With how quickly fraud is evolving due to AI, online identity now collects more data than ever. Privacy feels like an inevitable sacrifice. We don’t believe it has to be, so we built Relay. Relay verifies you are human, but keeps your activity private. Persona never sees who you share this proof with or what you’re doing online, and the website you’re trying to verify with never sees any of your personal information. Identity and privacy don’t have to be a tradeoff.

There are now more than 70 age verification laws proposed or enforced around the world, all with their own unique requirements. We built Atlas for: 1/ compliance teams to help stay up-to-date with the dizzying regulatory landscape 2/ the public to track emerging laws and engage with regulators to shape these laws for the better For the average company, non-compliance is a non-starter. The largest of these fines can be up to 10% of a company’s global revenue or $250,000 per violation per minor. For the public, an overreaching law mandates overly-intrusive forms of verification from apps and individuals who shouldn’t be impacted, fueling concern and conspiracy around its true motivation.

CEO of identity company probably shouldn’t conspiracy-post about the source of age verification laws but this is my actual unironic take > election year in politically polarized countries > conservatives think adult content is bad for kids > progressives think social media is bad for kids > everyone on red alert for grooming > age verification weirdly bipartisan issue > politicians want to be reelected > governments scared to be seen as ineffective > every state/country passes one age verification law to solve everything > mfw using one legal framework for totally different problems > big tech legal departments don’t want liability > big tech call lobbyists, “make this not my problem” > big tech write blank checks > some tech write blanker checks > some laws move from platform to distributors > linux has no checks > some laws move to OS > nobody happy because laws are different everywhere > nothing makes sense > chaos ensues My thoughts on how things could be better: 1/ Split requirements for access to 18 content vs. community safety 2/ Access to 18 content should be determined by parental controls when possible 3/ Community safety should be treated as a fraud problem 4/ Platforms should determine the best anti-fraud tools to use based off what problems they're trying to solve (learning from @vxunderground on how to format tweets)

I believe there’s so much unnecessary confusion, frustration, and debate around age verification because we're treating two very different problems as one: 1/ Stopping kids from seeing inappropriate content 2/ Stopping adults from pretending to be kids I get why these are discussed together. Too much of (2) increases the risk of (1). But not all platforms face both challenges and certainly not at the same level, and treating them as the same problem leads to the wrong solutions and the wrong tradeoffs. I’m not a policy maker, but from our work at Persona, I’ve seen that the challenges, risks, and solutions for each of these problems are wildly different. Keeping kids from inappropriate content is a household-level problem. I don’t want to downplay the risks of social media or exposure to adult content. However, sacrificing broad privacy to solve what is fundamentally a parental controls problem doesn’t feel like a great bargain. Stopping adults from impersonating kids is a platform-level problem. It jeopardizes the safety and integrity of the community and at its core, it's fraud where adults have far more resources than kids. Unfortunately, the challenge is that more effective solutions tend to compromise more privacy. The best approaches evaluate how much of a tradeoff is worthwhile given the risks. When the risks of a technology don’t match the benefits of the problem it solves, public concern is justified. Applying fraud prevention techniques to what should be a parental controls problem is overreach. And a half-baked solution to adult impersonation is possibly worse. It’s security theatre where privacy is sacrificed but minimal assurance is gained. The more I work on this and the more I hear from all of you, the more I believe that if some privacy must be lost, some privacy should be gained elsewhere in return. The right framework is one that splits knowledge to prevent abuse. No single organization should know both: 1/ who you are 2/ what you are doing If Persona has to know who you are, we should make sure we don’t know what you’re doing or what app you’re using. And if a platform knows what you’re doing, they shouldn’t know who you are. This is not where the world is at today, and this framework is by no means perfect. But I think it’s better, and I’d love your feedback as we build it.

Been reading the @withpersona incident write up as a bunch of people have asked “will the data be going into @haveibeenpwned?” Easy answer: no, because there’s no data: withpersona.com/blog/post-in…

celeste has published the 2nd part of their research. It has been delightful communicating with them, even with all of the stress, noise, and chaos. We are still committed to responding to the rest of their questions, but I would encourage reading their subsequent findings here

They were right. I should have listened. The internet is just too powerful. I caved to the pressure. I don't want to be a hypocrite anymore.