I provide whatever I think is useful for the discussion.

I heard Codeberg already struggles with spammers, so I get that. But letting big surveillence data companies like the credit card companies solve this, seems like one of the worst ideas. I’ve seen e.g. discourse use a gradual trust system, there likely are other ways.

I wasn’t arguing against Passkeys, just pointing out how they are often perceived.

I was definitely arguing against TPMs, however. https://gist.github.com/osy/45e612345376a65c56d0678834535166 https://pluralistic.net/2024/01/18/descartes-delenda-est/#self-destruct-sequence-initiated https://www.elevenforum.com/t/tpm-2-0-is-a-must-they-said-it-will-improve-windows-security-they-said.13222/ https://scispace.com/pdf/tpm-2-0-uefi-and-their-impact-on-security-and-users-freedom-2e1ldhodqq.pdf https://www.gnu.org/philosophy/can-you-trust.en.html (But Passkeys apparently don’t need them, see my KeepassXC mention before.)

Passkeys seem to be advertised in ways that puts people off (edit: not saying that makes them bad):

• TPMs, Secure Enclaves, etc. are deeply closed-source and security by obscurity. Until there is an open TPM implementation available, many users may prefer not to rely on them. It seems like KeepassXC allows circumventing TPM for Passkeys, but most people probably don’t know that.

• Too much “trust me bro, my cloud is safe” advertising from big Passkey advocates like Google to try to get people to use their invasive services.

• A classic hardware key may be indistinguishable from a normal password being entered. But Google has announced they want to push passkeys against user’s wishes here: “Is opting-into passkey mandatory? No, […]. However, over time, as users become more accustomed to passkeys, we might limit where we allow passwords to be used because they’re less secure than passkeys.” Again, not a great look.

• Collecting biometric data is always dangerous, too many attack vectors during processing. I’m aware that Passkeys can be used without that, but many people may be put off by that push.

I think that’s why Passkeys have poor adoption among privacy advocates, even though most problems seem fixable.

Caring about privacy and caring about the details of a security protocol are distinct. You’d be surprised how many people who care about privacy are deeply wary of passkeys because of the biometric factor, which is unfortunat

Gitlab.com has similar problems, sadly. Meanwhile, I haven’t ever heard of Codeberg doing somethign similar, but who knows I guess.

Gitlab has a horrible UI when you have a smaller screen or lower end device, and I heard also not really great server-side performance compared to forgejo and gitea.

Also, the gitlab.com instance randomly blocks people or demands their credit card data.

It is shocking that this (apparently???) doesn’t seem to be illegal.

AGI talk seems for now to be merely hype to get investors.

LLMs seem likely to be dead end for any logical thought: https://www.forbes.com/sites/corneliawalther/2025/06/09/intelligence-illusion-what-apples-ai-study-reveals-about-reasoning/ This means at the end of the day you just get a sloppy illusion with no useful coherence as soon as it exceeds the complexity of a literal lazy copy&paste job: https://fortune.com/2025/08/18/mit-report-95-percent-generative-ai-pilots-at-companies-failing-cfo/

There is currently no technological innovation to fix this. Instead, AI progress seems to be stalling: https://futurism.com/artificial-intelligence/experts-concerned-ai-progress-wall

LLMs seem likely to be dead end for any logical thought: https://www.forbes.com/sites/corneliawalther/2025/06/09/intelligence-illusion-what-apples-ai-study-reveals-about-reasoning/ This means at the end of the day you just get a sloppy illusion with no useful coherence as soon as it exceeds the complexity of a literal lazy copy&paste job: https://fortune.com/2025/08/18/mit-report-95-percent-generative-ai-pilots-at-companies-failing-cfo/

There is currently no technological innovation to fix this. Instead, AI progress seems to be stalling: https://futurism.com/artificial-intelligence/experts-concerned-ai-progress-wall

Therefore, it’s not naive to assume it may go nowhere until proven otherwise.

Seems like part of the problem is that once they identify AI being involved in a contribution, they’re not rejecting it immediately.

I disagree TPM is a good candidate.

And I think many of us reject the premise we should submit to any central id provider for half of the internet in the first place. There are less risky approaches: https://www.politico.com/news/2025/10/13/california-law-online-age-checks-00606115

Here are my sources:

1. https://pluralistic.net/2025/08/14/bellovin/ (I don’t agree with every bit of that article.)

   In practice, the security and privacy guarantees of the CL protocol require two different kinds of wholly independent institutions: identity providers (who verify your documents), and certificate authorities (who issue cryptographic certificates based on those documents). If these two functions take place under one roof, the privacy guarantees of the system immediately evaporate.

   (“CL” seems to refer to a common zero knowledge proof algorithm.)

2. https://github.com/eu-digital-identity-wallet/av-doc-technical-specification/blob/main/docs/architecture-and-technical-specifications.md#332-enrolment-methods-without-existing-identification

   Technical Requirements: An Age Verification App shall support the following: […] Request from the operating system a tamper-evident attestation of AVI properties

   (As far as I know, they mean device attestation with this where you no longer fully control your device.)

3. https://github.com/eu-digital-identity-wallet/av-app-android-wallet-ui/issues/20

   The EUDI Wallet team is participating in a wider, EU-wide collective sleepwalk into a serious trap: You, along with the entire EU Digital-Identity movement, are hard-wiring the EU’s civic governance to Apple and Google’s hardware and software stack.

4. https://github.com/eu-digital-identity-wallet/av-app-android-wallet-ui/issues/15

   Requires accepting “Terms of Service” to access basic functions of being a citizen. Your demo video shows you requiring accepting “Terms of Service” and “Data Protection Information” which I guess should really be “Privacy Policy”.

Feel free to share your sources.

I am referring to the EU Wallet age verification app: https://github.com/eu-digital-identity-wallet/av-app-android-wallet-ui/ Sorry that I forgot to link it.

And just because it might beat PostIdent, doesn’t mean it’s sane to give up online anonymity for age checks everywhere. The EU claims the wallet will allow anonymous age checks, but if they ever tracked you, pretty sure you wouldn’t know.

Sorry if I misread your post, but hopefully this comment of mine is relevant:

In my humble opinion, the digital wallet is horrible, because as far as I can tell 1. it requires Google device attestation so all custom ROMs are out and to be a citizen you can apparently no longer own your device, 2. unless you use iOS or Android you’re apparently not a citizen and you can’t e.g. purely use Linux (this is as far as I know not the case with the German AusweisApp), 3. once everyone is used to using some citizen app like that, I feel like a fascist government could easily tie it to a social score or other authoritarian measures bewyond the age verification. 4. There is a privacy friendly alternative approach for age verification anyway, that most governments seem to conveniently be ignoring: https://www.politico.com/news/2025/10/13/california-law-online-age-checks-00606115

Also see here on the EU apparently trying to make this mandatory: https://leminal.space/post/31858818/21120139

The EU has apparently decided that this has to be done for most public platforms by July 2026, so Discord may not have much of a choice and other platforms will likely follow: (Edit: I forgot, the EU strict age verification stuff seems to be limited to EU DSA’s definition of “platforms” so as a text messenger I’m not sure Discord is part of it. But this’ll still likely be coming to more services near you and perhaps Discord is just voluntarily joining the chaos…)

I could be wrong I’m not a lawyer, assume everything I write from here is bullshit, but see here:

https://www.mlex.com/mlex/articles/2368265/online-services-get-up-to-12-months-to-apply-age-verification-eu-guidelines-say “Online services get up to 12 months to apply age verification, EU guidelines say” This was in July 2025.

EU guidelines in question seem to be: https://digital-strategy.ec.europa.eu/en/library/commission-publishes-guidelines-protection-minors + https://ec.europa.eu/newsroom/dae/redirection/document/118226 Quotes:

“[…] the Union legislature enacted Article 28 of Regulation (EU) 2022/2065 of the European Parliament and the Council (6). Paragraph 1 of this provision obliges providers of online platforms […] to ensure a high level of privacy, safety, and security of minors, […]”

“Self-declaration is not considered to be an appropriate age-assurance measure as further explained below.”

“In the following circumstances, […] the Commission considers the use of access restrictions supported by age verification methods an appropriate and proportionate measure to ensure a high level of privacy, safety, and security of minors: […] an online platform accessible to minors has identified risks to minors’ privacy, safety, or security, including content, conduct and consumer risks as well as contact risks (e.g., arising from features such as live chat, image/video sharing, anonymous messaging)”

“Age estimation methods can complement age verification technologies and can be used in addition to the former,” (AKA the alternative to a literal gov ID check seems to be big data AI sucking up all user data to estimate user age.)

The in my opinion horrible solution the EU seems to have found to avoid sharing the physical ID for services that don’t want to request one, is apparently this app: https://github.com/eu-digital-identity-wallet/av-app-android-wallet-ui Which from what I can tell 1. it requires Google device attestation so all custom ROMs are out and to be a citizen you can apparently no longer own your device, 2. unless you use iOS or Android you’re apparently not a citizen, 3. once everyone is used to using some citizen app like that, I feel like a fascist government could easily tie it to a social score or other authoritarian measures bewyond the age verification. 4. There is a privacy friendly alternative approach anyway, that most governments seem to conveniently be ignoring: https://www.politico.com/news/2025/10/13/california-law-online-age-checks-00606115

Anyway, I’m not a lawyer and this isn’t legal advice. But spread the word, somehow press seems to be ignoring this.

https://economictimes.indiatimes.com/news/international/us/us-stock-market-crashes-today-why-are-dow-sp-500-nasdaq-down-today-tesla-meta-microsoft-in-red/articleshow/127780471.cms This isn’t investment advice, I just thought this might be interesting to read! (Additional angle of same story)

I posted this before, but it doesn’t even seem to be voluntary at all, from what I can tell from the draft:

“Upon that notification, the provider shall, in cooperation with the EU Centre pursuant to Article 50(1a), take the necessary measures to effectively contribute to the development of the relevant technologies to mitigate the risk of child sexual abuse identified on their services. […]”

“In order to prevent and combat online child sexual abuse effectively, providers of hosting services and providers of publicly available interpersonal communications services should take all reasonable measures to mitigate the risk of their services being misused for such abuse […]”

These quotes sound mandatory, not voluntary. And let’s look what these technologies referenced are:

“In order to facilitate the providers’ voluntary activities under Regulation (EU) 2021/1232 compliance with the detection obligations, the EU Centre should make available to providers detection technologies […]”

“The EU Centre should provide reliable information on which activities can reasonably be considered to constitute online child sexual abuse, so as to enable the detection […] Therefore, the EU Centre should generate accurate and reliable indicators,[…] These indicators should allow technologies to detect the dissemination of either the same material (known material) or of different new child sexual abuse material (new material), […]”

Oops, it sounds again like mandatory scanning.

Source: https://cdn.netzpolitik.org/wp-upload/2025/11/2025-11-06_Council_Presidency_LEWP_CSA-R_Presidency-compromise-texts_14092.pdf

The new draft seems to pretend better to look less mandatory, but it still looks mandatory to me. Feel free to correct me if somebody can figure out that I’m wrong.

It doesn’t seem to be voluntary at all, from what I can tell from the draft:

“Upon that notification, the provider shall, in cooperation with the EU Centre pursuant to Article 50(1a), take the necessary measures to effectively contribute to the development of the relevant technologies to mitigate the risk of child sexual abuse identified on their services. […]”

“In order to prevent and combat online child sexual abuse effectively, providers of hosting services and providers of publicly available interpersonal communications services should take all reasonable measures to mitigate the risk of their services being misused for such abuse […]”

These quotes sound mandatory, not voluntary. And let’s look what these technologies referenced are:

“In order to facilitate the providers’ voluntary activities under Regulation (EU) 2021/1232 compliance with the detection obligations, the EU Centre should make available to providers detection technologies […]”

“The EU Centre should provide reliable information on which activities can reasonably be considered to constitute online child sexual abuse, so as to enable the detection […] Therefore, the EU Centre should generate accurate and reliable indicators,[…] These indicators should allow technologies to detect the dissemination of either the same material (known material) or of different new child sexual abuse material (new material), […]”

Oops, it sounds again like mandatory scanning.

Source: https://cdn.netzpolitik.org/wp-upload/2025/11/2025-11-06_Council_Presidency_LEWP_CSA-R_Presidency-compromise-texts_14092.pdf

The new draft seems to pretend better to look less mandatory, but it still looks mandatory to me. Feel free to correct me if somebody can figure out that I’m wrong.

I continue to believe the risk is real and supported by my links and quotes. You might notice some people in the linked discussions who seem to be thinking it’s not entirely baseless. You’re free to disagree. I’m not a lawyer anyway.