Anecdote: I stayed in the Airbnb of an (obviously gay) couple in the South-Eastern very conservative Turkish city of Mersin many years ago.
The absolute joy they had when I showed them how to set up 1.1.1.1 on their Android TV, phones, and laptops… so they could watch unrestricted gay porn in their heavily censored and state-controlled slice of the World Wide Web…
I still get a virtual greeting card from them once in a while.
I just want to mention a few things: Fallback, other DNSs like 1.* and Mullvad's free DNS with more options
# Standard
1.1.1.1
1.0.0.1
2606:4700:4700::1111
2606:4700:4700::1001
# Block Malware
1.1.1.2
1.0.0.2
2606:4700:4700::1112
2606:4700:4700::1002
# Block Malware & Adult Content (not useful for this case)
1.1.1.3
1.0.0.3
2606:4700:4700::1113
2606:4700:4700::1003
You can find Cloudflare information here[0], and remember to make sure you set up DNS over DoT (TLS) or DoH (HTTPS). Especially for them, they will want to have encrypted DNS.
Mullvad also offers *free* DNS[1], which also supports encrypted DNS
# DoH is port 443 and DoT is port 853
# Standard
dns.mullvad.net
194.242.2.2
2a07:e340::2
# Block Trackers
adblock.dns.mullvad.net
194.242.2.3
2a07:e340::3
# Block Trackers + Malware
base.dns.mullvad.net
194.242.2.4
2a07:e340::4
Mullvad also has block for Adult + gambling and social media (so there are 6 total configurations). You don't need the Mullvad VPN to use these.
I should also mention, as this frustrated me a bit, that your browser may implement its own DNS and so just setting these in your router (or pihole) may not completely resolve the issue. In Firefox, go to Settings > Privacy & Security > (scroll all the way down) Enable DNS over HTTPS using > then under either "Increased Protection" or "Max Protection" you can set a DNS resolver (or turn it off). They have defaults for Cloudflare (default!) and NextDNS. While you're there, also check your settings at the top of that page about "Enhanced Tracking Protection"
I am *NOT* a network/security person and would greatly appreciate replies to this comment with additional information. Especially about setting up things like piholes, TVs, browsers, encrypted DNS (especially this!), host files, and so on. Technical forum, so let's get technical and learn ^__^
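Added example, not part of the comment above or any resolver's own code: a minimal DNS-over-TLS lookup in Python that shows what the port 853 setup does on the wire, with certificate and hostname verification left on. The function names and the `example.org` query are assumptions; the resolver IP and hostname are the Mullvad ones listed above.

```python
import socket
import ssl
import struct

DOT_PORT = 853  # DNS-over-TLS port, as noted in the list above


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a DNS query in wire format (qtype 1 = A, 28 = AAAA)."""
    # Flags 0x0100 = recursion desired; one question, no other records.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def frame(message: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(message)) + message


def skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return offset + 2
        offset += 1
        if length == 0:
            return offset
        offset += length


def parse_a_records(msg: bytes) -> list:
    """Extract the IPv4 addresses from the answer section of a response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"resolver returned rcode {flags & 0x000F}")
    offset = 12
    for _ in range(qdcount):
        offset = skip_name(msg, offset) + 4  # skip qtype + qclass
    addresses = []
    for _ in range(ancount):
        offset = skip_name(msg, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack(
            "!HHIH", msg[offset:offset + 10]
        )
        offset += 10
        if rtype == 1 and rdlength == 4:
            addresses.append(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlength
    return addresses


def recv_exact(sock, count: int) -> bytes:
    """Read exactly `count` bytes or fail; TLS reads may return short chunks."""
    buf = b""
    while len(buf) < count:
        chunk = sock.recv(count - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf


def resolve_over_dot(name, resolver_ip, resolver_hostname, timeout=5.0):
    """Send one A query over TLS; fails closed if the certificate is wrong."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((resolver_ip, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=resolver_hostname) as tls:
            tls.sendall(frame(build_query(name)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_a_records(recv_exact(tls, length))


if __name__ == "__main__":
    # Live check against the Mullvad resolver listed above (needs network).
    print(resolve_over_dot("example.org", "194.242.2.2", "dns.mullvad.net"))
```

Running the file directly performs one live lookup against 194.242.2.2. The query name travels inside TLS, but the connection to port 853 still shows an on-path observer which resolver is in use.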
# Default servers
# AdGuard DNS will block ads and trackers.
IPv4:
94.140.14.14
94.140.15.15
IPv6:
2a10:50c0::ad1:ff
2a10:50c0::ad2:ff
# Non-filtering servers
# AdGuard DNS will not block ads, trackers, or any other DNS requests.
IPv4:
94.140.14.140
94.140.14.141
IPv6:
2a10:50c0::1:ff
2a10:50c0::2:ff
# Family protection servers
# AdGuard DNS will block ads, trackers, adult content,
# and enable Safe Search and Safe Mode, where possible.
IPv4:
94.140.14.15
94.140.15.16
IPv6:
2a10:50c0::bad1:ff
2a10:50c0::bad2:ff
Adguard DNS-over-HTTPS (DoH)
# Default server
# AdGuard DNS will block ads and trackers.
https://dns.adguard-dns.com/dns-query
# Non-filtering server
# AdGuard DNS will not block ads, trackers, or any other DNS requests.
https://unfiltered.adguard-dns.com/dns-query
# Family protection server
# AdGuard DNS will block ads, trackers, adult content,
# and enable Safe Search and Safe Mode, where possible.
https://family.adguard-dns.com/dns-query
DNS-over-TLS
# Default server
# AdGuard DNS will block ads and trackers.
tls://dns.adguard-dns.com
# Non-filtering server
# AdGuard DNS will not block ads, trackers, or any other DNS requests.
tls://unfiltered.adguard-dns.com
# Family protection server
# AdGuard DNS will block ads, trackers, adult content,
# and enable Safe Search and Safe Mode, where possible.
tls://family.adguard-dns.com
Reminds me of a... peculiarity in Turkey. Men are required to serve a mandatory term in the military, but are exempt if they're homosexual. However, to prevent this being used as a loophole to evade service, the men in question must prove that they're gay.
This has resulted in the Turkish military having a very large collection of amateur gay porn.
> The system has been undergoing change for the past few years: Lambda Istanbul's lawyer Fırat Söyle stated in 2012 that the rectal examinations, and the photographic evidence of anal intercourse have been dismissed as requirements when they gained worldwide and national media attention.
> "With the picture it was a bit difficult. The face had to be recognizable as well as the penis and the ass. To put all this into a square was a bit complicated. Twice I got cramps because of the position. […] I also got humiliated at the selection, before they announce it [the final diagnosis]. There are about 12 military people, big ones, with uniforms and everything. […] They all looked one by one at the pictures and I had to bring ten pictures, ten different positions there. This is the difficulty of course, but I managed to do it. And at every single picture they looked and compared it with me. I was standing in the middle. And then they asked me questions. For example which positions I like and if I use this position they see regularly. Questions like that." — Irlenkauser, Julian. "Gender Identities and the Turkish Military." Thesis. European University Viadrina / Istanbul Bilgi University, 2012.
> most people would rate non-consensual sex as significantly worse than a non-consensual day job
The argument here is non-consensual. No work is totally consensual, since you need to survive. You accept a life-long inconvenience in exchange for a beautiful house. Can we make sex consensual in exchange for a large enough inconvenience? The response lies in an experiment: Propose a menial job to prostitutes. Even at the same rate, most prefer their occupation. Therefore it’s consensual.
A funny quirk about non-consensual work is that the 1930’s ILO convention against slavery and forced work… excluded able-bodied men in age of working (article 11). Which kind of defeats the purpose of the convention.
This article was only abolished in 1957.
But compulsory military service still exists in probably half of the world countries.
My position is that the requirement was humiliating (a sibling comment says this has been discontinued, which is all to the good) and there's nothing consensual about mandatory military service. This was all explained to me in a verbal conversation, so I could be wrong about this part, but homosexuals didn't have to skip their military service, however many wanted to because they would be punished if caught in the act, so to speak. That makes deciding whether or not to submit photographic evidence into a pretty hard decision, but again, the nonconsensual part is being forced to serve in the military in the first place.
I would also guess that the number of men who submitted to anal intercourse on camera with someone they wouldn't normally have sex with is approximately zero, so it qualifies as consensual in the ordinary sense. I'm not sure calling the result "amateur gay porn" is the ideal way to put it, but it is in fact all of amateur, pornographic, and gay.
The Overton window has shifted such that two adults agreeing to engage in sexual activity in front of a camera can be in any way considered “non-consensual”? Wild.
Do you think adult actors agreeing to engage in sexual activity in front of a camera, but only because they have chosen to do that for a living when other viable employment alternatives were available, is also “non-consensual”?
Consensual means without coercion and being of sound mind.
Let's put it this way, do you consider a quid-pro-quo scenario where a boss will promote or give a raise to a female employee if she has sex with him "consensual?" Obviously this is arguable in both directions (as we could say that this is a contract between two adults, but then again, prostitution is illegal). What about if we change this to "Have sex with your boss or be fired?" The latter case is less ambiguous, but both cases would generally be considered non-consensual in Western legal systems and has been that way for quite some time. This is nothing new...
If you understand the above but fail to think "You *must* enter the military service, for 3 years, and are likely to go to combat and have a high risk of being killed or seriously injured (physically or even more likely mentally), or you can go to jail, OR put your dick in some guy's ass" I think you can understand how that constitutes significant coercion. If you are unable to understand this, I am here to inform you that you are overfit and not robust to general problems.
> What about if we change this to "Have sex with your boss or be fired?"
Definite coercion as stated.
But if the boss is already set on firing everyone in the department, but lets one or two people stay on if they have sex with him, I consider that to be a roundabout method of quid-pro-quo prostitution. Plus embezzlement. There's no retaliation if they say no, they go home like everyone else.
And the military example is similar, there's no retaliation, most men are doing the service. The offer of an alternate option, one that very few take, is not the problem here.
> But if the boss is already set on firing everyone in the department, but lets one or two people stay on if they have sex with him
But we'd still call this coercion. The "dual" of this is "have sex with me or be fired." Just because not everyone gets to have that opportunity does not mean it is not the same question stated differently.
> And the military example is similar, there's no retaliation, most men are doing the service.
There is retaliation, it's called jail.
Just because others are doing it doesn't make it any less of a coercion. This scales too.
> Just because not everyone gets to have that opportunity does not mean it is not the same question stated differently.
To me, it matters significantly if refusing is retaliated against or is neutral.
If having sex with the boss is the difference between 0 firings and 1 firing, that's retaliation. If it's the difference between 95% fired and 100% fired, that's not retaliation.
Also we can say everyone gets the offer if that matters.
-
The other "dual" of this is a version where some employees have already been offered money for sex, but by a completely unrelated party. So if they want they can go take that offer now that they have more free time and only so much severance pay. (Also I am assuming they can get a new job easily enough; there are no destitution-based consent problems in this hypothetical.)
Does consent hinge on who is making the offer?
> There is retaliation, it's called jail.
You misunderstand me. There is no retaliation for not doing the gay sex thing. The default expectation is that you won't do it.
Retaliation for refusing to serve in the military is a different matter. And also why I think the mandatory service is where the actual consent issues are.
Am I understanding your position right?
If you have 10 employees and say to 1 of them "have sex with me or you're fired" - that's coercion.
If you have 10 employees and say to each of them (separately) "have sex with me or you're fired" - also coercion.
If you have 10 employees and say to 5 "have sex with me or you're fired" and to the other 5 just "you're fired" - suddenly no longer coercion?
At its core, it's about whether you're trying to pressure them into sex with you.
I should have specifically said everyone gets the offer, to keep it simple. If the expectation is that basically everyone refuses, then it's not very different from walking around town and telling random people you'll hire them if they have sex with you. Which is just prostitution, not coercion.
Whether someone feels pressured is a difficult communication problem. It's hard to reduce to a simple thought experiment.
Another aspect is the prevalence of bullying against gays, once pictures are taken. If gays are sometimes killed even in France (Lyon, 2015), it’s worth wondering whether you want photos of yourself at 18, in a country that could evolve both ways for the rest of your life.
The violence was not "already there." The violence is generated by the men who are not at risk of going to war.
There's an old saying about two people of different nationalities:
The difference between you and me is smaller than the difference between us and our respective leaders.
Leaders must convince the public that some person in a far away land hates them and is coming to kill them, because otherwise no one gives a fuck. Because frankly, no one is going to come into contact with another. Normal people are not the ones going to invade other countries and claim territory.
> your fate is the same as if you had never been asked.
This is absolutely not true and is literally the entire reason people go to great lengths to do it. Not understanding this is probably why you're not understanding the rest. I'm not sure how you don't get it because if you're gay you're not going to military service and you're not going to jail. If you're not gay (or not faking) your choice is military service or jail. That's not "the same" no matter how you put it.
The leaders do bad things whether or not a few gay people join or get exemptions. Why are you not convinced of that?
> This is absolutely not true and is literally the entire reason people go to great lengths to do it.
I said if you don't take the gay option, your fate is the same as if you had never been asked. You do military service or go to jail, like everyone else.
You're talking about taking it. Of course it's different if you take it.
When I said "otherwise nothing changes", what did you think I meant?
I thought it was reasonably clear I was talking about how this gay exemption plays out, not the entire world of possibilities.
And for the line that says "your fate is the same", I made that very direct and explicit and you somehow skipped half of the sentence to interpret it in an entirely different way. That one is definitely not my fault.
> The absolute joy they had when I showed them how to set up 1.1.1.1 on their Android TV, phones, and laptops… so they could watch unrestricted gay porn in their heavily censored and state-controlled slice of the World Wide Web…
I'd be very careful giving security advice to someone in that situation - in fact, I probably wouldn't do it, even though I am an experienced professional who knows more than most people in IT.
Think about accuracy, which is correctness, completeness, and consistency:
Giving security advice to buddies trying to watch out-of-country sporting events has a much different accuracy requirement than advice for someone whose liberty, life, or pursuit of happiness (assets) are at stake. If your advice is incorrect, incomplete (you don't know or account for the entire picture), or inconsistent (different pieces of your advice don't line up) - these people don't miss their favorite team, they might go to jail, get tortured, lose their children, their careers, etc.
When I give professional security advice, I spend a lot of time on it. I make sure I know the whole picture, my advice is correct - rechecking old understandings, testing and retesting, etc. - and it's consistent. These people are trusting me. And then if I'm not sure of those things, I find someone who knows better than I do. I don't have time to do that at the Airbnb.
In this case, it seems to risk incorrectness and incompleteness: It may be incorrect because setting up DNS lookups so there are no leaks is tricky - I'm not even sure how to do it reliably. For example, some apps and OSes have DNS servers hardcoded; IME some just bypass your configuration (maybe the dev just didn't care to integrate with the system DNS settings); IIRC some have hardcoded fallbacks; sometimes the client overrides your config with the local gateway or the servers it supplies; also, DNS has a complex federated infrastructure. (My first stab at secure DNS is a secure VPN that doesn't leak - that seems much easier).
It's incomplete: the authorities might not see the DNS lookups but they will clearly see the IPs that the user accesses, including those of the porn websites.
These people are trusting you and you told them they could safely look at porn. Yikes, I would not want that responsibility without some serious work.
You clearly have no idea about Turkey and the situation. Watching porn isn't persecuted. The conservative government just forced ISPs to ban them from their DNS. It was always available by using Google DNS and the whole country does this for like 15-20 years now.
I specifically said I don't know; that's one reason I would be very careful. Notice that your response is to assume complete and correct knowledge of your own.
I do know that being LGBTQ+ is persecuted in many places, even in the US; I know what is overlooked now can be persecuted later, even many years later; I know that in most places Internet usage is recorded and is used to build detailed profiles of users, and that those records are retained indefinitely.
Configuring 1.1.1.1 is a great option for people outside the US whose countries are unable to pressure Cloudflare for information. A better option for those of us in the US is to run our own DNS resolvers. My DNS resolver runs on a little PFSense box that also has DNS blocking and a ton of other features.
Let's be realistic. Porn, the subject of this discussion, is not illegal in the US; this is about age verification laws that apply to the website operators, who then self-block users from particular states. No one is going after Cloudflare for this information as there is no crime committed by the user.
Given Cloudflare's logging policy (https://developers.cloudflare.com/1.1.1.1/privacy/public-dns...) and data disclosure practices, the only way US authorities would get anything worthwhile is if they had a specific individual target and a valid legal process. Cloudflare, like most of the big tech companies, is actually very good on this front; they have robust processes and are transparent (https://cf-assets.www.cloudflare.com/slt3lc6tev37/Q1INAiyBub...) about the limited cases in which they do hand over any user data.
(I don't work at Cloudflare, but do work on these issues for another big US tech company.)
I don't think this subthread is about the US, but just as a sidenote on the US, Project 2025 directly calls for porn to be made illegal and for attacking Internet providers and companies like Cloudflare that enable its access (https://static.project2025.org/2025_MandateForLeadership_FOR...):
> Pornography, manifested today in the omnipresent propagation of transgender ideology and sexualization of children, for instance, is not a political Gordian knot inextricably binding up disparate claims about free speech, property rights, sexual liberation, and child welfare. It has no claim to First Amendment protection. Its purveyors are child predators and misogynistic exploiters of women. Their product is as addictive as any illicit drug and as psychologically destructive as any crime. Pornography should be outlawed. The people who produce and distribute it should be imprisoned. Educators and public librarians who purvey it should be classed as registered sex offenders. And telecommunications and technology firms that facilitate its spread should be shuttered.
Even in a Conservative-majority court this kind of ban would likely be ruled unconstitutional very quickly, but we should be clear when talking about this kind of thing where it is that a substantial number of Conservative foundations would like to go (https://www.project2025.org/about/advisory-board/). There is a non-trivial Conservative movement to ban porn.
Let’s be realistic - this is not about age verification but about restricting people from their rights to view a particular type of content because of how one religion feels about it. The age verification is just the smoke screen the Republicans use to take away your freedoms.
SNI header from TLS handshake is unencrypted so service providers (and Government's packet inspection engines) absolutely do see what website you are visiting
Server Name Indication payload is not encrypted, thus the hostname of the server the client tries to connect to is visible to a passive eavesdropper. This protocol weakness was exploited by security software for network filtering and monitoring[4][5][6] and governments to implement censorship.[7] Presently, there are multiple technologies attempting to hide Server Name Indication.
Also some countries may mandate users to install and trust government's CA certificate which is then used to MITM HTTPS traffic
But the SNI hostname will only include everything left of the TLD. So that is the TLD, the domain name, and the subdomain. It excludes the rest of the URL.
If you have installed a root cert to allow the government to MITM, then there isn't really anything you can do...
SNI is enough to classify traffic for enforcement purposes.
Don't forget that if certain SNI is detected, your ISP/government may try to force downgrade TLS or replace server-hello with their own cert - meaning you will need to install government certificate to browse certain websites and 99% of users will do that to get access
Well, in some parts of the world the lie may be "I was watching 100% straight heterosexual porn, no homo". So a DNS lookup to pornhub.com does not reveal the lie.
Supposing this was 100% accurate, I'm sure that you could understand that going to pornhub.com or definitelynotgayporn.net would arouse suspicion in a government that is banning such behavior and could cause a person to be under higher scrutiny. So even if you're right that the DNS bypass isn't what would technically get them in trouble, I think you can understand the motivation to encrypt your DNS traffic to ensure that you don't get a target painted on your back. And given this, I hope how you can understand that your comment does very little to contribute to the actual conversation and can even potentially mislead others. A lot of communication is implicit (otherwise it'd be incredibly cumbersome)
> going to pornhub.com or definitelynotgayporn.net would arouse suspicion in a government that is banning such behavior
DNS blocking doesn't mean adults are banned from visiting porn sites. You start by contradicting your initial concession of assuming this is 100% accurate.
> and could cause a person to be under higher scrutiny. So even if you're right that the DNS bypass isn't what would technically get them in trouble, I think you can understand the motivation to encrypt your DNS traffic to ensure that you don't get a target painted on your back.
This is a prime example of Fear and uncertainty.
> And given this, I hope how you can understand that your comment does very little to contribute to the actual conversation and can even potentially mislead others. A lot of communication is implicit (otherwise it'd be incredibly cumbersome)
And this is doubt. Never fails to accompany the other two.
It didn't go well as you might imagine. ERs, research institutes and several government facilities responded with cordial letters about the court's mental state. Then it was unblocked.
The reason they get to keep the porn bans is because it isn't enforced upon adults, and it does serve as a thin layer of protection against minors.
isn't 1.1.1.1 of limited utility from this perspective? The ISP can still see the IP address, and I know more than one IP address can map to a single domain, but you're still leaking information that would allow one's adversaries to guess at one's intent.
Friendly reminder that all ISPs in the UK are required to store your entire browsing history for a full year, and 17 government agencies, including the Department of Agriculture, can access it without a warrant. Snoopers Act has been passed and lives on for years now, and I'm yet to meet a person who is even slightly bothered by it.
> Don’t all ISPs have retention notices? Probably not (for the reasons above), but this is not public information, and ISPs and others subject to retention notices face statutory prohibitions on disclosure.
> If all Internet access providers were subject to retention notices, wouldn’t it be easier to say that? There would be no need to dance around issues of secrecy, or explain why the list of notice recipients cannot be published. The fact that the Home Office chooses to take this approach undermines the claim that all providers have notices.
This source appears to be engaging in wishful thinking.
The people at my isp insist they don’t store anything other than bandwidth use (which is exposed to me so I know that already)
I don’t keep much data at work for that long
If it is a thing it’s either a massive conspiracy across thousands of network engineers or you could point to some technical details on how it’s implemented.
It's not a conspiracy, they just can't say by law. Did you expect them to tell you if they have an order from the Home Office telling them to not divulge this information under the threat of massive fines and jail time?
Thousands of people, including a few friends and dozens of acquaintances, including those who have retired, emigrated, and changed citizenship, are all successfully keeping silent about this.
I’ve noticed Americans get some… extremely weird and biased reporting about free speech in the UK. Extreme outlier cases like that Count Dankula guy get reported as the norm.
Some people are reaching really wrong conclusions from this post, so a couple of pointers
1. Gay porn is not specifically blocked in Turkey, porn is; so gay porn watchers would be mostly indistinguishable from any porn watchers via their evasion techniques
2. Not that it matters as you are free to be gay in Turkey
3. Not that it matters again, because access to blocked content is never prosecuted. No one ever receives letters from their ISP even for pirating
4. Calling the internet state controlled is a bit far imo, smaller ISPs don’t even apply some blocks and comparatively USDoJ can do domain seizures which is not too different from what happens there (websites being blocked via court orders and “administrative preventative measures”). Although I’d agree that the line for blocking is drawn too close.
5. I also wouldn’t call Mersin very conservative, the left CHP just won the municipal election with ~60% of the votes
One last thing, ISPs have moved on to using DPI to block websites so you might wanna suggest something like green-tunnel so they can up their game.
I had just contacted hn support to de-associate my posts from my username so I’d feel guilty about posting with my regular account again. Now it’s only posting with throwaways that I don’t even keep track of the passwords of (hence a new username now).
Everything is not ok in Turkey, there’s lots and lots of stuff that needs to be fixed re: gay rights and acceptance in general public plus millions more of other things which led me to leave the country; but having to hide gay porn habits from the government/my isp was not one of them. Again, it’s not Iran or Russia.
Back in my day, it was about obscure web proxies. I remember one that was called something like abelincolnfacts.com, which looked like a blog about Lincoln. But clicking an icon of his face in the top right revealed a web proxy interface to browse the web unfettered.
Though, circumvention of these things isn’t always even that involved, depending on the competency of IT.
At the religious private high school I attended, all it took to make a student a “hacker” was popping open Internet Options on the computer lab’s XP boxes and disabling the proxy they were using. Had to sneakily do this sometimes not to view blocked stuff, but to just have a working internet connection to complete assignments with because the proxy service was provided by some terribly run local company that must’ve been three Staples special Celeron Compaq Presarios and a Linksys router in a shack somewhere, because they were constantly having outages.
I've had a very cheap provider in the US for years that has unlimited tethering/hotspot, and unlimited everything else.
I've "only" ever used it for as much as 1 or 2TB in a month, though -- which is a ton for most individuals. (And only occasionally. It Isn't my primary connection, but sometimes it is a very useful connection.)
(They do attempt to throttle it, but that's been solvable for me with just a TTL hack on a client/router or a PDANet fix on my particular devices.)
Yes, but it's quite unfortunate in that you cannot do what you want with the data you pay for. Even on a plan which is not unlimited, which I buy when visiting the USA, I cannot even use the x GB I purchase without restriction.
I should not need to resort to TTL "unsupported hacks", which they also say the company will ban me for.
Eh? What I pay for with my cheap-shit cellular connectivity is to use as much data as I wish, either on the phone itself and/or for exactly 1 hotspot-connected device, at speeds of up to 5Mbps for that singular hotspot-connected device. I can stay within the operating parameters of the service I signed up for by using up to 5Mbps with hotspot (along with literally-unlimited[1] bandwidth on the phone itself) all of the time, 24/7.
I absolutely do get what I pay for, and I absolutely do what I want with it, and let me tell you: I am not paying very much. I have nothing to complain about here.
But I am not alone when I occasionally extend that to more than one device (using a router), and/or using TTL mangling to negate the 5Mbps limit. I've never witnessed anyone being banned for this (and I've paid close-enough attention to the noises people make that if banning were a common thing, I'd have seen the screaming at least one time by now).
Indeed, some people (in some areas, with some devices) don't seem to have either 5Mbps nor 1-device limits on their phone's built-in hotspot -- without any hacks at all.
And while I have used it (and hacks to improve it) rather extensively at various times and for various reasons, I don't typically use it as a primary Internet connection at home:
While my (also inexpensive) DOCSIS connectivity at home is often slower than what my phone can provide on a given day, I prefer the stability and consistent latency of DOCSIS compared to using my phone's hotspot, and I like having my home LAN always-connected regardless of whether I am at home or not, and also I enjoy having my phone's battery last for days instead of hours between charges (wifi hotspot is a huge battery suck on a phone).
In terms of visiting the States: I don't know what to tell you. I've lived here my whole life so I don't ever travel to the US, but this service is not really intended for visitors. It can probably be made to happen with the help of a friend who does live here, but I don't think anyone but you was ever trying to address any issues of visiting the US here in these threads.
Is there a particular aspect about that concept that you'd like to more-thoroughly address?
I can answer questions.
[1]: Everything has limits, and bandwidth cannot ever be infinite, so "unlimited" is with a grain of salt.
Huh. It's interesting that tethering restrictions are implemented via your device, i.e. the device you paid for working against you. Most Android custom ROMs bypass this, and tethering is always enabled regardless of whether your telecom wants you or not.
My $15/mo plan in the US can pull hundreds of megabits at 20ms latency to most sites tethered. Tethering is baked into most phone plans and from my experiences not throttled any more than the regular phone data. Most plans have it, even the cheap prepaid options.
Tethering is free on my US T-Mobile account. I use it instead of crappy hotel Internet connections. Performance very much depends on your location, as the network is often shaky outside of cities.
I discovered my Turkish ISP is actually capable of relaying me anything that isn’t Instagram, Facebook, Netflix, Google or YouTube traffic reliably once I started using WireGuard VPN with a cheap DigitalOcean VPS.
Unless your phone is rooted, TTL mangling happens on the hotspot-using client devices.
Specific details depend on what that client device uses for an operating system, and this makes it impossible to neatly summarize.
But it can be done fairly easily with things like OpenWRT or Mikrotik's RouterOS, or a regular stand-alone Linux box, and IIRC it's a simple one-liner on a Windows machine.
Because it can't be easily summarized, Google is your friend here. Generally, you want the TTL of all packets leaving the client (router, tablet, laptop, or whatever) to be set to 65 -- which is one more than the Android default of 64.
That's all the information you need to know to Google up instructions that work with your particular devices.
(I may or may not keep a Mikrotik-based hotspot-abuser in my work truck as a problem solver.)
Ok that does seem more viable than mangling it on the average Android phone. Unless of course you're tethering another smartphone by sharing the wifi hotspot, which in my personal experience is a common use case.
Yeah, rootless smartphone-to-smartphone (or tablet) is a harder problem to solve without an intermediary device.
But! That intermediary device could be something like a Raspberry Pi Zero.
It isn't "low power" by the strictest definitions, but it is also not particularly expensive power-wise -- it can be powered with USB OTG from a smartphone from the past decade or so. And it is very small, which also counts.
It can obviously run a real Linux distro (or just parts of one), but can also run OpenWRT -- which by nature tends to tolerate intermittent power very well.
It's theoretical, but (again in theory): A Zero W running OpenWRT might be a relatively simple path for a portable hotspot abuser.
First, dump OpenWRT onto an SD card, plug it in and get in there with a browser -- however that is done.
Second: Create an interface or two for getting hotspot data into it: Maybe one of them via wifi, and another via USB tethering from the connected phone.
Third: Test. At least the Pi itself should have Internet connectivity by this point.
Fourth: Set it up as a wifi access point (I think that chipset can do both at once in OpenWRT), and get NAT going.
Fifth: Utter the well-documented incantations for mangling TTL on all of the hotspot interfaces.
Sixth: Wrap it in nice 3M Super 33+ electrical tape for posterity and a minimum of protection for those tiny SMD parts.
Seventh: ???
Eighth: Profit!!! Or, better: Push the resulting SD card image to the usual places, with correct attribution and license compliance, so that others can benefit more-easily.
Seems doable. To use, just power it on/plug it in, and turn tethering/hotspot on with the donor phone. And then connect other phones to the WiFi AP provided by the Pi.
It'll eat phone batteries pretty quick, but it might last long enough to get someone else out of a jam. (It'll also work well on a portable power bank, and those are also cheap.)
Maybe it's also a generational thing. In the 90s, I remember running my own squid proxy on a remote shared box somewhere, in order to circumvent "things."
Granted, today, if it was just getting around general network restrictions via blacklist, then tethering is very convenient.
Highly recommend Whatbox.ca - I run a “pirate netflix” for all my family and friends off one cheap VPS. It also provides me with a more censorship-resistant VPN than most usual VPN providers. Many VPN services were blocked in GCC countries but not my private whatbox server VPN.
iirc ihostart actually host their servers in their basement, which is bad for reliability but perfectly fine for this use case. The operator also claimed to be 18 years old, not sure if it's true but if it is I applaud their entrepreneurial spirit at such a young age.
I tried AlphaVPS and another and I had no luck with the traffic routing out of the VPS. Went with a droplet in DigitalOcean in the end that's managed through Portainer. Works a treat and equivalently cheap.
Hm, I don't know if Mullvad uses shielded VMs for their infra. I guess it would be neat, but I'm more talking about privacy-oriented generic-hosting providers that provided shielded VMs.
Maybe it's just where my head is at, but I look at something like the GP's post and go "cool!" and then realize that such a property would be a prime example of a honeypot. Do I think there are individuals interested in offering low-margin "privacy" VPS services that accept crypto? Yes. But also, I suspect there's plenty of intelligence outfits that would spin up such a project as a fun side project to spy on guest VMs. :| Unbounded money goes a long way. And while I like to cosplay paranoia, I just have to assume that clients of such services are seeking anonymity for Reasons.
Shielded VMs + monero payments would at least move the bar up to "you need to be a target worth leaning on AMD/Intel for shielded-vm compromise".
Granted, I think you could also create infra architecture that allows you to treat these as cannon fodder, but I digress.
If vpns become positioned primarily about accessing porn, well I look forward to the day people acknowledge tls exists and we stop seeing misleading advertisements with the various claims everyone on a network can see the contents of your online banking.
I've already seen a shift in the ads from "hide your banking details from hackers" to more "hide your country from Netflix". I can't prove causation, but it did seem to date from when Tom Scott did his "Honest VPN ad" video.
Surely it's overkill to pay for a whole month of constant vpn use. You could cook something up that provides access for a short session aaand we've circled back to dialers.
It's <$5 per month. The economics start to be more about the general cost of managing transactions, accounts, and customer service than about paying for how much VPN you actually use.
4 or 8tb storage isn’t even that much these days. You could torrent thousands of gb of porn and just store it until later. Heck if you lived somewhere that was getting really stupid and cracking down you could even sell cheap dvds with porn in a weird black market. The world gets dumber by the day
“democratic governments collapsing back into autocracies”
I feel this statement in my bones.
We have one side making all the laws, the other side doing away with laws, both of them acting solely for political points.
No one in the middle is “radical” enough (by definition) to push back. Hard to see how that doesn’t end in major conflict with a single winner, as you say.
Porn also doesn't give you cancer. It's pretty transparent that the restrictions on it originate from hyper-religiosity and conservatism, rather than some genuine concern about public health.
It is a canary in the coal mine litmus test for if you live in a free society or not.
It is absolutely a liberating force.
It's uniquely liberating right now since over half of all free/open sourced AI models have an NSFW or unaligned focus (nearly the majority in the diffusion model world).
Without the power of Waifus/booru websites run by hentai aficionados, a solid amount of the generative AI revolution in the context of text to image models simply would not have happened.
Liberating force is a bit too far but it’s not the demon people seem to think. It’s about all things in moderation. Porn = dopamine. Fast food = sugars/fructose and the ilk. SM = dopamine. Loot boxes = dopamine. Ad nauseam…
Just like other addictive things (sugar, caffeine, video games, gambling), the "socially approved amount" is determined by a given individual's own limits on what they can consume while remaining a functioning member of society.
Somewhere in between not talking about it with your mom and dad but chopping it up with a friend briefly about whatever models is so attractive and had a great scene on whatever website
Right, but also porn is often a commercial engine for tech innovation (even if indirectly, as in this case), which in turn can be leveraged as a liberating force.
How very Christian. We're all "slaves to sin" and "idols" where "sin and idols" just means "anything people like doing", because it's hard to stop doing something you like.
How very droll and condescending of you. The Golden Rule is to treat others how you'd like to be treated, so I can assume you want to be treated in a droll and condescending manner in turn, so allow me to oblige:
A: What is sin?
B: Anything that destroys and leads to misery.
A: Do X or Y actually destroy or lead to misery, or is it moral panic, pseudoscience, misery more caused by socially enforced guilt caused by the belief that X or Y is bad, some combination of the above?
[B and A engage in an interminable discussion, and eventually B's Heritage Foundation links are exhausted]
A: it doesn't seem clear that any of these things "destroy" anything, or inherently cause misery.
B: Well X or Y must be bad, because they're sin, so they seem gross and bad to me. There must be hidden detriments that scientists are unwilling to admit, or just haven't gotten around to proving yet. Just wait, when you grow up you'll think just like me.
I think we can split hairs and nitpick this a lot but... Nowadays the most common setup is that you join a VPN (a very isolated one), and you use it for the same purpose as you would a proxy. But from your machine's point of view, you're using a separate network for your default gateway. Using a proxy is usually more involved, and you can configure it in your application. In fact, you can do both and sometimes it makes sense (like using tor socks proxy over vpn).
I think the distinction should be that if a private IP address is allocated for you, and hence this "tunnel" is forwarding layer3 packets or lower, then it's called a VPN. A proxy would not forward IP packets directly, but something at layer4 or higher.
No, they are VPNs. They also include proxies in the same bundle, and sometimes it is easier to just use proxies rather than install an entire VPN client on your machines, but VPN (powered by Wireguard or OpenVPN) is what they are selling.
(Tailscalar here) I identified a big chunk of the background drain on iPhone recently, and so drain just for being on in the background is much reduced now. There’s still more to do, and we still end up with accounting for dns if you force dns via us, but things are much improved.
Fantastic news on that battery work. (Also the third party app beta!)
Our iOS users also report random delays turning it on, sometimes half a minute to connect. Sometimes full restarts are needed before connect.
And random ask -- could you enable a toggle for video conferencing to stay outside the tailnet? Teams, Zoom, WebEx, etc... You'd have to take on maintaining the IP lists, so users didn't have to. (This can be done today with features you have, but most users and even IT admins don't realize that.)
After mullvad disabled port forwarding, I switched to AirVPN and it works fine. I trust it slightly less than Mullvad but I'm avoiding copyright trolls, not three letter agencies.
Not to sound snarky, because this is a genuine question, but what does that even mean? Unless you’ve been brazenly selling child porn over the VPN and been getting away with it for years, I don’t really know how you would establish a VPN is trustworthy vs you just haven’t been targeted for your minor torrenting, or whatever.
Well, it's been operating for a while now without any major outages, no issues with torrents, exposes way more "techie" features than any other VPN I've used (customizable port forwarding, dynamic dns and customizable subdomain names on those ports, different device profiles, customizable dns filtering lists, all sorts of stat graphs for their various nodes, script generators for openvpn which allow choosing all sorts of protocol related details) works fine for bypassing region locks on the obscure music sites I care about and they've been completely fine with an anonymous Monero payment (well, as anonymous as you can be to what is effectively your ISP).
They have a good record of responding to various restrictive legislation around the world (eg pulling out of Italy after they passed an overly broad 'anti-piracy' law) and also haven't had any open scandals. That's about as good as I can really expect considering that I'm mostly just not interested in my local ISP knowing what I'm up to, and am not doing anything hugely illegal or pirating at a large scale.
For reference, the VPN I used before then offered no real controls besides a limited country selection and a randomly assigned port forward. It was bought up by a company owned by a guy known for running scams, after which I switched out. Now having seen all the customization I was missing out on, I can't really go back to a simpler VPN.
I wish they had just disabled TCP port forwarding. Based on the description of bad actors it sounds like that would have been enough, and at least torrent clients would have continued to work.
I use a VPN for bypassing blocks created either by the government of the country I currently live in or established as sanctions by other governments.
I set up wireguard and unbound on a VPS in Amsterdam and share it with 10-15 people by posting the wireguard config in a private telegram channel.
Ironically enough, I block porn access using StevenBlack hosts converted into Unbound config by an awk script, so porhhub dot com will return a REFUSE dns response from unbound.
I know, that is not an impressive idea of how to utilize the computing power of the VPS, but I also used it for running tor snowflake (disabled because of eating too much ram), running tor obfs4_proxy (would also eat much ram, but that can be adjusted, I don't remember clearly why I disabled it at one point) and I used it as a server for Postgres that I tried to use for uni's coursework on databases.
Maybe I am too lazy to set up tools like zapret for bypassing deep packet inspection locally on my laptop or on router.
But still there should be a ton of things that can be done on the same vps.
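The hosts-to-Unbound conversion described in the comment above, as an added example that is not the commenter's own awk script: it reads a hosts-format blocklist such as StevenBlack's and emits `local-zone ... refuse` lines, accepting only well-formed names so that a malformed feed line cannot inject other directives into the resolver config. The function names and the sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: convert a hosts-format blocklist into Unbound directives.
# The output is meant to be pulled in with "include:" from inside the
# "server:" clause of unbound.conf.

# hosts_to_unbound (hypothetical name): hosts lines on stdin, config on stdout.
hosts_to_unbound() {
    awk '
    BEGIN { skip["localhost.localdomain"] = 1 }
    {
        sub(/\r$/, "")      # tolerate CRLF line endings
        sub(/#.*/, "")      # drop full-line and trailing comments
    }
    # Only sinkhole entries are block rules; real address mappings
    # (for example an intranet host) must not become refused zones.
    $1 != "0.0.0.0" && $1 != "127.0.0.1" { next }
    {
        for (i = 2; i <= NF; i++) {
            d = tolower($i)
            sub(/\.$/, "", d)                   # strip a trailing root dot
            if ((d in skip) || (d in seen)) continue
            # Allow only hostname characters and require a final label that
            # starts with a letter. This rejects "localhost", "0.0.0.0" and
            # anything carrying quotes or other config syntax.
            if (d !~ /^[a-z0-9_-]+(\.[a-z0-9_-]+)*\.[a-z][a-z0-9-]*$/) continue
            seen[d] = 1                          # emit each name once
            printf "local-zone: \"%s.\" refuse\n", d
        }
    }'
}

# Constructed sample input in hosts-file format (not copied from a real list).
sample_hosts() {
    cat <<'EOF'
# Constructed sample blocklist
127.0.0.1 localhost
127.0.0.1 localhost.localdomain
255.255.255.255 broadcasthost
::1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.com
0.0.0.0 Tracker.Example.NET   # trailing comment
0.0.0.0 ads.example.com
0.0.0.0 bad"name.example
0.0.0.0 two.example.org three.example.org
192.0.2.10 intranet.example.com
EOF
}

# Stand-alone demo: print the generated directives for the sample list.
sample_hosts | hosts_to_unbound
```

Unlike a hosts entry, a `local-zone` also covers every name beneath the listed domain. Run `unbound-checkconf` on the resulting configuration before reloading the resolver.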
Presumably GP's fear is that there are a lot of VPN providers, and they all claim to offer security, etc (or if you google for a "$VPN_provider_name review" there'll be dozens of shill sites saying how secure this particular VPN provider is, click here to get a discount using our referral code), so it all feels like shady business.
For bypassing Sharia-state firewalls like Texas', any VPN provider should be good enough, but GP is asking for recommendations for providers who can be trusted to ensure privacy.
If the need is for passively visiting a handful of websites a week, I would recommend tor browsers. Takes a bit of work to learn when to refresh routes, and how to handle websites that block public vpns, but easy to get started with. Pretty good when visiting websites that deal with medical information since tracing data from those are exceptionally valuable to data brokers.
If it is for more regular use or if the occasional slowness/vpn blocking is too much, I would likely pick mullvad but I have not used their services. They do seem to spend some money on pro-privacy activism, so that is at least a point in their favor.
To those skeptical, it’s the only VPN / proxy like service you can use without frequently getting blocked trying to use online banking and stripe merchants. Captchas are less common than with Mullvad too.
It’s not for every use case, but it’s helpful for me.
Note that PIA constantly triggers captchas, even for basic google searches. And not the easy captchas; multi-step "no, you're wrong" ones. Can't speak to the prevalence of this with other services.
I have done some searches for age verifying services to plug into an adult site and not found anything that seemed reasonable (a few in Euroland and one that has contact for pricing, which means it's not affordable).
I am wondering how this can even be implemented with static html pages, I am guessing if a site was php there would be some session id kind of thing that could connect with a third party API..
If anyone wants to build some verify things I see a small side business brewing here, perhaps we should make a couple of things to implement,
even though I think these laws will be thrown out once they hit the supreme court, the tech could be used for other things like sales of age restricted things.
Not to mention those minor diminished sevenths that you've been playing recently. One more half-step towards microtonality, and you'll be looking at time in the slammer ...
I think gambling is a much more destructive force in the world than porn, but I don't think either should be banned. Don't look at it like we have to ban a certain number of things.
one thing i noticed from vpn use recently: using a free vpn actually allows me to watch content otherwise inaccessible due to geo restrictions. this was using a free vpn.
for a second, i was really happy because i thought the office was finally available in my region.
> experts told PopSci platforms also oppose the laws because they don’t want to be responsible for collecting and maintaining torrents of sensitive users’ data that could pose a ripe target for cybercriminals.
Good thing these laws specifically ban them from storing that information that they don't want to store.
The implication here is so strange. Kids generally don't have a way to buy VPN services (I suppose they could mail cash to mullvad), so mission accomplished?
> Some of the anti-porn laws, like the one enacted in Utah, already possess language explicitly prohibiting online platforms from letting minors “change or bypass restrictions on access.”
That's a social media law, not a porn law, and it's about parental controls that the parent set up on an account that's been marked as a child account (so only the parent account can modify controls on the child account: duh!).
Absolutely garbage article. Didn't even link to the actual laws. And people complain that no one will pay for "journalism" like this.
> Good thing these laws specifically ban them from storing that information that they don't want to store.
Well... companies. They don't ban government agencies from retaining that data if they get access to it. But ignore that and assume for a second that they do.
The problem is that the laws kind of contradict themselves: "don't collect information that compromises privacy" and also "do this in a way that basically could only work if you collect information that compromises privacy."
Most of the bills I've read ban companies from saving this data, but require them to collect it presumably in some way that's auditable? They also provide no real mechanisms for guaranteeing that data won't be stored or will be transmitted securely between services. In Louisiana's bill (https://legis.la.gov/legis/ViewDocument.aspx?d=1289498) there is no penalty for retaining data other than that users can sue for "damages". But historically, proving damages from retained data tends to be difficult to do.
Of course the laws do not clarify how age verification is supposed to work under these restrictions, just that documents will be verified somehow: Texas's "example" of age verification explicitly refers to digital identification as information "stored on a digital network" (https://capitol.texas.gov/tlodocs/88R/billtext/pdf/HB01181F....). But sure, also make sure you don't store anything! /s
Presumably this all means that the information should be stored and transmitted until identification is done and then immediately deleted leaving no record of that identification other than that it happened (which hopefully will be sufficient evidence if the government ever accuses you of using a faulty verification method). But eventual deletion doesn't mean the information isn't still getting temporarily stored or that it's not passing between multiple hands, any of which could have rogue employees or leaks, or which could be storing "anonymized" data that turns out to later-on be identifiable.
----
One might argue that since the majority of these laws are proposed and backed by anti-porn organizations, the contradictions might kind of be advantageous to the goals of the backers -- if the law is functionally impossible to comply with and companies are forced to leave the state, well... that's exactly what these groups want anyway. Texas's AG is up-front about being pleased that porn companies are blocking the state. And despite the regular claim that this isn't about restricting porn generally, the vast majority of these bills have ties to religiously conservative groups that have public positions that porn should be banned for everyone.
But that's all beside the point: the point is it's just outright false to say that these laws don't require at least the transmission and collection of this data -- they just tack on "don't store it for too long, delete it afterwards." But that doesn't really mean anything: regular identity transmission over the web carries security and privacy risks even if companies could be trusted to reliably delete this data -- which in many cases, they can't. Advocates of these bills ignore that security researchers have an issue with collection and transmission of sensitive data in addition to storage, and so advocates point to narrow, non-specific language about long-term retention as if that solves all of the issues. It doesn't.
And to the extent that these laws include any real teeth like actual fines for data leakage, they don't really explain how companies can safely avoid those fines while still proving that their users aren't minors. It's a no-win situation.
Note as well, I'm leaving off the accusation I've seen online that this identification would need to be provided per-login/access, because I don't see any language in the bills that would suggest that to me. But of course if that were true, there would be obvious security risks from users providing that information repeatedly as part of regular access.
> (H) a professional creative network for showcasing and discovering artistic content, if the content is required to be non-pornographic;
Notably, general content harmful to minors like gore, hate-speech, etc is included in that exemption. So your creative gallery site doesn't count as social media and isn't subject to these child-restrictions if you allow nazi emblems or violent imagery, it's only a problem if you allow porn.
I will concede on this that conflating the exact language of "change or bypass restrictions on access" is a straightforward misreading of the bill, bad on the article for that. But I think it's being a little coy to act like there's no overlap between Chapter 63 and SB 287. Chapter 63 clearly views pornographic content differently than it views other content that is similarly harmful to minors.
SB 287 includes language that seems (to me) to explicitly protect VPN and network providers from liability, but it is not clear whether that kind of language will continue to appear in future bills: the majority of these bills so far have been largely copy-paste templates of each other, and in other Internet restriction debates states have expressed interest in going after actors that they deem to be "enabling" illegal actions. Notably, the copy-paste template that most states have been using doesn't protect sites that allow VPN access, they just protect the VPNs themselves. It's not clear to me from the text of the bills that states wouldn't view a porn site refusing to block all VPN connections as a violation of the law if they were ever interested in pushing enforcement past state lines (which again, in other Internet speech debates states have expressed interest in pushing enforcement across state lines).
The article's example of VPN restrictions is misleading and misrepresents the bills it's talking about -- but the general concern that VPN restrictions might come in the future (most likely through targeting companies that do not block VPNs from accessing their services) is a real concern, just poorly presented in this article.
Why would they need to be auditable? That's not in any of the laws I've read, and in fact as you note, the law makes that impossible. If the law contradicts a requirement that you made up, and does not itself contain that requirement, then why would you presume that it has that requirement?
There's literally no reason to have e.g. a knowledge based auth or signed id request hit disk. It doesn't need to be saved for a "short time". It doesn't need to be saved on permanent storage at all.
"Let's assume for a moment that the law says the opposite of what it actually says". But it doesn't.
It's easy for the government to investigate whether you check IDs: open the site and see if you request ID information. Present fake info and see if you accept it. Just like they do in person.
> If the law contradicts a requirement that you made up, and does not itself contain that requirement, then why would you presume that it has that requirement?
First off, always good to be clear that there are multiple laws here, even if many of them are templates of each other; there's not "the law". Secondly, this is hiding behind ambiguity in many of these laws' language; it's easy to claim that a law doesn't specifically require that companies retain information about their efforts, but I guarantee you in any court case about this, requests for that information would come up.
It is painfully naive to assume that any company would feel safe implementing a legally required system that does not provide them with any evidence to prove that their system works or has worked in the past. The ambiguity about what many of these bills mean when they call for a "reasonable method" of identity verification is exactly the kind of contradicting language that I'm talking about above. "We didn't ask you to do X, we just put you in a situation where not doing X would be extremely dangerous."
I would argue that a State going to a company and saying, "do something 'reasonable'" with no legal guarantee or precedent about what will and won't be reasonable, and then additionally adding restrictions that make it practically impossible for any existing ID verification system online that I'm aware of to fit that requirement -- I would argue that is tantamount to an attempt to ban porn. It's a system that can't really be safely complied with. Of course companies being able to provide documentation and evidence of their prior verifications is a practical requirement for them operating in that kind of environment.
> There's literally no reason to have e.g. a knowledge based auth or signed id request hit disk. It doesn't need to be saved for a "short time". It doesn't need to be saved on permanent storage at all.
I don't see any indication in the laws I've read that this would be sufficient; where are you getting this idea from? In fact (I'll remind you), Texas's law explicitly refers to digital identification as something that gets stored and accessed as proof of identity. The bill's own language does not support the idea that identification would be completely transient and instantaneous.
So it is completely reasonable for critics to question these requirements given that nothing in the law would prevent the government from making a case that completely transient identification is insufficient. And even if it was sufficient, from a purely technical perspective it is not clear to me how this magically transient identification would work. Information transmitted between parties gets stored, that's how this stuff works -- what ID verification system are you imagining that can happen instantaneously without referencing any stored information and without any information leaving RAM? I'm not aware of one.
> "Let's assume for a moment that the law says the opposite of what it actually says". But it doesn't.
What? Every single law I referenced requires the transmission of this data and explicitly suggests sharing it with 3rd-party verification services. That's not me reading into the laws, it's just fact.
> It's easy for the government to investigate whether you check IDs: open the site and see if you request ID information. Present fake info and see if you accept it.
What system for instant ID verification that does not rely on storing or accessing stored, indexed information about an identity works like this? How do you propose that sites detect fake info without referencing that info against stored identifying information? Because advocates for these laws keep on saying this is easy and then describing systems that as far as I can tell, do not exist.
-----
I'm accommodating a little bit of a rabbit hole above, but I do need to loop back around to the more relevant point:
> There's literally no reason to have e.g. a knowledge based auth or signed id request hit disk.
Regular, consistent transmission and collection of ID information online presents security risks that are unique to remote identity verification and that are not present in physical spaces like shops and stores. Even if there existed a system that allowed this verification to happen entirely in RAM, that would not address the security points that professionals have raised. And even that magical system would necessarily require storing that information in more places -- on user phones and browsers in an easily transmissible format. It would necessarily require users to become more comfortable sharing information online that they should not be comfortable sharing online.
I'll repeat the same point I made in my previous comment:
> Advocates of these bills ignore that security researchers have an issue with collection and transmission of sensitive data in addition to storage, and so advocates point to narrow, non-specific language about long-term retention as if that solves all of the issues. It doesn't.
Pointing to retention as the only security risk in these laws misrepresents the concerns of security professionals. Ambiguous language that is inadequately explained or elaborated on within bills and that (theoretically) addresses one part of security researchers' concerns is not sufficient to dismiss their overall concerns. Regular uploading and transmitting of ID information to 3rd-parties over the Internet is more dangerous than showing your ID in a liquor store; transmission of that data necessarily requires copying that data, putting it in the hands of multiple parties, verifying their trustworthiness, and interacting with extremely complicated systems that have larger attack surfaces than a cashier looking at your face.
It's just not accurate to act like they're the same.
Sure, there are multiple laws. The ones I've read all seem similar enough to me on the points people bring up.
Identity verification is not that mysterious. If these sites are afraid to do it themselves, there are turnkey vendors for that, which e.g. banks or docusign use. All the laws I've read say sites can use third party verification services. The Utah law specifically mentions
> verification through an independent, third-party age verification service that compares the personal information entered by the individual who is seeking access to the material that is available from a commercially available database, or aggregate of databases, that is regularly used by government agencies and businesses for the purpose of age and identity verification;
i.e. KBA, which is already a thing. These companies already know facts about everyone. You claim you're person X. They ask you to tell them a fact they already know. They check your answer against their database. They don't need to store anything you tell them. I'm sure they can tweak their service to only tell the requesting site you are over 18 and not keep any records. These services know how to deal with a highly regulated environment.
The Utah law also allows the user to present a "data file from a state agency or an authorized agent of a state agency that contains all of the data elements visible on the face and back of a license or identification card and displays the current status of the license or identification card."
No need for the site to save anything. Just check the signature and age.
I don't see what makes porn sites unique vs. any other e-commerce business that requires customers to identify themselves wrt. security. Typically those actually store and sell your info.
Also many grocery stores do scan IDs when you hand them to the cashier. Who knows what they're doing with that info. Wouldn't surprise me if they retain and sell it.
> Sure, there are multiple laws. The ones I've read all seem similar enough to me on the points people bring up.
The laws are template laws, but do occasionally differ in important ways. You've mentioned before that Texas includes a financial penalty for retaining user IDs beyond verification. You didn't mention that Texas is pretty much the only state that does this, and the majority of the other bills only allow for suing for harm and attorney's fees. Harm can be difficult to prove for information retention, and these provisions rely on individual action for enforcement.
You mention later in this comment that Utah includes provisions for ID-only verification. You don't mention that Utah is (as far as I can tell) one of the only states that offers this kind of detail, most merely mentioning that "government identification" could be used for verification.
These things matter. When we treat these bills as a single unit, we run the risk of building a composite bill that theoretically addresses every concern, even though that composite bill doesn't actually exist anywhere.
----
> Identity verification is not that mysterious.
Agreed. Do you believe that the security professionals who are intimately familiar with identity verification services and who know how the current services work are just... lying? Like, what do you think is happening here? This is not something complicated where there are a bunch of debates about how ID verification can work, we know how the ID verification services today work. And security professionals are saying there's a security risk.
Does the Texas AG know something that they don't? Is there some secret new ID verification system that only lawmakers know about? Like you say, this isn't that mysterious, ID verification online exposes users to privacy and security risks. It's straightforward, this is a known risk.
The fact is, there are no identity verification services I'm aware of that I think are secure enough to use for this level of transaction -- and every 3rd-party ID service I'm aware of works by retaining and accessing stored information about users.
The people talking about the security risks know how existing identity verification services work. They're not that complicated. They work by collecting and transmitting and cross-referencing personally identifying data, and that process is vulnerable to attack and data misuse.
----
> i.e. KBA, which is already a thing. These companies already know facts about everyone. You claim you're person X. They ask you to tell them a fact they already know. They check your answer against their database. They don't need to store anything you tell them.
Okay, are you listening to yourself?
> They check your answer against their database.
So personally identifying information is collected and stored. And that information is linked to requests to access potentially compromising or embarrassing material on a level of granularity where those requests, if intercepted, can be used to link personal identities back to those requests. By your own admission.
I don't know, you're agreeing with me and then saying "see, that means that data doesn't have to be stored." No, you just described data getting stored and held by a 3rd-party (notably, a set of 3rd-parties that have had historically awful security and have regularly been irresponsible with those databases) and then cross-referenced with individual access requests in a way that would necessarily require personally identifying to these data brokers which individuals were interacting with which companies.
Sure, those services don't need to store your newly uploaded ID -- they already have it! But what comfort is that? They still have the ID either way. You are describing a system that can only exist by hoovering up and retaining huge amounts of data on individuals, and you're advocating that this system should be expanded.
And while we're on this subject, none of the laws I've read ban retaining records of this access or selling information about which individuals' identities are verified, even though that could be compromising or personal information. More PII and data is created during this process than just the ID you transmit, and I don't think a single law that I've read addresses that fact. But sure, the data broker that already has your ID won't store the image you sent them. That'll be a huge comfort to Texas users when those sites get hacked and leak access information about which users had their IDs verified for which services.
What you're describing is not a privacy-respecting system.
----
> The Utah law also allows the user to present a "data file from a state agency or an authorized agent of a state agency that contains all of the data elements visible on the face and back of a license or identification card and displays the current status of the license or identification card."
I avoided pushing this point too hard before, but reminder that there is no requirement in any of the laws I've read for state agents or authorized agents of the state to delete records of that request or to avoid linking those requests to individual services. The laws as written do not block government agencies from using this information to build detailed records of who accesses which services.
> No need for the site to save anything. Just check the signature and age.
This would not pass a check for fake IDs. Nor would it prevent shared IDs. The laws I've read provide no guarantee that a system that was trivially bypassed would be sufficient to ward off State action. Again with the ambiguity about what "reasonable" means, which is a major problem in these bills. "Don't violate privacy, but it has to work." Well, if all you're doing is OCR on a license and you're not cross-referencing that data or storing information about attempts, that is not a system that is hard to bypass.
Also as I mentioned above, there isn't just one law. Other laws do not go into this level of detail about what kinds of IDs are accepted or how they could be verified. Great that Utah does (although Utah's example is not sufficient to address concerns) -- that just leaves all of the other bills.
> I don't see what makes porn sites unique vs. any other e-commerce business that requires customers to identify themselves wrt. security.
Multiple things:
A) not all porn sites are e-commerce businesses, and not all platforms affected by these bills are porn sites. These bills are not typically restricted to commercial transactions -- merely accessing commercial sites requires verification, even without a business relationship.
B) e-commerce businesses with traditional verification requirements typically do not allow for anonymous usage in the first place. Many of them have extensive "know your customer" rules and are not concerned with protecting the privacy of their users -- quite the opposite, many of them are required to retain information about their users.
C) Security-wise they're not that different, and the criticism of these bills directly extends from knowledge about the security risks and bad practices of many of those e-commerce sites. Whether or not you understand the security implications, I promise you the organizations and security experts that are pushing back on these bills already understand that Flowroute exists.
Note that the theoretical instant, private identification that you seem to be proposing sites will implement doesn't exist for the companies that are relying on this verification today. Once again, I'm left pointing out that you're describing a happy-path scenario that isn't the case for any online identification system I can find. As far as I can tell, these services all store data about their users' individual identities.
----
> Also many grocery stores do scan IDs when you hand them to the cashier. Who knows what they're doing with that info. Wouldn't surprise me if they retain and sell it.
Shouldn't you check up on that before advocating that Internet ID verification is fine because it's just like local verification? Me personally, before I compared digital ID verification to local ID verification, I might make sure that local verification isn't retaining and selling all of your data, because otherwise the comparison would look awful. Have you checked to see whether security professionals have also raised alarms about local storage of ID information? Because... they have, for the exact same reasons :)
Local ID verification ideally should not involve scanning an ID, and the fact that it sometimes does anyway is worrisome. It doesn't bode well for expanded digital ID verification.
If your point is "local verification doesn't require sending information to multiple parties across the Internet and yet companies still do it anyway, and we still don't know what's happening to your data in that scenario" then... I mean, you have to understand that's not something that is likely to make anybody feel more charitable to your argument, right? That's not something that makes online ID verification seem like a good idea.
----
Once again, I'll repeat:
- Texas's own language refers to these systems as storing user information.
- There are no ID verification systems that I'm aware of for online services that work without maintaining and storing information about users.
- Addressing long-term retention of submitted information is not sufficient to address the privacy and security concerns that researchers have brought up.
- None of the bills I've read are clear that an unverifiable zero-retention policy would be sufficient to avoid liability, this seems to be something you're just reading into the text as an assumption of good will.
What you're suggesting above about retention practices and the ability of ID verification services to do this without storing customer data isn't true -- but even if it was true (which it's not) it changes nothing. Regular transmission of this kind of information is dangerous, users should not be trained to submit this kind of information casually, especially not to sites that they don't have business relationships with. The transmission and collection of this information exposes users to risks to both privacy and security.
I don't think security professionals are lying. I think "security professional" is a meaningless descriptor like "thought leader" that one applies to themselves, and they shouldn't be given any specific credibility.
At the end of the day, I agree we should have stronger data protection and retention regulations, federally even. That's an orthogonal issue to whether adult services online should require some validation that the customer is an adult. It's not the first solution I'd reach for (I'd prefer requiring metadata to make client filtering easier), but the more I think about it, the more reasonable it seems. No one throws a fit when instacart scans your ID for alcohol orders. Buying a gun online has even more stringent requirements where you need to go visit an FFL to pick up. Likewise in my area, marijuana is legal (modulo federal illegality), but delivery is not; you basically can't buy it online.
I don't see why porn is special here. The law has always banned distribution to minors before the web existed. By default, sites (commercial ones at the very least) should be criminally liable for breaking the law if they distribute to minors, just like in-person stores are. They should be proposing systems that they believe are reasonable to meet their obligation, but they are not. Instead, they've gone from at least requiring credit cards to... absolutely nothing. They've frankly brought this on themselves.
The obvious elephant in the room to me is that none of this would even be controversial if sites hadn't moved to an ad-supported model. If you're paying for it, of course they need to know who you are for billing. Again, the more I think about it, the more reasonable it seems to me that if you're going to have that business model, then fine, but you need to at least do the checks you would've otherwise done during billing.
So perhaps the issue is
> sites that they don't have business relationships with
Is simply not a good model. If a business doesn't want to establish itself as credible to its customers such that they can trust it to professionally handle their information, then maybe they shouldn't be in an adult restricted industry where they need to handle that information. If they don't want to handle that information, perhaps they can propose a system where they don't need to (I've commented elsewhere on HN[0] about an oauth-like system where the government could provide age gate tokens without knowing who the token is being issued to or even if the age required is over 18 or over 21. It's not that complicated. Why do we have no one in these industries making such a proposal to lawmakers? They've had 30 years to do it.).
> I don't think security professionals are lying. I think "security professional" is a meaningless descriptor like "thought leader" that one applies to themselves
You don't believe that people who study security for a living might know more about it? Certainly software security experts should be given more credibility about software security than politicians should be given. I'm not sure I've ever run into the view before that security research is a pseudoscience.
> At the end of the day, I agree we should have stronger data protection and retention regulations, federally even. That's an orthogonal issue to whether adult services online should require some validation that the customer is an adult.
In what way is that orthogonal? The lack of data protection and retention regulations is a big part of why this stuff is dangerous. This is a little silly, you agree that the existing standards and services are not sufficient, but you don't think that's relevant to whether or not their use should be massively expanded under the direction of the government?
Of course it's relevant.
----
> No one throws a fit when instacart scans your ID for alcohol orders. Buying a gun online has even more stringent requirements where you need to go visit an FFL to pick up.
I already talked about this, not all of these sites are transactional. Also, note that porn is tied into normal political and social speech in a way that it could never be fully transactional and commercial without restricting a large portion of that speech.
Also, people do throw a fit about data privacy and about at the very least improving security for ID verification. To your point:
> I don't see why porn is special here.
It's not. These debates happen in other areas too; attempts to clamp down on hate speech, propaganda, to restrict information flow across state lines, to track copyright violations, to access E2EE messaging, etc, etc. What you're seeing is completely normal consumer advocacy for privacy, security, and free speech, but because the US is so conditioned to think that porn is some kind of special category, advocacy that probably wouldn't make you blink in other situations feels weird to you now. You may not be aware of debates in other areas of customer tracking, but even with that lack of awareness porn jumps out and you are aware of that specific debate... because everyone thinks porn is some special category.
Data scientists and security experts ruining a legislator's day by pointing out that the systems they imagine actually have huge security holes is normal. It only feels different to you because this time it's about porn.
----
> They should be proposing systems that they believe are reasonable to meet their obligation, but they are not.
So here's an interesting thing to research: they are. Every single one of these sites labels content in a way that it could be intercepted and blocked at the router layer or by parental controls on devices. They all self-identify, even in areas where they're not legally required to.
If you think that porn companies are sitting around and doing nothing, you really have not done much research in this space. They have made plenty of proposals about how to make filtering easier, but states have largely ignored those proposals because:
A) they would require pushing companies like Apple to develop competent parental controls, and that doesn't poll as well among Conservative voters,
B) the majority of these laws have backing from explicitly anti-porn advocacy groups who do not want parental controls, they want to ban porn.
----
> The obvious elephant in the room to me is that none of this would even be controversial if sites hadn't moved to an ad-supported model.
I would advise doing more research on this, there are controversies about this kind of ID requirement even for purely transactional data because it does expose people to privacy risks. I will also note that pushing an entire category of speech to require a transactional relationship would very likely be a violation of the 1st Amendment.
----
You have a couple of accusations here that are just straight-up false. Pornhub specifically called out the lack of government-backed ID services as a partial reason for their opposition to these bills, and has lobbied for states to build such a service. More importantly, Pornhub already does what you're advocating is your preferred solution: "I'd prefer requiring metadata to make client filtering easier".
Pornhub is pushing out metadata today. There's a full-on standard for it and everything (https://www.rtalabel.org/).
What is actually happening is that Apple, Android, and routers don't provide sufficient parental controls to act on that metadata. But commercial porn sites are not in charge of what Apple and Android build. The argument that these commercial sites have made is not that they should be allowed to market harmful content to children, but that when states ignore a workable solution to a problem in favor of a less practical solution with greater security, privacy, and free speech implications -- that is not a good use of legislation.
If this is the first time you're hearing about this -- I mean, I'm not surprised, like I mentioned above porn is a weird category of protected speech and as a result coverage gets weird around it. And the lobbying groups behind these bills have worked very hard to act as if porn sites are simply throwing content online or even deliberately targeting children. So it's not unexpected that you largely get one side of the story. Texas doesn't advertise that it outright ignored calls to legislate better parental controls. Louisiana doesn't advertise that there exists a labeling standard in use today that they are actively ignoring. I don't expect someone just now looking at the text of these bills to know that.
But knowing that now, you should do some deeper research on this and figure out what the status quo actually is. Unlike buying alcohol, porn is very directly speech and has been affirmed by the Supreme Court to be speech on multiple occasions. Porn is not always directly transactional content, it gets mixed into normal speech -- and a proposal to get rid of an entire monetization category is extreme. But people feel comfortable proposing restrictions that wouldn't really fly in any other speech category, because they're conditioned to believe that porn is something special and that porn companies are just sitting around happily showing dicks to kids or something.
----
You've advocated elsewhere that router-level blocks are sufficient to handle blocking for VPNs, foreign sites, etc... What porn companies are (and have been) proposing is exactly what you want. Require routers to offer parental controls that can act on the metadata that porn companies will happily attach to the content they serve. Legislate that this metadata must be attached to pornographic content. This would not only be a more private and secure solution, it would also be more effective. It would do a better job of protecting kids than a random OCR check on a driver's license.
Now that you know that, do you find it at all odd that all of these states have completely ignored that proposal and are instead pushing a solution that has obvious privacy and security risks and that is observably pushing websites to block their states? Does knowing this information help you understand what I mean when I say that these laws are less about protecting kids and more about banning porn?
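As an added illustration (not part of the thread and not any site's or vendor's code), this is the kind of check a device-level filter would run against the RTA label discussed above. It assumes the label string and the `Rating` header / `<meta name="RATING">` placements published at rtalabel.org, and that the filter runs where the decrypted response is visible; the function names and sample responses are constructed.

```python
"""Check an HTTP response for the RTA ("Restricted To Adults") self-label.

Added example: helper names and the sample responses are constructed.
"""
from html.parser import HTMLParser

# Label string published by rtalabel.org. Sites send it as an HTTP
# "Rating" response header and/or a <meta name="RATING"> tag.
RTA_LABEL = "RTA-5042-1996-1400-1577-RTA"


class _RatingMetaParser(HTMLParser):
    """Matches only real <meta name="rating" content="..."> tags.

    Text nodes, HTML comments and script bodies are ignored, so a page
    that merely writes about the label is not treated as labelled.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.labelled = False

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = {name: (value or "") for name, value in attrs}
        key = attr.get("name") or attr.get("http-equiv") or ""
        content = attr.get("content", "").upper()
        if key.strip().lower() == "rating" and RTA_LABEL in content:
            self.labelled = True


def header_label(headers):
    """True if a Rating response header carries the RTA label."""
    for name, value in headers:
        if name.strip().lower() == "rating" and RTA_LABEL in value.upper():
            return True
    return False


def meta_label(html):
    """True if the document contains a Rating meta tag with the label."""
    parser = _RatingMetaParser()
    parser.feed(html)
    parser.close()
    return parser.labelled


def rta_verdict(headers, html):
    """Return 'header' or 'meta' (where the label was found), else None.

    The header is checked first because it is available before any of
    the body has been received or parsed.
    """
    if header_label(headers):
        return "header"
    if meta_label(html):
        return "meta"
    return None


# --- Constructed sample responses (headers, body) -----------------------
LABELLED_BY_HEADER = (
    [("Content-Type", "text/html"), ("rating", RTA_LABEL)],
    "<html><body>adult landing page</body></html>",
)
LABELLED_BY_META = (
    [("Content-Type", "text/html")],
    '<html><head><meta name="RATING" content="RTA-5042-1996-1400-1577-RTA" />'
    "</head><body></body></html>",
)
# An explainer that quotes the label in text, a comment and a script
# string. A naive substring search over the body would block this page.
MENTIONS_ONLY = (
    [("Content-Type", "text/html")],
    "<html><head><title>Explainer</title>"
    '<!-- <meta name="RATING" content="RTA-5042-1996-1400-1577-RTA"> -->'
    "</head><body><p>Sites send RTA-5042-1996-1400-1577-RTA in a meta tag.</p>"
    "<script>var s = '<meta name=\"RATING\" "
    "content=\"RTA-5042-1996-1400-1577-RTA\">';</script>"
    "</body></html>",
)

if __name__ == "__main__":
    for label, sample in [
        ("header-labelled", LABELLED_BY_HEADER),
        ("meta-labelled", LABELLED_BY_META),
        ("mentions only", MENTIONS_ONLY),
    ]:
        print(f"{label:16} -> {rta_verdict(*sample)}")
```

Both placements live inside the HTTP response, so a filter that only sees TLS ciphertext on the wire cannot read them; the check has to run in the browser, on the device, or at a point that terminates TLS.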
They're orthogonal issues because you can address one, the other, neither, or both totally independently. We can have very strict data protection laws and also have strict id checking for regulated industries.
I'm well aware of RTA labels. I've pointed them out on similar threads. They're also not ideal (given that they're basically "yes/no" which will necessarily lead to arguments about what should be classified), but like I said, I'm inclined to prefer that kind of approach. Something like mandate commercial sites and commercial browsers (which is every major one) to implement it or something like it, with criminal liability for commercial porn sites that fail to do so.
That said, not all sites do implement it. e.g. reddit and redgifs do not, and reddit also hosts forums specifically targeted at children. Those two sites are very high traffic and are completely negligent here. Also, content can't be blocked at the router level if it's using TLS, which of course almost all of these sites do (you could potentially do SNI sniffing against a host blacklist, but even that will go away with ECH). Perhaps the "evil bit" could be used for that purpose at the IP layer so it works with TLS.
Generally, the more I think about it, it does seem "reasonable" to just say businesses dealing in adult restricted materials are liable for determining their customer is an adult (to a standard that a reasonable person would believe), and websites are not an exception unless it was e.g. a defacement. Let them figure out how to do it, and if the government can collect evidence that they failed to do so, they can charge them with distribution to minors. The sites can come up with their own system according to their risk tolerance. Basically, just raise (or introduce) the bar for negligence.
Alcohol distributors don't seem to have a problem doing this. Perhaps porn distributors can ask them for help.
> They're orthogonal issues because you can address one [...] independently. We can have very strict data protection laws and also have strict id checking for regulated industries.
We can not have secure ID checking without data protection laws. They're not orthogonal. This is the same conversation that comes up every time the government tries to mandate secure backdoors into encryption. You can't massively expand usage of an insecure technology and when it's pointed out that the current technology is insecure say, "well that's a separate issue, we don't have to worry about that right now." It's not a separate issue, you're massively expanding a technology that is currently insecure, just own it.
> I'm well aware of RTA labels.
Then why did you claim that porn industries weren't doing anything? I mean, I'm trying to be charitable here, it would be very reasonable for you not to be aware of those efforts, most people aren't aware of them. But you're saying you were?
You're telling me that when you said:
> They should be proposing systems that they believe are reasonable to meet their obligation, but they are not. Instead, they've gone from at least requiring credit cards to... absolutely nothing.
You knew that this was false -- like literally just straight-up wrong? When you commented that porn industries had 30 years to propose government ID systems to avoid handling this data themselves and hadn't... you knew that porn industries had actually proposed and lobbied for government ID systems?
So why did you say otherwise?
> They're also not ideal (given that they're basically "yes/no"
Come on, this is obviously not an issue for you because if it was, you wouldn't be supporting the current bills, which all implement binary "yes/no" classifications. We could debate whether or not broad classifications that refuse to distinguish between types of porn are good or bad, but you are currently arguing in favor of a binary classification for the purposes of liability, so I don't think that discussion would be a good use of time. Obviously you're OK with binary classification for age-verification, so this is not a real objection.
> reddit and redgifs do not
It's not clear that Reddit is liable under all of the laws proposed. Reddit hasn't pulled out of any of these states or added ID checks. Your argument against the proposal of labeling is a site whose content isn't addressed under the proposed laws.
Also, if you don't like that Reddit doesn't currently use the unlegislated standard... legislate it. Pornhub isn't lobbying to block labeling laws. You can require Reddit to use a labeling standard.
> Also content can't be blocked at the router level if it's using TLS
My sibling in Christ, you proposed blocking sites and VPNs at the router level. This was your solution to foreign porn sites that aren't covered by these laws. Now suddenly that's not sufficient?
Regardless, we use per-page metadata all over the place on platforms like iOS and Android to enable functionality based on page contents -- from device support to PWA indicators. There is no reason why these platforms can't work those same indicators into content blocking tools. And the presence of headers on landing pages for sites like Pornhub can be used at the network level to block these sites entirely, which again... you proposed doing!
Blocking per-page content is just a bonus, the current bills don't address that concern. It's a mark of the superiority of labeling that it allows a level of granularity that current bills don't.
> Alcohol distributors don't seem to have a problem doing this.
I'll repeat, porn isn't always transactional and porn is rolled into normal political and social speech in a way that prevents making it purely transactional without limiting large categories of speech. It's not the same as alcohol.
Alcohol also isn't speech. Porn is.
> Generally the more I think about it, it does seem "reasonable" to just say businesses dealing in adult restricted materials are liable...
You're allowed to think it's reasonable. The problem is if you spread misinformation while defending that position. To summarize where this thread has gone, you've suggested:
- People shouldn't worry about data collection because the laws prevent it. This is false, many of the laws have limited liability and recourse for data collection, and most only target retention of ID information, not aggregate data collection about users' browsing habits. Additionally, none of the laws limit government collection of data.
- The laws are close enough to each other that they can be read interchangeably. This is false, although the laws are templates of each other they often differ on details, and the presence of a provision in one bill does not solve problems for other bills.
- Information does not need to be stored or collected to implement 3rd-party ID checks. This is false, there are no 3rd-party ID checking services that I'm aware of that do not collect and store information about users.
- Retention laws would solve the security problems. This is false and a misrepresentation of security professionals' criticism of the bills. Retention is one part of the security and privacy risk.
- Porn companies have not proposed any alternatives. This is false, they have -- both ID systems and labeling systems. What's wild about this one is that you're suggesting you knew that this was false when you said it, which is not something I would have suggested.
- Porn verification is identical to alcohol/gun verification. This is false, most porn consumption online is not via a transactional relationship.
----
Like I said, I don't care if you support the bills, that's fine. It's a free country, you can support whatever you want. Just don't spread misinformation while you're doing so.
You can of course have secure id checking without data protection laws: the companies doing the check can just not store information about the check, regardless of whether they are required to delete it. As long as they are not required to retain it, which I have not seen anywhere, they certainly can choose not to. Here though, the laws I've looked at all specify that they must not retain it. They could have higher penalties, but they already explicitly forbid it.
Like I said several times and have said in other similar threads, I'm inclined to think RTA headers are a "better" approach. Currently they're not consistently implemented on either end (e.g. Firefox doesn't support them, sites I mentioned don't send them), but it'd be a quick win to mandate that in commercial contexts, which would include Firefox.
But you don't have to look far to find people who think the filtering problem is entirely intractable (they're in this thread). I think it's worth trying the metadata approach more with commercial mandates to implement something along those lines. I can see why people could argue that's been tried enough (filters have existed for over 20 years, and access for children is still easy), and they need something more. It's not clear that they're even wrong, though I'd like to see us try still. But the more I consider it, it really doesn't seem like that big of a deal to just do ID checks. Presumably you'd do it once to establish an account that's above the age limit. Not the end of the world.
Maybe I'm wrong about these sites' lobbying efforts. Maybe most of them have been posting on their front page big banners asking people to tell their representatives to support mandatory metadata processing/filter enablement laws. I sort of doubt it, but it could be. I do know that some major sites (e.g. reddit) don't implement the metadata or any other controls.
It's not clear what the "percent of content" in these laws means, but when I looked at dumps last year, reddit looked to be ~40% porn by posts (obviously not if you consider comments to be content for counting). It is (or was, as of last year, if dumps are accurate) pretty close to being more porn than not. Certainly for a discussion about how porn sites behave, they are a major porn site with millions of users, and they do exactly nothing to turn away minors (in fact they obviously target them) or segregate the site.
I pointed out elsewhere that routers can block common VPN protocols (e.g. ipsec or wireguard). Of course they can do almost nothing to block something going over TLS:443, and soon they won't be able to do SNI sniffing either. So network filtering of sites is not possible anymore unless they stop using TLS.
Anyway, my point about worrying about data collection and retention is that people should worry about it to the same extent they do with eBay or some small shopify-based site. They should worry about it! But they shouldn't specifically worry about porn sites. And the laws here seem to all ban retention, which is good. Perhaps they could have higher penalties, but they do ban it. Generally e-commerce sites don't have retention regulations.
It's not clear to me how governments would get any records to retain, but sure they should disallow it.
3rd parties already store data that can be used for verification. I don't see KYC laws being undone anytime soon. There's no need to record any information about a verification occurring. I'm sure companies offering KYC services who are already used to operating in regulated environments can deal with not retaining submitted information.
I don't really understand your point about "transactional" relationships. If you have a business providing a service, they can follow relevant laws for their industry. If Total Wine decided to place an unmonitored "free beer" keg out front where children could get to it, they'd almost certainly end up in legal trouble.
Or perhaps a more direct analogy would be if you opened an adult theater with an automated ticket machine so no one checked who was coming in. Or a Redbox that took cash and rented adult movies with no checks. That business would never fly in person. Why is it different online?
> the companies doing the check can just not store information about the check, regardless of whether they are required to delete it.
Seriously? By that logic the bills themselves are orthogonal to porn, since sites can just institute ID requirements without being required to do it. There are no 3rd-party ID services that have good privacy handling or refuse to retain information. And in the absence of government-sponsored alternatives (which companies have asked for) this is a de-facto requirement to use 3rd-party ID services that put customer data at risk.
> Here though, the laws I've looked at all specify that they must not retain it. They could have higher penalties, but they already explicitly forbid it.
False. I already covered this:
> many of the laws have limited liability and recourse for data collection, and most only target retention of ID information, not aggregate data collection about users' browsing habits. Additionally, none of the laws limit government collection of data.
----
> I can see why people could argue that's been tried enough (filters have existed for over 20 years, and access for children is still easy)
People can argue a lot of stuff, that doesn't make any of it correct. If someone argues we've tried mandating labeling for online porn and legislating parental controls... we haven't. They're wrong. They can argue it if they want, but they're arguing fiction.
----
> Maybe I'm wrong about these sites' lobbying efforts. Maybe most of them have been posting on their front page big banners asking people to tell their representatives to support mandatory metadata processing/filter enablement laws.
Pornhub has in fact literally placed large banners in certain states lobbying about this topic and asking customers to go to their representatives and get involved. I've never seen a response from the company to any porn bill in which they don't put forward the idea of device-based filtering. They are constantly qualifying their responses with stuff like "of course, we also want to keep kids safe, so that's why we support local filtering and labeling laws".
It is strictly inaccurate to claim that these bills are the result of inaction from porn companies, or that porn companies have not proposed alternatives. You claimed that these companies had done nothing; but in reality they literally built a standard for the government. And pushed for government ID verification too as an alternative to 3rd-party services! :)
----
> It's not clear what the "percent of content" in these laws means
ie, the laws are over-ambiguous and don't clarify liability to an acceptable degree. A lot of things aren't clear in these laws. It's not clear what "reasonable" means. It's not clear what "damages" are for data retention. It's not clear what "retention" means in these laws!
They're badly written laws.
> Certainly for a discussion about how porn sites behave, they [Reddit] are a major porn site with millions of users, and they do exactly nothing to turn away minors (in fact they obviously target them) or segregate the site.
Multiple of these laws have taken effect in states already. Reddit requires an ID in none of those states. No politician I'm aware of has talked about suing Reddit. If you have a problem with Reddit's handling of porn, these bills aren't doing anything about it.
Because of course they aren't, no AG is going to be so foolish as to try and force an ID requirement in order to view Reddit posts. But you know what would allow blocking porn on Reddit? Labeling requirements.
You want to know who else isn't covered by these laws? Non-commercial sites -- because placing these kinds of restrictions on non-commercial hobby sites would be far more likely to raise 1st Amendment questions (not that the laws as they exist don't already raise 1st Amendment questions). But you want to know how you could legislate filtering for smaller sites without raising those questions? Labeling requirements.
----
> I pointed out elsewhere that routers can block common VPN protocols (e.g. ipsec or wireguard). Of course they can do almost nothing to block something going over TLS:443
> "But what about sites outside of US jurisdiction (e.g. Russia)?" Require ISPs to have a setting for customers to opt into blocking them.
Well tbf, Russian sites famously never use TLS ever ;)
Look, routers do block websites all the time, including encrypted ones. Sites can be blocked via IP, but the more direct way is to block using DNS. TLS doesn't stop 1.1.1.3 from working, and even once ECH comes in, any device that is capable of supporting ECH is also going to support setting custom DNS servers, including a local resolver managed by a router.
But maybe you don't want to use a router, fine. Maybe DNS is too hacky for you. That doesn't mean that iOS and Android devices can't also implement this kind of blocking.
----
> And the laws here seem to all ban retention, which is good. Perhaps they could have higher penalties, but they do ban it.
See above, this is false. I covered this already.
> It's not clear to me how governments would get any records to retain, but sure they should disallow it.
But they don't disallow it, do they? :) I'd like a lot of things in a theoretical version of the legislation, but unfortunately we're talking about the legislation that exists -- and the legislation that exists does not appear to bar indexing of consumer internet habits by the government (or by private businesses).
> Generally e-commerce sites don't have retention regulations.
Any site that accepts payments has de facto retention regulations, at the very least for taxes -- in practice at least. Given how ambiguous most of these laws are about enforcement and what "reasonable" means, there is a heavy incentive for sites to retain at least some user metadata even if they can't retain actual ID documents.
Also bear in mind that 3rd-party verification necessarily requires the collection and retention of information about every single person who can be verified through that service. Whether they retain the specific documents submitted or not, this is still an expansion of user surveillance -- and of course, the laws do not clearly ban collection of metadata and identifying information about user requests outside of the ID information itself -- at least, I don't think the laws couldn't be argued in a court not to cover that information.
----
> I don't really understand your point about "transactional" relationships.
Not all porn is part of a transaction at all. Porn isn't always something you buy, it's not like alcohol. It's not a purely commercial product, it's not always tied to accounts, it's not always a thing you buy or order. And forcing it into that category would hamper a lot of speech -- because porn is intrinsically tied up alongside political and social speech. Particularly where user content is concerned, porn can be extremely political, and the history of porn/decency laws in the US demonstrates that concept over and over again. Porn can not be reduced to a singular transaction in the vein of buying a beer -- not just because it may not involve an exchange of money but also because porn is speech, it is communicative, it is a thing that happens alongside and inside protected communication. Buying a beer is not like that.
Where the Internet is concerned it is actually a good thing that people can read Reddit and Twitter anonymously without making accounts and logging in. We don't want an Internet where every single site is a walled garden that requires a user account. It is a good thing that people can set up Mastodon servers that openly federate -- something that would be practically impossible if they required ID verification in order for anyone to view posts on the service. And again, it's not as simple as saying "well, but we'd only require it for porn." If you're requiring it for porn, you are requiring it for protected political speech. The implications are the same.
What people don't really acknowledge when talking about porn is that things can be inappropriate and harmful to children and also protected political and social speech that should not be restrained between adults. It cannot be reduced to a purely transactional "I would like to buy a smutty magazine" framework.
> Or a Redbox that took cash and rented adult movies with no checks.
As a sidenote, I strongly suspect that a Redbox that took cash and rented out R-rated movies would be legal in nearly every state. Did you know that it's not illegal for a parent to take a child to an R-rated movie, even one that contains sexual content? I wouldn't advise doing so, children shouldn't watch R-rated movies, that kind of content can be very harmful to them. But nobody will arrest you for it.
Did you know that compliance with movie ratings isn't legally mandated? Movie theaters actually have no legal obligation to keep children out of R-rated movies (and certainly no requirement to ask for IDs) -- the whole thing is a completely voluntary standard. Just a fun fact.
But to your broader question:
> Why is it different online?
Because mediums affect security risks and liabilities. Because it's online. Because asking for an ID to be uploaded before you look at a Reddit post has bigger security and privacy implications and as a result bigger speech implications than asking for an ID before you physically buy a beer from a liquor store. Because they're not the same thing.
There's a lot of stuff we do online that we don't do in physical spaces. In physical spaces I don't need to encrypt every single message I hand to someone else. On the Internet, we use TLS. Because mediums affect things. They always have affected things and they always will. And this is not new, newer mediums have been affecting how we write laws and regulate communication since the founding of this country.
----
We cycle back around to my previous point: you can think these laws are reasonable, it's a free country, you can think whatever you want. My problem is not whether or not you think the laws are reasonable, my problem is that you're spreading misinformation when talking about the laws.
I'm still waiting for an explanation of why you said that porn companies have done "absolutely nothing" and had proposed no standards when you apparently knew that was straight-up false and that porn companies had in fact proposed standards and advocated for them.
You're allowed to think that online IDs are no big deal; just don't say things that are provably untrue, that's all I'm asking.
Where exactly have they put forward a proposal? I checked on pornhub's FAQ and Press section, and on their parent company Aylo's site. I see nothing. What is the proposal they have? That we put some liability on sites and browser/OS vendors to implement RTA headers? Including non-commercial (e.g. FOSS) distributors? That seems like a much larger abridgement on speech, and without it, you could trivially work around the filter by e.g. running Konqueror off a flash drive.
As far as I know RTA headers date back to IE6, and have gone mostly unimplemented (neither Firefox nor Chromium have any parental control options in their settings). It's actually hard to find any information about it. I only know about it from trying to find out how the old IE parental controls dialog was supposed to work. It's almost entirely undocumented anywhere.
This article[0] claims pornhub is in favor of mandating age verification, but at the "device level" whatever that means (likely it doesn't mean anything).
So what's been proposed? To which lawmakers have they presented these proposals? Have they just gone completely ignored? Where are their press releases urging people get their solution passed?
You said they placed large banners in certain states. Why not in all states? Or are they only placing banners after they've already had regulation passed against them?
The ruling from the 00s was based on technology at the time, and considered what seemed to be the least invasive way to feasibly do it. At that time, you could actually run a network-level filter. Conceivably your ISP could do it for you. That is almost impossible now, and will be completely impossible soon (except very coarse filters like geo-bans or protocol filters).
So your remaining options are (1) do nothing, (2) put requirements on companies/customers (and use geo-network filters for sites outside jurisdiction), or (3) put requirements on end-software/device providers (and porn companies). There is of course precedent for (3) (the V-Chip), but it's not even clear that that's less onerous than (2). Especially since in the meantime there's actually been an industry that's developed and can make id verification take a couple seconds. I can answer some questions without presenting any documents to satisfy bank KYC regulations; maybe some of the wording is overly vague but it seems existing commercial systems for id verification would fit the intent for "commercially reasonable" systems. As far as I understand, laws are supposed to be vague in the sense of saying things like "reasonable" in order to allow "reasonable" to change over time.
Note also that this new crop of laws seems to all be about commercial services. Mastodon, etc. are not in scope (unless your Mastodon instance is a commercial porn site). They also have the now-standard exceptions for things with literary/artistic/political/educational value. The "porn is speech" issue is tautologically handled by saying the laws only apply to the non-speech variety.
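As an added example (not from the thread and not any browser's or OS vendor's code), this is the kind of check a device-side filter could run for the RTA label discussed above. It assumes the label string published by ASACP and that a site sends it as a `Rating` HTTP header or a `<meta name="RATING">` tag; the function names and sample pages are constructed.

```python
from html.parser import HTMLParser

# RTA ("Restricted To Adults") label string; assumed to be delivered either
# as a "Rating" response header or as <meta name="RATING" content="...">.
RTA_LABEL = "RTA-5042-1996-1400-1577-RTA"


class _MetaRatingParser(HTMLParser):
    """Collects the content of every <meta name="rating"> tag in a page."""

    def __init__(self):
        super().__init__()
        self.ratings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag != "meta":
            return
        attr = {k: (v or "") for k, v in attrs}
        if attr.get("name", "").strip().lower() == "rating":
            self.ratings.append(attr.get("content", "").strip())


def page_labels(headers, body):
    """Return every rating label a response declares (headers first, then meta)."""
    labels = [v.strip() for k, v in headers if k.strip().lower() == "rating"]
    parser = _MetaRatingParser()
    parser.feed(body)
    parser.close()
    labels.extend(parser.ratings)
    return labels


def should_block(headers, body, filtering_enabled):
    """Block only when the device has filtering on AND the site labelled itself."""
    if not filtering_enabled:
        return False
    return any(label.upper() == RTA_LABEL for label in page_labels(headers, body))


# Constructed sample responses (not captured from any real site).
LABELLED_PAGE = (
    '<html><head><meta name="RATING" '
    'content="RTA-5042-1996-1400-1577-RTA" /></head><body>...</body></html>'
)
UNLABELLED_PAGE = "<html><head><title>forum</title></head><body>...</body></html>"

if __name__ == "__main__":
    print("labelled, filter on  ->", should_block([], LABELLED_PAGE, True))
    print("labelled, filter off ->", should_block([], LABELLED_PAGE, False))
    # An unlabelled page passes: the filter depends on the site labelling itself.
    print("unlabelled, filter on ->", should_block([], UNLABELLED_PAGE, True))
```

The last case is the limit both commenters are circling: the check only works for sites that emit the label, and only in a client that looks for it.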
> "Please contact your representatives before it is too late and demand device-based verification solutions that make the internet safer while also respecting your privacy."
This is silly. The language here could not be clearer. You asked for a banner ad, they literally put a banner ad up saying, "contact your representatives and ask for device-based verification." RTA headers are a completed standard for content filtering. The fact that they're not implemented widely is because they're not legislated and have never been legislated.
> So what's been proposed? To which lawmakers have they presented these proposals? Have they just gone completely ignored? Where are their press releases urging people get their solution passed?
> The video’s release coincides with a previously unreported effort by Pornhub — and its private equity owners, Ethical Capital Partners (ECP) — to convince the world’s largest tech companies to intervene in the wider debate over age restrictions for digital porn and social media. [...] In recent weeks, ECP has lobbied Apple, Google and Microsoft to jointly develop a technological standard that might turn a user’s electronic device into the proof of age necessary to access restricted online content, according to Solomon Friedman, a partner at ECP. [...] One possible version of the idea, Friedman told CNN, would be for the tech companies to securely store a person’s age information on a device and for the operating system to provide websites requesting age verification with a yes-or-no answer on the owner’s behalf — allowing sites to block underage users without ever handling anyone’s personal information. [...] “We are willing to commit whatever resources are required to work proactively with those companies, with other technical service providers and as well with government,” Friedman said.
You are wrong. Porn companies are putting effort into this. You're moving goalposts for how much effort you think is fair, but what's wild is even with you moving those goalposts, you're still wrong.
What you're right about is that we haven't seen much progress in this area. Why not? Well, from the same article:
> But it is far from clear the effort is succeeding. Friedman declined to say how, or even if, the companies have responded to Pornhub’s communications. Microsoft declined to comment for this story; Apple and Google didn’t respond to requests for comment. [...] Friedman characterized the discussions as being in “early stages,” though his other remarks implied the talks may be largely one-sided.
So companies reach out to tech companies and encourage lawmakers to pass laws, they're ignored, and then you come along and say "well, they should have said something". They did. They have been saying something. You came along and argued that these companies have said nothing. That there's been complete silence. You're wrong.
----
> That we put some liability on sites and browser/OS vendors to implement RTA headers? Including non-commercial (e.g. FOSS) distributors? That seems like a much larger abridgement on speech
Well... it's not. It's not completely absent 1st Amendment concerns, but it certainly has less of them. Liability on the level of distributors is a much clearer 1st Amendment problem, we literally have Supreme Court precedent on the books saying that blocking distribution of porn can be unconstitutional. Congress passed laws about communication decency that got shut down -- that's why despite you suggesting otherwise, there is no federal ban on distributing adult material to children. We tried it, and the Supreme Court ruled it unconstitutional (https://archive.nytimes.com/www.nytimes.com/library/cyber/we...). And all of those issues still exist for these bills.
This is something you should do more research on; I glossed over some of your earlier comments about "it's already illegal to give porn to kids", but since we're talking about 1st Amendment challenges, I should point out -- it's not federally illegal to give porn to kids, and attempts to make it illegal have been struck down before.
> and without it, you could trivially work around the filter by e.g. running Konqueror off a flash drive.
If I may quote a wise commenter: "It's not perfect, but that's a silly reason not to do it."
Part of parental controls on an iPhone, Windows, or Android device could be restriction of installation of 3rd-party software. And it's not clear to me that legislation of non-commercial software or platforms is even required here. All of the major browsers (Firefox included) are commercial browsers owned by commercial for-profit businesses. That's even questioning whether they'd need to be regulated: like I said earlier, every one of these browsers already has controls for setting DNS settings through administrative policies.
If you're worried about non-commercial escape-hatches, bear in mind that the current bills you're championing only apply to commercial sites, which would not limit resharing, re-uploading, or access to sites that are operating outside of the US. I promise you that shady porn sites will still be available in Utah after this decision. You seem to believe that's an easy problem to solve, but you also seem to believe that it's an impossible problem to solve when we talk about filters, so who knows? You seem to believe a lot of incompatible things.
Nor do they limit VPNs and it is not that hard to find a non-commercial or free VPN or proxy. Every Google Fi Android phone ships with a free VPN that doesn't monitor what you're accessing. Apple has been pushing for mobile VPN support through iCloud as well, although their setup is a bit more limited and doesn't (yet) obscure your state. At some point your child will have a VPN available to them literally just because they have an iPhone and you buy iCloud.
Device-based filtering using parental controls isn't perfect, but it is a better solution. Because even ignoring the constitutional issues, the privacy issues, and the security issues -- I hate to tell you this, but there's porn on Mastodon. As you've pointed out, there's porn on Reddit. None of these laws target those sites, none of those sites have been sued.
The current laws being passed do not protect kids from porn. Objectively, factually -- we know this because the laws are in effect, and Reddit and Mastodon still serve porn in those states. This is not something that's debatable.
----
> but at the "device level" whatever that means (likely it doesn't mean anything).
Very, very obviously, it means age verification would be handled through parental controls on the device. This is not complicated.
Yes, a law would need to elaborate more on what parental controls were sufficient, but that's part of writing a law. You're confused at what "device level" protections are, but have no issue with laws offering zero definition of what reasonable standards of verification are?
Nevertheless, if you're genuinely somehow confused, Pornhub itself clarifies what it means by this on its own blog (where once again, it encourages users to push for alternate ID solutions): https://www.pornhub.com/blog/age-verification-in-the-news
----
> The ruling from the 00s was based on technology at the time, and considered what seemed to be the least invasive way to feasibly do it.
Citation very much needed, rulings from 00s are still established case law. Nobody at the Supreme Court has said, "hey y'all just ignore these that was back when we thought networking was easier."
Also... you can still block network requests. A general reminder that uBlock Origin, 1.1.1.3, browser-level malware blocks, and Piholes are all things that work today and are going to continue to work for the foreseeable future even with encrypted DNS lookups.
----
> You said they placed large banners in certain states. Why not in all states? Or are they only placing banners after they've already had regulation passed against them?
You're moving goal posts. The fact is, you claimed that porn companies had made zero efforts to propose alternatives. And that's not correct, they have proposed alternatives. You claimed that they had never come up with standards for labeling. That's wrong, they came up with standards all the way back with IE6.
But now you can move to saying that the problem is that they didn't do enough advocacy. Personally, I feel (and the constitution agrees with me) that when an alternate solution for furthering state interests exists that doesn't abridge free speech, the state is obligated to pursue it -- that's part of what strict scrutiny requires.
----
> They also have the now-standard exceptions for things with literary/artistic/political/educational value. The "porn is speech" issue is tautologically handled by saying the laws only apply to the non-speech variety.
God, please grant me the confidence of a HN commenter saying that speech distinctions are handled by a bill saying "don't infringe speech." There is no reliable test for where to draw that line, it's silly to let the government decide where that line is on a case-by-case basis, there have been multiple Supreme Court cases pointing out that the government drawing that line on a case-by-case basis is unconstitutional, and we have political leaders on the books saying that they want to use proposed Internet filtering laws to abridge LGBTQ+ rights.
You yourself aren't applying those qualifications when you think about this -- you've argued elsewhere that somewhere between 30-40% of Reddit content is porn. How much of that porn has artistic/literary/political/educational value? What percent of Reddit porn is and isn't speech? Of course, that's not an easy question to answer.
So they put up a banner after these laws went into effect, only in states affected. My original point was where were their banners during the last 20 years? Obviously people have felt there's an issue. They did not put forward their idea. Other people did (even if it's a bad one). The article you posted also claims
> In recent weeks, ECP has lobbied Apple, Google and Microsoft
i.e. they were not doing it until they found themselves being regulated.
Your quote indicates that device based age verification is not filtering:
> One possible version of the idea, Friedman told CNN, would be for the tech companies to securely store a person’s age information on a device and for the operating system to provide websites requesting age verification with a yes-or-no answer on the owner’s behalf
How you get that information is not specified. The rest of the article implies the idea is your phone would store your government id. What they're suggesting seems compatible with these laws. Their suggestion is even explicitly spelled out as acceptable in the Utah law. Utah seems to already have an app for the device side to handle the id. This site seems to be a demo of how to query it?
Like now I really don't understand what they're suggesting. They seem to be happy with what's being asked of them (at least in Utah and Louisiana)? Maybe they're still upset with Texas (though where they lack an existing system, they provide stronger privacy liability for a third party), but what's the issue with Utah?
Why are they starting discussions with Apple and Google to build it? Shouldn't they be integrating with the wallet provider who already has?
Are they upset that the timeline for integration was too short or the id app was missing part of the implementation? Why don't they complain about that if so?
My read at this point is that this is more an attempt at a stalling tactic. They seem to suggest they're not even actually against mandatory age verification because at this point, it seems to have already been thought through and implemented in a privacy friendly, standardized way by at least two of these states.
On the tangent, most (all?) states have obscenity laws about giving e.g. porn to kids. Movie ratings are not mandatory because they are not obscenity without artistic merit. An R rated movie will be safe. A porn movie likely not. The government doesn't decide the artistic merit question; a jury does (it is a question of fact, not law).
Arizona where I grew up has a law specifically covering vending machines like Redbox, and says that if you did want to make a porn Redbox, you'd need to have a way to ensure the customer is an adult (e.g. a membership card or token that you buy with an id check). As far as I know no one's challenged it.
> So they put up a banner after these laws went into effect, only in states affected. My original point was where were their banners during the last 20 years?
No, your original point was, and I am literally quoting you here:
> They should be proposing systems that they believe are reasonable to meet their obligation, but they are not. Instead, they've gone from at least requiring credit cards to... absolutely nothing. They've frankly brought this on themselves.
This is categorically false. Not only are they proposing alternatives, not only have they only pulled out of states that do not offer a government ID system (even though it's offered criticism, Pornhub has not pulled out of Louisiana), they also proposed systems way before this legislation took effect -- like you said, RTA standard has been around for ages.
No, Pornhub has not preemptively lobbied for it to be legislated, but that is hardly unusual and hardly a cause for criticism; companies generally don't preemptively lobby for themselves to be legislated unless they're shooting for regulatory capture. Quite frankly, usually when companies lobby against regulation, they don't put forward alternatives. It's unusual that content companies are going this far out of their way to try and help solve the problem instead of just pointing out flaws with the government proposal.
----
> Like now I really don't understand what they're suggesting.
There are several ways of approaching this: one is to do age verification using a standardized system -- ideally that system would be standardized on a federal level. Where states have such a system, Pornhub hasn't pulled out. This is the least-good solution, but it is a solution that Pornhub in specific seems to be generally fine with.
A better way of approaching this is to do age verification using a standardized system that is purely device-bound -- ie, a system where a flag is set purely locally, possibly with one-time verification through a company like Apple or Google, and where requesting websites are sent no data other than a general "yes/no" byte alongside requests. This would be a considerably better system for privacy and security, and it is the ideal that Pornhub in particular is advocating for. One reason why this system would be better is because once verified, verification data would never need to be transmitted off-device at any point. It would also not run the same risks of training customers to upload ID information to arbitrary websites, which is a large phishing risk.
Pornhub's stance on this is weaker than my own. I would prefer for this to be handled entirely through filtering. In practice, the vast majority of parents can easily enter an age into a device when creating an account, and then any standardized age verification system could pull from that parental control with no need to ever expose sensitive ID information to even Apple/Google/Microsoft. Or, even better, parents could be given the option to be more granular with their filters, relying on devices to filter specific content and pages based on their own determinations about what their children can and can't see.
Pornhub also advocates for filtering solutions, but is comfortable with verification/blocking if there are systems in place that make that secure and private.
I don't know the specifics of Utah's digital ID system, but given that Pornhub hasn't pulled out of Louisiana, I would guess the reason they have pulled out of Utah is because they believe that Utah's system isn't secure enough or comprehensive enough to meet their needs. I can only guess what the reason would be -- whether it's a lack of desktop support, or whether the app transmits more data than Pornhub would like to receive, or some other critique. Maybe they will eventually adopt that system in Utah.
But the biggest critique Pornhub has around these laws is a de facto requirement to use 3rd-party ID systems or to collect data themselves. Because they (very correctly) point out that 3rd-party ID systems have security risks, are generally run by shady companies, and generally teach users bad data and privacy habits. Again, their stance is less extreme than mine, Pornhub is only lobbying for a workable ID system, I would argue that these ID systems are inherently insecure, inherently raise 1st-Amendment questions, and as designed fundamentally do a worse job of protecting kids than labeling laws would. I would also argue that several of the states pushing these laws have directly proposed creating registries of trans and LGBTQ citizens and that like 3rd-party verification industries, those governments themselves should also not be trusted with touching ID verification data at all (again, I would note that none of the bills bar collection of data for these purposes).
But Pornhub is OK with those systems... if they exist and are (somewhat) secure and private. Pornhub has some other critiques that I think are pretty reasonable (and that have been spelled out in the articles that I've linked), including the fact that the enforcement mechanisms (lawsuits rather than direct regulatory action) generally leave smaller and less responsible porn sites untouched and make kids more likely to visit them. And we've already covered how these laws fail to protect kids from porn spread on general social media like Reddit and on non-commercial sites like Mastodon. But the most basic critique Pornhub has is that the 3rd-party ID verification ecosystem as it exists today makes it dangerous to do this kind of verification.
> Why are they starting discussions with Apple and Google to build it? Shouldn't they be integrating with the wallet provider who already has?
A general solution here built into platforms is obviously preferable to a state-by-state solution, particularly given how bad most states are at building secure software. It makes a ton of sense to work with Apple and Google directly on this -- governments themselves should be working directly with Apple and Google on this.
----
> My read at this point is that this is more an attempt at stalling tactic.
Okay, think through this for a second. This doesn't make sense. Pornhub is pulling out of these states. Pornhub does not win in any of these interactions; there's no benefit to Pornhub to stalling, every day they stall hurts their business.
Paypal "stalls" when I try to withdraw money because they get something out of it, they get continued interest on the money they hold. Apple "stalls" on app store regulation because they get something out of it, they get continued revenue from the app store while regulators go back and forth with them. Pornhub doesn't get any of that -- they get zero revenue from these states while this is being litigated.
This does not make sense as an analysis. If Pornhub thinks that they're going to need to go back to these states, they lose more money the longer they wait. Clearly there's something else here going on other than just greed.
----
> Movie ratings are not mandatory because they are not obscenity without artistic merit. An R rated movie will be safe. A porn movie likely not.
What percentage of Reddit porn doesn't have artistic merit? This is nonsensical, you're still looking at a situation where 50 Shades of Grey and Game of Thrones are legal to show to children. That content would rightly fall under NSFW classifications on most sites, and I think most adults would agree that content shouldn't be shown to minors. By any reasonable definition, 50 Shades of Grey and Game of Thrones contain pornographic content. But it's still legal, and you're arguing that this kind of content wouldn't be covered under these laws.
> As far as I know no one's challenged it.
This does not necessarily mean that if it was challenged, it would hold up. Most of the movie industry voluntarily restricts access beyond what the law requires. What we do know is that when these laws have been challenged, particularly on the federal level, and particularly where the Internet is concerned, they've been difficult to defend and have been struck down in high-profile cases (https://en.wikipedia.org/wiki/Communications_Decency_Act)
Regulations on technological capabilities are not free from constitutional risk, but they are far less likely to run into these problems.
Now, if your point here is that these filtering laws are only going to protect kids from X-rated full-on smut with no plot, and that artistic pornography won't be covered -- then these aren't effective laws. They're not protecting kids. Yes, we have obscenity laws in the United States, but if we're going to go in-depth on those laws, we have to start with the point that "porn" and "obscenity" are not the same thing legally speaking. Porn can be obscenity, but not all porn is classified that way. You draw a bright line between R rated movies and X rated movies, but it's not the government that makes that classification, it's a completely arbitrary industry-drawn line. Where content online is concerned, there is no easy test to determine whether a pornographic piece of art or video has artistic merit -- and in fact R-ratings are not based on artistic merit or social value, only on how graphic or disturbing the content is.
Yet the laws you're championing require making that distinction on such a large scale that we would be able to tell what percentage of a website consists of obscenity. It's not realistic, it can't be done without disregarding 1st Amendment concerns.
If you're trying to protect kids from porn, it is not enough to target obscenity -- there is plenty of 1st Amendment protected pornographic speech that should never be shown to children. Which is why filtering laws in these situations are preferable; because they dodge (some) 1st Amendment concerns while allowing parents agency to filter material that would not fall under obscenity law, but that is still probably not a great thing for kids to look at.
I suppose I conjugated my verbs poorly then; the poor agreement between "should be" and "have been" may have hinted at that, but conceded: I should have written that they "should have been".
Like I said it's quite difficult to find information about this stuff. I don't even know if RTA is what IE used. It's not clear that anyone notable ever implemented it. I don't see it referenced on bugzilla.mozilla.org. Mozilla came up with their own proposal (Prefer: safe) in 2014 and actually submitted it to IETF, and didn't reference the Rating header. Did anyone try to tell them about it? They had like a 30% market share at the time. I can't find any references to it on issues.chromium.org either. I don't see any discussions on chromium's developer mailing list archives. I don't see it on the Android archives. Did they bring it to a lawmaker? To any standards body? To anyone?
Did they even reach out to tech companies like they said?
The howto for android https://www.rtalabel.org/index.html?content=howtoandroid just says you need to agree to their terms, gives no instructions, and has... an ad for travel services. Is there even an android implementation? This seems to be representative of the effort here.
Anyway, my original point was that the whole discussion seems to be disingenuous. They say they want an on-device age verification, and they even said that specifically in response to Utah's law. But Utah explicitly allows that already.
The reporting sucks. They didn't link to the laws. Almost none of the articles about this even name the laws (e.g. SB 287) so you have to go searching for it. The reporters don't seem to bother to read the laws, even when they're only 2 pages long. That CNN article says Pornhub doesn't like Utah's law because they want on-device verification. Utah's law explicitly allows for that, and they already have a working system. It's in fact an ISO standard, and seems to have wide traction building among US states:
(Incidentally, that site seems to be exactly what it looks like when someone is actually advocating for a proposal)
Why don't the reporters ask for some clarification on what they don't like about the law? Or the system? On their face, their complaints seem to be silly.
It's also disingenuous to characterize KYC services as shady. Their main customers are banks, and they're going to undergo annual audits for SOC 2, ISO 27001, etc. because every bank requires that. Their entire business is legal compliance as a service. If the law says not to store your info, they won't.
Pornhub may not be used to people who think this way, but in the financial services sector where these vendors currently operate, compliance with the law is just an assumed baseline feature. It is entirely normal for customers to have their own security architects examine your architecture documents, have multi-month back-and-forths about how to ensure legal requirements will be met, and require annual third party audits and penetration tests of your system. A company I worked for had a system to help automate answering these kinds of questions because they come up constantly.
Service providers here also already have to deal with both retention requirements and non-retention requirements like CCPA, and figuring out which data has which requirements. Pornhub's use-case is less complicated.
They complain they don't want to store whatever info. But the laws don't say they need to, and in fact say they must not. If they need help, there are companies who sell exactly that service.
Why don't the reporters ask for clarification on what appear superficially to be contradictions?
> Like I said it's quite difficult to find information about this stuff.
Quite honestly, I don't think it is. I'm not an expert on this, I'm using the same search engines you're using. I'm able to find stuff online.
> I don't see it referenced on bugzilla.mozilla.org. Mozilla came up with their own proposal (Prefer: safe) in 2014 and actually submitted it to IETF, and didn't reference the Rating header. Did anyone try to tell them about it? They had like a 30% market share at the time. I can't find any references to it on issues.chromium.org either. I don't see any discussions on chromium's developer mailing list archives. I don't see it on the Android archives
This is a lot of critique that boils down to "browser makers and lawmakers didn't implement it." But porn companies are not in charge of browsers. I could ask the same question in the opposite direction -- lawmakers have literally entire teams of paid staff to research this stuff, they are literally required by law under strict scrutiny to research it... and like I said above, I'm able to find information when I search online. So why weren't they able to find anything?
I don't think this is an excuse, I don't think lawmakers need to be babied about looking for potential solutions to bills when strict scrutiny is in play. Strict scrutiny does not say that the government should be narrow and specific and research alternatives unless nobody sent them an official proposal on letter paper in which case how were they to know, we can just do whatever, all rules are off. Strict scrutiny places an obligation on the government to do research.
----
> That CNN article says Pornhub doesn't like Utah's law because they want on-device verification. Utah's law explicitly allows for that, and they already have a working system. It's in fact an ISO standard, and seems to have wide traction building among US states:
Looking more at it, I will say that MDL looks reasonably interesting, there's stuff here that I like quite a bit. I will also say that it's not available on Windows, Mac, or Linux, and that it doesn't look like it will ever work via 3rd-party ROMs. But sure, other than that it looks promising. And maybe Pornhub will adopt it at some point, I do think this system looks like it would be an improvement over a lot of ID verification I'm forced to do for services with KYC rules. So I'm all for that.
I will also point out that it's not available in Texas. And we have talked about this, you can't treat these laws like they're some kind of composite whole where one state addressing a problem means the other states no longer have that problem. Okay, you think that Pornhub is being disingenuous about Utah? Fine. The original link at the top of this thread is about VPN usage surging in Texas, which does not implement an MDL standard.
----
> The reporting sucks. They didn't link to the laws. Almost none of the articles about this even name the laws (e.g. SB 287) so you have to go searching for it.
> [...] Why don't the reporters ask for clarification on what appear superficially to be contradictions?
This is not specific to these laws, all political reporting about bills has this problem. Every time that I want to find the original text of a bill that's being reported on by even mainstream sites, I have to search for it. Could it be better? Sure, I regularly advocate that reporters should link to bill text. Do reporters in most interviews tend to ask only softball questions (regardless of who they're interviewing)? Yes. Does that common problem get rid of criticisms of the bills? No, it doesn't.
----
> It's also disingenuous to characterize KYC services as shady. Their main customers are banks, and they're going to undergo annual audits for SOC 2, ISO 27001, etc. because every bank requires that.
I will 100% stand by my representation. Common KYC services are shady. Credit reporting services are shady. This entire information economy is shady; it doesn't matter if they're working with the government. We're only a few years out from Equifax (which is used for customer verification sometimes) leaking the financial information of nearly every single adult American in the US. But what, they work with banks? They work with the people who haven't learned how to do proper 2FA yet? They work with the people who retain massive amounts of customer information and offer credit cards that are privacy nightmares? I have bad news for you about bank privacy in the US. None of these companies have a good track record on this.
I fully stand behind my characterization of them: these services are shady and should not be expanded recklessly to other areas of our life. I think that's an easy conclusion to draw.
> Their entire business is legal compliance as a service. If the law says not to store your info, they won't.
3rd-party KYC services fundamentally can not work without storing your info. Like, by definition -- the requirement is literally know your customer. That involves... knowing them. And comparing pre-gathered information is still storing info. You can not do a "verify your identity by telling us something we already know" question without already knowing the answer to the question that you're asking.
> They complain they don't want to store whatever info. But the laws don't say they need to, and in fact say they must not.
We have been over this multiple times already: no they do not. None of these laws ban storing metadata or linking identities to requests by these 3rd-party companies. There is nothing in these laws that clearly prevents a 3rd-party ID service from aggregating data about which users have accessed porn. None of these laws ban government storage of information (and once again, states have said that they want to have databases of LGBTQ+ citizens). The majority of these laws do not offer sufficient penalties to incentivize companies not to violate restrictions (user-brought lawsuits are not sufficient, data privacy laws get violated all the time). None of these laws clarify how long information can be retained and most don't clarify what damages a user would actually be entitled to if their information was leaked.
----
I do want to loop back around to:
> Anyway, my original point was that the whole discussion seems to be disingenuous.
These bills have problems. At their best, even if MDL turns out to be great and private -- they're still going to increase user propensity to fall for phishing attacks, they still use a selective enforcement mechanism that will let off the worst actors, they still have 1st Amendment concerns, they still don't really address the majority of porn online (I will remind you that Reddit demands verification in zero of the states that have passed this legislation), they still have insufficient protections against data retention. They still require distinguishing between obscenity and porn on a scale that is impossible to do without abridging 1st-Amendment speech, and they still hew closely to similar federal attempts to legislate porn that have been ruled unconstitutional.
And we're reaching the point where we're basically arguing over "has Pornhub done enough? Why haven't they looked at this standard? Why didn't the government look at this standard? What is everyone's intentions?"
I want to take a step back and say that even if Pornhub did absolutely nothing (which again, I would argue they did not), that doesn't change anything at all about the objections to these bills. And if we're talking about disingenuous, it feels disingenuous to have a conversation that's constantly bouncing between incompatible statements like "this protects kids", and "R rated movies like 50 Shades of Grey wouldn't be covered", and "Mastodon wouldn't be affected" -- and to have all of those problems and contradictions swept under the rug in favor of "but Pornhub was asking for it."
We can look at the laws as implemented today and look at their effects and we can say objectively and indisputably -- they are not working. A lot of porn is still available in those states. So what the heck is the rest of this conversation? You don't need much evaluation beyond: you passed the law and r/insert-depraved-porn-sub is still available in your state without age verification, so... the law didn't work.
I do still feel like you're looking at this through a lens that misrepresents what most lobbying effort and what most political reporting looks like on every issue. But you know what? It doesn't matter. You think that Pornhub should have gotten more involved, great, that's very idealistic. You want political reporting to get better, great, that's an effort I can get behind. It doesn't mean that these bills don't have 1st Amendment concerns, don't contradict themselves in talking about retention and data collection while advocating 3rd-party services that literally can not operate without collecting data, it doesn't mean the bills aren't vague. And it doesn't mean the bills work. And I'm sorry if you don't like porn companies, but these are still bad laws. I'm sorry if you think that porn companies aren't playing nice, but you're still spreading misinformation about ID verification and 1st Amendment protections as they exist today that is just not true.
What is the disingenuous thing here: litigating whether or not Pornhub cares enough about kids, or dismissing obvious problems with legislation and spreading misinformation about that legislation just because you don't feel an industry was proactive enough in preempting it? I'll loop around again to -- I don't even care if you support the laws; fine. But don't say things about the laws that are not true.
Passing a law and actually enforcing a ban are very different things. In the case of porn the big corporate sites have no choice but to comply. VPN providers don't really care. Unless the state of Texas can manage to find and block every IP address of every VPN server worldwide, people are going to get through.
I doubt Texas will. How would they enforce it? And good chance the federal courts will rule it is pre-empted by federal law (the FCC).
For historical (and arguably even political) reasons, federal courts give the states a bit more leeway when it comes to adult content. But regulating general purpose content-neutral VPNs would really be stepping directly into the FCC’s domain, in a way which would directly impact interstate commerce, and I doubt the courts would let them do that.
But I doubt it would ever get that far. It would be a huge burden on every large corporation operating in Texas, if interstate traffic had to go through some legally mandatory firewall or content filter. The Texas state legislature is generally pro-business, and if almost every major corporation in Texas would be lobbying them not to do something, I doubt they'll do it. And, in the very unlikely event the legislature ignored that lobbying and did it anyway, and the Governor didn't veto it – then those corporations would likely go straight to petitioning the FCC, and I think it is likely they'd succeed in convincing the FCC in overruling it.
The major problem here is that our government is turning us all into criminals. Using a VPN doesn't make it legal for you to consume anonymously, even if doing so makes it harder to enforce, at least for now. Soon VPN use will be illegal in some states. Once again, hard to enforce. But these are things which, if for some reason the gov't decides to target you (in which case they can/will spend the effort to discover), can be used against you.
This is not a technology problem, it's a legislative one. It's another example of some of us using the power of the government to constrain other people's behavior.
"Our government" isn't doing it, some very specific ones are. And the people they represent are 100% behind all such laws. This is the democratic process working exactly as intended.
Constitutions are supposed to prevent laws like this. Because it is all too easy to make people forget the principles their democratic system is based on and without which it will degenerate into a tyranny of the majority.
Isn’t “constrain(ing) other people’s behavior” kinda the point of law? If you’re trying to make a point you’re gonna have to be more specific. Preventing rape, theft, and murder are all instances of “behavioral constraint”, without any qualifiers you’re artificially inflating the magnitude of the situation
The issue is that for a large portion of the population, porn consumption is not considered immoral or, even if it is immoral, not an offence worthy of calling someone a criminal over.
We all know that laws are not a good indicator of morality, but society is better when we try to align laws over time with our moral code.
The laws aren't against porn consumption or even anonymous porn consumption. They're about distributing porn to children, which most people are in alignment that we don't want to allow.
These age verification laws all mandate that no identifying information be kept. The Texas law has a $10,000 penalty per instance for record retention. It's still perhaps not the best way to do it, but people are being very disingenuous in their characterization of these laws. It's not that much different from requiring people to show ID at the door of an adult store.
Even assuming that an age check can be done in a privacy-preserving way*, it is naive to assume that such measures are effective at preventing people from getting access to porn. Sex is one of the strongest human drives and we are not in the 80s anymore when magazines and videos were the primary media for porn.
*: are those verification schemes set up such that also the government doesn't get to see who accesses which sites?
I don't think it's as intractable as people make it out to be: require porn sites to do some level of due diligence. "But what about sites outside of US jurisdiction (e.g. Russia)?" Require ISPs to have a setting for customers to opt into blocking them. The reality is no one in my household ever has any reason to communicate with Russian, Chinese, etc. or even almost any European servers (maybe there could be exceptions for news, government, and university orgs), so it makes sense for us to just block them.
There you go. You just eliminated pretty much all access for children to online commercial providers.
It's not perfect, but that's a silly reason not to do it. We don't let kids into adult bookstores just because they could (currently) easily get it online. We don't let them buy drugs and alcohol at stores just because they could find an older friend to get it for them. It is already illegal to provide porn to children. Businesses (mostly ad-based ones) have just been getting away with being completely negligent about it for the last 10-20 years.
The Utah law for example seems to specify that either the user provides a digital id, which seems to be a sort of signed message from the state that they've saved into a secure element (so not doing realtime checks with the government. It's not really specified how it works, but it says they can save an ID file to their phone), or use a commercial knowledge based auth solution. So yes, it seems that it's been specified such that the government does not get access to that information.
VPNs still make it possible to access everything. Gotta have to ban these as well.
It seems like regulatory overreach into something which in the grand scheme of things is a very small problem. Today it's porn sites, what will it be tomorrow? Once in place, such laws will be very hard to repeal out of "think of the children" concern. In reality, such laws are never just about children.
Also, what even counts as a porn site to begin with? Is Reddit one, since it has lots of well-known porn subreddits? Do classic web forums for a similar purpose, or Whatsapp groups or Facebook count too? (Don't know how strict their content policy currently is)
The goal isn't to cut access. It's to cut access for children. And again, just because they can find a way doesn't excuse businesses doing exactly nothing to avoid serving them as customers, which they know is already illegal. Most children don't have the means to buy VPN access. There are also off-the-shelf routers that block common VPN protocols (though that may mostly only exist for business tier equipment right now).
Reddit is exactly the type of site that demonstrates the need for some regulation. They have major forums targeted at children (e.g. teenagers, roblox, minecraft) with millions of members, but half their site is porn, and there is no barrier between the two. You'd need to MITM and inspect which forum someone is on to figure out if it should be allowed.
You could say "just block the whole site", but if pornhub had a porn-free comment area labeled "teenagers" (for teenagers to discuss with each other, not for inappropriate images of teenagers, though reddit infamously had that too, and made a special "pimp daddy" trophy for the moderator that ran it), people would reasonably ask why a porn site has a kids section, and demand that even if the business wants to be in both spaces, the websites must be separated.
2. It can be very difficult to tell what effect media has on you, and just because you do not (say) find yourself traumatised or find that your perceptions have been overtly altered does not mean you have not been negatively affected. And you will certainly never be unaffected by anything you experience or do. This is something that I've become more sensitive to and aware of as I've gotten older. And further, it is only through this sensitivity and awareness, and acceptance of the fact that I cannot just decide by fiat how things will affect me, that I have gained some measure of control.
What you wrote sounds a bit like "As a minor I have lived in an asbestos building and I can assure you I was not harmed". How do you know?
As far as I know, there are many scientific studies that disprove what you've said - and that porn has, in fact, a harmful effect on young minds. Of course there are many other harmful things that we nevertheless accept, like alcohol, cars or cigarettes. So maybe we can, as a society, decide that letting kids watch porn is OK and not worth the alternative (privacy intruding regulations). But arguing that it's not harmful at all is not, I believe, scientifically justified.
Pornography is one of the most powerful forms of control, because you cooperate in your own enslavement. Because of the deranging and darkening effect it has on the mind, you become increasingly less aware of what's actually happening to you, less conscious of the self-destruction you are employing against yourself.
And because it functions this way, it has also been instrumentalized. Sexual "liberation" is political control. Wilhelm Reich essentially wrote the playbook here, though we see plenty of precursors, and in the Enlightenment tradition, Marquis de Sade stands out (though he did not have access to mass media like we do).
As Chesterton observed, such "freedom" is the most transparent of all bribes that slavery can make to rob us of our freedom. Pleasure is far more effective than pain because it conceals the coercive nature of the act. Marcuse saw such things as a conservative force masquerading as "liberation", one intended as a distraction (like bread and circuses) and a way of sapping the attention and energies (and I would add intelligence) of those who partake that could otherwise be used toward criticism. The deranging effect is the worst effect of all, as such, but also because its effects can far outlast the period of consumption.
That people can use VPNs is not a substantive argument against bans or restrictions on pornography.
What you see wrt/ porn and liberation, including sexual liberation, is a step forward, not the end result. So it's not going to be perfect, it's going to have people abuse it and others through it, but the solution is not to go back, but to incorporate what we learned from it, and move forward. Respectfully, Wilhelm Reich is a pseudoscientist, I can't really take his thought on the matter seriously, especially on matters which evolved quite significantly since his observations.
People really do control other people through not just coercion. We can see a modern way of doing this in governments and corporations, currently being called Public Relations.
Consider that control cannot be exercised completely arbitrarily. Most of the time, people who want to control have to use what they have available, so that other people don't resist as much. This means that whatever is there, it will be used for control, but it doesn't mean that the thing exists for the main purpose of control. This is circling back to liberation of all sorts - these don't happen because they want to control us, liberation is happening as a large-scale social change and people who want to control co-opt it for their own purposes. Since it's happening either way, it's an opportunity for them to further their own goals as well.
Which one are you using? It's overpriced and it sounds like a bad experience. Fortunately most VPNs you'll find are cheaper and better than what you're describing!