Kidding - abuse of age‑verification, attestation, and content‑filtering processes (such as malicious postings and file uploads).

  • It is an attack vector that disrupts services, deanonymizes contributors, coerces maintainers, and erodes the public open internet.
  • It exploits age-verification, attestation, and content-filter systems to shape who gains access, who is visible, and who can participate. This attack vector is used alongside mandatory age checks and centralized market control.

Seriously, this topic is impacting technology at all levels, which means it is also ripe for abuse, even right now. I’d like to name the malicious use of Age Verification for market control and censorship, so it can be discussed as an attack. Think of it in relation to Swatting, because both weaponize institutional responses:

  • Swatting is an immediate physical‑safety attack.
  • Kidding is scalable, automatable, creates persistent attestation/data trails, and produces long‑term structural harms through censorship and market control. It is usable against users, administrators, service providers, companies, project repositories, public websites, federation, self-hosting, solo operators, decentralization, anonymization, the RSS standard, public forums and wikis, volunteer groups, collaboration, open source, FOSS, and completely sidesteps copyleft licensing.

Example Attacks

  • False complaints: mass “underage” reports to a package registry cause automatic delisting.

  • Verification flooding: scripted bogus attestations swamp a small forum’s moderation queue, forcing signups off.

  • Malicious uploads/posts: attackers upload age‑restricted or borderline files to trigger automated quarantine or account suspension.

  • Mirror takedown: a host suspends a maintainer account after complaints, removing the primary mirror.

  • Deanonymization leak: an attestation vendor is breached or subpoenaed, revealing mappings from pseudonymous maintainers to real‑world identities.

  • Self-hosters and small projects cannot afford legal defense, nor can they hold themselves to the same standards as the corporate entities defining these laws.

  • License rights don’t compel third‑party registries/hosts to serve content; providers can suspend access pending review.

  • Procedural takedowns and vendor risk‑avoidance create de‑facto censorship long before any legal victory.

  • Deanonymization from attestation chains exposes maintainers, whom the AGPL can’t protect. Volunteer maintainers are vulnerable to economic and social coercion; legal defense is slow and costly.

  • Friction between AGPL project parent companies and community contributors maintaining their projects will only increase hostility, especially through forking.

  • OAuth/OIDC centralization and corporate-level attack mechanics

    • Consolidation: dominant identity/attestation providers expand OAuth/OIDC with age/verified claims, concentrating power.
    • Abusable levers: selective attestation revocation, targeted rate‑limits/QoS, policy‑driven claim filtering, API/price changes.
    • Corporate abuse: throttling or denying attestations to rivals, using attestation logs for profiling/coercion, or forcing proprietary integrations.

My hope is this spurs honest conversation! This is a real problem, which comes with age verification being difficult to define and free and open source projects being unable to respond to it, or even be recognized.
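For the "False complaints" and "Verification flooding" items under Example Attacks, a registry-side triage check that refuses to act on raw complaint volume, as an added example that is not part of the original post. The report fields, thresholds, and decision names are assumptions chosen for illustration, and the sample reports are constructed.

```python
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune against real moderation data.
BURST_WINDOW = timedelta(minutes=10)   # window used to spot scripted bursts
MIN_ACCOUNT_AGE = timedelta(days=30)   # reporter account age to count as established
MIN_ESTABLISHED = 3                    # established reporters needed for review
FLOOD_SIZE = 5                         # fresh-account reports in one window = flood

def largest_burst(times, window=BURST_WINDOW):
    """Largest number of timestamps that fall inside any sliding window."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def triage(reports):
    """Decide how to handle complaints against one package. Never auto-delists."""
    # One vote per account: keep only each reporter's earliest complaint.
    first = {}
    for r in sorted(reports, key=lambda r: r["filed_at"]):
        first.setdefault(r["reporter"], r)
    established, fresh = [], []
    for r in first.values():
        age = r["filed_at"] - r["account_created"]
        (established if age >= MIN_ACCOUNT_AGE else fresh).append(r)
    if len(established) >= MIN_ESTABLISHED:
        return "human_review"            # a person looks; package stays listed
    if largest_burst([r["filed_at"] for r in fresh]) >= FLOOD_SIZE:
        return "hold_suspected_flood"    # treat the reports as the incident
    return "no_action"

# Constructed sample data.
T0 = datetime(2025, 1, 1, 12, 0)

def make_report(name, account_age_days, minute):
    return {"reporter": name,
            "account_created": T0 - timedelta(days=account_age_days),
            "filed_at": T0 + timedelta(minutes=minute)}

FLOOD = [make_report(f"new{i}", 1, i % 8) for i in range(40)]       # 40 day-old accounts
ORGANIC = [make_report(f"user{i}", 400, i * 90) for i in range(4)]  # 4 old accounts, spread out
REPEAT = [make_report("new0", 1, i % 8) for i in range(40)]         # one account, 40 reports

if __name__ == "__main__":
    for name, batch in [("flood", FLOOD), ("organic", ORGANIC), ("repeat", REPEAT)]:
        print(name, triage(batch))
```

Every outcome leaves the package listed until a person decides, so report volume alone cannot remove it.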