Political Attacks

There’s something strangely surreal about watching two adult platforms square off against one of the most powerful regulatory bodies in Europe. It’s like seeing the quiet kid in class suddenly challenge the teacher on the grading rubric — bold, a little chaotic, and honestly pretty fascinating. That’s what played out this week in Luxembourg, where attorneys for Pornhub and Stripchat told the EU’s General Court that the European Commission misjudged them based on shaky data.

Both cases — Aylo Freesites v. Commission for Pornhub and Technius v. Commission for Stripchat — orbit around the same issue: whether these sites really belong in the Digital Services Act’s “very large online platform” category, the VLOP bucket reserved for players with at least 45 million monthly EU users. It’s a label that comes with heavy regulatory weight, not to mention a fee structure that can make a CFO sweat.

But on Friday, according to reporting from MLex, something interesting happened. Christopher Thomas, Aylo’s lawyer, basically asked the court the digital equivalent of: Why are you trusting the substitute teacher but not the person who actually runs the classroom? He questioned why the commission brushed off Pornhub’s own methodology as noncompliant with DSA rules — yet readily accepted Similarweb’s data, even though no one seemed to know “what underlying data Similarweb used, or the maths applied.”

Pornhub’s internal numbers reportedly fell below the VLOP threshold. Similarweb’s outside numbers? Above it.

A small difference in theory, a massive difference in regulatory reality.

Thomas drove the point home with a simple comparison:

“If a provider said they had purchased an estimate below 45 million, but didn’t know the data or methodology on which that was based and couldn’t explain it to the commission, it would obviously be unacceptable.”

It’s one of those arguments that’s hard to un-hear once it’s been said.

From the commission’s side, attorney Paul-John Loewenthal offered something that sounded like a quiet confession about the digital universe we all live in. He acknowledged that user counts are, at the end of the day, approximations. There is “no golden method to calculate user numbers; it’s not possible.”

And with that, the case hung in the air — unresolved, unsettled, and oddly revealing.

Stripchat’s situation wasn’t far off. Their VLOP label also came from Similarweb data, which originally pinned the site above the 45-million mark. Then came the twist: Similarweb later revised the estimate downward, dropping Stripchat below the threshold entirely.

On Thursday, Stripchat operator Technius asked the court to go back and undo the European Commission’s 2023 ruling that labeled them a VLOP in the first place — not just reversed going forward, but retroactively scrapped. And even though the commission already revoked the VLOP status earlier this year, Technius still has reasons to chase a clean erasure.

According to MLex, attorney Tobias Bosch explained that a retroactive annulment could do more than tidy the record. It could help Stripchat recover the supervisory fee it paid. It could shift the jurisdiction over who gets to police them. And it could influence an active investigation into whether the platform violated the DSA in the past.

It’s wild how much hinges on something as mundane-sounding as user-count methodology. But maybe that’s the real tension here — in a world obsessed with data, the people interpreting the numbers often have more power than the numbers themselves.

Ben Suroeste opines on a new age verification service. Here’s a summary:

Brady Mills Agency just rolled out AgeWallet, their shiny new age-verification system they say will help small adult-sector merchants survive the avalanche of new compliance rules. They’re leaning hard on the idea that the Supreme Court’s FSC v. Paxton ruling kicked the industry into fast-forward, and honestly, they’re not wrong—tools like this are going to keep popping up like mushrooms after rain.

What stands out, though, is the quieter warning baked into the announcement: the beginning of a serious crackdown on VPNs. AgeWallet claims it can detect proxies, masked locations, all of it—and force users to re-verify if anything looks off. Great for merchants trying to stay legal. Not so great if you’re living under a government that already decides what you’re allowed to read or watch. For those of us who remember the scrappy, boundary-free internet, this feels less like progress and more like another brick in the wall.

YNOT NEWS | Open The Age Verification Floodgates!

ATLANTA, Ga. – Earlier this week, the Brady Mills Agency, an Atlanta-based technology firm, announced the launch of AgeWallet,

Read More

www.ynot.com

Over on Forbes.com right now, there’s an article making the point that when you read somewhere that traffic from the UK to Pornhub is down 77%, you might want to take that figure with a grain of salt. Or maybe a pillar of the stuff.

Writing for Forbes, Zak Doffman goes further still, suggesting “you can completely ignore” such a claim because “it’s not true.”

“What’s actually happening is that U.K. adults are turning to VPNs to mask their locations,” Doffman writes. “Just as residents of U.S. states affecting bans now pretend to be someplace else. Pornhub makes this as easy as possible.”

The article goes on to cite (perhaps accurately – I’m certainly no expert on VPNs) a variety of reasons why this sudden expansion in VPN use may not be a good thing, including the eye-catching assertion that “VPNs are dangerous.”

“You are trusting all your content to a third-party provider who can see where you are and the websites you visit,” Duffman writes. “At a minimum. There are plenty of reports of rogue VPNs doing much worse than that. In particular, you must avoid free VPNs and Chinese VPNs. Stick to bluechip options.”

Duffman is probably right and his advice on sticking to the name brand VPNs probably makes good sense. But as a guy who misses the era of what people call the “open internet” my concern isn’t so much rogue VPN operators as it is rogue legislators.

As I read Duffman’s piece, I couldn’t help but imagine some elected official somewhere reading the same piece and saying to himself/herself: “OH. MY. GOD. This VPN thing MUST be stopped, whatever it is.” The manner of legislation that follows this sort of epiphany typically tries to solve one problem by creating another. Or maybe several others.

The thing is, it’s not Duffman’s warning about the potential dangers of VPN use that will drive the concern of my hypothetical legislator, not the potential security threat or the nefarious actors out there offering free VPNs.

No, what will get the legislators all fired up and ready to wield their pens again will be the part about the ease of using VPNs to get around their precious, legally mandated age verification walls.

I don’t expect too many legislators will seek to ban VPN use altogether, although doubtlessly there will be some bright bulb somewhere who proposes exactly that. More likely, what they’ll do is add something to an existing age verification statute that prohibits “facilitating the use of technology to circumvent state law” on the part of the adult site, or mandating that adult sites have to do what a lot of paywalled sites do for their own reasons, which is try to detect and defeat VPN use.

As Duffman notes, websites can “look at your browser settings or cellular settings or recognize you from previous visits…. That’s why it’s harder to watch live sports from your usual provider when you’re away from home, their market restrictions try to catch you out. Porn sites do not.”

For the sake of adults in the UK and elsewhere who would rather not hand over their sensitive personal information to a third party just to exercise their right to look at sexually explicit images, here’s hoping porn sites aren’t soon forced to do what they’re currently choosing not to do.

There’s been a lot of discussion of AI-generated porn lately, particularly in the days since OpenAI announced that starting in December, the firm would allow “mature content” to be generated by ChatGPT users who have verified their age on the platform. Understandably, much of that discussion has centered on consent—or the lack of such—in the context of AI content generation, given the proliferation of “deepfake” content in recent years.

Concern over publicly available images being used to create AI porn without the consent of the people being depicted is also driving legislative bodies everywhere to consider passing new laws that specifically forbid the practice. In South Dakota, for example, Attorney General Marty Jackley wants the legislature to craft a new law making it a felony to create AI-generated porn from an image of a non-consenting adult, which would mirror a law passed in the state last year making it a crime to do so using images of a minor.

You can certainly understand why this sort of law appeals to people, even if there are some potentially tricky First Amendment questions raised by such a prohibition. I don’t think any of us like the idea of someone grabbing our old yearbook photos and creating ‘porn doubles’ of us to be distributed willy nilly on the internet. But that very understandable and sensible concern doesn’t make the potential First Amendment questions magically disappear.

For one, if it’s not possible to make it illegal to create, say, a painting of a public figure without that person’s permission (and it isn’t), can it be made illegal to use AI to create an image of that same person? If it’s OK to create a non-pornographic image of that person, can a pornographic image of them be illegal only if it is also considered legally “obscene”?

While a lot of the questions around AI porn pertain to its potential for abuse, there’s a flipside to it, as well. For example, if one’s primary objection to the creation of pornography is rooted in its impact on the performers—the risks to their health and safety, the oft-cited potential for human trafficking being involved, etc.—then isn’t it better if the only “actors” involved are entirely digital beings?

On the other hand, if you’re someone who creates adult content, particular in a performing capacity, the prospect of being replaced by a competitor who doesn’t need to travel, sleep, undergo STD screening or pay any bills is a frightening one, I should think—particularly if there’s no legal mechanism preventing unscrupulous third parties from profiting by effectively pirating your very likeness. Getting replaced in a job by anyone sucks; just imagine what it would be like to get replaced by a counterfeit of yourself!

To sort all this out and craft effective legislation and regulation of AI porn is going to take a lot of careful, deliberate, rational thought. Unfortunately, I’m not sure there’s a lot of that to be found within the halls of Congress or any other legislative body. So, in all likelihood, states around the country and countries around the world will continue to struggle to get their heads wrapped around AI porn (and AI more generally) the same way they’ve struggled with the internet itself for the last several decades.

In the meantime, the rest of us will try to muddle through, as best we can. Personally, I have no plans to either create or consume AI porn… but will I even know I’m doing so, if it happens?

Add that to the list of thorny questions, I suppose.

There’s a quiet rule that’s floated around cybersecurity circles for years: don’t hold onto more data than you’re capable of protecting. Simple, elegant, almost parental in its logic — if you can’t safeguard it, don’t collect it.

But the world doesn’t care about that rule anymore.

Laws around identity and age verification are spreading fast, and they’re forcing companies—whether they’re ready or not—to gather and store the most intimate, high-risk documents a person can hand over. Passports. Driver’s licenses. National IDs. All the things you’d rather keep in your own pocket, not scattered across the servers of whoever happens to run the website you’re using.

And then something like the Discord breach happens.

In early October 2025, The recent data breach involving Discord. Not Discord’s internal systems—one of the partners handling support. Hackers got access to support-ticket data: names, emails, IP addresses, billing info, conversation logs… the usual mess. But tucked inside that mess was something far more sensitive: government-issued IDs.

These were collected for one reason: to prove a user was old enough to be there. To appeal an underage ban. And suddenly, the private documents people reluctantly handed over “just to get their account back,” were sitting in someone else’s hands entirely.

The Trap These Laws Create

Discord didn’t wake up one day deciding it wanted a folder full of driver’s licenses. Companies aren’t hungry for that kind of liability. But regulators have been ramping up age-verification mandates, and the penalties for non-compliance are steep enough to make anyone comply.

You can see the logic in the laws. Protect kids. Keep platforms accountable. Reasonable goals.

But look closely at the side effects:

We’ve built a system where organizations must stockpile some of the most breach-sensitive personal data in existence — even when they have no business storing it, no infrastructure built to protect it, and no desire to be holding it at all.

The old rule of “collect as little as possible” dies the moment a legal mandate requires collecting everything.

One Breach Becomes Everyone’s Problem

And once a company becomes responsible for storing IDs, the risk spreads. Healthcare portals, schools, banks, e-commerce shops, SaaS platforms — anyone providing service to the general public could end up in the same situation.

Every new database of passport scans is a future headline waiting to happen.

And when it happens, the fallout isn’t just personal. It’s financial. Legal. Reputational. You lose customer trust once — and you don’t get it back.

For small companies, one breach can simply end the business.

The MSPs Get Pulled Into the Storm

Managed service providers—MSPs—don’t get to sit this one out. They inherit the problem from every client they support. One MSP breach doesn’t just hit one organization. It hits all of them at the same time.

And the typical MSP environment? It’s a patchwork quilt of tools stitched together over time:

• One for backups

• One for endpoint protection

• Another for vulnerability scanning

• A different one for patching

• Another for monitoring

• And maybe one more to try and tie it all together

Every tool is another doorway. Another password. Another integration that can fail silently. Another shadow corner where data can slip unencrypted or unmonitored.

In an age when MSPs are being asked to guard government IDs, medical files, financial records, and entire networks—you can’t afford those shadows.

The Fix Isn’t “More Tools” — It’s Fewer

The only real path forward is simplification.

Not by removing security controls, but by merging them. Consolidation. Native integration. One platform where backup, protection, monitoring, and recovery exist inside the same ecosystem, speaking the same language, managed from the same place.

When everything runs through a single agent with one control plane:

• There are fewer gaps.

• There are fewer weak handoffs.

• There are fewer places for attackers to slip in unnoticed.

• And the attack surface shrinks dramatically.

You trade chaos for clarity.

You trade complexity for protection.

The New Reality

That old cybersecurity rule—don’t collect more data than you can protect—wasn’t wrong. It’s just not optional anymore.

The Discord breach isn’t a one-off story. It’s a preview. A warning shot.

Organizations are being legally pushed into storing the exact type of data that attracts attackers the most. And MSPs are being put in charge of securing it at scale.

So the question shifts:

If you no longer get to choose how much data you collect…

you have to be very deliberate about how you protect it.

And that means rethinking the entire structure of how we secure systems—not by addition, but by alignment.

Because now the stakes aren’t abstract. They are literal: your identity, my identity, everyone’s identity.

And someone is always watching for the first loose thread.

Adult Attorney Corey Silverstein talks about how to stay legally protected as an adult website owner. Here’s a summary of the article:

It feels like the adult industry just hit a hard reset. Age verification laws are no longer theoretical — they’re real, enforced, and expensive to ignore. And because every region wants something slightly different, the once-standard “one policy fits everywhere” approach is basically dead. If a site can’t explain exactly how it keeps minors out, it’s already behind.

At the same time, regulators and payment processors are demanding proof that every bit of content is consensual and monitored. The Aylo case didn’t accuse anyone of new wrongdoing, but it sent a clear message: it’s not enough to say you have safeguards — you need documentation, systems, records, and the ability to show them working. Old blanket model releases aren’t enough anymore. Consent now has to be specific, traceable, and ongoing.

And hanging over all of this is data privacy — the silent one that can shut a company down overnight. GDPR and CPRA require clear deletion rights, consent controls, and minimal data collection. Most adult sites still haven’t updated. The takeaway is simple: the old shortcuts are now risks. The companies that survive will be the ones who update before they’re forced to — not after.

How to Stay Legally Protected When Policies Get Outdated

The adult industry has long operated in a complex legal environment subject to rapid change. Now, a confluence of age verification laws, lawsuits, credit card processing and data privacy rules has created an urgent need for all industry participants — from major platforms to independent creators — to review and potentially overhaul their legal and operational policies.

Read More

www.xbiz.com

There’s something almost surreal about the idea of a phone interrupting a teenager’s late-night scrolling to say, Hey, maybe this isn’t great for your brain. That’s what Colorado’s new law is aiming for: gentle on-screen nudges when minors have been on a platform for more than an hour, or when they’re using it between 10 p.m. and 6 a.m. The warnings would have to reference research on brain development and repeat every thirty minutes. It’s the kind of thing that could become background noise — or maybe it could give someone a moment to pause. Hard to say. The provision is supposed to roll out on January 1.

But before any pop-ups appear, the law is already tied up in court. NetChoice, a group representing major social media platforms, has filed a lawsuit arguing that Colorado can’t require companies to deliver the government’s message on their own services. Their point is that social media isn’t just a product — it’s a place where communication happens, where speech happens — and the First Amendment doesn’t let the government compel speech, even in the name of public health. They note that other media industries have voluntary systems for guidance — movie ratings, for example — and that forcing platforms to present specific warnings crosses constitutional lines.

Supporters of the law say the goal is simply to help protect kids, especially given widespread concern about youth mental health. They argue that many parents want something in place to help guard against endless scrolling or disrupted sleep. Opponents respond that the science around social media’s effects is still developing — not nonexistent, but varied, with impacts that differ depending on the individual. Some researchers point to small but measurable effects; others note that social media can be a source of support, identity, creativity, or connection. So the debate becomes less about whether social media is “good” or “bad” and more about who gets to decide how platforms communicate risk — the state, the companies, or families themselves.

Similar legal battles are unfolding in other states, and courts haven’t landed on one clear answer yet. Some laws have been paused, others allowed to proceed while the challenges continue. Colorado’s case will likely turn on some very old constitutional questions — about speech, autonomy, and the limits of state power — applied to a very modern situation. And maybe that’s what makes this moment feel so unsettled: the technology is new, the stakes feel personal, and the rules are still being written.

Spiked’s Adam Edwards opines on the Online Safety Act in the UK.

The story centers on U.S. lawyer Preston Byrne, who represents the message board 4chan and is openly defying the UK’s Online Safety Act. When the UK regulator Ofcom issued 4chan a £20,000 fine, Byrne publicly mocked the demand and argued that British law has no legal power over companies and citizens who have no operations or assets in the UK. He views the Online Safety Act as an overreaching censorship regime and says Ofcom is trying to enforce rules outside its jurisdiction by sending threatening letters instead of going through proper international legal channels.

The Online Safety Act requires any online platform accessed by UK users—regardless of where the company is based—to submit risk assessments, reports, and censorship plans, under threat of fines or even jail for executives. While 4chan has refused to comply and likely faces no real consequences because it has no UK presence, larger American companies like Meta and Google do have substantial assets in Britain, making potential enforcement far more serious. This has sparked broader questions about sovereignty, free speech, and whether a foreign government can compel U.S. companies to restrict or monitor content.

To counter the UK’s moves, Byrne has launched both a legal challenge in U.S. federal court and proposed new U.S. legislation called the GRANITE Act, which would allow American companies to sue foreign regulators like Ofcom if they attempt to impose fines or censorship demands. If passed, it could effectively block foreign censorship attempts and even allow U.S. courts to seize foreign government assets in retaliation. Byrne argues that if the UK cannot force U.S. firms to comply, British lawmakers may eventually be forced to reconsider the Online Safety Act altogether.

Why is Ofcom trying to censor Americans?

The UK’s communications quango is sticking its beak into America.

Read More

www.spiked-online.com

Something’s always shifting in the world of compliance — especially when it comes to how adult sites handle age verification. The Free Speech Coalition (FSC), the legal advocacy nonprofit that often ends up doing the industry’s heavy lifting, just rolled out an updated version of its Compliance With U.S. Age Verification Laws: A Toolkit for Adult Websites.

The group explained on its website that the updates were necessary, given how quickly the legal ground keeps moving. What used to be “best practices” a few months ago can suddenly look outdated once new state laws or attorney general actions land on the table.

“Today, we are releasing an updated edition reflecting new legal developments and feedback from stakeholders who’ve put the toolkit into practice,” the post read.

And it’s not a light revision, either. “The key updates in this version include the final language and analysis of the Missouri age verification regulation taking effect November 30th and inclusion of recently-filed attorney-general actions, regulatory notices, and litigation related to age-verification laws,” FSC added.

That sense of urgency runs through every line of the update. “FSC’s guidance to our members continues to develop as state requirements and enforcement actions evolve,” said Alison Boden, executive director of the Free Speech Coalition. “Staying up-to-date is vital as companies make decisions about compliance.”

For those who actually need to keep their sites out of trouble (and their users protected), the new version of Compliance With U.S. Age Verification Laws: A Toolkit for Adult Websites is available for download at FreeSpeechCoalition.com/toolkit