New feature digs into the age check tech that Discord endorsed following widespread backlash.
Bottom line: On-device checks—if they work as they claim—are more privacy-preserving, but privacy advocates still don't think age verification laws are effective enough to justify any of it:
Posts by Michael A. Specter 👻
For more details on our lab's research (reported on in @ashleybelanger.bsky.social's fantastic article):
bsky.app/profile/did:...
For context, the privacy concerns we found, as well as the compliance and spill-over effects, directly contravene the logic in the recent Thomas's FSC v Paxton Supreme Court decision.
3. Yoti, the dominant provider in the US, collects significant private information. Data is sent to 3rd, 4th, or even 5th parties, including (in at least one case) the original site the user came from.
4. Yoti's security claims are... interesting
TL;DR:
1. Compliance is low: for sites that admit to age verification, roughly 15% deploy age verification in covered states
2. There's a spill-over effect: quite a few sites require verification in NY, despite there being no law there.
(also with the fantastic @harryoppy.bsky.social and @pearce.bsky.social)
We performed the first large-scale analysis of age verification providers on the web.
We scanned the top 1m sites from states with age verification laws (GA & TX) and one without (NY), and then RE'd the top provider.
Excited that my grad student @shreyasminocha.me's work on Age Verification has been accepted to IEEE S&P!
You can read about it in Ars Technica: arstechnica.com/tech-policy/...
Preprint: mikespecter.com/assets/pdf/A...
And thanks for the kind words, it means a lot!
Stay tuned, this is 1/4 papers on crowdsourced location tracking that we have in various stages of completeness.
BTW, happy to announce that this was accepted to Usenix Security '26.
When we talk about the problems with Bluetooth-enabled physical trackers, we usually talk about AirTags, but let us save some rage for Tile, powered by this paper discussing Tile's privacy, security, and accountability problems: arxiv.org/abs/2510.003...
I'm the last author on the work, thanks for the boost! Happy to answer any questions folks have.
Also, don't miss Akshaya's (the lead author's) presentation at Real World Crypto!
To the lawyers that came up with compliance training:
I hope you step on a lego. Once a day, for all eternity.
Watch today's episode of #ElectionScienceOfficeHours with Host @rmichaelalvarez.bsky.social - Beyond the Hype: A Research Driven Look at Claims About New Voting - with guests Georgia Tech's @mikespecter.com & Delaney Gomen - on the @caltechlcssp.bsky.social's YouTube channel: youtu.be/tbL1dlFT0NM.
#ElectionGeeks: This will be a really interesting conversation on voting system usability and accessibility between @caltechlcssp.bsky.social Co-Director @rmichaelalvarez.bsky.social & Georgia Tech's @mikespecter.com, including discussion on Professor Specter's latest research.
The accepted talks for Real World Crypto 2026 are now online: rwc.iacr.org/2026/accepte...
Thanks to everyone who submitted, and we look forward to the discussions at the symposium.
I’m begging here: elections officials should be proactively asking for help from security researchers in calls like this.
Analysis should be done, and the system should be public before announcing adoption.
Doing it this way forces bad press that I don’t want to give. It’s bad for democracy.
In any case this system should have been published before a launch was announced.
If I take a look and find vulnerabilities, will Alaska stop the deployment? Can they? Or would doing so cause too much harm and reputational risk?
Second, for elections, an attacker’s goal might be different than just causing a secret change in outcome
Perhaps it’s stopping a certain population from voting.
Or the goal may be causing chaos and weakening trust. E.g. What would happen if the system were just knocked offline on Election Day?
The article also quotes, unchallenged, Estonia’s election director: “can you compromise it in such a way that the monitoring you’ve got in place wouldn’t detect it”
First, vulns often would not have been detectable. Whatever this system is, it’s likely got flaws. Most deployed systems do.
I am aware of no advances in “cloud technology” that fix inherent problems in internet voting.
“Paper backups” also fail to fix much of anything—a malicious or broken into system can ignore the voter’s selections and print whatever it wants.
Time and again, Internet voting in practice has been shown to introduce significant vulnerabilities in elections.
To my count, there have been five systems piloted in real world elections.
Once researchers examined them, all have had significant flaws that would overturn the election.
“Security experts say that while nothing on the internet can be completely impenetrable from hacking, advances in cloud-based technology, as well as linking mobile voting to a paper backup system, could help alleviate some of the concerns”
This is incorrect, and no security expert was quoted.
The NYT just published an article largely hyping internet voting in Alaska.
I do not agree, and argue that the article has significant problems. Let’s look at a few of them 🧵
www.nytimes.com/2025/11/13/u...
We are alarmed by reports that Germany is on the verge of a catastrophic about-face, reversing its longstanding and principled opposition to the EU’s Chat Control proposal which, if passed, could spell the end of the right to privacy in Europe. signal.org/blog/pdfs/ge...
“We use the UK form “factorise” here in place of the US variants “factorize” or “factor” in order to avoid the 40% tariff on the US term.”
“...We refer to an abacus as “an abacus” rather than a digital computer, despite the fact that it relies on digital manipulation to effect its computations. Finally, we refer to a dog as “a dog” because even the most strenuous mental gymnastics can’t really make it sound like it’s a computer.”
Probably the best troll paper of the year:
“Replication of Quantum Factorisation Records with an 8-bit Home Computer, an Abacus, and a Dog”
eprint.iacr.org/2025/1237.pdf
I will never forgive these AI companies for making em-dashes impossible to use without being accused of using AI.
I miss the em-dash.