Title: I traced the global age verification lobby across 470 sources. The same people write the laws, set the standards, run the certification, and sell the tools. Here is what I found.
This is a summary of a 16-file open source investigation into age verification laws being passed worldwide. Every claim links to a public source. The full investigation, with 470 sources across government databases, court records, corporate registries, legislative records, and investigative journalism, is published at https://tboteproject.com/findings/
I am not claiming child exploitation is fake. It is real. I am not claiming the people involved have evil intentions. Many sincerely believe they are protecting children. What the investigation documents is that the system being built to protect children doubles as mass surveillance infrastructure, shaped by people with financial and political conflicts of interest, and no democratic process in any affected country has considered these connections because no one had mapped them before.
The children are real. The exploitation is real. The protection is not what it appears to be.
One person wrote the template
A British filmmaker turned baroness named Beeban Kidron wrote the UK's Age Appropriate Design Code. Her foundation, 5Rights, then got it copied into California law. A US government FARA filing confirmed that her UK-based foundation directly lobbied California legislators, wrote materials for elected officials, and negotiated bill language (FARA filing). 5Rights hired the former chief consultant to the California committee considering the bill.
Her foundation then spent three years campaigning to pass a similar law in Brazil. The same template is being pushed in Australia, the EU, Indonesia, Canada, and other countries.
Kidron also co-led the technical standard (IEEE 2089.1) that age verification companies must meet. The person running the certification program for that standard simultaneously heads the age verification industry trade group, the AVPA. So the same network writes the law, writes the standard, runs the certification, and sells the compliance tools.
"Consultation is the playground of the tech lobbyist and inaction is the most powerful tool in politics." - Baroness Kidron, House of Lords debate, January 21, 2026
2022 was the global inflection point. In one calendar year, the EU signed the Digital Services Act, the UK introduced the Online Safety Bill, the US Senate received KOSA, Brazil introduced PL 2628, California signed the AADC, Louisiana passed the first US state age verification law, and the EU unveiled Chat Control. Thorn (Ashton Kutcher's organization) spent $630K+ lobbying the EU for Chat Control while its CEO sat on WeProtect's board and its own technology could enforce the laws it lobbied for. By 2026, Australia, France, Malaysia, Indonesia, Italy, and multiple US states had followed.
The same organizations appear across every jurisdiction.
The same funders pay for all of it
Pierre Omidyar (eBay founder) funds advocacy groups pushing these laws in both the US and Brazil simultaneously. His Luminate arm gave $500K to Data Privacy Brasil. His Imaginable Futures arm partners with Instituto Alana. Omidyar Network itself funds Common Sense Media, the primary US organization behind KOSA.
In Brazil, two branches of one banking family (the Itau/Setubal dynasty, controlling Latin America's largest bank) fund different advocacy groups that all pushed for the same law. Ana Lucia Villela (Itau board member, ~$1.5B net worth) founded Instituto Alana and its US arm ($8.15M in grants in 2022). Jose Luiz Setubal (Itau heir) founded Fundacao JLES, which directly funds the child protection coalition.
Oak Foundation (Switzerland) funds 5Rights, ECPAT, SaferNet Brasil, and sits on the board of WeProtect, a 100-country alliance pushing the same agenda.
What happened in Brazil
Brazil passed its age verification law (the Digital ECA, Lei 15.211/2025) in September 2025. It took effect March 17, 2026. The law requires not just websites but phone operating systems (Android, iOS, Windows, Linux) to verify your age. Linux distributions including Arch Linux 32 and MidnightBSD began geoblocking Brazil because volunteer projects without legal representation cannot comply. Both blocks remain in place as of this writing. Source
The lawmaker who shaped the final text was Jadyel Alencar, the official rapporteur. He has a criminal conviction for receiving stolen medical supplies (upheld by the TRF1 appeals court). He is a defendant in an active fraud case involving R$48 million in suspected money laundering during COVID. His company raised mask prices from R$11 to R$189 during the pandemic. He declared R$107.5 million in personal assets but had a court order for prison because he failed to pay R$6,306.48 in child support. He has 93 judicial processes on record. Conviction | Child support arrest
The rapporteur of Brazil's child protection law had a prison order for failing to support his own children. No media outlet questioned his designation.
Meta's ghost-authored amendments
Meta (Facebook/Instagram) had a lobbyist who secretly wrote amendments to weaken the bill. These amendments were filed under a different politician's name, Fernando Maximo. The secret authorship was discovered because the lobbyist forgot to remove his name from the document metadata. Intercept Brasil
One amendment eliminated content moderation reporting obligations. The other removed fines and criminal sanctions. Maximo is under Federal Police investigation for R$3.2 million in ambulance fraud with R$30M+ in shell company bank movements. He is currently leading Senate polls at 46.1%. The attorney general's office has been completely silent on the ghost-authorship complaint for seven months.
The investigation cross-referenced five separate news reports and found that every single politician Meta was documented meeting on the day the law was voted is either under criminal investigation or has been convicted. One was indicted for embezzlement through a fake charity that listed a baby as a board member. Another had R$469,700 in cash seized by police, then backdated a property sale to explain it. Gayer indictment | Cavalcante cash
Alencar removed the duty of care from the bill, its strongest structural obligation, at the request of Meta and Google. His substitute text was entered into the system 47 seconds before the session opened.
Meta also manufactured a fake document claiming that a different regulation bill (PL 2630) would ban Bible passages. Three internal Meta sources confirmed this to Agencia Publica. The document was delivered on paper "to leave no traces." A trade group whose members include Meta publicly took the blame after exposure. The entire Evangelical Caucus mobilized against the bill, which was pulled from the agenda. Source
The revolving door to the Finance Ministry
Five days before this investigation was compiled, Brazil's president appointed Dario Durigan as Finance Minister. Durigan ran WhatsApp's public policy division (a Meta subsidiary) from 2020 to 2023. He moved into the Finance Ministry in 2023 as Executive Secretary. He was named minister on March 19, 2026.
The Finance Ministry oversees SECOM advertising budgets, tax policy for tech companies, and the SPA that signed a cooperation agreement with Conselho Digital (the tech lobby group). SECOM spent R$35.8 million on Meta platforms in 2025. R$129.6 million on internet advertising total, a national record. Appointment
A former Meta executive controls the ministry that pays Meta tens of millions in advertising while overseeing the regulatory framework for Meta's industry.
Conselho Digital, the lobbying vehicle for Google, Meta, Amazon, TikTok, Discord, and others, has R$0 in declared capital, a single registered officer, and publishes no financial statements. No audit exists. No lawmaker has requested transparency. Brazil has no lobbying disclosure law.
Who actually checks your age
Private companies verify your identity under these laws. Not the government. Several of these companies have troubling backgrounds.
Persona, backed by billionaire Peter Thiel's Founders Fund and valued at $2 billion, was caught running 269 separate surveillance checks on every person it verifies. These checks include scanning faces against government watchlists, screening for "adverse media" in 14 categories, and filing automatic reports with US and Canadian financial intelligence agencies. Internal project codenames: "Project SHADOW" and "Project LEGION." Persona has a direct partnership with Serpro, Brazil's government data processing service. Persona exposure | Persona-Serpro partnership
AU10TIX handles identity verification for X (Twitter), TikTok, and Uber. It was founded by veterans of Israel's internal security agency, Shin Bet. Confirmed Unit 8200 staff are on payroll. The company suffered an 18-month data breach where admin credentials were posted publicly on Telegram and still worked when researchers tested them months later. AU10TIX breach | Intel links
Meta uses Yoti for Instagram age verification. Yoti is certified under the IEEE standard that Kidron co-led. Yoti's revenue grew 62% in 2025, driven significantly by the Instagram contract. The money flows from the law Kidron wrote, through the standard she co-chairs, to the company certified under that standard, paid for by Meta.
Where does your data go
In Brazil, verification data flows through Serpro, a government data processor holding biometric records on 85 million citizens. Serpro keeps query logs showing which company checked which citizen's identity and when. Once the Digital ECA drives mass verification, Serpro will hold a map of which citizens use which services.
Brazil's intelligence agency (ABIN) previously requested access to 76 million citizens' records through Serpro (Source). The federal highway police bought a copy of the entire 80-million-person biometric database for R$205,722.80 without publishing the purchase in any transparency portal (Source). In February 2026, a Serpro employee was caught accessing Supreme Court justices' tax records.
Serpro's "sovereign cloud" runs on Amazon Web Services hardware. The deal was arranged by an AWS executive named Sean Roche, who previously served as vice-director of the CIA's technology division. The US CLOUD Act allows American courts to compel any US company to hand over data stored anywhere in the world. CIA-AWS-Serpro connection
ANPD itself found that Serpro's Datavalid service operates without full legal basis under Brazil's data protection law (LGPD). The case challenging Datavalid has been pending at the TCU for six years.
The UK dimension: VPN bans and device scanning
On January 21, 2026, the UK House of Lords passed Amendment 92 in the Children's Wellbeing and Schools Bill by 207 to 159. The amendment, authored by Lord Nash (Conservative venture capitalist linked to GBP 3.8 billion in government contracts through 75 company interests), would ban VPN services for anyone under 18 in the UK. The only way to verify that a user is not a minor is to verify everyone.
Amendment 93 (withdrawn but still alive) would require "tamper-proof system software" on all smartphones and tablets that scans for child abuse material in real time, covering recording, transmitting including livestreaming, and viewing. This goes further than Apple's abandoned NeuralHash system, which only covered iCloud uploads before Apple killed it in 2022 after nearly 100 rights groups objected. Germany's equivalent device scanning system showed a 48.3% false positive rate.
Signal President Meredith Whittaker said Signal "would absolutely, 100% walk" from the UK rather than implement scanning. WhatsApp threatened to pull the app.
The House of Commons rejected the Lords VPN ban on March 9, 2026, 307 to 173. But they replaced it with "amendments in lieu" granting the Secretary of State broad discretionary powers to restrict VPNs, ban social media for certain ages, and modify GDPR provisions without new legislation. Open Rights Group warned that these powers are potentially more dangerous because they bypass parliamentary debate. ORG titled their response "MPs give ministers powers to restrict entire Internet." ORG
VPN usage surged 1,400% in the UK following these debates. Brazil saw a 250% surge when the Digital ECA took effect. A protest Linux distribution called "Ageless Linux" was launched.
France's digital affairs minister declared "VPNs are next on my list." The EU flagged VPNs for regulatory attention. Michigan proposed ISP-level VPN blocking with $500K fines.
The financial layer
Barclays, one of the UK's largest banks, holds approximately $2 billion in Palantir shares. Peter Thiel co-founded Palantir with CIA venture capital money. Palantir was just awarded a trial contract to process data for the UK Financial Conduct Authority, the regulator that oversees Barclays. A bank holds shares in the company processing its own regulator's data. Palantir FCA contract | Barclays Palantir shares
Thiel is the connective tissue. He co-founded Palantir (surveillance). His Founders Fund backed Persona (age verification, 269 checks per user). He sat on Meta's board from 2005 to 2022.
UNICEF hosts the main global fund pushing these laws ($83 million+). UNICEF lobbied Brazil to pass the Digital ECA. But UNICEF's own December 2025 policy paper states that "age estimation measures using biometric data pose an unacceptable risk and should not be used." The organization that lobbied for the law says the methods the law requires are unacceptably risky. UNICEF lobbying | UNICEF warning
What Meta actually wants
Meta trial documents from February 2026 reveal internal communications. A 2018 document: "If we wanna win big with teens, we must bring them in as tweens." Approximately 4 million children under 13 were on the platform. 216 million users had an "unknown" age. Nick Clegg described age restrictions as "practically impossible to enforce" in an internal email. Trial
Meta spent $26.3 million on US federal lobbying in 2025 pushing for age verification laws that require phone operating systems to check ages, not Meta's platforms. Meta funds the child safety groups that advocate for these laws (through the Tech Coalition) while also funding NetChoice, which sues to block the same laws in at least 27 US states. NetChoice revenue grew from $3M to $34M since 2020. Lobbying spend | Two Faces of Big Tech
CNBC and US News (March 2026) reported that tech companies "tacitly supported age verification as a less threatening alternative" to algorithmic regulation. The reporting described this as "regulatory capture disguised as compromise."
The pattern
The investigation maps one architecture operating across jurisdictions.
One foundation writes the laws and co-chairs the technical standard. A trade body head chairs the certification. Verification companies sell compliance. Government data brokers retain query logs. Intelligence agencies have documented access to those brokers. The cloud infrastructure is subject to the CLOUD Act. Philanthropic funders pay for advocacy in multiple countries simultaneously. No transparency mechanism in any country captures any of these flows.
The law creates the identity requirement. VPN restrictions close the last circumvention path. The same companies that verify ages on platforms would verify ages for VPN access.
A note on Reddit suppression
Earlier versions of this investigation were posted to r/linux by u/Ok_Lingonberry3296. The original post ("I traced $2 billion in nonprofit grants and 45 states of lobbying records to figure out who's behind the age verification bills") reached 14,289 points with a 99% upvote ratio. It survived after a temporary automod removal.
Every follow-up post was killed. The UPDATE post linking to tboteproject.com hit 505 points with a 98% upvote ratio before mass reports triggered automod removal. Mods were notified. They never restored it. A post documenting Amutable's German Handelsregister corporate filings was removed the same way. Cross-posts to r/privacy and r/opensource were manually removed by moderators. The poster was banned from r/opensource.
The stickied replacement post was written by u/Quiet-Owl9220, a 4-month-old account with zero r/linux comment history. Their activity is almost entirely in r/AustralianPolitics. How a 4-month-old Australian politics account became a moderator of a 1M+ subscriber Linux subreddit is unexplained. Their post was also automod-removed but was restored and pinned. Investigation posts by regular users were left dead.
The pattern is clear. General discussion about age verification survives on r/linux. Posts containing primary-source evidence (IRS filings, Handelsregister documents, lobbying records, corporate affiliation maps, funding flows) get mass-reported and left removed. Facts are suppressed. Opinions are permitted.
PullPush archive searches return zero results for "birthDate," "amutable," and "tboteproject" across all of Reddit. The topic has been effectively memory-holed from Reddit's archival infrastructure.
Community members noticed. Users described "malicious mass reporting" and asked why mods were "censoring" the posts. Lunduke covered the censorship on his Substack. Level1Techs covered it on their forum. The suppression became a story in itself.
I am posting this knowing the same thing will likely happen again. If this post disappears, the full investigation is permanently published outside Reddit at the links below.
The full investigation (16 files, 470 sources, all public records) is published at: https://tboteproject.com/findings/
Source repository: https://tboteproject.com/git/hekate/surveillance-findings
Reddit suppression documentation: https://tboteproject.com/git/hekate/reddit-findings
This investigation was compiled on March 24, 2026. If you want to verify any claim, every source link is in the published files. Read the sources yourself. Draw your own conclusions.
Supporting this work
TBOTE has future projects planned that go deeper than what we have published so far. Mirrors, protest-ware, guides, new websites and applications for the community. All of it runs on infrastructure that costs money and cannot be funded through conventional channels.
Future servers and projects require privacy-respecting providers that accept cryptocurrency and do not require personal information. Providers in separate jurisdictions, VPNs, various tools, and disposable research infrastructure add up. Contributors to this project also maintain personal security measures: hardware security keys, burner devices for research, VPN subscriptions, encrypted communication tools, and in most cases physical security equipment. These are not optional expenses when investigating organizations with the resources to identify and retaliate against researchers.
Every dollar goes directly to keeping the infrastructure online and the people behind it safe. We do not run ads, collect data, or accept sponsorship from any organization we might investigate.
A Monero address to donate to can be found at https://tboteproject.com/donate/