Cloudflare starts blocking pirate sites for UK users

Shouldn't surprise absolutely nobody, once you become the gatekeeper of the Internet, you're going to gatekeep.

Now it's torrent sites and next it's going to be other things the party in charge doesn't like.

About a decade ago, there were proposals for a "driver's license for the internet."

Nowadays... I actually think it might be a lesser evil. Picture such an ID, if there were a standard for it, enrolled into your computer.

If it were properly built, your computer could provide proof of age, identity, or other verified attributes on approval. The ID could also have micro-transaction support, for allowing convenient pay-as-you-go 10 cents per article instead of paywalls, advertising, and subscriptions everywhere. Websites could just block all non-human traffic; awfully convenient in this era of growing spam, malware, AI slop, revenge porn, etc. Website operators, such as those of small forums, would have far less moderation and abuse prevention overhead.

Theoretically, it would also massively improve cybersecurity, if websites didn't actually need your credit card number and unique identity anymore. Theoretically, if it was tied to your ID, it's like Privacy.com but for every website; much lower transaction friction but much higher security.

I think that's the future at this rate. The only question is who decides how it is implemented.

Right, it's only natural; they MitM 20% of the internet.

Similarly, I struggle to believe they're not providing much of the data they collect to the CIA.

This is so naive. Big tech would be the first to get various exceptions to train their greedy AIs. They would lobby so hard to lock down personal computers, just to make sure you are not tampering with your digital passport. Google would finally have their wet dream of locked down PCs that have no adblock.

Politicians would be salivating at the idea of getting the real identities of dissenters, and religious fucks would finally have their way of banning porn and contraceptives.

You're assuming this isn't already in the works; I simply see it as we can make the standard now, or let the standard be dictated.

We're already seeing it piecemeal, with Cloudflare supporting skipping CAPTCHAs on verified iOS and macOS devices; mobile driver's license enrollment options on iOS; age verification rollouts for websites with no-doubt people thinking how to streamline things; etc.

I personally think we are one big cyberattack from the whole concept returning fast. One big cyberattack from governments (and people in general) saying they've had enough of the free-for-all status quo. This isn't a good place to be.

oh good, and your authoritarian government can know you're in the closet and trying to figure out how to leave the country, too!

no, fuck this idea so hard. if this is inevitable, our duty is to build technology that defeats it

Local ID Proofs =/= Surveillance

I'm in favour of A) a restricted internet with an encryption scheme based on state controlled hardware devices, like Estonia has, that's accessible by default from browsers, and B) an unrestricted internet that's available to anyone who clicks through a few scary browser warnings, but is generally regarded as weird, dangerous, and not commercially viable except for weird or dangerous stuff.

CIA front like snapchat with all on camera access. Nothing surprising

it absolutely will mean surveillance, unless you were born yesterday. governments will implement what you're describing in a way that is not privacy preserving

this is supposed to be HACKER news, not fucking bootlicker news

Yes, and we're losing. Why do you think the internet is covered in ads, 25% Cloudflare, infested with CAPTCHAs and IP blocking, and the problem gets worse every year?

There are real problems that haven't been fixed; the driver's license concept correctly implemented might be better than continuing down this path. I view it as we can make a good standard; or let a bad standard be dictated.

And then wait for when the well-funded and publicly supported A decides that B is evil and needs to be taken down.

German national ID has this built-in; you can cryptographically prove that you are currently in possession of an ID (and its PIN) over a certain age, for example, without revealing your date of birth. It's just not in widespread use.

You can create an ID card system that reliably verifies some sort of personal attribute (such as age) without revealing other personal information or a validation request being sent to the government which shares what sites you may or may not have been browsing

> Shouldn't surprise absolutely nobody...

...because this is far from the first time this has happened with Cloudflare.

Thank you for sharing this. I have been frustrated about the lack of chip and pin for IDs for years. We have had digital IDs in the form of debit/credit card since the 90s, and yet the governments have been agonizingly slow to adopt this (at least to me) painfully obvious idea. So good job Germany!

I think the point is that "can" is not the same as "will".

the number of people who work for (or defend those who work for) firms like raytheon, northrop grumman, palantir, meta, amazon, microsoft, alphabet, flock et al leads me to believe there are not enough people left to care about building this technology. we're cooked. too many developers lack the moral position necessary to turn the tide in a meaningfully widespread way - at best, it's "if not me, someone else will do this work anyways, so i might as well be the one collecting the paycheck/stock options." at worst, it's "i think it's a good thing to create tools to surveil/manipulate/kill people."

mourn the loss of the internet we knew and be ready to sacrifice ease of use to return to lower-tech/still-underground options.

Because only people who are engaging in cynicism can predict the future.

These are possible, there are zero-knowledge proof (ZKP) algorithms and whatnot, but it is not going to happen.

Chip and PIN is almost how electronic passports already work - it's just that the 'PIN' is printed in the passport itself, so in order for anybody to communicate with the chip, it has to see the page which has it printed in order to scan for it first.

> Yes, and we're losing. Why do you think

Obviously. Why do YOU think I'm angry-posting about it on the orange shithole site with the username "dingnuts" ?

CA DMV app lets me add my driver's license to my mobile wallet (which works with NFC).

Of course, it doesn't eliminate my legal responsibility to carry my driver's license while driving, and while the printed piece of plastic lasts five years and my passport booklet is legal I.D. for 10 years at a time, the mobile driver's license needs to be updated every 30 days.

The drivers license id doesn't solve anything but adds a layer of nonsense on top.

That doesn't stop cloudflares marketshare takeover. It doesn't stop CAPTCHA which will filter out bots using these ids. It provides an easy method for hackers to use. It filters out the curious kids.

In the end it solves nothing and creates more problems.

The level of discourse has drop here.

Someone steals your id creds and uses them as you is the simplest. The methods will range from stealing ids to breaking into auth servers to mitm attacks or fake ids and rogue auth servers. Everything works so well with video game protection methods now.. no one will be able to crack anything?

Cynicism wins the day because negative outcomes are easier to plan for than positive outcomes. Humans defaulting to optimistic outcomes of the future often end up littering the ground with externalities that they failed to consider. And we also only have a single model for infinite growth (cancer) that always leads to destruction, so relentless optimism as a biological organism means a need for infinite growth, which we only know to be a path to destruction.

The answer, therefore, is not bitching on the internet about all the wet blankets who only see negative outcomes, but acknowledging that everything we know needs to end eventually including ourselves, and balancing optimism for the short term with cynicism for the long term. And thus discovering that a healthy cynicism for the future predictions is probably appropriate, unless you truly want to live forever and have infinite energy for everything. But that's a god.

Most ads that I see these days are from Big Tech megacorps. Do you seriously think that having a "driver license for the Internet" would mean that the likes of Google and Meta would stop?

The recipes and tools for bypassing these kinds of blocks (and far worse ones as well - compared to what Russia and China are doing, this is child play) are one search away. The only thing necessary is the desire to actually do it.

Realistically, the moment the two are decoupled, B) is going to be banned and blocked outright - and the more they are decoupled, the easier it would be to ban. By and large, the only reason why it's still possible to access "dark" content online is because it's so intermeshed with the more mundane stuff on infrastructure level that the most efficient blocking methods have unacceptably high levels of collateral damage.

Easier to plan for is an interesting lens to look through, can't immediately discard it for sure.

From my perspective, negative expectations do have a higher chance of turning out real, but because negative expectations most often are just code for human misalignment. We have some philosophical, instinctual, or aesthetic (etc.) preferences, but then reality is always going to be broader than that. So you're bound to hit things that are in misalignment. It takes active effort to cultivate the world to be whatever particular way. But this is also why I find simple pleas to cynicism particularly hollow. It comes off as resignation, exactly where the opposite is what would be most required.

Some of us learn from experience and make predictions based on past actions by the governments.

That's a fair counter argument, and I do genuinely believe (not know) that everyone needs a balance of cynicism and optimism to function optimally as a human. I also believe the resignation you feel from cynicism is rampant exactly because as humans we've become very good at basic survival and beyond that it's not totally clear what our targets for living should be. Certainly we can all agree that trying to harness ever more energy and growing forever can't be the target. But that's all we've done for two millennia now. How to we avoid becoming a cancer to our planet (or any other environment we find ourselves in)?

First, while there's research on the math for things like ZNP, there is a shocking lack of research on security vulnerabilities for the actual implementations of such age verification systems which should make anyone using them extremely nervous.

Second, if a porn website, social media, video game or whatever other thing regulators want to discourage people visiting kicks you off into an age verification takes requires you to some system/site, even an independent one, that requires you upload your ID, a fair number of people will simply refuse simply due to lack of understanding in how it works and trust that it actually is anonymous.

Third, every implementation I've seen doesn't work for some/all non-citizens/tourists.

And finally and more importantly, the ease at bypassing those systems means it's unlikely to stop anyone underage and ultimately is no better than existing parental control software, so all one is doing is restricting speech for adults.

Those are trivial problems compared to an internet linked to your identity.

Clicking through some captchas and installing an adblocker just isn't the hard life you're trying to claim it is.

To the surprise of many, Google recently announced it is already integrating ZK-proof-of-age into Google Wallet with those kinds of properties, open sourcing the underlying libraries, and working with governments to encourage their ZKP system's adoption for exactly this sort of problem.

- [2025-04-29] https://blog.google/products/google-pay/google-wallet-age-id...

- [2025-07-03] https://blog.google/technology/safety-security/opening-up-ze...

- [2025-06-11] https://zeroknowledge.fm/podcast/363/

The rich and powerful have always worked very hard to keep their position. They have vastly more resources than the rest of us to throw at the problem. It's not cynicism to predict that every tool will be used to make our lives worse unless it helps them get richer and more powerful.

Trauma sufferers also just learned from experience.

At least in the current system, there are some websites where you don't have to prove your real identity. Hacker News, for example.

In an internet driver's license system, remember that your computer would have to be locked down, and only able to access government-approved websites using government-approved clients - something like they have in China, or like using an iPhone but worse.

Once the ability for any site to verify your identity was set up, all sites would have to verify your identity, or lose their own verification, under one of many standard excuses like protecting the children.

I'm aware that this might very well be "in the works", what's your point with that? Who is this "we" you are talking about? Are you going to publish a repository on github about what you believe is the ethical way to do this, and you expect Google to follow, or ???

What is this "one big cyberattack away" that you are talking about? Large sites get hacked all the time, and _nobody_ in power gives a single flying fuck. There are zero people held responsible for storing passwords in plaintext, or the admin password set to "123456" or passwords left as the default.

Seriously, what are you talking about?

Is it? When did it happen before?

I don't see how you'd decouple one from the other, given that it's essentially just giving the user their own encryption certificate. Have the EU pass legislation saying that you can't request that the user sign anything unless they're in the process of making an account.

Why have the digital version of you need the plastic copy still?

> You're assuming this isn't already in the works; I simply see it as we can make the standard now, or let the standard be dictated.

The difference is we've grandfathered in a lot of older technology - x86, old desktop operating systems like Windows and Linux, old browsers, BIOS, etc. So the existing tools we have for censorship have to work around these existing platforms.

These platforms were created in a time where user control was paramount and security was an afterthought. They often do not have the mechanisms required to lock down the boot loader 100% of the time, or give a verified boot chain, or make sure the display signal isn't being intercepted. Our DRM and censorship, then, is very limited. I mean, even with secure boot - I can just turn that off. I can just turn on legacy MBR BIOS mode too. What now?

On other, newer, platforms, like your smartphone or smart TV, you'll notice the DRM is much stronger. Try changing out your OS on an iPhone. These platforms are ripe for the picking when it comes to censorship you can't circumvent.

So long as these older platforms exist, the usecases must be supported. Sure, we can "streamline" things on DRM heavy platforms like iOS - but we need to keep a trapdoor. Who is going to alienate Windows? Or x86 as a whole?

Making things secure and private is hard. There's a lot of hoops to jump through.

Naive implementations are easy and cheap. And, if these tools and their entire software tree is not open-source, we cannot verify it's security.

We just have to trust that the developers are good at what they're doing. When every company under the sun has had multiple data breeches, I'm not too keen to do that.

Open-source the entire stack, show me a few white papers proving it's cryptographically sound, then I'll consider it. Until then, we should do with these tools what they deserve: being shoved up the government's ass.

I, for one, would publically publish my credentials so that others could use them.

The problem is national security consequences of it. Handing out nation-backed ID card tied to secure identity undermines sovereignty of the nation, because it means Walmart and likes can (illegally) exert political influence by silently or openly classing and discriminating you.

It is important that personal ID is only transparent and spoof-proof to legitimate government the individual identifies with, and that soft ID databases that private entities may build have limitations in its completeness.

That's not trivial to do right, especially through bureaucratic government processes.

No, just no. The Internet was at its best when it was centralized and anonymous. Let's keep it that way.