Skip to content(if available)orjump to list(if available)

Users claim Discord's age verification can be tricked with video game characters

Users claim Discord's age verification can be tricked with video game characters

65 comments

·July 26, 2025
Visit

jhgg

    > government passes law that requires companies to age verify users
    > said government provides no way to actually verify a human's age
    > hilarity ensues

2OEH8eoCRo0

Why should the govt provide a way to verify? They should fine companies that violate. Companies will figure it out.

dom96

This really deserves a digital solution. Let me get a government account and generate tokens that websites can ingest to confirm I'm an adult (and other optional details about me).

Having to use passports or poor solutions like face scanning isn't good enough. I guess the reason they don't do this is because they fear the cost, anything governments price up these days seems to be in the billion range. So the politicians who don't understand how cheap it is to build software assume it's way out of their price range.

parsimo2010

When you place all the requirements on a software product like what the government has to, then it’s going to be expensive. Anyone who thinks that the total cost of a privacy protecting, government accredited, widely available, reliable, audited, and domestically produced age verification system isn’t going to be in the hundreds of millions has never actually shipped something comparable.

It is literally illegal to slap a few lines of glue code and say “there’s your age verification, look how cheap it is.” The public would be happy about saving money right up until there’s a massive privacy breach and all the ways you cut corners are exposed.

I don’t know if leaving the standards unspecified is the right thing to do (it’s probably not), but don’t pretend like a government verified solution could ever be cheap when dealing with citizens’ identities.

criley2

I disagree. This is exactly what happened with the initial launch of Healthcare.gov after the Affordable Care Act. The government spent hundreds of millions contracting a large firm that completely botched the site, it couldn't even handle a few hundred users at launch.

Then a small team of highly skilled engineers from Google/Facebook etc were brought in to fix it. They stabilized and relaunched the system in weeks at a fraction of the original cost. It showed that the problem wasn't the complexity or the standards, it was how the project was managed and who was building it.

cedws

That's exactly what pisses me off about it. The government could have at least devised a technical solution to verify the age of people privately. Data breaches happen all the time, do they just not care about the consequences when millions of peoples' porn watching habits are inevitably leaked?

progbits

Because that's their goal. Make you scared about using things that are even legal but private/embarrassing.

Telemakhos

It's a great first step toward making criticism of the government scary. Porn, hate speech, and other "legal but private/embarrassing" speech are the sharp end of the spear. When it's okay to restrict those, it becomes more easier to restrict political opposition.

brogufaw

It’s intentional to give them wiggle room to define truth as needed case by case.

Not saying it’s good or bad. Just that it’s intentional.

Culonavirus

My bank has an API endpoint that (basically) returns your name and age (in this use case). It can return more for signing electronic docs etc. and is basically your digital ID.

https://en.wikipedia.org/wiki/BankID

Need to buy "toys", vape products, alcohol... anything adult online?

There's a 3rd party web app (you rightfully don't trust) as an age check in the shopping cart / user account of any of these adult shops, and this has multiple ways of verifying your age - and one of them is the bank's api, you pick it, your bank's identity sharing page loads, you log in, it shows exactly what information will be shared in a bullet point list, you tap OK, immediately a request like "this app wants to know your age, please verify" pops up in your smart banking app on your phone, you tap ok, fingerprint scan, DONE.

Problem solved. The 3rd party app knows just what it needs to. All of this takes maybe a minute and your personal info is perfectly safe (unless you don't trust your bank at which point you have bigger problems to worry about...)

dfghjk4

Identity shouldn’t be tied to a private institution that requires you to have a bank account to login.

Two of the well-used solutions to identity in the U.S. are login.gov (government-managed) and id.me (private, but used by government). Basically to get setup, at some point you have to have physical presence to get an actual government-approved physical ID, which can still be a barrier to some, but it doesn’t require a bank account.

Just don’t implement your own like Discourse and Tea.app.

W3zzy

This is the way. Belgian banks joined forces years ago to create such a platform for identity verification and private companies can get granular acces when needed and after they are vetted. It's all based on the 2014 eIDAS regulation.

https://en.m.wikipedia.org/wiki/EIDAS

cronin101

As a Brit that relocated to Norway a decade ago, trust me when I say you cannot fathom the lack of organization around identity that the UK (somewhat intentionally) has. (It’s constantly used for political Godwin’s-law fear-mongering)

There is no centralized ID number, the closest is your social security number but this is basically only outbound for PAYE tax and haphazardly correlated to your pension payments in late life.

Everything operates on a “trust system” where you often present paper (!) with whatever address you claim to be living at as proof you are real (e.g. opening bank accounts).

Passport loss is rectified by seeking out “professionals” with government-approved occupations that are not related to you that can vouch you are actually the person you are trying to replace a passport for.

The entire thing is a mess and living in digital-identity-native Europe is a dream come true that you should be extremely thankful for.

W3zzy

Actually, they could release a platform quite easily that only delivers age verification, without anything else.

For example, our id's have a qr on it that contains some basic info. Why not provide a platform for age checks with that qr? Anyway, fuck them. Education goes a lot further than trying to force identity verification on private companies when there is no real life threat in play.

Hamuko

EU is also gonna require companies to verify ages but there's a white label application that EU member states can use.

https://ageverification.dev/

If I've understood it correctly, Pornhub can't see anything except that you've turned 18 (no names, no date of births, nothing) and your local government can't see that you've signed up for Pornhub using the app.

stavros

Yes, this is correct. As I understand it, the server asks the application some questions ("is the user above 18?" "are they a resident of country X?" or whatever), you confirm that you want to share the answer, and the application just gets "yes" or "no" to each question.

hhh

I think the way discords setup works is reasonable. It’s an on-device model that only submits the outcome of the scan to the platform.

I hope they just improve that performance, rather than see this and back out of it entirely and require ID checks.

edm0nd

I think this is the correct way too.

Some of the age verification systems that use digital ids (mDLs) do the same thing but people freak out about how they work because I think they misunderstand the tech.

They system basically asks the mDL via an api call "is this user above the age of 18/21" and the app only responds with a yes or no. It doesn't pass the users fulls details over or anything like that.

MattPalmer1086

Do these systems prevent linkability or allow the use of pseudonyms?

As in, if I repeatedly ask for age verification to the same service, does it know:

1) the identity of the user making the request, and 2) whether repeated requests comes from the same user (even if they don't know who it is?)

rumblefrog

Could you point to the source of the on-device model? Moreso for curiosity.

michaelt

No, but I can tell you that the moment you open the browser console, it stops scanning and marks the scan as failed.

The vendor is https://www.k-id.com in Discord's case

a2128

That just seems like a standard anti-tampering measure, I don't think it necessarily means the model is local or anything

moritonal

The fact another story on the front page is about a User Verification site having a massive leak is pretty relevant (https://news.ycombinator.com/item?id=44684373)

userbinator

Ironic that this comes at a time when AI-generated pictures are getting better and better.

Personally, I will never use Discord and they just gave me another reason not to.

silisili

Maybe I'm old. Well, no, I am relatively old.

Either way, when I see a person or business advertise a Discord link, I immediately think of either as immature.

I miss the days of forums, and wish something like them could thrive again instead of rather private, but importantly ephemeral chats.

michaelt

> I miss the days of forums, and wish something like them could thrive again instead of rather private, but importantly ephemeral chats.

Open source projects have long had ephemeral chats, private to the people in the chat at that moment - it just used to be called IRC.

ekianjo

its seems even more self defeating when its a FOSS project whose only way to connect with the community is a Discord space.

DecoySalamander

If this story reflects poorly on anyone, it's on Britain, not Discord.

dylan604

If it works for video game characters, why not just any random actor? There's going to be plenty of footage available of them in various positions to get around the can't use just one image "security" feature.

ethan_smith

The fundamental issue is that these verification models are trained on datasets containing fictional characters and celebrities, so they're essentially being asked to distinguish between inputs that were part of their own training distribution.

dylan604

Yet TFA shows the character used to beat the verification is a game character based on the likeness of an actor famous for the role he pays the game character is based. So you’re saying what, that the system isn’t aware it was trained on this person, the training isn’t looking that person is known to the training, or the system just doesn’t work as advertised?

nottorp

The one good thing about the stupid age verification is it stimulates thinking outside the box in kids :)

pacifika

Several articles say that Ofcom has said platforms must not host, share, or permit content encouraging the use of VPNs to bypass age checks, adding that parents should be aware of how VPNs can be used to bypass the Act.

makerofthings

All those parents that couldn’t use parental controls to limit what their children see in a browser are not suddenly going to start policing VPNs. This is terrible legislation wrapped in terrible advice.

ndsipa_pomu

That annoys me as the VPN isn't necessarily bypassing the age check, but instead is allowing the person to pretend that they don't live in a country with stupid laws. I mean, Ofcom might as well warn parents about cheap holiday websites that encourage people to bypass the age checks by flying to a sane country.

avodonosov

Who can think submitting biometrics online is in user's interest?

mgaunard

I've seen formerly free content platforms now require a payment of 2 GBP to prove your age.

Ridiculous.

can16358p

Am I the only one who sees website appear for a split second and become completely blank white?

(iOS Safari)

Okay turning off content blockers did the trick. AdGuard was blocking the whole site for some reason.

jimbobthemighty

No - on a chromebook as well

inquirerGeneral

[dead]

pmg101

[flagged]

W3zzy

The banning guns is easier when you control the sales part.

Preventing children from accessing certain websites is not working at all. It also is a cop out. I have children aged 15 and 17. They received their forest smartphone at age 12. The phones were restricted in a certain way and they didn't get unlimited use. We educated them about proper use and at age 15 restrictions were lifted. They allready know how to use VPN's because they're on my paid account. I see it no different from sexual education.

I don't need a government to make a private company collecting my personal identification. The best guardrail against data loss is not collecting any.

DecoySalamander

The idea that some countries have managed to block children from accessing adult content is laughable. But are there countries that have banned guns? A quick Wikipedia check shows that, in 2025, more people were killed in school shootings in Europe than in the U.S.

tmtvl

Which is weird considering there have been over 10 times the amount of school shootings in the U.S. compared to Europe... including an incident where a gun went off in the backpack of a second grader at an elementary school.

Europe: 4 shootings distributed across 4 countries - <https://en.wikipedia.org/wiki/List_of_school_shootings_in_Eu...>

U.S.: 41 shootings across 19 states - <https://en.wikipedia.org/wiki/List_of_school_shootings_in_th...>