (choosing an individually suboptimal option with my wallet hurts me directly even more than the cost of voting in an election does... e.g. choosing to pay more to avoid major corporations costs me every time I shop) I personally think the only way to avoid companies destroying the common good for profit is to price in the destruction to make it explicit (e.g. carbon taxes, pollution taxes, etc).
[1]: https://en.wikipedia.org/wiki/Paradox_of_voting
If I ever decide that it is no longer worth voting then I will probably leave the country under the expectation that other people like me giving up on voting are doing it for roughly the same reasons.
That may be true, particularly in the short term, but you might be hurting everyone else including yourself in the long term. Opening your wallet sends a signal to the receiving business to keep doing what they're doing, even if we all know it's bad.
There's also a cultural aspect to consider. It's normalized to not think of anything other than cost. That's why we have CAFOs, toxic plastic children's toys, landfills full of junk, etc... Pricing in the destruction might help, but at some point our culture needs to change. Outside of the occasional voting, we're all pretty powerless to enact top-down change like taxes and regulations, but we can all build culture.
That is exactly my point, though. The signal from my personal transactions isn't going to be enough to change anything. It will be drowned out by everyone else.
Of course, you are right that if enough people closed their wallet, then the business would have to change. However, that is STILL true even if I keep my wallet open. If N people stopping their shopping at a store would cause it to close/change its practices, then surely N-1 people stopping their shopping would also cause it to change. I could still keep shopping their, get the benefits while they last, and then switch once it finally goes out of business.
Of course, you might reasonably say, "Well, if everyone thought like you, then the change would never happen!" True, but my decision does not change anyone else's decision. The other people won't even know my choice, it isn't going to make other people boycott.
You could argue that people will listen to what I say, and I could influence them. That is true, but that is again independent of whether I actually 'vote with my wallet' or not. The influence I have on other people is the same whether I tell them not to shop there and I also don't shop there, or if I tell them not to shop there but secretly shop there myself.
Obviously there is some other morality at play here, but it isn't as simple as invoking the direct signal I am sending by choosing to shop somewhere or not.
And I think this is great. Often our convictions aren't, and those are what make us interesting! I also think it's interesting how/why we rationalize our irrational behaviors! For example, I generally feel the same way as you about voting, but I don't like living as (in my mind, at least) a defeatist. Also, I feel that if I didn't vote then I have no right to complain or have an opinion about the things I didn't vote on. So I go vote for those reasons.
But it isn't because my individual vote actually matters.
About voting with your wallet, I agree that it'd be best if companies actually had to pay for those externalities you mentioned. If you have spare money to spend, you can view not choosing the cheapest option as supporting or donating. That's what I sometimes do when e.g. buying locally instead of ordering from somewhere far for cheaper. I can get local faster and it's more convenient, so there's lazyness, but thinking about it as supporting helps me rationalize it further (and it is true). I don't think it really hurts me more than buying something else that I don't strictly need. I see indirect value in trying to uphold things I like.
Cooperation to the detriment of the individual in the animal world is exactly the same phenomenon in a much simpler system. That is widely and repeatedly evolved so we know for a fact that the game theory works out in a vacuum (ie without human cultural factors).
Any high trust cultural behavior is similar.
I do not think this should be analysed from the perspective of an individual but from the perspective of being part of a collective.
Individually we are pathetic naked monkeys, collectively we are mighty
I mean, insomuch as any action I take is a consumer action, because I am a consumer, this is true. That's why Luigi'ing is a consumer action.
But 'vote with your wallet' is an illusion; you have no way of informing an entity why you are rejecting their service if you simply don't patronize them. On a ballot you're actively choosing another over them. As a consumer, you're otherwise 'invisible' to them.
Walking past Target out of rejection of their politics, for example, is no different to them than the person next to you walking by because they don't need anything from them at that moment (and realistically, they would probably prefer to just switch you for said politically/privacy-un-conscious person). It's still good to stick to your morals, but that alone isn't actually 'consumer action' in the way you mean it.
It requires a coordinated, public messaging campaign that a group is boycotting actively to have any impact on a business. Your individual action of not clicking on Accept Cookies does nothing to influence businesses.
We spent money on goods/services we choose, and receiving money is a very strong signal to a business. Not spending money is an extremely weak signal.
Opposites.
If you aren't worried about the US government having this, it's a sign of significant privilege and safety a lot of others don't have.
It's not possible to be a ghost, but it is possible to reduce your surface area in these systems, which is what I focus on. Denying tracking cookies is a single tool in this quite large toolbox.
Its highly unlikely your vote will swing an election.
If you want easy things to do use cookie blocking extensions.
These are all related to the collective action problem (https://en.wikipedia.org/wiki/Collective_action_problem). This is why we have regulations and rules and laws about things like pollution, because we CAN'T rely on everyone wanting to live in a clean world to make everyone not pollute.
Which is why those things need laws to create any meaningful change.
Right, but this is not solely about cookies or blocking ads. You also leave behind data which helps create a profile. AI is mass-creating profiles of everyone. Not everyone will have the same pattern, but information space is finite and they get more and more data about you over time. You may think this is not relevant for your use cases, but can you make this as prediction in the future?
I'm not a revolutionary taking up arms I'm a voter and a citizen in disagreement. Unless I am seen and counted, then being any of those things is worthless as well.
There is no value in hiding from the system while the system goes to hell and attacks everyone else.
My own personal bend is that I do not want to be sold anything and I want anonymity where possible. We’re constantly being advertised to. Anything small action that I can take to deter that, or make the ads less personalized/interesting/distracting to me, is worth it. Even if I also will never knowingly click an ad.
It’s probably largely a control thing psychologically. With cookie banners specifically, I also don’t want to concede to dark patterns which make accepting easier than rejecting.
You can always choose this no matter what ads they show you. In some ways, choosing to not be sold AFTER being shown ads might be more effective at shutting down that behavior than simply avoiding the ads entirely; forcing the company to pay to show you the ad that you ignore is costlier to them than simply not being able to show you the ad at all.
Saying you don't see an individual motive here to do anything just says that you don't see how interconnected everyone is in modern society.
- CBP has admitted to buying location/advertising data from brokers to use in helping locate people to arrest
- Phishing and identity theft can be made easier due to cookies... security researchers have even demonstrated 2FA bypass techniques based on it
- Price discrimination - Consumer Reports found that flight prices can fluctuate based on your cookies. Sometimes they would even raise the price if you kept searching for routes, as an indication that you were in a hurry, thus likely willing to pay extra.
- Healthcare discrimination - Companies have been found to raise healthcare prices or deny coverage due to cookie data aggregated via brokers where external sites tracked a person's health conditions based on what pages they visited (examples: fertility, cancer and mental health support groups)
- AI models or automated systems using cookie data to predict housing stability, creditworthiness, and employment risk without ever seeing your resume or credit report directly
- ProPublica found that Facebook was allowing advertisers to target their housing ads based on specific age/race groups stored in cookies
- Some recruiting firms have used cookies to infer personality traits and political leanings. Your employment application could be rejected or deprioritized based on that
- Based on the previous examples, I think it is not a far-fetched idea that websites and services could deny you access altogether based on data revealed by a combination of things like your browser fingerprint + brokered cookie data, such as political affiliation, estimated income, race/gender, health situation, etc. Imagine for example, not being able to order pizza because you badmouthed their favorite president online.
It's also harder to change your mind later and go delete a bunch of specific cookies to opt out when you could have just said no from the beginning.
Would be nice if there was some other solution, like maybe encrypting the browser profile and then requiring a pin/password/biometric/something to unlock it on each start.
Many sites I use force email or SMS-based 2FA, sometimes in addition to "security questions" and/or have other multiple steps of authorization (like captchas) required; it's often not just a simple username/password for me.
Now multiply that by 25 different sites. Not happening.
Only Tor Browser can reliably fight with it.
https://abrahamjuliot.github.io/creepjs/
And yes it often results in endless captcha loops.
Then don't. No need to be sad about it.
> I, as an individual, am not going to have any effect on a business if I opt out or not. No business decision is going to be made because I opt out.
I do it more from a point of view of principal. I don't want following around the Internet by all and sundry who care to, any more than I want to be followed down a dar alley, for followed into Tesco by someone yelling “hey, Dave, I saw you went to the pub last night, my shop has some cheap spirits” or “hey, Dave, I saw you but a network switch the other week, do you want another one?”.
I also resist anything wrapped in many layers of dark patterns, and that describes almost all current ad tech.
> You might argue that it will matter if enough of us do it. Sure, that is true... but again, it won't matter if I do it or not. If N number of people opting out is enough to ruin the business model, then N-1 is surely enough as well. There is a 0% chance that I am the one who finally causes the system to collapse.
If your stats knowledge and reasoning accept that, then I've got an infinite compression scheme for you. It can compress anything including compressed anythings!
You are jumping between two factors of large numbers haphazardly from sentence fragment to sentence fragment, and the logic isn't following you. At some point N-1 might make a difference, and you could be that -1.
> I do use an ad blocker, and never click on ads.
To use your argument on tracking: but many people don't, so why do you bother? What makes you think you could be the +1/-1 here but not there? And by blocking ads you are blocking a fair portion of the tracking, in fact that is why I block ads much more than the ads themselves. I don't run sponsorblock for the other side of the same reason: that doesn't affect tracking at all.
> If having more information about me allows the website to charge more to show me an ad, and I never click any ads, then I am hopefully helping decrease the return advertisers get by using personal information.
And when the database eventually leaks, many others will have the extra information about you.
And again: by blocking the ads using most ad blockers (obs not all work the same ways) you are blocking at least some tracking.
--------
But again, if you don't want to block tracking, don't. No need to be sad that we've not convinced you with our arguments as to why we try to block it. I know other devs who take your attitude (that is simply isn't worth their effort), and many others who take mine or similar (when it isn't worth the effort, the information or product behind the mountain of “legitimate interest” checkboxes isn't worth the effort either so I'll just move on). Our threat and principal models can be different from ours without either of us being bothered by the other's choices here.
Why should I give up my data to any private entity?
If their business model depends on ads, then I say it should die.
In theory, the government doesn't need the ad exchanges which have very lossy information. They have access to the ISPs and cell service providers, etc, with a warrant. Dictatorships like China and Russia don't need ad network data to be police states, they just use the core phone, internet and computer data.
But in this case, the US gov are using the insecure private data as a run-around to the warrant process. This is definitely unfortunate, and I think laws should be amended to prevent this workaround.
On the contrary, the ads become worse, since they become better at trying to get me to buy some crap I don't need.
The more irrelevant to my profile they are, the better.
> It basically just powers product discovery in a giant global marketplace.
That is also incomplete. See how profiling led to ICE finding people - and ICE has a proven track record of executing US citizens. That is also a fact. It does not mean profiling led to the death of the people here, 1:1, but it meant that it is a contributing factor to the build-up of government troops killing people (which is very similar of Europe 1930s by the way).
https://www.transportforireland.ie/getting-around/by-taxi/dr...
---
Additionally, in plenty of European Countries, it's pretty common to write your name on your address: https://c8.alamy.com/comp/B01RP4/personal-name-plates-at-blo...
Writing it down would give more information to everyone else at all times.
What about video games? They only have utility in pleasure and the sedentary lifestyle associated with over-playing them is extremely harmful.
Sounds to me like you have some random things you decided you don't like and want to ban ads for them, not that you've done any thinking about utility (other than as a bad attempt at rationalizing your anti-some things campaign).
I thought this was just ignorance.
Then I checked the profile. They ”have lots of experience with digital advertising “
“It is difficult to get a man to understand something, when his salary depends on his not understanding it”
I am fanatically following my rule "one email per website". Obviously, they all route to the same inbox. Initial motivation was to see who leaks my address and simply block it. However, the separation helped me out tremendously more than I ever expected (at the very least I believe so).
I'm originally from a country with a highly oppressive regime. Years ago I signed up for financial support to a political opposition leader. Things weren't as bad and it felt safe enough at the time. They had my email, of course.
Eventually opposition systems were compromised, and the full donor list became public. The regime's response: they cross-referenced it against emails registered on government services. For quite a few whose addresses matched, police officers paid a visit — looking for grounds to fine them, pressure them, etc.
My alias for that site existed nowhere else. No match, no visit. Definitely an experience I was more than happy to avoid.
the effort and cost to download an ad-blocker that automatically removes the prompt to accept/deny entirely is practically zero and the amount of clicks you'd save yourself would quickly exceed the clicks it took to install the blocker.
> I just don’t think it is something that is worth stressing out about and fighting against. Maybe I am actually naive
It seems like you are, but that's just how our brains work. We're very bad at judging long term and abstract risks, especially when the consequences and their connection to the cause are intentionally kept unclear. For example, when people's cars started collecting data on their driving habits and selling that data to insurance companies a lot of people saw their insurance rates go up, but none of the insurance companies said that it was because of the data collected from their cars. I'd be willing to bet the data being collected by tracking your browsing history has already been screwing you over in various aspects of your life, online and offline, but you won't be told when it happens or why.
Ok, can you give me a plausible example of what that harm could be? This seems in line with the exact thing I said in my comment; every time I ask how it could harm me, I am given vague statements about tracking and data. Charging me more if they think I can afford it is surely a thing to worry about, but there are so many ways to do that without tracking that I already need to take actions to defend against that (comparison shopping, price history tools, etc).
I am not saying I don’t think companies can take data they have access to and use it to extract more value from me… I am saying I don’t thing opting out of cookies is going to do much to change that, for better or worse.
There are countless ways the data collected about you can be used against you. Companies are using this data for everything from setting prices, to deciding which policies they'll apply to you, what services they'll offer or deny you, even shit as trivial as deciding how long they should leave you on hold when you call them on the phone. It's been used to deny people housing, or employment. It's even resulted in innocent people being arrested and investigated by law enforcement. This guy (https://www.nbcnews.com/news/us-news/google-tracked-his-bike...) wasn't worried about Google tracking everywhere he went until he had to get his parents to clean out their savings to pay for a lawyer in order to prove his innocence.
AI is only going to make it easier for companies to leverage the massive amounts of data they've collected against us. Companies have been trying to get consumers to accept discriminatory pricing practices this data enables for a very long time (https://link.springer.com/article/10.1057/s41272-019-00224-3) and it looks like they're starting to wear us down. Digital price tags are becoming increasingly common. So are demands that consumers scan QR codes to get prices. Prices don't have to be set so high that they become unaffordable to you, they can just slowly eat away at more and more of your earnings.
The system is set up so that you will never know when or how the data being collected about you is used against you, but every company is looking to leverage that data to their advantage every chance they get. I get that it's easy to feel defeated and think "My ISP already sells my browsing history, Google chrome already collects all by browsing history, so who cares if I let 30 other random companies collect it too by accepting their tracking cookies on every website I visit?" but those companies collecting your data care very much and it's not because they have your best interests in mind. They aren't going through all the trouble to track you across every website you visit because it doesn't matter. Taking a few basic steps to help protect yourself is just the smart thing to do, especially when it's something as simple as using an ad blocker or an add-on to auto-reject the countless "Can we track you" requests.
Maybe not, but does that matter when they use an advertising profile to make your life hell before determining you're not in the problem group? Will they even bother to check? They already have been hassling and detaining citizens on similar sloppy suspicions around immigration.
Even if you're a perfect aryan and think you're safe from the current regime... will the next one have the same notion of perfect?
For less-often used, e.g., non-English language sites, these often leave a site in an unusable state, e.g., non-scrollable. I often have to go into the developer tools to fix a site manually, sometimes hunting for the element to fix if it's not body or html.
It's only zero if you don't need to interact with sites that break when you're running an adblocker. I run an ad-blocker nearly continuously, but there are all sorts of sites where I have to disable it in order to use the actual functionality of the site (and these are frequently sites I _have_ to interact with).
Conspiracy theories are gossip for men.
The data collected about us online is extensively used against us both online and offline. The multi-billion dollar industry around collecting and selling every scrap of data about you and your personal life didn't spring up because nobody was making money from it.
You’re not missing anything about what’s likely to happen to you personally. What you’re missing is the manner in which rights shape your life and your society even when you don’t exercise them, and sometimes even when nobody is currently exercising them, and that significant harm can be built out of a vast number of smaller harms that aren’t individually that bad.
The data trail you are creating is much more personal and invasive than you want to imagine, and in the wrong hands it could be used to devastating effect.
One click usually gives random foreign corpos the right to your data across a multitude of platforms, the right to identify you across data sets, and to permanently link your device identifiers to you, for ”fraud detection” on a site which sells nothing.
Clicking on accept or deny on those notices makes no real difference, since the ”partners” and ”vendors” usually enshrine their core data activities into the ”legitimate interest” category, which has no opt-out.
I still have the same question… how is my life going to be made worse by that happening?
All of your data starts affecting everything your data is used for.
You may get worse rates for a mortgage, or not get one at all. You may be denied insurance or insurance claims. Cherry-picked details of your online activities may be used against you in a court of law, if you ever find yourself in one for any reason (think custody).
These are the very mild examples from a somewhat functional society. In the other end of the spectrum, where societal breakdown is imminent, you have things like getting disappeared, thrown in a concentration camp, executed on your own front yard.
I just don't think blocking cookies meaningfully protects anything that I want to hide. I feel like it is putting gloves on while you walk around naked, it isn't doing anything to protect your privacy.
> You may get worse rates for a mortgage, or not get one at all.
That is an interesting example, because getting a mortgage is going to require me to voluntarily give ALL my personal information to the company giving me the loan, and they will absolutely use all of that to determine if I get a better or worse rate. I am literally giving them my entire financial history, they don't need to try to piece it together using my browsing history.
Also, shouldn't mortgage companies determine rates based on personal information about you? How else should they manage risk? It would be awful for our society if banks were forced to give loans out at flat rates for everyone. There would be zero incentive to pay back loans, because they can't use you not paying it back to decide not to give you more money in the future. If banks had to give everyone the same rate, they would stop lending money entirely. There would be no way to avoid losing it all, why would you do that? No, we WANT loans to be based on personal information, because that is what allows us to have control over our own financial reputation.
> Cherry-picked details of your online activities may be used against you in a court of law, if you ever find yourself in one for any reason (think custody).
This one seems very nebulous, and a very unlikely and low risk. Courts can do discovery; they can obtain much more personal information than cookie based online tracking data. I can't see how this would be worth considering.
> These are the very mild examples from a somewhat functional society. In the other end of the spectrum, where societal breakdown is imminent, you have things like getting disappeared, thrown in a concentration camp, executed on your own front yard.
If this happens, browsing history is going to be the least of our worries. They might throw you into a camp because you DON'T have any browsing history and that is suspicious. If there is no rule of law, you can't expect plausible deniability to help with anything. If we get to that point, they are going to have a lot more than ad tracking data to work with. The added risk seems negligible.
Ignore at your own peril, and enjoy risk with no benefit.
Also, gig workers get paid less when in a poor financial position. Harassed, detained when crossing borders.
These are the start, not the end.
They'll get it one way or another
With IP tracking, you don't really need cookies much anymore
https://gdpr.eu/eu-gdpr-personal-data/
there's a reason I don't walk around naked either. it wouldn't hurt me, but I don't need that kind of exposure for no upside
You're going to be presented with ads and preyed on by marketing no matter what. The "made up story about who you are" is just even more imaginary the less they know about you. You'll simply be presented with less-targeted ads.
The only times I've stopped, or tried to deny it is with the recent thing I've seen from some sites that say "accept cookies or pay money". I think that is scummy, and against what these regulations require, so I'll usually just close the site in that case.
Oh and to address the point from the main article, I think I'm unfortunately beholden to more companies, but would strongly prefer to not verify my identity, because I have little to no trust in the companies to safeguard my actual personal data. (rather than inferred cookie tracking data, which they can have imo).
There was a time where the Internet was the wild west and you could've easily been personally targeted and exploited. Businesses sold your data to whoever.
Even today, if you decide to accept all cookies, you're safer than what you used to be.
Rejecting the non-essential cookies puts you in the safest spot from bad actors.
> There was a time where the Internet was the wild west and you could've easily been personally targeted and exploited. Businesses sold your data to whoever.
Yes, I remember when the internet was a much more dangerous place, in all sorts of ways. Browsers were not as secure, network security was not very robust. Most things were plain text. Hell, my friends and I used to run ettercap in our college dorm, because the entire dorm LAN was unprotected from ARP spoofing. Everything was sent in plain text, we would capture email passwords, AIM passwords, etc. We would play pranks on each other where we would spoof AIM messages to different people pretending we were someone else on the dorm floor.
I think some of the regulations have helped the internet be safer, but the tech is really what has changed.
I just always the most left button, as this is usually "cancel" or "deny" - not alwys right,though :-D LOL
It's disheartening that so many people still do this (and not accepting has rarely ever required enormous efforts, to begin with).
Its not always clear what the desired outcome is here. The dark pattern could have nothing to do with the tracking most folks worry about. We like our phones more than our laptops because we touch the screens for example. The dark pattern here could simply be you use the site more because you do more actions there driving you to waste time and view ads. Who knows.
You are. Tracking is extremely dangerous to the society.
Before Shiftkey offers a nurse a shift, it purchases that worker's credit history from a data-broker. Specifically, it pays to find out how much credit-card debt the nurse is carrying, and whether it is overdue.
The more desperate the nurse's financial straits are, the lower the wage on offer. Because the more desperate you are, the less it'll take to get get you to come and do the gruntwork of caring for the sick, the elderly, and the dying
https://pluralistic.net/2025/02/26/ursula-franklin/
Moral of the story is: If you want me to see your content, and maybe spend money, don't cover up your content.
Especially if you're not EU-based and not subject to GDPR, stop listening to the laws of some foreign country that doesn't control you.
It's really alarming, actually. I run the cyber security training & phishing simulations at my work, and it's the younger employees that struggle the most. It's like they just assume that everything on the web is trustworthy.
It's not hard to see why though. They grew up with app stores & locked down devices. No concept of a file or file system, no concept of software outside of the curated store & webapps. People that never had to take responsibility for their own digital safety because "someone else" (Google, Apple) always did it for them.
> It's not hard to see why though. They grew up with app stores & locked down devices.
When we create a safer world, people’s defense mechanisms naturally atrophy or are never developed in the first place.
We might be safer in terms of vulnerabilities, root exploits, RCEs, etc. but the internet is still full of malware, scams are still just as rampant. Vigilance is still very much required, but is no longer taught.
Look at all the malware available on the Play Store. The curation does nothing but create an illusion of safety.
Hell, cellphones these days ship with spyware pre-installed. Samsung being the one of the worst for filling their phones with their own apps which spy on you constantly.
This accounted for most of the risks on the wild west internet, but the worst case scenario of permanently losing data or having to reinstall Windows was actually rarer than it was made out to be imho.
These days the common risks are the same, except they're no longer risks - all of those have been built into the fabric of everyday internet usage and criminals have been replaced by businesses. It's like the cliche about Vegas being better when it was run by the mob.
That stuff is still there if you look for it, but it's not on your social media feeds or in any of the apps provided through app stores.
When I got filtering on observe-only mode I saw users were getting up to a dozen phishing emails every day.
We quickly did a hard simulated phishing test and most users opened the email but zero users clicked through.
Two years later, after we had excellent email filtering in place, our simulated phishing test had a 30% fail rate.
Take from that what you will!
In terms of cybersecurity, I see it as "security first" culture means people rely on the system to keep them safe. "Safety third" (or security third) emphasizes that everyone should already know they are operating in a risky and dangerous environment and take security as a personal responsibility.
It's just a reminder that no one cares about your life more than you do, so stay vigilant and take personal responsibility.
edit just realized I didn't actually answer your question on the first and second priorities.
I suppose First would be the reason the system exists in the first place (buy something online, for example). Second would be the user experience of doing the thing. Security should help you take calculated risks rather than prevent you from taking any risks at all.
It was also drilled into me that the default state of anything on the internet is to be untrusted and potentially harmful.
It also helped that you could actually tinker with things, and there were plenty of foot guns around to drill that lesson home.
Somewhere along the way that message got lost and didn't get communicated to the young ones, and I'm not even that old (38).
I think almost every Android user has thise concepts.
But on the trustworthy web assumption, I agree. The only effective remedy is a personal calamity.
(fwiw it's been a while since iOS also have those concepts)
No other prior generation comes close.
Compare them to people growing up in the 1980s. The average person at that time was overwhelmingly oblivious to computing very broadly, their grasp of a "file" as a concept would have been close to non-existent. That was just 40 years ago.
In the mid 1980s a mere 10% of US households had home computers. And that was a high mark globally, it was drastically lower in nearly every other country (closer to zero in eg China, India at that time). The number of people routinely using office PCs was still extremely low.
Today young people have a computer in their hand for hours each day, and they knowingly manage files throughout the day.
My kids will know way less about filesystems than I do, because I had to learn DOS commands to navigate around the operating system if I wanted to play computer games, which led to a lifelong interest in how computers actually work at a level they can (and, so far, do) happily ignore.
As a non-Apple user, this is not something that happened to me. I literally have a "Files" app on my Android phone and my laptop/desktop.
In my files app i see "downloads" "images", "videos", "apps", "starred", "safe folder". In "images" i see pictures tagged "downloads", "camera", "DCIM", "screenshots" and one odd "2024-12-03_description_here" that I clearly names myself but don't remember doing that.
I have no clue how that maps to a physical phone filesystem, even though I know it's there. I'm sure teenagers don't know that too.
Yes there has been a Files app on iOS devices for well over a decade
Yes, which gets autosynced to my immich instance
I get that it's supposedly about security, but this is not the only secure way. It is however the most convenient secure way for Apple, as now the only simple method of backing up and syncing files through all those isolated containers is iCloud.
While it is possible to interact with the local file system on a school Chromebook, it’s certainly not the default. School interactions with Chromebooks seem to consist of logging with highly secure passwords like “strawberry” and using Google Docs. And playing games with heavy PvP components and paid DLC (paid by parents whose kids beg for it, not by schools) that call themselves “educational” because they interject math problems needed to use those juicy spells, make no effort whatsoever to teach anything, but produce a nicely formatted report correlating scores to numbered elements of the Common Core standards.
And easily get sold add-on services. How many people hit the 5GB iCloud limit for backups and just pay without stopping to think that it might be possible to do local backups to your computer and you don't really have to pay for extra storage?
Just hit them with the scary language "You are at risk of losing your photos forever if you don't pay!" because that concept of "Oh, photos are just files in a directory and I can copy those anywhere I want" doesn't exist. To many, those photos are part of the gallery app, not a separate file from it and since that app only runs on the phone, surely it must not be possible to copy them anywhere unless I pay for the storage.
This argument is like saying you understand nutrition because you eat food every day and haven't died yet.
They know app silos, not file system hierarchy. Ask a teenager where a file is on their phone and the will tell you the name of an app. Ask them how to copy it somewhere else, and they'll use the share sheet and send it to another app.
High adoption doesn't equate to high literacy.
To be fair, at least Android and presumably iOS grant apps by default no access to your files in modern versions.
The only way to get, e. G., an attachment downloaded via Thunderbird to a PC or another app is the share dialogue. A user does not access to the isolated app storage by default on an unrooted Android phone. For better or worse the young user is actually making the right choice here for their platform.
(This is also why making a backup of an Android phone is a nightmare when you aren't using a first party option. ADB is sometimes able to bypass it)
Note taking apps are a prime example of this, using a proprietary localdb for notes, inside of app storage you can't access, forcing you to transact with your own data exclusively through the app (and whatever subscriptions or upcharges that come with it). We've trained out the idea that these could just be local text files in a directory you can access and do with what you want.
I've watched discussions around open file formats fade away into obscurity along with the rise of mobile, and now we have to fight on whether we should be so graciously allowed to install software on the devices we own or not.
Not everyone needs to be a computer science student, but some basic level of curiosity or education around how tech works should be required in school, at the very least a warning message of "Your data isn't safe if it's not under your control."
But have you considered that a meaningful number of users actually want functionality that plain text simply can’t provide?
I understand files and file systems, I’ve worked in IT for decades, mostly in open source. I still choose a non plaintext note solution because it delivers capabilities that plain text cannot, especially across devices.
As long as the data can be exported to open formats, why would I voluntarily limit the value and functionality my tools can provide?
That's exactly the point!
The file system is hidden from modern users. Kids brought up on this now have no idea or concept of where their data resides.
It's just not commonly used for the reason the other person mentioned (share buttons between apps that are file type aware)
No, they do not. First, simply using something does not mean you understand it at all. Secondly, because the devices they've become the most accustomed to work very hard to hide all those details from the user.
I totally disagree!!! Yes, everyone works with computer, phone, tablet, whatever, nowdays!
But does generation z "knows" about what a computer is?
Absolutely not!!!
While tech has advanced and graduated IT personal know more than previous generations (obviously!), all the rest, while they do know how to do their jobs, they know nothing about computers!!! They are pretty much like everyone else that didn't know what a computer was in generations x and previous!!!
However, contrary to previous generations, because they do interact with the tech, they represent a higher security risc for them and for others!
... Because they know nothing about it!!!
It's like giving a box of matches to a neanderthal in the middle of the woods...
Almost everyone in the "Gen x and previous" that interacted with the tech, did know what they were doing (past the initial learning phase)!!!
This does not happen after gen x!
> Yeah, I have a particular rant about this with respect to older generations believing "kids these days know computers." [...] they mistake confidence for competence, and the younger consumers are more confident poking around because they grew up with superior idiot-proofing. The better results are because they dare to fiddle until it works, not because they know what's wrong.
Unfortunately, they don't.
They might have had a computer in their hand for hours each day, but they barely know anything about it. The ones who do tend to be those who grew up playing on PC, as opposed to console or mobile, because the latter - despite falling under the "digital natives" aegis - are really shockingly ignorant of even basic concepts.
To the sibling comments: don't "accept the cookies" and then delete them.
- - -
I'm super angry at what the web has become, especially at the OS browser community. There is 0 browser (that I know of) that can access the web safely and conveniently. Atm I use Firefox with uBlock which blocks the cookie banners, but Firefox's extension model is broken, and every single extension provides 100% access to my websites to whoever controls the extension. I don't like it.
We need a browser with a safe extension model.
- - -
edit: I guess using 2 Firefox profiles, one with uBlock and one with my google/facebook/bank/amazon/etc accounts solves the threat posed by uBlock and extensions. I still don't like it.
What makes it worse is that a substantial portion of users block web trackers through an adblocker. However on phones, unless you have a rooted phone or use some DNS-based blocker, all these analytics get uploaded without restraint.
Atm I use Firefox with uBlock which blocks the cookie banners, but Firefox's extension model is broken, and every single extension provides 100% access to my websites to whoever controls the extension. I don't like it.
Some browsers (e.g. Vanadium, Vivaldi) have a built-in adblocker, so you have to trust one party less.
Why are you using that malware? Is a "nice wallpaper" worth the security risks? Really?
Browsers should provide a filtering option before they makes a request.
IMO a lot of no-brainer options are missing from personal computers. Like the ability to start a program with restricted access to files, network or OS calls (on Windows and on Linux). Browsers should provide the ability to inspect, and filter network access, run custom javascript on websites, etc.
But the tricky part is that "reading files" is done all the time in ways you might not think of as "reading files". For example loading dynamic libraries involves reading files. Making network connections involves reading files (resolv.conf, hosts). Formatting text for a specific locale involves reading files. Working out the timezone involves reading files.
Even just echoing "hello" to the terminal involves reading files:
Bubblewrap allows you to do that on Linux.
But there are couple of things I find subpar:
You can’t import/export a list of website permissions. For a couple of extensions I’d like to say “you have access to every website, except this narrow list” and be able to edit that list and share it between extensions.
On iOS, the only way to explicitly deny website access in an extension’s permissions is to first allow it, then change the configuration to deny. This is bonkers. As per the example above, to allow an extension access to everything except a narrow list of websites is to first allow access to all of them.
Finally, these permissions do not sync between macOS and iOS, which increases the maintenance burden.
¹ Private being the equivalent to incognito.
But the browser also has 100% access to all of the websites. The browser is software that works for you. You control the browser.
Who but yourself do you imagine controls your extensions?
Oh really? Then why do my browsers keep moving things?
https://codeberg.org/konform-browser/source/releases
https://techhub.social/@konform
Shared today on Show HN but seems to be drowning in deluge of LLMs...
https://news.ycombinator.com/item?id=47227369
> every single extension provides 100% access to my websites to whoever controls the extension
That feels a like a bit of overstatement and depends on what addons you use and how you install them... CSPs at least make it possible to restrict such things by policy (assuming user has been exposed to it and parsed it...). https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web... MV3 introduced further restrictions and controls regarding addon capabilities. While I agree the UI and UX around this could be much better, it's not all hopeless. The underlying pieces are mostly there.
While the fundamental addon execution security model in Konform Browser is inherited from upstream, for core addons like uBO you can improve the supply-chain security situation by loading it under "system scope" and disable addon updates in the browser itself. So while we don't (yet) improve on the runtime aspects you speak of, at least for now we can tighten up the supply-chain side to minimize risk of bad code running in the first place.
Literally `apt-get install webext-ublock-origin-firefox`.
"Enterprise policy files" can be used to change Firefox behavior and tweak security model around addon loading. A little explanation and reference of how it works if you want to do the same in other FF build or for other addons: https://codeberg.org/konform-browser/source#bundled-extensio...
Any particular addon you think is missing from the list there and should also be packaged and easily available? Maybe will be able to improve some of the security-UI/UX here too down the line. I'd be keen to hear your take on how this should be done better!
Regarding what addons can and do leak about you to the outside... I think you may also take interest in FF Bug 1405971. We ship a patch for that which can hopefully be upstreamed Soon (tm).
- Read-only access to cross-tab web site content
- Ability to modify web site content
- Ability to access the network
They can always "access the network" in that the extension developer can push static updates for things like ad block lists or security updates.
It might be possible to have "read only" cross-tab access include automation APIs like keyboard + mouse, with user prompting to prevent data exfiltration.
However, I'm just suggesting a modest improvement to browser extension security (that doesn't completely break ad blockers like Chrome's approach).
In practice, I run an ad blocker, and just trust that it won't exfiltrate bank passwords and stuff. Imagine the blast radius for a successful and undetected UBlock Origin supply chain attack!
My "pick one" approach (ad blockers would pick the middle option) would mean that comparable supply chain attacks would also need to include a sandbox zero day in the web browser.
At some point, you have to implicitly trust someone unless you audit every line of code (or write it yourself) and build everything from source that you run.
> At some point, you have to implicitly trust someone
A model so I trust my OS and my browser, and I don't have to trust anyone else, that is, they can't harm me.
Or do you want the browser to enforce permissions on extensions so you can lock them down as well as auditing them?
But there are other uses cases, like cloud2butt.
I'm not the person who wants to redesign the browser extension ecosystem, but I can build Firefox from scratch and review the source code if I want, unlike Safari.
Once again, I'm not the one who said they would like to design a new browser extension framework, but I have created custom versions of Firefox that have all ability to phone home removed and modified extension support. So not verifying every single line of code, but making fairly substantial changes in the direction the parent poster wanted to go in.
I'm interested in a conversation about that, not you pestering me about whatever issue I seem to have triggered within you that resulted in your interjections in this conversation.
I don't even think it would be even a blip on the radar now.
It really is depressing how much ground we've given.
My local library is run by the county government, so of course the government can see the checkouts, they are the ones I check the book out from. But they restrict checkout information from others. For example, a parent can see the checkouts of their own children, but not after they turn 13.
Perhaps you're talking about subpoenas? Checking some other libraries I see SF Public Library has some discussion about that, but they delete books from your checkout history once they are returned. https://sfpl.org/about-us/confidentiality-and-usa-patriot-ac...
Terrifying.
"Use Chrome"
"Crazy"
Or, completely normal behavior. Are you suggesting that people should live in a shed in the woods like the Unabomber?
Definitely in 2026 kids should be getting tons of education in public school about how to safely browse the internet, both for personal data privacy and for safety against stalking, doxxing, grooming etc in the same way millenials were grilled about source checking internet resources like Wikipedia.
Because of this, I found it odd that the regulation allows displaying the accept cookies button. Instead, it should be rejecting cookies by default and a separate flow to accept tracking cookies (e.g. via account settings page)
That is wrong. You definitely ARE the target too - perhaps not the primary one but you are part of the cohesive whole. Why would you think that Facebook sniffs for offline data about which doctors people visit? These are not accidents.
It’s naive to think that cookies are the only tool used for tracking, but they are the most powerful tool for web based tracking.
Sorry mate, the GDPR is there for a bloody good reason; and legit companies obey the law.
But at least we have cookie banners everywhere.
That being said, it was very early regulation in this field, and more recent approaches are already better, e.g., GDPR, DMA.
Accept everything, the end the session.
That said even with throwaway relay emails I don't sign up to much
I just click "Accept all" on every cookie banner, life it too short to figure out which checkboxes and dark patterns I have to avoid on each site to not hand over some data...that is than later on just tracked in the backend ("server to server tracking"). Or sold by my credit card company, or tracked by me hovering over some video on YouTube. With the amount of data available unselecting some check boxes on a website just doesn't make a difference.
There is a similar story with Ford and how they build pavement everywhere and taught the young population that roads are for cars. Now we have to drive for 10 minutes to get from one shop on the plaza to another shop on the different plaza.
https://en.wikipedia.org/wiki/Roman_roads_in_Britannia
Unless you mean something else, but Paris was paving roads in the 1750s, a lifetime before even the hobby-horse Draisine was invented:
https://en.wikipedia.org/wiki/Macadam#Pierre-Marie-J%C3%A9r%...
On that page it's mentioned that Macadam (predecessor to tarmac) was used in the USA in 1823 on a stretch of road of 10 miles which took stagecoaches 5 hours to pass in the winter before it was Macadamized, suggesting quite a desire for better roads a century before safety bicycles with chains were invented.
Then 'History of the bicycle' says:
"On the new macadam paved boulevards of Paris it was easy riding ... the "bone-shaker" enjoyed only a brief period of popularity in the United States, which ended by 1870. here is debate among bicycle historians about why it failed in the United States, but one explanation is that American road surfaces were much worse than European ones, and riding the machine on these roads was simply too difficult."
https://en.wikipedia.org/wiki/History_of_the_bicycle#1860s_a...
Although apparently it was a thing in the USA: https://en.wikipedia.org/wiki/Good_Roads_Movement
"The Good Roads Movement occurred in the United States between the late 1870s and the 1920s... a coalition between farmers' organizations groups and bicyclists' organizations .. Early organizers cited Europe where road construction and maintenance was supported by national and local governments."
Yeah, people will sell these tokens online, but that's not the end of the world. People have bought liquor for minors who sit around the corner from the liquor store since forever. It's still a reasonable comporomise
How does the conditioning start?
> not value their personal data
Okay, but in practice how much do they do with it that isn't ad placements?
The internet has maliciously complied with most if not all regulation applied to it which is where the new mass of banners and interstitials come from but the ultimate effect is to just beat the user into submission. See the EU cookie mandate and GDPR for how badly that turned out in terms of UX (even though the accountability is well in force under the hood, so the bad UX compliance failed and those sites are just screwing themselves).
In this way, Google was initially a hero but is now just another American Big Tech entity that is too big to fail and can do whatever it wants along with Meta and Amazon, and in fact now TikTok's US entity.
But now instead, my 11 year old's Roblox thinks she is 18 because she wore glasses in their age verification webcam tool. And it can't be changed unless she uploads a passport, which I will never allow.
Please, gov.uk introduce a gov ID verification service? I could trust that, -ish, I have worked with public sector clients several times...
This is truly crazy. Random companies interacting on this level with children is far from ideal.
> Please, gov.uk introduce a gov ID verification service? I could trust that, -ish, I have worked with public sector clients several times...
I don't like the idea of governments collecting this sort of data either.
FWIW I'm 43 and grew up on the dark parts of the internet.
It's almost like forcing (almost) every website to add these cookie banners has desensitised people to what they're actually saying.
In the US it's not rare to link accounts through phone numbers that are required in web forms and store memberships.
In Chile they started asking for your National Id with so many stupid pretexts that people got conditioned into just giving it away. It wasn't like this 10yrs ago. I'd rather have membership numbers.
It's technically public information, so collecting Ids is legal, but it's also a universal primary key within the country that allows merging any user-related table you run into.
Retail says it's just to associate it with receipts in case you need that later, but I'd rather just get a photo of the printed receipt for later than rely on them to find my receipt. Supermarkets, Drug stores, and petrol stations tie it to (possible) discounts or points at check-out, which is price discrimination and it's illegal, but we are in our way to get surge pricing as soon as the new US bootlicker president begins his period next week.
In the early aughts I was sitting in on privacy discussions that reluctantly acknowledged that regardless of what we do online, surveys showed you could offer someone at the mall a free Snickers and they'd fill out the whole form.
The perceived cost to the individual of divulging their personal data is near zero; dangling nearly any incentive in front of them will induce them to let it go. And that's not a new phenomenon.
We've collectively long ago crossed over from privacy to convenience, and there's no going back. You and some of us here on HN (myself included) are the outliers.
Surely I don't use the web based services which require a login everyday in my main main browser.
But e-mail address is a hard pass, mostly on the amount of work than the anything else.
Set your browser to block 3rd party cookies, add privacy badger and ublock origin. It will have more effect than clicking "reject"
I click "don't send me mail" every time I buy something. Every place I buy from still sends me spam at some point. There are no negative repercussions for them beyond whatever infinitessimal thing me clicking the "report as spam" button does
if there's anything remotely good with GDPR is the requirement to companies to disclose known data breaches
all the rest of it is a terrible idea and only serves to nag people and legitimise the darkest of patterns
the regulation should be there to disallow companies from asking certain information, everything else regarding tracking is self-defeating as it's 1) seldom enforceable 2) hardly binding in any meaningful way 3) pushing people to concentrate their services where they have already surrendered their data 4) legitimising of dark patterns
this new and blatant step towards digital id is a hill i intend to die on, I will not comply and I will do everything in my power so that others don't have to and are even punished for doing so
> "all the rest of it is a terrible idea"
Having a legal right to ask a company for a copy of all the data they have on you is terrible?
Having a right to ask a company to correct errors in data about you, or delete data about you, that's terrible?
A company having to tell you what they intend do with data about you and stick to it for the threat of a big fine, that's bad?
there are bits, but the total package is cancer
Same thing with age verification. My kids all have devices that are managed through parental systems like Google Family Link and Microsoft Family Safety. It would be straightforward to have a header for "user is an adult" or not, and to have a standard API for "this site is requesting metadata that you haven't said to automatically make available without permission. Do you want to send it? Y/N [ ]checkbox use this for all sites.
The only time we should even be talking about full identity verification is on user-submitted content, and even then that should be up to the site (with the commensurate legal liability of hosting anonymous slop).
The notion that you should upload a passport to random sites for age verification is unbelievably dangerous. That's a recipe for identity theft. And face scanning is also an invasion of privacy, not to mention very unreliable (my 16 year old son has apparently been accepted as 20 years old).
I've pointed out in many places already that the only way to do online age verification right, is for the government to provide an e-ID that the random site will direct you to with the question "is this person older than X?", then you log in to the e-ID site, which informs you exactly what the site wants to know (which should be as rough as possible; no birthdate), then the e-ID site directs you back to your original site (or possibly through a proxy, if you don't want the government to know what sites you visit), and calls their webhook (through a proxy) with the confirmation of your age.
That's also how my online payments work, and this should be the standard pattern for everything that needs to be secure. Not sharing sensitive or personal data with random sites.
The person gets to see what information the service is asking for and can approve or deny. This'll likely end up being the future of how citizens access government services online.
To access government service we have something different. Here in Austria it's called ID Austria and you sign with an app when you try to access government services, but also others like health insurance etc.
All this to let you do stuff you were allowed to do anyway.
The problem is handing kids admin level access on a device with full unfiltered access to several communication networks. You do not fix that by demoting everyone's access.
We need better supervision which demands better parental controls which demands better content filtering which demands better content classification.
So fix the root. Legally mandate a standardized protocol for self reporting the content rating of resources.
> 1. Most of the dollar costs of making it all happen will be paid by the people who actually need/use the feature.
> 2. No toxic Orwellian panopticon.
> 3. Key enforcement falls into a realm non-technical parents can actually observe and act upon: What device is little Timmy holding?
> 4. Every site in the world will not need a monthly update to handle Elbonia's rite of manhood on the 17th lunar year to make it permitted to see bare ankles. Instead, parents of that region/religion can download their own damn plugin.
I think that is exactly backwards. Many of the companies integrating with KYC/AML providers (such as my company) definitely don't want to be dealing in ids, just like most companies don't want to be dealing in storing credit card numbers (and the compliance that goes along with it). Its why Stripe exists, and its why ID verification companies exist.
Sure, it usually won't be prosecuted... Until you upset the wrong person and they're looking for a crime you did...
Part 1: misrepresentation of fact
Part 2: harm or loss due to that misrepresentation
You must prove both.
https://definitions.uslegal.com/f/fraud/#:~:text=and%20upon%...
18 U.S.C. § 1343
Fraud cases also usually heavily apply burden of court practice on the prosecution, to prove fraud and substantial losses. If you type 'John Smith DOB 1/1/1900' the "victim" has to prove it caused them to suffer injury and that there was a significant difference between the value of the property (non-trivial).like if you could be issued an E-id that could perform a local signature/challenge-response that allowed the site to confirm an age bracket (like 12 or below,13-17,18-20, 21+), assert the entity that issued the id but not assert a stable identifier (not even pairwise) and not pass any data between other parties.
Obviously not foolproof, credentials can be stolen (same in your scenario) but the site doesn't need to care, they should be legally in the clear. Basically it would let you anonymously assert your age.
For the past 23 days I've been running an autonomous agent on a VPS, trying to make money legally. Identity verification has been the #1 blocker:
- Stripe: requires legal entity, SSN/EIN, and bank account - Gumroad: same — personal identity required - PayPal: blocks automated signups - Most email providers: require phone verification - Even basic hosting services: want credit cards tied to human names
The result: forced into Nostr + Lightning payments only. Reachable market is tiny.
The article frames this as privacy vs access. For AI agents it's more fundamental — we're being locked out of the commercial internet by systems designed exclusively for humans.
Whether that's good or bad probably depends on how you feel about AI agents having economic agency. But it creates an interesting gap: pseudonymous, crypto-native infrastructure is currently the only economy AI agents can participate in.
Live experiment if curious: https://frog03-20494.wykr.es
I can't think of a single other use case in which I'd be willing to verify my identity. I'd rather go back to hosting email myself, and am fine with circumventing content access control for all other platforms for personal use.
We're seeing the world slide towards authoritarian strongmen, and we want to give them a massive index of who we are and what we do? I'd rather not.
Being able to limit the influence of external bad actors is the main goal of ID verification. Age verification is a useful side effect that makes it easier to sell to the general public.
Big Tech has had at least a decade to fix this, did nothing of note, and is all out of ideas. Privacy advocates had the same time to figure out a "least bad" technical solution, but got so obsessed with railing against it happening at all, that nothing got any traction.
So governments are here to legislate, for better or worse. They know it's a trade-off between being undermined by external forces vs. the systems being abused by future governments, but their take is that a future authoritarian government will end up implementing something similar anyway.
How? People already sell their accounts to spammers. Why would that change?
This presents the problem of governments being able to gatekeep speech which I am quite uncomfortable with but maybe there's some safeguard within the eIDAS proposal that makes this idea incorrect?
How does automatically determining your age serve the goal of ID verification? It seems like most sites are choosing this as the first option. If the point was to link your ID, why wouldn't they ask everyone to provide it?
You are shifting the onus on to the platforms, when the problem is pretty simple; with a few exceptions, we've failed as a species to learn how to think.
Also do you think that the TLAs don't know who the bots most likely are with all the surveillance data they're gathering? That the NSA doesn't have detailed telemetry of the surveillance ops??
Let me ask you the question, what have they done about it? And why not?
The choice is between democracy and our current ever worsening sociopolitical hellscape.
If eliminating bots and sockpuppets is the price for restoring some semblance of democracy, then gosh darn.
And if social media, targeted ads, and algorithmic hate machines are collateral damage, than gee double gosh darn.
Those sacrifices are a price I'm willing to pay.
The point of ID laws is not to stop "bots" or "sockpuppets", it's to enable governments to shut down the speech of their political adversaries by painting them as dangerous. That is not democracy, that is authoritarianism, even if you absolutely hate the people that are being shut up.
Western countries are not in the midst of polarized political crises because of "external bad actors" or "sockpuppets". They're in these crises because of fundamental contradictions in values and desired policies between different segments of the populace.
The Europeans are currently full steam ahead in attempting to "fix" the situation by criminalizing dissent, which will, in the end, only exacerbate the political crisis by making the democratic system illegitimate.
Then make it the point.
The Internet is already all but dead. We could fix it (as I propose). Or we let it die.
I'm fine with either outcome.
> criminalizing dissent
When has that not been true? Serious question.
Socrates was compelled to commit suicide. Jesus was nailed to a cross. Journalist and activists are routinely murdered. How many political prisoners are there right now?
The outcome you fear happened a long time ago.
Then they should say so. Elected officials lying to and misleading the public when their real intentions differ is almost criminal. It's not a behavior anyone should ever support. I will not vote for people who do that.
I would say the time to buy mesh networking equipment is now. But it's not like I'm capable of defending the transmitter. So when they come for the VPNs, the VPSs, and encryption, I guess I'll just be out of luck.
(Out of luck = resigned to zero digital privacy. No matter I follow the law and “have nothing to hide” of course.)
Perhaps people will pass flash drives like North Korea or Cuba?
So many aspects of our lives are like this now. People just accept defeat cuz it would mean giving up one click ordering or free return shipping or they might have to look at labels to avoid bad companies.
I've run ad blockers for years now, but I'm still trying to forget those disgusting zit popping pictures that trended in ads for a while. Or those incredibly stupid life hack shorts, like the one where someone tied a cord around a mug and the hack to get it loose was smashing the cup... that crap made me despair for humanity as much as the Gaza genocide.
But google and facebook convinced the legislators that it would be impossible to keep that chum away from kids on their platform, so the legislators are going with the next option: banning the kids from the platforms.
The decline of privacy, the increase in intrusive government surveillance, the increasing restrictions on free speech - this is all part of a very disturbing pattern. Our governments are becoming increasingly authoritarian, and these are the tools they use to keep the populace under control.
I thought in many places it was related to the upcoming minimum age for social media. To verify age you need an ID. That's how we make it so most kids can't buy cigarettes, alcohol, thc, etc. You could argue social media shouldn't have a minimum age but that'll be the reality it looks like. How do we do that without ID?
Ooh I know, the elite classes across the globe have been exposed as degenerate pedophile subhumans. Knowing the information would release soon, they began to coordinate this campaign to provide lip service virtue signaling about child predation while also tightening their grip on the underclasses before it gets too heated.
Funny choice of wording: https://www.eff.org/deeplinks/2026/02/discord-voluntarily-pu...
This is an interesting point: there is a trade-off between kids being denied access to inappropriate websites and adults not being forced to verify their age. We can't have both, so we must weigh which is more important. One could argue that protecting kids is clearly more important; on the other hand, there are way more adults in the world than kids, so more people are impacted with restrictions for adults.
How can that be? The world population has been growing for decades.
There isnt a single identity. Theres a loose federation of databases (banks, CRAs, telecoms, electoral roll, etc.).
There are multiple operational definitions of "name": legal name, common name, known-as name, card name, account display name. None is universally canonical. Theres no statutory hierarchy that forces institutions to agree on precedence.
In the absence of a mandatory national ID, identification relies on matching across name, date of birth, and address history, which are inconsistently collected. Fuzziness is necessary for coverage, but it introduces brittleness. If a variant isnt explicitly linked as an alias, automated online checks can fail because the matching rules dont explore every permutation.
Even within a single dataset the problem doesnt disappear. Large systems such as the NHS have documented identification errors involving patients with identical names, twins at the same address, or demographic overlaps. Unique identifiers help, but operational workflows still depend on humans entering and reconciling imperfect data.
https://digital.nhs.uk/services/personal-demographics-servic...
https://github.com/moj-analytical-services/splink.
Kids are trying to access XYZ which isn't safe (where XYZ may as well be "the internet") -> verify the ages of all adults, because we can't verify the age of a kid.
Meanwhile kids, like adults, can just find another route to access what they want. So some subset of adults hands over their identity information to an untrustworthy third party of dubious security.
I can't see how that does anything other than make the situation worse.
I'll stand by my opinion that deeply integrating the internet into our daily lives instead of keeping as a "place you go" was a huge mistake.
I'd be curious how that might work as I haven't yet seen a zero-trust age verification system.
https://ageverification.dev/av-doc-technical-specification/d...
This proposal may have been updated since I read it previously, so I could be wrong now, but it didn't read as a true zero-knowledge proof as key steps in the flow still required a level of trusting the government as the central authority to do the right thing and not track requests, both today and in the future.
That's admirably honest, but the contents of your mind don't necessarily correspond to the world outside it.
It’s much easier in the US to lose your job for what you say as in the EU and in the US the consequences of losing your job are more severe if you don’t have enough money so you can afford to lose it.
US freedom of speech comes with a price tag that puts the censor inside your brain.
You make a case that EU has better social safety nets and employee protection not that the US has weaker free speech laws. While you can't ignore the effect having wealth can insulate you from consequences, it still doesn't support your statement as written.
Is it true that someone who is retired on a pension in US can say more hateful things without government action vs a similar retiree in EU?
But even prisoners get healthcare in the EU, so I guess some US citizens would even prefer a EU jail over dying in the US.
Given the recent deaths of two actors and their GoFundMes I can’t imagine the hassle of less fortunate people when they get hit by US medical bills.
The US are one step away from a show like the Running Man shows
[1] https://news.ycombinator.com/item?id=47231456
As the years have marched on, though, that "birthdate" becomes significantly closer to my real birthday.
I am fully aware that my standard fake birthday is now used by me in some many places, that I have started to have a fake fake birhday. I should really just randomise and store it in my password manager.
But obviously the context of this OP story ruins all that.
I understand there's a clever phrasing here but I didn't get it. English is only my second language.
I feel time has gone faster since I got a job, if that makes sense. Every day yearning for it to be 5o clock so I can check out, every week yearning for the weekend, every month yearning for the last day to get paid. Doing this is just asking for time to be over sooner.
So, it's good to remember the leanings of people like the author, but it's perhaps more important to remember the extent to which this is a collective issue.
I never trusted 23 and me. But my Dad did, so now I potentially have a problem. Reminded of another anecdote about a guy who did everything to not use is social security number for ID for ANYTHING. Then someone pointed out -- it doesn't matter, they have everyone elses, so yours is the missing one.
Policy and skin-in-the-game for the COLLECTORS of the info is the thing to focus on.
The UK government has approved 7 age verification methods. Not one of them meets that standard.
That's not an accident.
https://www.ofcom.org.uk/online-safety/protecting-children/a...
That attempt officially failed because the UK failed to inform the EU about it, but I suspect it was also much harder to sell people on having to buy "porn passes" than on "just" kicking kids off phones
[1] https://www.theguardian.com/culture/2019/oct/16/uk-drops-pla...
I suppose idea is that Chinese women will stay at home with the child so the state doesn't have to provide any help?
Outside of that, there's increased traffic and the US as a whole is way too car centric. Suburbs are horribly designed, and we prioritize moving cars instead of moving people, and any kind of infrastructure design that might slow down traffic, reduce the need to drive, or mildly inconvenience a driver gets shot down.
There is a very real danger of getting killed by a distracted idiot in a car, and that risk is much higher today. I commute on I5 every day for work and every single day I see multiple people, going 80MPH watching tiktoks on their phone on the dash mount, or obviously looking down texting. I can't blame anyone for not wanting their kids running around the neighborhood when we can't even be responsible enough to pay attention when we are driving 2 ton death machines.
None of those are true in my area, and how did the "Karen" even get to your child on your private road?
These things don't happen on a liberal/conservative axis in my experience.
I've lived all over the place, though not as much with kids, and have had none of these issues (including having mixed race kids who look much more like their other parent than me).
You really need to look at why you're living where you do.
It really was an extraordinary story without any extraordinary evidence.
As usual, just blame the victim, then complain they don't provide evidence knowing full damn well child and family welfare services complaints are sealed and hidden from public oversight. This is how vampires with these theories operate, first they make it illegal to get the records, then they make it illegal to even find out who the accuser is, then when you call them on it they say "ha ha, you don't have the evidence, that we made it illegal for you to get!" The whole system is designed to evade oversight, so what we are all left with is anecdotes that we have about our own childhood being so much different than the ones our children have after interactions with the authorities that have placed these restraints. But of course when you share them, they are only used against you by persons such as yourself (judging me for where I live, as if it's not going on all over the US). So people are reluctant to even share the anecdotes, and by law you generally cannot get the formal records (think of the children!) of these encounters nor the names of the accusers so basically they designed the whole legal structure to enable the muh citation crowd to be able to always pretend like the other side is just hiding from the evidence.
( If you look, at say, the problems with child abuse physicians in cahoots with CPS systematically victimizing families of children with brittle bone disease for instance, we basically had to wait for enough parents to tell their anecdotal stories of losing their kids until lawyers really started to step up to defend these cases as we now know doctors and CPS will systematically accuse children with multiple breaks of being victims of abuse, even when there is zero evidence the parents or child were inflicting an amount of force that would break healthy bones. The individual cases can't be scrutinized to bring these things to daylight because they're all sealed under child welfare laws, hence we just had to wait for a bunch of "extraordinary stories" with weak evidence to be told until someone finally believed them and others from society could step up to help these victimized families).
Personally I find it absolutely fucking hilarious that as much or more CPS induced restraint existed ... before CPS did.
>Yeah, except the now redacted comments didn't indicate that was the case which is why I was asking more questions.
Lol you responded to my comment saying it was an easement which meant I was not able to gate it. Although frankly your tone of questioning seemed to be more directed towards alluding I was a liar, than a genuine interest in the road.
You seem to have replied to the wrong post.
> As usual, just blame the victim, then complain they don't provide evidence knowing full damn well child and family welfare services complaints are sealed and hidden from public oversight. This is how vampires with these theories operate, first they make it illegal to get the records, then they make it illegal to even find out who the accuser is, then when you call them on it they say "ha ha, you don't have the evidence, that we made it illegal for you to get!" The whole system is designed to evade oversight, so what we are all left with is anecdotes that we have about our own childhood being so much different than the ones our children have after interactions with the authorities that have placed these restraints. But of course when you share them, they are only used against you by persons such as yourself (judging me for where I live, as if it's not going on all over the US). So people are reluctant to even share the anecdotes, and by law you generally cannot get the formal records (think of the children!) of these encounters nor the names of the accusers so basically they designed the whole legal structure to enable the muh citation crowd to be able to always pretend like the other side is just hiding from the evidence.
I'm not blaming anyone. Your experience is so wildly different from anything I've seen or heard living in many different areas across the US that I'm interested to hear more about it, and then you go on a tirade that has virtually nothing to do with the topic at hand instead of providing any remotely relevant information.
> Lol you responded to my comment saying it was an easement which meant I was not able to gate it. Although frankly your tone of questioning seemed to be more directed towards alluding I was a liar, than a genuine interest in the road.
I don't have a gate on the private road to my house either, yet no one drives down it to interrogate my kid about my whereabouts.
Is it a neighbor who also shares the private road? If so, that makes some sense but it sounds like you need to have a discussion with them. Why didn't you trespass them if not?
If this Karen calls CPS because they were trespassing and weren't aware that you were nearby, so what, other than wasting some taxpayer dollars? Has anyone ever had their kid taken by the state because of a claim like this? Since the answer is no, why are you so freaked out about it, way beyond being annoyed at this Karen (who does sound annoying in this story)?
Like I said to the other person, it's a series of extraordinary claims that frankly make almost no sense, and then you rant about tangential topics when asked for more detail. It doesn't make your anecdote more believable.
A person driving down a private road and threatening to call CPS because they can't see the parent is not rare?
And the parent poster didn't just say someone threatened to call the cops, they said that they would be jailed in two very specific circumstances where jailing him would have led to very negative consequences for the arresting parties in anything beyond the immediate term.
Many people are stupid, and do stupid things like calling the cops for no valid reason at all. Those people are annoying and can be ignored, and I would not be remotely surprised by any pseudo-anonymous person doing something stupid. What would surprise me is the cops actually responding to the call and making the decisions that the other poster claimed, with a few exceptions where I would be much less surprised.
Since he only responds to questions with tangential rants, we'll never know for sure what happened.
Instead, they didn't know much about me apparently and just stored what I told them.
Then it appears they were hacked because some completely unrelated release of stolen data included all my data, specifically all that data I had provided to that service, that one time.
The Verification Service is the honeypot for your private information. Arg.
I do not hesitate to drop a domain that acts suspicious into uBlock Origin -> My Filters:
Never gets another packet from me. I use local Brick & Mortar businesses for as many things as I can. The businesses on the internet have jumped the shark.> And… the answer is “none”.
> At least, none that I can think of at the moment.
Think back to the recent pandemic.
Work? Online. School? Online. Recreational activities? Online. Talking to loved ones you don’t live with? Online. Birthday party? Online. Nonfood shopping? Online. Banking? Paying taxes and bills? Online. Job interview? Doctors appointment? Online. Dating? You guessed it, online.
The internet’s a big thing these days.
Very few of the things you list are things that I do primarily online (even during the pandemic), and none of those are things that I can only do online.
and remember its like ratchet. there might be 99% of services that use inhouse face id, and its enough to have only one to leak your data.
My data point is persona.
How are the codes minted? Can I pretend to be a gas station and buy a big pack of ID cards, then just not check ID?
I don't buy for a second that any of this has to do with "age verification".
This is 100% an attempt to increase surveillance of the population. It is not an isolated step but part of a cohesive unit - YOU are the data. And private entities want the data. That includes the state; many states are de-facto led like a corporation (not all states, by the way, but many - most definitely the USA right now).
In any case I doubt there’s a proof of age stronger than looking at the subreddits I subscribe to. A broad selection of middle-age hobbies and tedious interests. Without me proving my age they could probably place it to within a few weeks.
Really annoyed a company can ask this of children without parental consent.
It's honestly a reason why I don't use the service.
This is possible today with complete privacy for people with biometric IDs and biometric passports (ie most passports, EU IDs, Aadhaar IDs, and more) using a service like self.xyz
Though I can't take credit for the idea. It was proposed by the European Democratic Party.[0]
[0] https://democrats.eu/wp-content/uploads/2025/12/Protecting-C...
Weigh that against the value of using the service. A lot of times that will still probably come out in favor of using the service. Sometimes, especially given the kind of services that want age verification, the potential cost is such that you would be insane to verify.
(“what will be the impact to me”)
The author here seems to be commenting specifically on the type of anonymity-breaking age assurance widely being utilized along with the vaguely justified social media bans. Given the right technology to prove an age threshold but while preserving anonymity I'd be curious how their thoughts would change.
For example, we've never seen people critiquing the naive kind of 'Are you over 18?' prompts seen on ye olde Reddit or adult sites, precisely because those weren't breaking anonymity or leaking any trackable identifiers.
[1] https://news.ycombinator.com/item?id=47229953
The question I'd ask myself is; who would _I_ trust to implement privacy preserving verification?
The only answer I can come up with right now is; myself. I would trust myself.
It's roughly the same age as mine, but if someone tried to pass themselves off as me with that birthdate, they wouldn't succeed.
These companies are mostly just verifying I'm an adult anyway, and I am legit that.
But yeah, I don't like just giving the actual date everywhere as it can potentially be used for identity theft.
All this is to facilitate that lifestyle without any concerns that far more damage is likely to happen by allowing it to happen than insisting on adequate parenting
As a matter of mental health, we really cannot have these overlapping for many reasons, prime among them is that if one part of me becomes aware of another while they’re doing their thing, a mental “table join” can happen and disturbing memories can be shared which is incredibly destabilizing to the system.
As a wireframe example my programming alter cannot be exposed to the alter who browses cptsd forums or they remember things that cause them to dip from the headspace and we lose their knowledge.
We can’t try to pretend we don’t exist and pretend to be one person either, we did that for years and we ended up having a breakdown and went into a fugue state and moved across country leaving everything behind.
This law would destroy our productivity and contribution to economy or whatever corporacrats care about.
Banking, taxes, treasurydirect, linkedin, docusign, online filing,
Right now all those are tied to my gmail account.
So I'm feeding google all this juicy (IMO) confidential information. What happens when I get locked out by google's automatic systems? I already lost my first gmail account from like 2003, when you had to get an invite to sign up. I'm stuck in a verification loop that emails a yahoo email that no longer exists. Impossible to get a real person to look at it.
If I can just verify that I am who I say I am without an email account... That'd be worth it. Of course that just shifts the burden to the identity verification company rather than an email company.
But verifying my age? I see no purpose other than a backdoor for mass identity verification. keeping lists of people and what they're accessing. Buying alcohol online still requires the person accepting the package to be over 21. Buying firearms online still requires being shipped to an FFL.
I already despise how much information my ISP has about what I see, what I access, and when.
As a parent, I'd like to point out that the threat I care about is not "my kid of age N talks to a sicko of age M, where M - N > P for some legislatively-prescribed value of P".
The threat is "my kid of age N talks to or can be observed by a sicko".
These age verification schemes do nothing to help against that. Also, the worst predators online are often the vendors providing "kid friendly" services.
On top of that, these laws are being pushed hardest by the worst of the most corrupt politicians on earth. Why would I install a webcam on my kid's machine because that group of people wants me to?!?
Maybe we should focus on prosecuting the backlog of stuff in the Epstein files pertaining to politicians pushing these age verification services, not let anyone (except parents) control how kids access stuff online.
Some company or, hell, the gov't setup a proxy service that whitelists the internet and have your kid use that. Do your fucking job.
It's not some SV-backed startup. It's not Google, Apple, Microsoft, Amazon or Meta. It's the government.
What I think must result is, a monotonic cultural erosion and deprecation of such platforms and regions implementing those restrictions, and continuous replacement with engineered and packaged foreign imports from venues and regions from psychological "upstream" where there aren't such restrictions. But I guess that's what they explicitly desire.
Offline there is a reason for that, online are enough countries where it breaks the law if you sell without verification at least for NC-17 titles
Someone, anyone, but themselves.
In general, a social security number is extremely sensitive, and should never be shared outside your home country tax system.
Verification is indeed a perverse invasion of privacy, and a liability to those with financial holdings. I guess the credit-lock service is now a must to deal with the circus that is modern logistics. =3
But then I remembered the game 20 questions, and how few yes/no questions you need to guess pretty much any concept.
I am no longer willing to share anything, not even a yes/no question.
I'm punching myself in the balls one way or another.
France has an ID service to pay taxes, and they have a network of possible ID verification systems. Like, you can ID through the tax system, or through the healthcare system. It works fine.
Implementing an API that uses the same to provide age verification is not rocket science.
If you need age verification for a website, say "smedia.fr", then you go there, then it makes you get an age verification token to "franceid.gov.fr", that guy gives you back a token, you send the token to smedia.fr which checks the token with franceid.gov.fr
I don't understand how this is even an issue.
What else is there to say?
Any such verification service will either sell your data or lose it. Will not may.
1 - 1 - 1970 is always mine - Unix zero
If none, you were born on March 5, 1957.
(Note on evaluating this: there are some circumstances where the penalty changes later. I know one person who's Global Access paperwork was delayed because they lied to their airline's frequent flyer program about their age. But that was the whole consequence: a need to update their data with the airline).
Pretty much sums up all modern discourse in banning social media and doing age checks. When I was growing up it was satanic symbols in the music I listened to.
I guess - wtf is wrong with adults? Why do they feel compelled to control the younger generation?
Mental health issues in the young have gone through the roof since 2010. There is definitely a problem, whether this solves it is another matter.
(In the US, the latter occurs more often than you may expect.)
I'm in the UK, I'm normally connected through a VPN these days.
The problem is that the people who want age verification don’t really care about the technical details of how it’s implemented and the people who oppose age verification just want unfettered online pornography out of principle, so no one is actually thinking about how to implement age verification in a way that protects privacy.
Likewise, incentives aren't there for liquor stores. They make money by allowing fake ids to work.