Hacker News | gigel82's comments

Holy dystopian f*k. So not only does ChatGPT record all interactions, it actually leaks them to the press when they see fit?

If you still needed a reason to look into self hosted models, it'd be tough to find a better one than this.


Reposting a comment I made on an earlier thread on this.

We need to be super careful with how legislation around this is passed and implemented. As it currently stands, I can totally see this as a backdoor to surveillance and government overreach.

If social media platforms are required by law to categorize content as AI generated, this means they need to check with the public "AI generation" providers. And since there is no agreed upon (public) standard for imperceptible watermarks hashing that means the content (image, video, audio) in its entirety needs to be uploaded to the various providers to check if it's AI generated.

Yes, it sounds crazy, but that's the plan; imagine every image you post on Facebook/X/Reddit/WhatsApp/whatever gets uploaded to Google / Microsoft / OpenAI / UnnamedGovernmentEntity / etc. to "check if it's AI". That's what the current law in Korea and the upcoming laws in California and EU (for August 2026) require :(


Windows 11 LTSC still has the old school notepad.exe (and calc.exe) instead of this UWP abomination. Also: https://msrc.microsoft.com/update-guide/vulnerability/CVE-20...

Is LTSC still impossible to get as someone who doesn't want to run cracked software or "license unlockers" on the same machine they do their banking on? I never found a way of buying it that didn't involve having to survive an interrogation by a sales team.

It is, unfortunately. I have access to an MSDN Subscription (or VS Essentials or whatever it's called nowadays) that comes with some "test" licenses.

Let's just say I haven't concluded my testing yet, it's ongoing :)


You can get LTSC. It's a bit of a quest, but it's possible.

You need to buy 5 regular Windows licenses and then you'll be able to unlock the LTSC option. It works out to about $300.


Haha, I always guess whether or not there will be an LTSC comment before checking the comments. These days it's always there, even early after posting.

Where can we learn more about your architecture?

Someone brought up the need for device attestation for trust purposes (to avoid token smuggling for example). That would surely defeat the purpose (and make things much much worse for freedom overall). If you have a solution that doesn't require device attestation, how does that solve the smuggling issue (are tokens time-gated, is there a limit to token generation, other things)?


We do not require an attestation and things like token smuggling are still a problem we need to solve. We have a system that prioritizes unlinkability. So an issuer cannot track the attribute they give you. And a verifier cannot link multiple disclosures with the same attribute. This privacy really helps things like token smuggling however. Time-gated tokens may increase the difficulty, but will probably not make it impossible. Making it illegal to verify someone else's QR codes could also help of course.


A Verifiable Credential fundamentally doesn't solve the problem of "sharing", "smuggling". All it takes is one verified adult to "leak" their VC somewhere, and millions of underage people would be able to use it to "prove" they are over 18.

This would only work with something like MS TPM 2 / Apple Secure Enclave (device attestation), which is anti-freedom by design. I was curious if they found a way around that (maybe with time/rate limits, or some actual useful use of blockchain tech).


You could use an oblivious pairwise pseudonym, and then you do not require hardware attestation. But that does essentially limit one ID to one account per service.

Lmao how is the Secure Enclave anti-freedom?

Besides the privacy argument (the claim that the UID can't be used for tracking via derivation is shaky at best, and not much different than MS's EK), there is the freedom argument: as in, who owns the device - the user, or Apple?

If Apple can remotely lock the device that a user bought mistakenly (for example because some corporation somewhere fat-fingers some entries), that fundamentally means the user doesn't own the device they bought and paid for. Add on top DRM and all the other evil that comes along with attestation.

Plus, you can still disable TPM2 (if you don't want to run Windows on your machine), you can never disable Apple's implementation.


I'd like to add we are discussing communication over the internet. It is an open standard. I should be allowed to build my own PCB without a secure element and talk to anyone over HTTP so long as I am abiding by the correct RFCs.

I have read a variation of this headline once every 2 years since the early 2000s, yet never seen it turn into something real (that a consumer / enterprise can buy).

It's clear these "age verification" bills will just keep coming and it's a losing battle to try and oppose each individually.

Instead (or rather in addition to) activism we should go at it from the other end and request the introduction of a verifiably independent authority and zero knowledge protocol that will deliver a cryptographically secure boolean bit (isOver18) with no way to correlate from either end the ID or which website the bit is used for.

The alternative is IDs get collected by all these horrendous privacy fiends and sold / leaked / monetized across the board, which sounds like a dystopian nightmare.


Solutions based on zero-knowledge-proofs would solve the privacy aspect at the massive cost of killing general purpose computing as we know it today, by mandating the use of remote device attestation (as that is the only way to guarantee an otherwise fully anonymous token is not being sniffed and passed onto someone else). That would be in my opinion significantly more dystopian than every service having a copy of my ID, as it would lay the groundwork for corporations and governments to be able to dictate what you can and cannot do exactly with any internet-connected device.

It's not hard for instance to imagine that once every computing device available to the general public is locked down and cannot be jailbroken without also losing the ability to log into any online service, a law would be introduced requiring client-side scanning of all files to check for CSAM, evidence of political dissent or even just plain old movie piracy. The technology to implement this exists (see what Apple tried to do a few years ago) and the exact same legislation is currently being pushed in the 3D printing space, so these fears are not unfounded.


In the farthest along systems, such as the one the EU has been working on for a few years and is now field testing, you only need to have one secure device to store your digital ID, which in the first version will be a smart phone. If you want to use a site that requires proof of age from some other device like a desktop computer or a public computer in a library you can do the age verification on your phone.

I'm not an expert in this area, but I thought blockchain and things like zk-SNARKs solved this.

I agree that if remote device attestation comes bundled in, it's worse overall.

But are we just SOL then? How long before Cloudflare integrates, and then ISPs? What is left of the internet? Are we all going to run pirate LoRa nodes and other such things to get some free (as in freedom) internet?


> Are we all going to run pirate LoRa nodes and other such things to get some free (as in freedom) internet?

I will, if it comes down to it. I wouldn’t love to return to the 1980s with pirate BBSes and floppynet, but I already lived through it and survived. There would be a certain romance to it, like old hacker movies, maybe it would even make cyberpunk cool again.

(To be clear, it would still suck and we should fight this. But even if we lose a battle, the war is eternal.)


Your 2nd paragraph is a foreign language to US representatives. A bunch of senators, like Graham and Turtle Man, brag about not using email.

I would propose a variant of RFC 3514, where adult-related packets have a specified bit in the IP header. Simpler and you can filter it at the firewall.

It's clear "age verification" is not something we'll get rid of, so I think instead we should push for a publicly verifiable double-blind (zero-knowledge proof) solution that can ensure it only gives the websites a boolean and doesn't allow correlation from either side.

The alternative is having to give your ID to Facebook, Google, Microsoft, and all the other bad actors...


That is still signal that the email address is valid. I'd prefer something like the server immediately sending an SMTP 550 5.1.1 (unknown recipient error), for anything that's immediately recognized as spam (or marked as spam in the past by the user). That gives no signal at all and might even persuade some scammers to remove your email address from their list.


If you don’t follow spam links, then it lets the spammer probe your spam filter, and try stuff until you follow links.

A better approach is to follow all links always (even to non-existent recipients) if you must play this game.

That reminds me: I should make sure all my mail clients are still set to plain text rendering.


I hereby remind you of a bet you lost: https://news.ycombinator.com/item?id=39186555 :)

my contact info is in my profile to arrange settlement


Ooh, I might consider actually buying Bose products now. Way to go!


I'm sure if Apple keeps innovating and adopting some of the Web standards they'll outcompete other engines. But let's be realistic, they 100% are blocking other engines and not adopting standards in their own because they want that sweet sweet 30% cut when developers can't publish PWAs and are forced into the "app" model.


WebKit's progress has been significant in recent years, it's just been more focused on things like improving CSS instead of things like an API that tells the developer how many beers the user has in their fridge.


You are unwittingly confirming his point. Apple isn't randomly working on random stuff, they know exactly where their bread is buttered - features that have potential of diminishing that butter get skipped, neglected or implemented half-baked.


It depends on how you look at it.

From my perspective, Google tends to focus on somewhat niche features that will benefit a small slice of web apps. In contrast, the things Apple works on are those that benefit everything from static blog sites to huge commercial web apps.

I wish Google were more like Apple in this regard, because the primitives from which everything web is built are still overwhelmingly crude, which results in the half-ton-truck-built-on-a-golf-cart frameworks and apps the web has become famous for. Making the web reasonable to develop for without a dependency tree that looks like a spiral fractal would do way more to make it flourish as a platform than things like access to the GPU and USB devices.

