Anyone reading this purely as a child safety or campaign finance story might miss the broader architectural war happening here. If you zoom out a little, this is the inevitable, scorched-earth retaliation for Apple's ATT rollout from a few years back.
Apple cost Meta billions by cutting off their data pipeline at the OS level, justifying it with a unilateral privacy moral high ground. Now, Meta is returning the favor. By astroturfing the App Store Accountability Act through Digital Childhood Alliance, Meta is forcing Apple to build, maintain and also bear the legal liability for a wildly complex state-by-state identity verification API.
Gotta give it to Zuck. Standing up a fully-fledged advocacy website 24 hours after domain registration and pushing a bill from a GoDaddy registration to a signed Utah law in just 77 days is terrifyingly efficient lobbying.
Arabella Advisors provided some of the funding for Chat Control lobbying, alongside the Hopewell Fund, Oak Foundation, and Children’s Investment Fund Foundation (CIFF).
I was equally impressed/terrified by Apple's marketing blitz around client-side-scanning. So many people got paid to advocate for that, and the community barely convinced them it was a bad idea. There's not much hope left for any of FAANG deliberately resisting surveillance.
Well, they can profit from that, so why resist if the ordinary user usually cares only about colors being pretty and Instagram/TikTok/X/your slop generator of choice working properly?
That law is perhaps an annoyance for Apple, but it can't cost them billions, can it? I seriously doubt that it would cost Apple more than the several hundred million dollars Meta still needs to funnel in order to get those laws passed in more states.
Plus, Apple gets to be the gatekeeper for Meta and other apps, which can't be good for Meta, and Apple gets to know the age of its users, which in itself is monetizable.
> That law is perhaps an annoyance for Apple, but it can't cost them billions, can it?
The CEO has 24h in the day, and he/she is asked to be deposed (laws and the legal system have that power); it chips away from grand visions. It isn't just money, you can't just stand up a team and be done with it. Everybody will be coming at you.
Expect to see a lot of "Y alleges Apple didn't do enough to protect kids" and the burden of proof will be on Apple to make their executives available.
But didn't Apple fire the first shot with ATT? Apple was never against ads (see ads.apple.com or numerous ads on App Store); they were against Facebook's ads.
Well, I certainly prefer if big tech fight each other instead of the user as sometimes there might even come something good out of it - like elevated privacy in Apple's ATT case.
Overall, that's the reason anti-trust laws must be applied rigorously, otherwise the normal population has no chance.
I'm incredibly dubious of the conclusions of this researcher. Claude Opus was used to gather and analyze all of the data.
I am not skeptical of any of the research, the sources seem to be cited properly. I am skeptical that this researcher has thought through or verified their conclusions in a systematic and reliable fashion. This part gives it away: "Research period: 2026-03-11 to present." This individual dropped his investigative report two days after beginning research!
Yes, AI is an incredibly good research assistant and can help speed up the tasks of finding sources and indexing sources. The person behind this investigation has not actually done their due diligence to grok and analyze this data on their own, and therefore I can't trust that the AI analysis isn't poisoned by the prompter's implicit biases.
I know most of this affects only the US, but I'm wondering where this will go in the EU if the Age Verification Tech goes ahead in America. There's been lots of efforts to increase surveillance disguised as protection for kids in the EU and UK.
The Swiss implementation of eID may be a hint that governments may/will take the responsibility to implement and maintain the tech, but the multiple intrusions and lobbying by Palantir and friends in the EU give me the ick.
Apparently most of the “original” report was done by Claude (https://news.ycombinator.com/item?id=47366804). And now paraphrased on various ad-space (and in this case affiliate link) sellers, probably also by Claude. Claude is the only real journalist here.
Personally I’d rather not see reposts of posts this recent, especially LLM posts.
These discussions remind me so much of the US discussions about federal ID documents as verification.
There's a vocal portion of people who oppose any solution because "privacy, government overreach, surveillance ...". So instead of a solution like e.g. zero-proof age verification, that tries to minimize intrusions on privacy, the result is the worst of all worlds, maximum surveillance (but I guess it's ok if it is not the federal government, but Meta), with minimum utility. Just look at the freaking mess that is trying to prove your identity in the US.
Does this surprise anyone? Just over a decade ago there was a whistleblower who said the government was spying on its own citizens. The president and half the country called him a traitor. The only way to stop this from happening is for half the country to refuse to buy any tech that implements OS age verification. That includes working any job that also requires the use of that tech (basically all jobs). The only thing that talks is money, and when half your workforce is not working (or buying anything because they aren't working) then things will get changed real quick. But most people don't want to do that because no one is willing to suffer short term for long term gains. The govt and 1% know this; that's why they increment it slowly over time with generic causes like "save the children".
These bills also need to be opposed on a legal/political level.
Something I realized last night is that people who lie about their age to send false signals may inadvertently open themselves up to CFAA liability (a felony). So this is a serious matter for users who want to maintain anonymity.
The question I keep coming back to regarding the recent debate around age verification is "Why now?"
I'm 47, and I started using the internet in my early teens through BBS gateways. I've seen every age of the Internet, and there's always been widely available pornographic materials. Why all of a sudden is this a crisis?
Age verification is merely the background task to set up infrastructure for OS to provide many many other signals about who's using the device.
Age signals from the OS? Need to provide a channel of information available to applications. Applications already talk to servers with unchecked commonality.
Biometric data? Today it unlocks your private key. Tomorrow it's used to verify you are the same person that was used during sign-up -- the same that was "age-verified".
Next year, the application needs to "double-check" your identity. That missile that's coming to you? Definitely not AI-controlled, definitely not coming to destroy the "verified" person who posted a threatening comment about the AI system's god complex. Nope, it's coming to deliver freedom verification.
Did Meta spend around 60Mn lobbying for age verification to be forcibly added to every OS install?
If not, who has been paying to lobby for these age verification laws?
That seems a question that we should have an answer to.
Forcing an age check upon Linux install seems anti-competitive, and a violation of freedom of speech allowed by the Constitution.
Also impractical and ineffective, unless they plan on some sort of biometric confirmation of age.
Will they outlaw computation itself, or constrain a personal quota so that only corporations can access approved LLMs and certainly not run a local AGI?
As with the insane "encryption is a weapon and can't be exported" policy of the 80s, this will surely force innovation to migrate outside the US.
Why can't we handle this the same way we handle knives, guns and chainsaws: require adults to secure the device before letting minors near them? All the devices need is the ability to create limited access profiles. A human adult performs age verification by only providing the minor with credentials to a limited profile. Trying to perform that verification so far away from the minor, after they have got to the last gate, seems like the worst way to do it.
I don’t know why this isn’t a very simple Internet standard. The browsers on devices that have a child lock turned on could send an HTTP header. People who have websites that are adult-only could configure their web server to check for that header and do something appropriate.
That requires cooperation, but since most adult websites don’t want children to be visiting them, cooperation shouldn’t be hard to get. Governments can pass a law and businesses can set a config flag. For uncooperative websites, child-locked devices can check a blacklist.
Then it’s up to parents to make sure their kids only have child-locked devices and for stores to not sell unlocked devices to kids. It’s never going to be perfect, but it doesn’t have to be to change community norms.
What I'm confused about is how the proposed bills would apply to servers.
Like, in general, a software change to add an "age class" attribute to user accounts and a syscall "what's this attribute for the current user account" would satisfy the California bill and that's a relatively minor change (the bad part is the NY bill that allegedly requires technical verification of whatever the user claimed).
The weird issue is how that attribute should be filled for the 'root' or 'www-data' user of a Linux machine I have on the cloud. Or, to put aside open source for that matter, the Administrator account on a Windows Active Directory system.
Because "user accounts" don't necessarily have any mapping (much less a 1-to-1 mapping) to a person; many user accounts are personal but many are not.
> the sponsor of Louisiana's HB-570, publicly confirmed that a Meta lobbyist brought the legislative language directly to her. The bill as drafted required only app stores (Apple, Google) to verify user ages. It did not require social media platforms to do anything.
Thing is, when these “make the websites collect your ID” proposals come up, the overwhelming sentiment here is “this is terrible and we need to do it lower in the stack”. I think the OS is a better place than the website. (Let security conscious folks use a standalone device too if desired.)
The astroturfing stuff is obviously sus, I don’t have a feel for whether this is egregious by the standards of $T companies or just par.
Every single Linux kernel currently operating within the borders of any of these states should turn itself off and refuse to boot until an update is installed after these bills are rolled back.
We should also update all FOSS license terms to explicitly exclude Meta or any affiliates from using any software licensed under them.
1052 comments
> Gotta give it to Zuck.

if "it" is the middle finger, for sure. "terrifying" is a great choice of word for it.
The methodology appears to be LLM driven, and the contextual framing which the conclusions are couched in drives conclusions in a specific direction.
It does not clarify between two readings:
1) Meta is driving Age verification efforts
2) Meta is being opportunistic with age verification efforts to further its own goals
The larger macro picture is that voters globally are tired of Tech firms and want something done about it.
The second macro trend is the inability of governments to handle/control tech, and they are looking for reasons to bring tech to heel.
That context results in a sufficiently different degree of culpability and eventual path to resisting privacy reducing regulations.
I'm 47, and I started using the internet in my early teens through BBS gateways. I've seen every age of the Internet, and there's always been widely available pornographic materials. Why all of a sudden is this a crisis?
Perhaps I'm missing something?
Of course, the EU option of using proper ZK proofs etc sounds way better as portrayed in the OP. But when you actually dig in, doesn’t the EU effectively mandate OS support too, eg https://eudi.dev/1.7.1/architecture-and-reference-framework-..., https://github.com/eu-digital-identity-wallet/eudi-doc-archi... ? Maybe this isn’t set yet but it seems a likely direction at least.