This is a good way to test if a service is actually federated: Does this affect people using other servers? If people using other servers can communicate with each other and not care what policies the central bsky server sets, then it's actually federated.
The way Bluesky works, there's a "personal data server/PDS" (which is how you host your own posts) and an "app server" (which queries everyone else's posts to create the whole app interface). You'd have to host both (the PDS is easy, the app server is hard) to avoid the Bluesky policies.
That said, since it is still quite possible to do so, I think Bluesky is on the right side of that tradeoff.
I think the important question here is: once they've got your face or ID, do they store it? Is this effectively forbidding pseudonymity?
It's worth thinking twice about this in a country that is actively censoring mainstream political speech in its media.
> once they've got your face or ID, do they store it?
I work at a place that uses Yoti[0] for age verification and we definitely don't store any facial images[1]. Yoti also claim they don't store any images once they've delivered the age estimation back to the caller[2] (but obviously that's something unverifiable from outside.)
[0] Who provide the facial image age verification for KWS.
[1] Unless the client team have gone rogue and done something weird, I suppose? I can confidently assert that the backend doesn't store them though.
[2] https://support.yoti.com/yotisupport/s/article/Is-facial-age...
The claim is that the data is "deleted", but there is no way to actually verify it is in fact being deleted (and the chances are data itself might be stored in say AWS which may have its own way of "deleting" data, such as in backups, caches, multiple regions etc (however they have their own legal process which may not allow data to be deleted in the event of a law enforcement request, and there's no way for anyone using the service to understand who is actually handling the data as it passes by their servers, which could be suspectable to interception etc)). Truth is, the data is much too valuable, and is useful for long term storage to know what somebody looked like or who they were when accessing content online. The UK has the RIPA so they could serve a technology notice for data to be retained and prevent disclosure of that fact. Apple was recently involved in such a request to disable advanced data protection, and the UK government is disgusted by E2EE and the very idea they cannot access every piece of data they like on demand, and wanted the entire thing held in secret.
So the reality is, assume everything on the internet is being archived, including any scans you do, and adjust the threat model accordingly. The UK government will absolutely be able to access this information and know all about what you've been doing if you're foolish enough to actually submit legitimate information.
> So the reality is, assume everything on the internet is being archived, including any scans you do, and adjust the threat model accordingly.
OK, but what would the practical conclusion of this be? A lot of services will require those scans to be made. So, just get used to the fact that your face scans will be stored beyond your control?
Or stop using any large online services, I guess.
I believe you can just VPN around this for now because it's not very rigorous too?
Have fun doing that if half of your contacts are on there. People didn't quit Facebook after learning what kind of stuff they are doing with their data, I don't see why they would quit now.
Also, I don't know the law in detail, but wouldn't it apply for all online services, no matter how large or small?
We are in a community of hackers. There are tools such as VPNs which are effective at bypassing these requirements. That will likely change in a few years as the government will want to crack down on circumvention techniqus. The law is incidious enough to actually suggested that educating people on how to bypass the checks is not allowed - I sincerely hope no court ever upholds that otherwise the very act of education is at threat.
So the end result is using tools such as VPNs or fake videos to bypass the system. Or creating new communities which do not have such restrictions (but they won't be able to be big platforms anymore as they will fall into scope).
So you could have 1000's of smaller bulletin boards. Once they get large enough they'd need to shut down and restart in order to not be within scope.
Alternatively there could be some legal challenges on the way to define the scope of their powers (so far there's not been any enforcement conclusions to challenge, although there are some investigations by OFCOM ongoing)
Are you suggesting that the entire population of the UK switch to using VPNs?
> So you could have 1000's of smaller bulletin boards. Once they get large enough they'd need to shut down and restart in order to not be within scope.
This will work until the moment some actual pedos run some of those small message bords and use it to groom kids and politicians will have the necessary munition to shut down those sorts of exceptions to the law.
Yes, because that's how the internet is designed to work, a VPN just routes packets to another location with the nice side effect of being able to use another IP address.
Countries have tried to enforce censorship but even places like China have gaps that are exploitable if you have the right tools and knowledge.
Everyone should be learning about how to bypass state overreach, it's an obligation of its people.
My question is: who protects Children against the UK Government?
Governments are very dangerous institutions. They hold a lot of power and can abuse it.
Case in point: what's happening to trans kids in the UK at the moment.
If you don't think this technology will be used to keep kids from connecting with peers like themselves, or learning or reading about themselves, because of some trans panic, you haven't been paying attention.
Politicians all over the world have put forth legislation like this with the explicit purpose of preventing LGBT kids from connecting with peers or learning anything related to their identities[1]:
> A co-sponsor of a bipartisan bill intended to protect children from the dangers of social media and other online content appeared to suggest in March that the measure could be used to steer kids away from seeing transgender content online.
> In a video recently published by the conservative group Family Policy Alliance, Sen. Marsha Blackburn, R-Tenn., said “protecting minor children from the transgender in this culture” should be among the top priorities of conservative lawmakers.
[1] https://www.nbcnews.com/nbc-out/out-politics-and-policy/sena...
UK Voters or no one, depending on which half of the glass you focus on.
Sovereign power is scary af, but in theory also kept in check by voters. The problem is that no matter what form of government you have, it is still downstream from culture, and if this kind of policy is what UK voters want or can be talked into wanting, then this is what the King’s subjects shall get.
It's just so tragic to read it like that but, that's exactly how it is.
> Governments are very dangerous institutions.
Could be.
Having said that US culture vs the rest of Western Nation culture mindset imho.
Majority of Europeans and Canadians don't see Governments as a Monster.
Well, in the US, we invented this cool thing called an amendment which gave everyone in theory the ability to hold a government accountable the hard way, and we invented it after a long history of knowing what the UK was like...
This has made a lot of people very angry and been widely regarded as a bad move. /s
Here's what you want to know:
https://dev.epicgames.com/docs/kids-web-services/pv-service/...
> Parents in all regions except the USA and the Republic of Korea can verify their age using face scan. KWS prompts the parent to hold their device in front of their face. A machine-learning algorithm estimates the parent’s age using the device’s camera.
> Face scan verification is provided by Yoti (yoti.com).
They have an app:
https://play.google.com/store/apps/details?id=com.yoti.mobil...
I installed it but there's no direct interface - it needs to be opened via some intent and I can't be bothered to figure that out.
I would put a lot of money on it not being able to detect you pointing your phone at a Veo3 video of an old person though. Maybe on iPhones where you reliably have a depth camera? Doubtful on Android though.
It only takes one smart kid to beat this, and there are plenty of those.
> I would put a lot of money on it not being able to detect you pointing your phone at a Veo3 video of an old person though.
I recently had to verify my identity for UK government company registration purposes.
I had to use my phone to scan my biometric passport, then it did facial recognition while flashing the screen between red, green and blue. Presumably doing... something... hoping to detect fake faces.
(as well as the biometric passport and modern phone, it also needed an e-mail address, password, TOTP code, verifying the e-mail address, full name and address, and year I moved into the address, and I had to log in about 5 times...)
> flashing the screen between red, green and blue
Ah that's actually pretty clever. It'll detect reflective surfaces instead of emissive ones. Still possible to defeat but significantly harder. I imagine there are still some smart kids that could do it. Definitely fewer though.
> Presumably doing... something... hoping to detect fake faces.
I'd assume they were checking that your face reflected the light properly. If you were using a fake face on another screen being held up to the camera, it'd be more emissive than reflective.
Can't speak about this one in particular, but the face scans for banking that I know of also includes liveness checks to avoid AI impersonation (and presumably dead bodies).
What kind of liveness checks?
The app asks you to move the camera or change your expression throughout the verification.
I'm not familiar with how it works on the implementation side. A ML conference that I attended had a presenter working on this area and beating AI impersonation was their #1 priority (along with other trivial approaches).
For what it's worth, this might also be just a security theater from the banks, though.
> The app asks you to move the camera or change your expression throughout the verification.
The Natwest app will sometimes ask you to say words / numbers when doing a verification for e.g. a large transfer. Probably beatable by decent OCR feeding into voice synthesis with facial animation though (they don't have voice prints to check against that I'm aware of but even if they did...)
This will be a lot of fun. I regularly get clocked as being a teenager, despite not being one for a long time. I've been kicked out of bars, get carded buying cough medicine, etc. If I'm lucky, the only thing that gets me out of those situations is my government ID with my birthday on it.
Something tells me people who don't look exactly their age are going to get caught up in these automated systems.
> Something tells me people who don't look exactly their age are going to get caught up in these automated systems.
But then you just verify with a different method like government ID or credit card.
Bluesky will block adult content and DMs for age-unverified users in the UK until they verify themselves using Epic's "Kids Web Services" system.
Maybe the screenshots just don't show it, but I'm missing the "I'm under 18, just don't verfify me and dismiss the notifications" flow. Or are you just supposed to ignore constant nag screens if you can't verify?
Laws such as these are dangerous because it normalizes the idea that you should submit your most personal data - and the risks that come with that - in order to access a service. In the real world, as another commenter has said, we don't retain that information beyond the confirmation.
Just like the Ashley Madison leak, data will be leaked, and companies hide behind "third party" to limit their own liability. I would like to know who these third parties are however, and they should be required to identify themselves (with their names, addresses, photos being made public).
However, I actually welcome changes like this. And they are healthy and good for the internet.
Because when draconian laws such as these are passed it's our obligation to express our displeasure and disobedience. So we'll use proxies, VPNs and other tools we may not have even invented yet just to make it clear they are not welcome to control access to content, they can try, but must never succeed.
They will try to block such tools, and we'll need to make new ones, and, as a community of hackers, it's vital free access to information is protected at all costs.
So we need more of this, it should be the law in every country, because only then will there be a motivation to ensure such laws are not enforceable on a technical level.
Statements like this one by bluesky:
> Working with the UK Government to Protect Children Online
Make me think of one word:
Collaborators
The company is happy to strip people from their privacy, for the sake of children, terrorists, or whatever other excuse governments use to justify their excessive intrusion into people's lives.
Working with the UK government and other mass surveillance lovers to create the forcible use of digital I'd identity to be online, which so many lobby companies are creaming at the idea of getting the concracts for.
Protecting the children in the UK would actually be pushing for less wars, lowering taxes and improving healthcare and education. Providing good community centers and paths to economic independence.
These "think of the children" excuses are the same as "oh no the terrorists/drug kingpins" and all those other threats.
The threat is plutocracy and concentration of power.
The UK is in the middle of a huge scandal that prompted a national enquiry regarding actual physical harm done to countless teenage girls: in the hundreds for sure, probably in the thousands:
"PM announces national inquiry into grooming gangs"
https://www.bbc.com/news/articles/c7872pngj2qo
Note that the PM eventually bowed and launched a national enquire due to pressure: it's not as if he's a white knight here.
For it was all covered up by local politicians and police (some of which whom, for sure, also abused the girls) for fear of showing certain communities in a bad light (that's the official statement of several police officers as to why the countless reports of rape weren't followed).
It's great to "think about the children" but the UK should first look into why the number of rapes in the UK went 10x from 2000 to now. Ten fold. 10x. In a quarter of a century. What happened to the UK?
So the UK protecting children: remains to be seen.
As a sidenote there feels like there's an hint of posing here by BlueSky too: many call that social network "PedoSky" and the reason for it is many people with very dubious behaviour who couldn't silence their critics on Twitter/X moved to BlueSky. You know which kind of people: those who'll say it's acceptable to be attracted by children as long you don't physically do anything to them, those men wearing women outfit and dancing salaciously under the pretext that it's "art". They are on BlueSky, that's a fact. Hence, maybe, the posturing by BlueSky now.
I see that announcement as a safe haven for pedos teaming up with a government actively involved in the coverup of massive rape rings operation.
But I take it we should all applaud because it's all done in very good faith?
It's Orwellian stuff.
Privacy is very important to me. And having to verify your age/identity in anyway online seems very risky, open to abuse, blackmail etc. The privacy conscious can work-around the verification or decide not to access restricted websites anymore.
It's hard to deny the negative impact that unfettered access to inappropriate material has had on the younger generations. Some sort of verification seems like a net-positive for society.
The problem is that bypassing it whether via VPN's or accessing sites that don't comply will be so easy that the whole thing will be ineffective to a large degree. But maybe a little effectiveness is enough. If it helps prevent very young kids from accidentally stumbling upon inappropriate content maybe that will have a meaningful impact.
I also strongly value privacy and honestly this kind of scheme always rubs me wrong. In the physical world, we have IDs, provided by the government, a business is only required to do a brief check and often does not have to retain information. This means that you can retain a fair bit of privacy for the individual, and the burden on the business is fairly low. And yet, for some reason, online we get the worst of both worlds: businesses have to figure out how implement cumbersome verification measures (which means small businesses/ hobbyists will struggle to comply) AND there is basically no privacy. How did we get there?
We got here because adults cannot stop using the internet to victimize children. Education failed. Enforcement has largely failed. A loss of privacy is the next logical step until adults stop victimizing children. I use my nine year olds accounts fairly regularly and I’ve gotta tell ya mate, the number of dudes I meet who are pretending to be 9 and 10 year olds girls is pretty shocking. A loss of privacy stinks but at some point, society as a whole pays for the actions of very few. It’s the dark side of laws - they restrict freedom for everyone because a select few cannot be trusted with the tools we have at our disposal.
My thought on this is that parents shouldn't be giving 9 year olds accounts on any online service. But that doesn't seem to be something that is manageable for parents (no judgement). Would it make more sense for the government to completely ban children under x years from using phones/tablets? The internet? It sounds ridiculous but if an adult provided a child with alcohol or tobacco they would face consequences and therefore those things are controlled to a large extent. Could we do something similar in the digital world? Banning it at the website level is futile so maybe taking a step back to the devices themselves is the solution.
Yeah this particular system doesn't sound great. It seems like Epic are storing the fact you're verified and your email. I've definitely seen systems where they verify you and immediately delete the data.
Makes me wonder: why do we not have a government provided service? IDing people has, traditionally been a responsibility of the government. Even the private verification services ultimately rely on you showing your government issued ID at some point. If the governments want online verification, they should provide the tools and make sure they are accessible to all.
> Makes me wonder: why do we not have a government provided service?
Because every UKGOV since about 1980 has had an obsession with small government and farming out as much as they can to private contractors[0] regardless of consequences.
[0] Until those contractors fail to perform / go bust at which point the government steps in, things get better (shockingly) for a while, and then the government farms it out to another bunch of idiots who have ~bribed~ lobbied hard and the cycle repeats.
It sounds like a good idea to me and given the quality of some of the government tech services now in the UK I'm sure they could do a good job of it. But people are still against ID cards. Telling the government directly that you're viewing content on specific sites seems like something that would never be accepted.
[deleted]
I used to be vehemently against this.
But now I really do think we need to reel in the youth having unfettered access to attention grabbing algorithms. I know this isn't really what this is for but it's a step.
That being said, I wish these verification services would be provided by the government (with ridged watchdogs for storage) and not by private companies.
I think the youth's parents should be reeling them in, not the government or third parties at the expense of everyone else's freedom.
I think we're ten years beyond that point now.
Ideally, sure. In practice, that hasn't worked well. I was a youth fairly recently and I can assure you my mother lacked the knowledge to meaningfully enforce any content restrictions on my devices short of physically going through my phone. Incognito windows and deleting texts isn't exactly out of reach for children.
Why does that make that everyone else’s problem?
What I'm hearing is "I would rather let millions of kids get victimized than allow even the remote possibility of being held accountable for what I say on the internet."
In my mind it's all of our problems that children are getting groomed and manipulated online and the downside is minimal here. Like the worst case scenario is we have to assume people know who we are when we tweet... which doesn't even sound like a downside to me.
The death of anonymity on the internet is not worth making parents feel better about not parenting their kids.
So your alternative is teaching millions of 40+ year olds how the internet works so they can implement dns blocks on their home routers? Service side age restriction seems much more effective than mandatory parenting classes.
My alternative is not falling head first into a moral panic and destroying the last vestiges of free speech we have because people don't like the idea of other people's kids using the internet.
Even if I was sympathetic to that argument, "let's just let unaccountable companies scan and store your face and sensitive biometrics that they promise they won't lose" is possibly the laziest solution that can be dreamt up and screams ulterior motives to me.
I'm not sure anonymity online is "the last vestiges of free speech." Free speech existed before the internet.
I'm not sure there's an effective solution that's easier and imo the downside here is minimal anyway. Honestly, eliminating anonymity online might be a good thing. Maybe the crazy polarized rhetoric would stop and people would talk to each other in person more. Sounds great.
Or just use your iPhone and set up your kids iPhone as a kids iPhone and set restrictions on what apps to download. It’s really not that hard.
Conveniently you're no longer affected by the restriction you want to impose on others. How about you police your kids if you have them instead of trying to police other peoples?
Screw your mass surveillance