Joseph
Hello and welcome to the 404 Media podcast where we bring you unparalleled access to hidden worlds, both online and IRL. 404 Media is a journalist-founded company and needs your support. To subscribe, go to 404media.co. As well as bonus content every single week, subscribers also get access to additional episodes where we respond to their best comments. Gain access to that content at 404media.co. I'm your host, Joseph, and with me are 404 Media co-founders Sam Cole,
Sam Cole
Yep.
Joseph
Emmanuel Mayberg, Dave and Jason Kebler.
Jason Kebler
Hello. Hello.
Joseph
Okay, final reminder, last chance, literally, because if you're a subscriber, you get this early. I think you get this on Tuesdays. If you're a free listener, you get this the day after. That's another benefit of subscribing. You actually get it earlier than everybody else. July 30, Wednesday, 6pm at Rip Space in Los Angeles. We are having a live event. It's going to be me, Sam, Jason, and then we're also going to be joined, I believe, by Dexter Thomas. Right. Jason, do you just want to explain what we're going to be talking about and so what we're doing briefly?
Emmanuel Mayberg
Yeah. So we're going to be talking about our reporting on the technology that powers ICE. We felt that was appropriate to do in Los Angeles because a lot of this technology is being deployed in LA. And so our friend Dexter Thomas, who used to work with us at Vice and now has a podcast called Kill Switch, but also is an independent journalist like us, will be with us and talking about his reporting on the ground because he went to a lot of the protests and filmed at a lot of the protests in LA. So we're gonna do that for like an hour-ish. And then the rest is gonna be a party with the DJ and beer and wine and just hanging out. Should be fun. Should be a good time. So if you're on the fence, please come. It will be fun. You can find tickets at bit ly404rip space or on our website. And if, again, if you're a subscriber, you get free tickets. So on our website, there's a code. Just scroll back to where we posted about the event. You can find the code.
Joseph
Yes. All right, that all sounds good. Looking forward to seeing everybody there. Let's get straight into this week's stories. The first one, Emmanuel's, the first byline, and I helped out on it as well. But Emmanuel, the headline is "Women dating service app Tea breached, users' IDs posted to 4chan." I guess, first of all, Emmanuel, how did you get this tip? This was on Friday, I believe, and it was pretty fast moving. Can you walk us through when and how you got that tip and what happened next?
Jason Kebler
Yeah, sorry, I have to correct you. You call it a dating service app. I think it's a dating safety app, which is an important distinction. It's like an app where women are invited to, they thought, safely exchange information about men that they want to date or are dating. And the way this happens, I believe this was Friday morning and I just get a call on my phone and I can see that it's to my Google Voice number, which is kind of the number that I've shared previously for people who want to send us tips. And I don't always pick that up, but I picked it up for whatever reason that morning. And it was like a Good Samaritan, I would say, somebody who is, his day job is like, IT-adjacent. And he sounded pretty frazzled and panicked. And he was like, hey, there's something going on with 4chan. You have to see it. I'm sending you some links. And I was like, I couldn't really understand. But then I went to 4chan, and by the time I got there, it was obvious that this app called Tea had a major breach, that people could get users' images, which the app asks people to upload, selfies or previously photos of their ID, in order to prove that they're women. Because it's an app for women. And people could get their hands on thousands and thousands of those images, some messages and some other data. And we can get into all of that. And not only was it clear that it was available, people were already making it available off their app. So it's like when I got there, people, like anybody could go there, can get into the cloud computing. It was a Google service that the app used to deploy the app. People, people could like write through that, but people.
Joseph
Because it was exposed.
Jason Kebler
It was fully exposed. Yeah, but people were already like archiving it and using the images and mocking these women. It was like the vibe was like, oh my God, this is really bad. And it's already like way too late. It's like, as you know, Joe, it's like you can discover a hack at several stages. You know, it's like it could be a researcher and they disclose it responsibly and then the company closes it. Or you can find it as a journalist because of a tip and then you tell the company. Or it could be like a little known vulnerability or one that only certain hackers are exploiting. This was like open season. Everybody was in there and kind of gleefully taking advantage of it and making fun of the users.
Joseph
Yeah, I mean, one of the quotes maybe from the original poster, I believe. Yeah, I think it was them. I mean, their direct quote was in all caps saying driver's licenses and face pics. Get the F in here before they shut it down. It was, as you say, open season. And it wasn't just a quietly posted link. It was people explaining to one another, hey, here's a script to rifle through the metadata of the files. It's just a series of attachments and that sort of thing. And then people were using scripts to download those images in bulk and then making them available. And of course I ended up downloading some of these, or I think all of them. I downloaded the entire dump once it was made available so I could verify. And I mean, it's a lot of data, it's a lot of images. And Tea later confirmed it was tens of thousands of people's selfies and their identity documents. Just to back up a little bit, Emmanuel explained what the app is, but Sam, you've covered these "Are we dating the same man?" Facebook groups. And this essentially is the appified version of this. Or it came from this. Is that fair? And can you tell us sort of what those groups are a little bit more broadly? Because it's kind of the same thing, right?
Sam Cole
Yeah. I mean, I didn't get to use Tea before it went down, so I don't know exactly what, like, if it's exactly one to one the same thing, but it's the same idea. It's definitely like, so the "Are we dating the same guy" groups, women would post a picture of a guy usually, or maybe a description of a guy, but usually a picture and say, hey, I'm going on a date, for example. I'm going on a date with this guy tonight. Does anybody have any red flags? And it's like red flags are like the code for don't go, or like, we have information for you. On Facebook, this was happening with full names, obviously people attached to it, so more risky. But the groups were closed, so ideally you wouldn't be able to get in if you were a bad actor. But yeah, it's like a vetting thing where, like, you know, you could say, oh, yeah, this. This guy I've been on four dates with. Does anybody else know him? And someone's like, that's my husband. You know, it's like, that's an extreme case. But, like, that does happen plenty. And that's the idea with the "are we dating the same guy" ones. And then men get super, super pissed about the existence of those groups themselves and just are enraged that they're on them. And then obviously, I think a lot of that rage is what we saw happen with the Tea hack.
Joseph
Yeah. I mean, can you just briefly elaborate on that? And I know I'm not really asking you to put yourself in the mind of a 4chan user necessarily, but you see, I mean, it's an obvious question, but I'm going to ask it anyway. You see a correlation there between some men getting really, really angry when, say, their face is posted into one of these Facebook groups and 4chan users rifling through this database. Is that sort of like one and the same thing, almost? Obviously one's a lot more extreme than the other ones. But is it sort of the same sort of behavior? What do you think?
Sam Cole
Yeah, and I don't. I mean, it's. It's just different. It's not really more extreme. I mean, it's. What's extreme is, like, guys suing these groups and like, the administrators of these groups on Facebook and saying, you know, I'm suing you for libel or whatever, like defamation of which they've done my image which they've done. Which is obviously a pretty serious reaction to having your picture put on Facebook by someone else. But, yeah, I mean, it's. We saw it, like, with Tea in general. People were like, Tea went a little bit viral earlier in the week, last week, and people were talking about it even though it's been around for a while. And then a lot of people were, like, posting, like, these, like, satire or like, maybe they were real, I don't know, like, fake apps that were like, like, the flip side, like, really being, like, really derogatory toward women and like, saying, like, we're going to put, you know, your faces in here. And after the Tea hack, we saw, like, Tea Spill, which is like a hot or not game based on the hack images. It's just. It's all, like, proving the point a little bit. It's. Yeah, like, you know, women were warning each other about you, and this is your response to be, you know, horrible back at them. It's just like that's. It's kind of like, okay, no wonder. But that was. I do feel like it's. It's all kind of connected and it's all coming from, like, this online dating world of, like, you know, guys are dangerous to go on dates with. Very often women are, you know, the victims of violence on online dates quite often. So it's understandable that this exists. But the hack is definitely, I feel, kind of a response to that.
Joseph
Yeah. And that website you mentioned, it was somebody had taken those exposed tens of thousands of images, and you're shown two images, I think, and you have to select one based on their perceived attractiveness, as you sort of hinted at, almost like the very early Facebook site from Zuckerberg, and that's got tens of thousands of rankings or something like that. So already the information is being abused in various ways. So that all happens. There's the media firestorm. We reveal and first report this data exposure. Then it gets worse. And the headline of this one is "A second Tea breach reveals users' DMs about abortions and cheating." Jason, it was actually you that got this tip. How did that come about?
Emmanuel Mayberg
Yeah, so a researcher who we had done a story with back at Motherboard, like, all the way back in 2016, reached back out to me and was like, it's not just this initial hack or this initial, like, exposed database. The actual, like, main database of Tea was exposed as well, which included, you know, like, presumably or seemingly all of the DMs, including things like usernames, you know, it was searchable to some extent. So they were able to show us there was like women talking about abortions that they had sought or that they had had, talking about, you know, cheating situations, like really intense situations that they had with their partners. Like, it was very, very, very sensitive information. And so, you know, since you and Emmanuel had been reporting on this for a while, I passed it off to you to actually do the reporting and confirm the story because you were already very deep in it. But basically this person is really good at decompiling information and sort of found that there was an exposed database, like a further exposed database that made the hack, like way worse than we initially thought.
Joseph
Yeah. Whereas the first one was a Firebase instance. Again, as Emmanuel was talking about, Firebase is this, like, app development platform by Google. And it seems that you didn't need any sort of real authentication to go in and get those selfies and ID photos, that sort of thing. The way it was described to us by this researcher for this second data exposure was that any user's API key, you make an account with your username and password or whatever and you're given an API key. That's just how apps generally work. Right. The way it was described was that any user's API key could query the entire database. So basically you had almost like admin level access, even though you're a random person who just downloaded the app. And that's not good. Obviously that's really, really not ideal when anybody can access all of that sort of information. So the researcher sent us over all these screenshots and they were very interesting. But we need the data, you know, to verify what is going on here. Of their own accord, they had already downloaded this information, sent it over to us and kind of selfishly, I very much enjoy these reporting puzzles of we have this data and we have to figure out and verify and prove it came from a certain service. For the first one with the driver license photos, I downloaded the APK, I decompiled the Android app and I found that, oh yeah, that exposed database in there, the same URL is in the app. So that was pretty good verification. For this one, with the more than 1 million messages, we went through. Did get some phone numbers, texted some alleged users in there. One eventually got back to me and confirmed, yes, I am a user of Tea. But that was actually after we published. How we verified this one was that we took the usernames from the million messages, not all of them, just a random snapshot.
And then I tried to make accounts on Tea with those usernames and in every single case that was not possible because that username was already in use, indicating that, yes, these million messages have come actually from the Tea app. So whenever we get data like that and whenever we can verify it like that, I'm always supremely confident in the veracity of what we've got. Jason touched on this, but Emmanuel, you also went through some of the messages and we didn't quote really any directly. Can you just explain a little bit more about why we didn't do that and maybe just a bit more on the sensitivity of these messages that you saw when you were scrolling through?
Jason Kebler
So we didn't quote anything because it is possible to word search the data that we got. And I was trying to explain this to my wife because I was talking to her while we were reporting the story, and she was like, who hacked into Tea? And that's an understandable question. And I guess the answer is like, nominally, I don't know, some bad people who have 4chan accounts. But that is not the question. Or like, that is not the problem. It's not that somebody. The story is not that somebody broke into Tea. It's that, I don't know, if Tea was a bank, they just like, left the vault door wide open. And that's the real. That's the real offense here. And because of that, we don't know who else got their hands on this information. And we don't want to give specifics because we don't want to make that stuff easy to find. And we don't want to have that stuff easy to find because my poking around the messages, it took me like two minutes to identify someone because people are DMing each other. Like, that's the kind of conversation that's in the data. And they're being very real. And they're sharing real names and phone numbers and social media handles. So somebody is talking about the person they're dating being someone else's husband and them cheating. And some people were talking about abortions, and it just, it was incredibly easy to find those people in the real world, just given the context of the conversation.
Joseph
Yeah, so we do that. I contact Tea for comment about the exposed direct messages on Saturday. I tell them explicitly, hey, this researcher has found this, also found apparently the ability to send push notifications to more than a million people, which is kind of crazy. That's like, we don't even. We barely even mention that. But that's also wild. And I contact Tea, as I said, on Saturday. They don't comment specifically. Just like, we're continuing to investigate and we're not going to share more information at this time. We then publish on Monday. And then very soon after they make a post on Instagram saying, oh, we've just learned actually the direct messages were exposed. We're turning off DMs now. And then sent that statement to CBS News or various other people as well. To be clear, they did know since at least Saturday. And also to clarify, the researcher said their access to that database was cut off sometime late last week. If the access was still live, at least to our understanding, you know, we may not have published at that time. We don't just find a vulnerability or get told about a vulnerability and then go, okay, cool, and then just publish an article because that's going to potentially actually lead to more data exposure. To the best of our knowledge, it was closed. And I think Tea just turned off DMs as an extra precaution as well. Very briefly, just last thing, Emmanuel, just before we were recording, I think we just published about a class action lawsuit. Do you just want to mention what that is briefly? I feel like that just happens now. Right? That's just normal.
Jason Kebler
Yeah. Unsurprising, I think. But a law firm that specializes in data breaches has reached out and told us that they filed a class action against Tea. And, yeah, I think that doesn't guarantee that that will go anywhere or that they'll be successful. But I'm not at all surprised that the complaint has been filed. They're expecting other complaints to be filed and they hope to kind of take the lead on that and have all those other lawsuits join them in the class action.
Joseph
Yeah, very, very standard. All right, we'll leave that there. I'm sure we'll continue to cover Tea, even though, no, none of us had heard of this app until last week. It's a really significant data breach. So we'll definitely be following that. We'll leave that there and we'll be right back after this to talk about. I mean, it's complicated. You're just going to see. Okay, we'll be right back after this.
Joseph
All right, and we're back. Honestly. Okay, I'm going to read out the first headline, then I'm going to go to Sam and ask her about the UK age verification law. And then I think Emmanuel has some sort of weird diagram that he's going to describe or something and maybe we'll upload it on the show notes or something. But okay, so the headline is "UK users need to post selfie or photo ID to view Reddit's r/IsraelCrimes, r/UkraineWarFootage." This is about the UK's new age verification law and some unintended but maybe foreseen consequences of that. Sam, what is this law that just passed in the UK about age verification?
Sam Cole
Yeah, so this passed, or it went into effect last week, which is why we're talking about it and everyone's talking about it this week and last week. It's called the Online Safety Act. It's really similar to a lot of the HR laws that we've talked about on this podcast a thousand times and written about quite a bit in the US. Basically it's like a protect the children type law. It requires. So it does a lot, it does a handful of things including like, like adjusting algorithms so that kids can't see, you know, things organically in their feed that would be harmful or like considered harmful and a bunch of different like regulation requirements for platforms. But the big one is that it's requiring platforms to, to get, to keep operating in the UK, they have to implement age verification to check whether users are 18 and over. So far we've seen that mostly look like selfies or IDs, which is very coincidental I guess, considering what we just talked about, that all these platforms will be holding IDs or, you know, I think in most cases third parties will be handling the verification. So on Reddit it's like something called Persona, I think. Um, and there are, there are a bunch of different third party agency platforms that will do this. But like at the end of the day you're going to have to show, and you currently, if you're in the UK and not using a VPN, you have to show that you're 18 using like a valid driver's license or some kind of like government issued ID or like biometric data. So it would like scan your face and determine whether or not you're 18 or use these things in conjunction with one another. And not complying is like an $18 million fine or something. It's huge to not comply with this. It's not a risk that platforms are going to take. So already we're seeing lots of different subreddits, which we'll get into, going behind an age verification wall. Porn sites that want to comply with the law are doing it this way.
Just certain Discord communities are requiring age verification. I think Xbox just announced today that they're gonna start doing this too. It's just like the guy. Yeah, the gamers. Yeah, yeah. Which actually is, I would assume probably quite a bit of harmful content.
Joseph
Roblox and Minecraft, not the best places all the time.
Sam Cole
Yeah, exactly. So yeah, that's in a nutshell what it is. And obviously it has these like massive repercussions that. Sure, we'll get into.
Joseph
Yeah. So it's mostly, I mean in my eyes it's mostly about porn. It's mostly about online pornography sites like Pornhub, that sort of thing. But then as Emmanuel's story gets into, it is impacting all these other websites. Emmanuel, how do you want to do this? Do you want to talk about this Reddit one first, then get into the payment processors? Is that what you want to do?
Jason Kebler
Here's what we'll do.
Joseph
Good. Because I don't know.
Jason Kebler
Yeah, no, I don't either.
Joseph
It's really, it's really complicated.
Jason Kebler
I asked. I don't usually like feel very strongly about like what we talk about in the podcast, but I really wanted to talk about this because I don't know, I wanted everyone to check in and I want to see how, how everyone else is thinking about this. I find this to be one of the most complicated subjects that we cover and I kind of switch how I feel all the time and like, surprise, surprise. Censorship and platform governance is like a very complicated subject. We all know that. But it is changing and evolving now in a way that we talked about for years, but is now actually happening. And it's just a mess. It's a huge mess. So Sam, I don't know if you saw in the podcast room, I just like posted this word cloud of like all the different entities that are involved in this. So.
Sam Cole
Well, I guess I'll back up like white wall craziness happening right now.
Jason Kebler
It's like to back up, there's like, just to like run through a few things that have happened in the past like month. So we talked about Civitai, this AI model sharing platform that was used to create non-consensual pornography. They got pressured by credit card companies to change their policy in a way that completely changed the nature of the platform and remove a bunch of those models that we found were really harmful. Then a few weeks later, Steam, which is like the default way of buying PC games online, they changed their policy, they said explicitly to come in line with what credit companies want, and removed a bunch of sex games on Steam. Steam, in case you didn't know, for years has allowed sexually themed games. And there's been a lot of spam and low quality games flooding the platform every day since. They've done that. And they didn't remove all of it, but they removed a bunch of incest related games and very violent, very graphic games. And that happened. And then I think later that week or the week after, itch.io, which is this huge platform mainly for independent game developers and students to share their work because it's easier to upload your games there and you can also be more flexible about how you charge for the game. So you can charge nothing. You can decide what the split is between your game and what itch.io makes as a platform. And they just like took this really radical action probably because the credit card companies were threatening to shut them down any minute and just like de-indexed all their not safe for work games, all their sex games, made a few of them unavailable in a way that people found really shocking. Like if you're in this indie dev game community, a lot of your favorite games, award winning games fall under those not safe for work categories and they were like disappeared from the platform and that really rocked people. And now that this law came into effect, right.
Reddit is also forced to use age verification because of this law in the UK, and as you said, Joe, mostly people think of it in terms of pornography and not letting kids access that type of content. And the way they do it is, it's like because of this law, it's Reddit's responsibility as a platform to verify that every user who accesses that type of content is an adult. And in order to do that, they have like an age check, which much like the other story we just talked about, you upload a picture of yourself or a picture of your ID and this company called Persona verifies that you're of age. But it doesn't only do that for subreddits with sexual content, but like anything that is mature, which can be any subreddit that is about the news, but in a very graphic and like immediate way. So as you said, Israel Crimes, which is a community that mostly focuses on, you know, war crimes that Israel is committing in Gaza, that has an age check. And that subreddit is filled with like very graphic horrible content and like movie videos and, and images of real people dying. But it also has like normal discussion about the politics of this and why it's wrong and people organizing and just like sharing their opinions about why they think this is wrong. And also like normal news articles. Right. It's just a community that has this perspective that is willing to show that type of content that now in order to see it in the UK, you have to jump through all these hoops and potentially jeopardize your privacy in order to participate. That's kind of like a few things that have happened recently. And as you can see, I oscillate between. We're in the media, our company is very focused on getting impact.
So when we expose that Civitai is enabling this really bad behavior and credit card companies respond by saying, hey, you have to change your policies or we're going to not work with you in a way that will completely end your business, I would consider that like a positive impact or like a good result. But when the same exact mechanism is used to nuke, you know, thousands of games that are people's personal art and expression of who they are, and you know, things that I enjoy that don't intend or I think you could even reasonably argue cause harm to anyone. Right. Those are nuked by the exact same mechanism and sometimes by the same interest groups. I think that is awful. And it's just like all these platforms are forced to make all these decisions right now. And I think some of them are probably positive. A lot of them are horrible. And it just like, it's just a very complicated landscape.
Emmanuel Mayberg
I think it's a very complicated landscape. But I think that the, this like legislation in the UK and the age verification laws that we've seen in states in the United States about porn are pretty like definitively censorship and are not the type of intervention that you want to see from the government. I think Sam has written a lot about this. We've all touched it in some way. I think Mike Masnick at Techdirt has done really good work on this. But it's like using a hammer to fix something that you would prefer a finer tooth comb, to mix my metaphors there. But it's just like it's a super messy thing and it fundamentally undermines the idea of having a free and open Internet. And then as you said, you have like payment processor and credit card companies putting pressure and stress on the entire situation. And you also have a lot of these like anti-porn nonprofit type vibes that are putting pressure on the credit card companies that are, that are lobbying for a lot of these laws. And especially like in the US in some of these states, these states are like pretty captured by one political party and therefore it's like, it's pretty easy to push through some of these laws. And it's like you have states that are essentially adding this censorship layer to the entire Internet without like understanding what they're doing. And then, or maybe they do understand what they're doing, but they don't care. And then on top of it, it's like you have tons of like VPN companies that's like VPN downloads in the UK are through the roof. So people like do find ways around this. But it's very similar to what you'd expect from like authoritarian regimes. It is very similar to like I went to Indonesia last year and there were many, many, many websites that I could not access without a VPN. And it, it was, there was almost like no rhyme or reason to which websites were and which were not. And it's like, I believe it was an anti-porn law. But Reddit was blocked, 404 Media was blocked.
Like random things are blocked. And it was very hard to tell what was blocked and for what reasons. And then we haven't talked about this yet, but it's like the sites that are complying with this are adding a layer, like an ID verification layer that, you know, Sam has written about, I've written about. There's like a bunch of different companies that are offering these services where you have to upload your ID to access these different websites. And it's like there's a variety of different ways that this is being implemented. And so like, many of the services that are offering age verification services say that they are deleting your IDs after like a certain amount of time, or they say that they're encrypted or they say that they, they maybe delete them immediately after verifying who you are and your age and that sort of thing. But it's like, we don't know, like there's so many different services that do this and different websites are picking which services they're going to use. And it's like we just spent a half hour talking about Tea and people's IDs being leaked on the Internet. And it's very easy to imagine a future where one of these ID verification companies gets hacked or where their security isn't perfect and, and you know, pretty sensitive data like ends up on the Internet. So I, I think that the problem that they're trying to solve is a very difficult one. And one of the reasons that it's gone unsolved for so long is because the like, quote unquote, solutions to it are often worse than the problem itself, or, like, create more complicated situations that undermine the idea of, like, having a free Internet.
Jason Kebler
I think, first of all, Persona, which does this for Reddit, says they keep your images for seven days, which I guess is better than keeping them forever. But it's not as if nothing can happen to that data in seven days, and it presumably could be millions of images. So another way in which, like, I think this is very complicated is I wrote this story about Reddit and I was like, hey, I don't think. I don't even vouch for these subreddits, and I don't think that they are necessarily, like, the most productive places in the world or anything. Or at least I can't say that they are. It just like, it did not seem positive or good to me that now in order to see that stuff, whether you're a minor or an adult, you have to show your face to Reddit or show your ID to Reddit. That seems like a hurdle that overall has the effect of making the news more cleaned up than it is in reality. And people were responding to me on Bluesky being like, what do you think? You think kids have to watch other dead kids? And it's like, obviously, no, obviously, I don't think you have to force kids to watch, like, Frontline footage from the war in Ukraine. That's crazy. And I'm not saying that in the article, but that stuff is going to be harder for anyone else to see. And sometimes that is the stuff that radicalizes people or makes them change their position, or that historically, how Americans felt about Vietnam, how Americans felt about the Iraq War, how Americans felt about the Holocaust, a lot of that had to do with what kind of images were in their heads. And policymakers in the UK just decided for their citizens that that stuff is gonna be harder for them to access. I don't know how you police that. I don't know how Reddit should manage that, but it seems clear to me that while the problem is real, this kind of policy is not the solution. As Jason, we're trying to solve a problem with the wrong tools. Also, sorry, I wanted to. The whole thing reminds me of our journey with Trafficking Hub and Exodus Cry. Sam, I don't know if you wanted to talk about that. Where it's like, we were reporting about Pornhub for so long that I think they and organizations like Encoves thought that we were like allies or that we had the same interests. But then our reporting shifted from reporting on Pornhub to reporting on, on those organizations. Did you want to talk about like.
Joseph
Well maybe who, maybe who those organizations are Because I don't think everybody which.
Jason Kebler
Are involved in the Steam by the way, it's like Exodus Cry is like behind some of the activism that led to Steam and Itch.io to change their policies.
Sam Cole
Yeah, yeah. I mean these are religiously affiliated current or past conservative I would say groups that hold up anti trafficking as their like mission. But and that's how they get non profit status is they want to you know, save trafficking victims. But the problem is they define trafficking as porn. All porn, all sex work. Anyone in the adult industry is like a victim of self trafficking. And they're the ones behind a ton of this pressure that gets put on payment processors. They're the ones behind a lot of the pressure that gets put on politicians which the pressure needed there is like a pinky finger push. It's like all you have to do is slide a bill in front of a Republican politician and that says save the children and they'll sign it immediately. Not read it. That's something that we know for a fact. A lot of these bills don't get read before they're voted on. So yeah, they're the ones that kind of are a big force for a lot of the changes that you see. And now at this point it's like the administration is like welcoming this type of rhetoric in very actively in the US I guess in the UK too. I don't know a ton of other UK politics but it's a very much one to one comparison there. What happens there and what happens here are kind of in tandem. So if you consider all that as being like this is like extremely well funded lobbying groups whose full time job is to moralize what we do on the Internet. I don't know if like, I don't, I don't particularly know if like the CEO of MasterCard like really gives that much of a fuck but like the lobbying groups do and they have a lot of money and a lot of pressure and people behind these campaigns. I think like the, I guess it's funny that everybody's talking about this right now because it's something that sex workers have been talking about for seven years to, to 30. If you take the long range. I think the way you know that this isn't necessarily like we talk about unintended consequences. 
It's like, I don't know, it's like whether they intended these consequences or not, I think is aside from the point, I think we know that the actual meaning and purpose of a lot of these bills is not necessarily to protect kids because we know for a fact it doesn't work. There's such studies for this. There's research behind this. It doesn't work. We see it happen every time. People just do VPNs. People go to worse and worse, more dangerous sites. What we know works, governments refuse to actually put any power behind. It's like, we know that device based age, like parental controls and verification works. We know that kids probably shouldn't be handed an iPhone completely without restrictions at age three or whatever. Um, that's probably a recipe for disaster. And yet we do it every day. We know that like sex education and like age appropriate discussions about consent works as far as media literacy and also just like understanding what you're consuming on the Internet, what you're seeing. But there's no push for any of that in any level of government. It's just these conversations about platform regulation, which I've always thought is the wrong way to go about it. Platforms are motivated by profit and engagement. That's not their duty to parent your kids. But now the government's involved and now they're gonna crack down on content that like legal adults should be allowed to access without a problem. But because there are a lot of kids in these countries without any supervision online, this is what we have to deal with, which I think sucks. I think the stuff going on with Steam and Itch and that you have to show your ID to be on Bluesky in the UK is probably not good.
Emmanuel Mayberg
Yeah, I think to expand on that a little bit, it's like how these things play out in practice is as Sam said, it's like if you are in a state that has an age verification law right now, it's like Pornhub is blocked because Pornhub has decided to block itself rather than comply with these laws. And so you can't access Pornhub in a lot of states in the US and so people in these states either use a VPN or they use other websites that simply don't comply with the age verification law. And like, a lot of those sites are based in places that have like very poor laws around things like copyright. Like, a lot of it ends up being like pirated content, like quasi legal content, like, who knows what's going on. And we know that this is happening because, like, if you look like I've seen conversations on Reddit on other places, like, hey, can you share this without a Pornhub link for those of us in Texas, like, can you? Can you give us a link to X videos or like a different website that you know is not complying with the law. And so that's going to happen in the UK if it hasn't happened already. And then even, even in places that have like really authoritarian governments, like China, China has a lot or had a lot. I don't know the current state of it and like the specifics here might be slightly wrong, but basically they were trying to limit how much children were gaming. And so I think they had like a one hour a week gaming limit for kids. And what ended up happening was kids were taking their grandparents' IDs and they were just using them to log into, you know, the game server or whatever. And so you had these like 80, 90 year old people playing like dozens of hours a week of different video games. It's like that is probably going to happen. It kind of rocks. It's like people are going to find ways around it, first of all.
Second of all, you know, this is sort of, I just want to stress again, it's like, it's not just blocking like, like distasteful, violent, whatever, like news because the world is a bad place and there's bad news, but it's also blocking like consensual porn that adults want to access. And like there are reasons why an adult who wants to look at porn, like might not want to upload their ID to tell a random company so that random company can tell Reddit or Pornhub or whatever that this person is an adult. Like there are many, many, many people who just like don't want to do that. And it's a similar problem to the ones with like Facebook's real name policy and things like this, where it's just like anonymity is important on the Internet. It's been important on the Internet since the beginning of the Internet. And we are like kind of just throwing that away for like, like because people have gotten better at lobbying essentially.
Jason Kebler
I think to crystallize what makes me feel like yucky about the whole situation is like our journey.
Emmanuel Mayberg
It's just as a dad, comma, as a father.
Jason Kebler
No, not even close.
Emmanuel Mayberg
Okay.
Jason Kebler
We spent so long reporting on how bad Pornhub is. And at some point around 2020, I guess a bunch of politicians and interest groups were like, you're right, Pornhub is banned. Let's ban porn. Right? And we're like, no, like that is. That wasn't the point at all. And now that we spend a bunch of time talking about like non consensual AI content on the Internet. You know, the UK is like, so let's age verify the whole Internet. Or we spend a bunch of time talking about people live streaming mass shootings on Twitch. So it's like, oh, age verify that or don't allow violent content on Facebook. It's like, no, that's not what we're saying. So it's like, it's the way that our reporting is being leveraged to justify these like puritanical, censorious politicians and interest groups. That really like rubs me the wrong way. And I guess all we can do is just like keep reporting what is actually happening. I don't know. And like we never have, but, but, but like never advocate for like these type of solutions. Like these overbearing, terrible solutions. I think a lot of the time people assume, you know, we hear this a lot about like our AI reporting. People assume that that is what you want. You know, it's like, oh, you want to like censor Twitter or you want to censor like social media? It's like, no, not at all.
Joseph
Yeah, I think that's a really, really good clarification. You're right. Okay, we will leave that there. If you're listening to the free version of the podcast, I'll now play us out. But if you are a paying 404 Media subscriber, we are going to talk about LeBron James and how he is not pregnant. As far as I know, you can subscribe and gain access to that content at 404media.co. As a reminder, 404 Media is journalist founded and supported by subscribers. If you do wish to subscribe to 404 Media and directly support our work, please go to 404media.co. You'll get unlimited access to our articles and an ad free version of this podcast. You also get to listen to the subscribers only section where we talk about a bonus story each week. This podcast is made in partnership with Kaleidoscope. Another way to support us is by leaving a five star rating and review for the podcast. That stuff does really genuinely help us out. If you could do that. This has been 404 Media. We'll see you again next week.
The 404 Media Podcast: "The Tea Breach Just Keeps Getting Worse"
Release Date: July 30, 2025
In the latest episode of The 404 Media Podcast, hosts Joseph, Sam Cole, Emmanuel Mayberg, and Jason Kebler delve into the escalating data breaches of the women’s dating safety app, Tea (referred to as "T"), and explore the ramifications of the United Kingdom’s newly enacted Online Safety Act. This comprehensive summary captures the episode's key discussions, insights, and conclusions, complete with notable quotes and timestamps for reference.
Introduction to the Breach
The episode kicks off with Emmanuel Mayberg providing an overview of Yubikeys, emphasizing their role in preventing phishing attacks and securing user accounts. However, the primary focus swiftly shifts to a significant data breach involving the women’s dating safety app, Tea.
Receiving the Tip
At [04:17], Jason Kebler recounts how the team received an urgent tip about the breach:
"[04:17] Jason Kebler: ...someone had presented a major breach of Tea, where users' images and sensitive data were being made publicly accessible on 4chan."
Details of the Breach
Jason explains that Tea, designed to allow women to safely exchange information about potential dating partners, suffered a severe security lapse:
"[06:25] Joseph: Because it was exposed."
"[06:26] Jason Kebler: It was fully exposed. ... It was like open season. Everybody was in there and kind of gleefully taking advantage of it and making fun of the users." [06:26]
The breach involved the exposure of thousands of user selfies and identity documents stored on a Google Firebase instance. Due to inadequate authentication measures, malicious actors accessed and distributed this sensitive information, exacerbating the situation by mocking and harassing the affected users.
Propagation and Abuse
Joseph highlights the rapid spread and abuse of the leaked data:
"[07:08] Joseph: ... people were explaining to one another, hey, here's a script to rifle through the metadata of the files. It's just a series of attachments and that sort of thing." [07:08]
Jason details the extent of the data exposed:
"[07:08] Jason Kebler: ... tens of thousands of people's selfies and their identity documents." [07:08]
Discovery of the Extended Breach
At [13:25], Emmanuel Mayberg introduces the second, more alarming breach involving Tea’s database:
"[13:25] Emmanuel Mayberg: ... the main database of Tea was exposed, including over a million direct messages containing highly sensitive information such as discussions about abortions and cheating."
Verification Process
Jason explains the meticulous verification steps undertaken to confirm the authenticity of the breach:
"[14:43] Joseph: ... downloaded the entire dump once it was made available so I could verify. ... tried to make accounts on Tea with those usernames and in every single case, that was not possible because that username was already in use." [14:43]
This rigorous approach ensured the credibility of their findings, revealing the depth of personal and sensitive data compromised.
Impact and Response
The breach led to severe privacy concerns, prompting Tea to limit access to direct messages:
"[19:32] Joseph: ... Tea made a post on Instagram saying, oh, we've just learned actually the direct messages were exposed. We're turning off DMs now." [19:32]
At [21:24], Jason Kebler announces the filing of a class action lawsuit against Tea:
"[21:24] Jason Kebler: ... a law firm specializing in data breaches has filed a class action against Tea." [21:24]
The lawsuit aims to hold Tea accountable for the mishandling of user data, with expectations of similar complaints joining the class action, seeking remediation for the affected users.
Overview of the Online Safety Act
Transitioning to the second major topic, at [26:51], Sam Cole outlines the UK's new Online Safety Act:
"[26:51] Sam Cole: ... the Online Safety Act requires platforms to implement age verification measures to ensure users are 18 and over, primarily targeting the protection of children from harmful content."
Implications for Online Platforms
This legislation mandates platforms like Reddit to enforce stringent age verification processes, impacting not only adult content but also mature subreddits discussing sensitive topics such as war crimes:
"[30:15] Joseph: ... the headline is UK users need to post selfie or photo ID to view Reddit's r/IsraelCrimes r/UkraineWar footage." [26:51]
Challenges and Unintended Consequences
Jason Kebler expresses concerns over the broader implications of the law:
"[30:15] Jason Kebler: ... it's one of the most complicated subjects we cover... Censorship and platform governance is a very complicated subject... it's a huge mess." [30:15]
Sam Cole elaborates on the law's impact beyond pornography, affecting platforms hosting diverse content:
"[29:32] Sam Cole: ... Reddit is implementing age verification not just for porn but for any mature content, including graphic news communities." [29:32]
Censorship and Privacy Issues
Emmanuel Mayberg critiques the legislation for undermining internet freedom and privacy:
"[36:52] Emmanuel Mayberg: ... this legislation fundamentally undermines the idea of having a free and open Internet... There’s a risk of sensitive data exposure similar to the Tea breach." [36:52]
The hosts discuss how these measures resemble authoritarian censorship, citing examples from other countries where similar laws led to excessive content restrictions and privacy invasions.
Lobbying and Political Influence
Sam Cole highlights the role of lobbying groups in pushing for such regulations:
"[44:10] Sam Cole: ... religiously affiliated conservative groups are a major force behind these regulations, often conflating all adult content with trafficking." [44:10]
These groups exert significant pressure on payment processors and legislators, leading to stringent policies that inadvertently stifle legitimate online expression and privacy.
Data Security Concerns
The discussion underscores the potential risks of centralized age verification systems, where the collection of personal IDs could lead to large-scale data breaches akin to Tea’s incident:
"[41:06] Emanuel Mayberg: ... various age verification services claim to delete IDs after verification, but the multitude of providers increases the risk of data leaks." [41:06]
Technological and Social Workarounds
The hosts anticipate that users will seek alternatives such as VPNs to bypass restrictions, mirroring past patterns observed in countries with strict internet controls:
"[49:02] Emmanuel Mayberg: ... similar to how Chinese restrictions led to grandparents logging in to play games, users will find ways around UK’s age verification." [49:02]
Broader Impact on Digital Freedom
Jason Kebler emphasizes the long-term negative effects on digital freedom and access to information:
"[53:50] Joseph: ... age verification makes accessing critical information more cumbersome and threatens the open nature of the internet." [53:50]
The episode of The 404 Media Podcast effectively highlights the intertwined issues of data security breaches and legislative overreach in online safety measures. Through detailed reporting and insightful discussions, the hosts illuminate the precarious balance between protecting vulnerable users and preserving digital freedoms. The Tea breaches serve as a stark reminder of the vulnerabilities inherent in digital platforms, while the UK's Online Safety Act exemplifies the complex consequences of governmental interventions in internet governance.
Listeners are left with a profound understanding of the challenges faced by both users and platforms in navigating the rapidly evolving landscape of digital security and online regulation.
For those interested in supporting independent journalism and accessing exclusive content, The 404 Media Podcast encourages subscriptions at 404media.co. Subscribers gain access to ad-free episodes, bonus content, and additional insights from the hosts.