Tag: Privacy

  • Social media age verification is becoming an internet ID layer

    Social media age verification is being sold as a child safety measure, but the current policy push is starting to look like a broader identity layer for the internet. Mullvad’s June 2026 analysis argues that many age checks require users to identify themselves to a website, a platform, a third party, an app store, or an operating system before they can read, post, or install.

    The short version

    • Mullvad says social media age verification is spreading across Australia, Brazil, Indonesia, Europe, and the United States, with many systems functioning closer to identity verification than a simple age check.
    • The risk is not limited to social platforms. Policymakers are already discussing VPNs, app stores, browsers, and operating systems as places where age controls could be enforced.
    • One concrete example in Mullvad’s piece is Apple’s UK iPhone change on March 24, 2026, which the article says pushed 35 million British users toward credit-card or government-ID checks to avoid device restrictions.
    • Zero-knowledge proofs (ZKPs) could reduce the tracking risk, but Mullvad argues the EU’s age verification app can still fall back to a non-ZKP model.
    • The practical question for builders is whether they can prove age without creating a reusable identity trail.

    What happened

    Mullvad published a long privacy critique of online age checks on June 1, 2026. The company starts with social media bans and restrictions for minors, then follows the enforcement logic outward: if children can bypass a platform rule with a VPN, a foreign app store account, Tor, an eSIM, or a browser, regulators may try to control those layers too.

    The article names several countries that have adopted, approved, or debated social media restrictions for minors, including Australia, Indonesia, Brazil, Denmark, Portugal, Malaysia, France, Spain, Turkey, Germany, and Sweden. It also says roughly half of US states have either pending or introduced age-restriction laws for inappropriate content, social media, or both.

    Mullvad’s central claim is blunt: most age verification systems ask every user to identify themselves to someone. That someone might be the platform, an identity vendor, an issuer, an app store, or an operating system provider. Once that check is tied to a visit, post, app install, or device account, the system can expose more than age.

    Why social media age verification is worth watching

    Social media age verification is worth watching because age checks can become durable identity infrastructure. A website may only need to know that a user is over 16 or over 18. A poorly designed system can reveal the user’s legal identity, the sites they visit, the apps they install, or the accounts they use to speak in public.

    That matters for more than adult-content access. Anonymous and pseudonymous use protects whistleblowers, activists, journalists, dissidents, teenagers exploring sensitive topics, and people who do not want every health, sexuality, political, or religious query tied to a name. Mullvad points to the chilling effect: if users believe a future government, platform, or vendor can connect posts back to them, they may stop speaking before anyone orders censorship.

    The most important policy detail is enforcement location. If verification happens only at one website, users can still choose another service or privacy tool. If verification moves into app stores, operating systems, browsers, or VPN access, the control point becomes harder to avoid and easier to reuse for other categories of content.

    What does social media age verification change for builders?

    Social media age verification changes the product requirement from “check an age” to “decide what identity data the product is willing to collect, store, outsource, and expose.” Developers building social apps, marketplaces, gaming communities, browsers, VPNs, and app-store integrations may soon face age-gating rules that were originally aimed at large platforms.

    The safer design pattern is data minimization. A service should prefer one-time credentials, narrow age assertions, short retention windows, independent audits, and clear separation between the credential issuer and the site using the proof. If a product stores identity documents, logs which credential opened which account, or shares checks across services, it may create a privacy liability even when the law frames the feature as safety.

    App builders should also watch where the obligation lands. If age checks move to Apple, Google, or OS-level APIs, smaller developers may inherit platform decisions they cannot negotiate. That affects app discovery, onboarding, parental-control flows, and whether privacy tools are treated as normal user protection or as circumvention.

    What the discussion is missing

    There was no reliable Hacker News discussion attached to the source at the time of this brief, so the missing debate is the engineering trade-off. Policy arguments often collapse into two camps: protect minors or protect privacy. Product teams need a more specific question: what proof is required, who sees it, how long it survives, and whether it can be linked across services.

    The strongest unanswered point is practical enforcement. If a jurisdiction requires age checks but users can switch VPNs, app stores, accounts, browsers, or operating systems, regulators may keep moving the checkpoint deeper into the stack. That is the path Mullvad warns about. The counterpoint is that platforms already classify users by age for advertising, safety, and recommendation systems, so lawmakers may argue that formal age gates are less invasive than today’s behavioral profiling. That argument only works if the legal system forbids reusable identity trails.

    The technical question is also unsettled. Zero-knowledge proofs can prove an age threshold without revealing a birth date or identity to the relying website. They do not solve every problem: people without ID documents can still be excluded, issuers can be pressured, and fallback modes can remove the privacy property that made the design acceptable.

    The practical read

    Treat social media age verification as an identity-system decision, not a compliance checkbox. If a law or platform rule requires an age check, the first review should ask whether the product can verify an age threshold without learning the user’s name, storing an ID document, or letting an issuer reconstruct where the credential was used.

    For developers, the near-term work is threat modeling. Map the verifier, issuer, platform, and storage layer. Check whether logs connect credentials to accounts or IP addresses. Test what happens when users are underage, undocumented, traveling, using a VPN, or using a privacy-focused browser. If the only working path requires a government ID and a persistent account, the product has built an identity gate.
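
    An added example, not code from Mullvad or from this site: one way to run the log check described above. It flags verification records that tie a credential identifier to an account or IP address, that store identity fields, or that show the same credential at more than one relying party. The field names and the log lines are constructed assumptions; map them to your own schema.

```python
import json
from collections import defaultdict

# Assumed field names for this example; adjust to the schema your verifier logs.
CREDENTIAL_FIELDS = {"credential_id", "proof_id", "token_hash"}
SUBJECT_FIELDS = {"account_id", "client_ip", "device_id"}
IDENTITY_FIELDS = {"name", "birth_date", "document_number"}

# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = """\
{"ts": "2026-06-01T10:00:00Z", "rp": "social.example", "result": "over_16"}
{"ts": "2026-06-01T10:00:05Z", "rp": "social.example", "credential_id": "c-81f2", "account_id": "u1007", "result": "over_16"}
{"ts": "2026-06-01T10:02:11Z", "rp": "forum.example", "credential_id": "c-81f2", "client_ip": "203.0.113.9", "result": "over_16"}
{"ts": "2026-06-01T10:03:40Z", "rp": "social.example", "birth_date": "2007-04-02", "result": "under_16"}
not-json garbage line
"""


def audit(log_text):
    """Return (line_no, finding) tuples for records that build an identity trail."""
    findings = []
    seen_at = defaultdict(set)  # credential value -> relying parties it appeared at
    for n, line in enumerate(log_text.splitlines(), 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        if not isinstance(rec, dict):
            # Unreadable records cannot be cleared, so report them for manual review.
            findings.append((n, "unparseable"))
            continue
        keys = set(rec)
        creds = sorted(keys & CREDENTIAL_FIELDS)
        # Raw identity data in a log is a finding on its own.
        findings += [(n, f"identity:{f}") for f in sorted(keys & IDENTITY_FIELDS)]
        # A credential identifier next to an account or IP links proof to person.
        if creds:
            findings += [(n, f"link:{f}") for f in sorted(keys & SUBJECT_FIELDS)]
        # The same credential value at several relying parties is a reusable trail.
        for c in creds:
            parties = seen_at[str(rec[c])]
            parties.add(rec.get("rp", "unknown"))
            if len(parties) > 1:
                findings.append((n, "reuse:" + ",".join(sorted(parties))))
    return findings


if __name__ == "__main__":
    for line_no, finding in audit(SAMPLE_LOG):
        print(f"line {line_no}: {finding}")
```

    The first sample record, which keeps only the relying party and the threshold result, is the shape that produces no findings.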

    For policymakers, the useful line is narrower than “age checks are good” or “age checks are bad.” Require data minimization, ban credential reuse for tracking, mandate privacy-preserving proof where possible, and block attempts to turn VPNs or browsers into identity checkpoints. Child safety rules should not quietly become an ID card for the open web.

  • Connected car data is becoming an insurance problem

    Connected car data is no longer a small diagnostic trail that stays with the vehicle. Modern cars can record where you go, how you drive, who may be in the cabin, and whether your behavior looks risky to an insurer. The uncomfortable part is that many drivers meet this system through a discount offer, a companion app, or a checkbox on a dashboard screen.

    The short version

    • BBC Future reports that cars can collect precise location, driving behavior, cabin sensor signals, infotainment choices, and clues about passengers.
    • A cited driver found about 130 pages of LexisNexis driving and movement records, then saw an auto insurance quote rise by 21%.
    • The FTC finalized an order over GM and OnStar’s handling of geolocation and driving behavior data, including a 5-year bar on sharing certain sensitive data with consumer reporting agencies.
    • Hacker News readers focused less on the headline shock and more on practical defenses: pulling cellular modules, disabling telemetry, and buying older cars.
    • The useful test is simple: if a car feature sends connected car data off the vehicle, drivers should know who receives it, how long it is kept, and whether it can affect pricing.

    What happened

    BBC Future framed the modern car as a rolling computer that can collect a startling amount of personal information. The piece points to data categories that go beyond mileage and fault codes: precise location, acceleration, hard braking, seatbelt use, radio choices, cabin camera signals, and in some systems clues about weight, age, facial expression, or impairment.

    The insurance angle makes the privacy issue concrete. Telematics programs are sold as a way to reward safer driving, but the outcome is not always a discount. BBC cited a Maryland analysis in which 31% of participants received lower rates, 24% received higher rates, and 45% saw no change.

    Regulators are already treating this as more than a hypothetical risk. In January 2026, the FTC finalized an order settling allegations that GM and OnStar collected and sold precise geolocation and driving behavior data without adequate consumer consent. Under the order, GM cannot provide certain sensitive location and driving behavior data to consumer reporting agencies for 5 years.

    How connected car data reaches insurers

    The path is rarely visible from the driver’s seat. A vehicle can send telematics through a built-in modem, a manufacturer account, a dealer service system, a phone app, or an insurance program. Once connected car data leaves that stack, it can be packaged into risk signals that feel far removed from the screen where the driver first tapped accept.

    Why this is worth watching

    Connected car data is unusually intimate because it ties behavior to place. A phone location trail can be sensitive, but a vehicle trail can also reveal school runs, medical visits, religious services, shift work, passengers, and driving style. When that data enters insurance or consumer reporting systems, the driver may not know what record exists until a price changes.

    Mozilla’s car privacy review adds another reason to take the issue seriously. It found that many car brands claim broad rights to collect and use personal information, including location, driving behavior, financial details, and in some policies more sensitive categories. That does not mean every car records every possible field. It does mean the paper permissions are often wider than a buyer expects when signing up for a vehicle app or connected service.

    This also matters for product teams building around vehicles. A mobility app, insurer app, fleet dashboard, or driver monitoring feature may feel like a narrow utility, but users experience it as part of the car. If the privacy model is vague, the product inherits the mistrust aimed at automakers and brokers.

    What Hacker News readers are arguing about

    The Hacker News discussion was more practical than ideological. Some readers joked that they prefer old cars with no networked electronics. Others described real attempts to take newer cars offline, including removing a cellular bridge, pulling a fuse, or using model-specific tools to disable telemetry.

    The strongest technical objection was that disconnecting the modem may not be enough. Several commenters pointed out that a car can store data while offline and upload it later, either when connectivity returns or when a service tool touches the vehicle. That turns “just pull the module” into a partial fix rather than a clean answer.

    The more useful builder point is that the privacy boundary is hard to explain to normal drivers. A car has internal networks, external connectivity, dealer diagnostic tools, manufacturer apps, insurer programs, and third-party data brokers. A privacy screen that says “connected services” does not tell a driver which of those systems still has a path to their data.

    The practical read

    Drivers do not need to panic, but they should stop treating connected services as free extras. Before enabling an automaker app, a usage-based insurance program, or a driver monitoring feature, check whether the service shares connected car data with insurers, consumer reporting agencies, affiliates, or marketing partners.

    The best first pass is boring and useful: review the vehicle’s privacy settings, the manufacturer app, any insurance telematics app, and the data request or opt-out forms offered in your region. EFF maintains a guide for finding out what a car may know about you and how to opt out when the manufacturer allows it.

    For automakers and app builders, the lesson is harsher. Consent cannot be buried in a setup flow and still feel legitimate when the result may affect insurance prices. If a feature needs cabin, location, or driving behavior data, say so plainly, limit the use, and make deletion or sharing controls easy to find.

  • DuckDuckGo AI-free search is the real Google AI backlash signal

    DuckDuckGo AI-free search traffic rose after Google pushed AI Mode and AI Overviews harder into the search experience. The numbers are still small next to Google’s market share, but the reaction points to a product problem: some people want AI answers, and some people want search results without a model stepping in first.

    The short version

    • Visits to DuckDuckGo’s AI-free search page reportedly rose by an average of 22.7% week over week from May 20 to May 25, peaking at 27.7% on May 24.
    • TechCrunch reported that DuckDuckGo mobile app installs in the US rose 18.1% on average over the same stretch, with a 30.5% peak on May 25.
    • This does not make DuckDuckGo a near-term threat to Google Search, which still has a much larger share of the US search market.
    • The useful signal is product fatigue: users are reacting less to AI itself than to AI being treated as the default layer in search.

    What happened

    PC Gamer reported that DuckDuckGo saw a sharp bump in usage around its AI-free search surface after Google kept promoting AI Mode as a direction users supposedly like. DuckDuckGo’s noai page, which gives people a cleaner path to search without AI answers, saw visits rise 22.7% on average week over week from May 20 through May 25. The peak was 27.7% on May 24.

    TechCrunch reported a related app-store signal. DuckDuckGo mobile app installs in the US rose 18.1% on average over the same six-day window, and the increase peaked at 30.5% on May 25. Those figures are not a market-share earthquake. They are a behavior change worth watching because they happened around a visible product dispute: Google putting AI answers closer to the center of search, and some users looking for a way around it.

    Google has a business reason to keep going. In Alphabet’s Q1 2026 remarks, Sundar Pichai said Search revenue rose 19% year over year and tied part of Google’s momentum to AI experiences such as AI Overviews and AI Mode. From Google’s side, AI search is a growth story. From the user’s side, it can feel like a familiar utility changing its rules without asking.

    Why this is worth watching

    Search is not a side feature. It is the front door to the web for a lot of people. When AI answers sit above links, the search engine is no longer only helping users find pages. It is deciding when a synthesized answer should come before the open web.

    That can be useful. Plenty of queries are simple enough that an answer box saves time. The friction starts when a user wants links, source comparison, official pages, forum threads, product documentation, or a plain list of results. In those moments, an AI answer can feel like an obstacle rather than a shortcut.

    The privacy angle also gives DuckDuckGo a cleaner message. DuckDuckGo is not anti-AI across the board. It offers AI chat and summaries in other contexts. Its pitch is closer to control: let the user choose how much AI they want, and do not turn search logs or chats into training material. For people already uneasy about data collection, that distinction is easy to understand.

    There is also a lesson for anyone building AI into consumer products. If a feature changes a daily habit, opt-out controls are part of the product, not a settings afterthought.

    DuckDuckGo AI-free search and user control

    DuckDuckGo AI-free search is a useful phrase because it names the demand more clearly than “anti-AI search.” The demand is not for a web frozen in 2015. It is for a visible choice between answer generation and ordinary results.

    What Hacker News readers are arguing about

    The Hacker News thread was split in a useful way. Some readers had already moved to DuckDuckGo or were trying alternatives because they disliked seeing AI answers in ordinary search. A repeated complaint was not that AI is useless, but that Google Search is where they go for links. If they want a chatbot, they would rather open a dedicated AI product.

    Another group defended Google AI Mode. They said it is fast, convenient from the address bar, and good enough for quick factual checks. That camp is not imaginary; it explains why Google’s internal metrics may look positive even while a visible group of users complains loudly.

    The strongest skeptical point was about the denominator. A 28% increase sounds large, but DuckDuckGo starts from a much smaller base than Google. Several commenters argued that the headline could overstate the competitive impact if readers treat a relative increase as proof of a broad search migration.

    The more practical thread was about controls. Readers kept coming back to the same distinction: AI can be useful when asked for, annoying when forced, and worrying when it changes what counts as a search result. That is the part product teams should notice.

    The practical read

    DuckDuckGo is not suddenly replacing Google Search. The safer read is that AI search has entered the backlash phase that most default-on product changes eventually face.

    For Google, the risk is not that every frustrated user leaves tomorrow. The risk is training people to keep a second search engine nearby for cases where AI gets in the way. That is a small habit change at first, but it weakens the assumption that Google is the only search box worth using.

    For DuckDuckGo and other search apps, the opening is clear but narrow. Privacy and AI opt-out messaging can bring people in. The hard part is keeping them when results quality, local search, maps, shopping, and vertical search matter. A search engine can win a protest click and still lose the daily habit.

    For builders, the rule is simple enough: do not confuse adoption with consent. If an AI feature is genuinely useful, people will use it when the path is clear. If they have to fight the interface to get back to the old behavior, the alternative with a simple off switch starts to look better.
