Human Check on Gander: Not waiting for things to go sideways.

Ben Waldman

There’s been a ton of conversation as of late about Canada implementing age verification laws for social media.

In fact, at a recent question period a lovely young student asked the Prime Minister about it and managed to weave it into a little plug for Gander.

We swear we didn’t know about it ahead of time. Sorry, Mr. Carney.

Not to disappoint the young folks there in the audience, but we decided long ago we’d be implementing human and age checks for anyone who wants to post, comment or chat on Gander–regardless of any laws that might get passed.

TL; DR;

  • Gander is taking a proactive approach: stop bots, bad actors, and kids before they can interact (not after).

  • You can browse freely, but posting, commenting, and chatting require “Human Check.” Human Check = verify you’re a real adult human (18+).

  • Gander does not store your ID or personal identity data.

  • Primary method: Canada Post Identity+ (verifies you, deletes data, only returns yes/no).

  • Other options planned: institutional emails (school/work), domain verification, etc.

  • Goal: protect users, reduce bots/AI, and keep kids safe without compromising privacy.

  • Tradeoff: the extra friction is worth it if it means Gander is safer.

  • This is a deliberate product decision, not just a response to potential laws.

Protecting our communities, our democracy and our kids.

There are a few decisions we made early when planning to build Gander.

We knew we wanted to give people agency under Canadian laws. Protect our cultures, reduce misinfo, tackle trolling, and keep bullying at bay. 

You know… just try to solve all of the little things that have plagued social media for over a decade.

We also knew we didn’t want a network swarmed by bots and AI, and we’d have to protect kids.

To be clear, anyone over 18 can create an account and check it out, but we all know the little “I’m over 18” checkbox doesn’t do a whole lot to prove human-adult-ness. So, if you want to play in our little corner of the internet, you’ll be going through our verification process.

Was it an easy decision? Kinda.

Do people like it? Not all of them. That’s for sure.

But there are some levels of friction that are worth it. And really, not optional for us.

From there, our challenge was pretty clear: how do we do that when the internet is at least 50% bad actors, bots and AI, and we have to navigate entire nation-states who want to control the dialogue in our country?

The not-so-easy options?

  1. Use AI to find the baddies (and spot kids) or
  2. Don’t let them in to begin with

Let’s dig in while I wait for everyone who knows better to tell me via foreign-owned platforms that we’re wrong…


Going reactive: Using AI to find the baddies (and spot kids).

Building AI to detect AI, bots, bad actors and kids sounds like a logical option, right?

How hard could it be?

You just leave Gander open for all activity, like everyone expects, and build monitoring that checks for patterns that indicate non-human behaviour. Or kids. 

Then wait for them to do something that matches a pattern and flag and/or remove their account(s).

Great, in theory. Not so great when you have a limited budget, a promise of data sovereignty, and a whole social platform to build and grow.

It’s also a reactive approach that leaves open some serious challenges.

For one, we don’t really want to wait for bad things to happen en masse. If we can help it.

Then there’s managing bots that are there to do good, and identifying with some level of certainty that an account is actually non-human. Or that someone is a child rather than simply child-like.

Because really, have you met AI lately? It’s just getting more and more convincing. There’s no way our little company would win in an endless AI vs AI battle.

And people come in all shapes and sizes. Guesstimating someone’s age seems a little unfair and rife with opportunities for human rights violations.

Not to mention… this leaves all sorts of room for error. I really don’t want to wake up one day to the news that our platform has become a vector for child grooming. 

No thanks.

Will we have to monitor behaviour? Sure. But that can’t be our first line of defence.

Going proactive: Don’t let them in to begin with.

So since AI vs AI isn’t an option, what about keeping bad actors out from the get-go?

We consistently hear from plenty of folks who are pro-id-verification. From parents for one, and from people who get harassed or are verbally abused online on a regular basis. Those who, understandably, want more protections and accountability. 

To them, “just check ID” sounds like a logical path. Like you would at a pub.

Unfortunately Gander isn’t a pub (working on it), and there are a TON of issues to solve:

  1. Privacy
  2. Accessibility
  3. Sovereignty
  4. Data security

Oh, and then there’s the fact that plenty of folks hate it.

Like, really hate it.

And it’s understandable. There are very real and worrisome knock-ons to everyone throwing their ID around online willy-nilly.

Granted, we usually hear about it from people posting on the very platforms that have been collecting our most intimate details since the dawn of social media, but that doesn’t change the fact that it’s a worthwhile concern.

And really, why on EARTH should you trust Gander with your ID? 

The answer is, you shouldn’t

And frankly, we don’t want it.

There would be no point in Gander protecting users from bad actors only to become a vector for a data breach.

So we looked for solutions that would be as trustworthy, non-invasive, secure and as sovereign as possible.

And despite Canada being a bit behind in homegrown tech these past couple of decades, we actually found some pretty good options to do it. As well as some alternatives to ID verification that are far less difficult to digest.

The ID verification players.

There are no shortage of ID verification tools out there. And a decent number of Canadian ones.

The problem is: trust. It’s already no small thing to ask people to scan their ID and/or face and send it over the internet. Asking them to send it to an unknown tech company is bigger still.

So that meant crossing quite a few off the list, but still left some pretty good options…

Interac

https://www.interac.ca/en/verification/personal/verify-yourself-using-your-financial-institution/

At first, we considered the idea of having people just send us a toonie via Interac. It proves you’re human, Canadian, and an adult (or most likely).

Elegant… but a heck of a thing to manage. There are no good options for automating the process, and email isn’t exactly the most secure way to do this. Also, the app stores aren’t keen on it.

That, and some folks thought it was a cash grab

If only they knew what it actually costs to do all of this.

But I digress…

While the toonie idea wasn’t going to fly, Interac does also offer a verification service that uses no ID at all. Instead, you sign in using your bank credentials. Anyone logging into Service Canada or filling their own taxes with the CRA is probably familiar with it. 

The good? It’s Canadian and uses info you’ve already voluntarily given to the bank. Plus, we’d never get your personal info. 

The bad? Not everyone has a bank account, and plenty of people can’t wrap their heads around logging into an app that way. 

Admittedly, it is scary, even though it’s pretty darned secure.

Canada Post Identity+

https://www.canadapost-postescanada.ca/cpc/en/commercial/identity-plus.page

If you’ve been following along at all, you’ll know this is where we landed for our first verification partner.

Gander app screen showing “A place for actual humans” and a Human Check prompt verifying adult users via Canada Post Identity+ before posting.
A place for actual humans. Verified before you post.


Why Canada Post?

Because they’re a (largely) trusted Canadian institution: It’s not out of the ordinary for them to have your address etc. Basically, if you get mail, you kinda expect them to have it.

But more importantly, they offer two things that others don’t: ID verification that happens between you and them–not us–and in-person verification at any of the thousands of locations across Canada. Which is a huge accessibility win. 

Canada Post’s Identity+ is a standalone app on your phone. After you verify your ID with them, the data is deleted from their servers. All we receive at Gander are two pieces of information: you’re a human, and you’re an adult.

Brilliant. 

Is it perfect? No. 

  • You have to download another app. 
  • It may fail if your ID card is old and tattered. 
  • And it’s generally a piece of friction that many won’t love.  

The solution? Offer more options.

ID? Where we’re going we don’t need ID.

Or as little as possible, anyway.

In hunting for solutions to our problem, we came to realize that there is plenty of ID verification that goes on in real life that can help us skip the whole ID/human thing to begin with.

They’re also not 100% foolproof, but they’re pretty darned good while allowing users to keep their privacy to themselves, and their IDs away from their phone cameras.

School, work and institutional email

If you have an email address at any one of the dozens of universities in Canada, there’s a strong chance you’re over 18. Yes, you may be 17, possibly even 16. But there’s very little chance you’re, say, 12.

The same goes for emails at professional associations, unions, government agencies and more.

And the thing is, those institutions will have checked your ID. They know you’re human. If you control that email address, then we don’t have to do it again unless we suspect you went all robot on us, or you’re behaving like a child. Which we would do anyway.

This means you can sign in with your personal email, and then just verify your human-adultness using one of dozens of possible professional/higher-ed emails. 

Your account still stays under the email of your choice.

Pretty slick.

Your CIRA .ca membership

This one is for the techie folks out there. 

We’ve been talking to CIRA for some time now about verifying yourself using your CIRA membership and a DNS record on your .ca domain.

Conveniently, CIRA checks the ID of their members, and we’re working on a way to verify with them.

It’s a little bit more involved as an approach, but if you are used to managing domains it should be a no-brainer for you. 

Plus, you will be able to use your domain as part of your username, which is pretty cool.

And who doesn’t love a Canadian tech love story where people walk away with vanity usernames?

What does this mean for privacy on Gander?

We’re all about choice. You can sign up with any email (and soon, phone and passkey), set your display name to whatever you like, and decide whether you want to post, connect or just… lurk.

And if you do decide to jump into conversations, your identity info never lives on our servers–no matter which Human Check method you use.

But what about the laws?

Yeah. New laws may not be on our side when it comes to any options outside of ID verification. 

So we’ll see. Probably before the House of Commons rises in June. And regardless, this is our decision, not one that was legislated. 

We’ll keep being vocal about it, and who knows? Maybe another young person will come along to Question Period to protect our privacy while making the internet a safer place.

Stranger things have happened.

In fact they happened just the other day in Parliament.

Ben Waldman Avatar
Ben Waldman is the CEO and co-founder of Gander social. For 25 years, he’s worked at the intersection of design, technology, and social impact, helping public institutions, non-profits, and mission-driven orgs tell better stories, serve their communities, and navigate digital transformation.