Hackers Expose The Massive Surveillance Stack Hiding Inside Your “Age Verification” Check — TechDirt
A couple weeks ago, Discord announced it would launch “teen-by-default” settings for its global audience, meaning all users would be shunted into a restricted experience unless they verified their age through biometric scanning. The internet, predictably, was not thrilled. But while many users were busy venting their frustration, a group of security researchers decided to do something more useful: they took a look under the hood at Persona, one of the companies Discord was using for verification (specifically for users in the UK).
What they found, according to The Rage, was exactly what we would predict:
Together with two other researchers, they set out to look into Persona, the San Francisco-based startup that’s used by Discord for biometric identity verification – and found a Persona frontend exposed to the open internet on a US government authorized server.
In 2,456 publicly accessible files, the code revealed the extensive surveillance Persona software performs on its users, bundled in an interface that pairs facial recognition with financial reporting – and a parallel implementation that appears designed to serve federal agencies.
Let me say that again: 2,456 publicly accessible files sitting on a government-authorized server, exposed to the open internet. Files that revealed a system performing not a simple age check, but a ton of potentially intrusive checks:
Once a user verifies their identity with Persona, the software performs 269 distinct verification checks and scours the internet and government sources for potential matches, such as by matching your face to politically exposed persons (PEPs), and generating risk and similarity scores for each individual. IP addresses, browser fingerprints, device fingerprints, government ID numbers, phone numbers, names, faces, and even selfie backgrounds are analyzed and retained for up to three years.
The information the software evaluates on the images themselves includes “Selfie Suspicious Entity Detection,” a “Selfie Age Inconsistency Comparison,” similar background detection, which appears to be matched to other users in the database, and a “Selfie Pose Repeated Detection,” which seems to be used to determine whether you are using the same pose as in previous pictures.
This was the same company checking whether a teenager should be allowed to use voice chat on a gaming platform.
Beyond offering simple services to estimate your age, Persona’s exposed code compares your selfie to watchlist photos using facial recognition, screens you against 14 categories of adverse media from mentions of terrorism to espionage, and tags reports with codenames from active intelligence programs consisting of public-private partnerships to combat online child exploitative material, cannabis trafficking, fentanyl trafficking, romance fraud, money laundering, and illegal wildlife trade.
So you wanted to verify you’re old enough to use voice chat, and now there’s a permanent risk score somewhere documenting whether you might be involved in illegal wildlife trafficking.
@adiz That's correct, Mitra FE is a lightweight client and doesn't produce ActivityPub messages. This is the responsibility of the server.
In FEP-ae97 the relationship is inverse: clients generate ActivityPub messages and the server only relays them.
So in order to make it all work, I need to somehow insert a FEP-ae97 client between Mitra and Mitra FE.
fun fact about this era of the ICQ protocol: It's apparently entirely UDP based, and I think it does UDP directly between users as well, rather than the server.
In other words, it's exactly the kind of internet program that only made sense in 1996-1999, before NAT was a widespread thing.
I'm having some sort of federation issue, for some servers [like mas.to, mastodon.social, mastodon.online or cyberplace.social], I get `"https://mas.to/inbox returned code 401"` in my logs if I toot or try to follow someone. Other servers are still fine with my server.
In env, I have
LOCAL_DOMAIN=kurumah.dev
WEB_DOMAIN=mastodon.kurumah.dev
I think the webfinger is fine.
I guess if you see this toot that means your server is also fine with mine.
Does anyone have any clue what it could be?
The current outage of archive.org's services shows us once again that the only centralized storage and provision of music by just one major provider is fragile. This also affects clongclongmoo. For example, all MouseMixes have disappeared until further notice. I think we need to think in a more decentralized way. Perhaps it would be a solution to at least store the current releases on a “dedicated” server.
In the meantime, all good @internetarchive Get back on your feet soon!
(…) on a personal website), which in turn enables service providers to offer their users a “BYO (Bring Your Own) domain name” feature.
That’s really all I ever needed from the notion of a ‘single-user instance’. All I want to manage on my own is my identity, not a full AP server.
In this paradigm, someone’s tiny personal website could also be their Actor-ID Provider, and nothing more. That ID could in turn be used as a (reasonably nomadic) account on any FEP-7952 compatible instance.
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.