HN Debrief

Never Give Them Your Face

  • Privacy
  • Regulation
  • Security
  • AI
  • Identity

The post is a broad warning against giving websites and platforms your face for “age verification.” Its core claim is simple: most of these systems are not merely checking whether someone is over 18. They are collecting identity documents, face scans, and persistent personal data that can later be repurposed for tracking, policing, or political control. The piece pushes a hard line of refusal, from porn sites to airports, on the theory that once biometric verification becomes normalized for low-stakes online access, it becomes easier to require it everywhere.

Treat biometric checks as a product and policy choice, not an inevitability. If your company touches onboarding, moderation, payments, or identity, assume users increasingly care about revocability, appeal paths, and whether you can solve the problem without collecting immutable data.

Discussion mood

Mostly supportive of the anti-biometric argument, but frustrated and fatalistic. People were angry at broken platform verification flows and mission creep, while also feeling that face-based identity checks are already embedded deeply enough that individual refusal only works at the margins.

Key insights

  1. Biometrics make account recovery impossible

    Using a face as a credential turns ordinary trust-and-safety bugs into dead ends. The Facebook signup stories show the failure mode clearly. A user can hand over a face scan, still get locked out, and then lose the one thing that usually makes broken systems survivable, the ability to start over with a new account and rebuild trust.

    If you design identity systems, keep a revocable recovery path that does not depend on the same biometric you already rejected. For users, avoid services that combine irreversible identity binding with no meaningful appeals process.

      Attribution:
    • __MatrixMan__ #1 #2
    • howard941 #1
  2. Reputation systems are banning infrastructure, not people

    A lot of these lockouts are not even about the face scan itself. They are caused by crude risk scoring on VPNs, IP ranges, device fingerprints, or opaque policy flags. That means users get pushed into stronger identity checks only because upstream heuristics are noisy and platforms want the cheapest way to reduce false negatives.

    Watch for teams using biometric verification as a patch over broken abuse detection. Improving attribution and appeals may reduce pressure to collect stronger identity data in the first place.

      Attribution:
    • jazzyjackson #1
    • a2128 #1
    • ranger_danger #1
  3. Privacy tools only work when normal people use them

    The Tor discussion landed on a blunt network effect point. An anonymity system protects users better when it is common enough that using it is unremarkable. The Harvard bomb-hoax example was cited as a case where unusual Tor usage itself became a clue, not a technical break of Tor. That same logic was applied to iCloud Private Relay, which helps by making IP obfuscation mainstream rather than niche.

    If you want privacy-preserving infrastructure to matter, optimize for default or mass adoption, not just technical purity. Tools that only experts use can become self-identifying.

      Attribution:
    • judge2020 #1
    • jupr #1
    • bronlund #1
    • john_strinlai #1
  4. The policy demand is real even without a villain

    Several comments cut through the all-purpose conspiracy framing. Parents, regulators, and many ordinary voters genuinely want stronger restrictions on kids' access to parts of the internet. The hard problem is that once you demand high-assurance online age gating, identity verification keeps sneaking back in because the weaker alternatives are easy to share, spoof, or route around.

    Do not build your strategy on exposing bad motives alone. If you oppose mandatory age checks, you need a credible answer to the underlying child-safety demand, even if that answer is narrower device controls and better parental tools.

      Attribution:
    • Aurornis #1
    • andrewla #1 #2
  5. The leverage point is regulation and appeals

    The practical fixes people kept reaching for were legal, not technical. The EU Digital Services Act was cited for requiring complaint and redress mechanisms. Others argued that the bigger gap is modern privacy law and limits on data brokers, plus rules forcing human contact and appeals when automated systems cut someone off from major platforms or markets.

    If your business relies on automated identity or trust decisions, expect regulation to focus on process rights as much as data collection. Build explainability, escalation, and human review before they become mandatory.

      Attribution:
    • lenerdenator #1
    • flipbrad #1
    • jkestner #1
  6. Small business access is collateral damage

    A recurring complaint was that Meta's verification and account integrity machinery is now bad enough to block legitimate businesses from creating pages, running ads, or even opening fresh accounts. The notable point is not just privacy harm. It is that identity friction is now directly suppressing commerce for people trying to give Meta money.

    For platform operators, abusive-user controls that choke honest new entrants are a growth problem, not just a trust-and-safety problem. For founders, dependence on a single gatekeeper platform remains an operational risk.

      Attribution:
    • chamomeal #1
    • ferngodfather #1
    • maaarghk #1
    • dd8601fn #1

Against the grain

  1. Some identity checks are legitimate

    Not every face or ID request belongs in the same bucket. Banks, brokers, governments, and border systems often do need strong identity because they are authorizing money movement, legal status, or state action. The sharper distinction is between high-stakes institutions with clear need and random websites adopting the same machinery for convenience or data capture.

    Be precise when arguing against biometric collection. You will be more credible if you separate low-stakes age gating from contexts where strong identity is genuinely part of the service.

      Attribution:
    • andai #1
    • nickelpro #1
  2. Photo proof does not itself prove bad faith

    The strongest pushback on the article's logic was that a bare document saying 'over 18' is useless unless the verifier can tell the holder is its rightful owner. In physical spaces, that is exactly why photo ID became the norm. The digital privacy risks are much worse, but that does not by itself prove that every request for a face match is secretly about surveillance rather than age.

    When evaluating a verification flow, ask what assurance level the operator actually needs and whether the retained data matches that need. Bad policy often starts with a real authentication problem and then over-collects.

      Attribution:
    • hennell #1
  3. For many people the privacy breach already happened

    A fatalist line ran through the comments that face collection is already everywhere. Phones, passports, airports, retail cameras, social networks, carriers, and mortgage systems already tie identity, location, and images together at scale. From that view, refusing one more facial check does little unless paired with broader limits on data brokerage, retention, and cross-system linkage.

    If you work on privacy policy or product design, focus not just on collection events but on downstream use, retention, and interoperability. Stopping one scan matters less if every database can still be joined later.

      Attribution:
    • SoftTalker #1
    • marcta #1
    • w4yai #1
    • schrodinger #1
  4. Pure refusal is not a complete answer

    Some readers thought the article loses force because it tells people to resist without offering a viable replacement for protecting children online. They argued that waving away the harms of social media or dumping the whole issue on parents will not persuade lawmakers who already see a real social problem. Opposition needs a concrete alternative, not just a veto.

    If you are lobbying against age-verification mandates, pair the objection with implementable substitutes. Device controls, browser ratings, parental tooling, and limited-scope age signals are more persuasive than blanket rejection.

      Attribution:
    • kspacewalk2 #1
    • sailfast #1

In plain English

digital credentials
Cryptographically signed digital documents that can prove facts such as age or identity online.
Digital Services Act
A European Union law that sets rules for online platforms, including moderation, complaints, and user protections.
EU
European Union, the political and economic bloc of European countries.
iCloud Private Relay
An Apple service that hides a user's IP address from websites by routing traffic through two separate internet relays.
IP
Internet Protocol address, a network identifier often used to locate or classify a device on the internet.
Meta
The company that owns Facebook, Instagram, WhatsApp, and other products.
Tor
A privacy network that routes internet traffic through multiple volunteer-run servers to make it harder to trace a user's location or identity.
