07-20-2025, 12:40 PM
cerulean
Web & App Development
Join Date: Oct 2023
Location: United States
Posts: 144
Age verification, right now, is a mess for both the site operator (as you mentioned) and the user. I know it seems painless at the moment, especially with the method you used, but there are a lot of implications at play, and none of this is really comfortable when you peel back the first layer.

When you purchase a regulated vice in person, or through delivery, you need to show both your identification (which may be scanned) and your face. This is so that someone can look at the ID, confirm that it's real (which places the risk on the employer), and then confirm you are on that ID. This is painless in person because it can happen in a matter of moments, and it's not like the employee's mind is being recorded. Worst case scenario, you're on CCTV, which is localized to the store you bought from.

But now replace the employee with a robot that uses cameras. They scan your face, make an imprint of you, and match it to your ID. Suddenly there's a new implication of you being tracked--your likeness being recorded. Of course you're being tracked by your phone, but it's not really the same thing as being digitized by a private company. Are you more or less comfortable with a robot recording everything that you're doing, who you are, and the vice you've selected?

Now, alcohol is much more accepted in society, but adult content really isn't. Especially if your fetish is niche.

When you do this with the IRS, you do it through a regulated company that needs to meet government litmus tests. I am not suggesting these are inherently better than other private companies, but id.me at least is based in the United States and has to answer for any crimes here.

Let's talk about the solutions that we have right now. You used age estimation through AI. First, how much do you care that your face is being digitized? Or that it might be used later? Are you afraid of xhamster using it, or the person who provided the technology getting hacked, leaking it, or selling it to the highest bidder? You may not be personally concerned about this, but there are legitimate issues with this, especially for wealthy paying customers.

Everyone in web programming will tell you that there is no such thing as a perfectly secure system. I do not doubt that these companies have good intentions, but there could be a 0-day exploit yet uncovered.

On AI age estimation, I've posted about this before, but I think it's a huge red flag. We're using an AI model, with unknown training data, to identify whether someone, based on their likeness, is over the age of majority. Not to mention we're getting people used to this concept, which is, in my opinion, risky. One day someone is going to release a whitepaper detailing how they were able to bypass age estimation and then AGs are going to pounce on that.

Yoti is the only one I've seen who has put a whitepaper out defending the technology, and it's encouraging that they're willing to do it (and I trust them more for it), but it's also discouraging technology based on the data. If you are required to set a threshold age of 30 to be sure that someone is of age, then we have a lot of implications about accuracy and risk.

Face-api.js is the most popular open source library for these things, and reportedly uses IMDB. Paired with Tesseract.js, it can read text from an ID, but neither of these things can confirm that you aren't an AI yourself being projected as input. Who is actually checking that the ID isn't fake?

I wouldn't want to be the insurance provider for age estimation via AI.

Any solution that involves a real person, to me, is the only risk-averse solution. But no one is employing that because it's costly. iDenfy is the only KYC that I know of that has a real person as part of the process, but it's much more costly for the site operator, and much more invasive for the user, than someone like VerifyMy or Yoti.

I think that the government, if they are going to require age verification, should build a solution, like id.me, that lets you zero-proof knowledge identify your age to their requirements and let it be saved in an mDL or OpenID format. Then you just need to supply the encrypted token and have a centralized API to confirm it. The government does this with id.me, but our industry doesn't.

We are *stuck* with age verification, whether we like it or not. I think a lot of people are convinced "free" and "low cost" age verifications are the solution because this industry does not want to take on additional costs; but at what cost of risk?
__________________
Cerulean Software Specializes in Website and App Development. Email me today!

Keep Your Business and Members Area Secure with LoginBlue Password and Content Protection
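The token-plus-central-confirmation flow proposed in the post, as an added sketch that is not part of the original post or any vendor's or government's API. It swaps in a plain HMAC-signed claim token (not encrypted, not a zero-knowledge proof) to show the data-minimization point: the site sees only a threshold result. The issuer, key handling, field names and `site.example` audience are all hypothetical.

```python
import base64, hashlib, hmac, json, secrets, time

ISSUER_KEY = secrets.token_bytes(32)  # assumption: held only by the central issuer
_seen_nonces = set()                  # issuer-side replay cache (in-memory for the demo)

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(age_over: int, audience: str, ttl: int = 300, now=None) -> str:
    """Issuer side, after it has checked the ID itself. The payload carries
    the threshold result only: no name, birth date, ID number or face data."""
    now = int(time.time() if now is None else now)
    claims = {"age_over": age_over, "aud": audience,
              "exp": now + ttl, "nonce": secrets.token_hex(16)}
    body = b64e(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + b64e(tag)

def read_claims(token: str) -> dict:
    """Everything a site holding the token can read from it."""
    return json.loads(b64d(token.split(".")[0]))

def confirm_token(token: str, audience: str, required_age: int, now=None):
    """Central confirm API: returns (ok, reason), so the site learns yes/no only."""
    now = int(time.time() if now is None else now)
    try:
        body, tag = token.split(".")
        expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(tag)):
            return False, "bad signature"
        claims = json.loads(b64d(body))
    except (ValueError, TypeError):
        return False, "malformed"
    if claims["aud"] != audience:        # token minted for a different site
        return False, "wrong audience"
    if now >= claims["exp"]:             # short lifetime limits resale or sharing
        return False, "expired"
    if claims["age_over"] < required_age:
        return False, "threshold too low"
    if claims["nonce"] in _seen_nonces:  # single use
        return False, "replayed"
    _seen_nonces.add(claims["nonce"])
    return True, "ok"
```

Because the audience is inside the signed payload, the issuer in this sketch still learns which site asked; hiding that as well is what the mDL or zero-knowledge approach mentioned in the post would have to add.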