from the back-on-the-practice-squad dept

Border Patrol commander Greg Bovino has been sent back to the border after making himself the Nazi scum face of the Trump administration’s brutal efforts to purge this country of as many non-white people as possible.

Bovino made it clear what team he really wanted to play for before Trump was even sworn in for the second time. After Trump’s election win (but before Trump actually took office), Bovino self-authorized an expansive anti-migrant operation without bothering to check in with DHS leadership to make sure he was cleared to do this.

Trump is always capable of recognizing opportunistic thugs whose dark hearts are as corroded as his own. Bovino was swiftly elevated to an unappointed position as the nominal head of Trump’s many inland invasions of cities run by the opposing political party. Bovino embraced the role of shitheel thug, leading directly to court orders that attempted to restrain his brutal actions. Bovino appeared willing to ignore most court orders he was hit with, increasing his brutality and his public contempt of not only court orders, but the judges themselves, who he insulted during public statements to journalists.

After two murders in three weeks, the Trump administration started to realize it has lost the “hearts and minds” battle with most US citizens and residents. While ICE operations continue to be indistinguishable from kidnapping and the DHS is still ambushing migrants attempting to follow the terms of their supervised release agreements, Bovino has become the now-unacceptable personification of the administration’s bigoted war on migrants.

Bovino has been sent back down to the minors, so to speak. He’s been removed from high-profile surges in Chicago and Minneapolis and remanded to his former patrol area, which is much, much closer to the US border where there’s nearly no immigration activity happening thanks to the ongoing war on migrants.

Insubordination is fine as long as it doesn’t create friction Trump may have to eventually deal with. Bovino, however, is just as incapable of picking his battles as the president himself. Too many cocks spoil the broth, as the saying (almost) goes.

Thanks to a leaked email shared with NBC, we now know more about Bovino’s resistance to anyone anywhere who attempted to tell him what to do.

Bovino wanted to conduct large-scale immigration sweeps during an operation in Chicago in September, but the acting director of Immigration and Customs Enforcement, Todd Lyons, told him the focus was to conduct “targeted operations,” arresting only of people known to federal agents ahead of time for their violations of immigration law or other laws, according to the correspondence.

“Mr. Lyons seemed intent that CBP conduct targeted operations for at least two weeks before transitioning to full scale immigration enforcement,” Bovino wrote in an email to Department of Homeland Security leaders in Washington, referring to Customs and Border Protection, which oversees Border Patrol agents. “I declined his suggestion. We ended the conversation shortly thereafter.”

Advertisement

Keep in mind that Bovino is a Border Patrol commander who was working nowhere near the border. Also, keep in mind that ICE is the lead agency in any immigration enforcement efforts because… well, it’s in the name: Immigration and Customs Enforcement. This is Bovino not only giving the finger to the chain of command, but also insisting his agency (along with the CBP) take the lead in Midwestern apprehensions, despite neither agency having much in the terms of training for inland operations.

Speaking of chain of command, the commander of an agency that’s a component of the DHS made it clear he believed he didn’t have to answer to the DHS either, as Leigh Kimmons reports in their article for the Daily Beast:

The email also revealed a rather bizarre chain of command, with Bovino saying he reported to Noem’s aide, Corey Lewandowski, and appearing to defy Lyons’ authority. “Mr. Lyons said he was in charge, and I corrected him saying I report to Corey Lewandowski,” Bovino reportedly said of the unpaid special government employee.

This email makes one thing perfectly clear: Bovino appeared to believe he answered to no one. And he would only “report” to people he felt wouldn’t push back against his confrontational, rights-violating efforts. This probably would have never been a problem, but Bovino consistently crossed lines that even Trump’s high-level sycophantic bigots were hesitant to cross.

And now he’s the one who is experiencing the “find out” part that usually follows the “fucking around.” He’s been sidelined, perhaps permanently. Acting ICE director Todd Lyons is the new face of Trump’s inland invasions. Kristi Noem herself seems to be on the list of potential cuts, should the administration continue its on-again, off-again pivot to a less outwardly racist agenda when it comes to immigration enforcement.

But I’m not here to damn with faint praise or even damn with faint damnation. I hope Bovino’s last years as a Border Patrol commander are as terrible as his haircut. I hope Todd Lyons veers so far to the middle that Trump shitcans him. I hope Noem is on the path to private sector employment, tainted with the scarlet “T” that means any future version of MAGA won’t even bother to check in with her now that the only people she can make miserable are her own children. Adios, Bovino. Sleep badly.

Filed Under: cbp, chicago, dhs, gregory bovino, ice, kristi noem, leaks, mass deportation, minneapolis, minnesota, todd lyons, trump administration

Microsoft has announced Windows 11 26H1, but it’s not for existing PCs. Instead, it will ship on devices with Snapdragon X2 processors and possibly other rumored ARM chips.

Microsoft insists Windows 11 is still following an annual update cadence, which means Windows 11 26H2 is likely on track.

According to Microsoft, Windows 11 26H1 is based on a new platform release to support the upcoming ARM chips.

In a press release, Microsoft says it worked with OEMs and IHVs to support new device innovations and development via a new Windows Update.

“That means that this release is not being made available through broad channels but is only intended for those who purchase these new devices. At this time, devices with Qualcomm Snapdragon® X2 Series processors will come with Windows 11, version 26H1,” Microsoft noted.

“Organizations should continue to purchase, deploy, and manage devices running broadly released versions of Windows 11 (e.g. versions 24H2 and 25H2) with confidence.”

Microsoft also has an FAQ that clarifies version 26H1 is not a feature update for version 25H2, and that “there is no need to pause device purchases or OS deployments, and no changes are required to existing enterprise rollout plans.”

Devices running Windows 11 26H1 won’t get specific new features, as changes will be shared across platform releases, but version 26H1 should offer better performance or battery life on new ARM PCs.

All other PCs should get Windows 11 26H2 later this year, but Microsoft hasn’t confirmed the fall release yet.

Modern IT infrastructure moves faster than manual workflows can handle.

In this new Tines guide, learn how your team can reduce hidden manual delays, improve reliability through automated response, and build and scale intelligent workflows on top of tools you already use.

Get the guide

RAG isn’t always fast enough or intelligent enough for modern agentic AI workflows. As teams move from short-lived chatbots to long-running, tool-heavy agents embedded in production systems, those limitations are becoming harder to work around.

In response, teams are experimenting with alternative memory architectures — sometimes called contextual memory or agentic memory — that prioritize persistence and stability over dynamic retrieval.

One of the more recent implementations of this approach is “observational memory,” an open-source technology developed by Mastra, which was founded by the engineers who previously built and sold the Gatsby framework to Netlify.

Unlike RAG systems that retrieve context dynamically, observational memory uses two background agents (Observer and Reflector) to compress conversation history into a dated observation log. The compressed observations stay in context, eliminating retrieval entirely. For text content, the system achieves 3-6x compression. For tool-heavy agent workloads generating large outputs, compression ratios hit 5-40x.

The tradeoff is that observational memory prioritizes what the agent has already seen and decided over searching a broader external corpus, making it less suitable for open-ended knowledge discovery or compliance-heavy recall use cases.

The system scored 94.87% on LongMemEval using GPT-5-mini, while maintaining a completely stable, cacheable context window. On the standard GPT-4o model, observational memory scored 84.23% compared to Mastra’s own RAG implementation at 80.05%.

“It has this great characteristic of being both simpler and it is more powerful, like it scores better on the benchmarks,” Sam Bhagwat, co-founder and CEO of Mastra, told VentureBeat.

How it works: Two agents compress history into observations

The architecture is simpler than traditional memory systems but delivers better results. 

Observational memory divides the context window into two blocks. The first contains observations — compressed, dated notes extracted from previous conversations. The second holds raw message history from the current session.

Two background agents manage the compression process. When unobserved messages hit 30,000 tokens (configurable), the Observer agent compresses them into new observations and appends them to the first block. The original messages get dropped. When observations reach 40,000 tokens (also configurable), the Reflector agent restructures and condenses the observation log, combining related items and removing superseded information.

“The way that you’re sort of compressing these messages over time is you’re actually just sort of getting messages, and then you have an agent sort of say, ‘OK, so what are the key things to remember from this set of messages?’” Bhagwat said. “You kind of compress it, and then you get in another 30,000 tokens, and you compress that.”

The format is text-based, not structured objects. No vector databases or graph databases required.

Stable context windows cut token costs up to 10x

The economics of observational memory come from prompt caching. Anthropic, OpenAI, and other providers reduce token costs by 4-10x for cached prompts versus those that are uncached. Most memory systems can’t take advantage of this because they change the prompt every turn by injecting dynamically retrieved context, which invalidates the cache. For production teams, that instability translates directly into unpredictable cost curves and harder-to-budget agent workloads.

Observational memory keeps the context stable. The observation block is append-only until reflection runs, which means the system prompt and existing observations form a consistent prefix that can be cached across many turns. Messages keep getting appended to the raw history block until the 30,000 token threshold hits. Every turn before that is a full cache hit.

When observation runs, messages are replaced with new observations appended to the existing observation block. The observation prefix stays consistent, so the system still gets a partial cache hit. Only during reflection (which runs infrequently) is the entire cache invalidated.

The average context window size for Mastra’s LongMemEval benchmark run was around 30,000 tokens, far smaller than the full conversation history would require.

Why this differs from traditional compaction

Most coding agents use compaction to manage long context. Compaction lets the context window fill all the way up, then compresses the entire history into a summary when it’s about to overflow. The agent continues, the window fills again, and the process repeats.

Compaction produces documentation-style summaries. It captures the gist of what happened but loses specific events, decisions and details. The compression happens in large batches, which makes each pass computationally expensive. That works for human readability, but it often strips out the specific decisions and tool interactions agents need to act consistently over time.

The Observer, on the other hand, runs more frequently, processing smaller chunks. Instead of summarizing the conversation, it produces an event-based decision log — a structured list of dated, prioritized observations about what specifically happened. Each observation cycle handles less context and compresses it more efficiently.

The log never gets summarized into a blob. Even during reflection, the Reflector reorganizes and condenses the observations to find connections and drop redundant data. But the event-based structure persists. The result reads like a log of decisions and actions, not documentation.

Enterprise use cases: Long-running agent conversations

Mastra’s customers span several categories. Some build in-app chatbots for CMS platforms like Sanity or Contentful. Others create AI SRE systems that help engineering teams triage alerts. Document processing agents handle paperwork for traditional businesses moving toward automation.

What these use cases share is the need for long-running conversations that maintain context across weeks or months. An agent embedded in a content management system needs to remember that three weeks ago the user asked for a specific report format. An SRE agent needs to track which alerts were investigated and what decisions were made.

“One of the big goals for 2025 and 2026 has been building an agent inside their web app,” Bhagwat said about B2B SaaS companies. “That agent needs to be able to remember that, like, three weeks ago, you asked me about this thing, or you said you wanted a report on this kind of content type, or views segmented by this metric.”

In those scenarios, memory stops being an optimization and becomes a product requirement — users notice immediately when agents forget prior decisions or preferences.

Observational memory keeps months of conversation history present and accessible. The agent can respond while remembering the full context, without requiring the user to re-explain preferences or previous decisions.

The system shipped as part of Mastra 1.0 and is available now. The team released plug-ins this week for LangChain, Vercel’s AI SDK, and other frameworks, enabling developers to use observational memory outside the Mastra ecosystem.

What it means for production AI systems

Observational memory offers a different architectural approach than the vector database and RAG pipelines that dominate current implementations. The simpler architecture (text-based, no specialized databases) makes it easier to debug and maintain. The stable context window enables aggressive caching that cuts costs. The benchmark performance suggests that the approach can work at scale.

For enterprise teams evaluating memory approaches, the key questions are:

• How much context do your agents need to maintain across sessions?

• What’s your tolerance for lossy compression versus full-corpus search?

• Do you need the dynamic retrieval that RAG provides, or would stable context work better?

• Are your agents tool-heavy, generating large amounts of output that needs compression?

The answers determine whether observational memory fits your use case. Bhagwat positions memory as one of the top primitives needed for high-performing agents, alongside tool use, workflow orchestration, observability, and guardrails. For enterprise agents embedded in products, forgetting context between sessions is unacceptable. Users expect agents to remember their preferences, previous decisions and ongoing work.

“The hardest thing for teams building agents is the production, which can take time,” Bhagwat said. “Memory is a really important bit in that, because it’s just jarring if you use any sort of agentic tool and you sort of told it something and then it just kind of forgot it.”

As agents move from experiments to embedded systems of record, how teams design memory may matter as much as which model they choose.

from the getting-around-the-age-gate dept

EFF is against age gating and age verification mandates, and we hope we’ll win in getting existing ones overturned and new ones prevented. But mandates are already in effect, and every day many people are asked to verify their age across the web, despite prominent cases of sensitive data getting leaked in the process.

At some point, you may have been faced with the decision yourself: should I continue to use this service if I have to verify my age? And if so, how can I do that with the least risk to my personal information? This is our guide to navigating those decisions, with information on what questions to ask about the age verification options you’re presented with, and answers to those questions for some of the top most popular social media sites. Even though there’s no way to implement mandated age gates in a way that fully protects speech and privacy rights, our goal here is to help you minimize the infringement of your rights as you manage this awful situation.

Follow the Data

Since we know that leaks happen despite the best efforts of software engineers, we generally recommend submitting the absolute least amount of data possible. Unfortunately, that’s not going to be possible for everyone. Even facial age estimation solutions where pictures of your face never leave your device, offering some protection against data leakage, are not a good option for all users: facial age estimation works less well for people of color, trans and nonbinary people, and people with disabilities. There are some systems that use fancy cryptography so that a digital ID saved to your device won’t tell the website anything more than if you meet the age requirement, but access to that digital ID isn’t available to everyone or for all platforms. You may also not want to register for a digital ID and save it to your phone, if you don’t want to take the chance of all the information on it being exposed upon request of an over-zealous verifier, or you simply don’t want to be a part of a digital ID system

If you’re given the option of selecting a verification method and are deciding which to use, we recommend considering the following questions for each process allowed by each vendor:

• Data: What info does each method require?
• Access: Who can see the data during the course of the verification process?
• Retention: Who will hold onto that data after the verification process, and for how long?
• Audits: How sure are we that the stated claims will happen in practice? For example, are there external audits confirming that data is not accidentally leaked to another site along the way? Ideally these will be in-depth, security-focused audits by specialized auditors like NCC Group or Trail of Bits, instead of audits that merely certify adherence to standards. 
• Visibility: Who will be aware that you’re attempting to verify your age, and will they know which platform you’re trying to verify for?

We attempt to provide answers to these questions below. To begin, there are two major factors to consider when answering these questions: the tools each platform uses, and the overall system those tools are part of.

In general, most platforms offer age estimation options like face scans as a first line of age assurance. These vary in intrusiveness, but their main problem is inaccuracy, particularly for marginalized users. Third-party age verification vendors Private ID and k-ID offer on-device facial age estimation, but another common vendor, Yoti, sends the image to their servers during age checks by some of the biggest platforms. This risks leaking the images themselves, and also the fact that you’re using that particular website, to the third party. 

Then, there’s the document-based verification services, which require you to submit a hard identifier like a government-issued ID. This method thus requires you to prove both your age and your identity. A platform can do this in-house through a designated dataflow, or by sending that data to a third party. We’ve already seen examples of how this can fail. For example, Discord routed users’ ID data through its general customer service workflow so that a third-party vendor could perform manual review of verification appeals. No one involved ever deleted users’ data, so when the system was breached, Discord had to apologize for the catastrophic disclosure of nearly 70,000 photos of users’ ID documents. Overly long retention periods expose documents to risk of breaches and historical data requests. Some document verifiers have retention periods that are needlessly long. This is the case with Incode, which provides ID verification for Tiktok. Incode holds onto images forever by default, though TikTok should automatically start the deletion process on your behalf.

Some platforms offer alternatives, like proving that you own a credit card, or asking for your email to check if it appears in databases associated with adulthood (like home mortgage databases). These tend to involve less risk when it comes to the sensitivity of the data itself, especially since credit cards can be replaced, but in general still undermine anonymity and pseudonymity and pose a risk of tracking your online activity. We’d prefer to see more assurances across the board about how information is handled.

Each site offers users a menu of age assurance options to choose from. We’ve chosen to present these options in the rough order that we expect most people to prefer. Jump directly to a platform to learn more about its age checks:

Meta – Facebook, Instagram, WhatsApp, Messenger, Threads

If Meta can guess your age, you may never even see an age verification screen. Meta, which runs Facebook, Threads, Instagram, Messenger, and WhatsApp, first tries to use information you’ve posted to guess your age, like looking at “Happy birthday!” messages. It’s a creepy reminder that they already have quite a lot of information about you.

If Meta cannot guess your age, or if Meta infers you’re too young, it will next ask you to verify your age using either facial age estimation, or by uploading your photo ID. 

Face Scan

If you choose to use facial age estimation, you’ll be sent to Yoti, a third-party verification service. Your photo will be uploaded to their servers during this process. Yoti claims that “as soon as an age has been estimated, the facial image is immediately and permanently deleted.” Though it’s not as good as not having that data in the first place, Yoti’s security measures include a bug bounty program and annual penetration testing. Researchers from Mint Secure found that Yoti’s app and website are filled with trackers, so the fact that you’re verifying your age could be not only shared to Yoti, but leaked to third-party data brokers as well. 

You may not want to use this option if you’re worried about third parties potentially being able to know you’re trying to verify your age with Meta. You also might not want to use this if you’re worried about a current picture of your face accidentally leaking—for example, if elements in the background of your selfie might reveal your current location. On the other hand, if you consider a selfie to be less sensitive than a photograph of your ID, this option might be better. If you do choose (or are forced to) use the face check system, be sure to snap your selfie without anything you’d be concerned with identifying your location or embarrassing you in the background in case the image leaks.

Upload ID

If Yoti’s age estimation decides your face looks too young, or if you opt out of facial age estimation, your next recourse is to send Meta a photo of your ID. Meta sends that photo to Yoti to verify the ID. Meta says it will hold onto that ID image for 30 days, then delete it. Meanwhile, Yoti claims it will delete the image immediately after verification. Of course, bugs and process oversights exist, such as accidentally replicating information in logs or support queues, but at least they have stated processes. Your ID contains sensitive information such as your full legal name and home address. Using this option not only runs the (hopefully small, but never nonexistent) risk of that data getting leaked through errors or hacking, but it also lets Meta see the information needed to tie your profile to your identity—which you may not want. If you don’t want Meta to know your name and where you live, or rely on both Meta and Yoti to keep to their deletion promises, this option may not be right for you.

Google – Gmail, YouTube 

If Google can guess your age, you may never even see an age verification screen. Your Google account is typically connected to your YouTube account, so if (like mine) your YouTube account is old enough to vote, you may not need to verify your Google account at all. Google first uses information it already knows to try to guess your age, like how long you’ve had the account and your YouTube viewing habits. It’s yet another creepy reminder of how much information these corporations have on you, but at least in this case they aren’t likely to ask for even more identifying data.

If Google cannot guess your age, or decides you’re too young, Google will next ask you to verify your age. You’ll be given a variety of options for how to do so, with availability that will depend on your location and your age.

Google’s methods to assure your age include ID verification, facial age estimation, verification by proxy, and digital ID. To prove you’re over 18, you may be able to use facial age estimation, give Google your credit card information, or tell a third-party provider your email address.

Face Scan

If you choose to use facial age estimation, you’ll be sent to a website run by Private ID, a third-party verification service. The website will load Private ID’s verifier within the page—this means that your selfie will be checked without any images leaving your device. If the system decides you’re over 18, it will let Google know that, and only that. Of course, no technology is perfect—should Private ID be mandated to target you specifically, there’s nothing to stop it from sending down code that does in fact upload your image, and you probably won’t notice. But unless your threat model includes being specifically targeted by a state actor or Private ID, that’s unlikely to be something you need to worry about. For most people, no one else will see your image during this process. Private ID will, however, be told that your device is trying to verify your age with Google and Google will still find out if Private ID thinks that you’re under 18.

If Private ID’s age estimation decides your face looks too young, you may next be able to decide if you’d rather let Google verify your age by giving it your credit card information, photo ID, or digital ID, or by letting Google send your email address to a third-party verifier.

Email Usage

If you choose to provide your email address, Google sends it on to a company called VerifyMy. VerifyMy will use your email address to see if you’ve done things like get a mortgage or paid for utilities using that email address. If you use Gmail as your email provider, this may be a privacy-protective option with respect to Google, as Google will then already know the email address associated with the account. But it does tell VerifyMy and its third-party partners that the person behind this email address is looking to verify their age, which you may not want them to know. VerifyMy uses “proprietary algorithms and external data sources” that involve sending your email address to “trusted third parties, such as data aggregators.” It claims to “ensure that such third parties are contractually bound to meet these requirements,” but you’ll have to trust it on that one—we haven’t seen any mention of who those parties are, so you’ll have no way to check up on their practices and security. On the bright side, VerifyMy and its partners do claim to delete your information as soon as the check is completed.

Credit Card Verification

If you choose to let Google use your credit card information, you’ll be asked to set up a Google Payments account. Note that debit cards won’t be accepted, since it’s much easier for many debit cards to be issued to people under 18. Google will then charge a small amount to the card, and refund it once it goes through. If you choose this method, you’ll have to tell Google your credit card info, but the fact that it’s done through Google Payments (their regular card-processing system) means that at least your credit card information won’t be sitting around in some unsecured system. Even if your credit card information happens to accidentally be leaked, this is a relatively low-risk option, since credit cards come with solid fraud protection. If your credit card info gets leaked, you should easily be able to dispute fraudulent charges and replace the card.

Digital ID

If the option is available to you, you may be able to use your digital ID to verify your age with Google. In some regions, you’ll be given the option to use your digital ID. In some cases, it’s possible to only reveal your age information when you use a digital ID. If you’re given that choice, it can be a good privacy-preserving option. Depending on the implementation, there’s a chance that the verification step will “phone home” to the ID provider (usually a government) to let them know the service asked for your age. It’s a complicated and varied topic that you can learn more about by visiting EFF’s page on digital identity.

Upload ID

Should none of these options work for you, your final recourse is to send Google a photo of your ID. Here, you’ll be asked to take a photo of an acceptable ID and send it to Google. Though the help page only states that your ID “will be stored securely,” the verification process page says ID “will be deleted after your date of birth is successfully verified.” Acceptable IDs vary by country, but are generally government-issued photo IDs. We like that it’s deleted immediately, though we have questions about what Google means when it says your ID will be used to “improve [its] verification services for Google products and protect against fraud and abuse.” No system is perfect, and we can only hope that Google schedules outside audits regularly.

TikTok

If TikTok can guess your age, you may never even see an age verification notification. TikTok first tries to use information you’ve posted to estimate your age, looking through your videos and photos to analyze your face and listen to your voice. By uploading any videos, TikTok believes you’ve given it consent to try to guess how old you look and sound.

If TikTok decides you’re too young, appeal to revoke their age decision before the deadline passes. If TikTok cannot guess your age, or decides you’re too young, it will automatically revoke your access based on age—including either restricting features or deleting your account. To get your access and account back, you’ll have a limited amount of time to verify your age. As soon as you see the notification that your account is restricted, you’ll want to act fast because in some places you’ll have as little as 23 days before the deadline passes.

When you get that notification, you’re given various options to verify your age based on your location.

Face Scan

If you’re given the option to use facial age estimation, you’ll be sent to Yoti, a third-party verification service. Your photo will be uploaded to their servers during this process. Yoti claims that “as soon as an age has been estimated, the facial image is immediately and permanently deleted.” Though it’s not as good as not having that data in the first place, Yoti’s security measures include a bug bounty program and annual penetration testing. However, researchers from Mint Secure found that Yoti’s app and website are filled with trackers, so the fact that you’re verifying your age could be leaked not only to Yoti, but to third-party data brokers as well.

You may not want to use this option if you’re worried about third parties potentially being able to know you’re trying to verify your age with TikTok. You also might not want to use this if you’re worried about a current picture of your face accidentally leaking—for example, if elements in the background of your selfie might reveal your current location. On the other hand, if you consider a selfie to be less sensitive than a photograph of your ID or your credit card information, this option might be better. If you do choose (or are forced to) use the face check system, be sure to snap your selfie without anything you’d be concerned with identifying your location or embarrassing you in the background in case the image leaks.

Credit Card Verification

If you have a credit card in your name, TikTok will accept that as proof that you’re over 18. Note that debit cards won’t be accepted, since it’s much easier for many debit cards to be issued to people under 18. TikTok will charge a small amount to the credit card, and refund it once it goes through. It’s unclear if this goes through their regular payment process, or if your credit card information will be sent through and stored in a separate, less secure system. Luckily, these days credit cards come with solid fraud protection, so if your credit card gets leaked, you should easily be able to dispute fraudulent charges and replace the card. That said, we’d rather TikTok provide assurances that the information will be processed securely.

Credit Card Verification of a Parent or Guardian

Sometimes, if you’re between 13 and 17, you’ll be given the option to let your parent or guardian confirm your age. You’ll tell TikTok their email address, and TikTok will send your parent or guardian an email asking them (a) to confirm your date of birth, and (b) to verify their own age by proving that they own a valid credit card. This option doesn’t always seem to be offered, and in the one case we could find, it’s possible that TikTok never followed up with the parent. So it’s unclear how or if TikTok verifies that the adult whose email you provide is your parent or guardian. If you want to use credit card verification but you’re not old enough to have a credit card, and you’re ok with letting an adult know you use TikTok, this option may be reasonable to try.

Photo with a Random Adult?

Bizarrely, if you’re between 13 and 17, TikTok claims to offer the option to take a photo with literally any random adult to confirm your age. Its help page says that any trusted adult over 25 can be chosen, as long as they’re holding a piece of paper with the code on it that TikTok provides. It also mentions that a third-party provider is used here, but doesn’t say which one. We haven’t found any evidence of this verification method being offered. Please do let us know if you’ve used this method to verify your age on TikTok!

Photo ID and Face Comparison

If you aren’t offered or have failed the other options, you’ll have to verify your age by submitting a copy of your ID and matching photo of your face. You’ll be sent to Incode, a third-party verification service. In a disappointing failure to meet the industry standard, Incode itself doesn’t automatically delete the data you give it once the process is complete, but TikTok does claim to “start the process to delete the information you submitted,” which should include telling Incode to delete your data once the process is done. If you want to be sure, you can ask Incode to delete that data yourself. Incode tells TikTok that you met the age threshold without providing your exact date of birth, but then TikTok wants to know the exact date anyway, so it’ll ask for your date of birth even after your age has been verified.

TikTok itself might not see your actual ID depending on its implementation choices, but Incode will. Your ID contains sensitive information such as your full legal name and home address. Using this option not only runs the (hopefully small, but never nonexistent) risk of that data getting accidentally leaked through errors or hacking. If you don’t want TikTok or Incode to know your name, what you look like, and where you live—or if you don’t want to rely on both TikTok and Incode to keep to their deletion promises—then this option may not be right for you.

Everywhere Else

We’ve covered the major providers here, but age verification is unfortunately being required of many other services that you might use as well. While the providers and processes may vary, the same general principles will apply. If you’re trying to choose what information to provide to continue to use a service, consider the “follow the data” questions mentioned above, and try to find out how the company will store and process the data you give it. The less sensitive information, the fewer people have access to it, and the more quickly it will be deleted, the better. You may even come to recognize popular names in the age verification industry: Spotify and OnlyFans use Yoti (just like Meta and Tiktok), Quora and Discord use k-ID, and so on. 

Unfortunately, it should be clear by now that none of the age verification options are perfect in terms of protecting information, providing access to everyone, and safely handling sensitive data. That’s just one of the reasons that EFF is against age-gating mandates, and is working to stop and overturn them across the United States and around the world.

Republished from the EFF’s Deeplinks blog.

Filed Under: age gating, age verification, credit cards, face scans, id, privacy

Companies: facebook, google, instagram, meta, tiktok, whatsapp, youtube

Samsung sent out invites Tuesday to its next Galaxy Unpacked event, scheduled for February 25 in San Francisco, where the company is expected to launch its Galaxy 26 series of smartphones.

AI features will be at the forefront again, as the company said the upcoming phones are “built to simplify everyday interactions, inspire confidence and make Galaxy AI feel seamlessly integrated from the moment it’s in hand.”

A standout feature the company has teased is a privacy display expected to debut on the Galaxy S26 Ultra.This feature will allow users to hide certain areas of the phone’s screen from onlookers to protect sensitive information. For instance, users will be able to hide the notification area from prying eyes.

Reports suggest that the top phone in the lineup will run Qualcomm’s latest Snapdragon Elite Gen 5 processor in the U.S. and China. Samsung will likely opt for its own Exynos 2600 processor in other regions. The distinction matters, but increasingly less so. Snapdragon processors have historically outperformed Samsung’s Exynos chips in benchmarks and thermal efficiency, but the performance gap has been narrowing.

According to a report from the tech site SamMobile, the S26 will also have a 5,100 mAh (milliamp-hour, a standard unit of battery capacity) battery and will support 60W wired charging along and 25W wireless charging.

In addition to phones, Samsung is likely to release updated Galaxy Buds 4 wireless earbuds. The company plans to update the design from the previous generation, which drew widespread comparisons to Apple’s AirPods.

The event will begin at 10 AM PT/ 1 PM ET/ 7 PM CET, and will be streamed live on Samsung’s website and its YouTube channel.

Samsung is offering a $30 promotional credit to anyone who pre-registers interest it its upcoming devices. Pre-registering is merely an expression of interest; consumers will still get the credit as a discount toward other Samsung products even if they don’t end up buying the new devices. If you pre-register and then pre-order one of the devices, the company will increase that to a $150 credit — no trade-in required.