I don’t like to shill for companies, but I’m glad System76 made a statement. The addendum does feel like their legal team made them add it though:
> Some of these laws impose requirements on System76 and Linux distributions in general. The California law, and Colorado law modeled after it, were agreed in concert with major operating system providers. Should this method of age attestation become the standard, apps and websites will not assume liability when a signal is not provided and assume the lowest age bracket. Any Linux distribution that does not provide an age bracket signal will result in a nerfed internet for their users.
> We are accustomed to adding operating system features to comply with laws. Accessibility features for ADA, and power efficiency settings for Energy Star regulations are two examples. We are a part of this world and we believe in the rule of law. We still hope these laws will be recognized for the folly they are and removed from the books or found unconstitutional.
Anyways, it feels like all sides of the political spectrum are trying to strip away any semblance of anonymity or privacy online both in the US and abroad. No one should have to provide any personal details to use any general computing device. Otherwise, given the pervasive tracking done by corporations and the rise of constant surveillance outdoors, there will be nowhere for people to safely gather and express themselves freely and privately.
> No one should have to provide any personal details to use any general computing device
I agree. I also agree with S76 that some laws regarding how an operating system intended for wide use should function are acceptable. How would you react to this law if the requirement was only that the operating system had to ask the user what age bracket it should report to sites? You get to pick it, it isn't mandatory that it be checked, and it doesn't need to be a date, just the bucket. Is that still too onerous?
I ask because I feel like if we don't do something, the trajectory is that ~every website and app is going to either voluntarily or compulsorily do face scans, AI behavior analysis, and ID checks for their users, and I really don't want to live in that world.
The main problem with the "report your age to the website" proposals is that they're backwards. You shouldn't be leaking your age to the service.
Instead, the service should be telling your device the nature of the content. Then, if the content is for adults and you're not one, your parents can configure your device not to display it.
Heh that's already what parental controls do (granted, the website don't report the content, and it's based on blacklists), but they are trivial to bypass. Even the article mention it:
> The child can install a virtual machine, create an account on the virtual machine and set the age to 18 or over
It's precisely how I worked around the parental control my parents put on my computer when I was ~12. Get Virtualbox, get a Kubuntu ISO, and voilà! The funniest is, I did not want to access adult content, but the software had thepiratebay on its blacklist, which I did want.
In the end, I proudly showed them (look ma!), and they promptly removed the control from the computer, as you can't fight a motivated kid.
That's assuming the parental controls allow the kid to create a virtual machine. And then that the kid knows how to create a virtual machine, which is already at the level of difficulty as getting the high school senior who is already 18 to loan you their ID.
None of this stuff is ever going to be Fort Knox. Locks are for keeping honest people honest.
It may often times be trickier than that - content often mixed of course. My 10 y/o hit me with a request yesterday to play Among Us where the age verification system wanted my full name, address, email, AND the last 4 digits of my SSN. I refused.
> if we don't do something, the trajectory is that ~every website and app is going to either voluntarily or compulsorily do face scans, AI behavior analysis, and ID checks for their users
You're going to get that, anyway. Platforms want to sell their userbases as real monetizable humans. Governments want to know who says and reads what online. AI companies want your face to train their systems they sell to the government, and they want to the be the gatekeepers that rank internet content for age appropriateness and use that content as free training material.
Age verification across platforms is already implemented as AI face and ID scans. This is where we're already at.
I am well aware of the alignment of interests and the dismal state of things. I'm of the opinion that the only way to divert is radical legal action that shatters the defense industry and social media titans, and it sure as hell won't be Gavin Newsom who delivers it.
> How would you react to this law if the requirement was only that the operating system had to ask the user what age bracket it should report to sites? You get to pick it, it isn't mandatory that it be checked, and it doesn't need to be a date, just the bucket. Is that still too onerous?
Unfortunately no. There's a requirement that the OS disregard the user-indicated age if it has reason to think they're lying. Presumably this creates the obligation to monitor the user for such indicators.
I assume this is less "if they're lying" and more "if you've independently collected this data". It doesn't require you to challenge the user-indicated age, it requires you to use your own signal before that of the OS.
As a silly example, tax software probably has your full birthday, including year, which is more precise. Many social networks collected this data, as did a lot of major tech companies that implemented parental controls already.
Almost. Technically an adult must create an account for any non–adult who wants to use the computer, and configure it with the appropriate age category.
Honestly it’s the dumbest thing ever. Best just not to play that game.
What makes you think this is going to stave off that world? More likely you'll get both, since I doubt this API is going to satisfy other states' age verification requirements.
Sometimes a token effort or theater is sufficient to quell public sentiment. Like the oft-ignored and ineffective speed limits on roads, or the security theater at airports. That only handles the sentiment angle though. You still have to do something about would-be autocrats who want censorship and surveillance tools, and the oligarchs who want tracking and targeting data.
The problem is that the comparison falls flat. ADA does not sniff for birth date and surrender that data to others. One has to look at things at a cohesive unit, e. g. insecure bootloaders by Microsoft surrendering data to others. It seems as if they try to make computers spy-devices. That in itself is suspicious. Why should we support any such move? Some laws are clearly written by lobbyists.
> Anyways, it feels like all sides of the political spectrum are trying to strip away any semblance of anonymity or privacy online both in the US and abroad.
It's not this or that political party, your neighbors simply don't share your values. Maybe you don't agree with their values either — like to what degree we should be ceding privacy in favor of fighting child exploitation on the internet. Child protection arguments work because it is a compass to the true feelings of your neighbors.
The problem with this argument is that everyone agrees with protecting children.
"Think of the children" arguments are the legislator's fallacy: Something must be done, this is something, therefore we must do this.
In reality there are alternative means to accomplish any given goal, and the debate is about what should be done, because no one benefits from using methods that cost more than they're worth.
Well, almost no one. The opportunists who drape themselves in the cloak of "safety" when they want to have the government mandate the use of their services or use it as an excuse to monopolize markets or establish a chokepoint for surveillance and censorship do benefit from the machinations that allow them to screw the majority of the population. But the majority of the population doesn't.
It is as Aristotle said, the average person is a natural born slave (to their emotions, and thus to the rhetoriticians most skilled in changing them). That is why democracy always fails in the end. Americans just had such good geographic and historic luck to delay this reckoning by a century or two.
If you see politics through this lens then the 'democratic backsliding' that has been universal across the world for the past two decades is entirely unsurprising.
Makes sense, these laws are great for the establishment. Difficult to adhere to for newcomers or smaller parties. Compliance to this madness eats away a much larger proportion of thin profits.
Comparing today's internet to the 90s is hardly fair. It has become extremely predatory, and most places youth gravitate towards are controlled by algorithms with the goal of getting them hooked on the platforms to make them available for manipulation by the platform's customers.
Of course, there will be stories of smart kids doing amazing things with access to vast troves of information, but the average story is much sadder.
The EU is working on a type of digital ID that an age-restricted platform would ask for, which only gives the platform the age information and no further PII.
Companies (not talking about system76) amazingly always find the shittyest interpretations of their obligations to make sure to destroy the regulations intention as much as they can. The cookie popups should have been an option in the browser asking the user whether they want to be tracked and platforms were meant to respect this flag. Not every site asking individually, not all this dark pattern annoyance. It's mind-blowing that that was tanked so hard.
> Throwing them into the deep end when they’re 16 or 18 is too late.
I saw this a lot in college. Kids that didn’t have any freedom or autonomy while living at home went wild in college. They had no idea how to self-regulate. A lot of them failed out. Those who didn’t had some rough years. Sheltering kids for too long seems to do more harm than good. At least if they run into issues while still children, their parents can be there to help them through it so they can better navigate on their own once they move out.
12 is the magic number when things start going to shit. I'm sorry for what happened to you but maybe you should start a counselling service for clueless parents and tell them what should they do and what they shouldn't to correctly shelter the children. Because sheltering is an art. I think about it all the time. I always wish some one would take a bit of money but tell me how to guide or not guide my child to be independent in the rough world and to take decisions independently
This law feels like a battle in The Coming War on General Computation, as Cory Doctorow put it:
> I can see that there will be programs that run on general purpose computers and peripherals that will even freak me out. So I can believe that people who advocate for limiting general purpose computers will find receptive audience for their positions. But just as we saw with the copyright wars, banning certain instructions, or protocols, or messages, will be wholly ineffective as a means of prevention and remedy; and as we saw in the copyright wars, all attempts at controlling PCs will converge on rootkits; all attempts at controlling the Internet will converge on surveillance and censorship, which is why all this stuff matters.
So much for freedom and democracy lectured by Americans and westerners to the rest of the world. This is just censorship of every form of freedom of speech. This got nothing to do with children or youth. They will eventually censor and track everyone.
I'm surprised by the complete lack of dissent or even nuance in the discussion here. I'm much more ambivalent on this: the historical record for prohibition is not good, but instagram and the like are uniquely and disastrously harmful and the companies pushing them on children are powerful in a way that has no real historical precedent. In the balance, anything the reduces the power those companies have over our lives (and our politics) has to be at least considered. In other words, I don't think this is necessarily the right measure - but I'm desperate.
California may be able to target companies like System76, but it will be completely powerless against modular and decentralized distros like Debian and Arch.
I can't fathom all the rage and confusion here about these laws. It's been a well-known effect since forever that when a government deems that something needs to be done, they'll go for the first "something-shaped" solution.
This all could've been avoided. Governments all over the world have been ringing the alarm bells about lack of self-regulation in tech and social media. And instead of doing even a minimum of regulation, anything to calm or assuage the governments, the entire industry went balls-to-the-wall "line go up" mode. We, collectively, only have ourselves to blame, and now it's too late.
If you look back, it didn't have to be this way:
- Governments told game publishers to find a system to handle age rating or else. The industry developed the ESRB (and other local systems), and no "or else" happened.
- Governments told phone and smart device manufacturers to collectively standardize on a charging standard, almost everyone agreed on USB-C and only many years later did the government step in and force the lone outlier to play ball. If that one hadn't been stubborn, there wouldn't have been a law.
The industry had a chance to do something practical, the industry chose not to, and now something impractical (but you better find a way anyway, or else) will be forced upon them. And I won't shed a tear for the poor companies finally having to do something.
> We, collectively, only have ourselves to blame, and now it's too late.
Why would we have to be blamed for a law written by some lobbyists? That makes no sense at all. There are of course some folks that are in favour of this because "of the children" but their rationale does not apply to me nor to many other people. Why should they be able to force people to surrender their data, with the operating system becoming a sniffer giving out private data to everyone else? That makes no sense.
The invocation of "lobbyists" in this context is meaningless. People lobby for all kinds of things. Doesn't really matter once it becomes a law anyway.
If people could just say I don't agree with this law, it "makes no sense" and it's written by "lobbyists" and the government should not "be able to force" me to comply then we don't have a society anymore.
You had better come up with some better arguments otherwise it just seems like the typical sad case of the losing side suddenly griping about the referee's monopoly of force when it's no longer going their way...
The comment you replied to rightly pointed out one way of getting ahead of said monopoly of force is addressing problems with the status quo before the state takes an interest. It didn't happen, and now you will probably get some heavy handed intervention. But ignoring this basic point to ask why oh why suggests an ignorance of the very nature of the society that is and has been constantly regulating you.
If you only happened to notice now you should consider yourself a rather lucky specimen in the long line of human history, full of those remarking "this makes no sense" as they are nonetheless compelled to comply.
> We, collectively, only have ourselves to blame, and now it's too late.
Can't believe I'm reading this. I don't want age verification at all, whether it's self-imposed or not. I should be free to use whatever tools I want however I want.
> The industry had a chance to do something practical, the industry chose not to
Wrong. There was no choice. Any type of identification technology causes more problems than it solves. The right choice is to look for different approaches than identification technology for solving the problems. And as the article points out, the problems are best tackled with education and not with tech.
I'm probably missing something, but when I read the California statute I didn't understand it to be anything like "computers enforcing age" - more like, when you create an account it needs to ask your age, and then provide a system API by which apps can ask what bracket the account holder is in. This seems better than the current solution of every app asking independently?
Again, I'm probably missing something but it strikes me as pretty trivial to comply with?
The government really shouldn't be telling us how/what we can compute at all.
But on this specific point - It's a bellwether. They're doing this to lay the groundwork and test the waters for compulsory identification and/or age verification. Getting MacOS and Windows and Linux and etc to implement this WILL be used as evidence that compulsory identity verification for computer use is legally workable.
Being "trivial to comply with" is completely disjunct and not at all an argument against "this type of law is fundamentally at odds with the liberty and self-determination that open source projects require and should protect." It's a shot across the bow to open-source, it's literally the government telling you what code your computer has to run. It is gesturing in the direction of existential threat for Free software and I am not exaggerating. It's purposefully "trivial" so you don't notice or protest too much that this is the first time the State is forcing you to include something purely of their own disturbed ideation in your creative work.
If that’s true, I think the law is fine. There are good solutions for anonymous disclosure of information about you, the most mature being Verifiable Credentials, which is an open standard: https://en.wikipedia.org/wiki/Verifiable_credentials
You can disclose just a subset of a credential, and that can be a derived value (eg age bracket instead of date of birth), and a derived key is used so that its cryptographically impossible to track you. I wish more people discussed using that, but I suspect that it’s a bit too secure for their real intentions.
It doesn't even need to be that complicated. OS asks you your birthday at setup time. Stores it. Later, an app asks whether the user falls into one of the following brackets:
* under 13 years of age.\n
* at least 13 years of age and under 16 years of age.
* at least 16 years of age and under 18 years of age.
* at least 18 years of age.
that's it. The OS can decide how it wants to implement that, but personally I'd literally just do get_age_bracket_enum(now() - get_user_birthday());
In general, any proposal to use government ID for "age verification" over the internet is going to end in someone using it for mass surveillance, and it's probably not wrong to suspect that as the intention to begin with.
There is no benefit in doing that because parents already know how old their kid is. They don't need the government to certify it to them, and then they can configure the kid's device not to display adult content.
Involving government ID is pointless because the parent, along with the large majority of the general population, has an adult ID, and therefore has the ability to configure the kid's device to display adult content or not even in the presence of an ID requirement if that's what they want to do. At which point an ID requirement is nothing but a footgun to "accidentally" compromise everyone's privacy. Unless that was the point.
>We, collectively, only have ourselves to blame, and now it's too late.
No, "we" really don't. I wrote software. It's free. You're welcome to use it, or not. Nobody is forcing my software on you. You are not allowed to tell me that the software I wrote, for free, and gave to you, for free, needs to have features that I don't care about.
You have an LLM now. I'm obsolete now, right? Do it. Build your nerfed distro, and make it popular. Oh, yeah... there isn't a single solitary disto built by an LLM, is there? Not even one. Wow. I wonder why...
Bernstein v US says you’re right but let’s see if it gets there and hope they get legal reasoning right. One can hope the EFF and others are on this. Anyone know about any current challenges?
To the extent code is functional rather than expressive it is not speech, and when the government seeks to compel code, it generally seeks to compel function not expressive content.
(That doesn’t mean it is not a bad idea, and even perhaps unconstitutional for other reasons.)
Code is speech, though, and is protected by the first amendment: see Bernstein v. United States.
I don't think a cryptographic algorithm is "expressive" any more than it is purely functional; indeed, the 9th circuit evaluated and rejected the expressive/functional distinction for source code in the above case.
Regardless - code is speech, and the government cannot compel or prevent speech except in very narrow circumstances.
> Code is speech, though, and is protected by the first amendment: see Bernstein v. United States.
That is very much overstating the holding in the case [0], the most relevant part of which seems to be:
“encryption software, in its source code form and as employed by those in the field of cryptography, must be viewed as expressive for First Amendment purposes”
The ruling spends a key bit of analysis discussing the expressive function of source code in this field as distinct from the function of object code in controlling a computer.
A law compelling providing functionality which it is merely most convenient to comply with by creating source code as part of the process is not directing speech, any more than an law delivery of physical goods where the most convenient method of doing so involves interacting by speech with the person who physically holds them on your behalf is.
> In the government's view, by targeting this unique functional aspect of source code, rather than the content of the ideas that may be expressed therein, the export regulations manage to skirt entirely the concerns of the First Amendment. This argument is flawed for at least two reasons...
I think you should read it a bit more closely. The court threw out the "functional/expressive" argument for source code, like I said in my original comment.
Secondly, what are you talking about that source code is the most "convenient" way to implement this? It's the literal, only possible way to present an interface to a user, ask them a question, and "signal" to other applications if the user is a minor or not. You're being completely nonsensical there. There's no other way to do that: someone must write some code. The bill specifically says "an API"!
I think you should read a bit more closely, both to the decision, and to the post you are responding to (which addresses that), and to the context of what is being discussed in the thread (which is not "source code").
That's forced labor. I'm not required to write a line of code to please anyone. It's free software with no warranty. They have LLMs, let's see them build it. :)
Well, that's a 13th Amendment issue not a 1st Amendment one, but, in any case, its not forced if it doesn't direct who does the work to create the functionality, only requires you to have the functionality provided if you are doing some other activity, it is more of an in-kind tax. [0] (Now, if you want to make an argument that when the activity it is conditioned on is expressive that that makes it a 1A violation as a content-based regulation when the condition is tied to the content of the expressive act, that is a better 1A argument, that might actually have some merit against many of the real uses of, say, age verification laws; but “if I am doing this activity, I must either create or acquire and use software that has a specified function” is not, in general, a 1A violation.)
[0] It's not really that other than metaphorically, either, any more than every regulation of any kind is an “in-kind tax”, but its far closer to that than “forced labor”.
I'm not sure what you're trying to say, but if you are suggesting that writing an "API", as is legally required in AB1043, can be done without writing code I would be interested to know how!
Providing an API is required if you do some other thing, but you are not required to do that other thing. Requirements that are triggered by engaging in some other activity are not compulsions if the activity they are triggered by is not compulsory. (Now, whether restricting the thing that triggers the requirement by adding the requirement is permissible is a legitimate question, but that is not the question that is addressed when you ignore the thing triggering the requirement and treat the requirement as a free-standing mandate.)
> Provide a developer who has requested a signal with respect to a
particular user with a digital signal via a reasonably consistent real-time
application programming interface that identifies, at a minimum, which of
the following categories pertains to the user...
It’s simple you can’t go drinking under age, you can’t drive a car under age. And the harm that can come from the internet is well above this so it makes sense to also ask for id. I agree though that it needs a system to protect information.
It’s not about the system being always fail safe it’s about the general rule that by default what is happening is not legal to protect and not put the burden on every parent or family.
„But Jonas parents allow him to do that“ in reality Jonas parents should not have a say in this.
I wonder who is behind this sudden push for these age verification laws. This wasn't an issue until recently and suddenly there are not just laws in California and Colorado, but also New York and Brazil.
Just a reminder of what liability the CA age verification law imposes upon developers and providers.
It's not enough to adhere to the OS age signal:
> (3) (A) Except as provided in subparagraph (B), a developer shall treat a signal received pursuant to this title as the primary indicator of a user’s age range for purposes of determining the user’s age.
> (B) If a developer has internal clear and convincing information that a user’s age is different than the age indicated by a signal received pursuant to this title, the developer shall use that information as the primary indicator of the user’s age.
Developers are still burdened with additional liability if they have reason to believe users are underage, even if their age flag says otherwise.
The only way to mitigate this liability is to confirm your users are of age with facial and ID scans, as it is implemented across platforms already. Not doing so opens you up to liability if someone ever writes "im 12 lol" on your app/platform.
> if they have reason to believe users are underage
The law requires "clear and convincing information", not merely "reason to believe". And since the law requires developers to rely on the provide age signal as the primary indicator of the user's age, developers are not incentivized to create a system that uses sophisticated data mining to derive an estimated age. If someone posts a comment on a YouTube video saying "I'm twelve years old and what is this?", that would absolutely not require YouTube to immediately start treating that account as an under-13 account.
That would have to be litigated in court, and the easiest and cheapest way to avoid litigation is to just scan faces and IDs so you're sure your users won't upload or say anything that can bankrupt you while you sleep.
It would be at least as valid a strategy to avoid collecting any unnecessary personal information about your users, so that you don't have to worry about whether the information you've amassed adds up to "internal clear and convincing information".
Remember, only the state AG can bring a suit under this law, and the penalty is limited to $2500 per child for negligent violations. It's probably cheaper to get insurance against such a judgement than to implement an invasive ID-scanning age verification system (and assume the risks of handling such highly-sensitive personal information).
No platform is going to forgo analytics and using demographic information for advertising, that's their bread and butter.
I'd also argue it's clear and convincing if a kid changes their profile picture to a selfie of themselves, says they're 12, says they're in grade school, etc. Any reasonable person would take that at face value.
> implement an invasive ID-scanning age verification system (and assume the risks of handling such highly-sensitive personal information)
It's already implemented as face and ID scans by all the major platforms as it is. The systems are already there and they're already deployed.
Apps and platforms already integrate with 3rd party age verification platforms who handle the face and ID data, nothing ever has to touch your servers.
> I'd also argue it's clear and convincing if a kid changes their profile picture to a selfie of themselves, says they're 12, says they're in grade school, etc. Any reasonable person would take that at face value.
That's so fragile, and it's not like they're making those claims to the site, it's natural language posting.
And someone who knows what they're doing would never take "I'm twelve years old and what is this?" at face value.
You've completely changed the scenario. A human doing a one on one examination and personally sending data is totally different from a website allowing an account to exist and browse.
... except that analyzing profile pictures isn't exactly reliable (plenty of people use photos of their cats), people lie in chat, and advertising profiles are at best an educated guess.
The current analytics profiles are closer to "definitely into Roblox, 70% chance of being 13-18" than "This user was beyond any reasonable doubt born on 07-03-2002". Calling them "clear and convincing information" would be a massive exaggeration.
I read it the exact opposite way: you are forbidden from using facial and ID scans solely for age verification (as the OS-provided signal shall be the primary indicator of age), but if you already need to obtain the user's age for other reasons using more reliable means (say, a banking KYC law requiring ID scans) you are not required to discard this more reliable source in favor of the OS-provided signal.
Do you want to go to court to find out where the line is? That's expensive, risky and time consuming. It's easier to just scan faces and IDs to make sure your users are of age and not take on that liability.
I could see them eventually going far enough to bypass all of that and either requiring age verification at the point of the internet uplink on the ISP side or making it a crime similar to using a fake ID to buy alcohol if you try to bypass it. And then also punish companies that happen to be serving underage/non verified users.
There is already age verification at the ISP level. They only sell Internet service to adults. What the adults choose to do with it or with whom they share it with should be of zero concern to the government.
Of course, that's an ineffective argument, because the long-term goal of these laws (in the sense of, "the goal of the system is what it does") was never going to be about keeping kids off the Internet.
These lawd prove one thing: the politicians know nothing about the subject matter.
What is almost more disturbing: at least some of the politicians will have been advised by consultants or lobbyists who know what they're advocating for. What's their game?
Don't see how anyone is gonna make me do anything. Just evade anything like this through various means and opt out of things that reduce your quality of life (by destroying your freedom and making you a slave)
It's simple. Don't comply. Software engineers, despite not having the same requirement of mechanical engineers, should uphold the ethical obligations of their craft. This law is harmful. Given the requirement of compelled speech, given code has been _proven_ to be such, Do. Not. Comply.
We should collectively make sure that any PRs trying to land these changes are very well reviewed. We wouldn't want any security holes to slip by. I think a couple dozen rounds of reviews should suffice. I've heard great things about how productive AI can be at generating very thorough code quality assessments. After all, we should only ship it once it's perfect.
To be more direct - if you're in any editorial position where something that smells like this might require your approval, please give it the scrutiny it deserves. That is, the same scrutiny that a malicious actor submitting a PR that introduces a PII-leaking security hole would receive. As an industry we need to civil disobedience the fuck out of this.
I was gifted my first computer, running Windows 95, at 11 years of age. By age 13 I was probably within the five people who better understood how to do stuff on a computer in my town. By age 16 I was making Pokemon hackroms, flash animations for newgrounds and translating manga for pirate sites in photoshop. By then I knew my entire life would be tied to computers somehow.
Now some 50-60yo politician who has never even created a folder in their desktop without help wants to dictate how I should have used my device?
I don't really see a problem where there is a standard api (or even syscall!) to rethrieve a persons age bracket and for various apps being able to easily implement it. But please make it fucking optional.
Make it optional and assume an adult otherwise, it's a good idea if it's optional and doesn't have dumb fines, you could have fines for not enforcing it / not using the api [porn sites] that already exists [and it doesn't work since 1 button is not age verification].
I see this as a good way for parents and institutions to set up their phones, school laptops etc and would pretty much solve the large majority of these issues while having a fraction of the invasiveness.
I have been saying this all along. You can't prevent kids from getting around restrictions. All you can do is try to help them understand what they find on the other side and what some options are. Age-gating is just a way to push forward a surveillance agenda. The fact thats happening everywhere all at once proves my point.
It's pushed both by those with surveillance agendas and AI companies like Anthropic, who donated millions to PACs and politicians that are pushing online age verification and surveillance laws[1].
The goal for the AI side is that they get to be censors and gatekeepers of all user-generated content on the internet, their models will rank/grade/censor content for age-appropriateness and they will have the pleasure of being paid to train on all new content uploaded to the internet in real-time, in perpetuity.
> What you're saying is we should allow kids to buy tobacco, to gamble, to purchase Meth and Heroine because Kids get around restrictions anyway
This is false equivalence. All of the above are vices that objectively carry more harm than good. There's no inherent harm in using a computer, there's a subset of ways in which using a computer can be harmful, which kids can be taught how to avoid or navigate, there's no subset of meth use that isn't harmful
Their attempts of a "solution" are quite interesting. One other user
suggested that GUI tools ask for the age of the user.
Well ... I have a very strong opinion here. I have been using Linux
since over 20 years and I will not ever give any information about
my personal data to the computer devices I own and control. So any
GUI asking for this specifically would betray me - and I will remove
it. (Granted, it is easier to patch out the offending betrayal code
and recompile the thing; I do this with KDE where Nate added the
pester-donation daemon. Don't complain about this on reddit #kde, he
will ban you. KDE needs more money! That's the new KDE. I prefer
oldschool KDE but I digress so back to the topic of age "verification").
The whole discussion about age "verification" appears to be to force
everyone into giving data to the government. I don't buy for a moment
that this is about "protecting children". And, even IF it were, I could
not care any less about the government's strategy. Even more so as I am
not in the country that decided this in the first place, so why would I
be forced to comply with it when it ends up with GUI tools wanting to
sniff my information and then give it to others? For similar reasons,
one reason I use ublock origin is to give as few information to outside
entities when I browse the web (I am not 100% consistent here, because
I mostly use ublock origin to re-define the user interface, which includes
blocking annoying popups and what not; that is the primary use case, but
to lessen the information my browser gives to anyone else, is also a good
thing. I fail to see why I would want to surrender my private data, unless
there is really no alternative, e. g. online financial transactions.)
I also don't think we should call this age "verification" law. This is very
clearly written by a lobbiyst or several lobbyists who want to sniff more
data off of people. The very underlying idea here is wrong - I would not
accept Linux to become a spy-tool for the government. I am not interested
in how a government tries to reason about this betrayal - none of those
attempts of "explanation" apply in my case. It is simply not the job of the
government to sniff after all people at all times. This would normally
require a warrant/reasonable suspicion of a crime. Why would people surrender
their rights here? Why is a government sniffing after people suddenly? These
are important questions. That law suddenly emerging but not in the last +25
years is super-suspicious.
I mean, genuine question, is Linux Mint or MX Linux endangered by this?
Unless I'm missing something, I have zero concern for companies who sell out by complying.
The code was "free as in freedom" when you decided to build your company on it; and while you're not legally obligated to defend that freedom, and I, and hopefully other consumers, find that you are morally obligated to.
I think this is the way that Linux desktop distributions are endangered, quoting from the article: "... apps and websites will not assume liability when a signal is not provided and assume the lowest age bracket. Any Linux distribution that does not provide an age bracket signal will result in a nerfed internet for their users."
Good words, glad to see more companies taking a principled stance on these important matters. That leading quote is great for sharing with non-technical friends. We have 365d 23h of non-voting time to take direct action to make our world better.
This is the one thing that truly scares me. I've decided I'm not going to verify my age anywhere or use facial recognition apps to login anywhere. And this is a much bigger fear for my job than AI.
At the moment only some countries banning porn, social media and gambling. But how soon will I have to do it for a work app? And will I lose my job then if I refuse?
I don't think the argument that children might bypass parental controls therefore devices should not have parental controls.
>Limiting a child’s ability to explore what they can do with a computer limits their future.
Parents don't want to limit their children from writing software. Saying that limiting minors from accessing porn will limit their future is another argument I doing think many will agree with.
Aaaaand to throw it all away at the end with "well when the rubber meets the road we'll comply anyway, thanks for inhaling my hot air." Take a damn stand and dare them to sue the hacker known as Linux or whatever.
I'd say that anger is better directed towards the legislators in charge of creating these absurd policies, not the folks at System76. It's not reasonable to expect a company to sacrifice its entire business on a moral battlefield.
The prostitutes pushing for this do not deserve words. They deserve ridicule, public humiliation, and worse. The computer is a tool. Whoever would encumber it is an obvious shill for the corporations (google/apple/microsoft) who would like to attach an identity (i.e. tolls and controls) to actions prior generations could do freely and without surcharge. It is a modern-day enclosure movement. Its proponents should be juicily spat upon.
> Some of these laws impose requirements on System76 and Linux distributions in general. The California law, and Colorado law modeled after it, were agreed in concert with major operating system providers. Should this method of age attestation become the standard, apps and websites will not assume liability when a signal is not provided and assume the lowest age bracket. Any Linux distribution that does not provide an age bracket signal will result in a nerfed internet for their users.
> We are accustomed to adding operating system features to comply with laws. Accessibility features for ADA, and power efficiency settings for Energy Star regulations are two examples. We are a part of this world and we believe in the rule of law. We still hope these laws will be recognized for the folly they are and removed from the books or found unconstitutional.
Anyways, it feels like all sides of the political spectrum are trying to strip away any semblance of anonymity or privacy online both in the US and abroad. No one should have to provide any personal details to use any general computing device. Otherwise, given the pervasive tracking done by corporations and the rise of constant surveillance outdoors, there will be nowhere for people to safely gather and express themselves freely and privately.
I agree. I also agree with S76 that some laws regarding how an operating system intended for wide use should function are acceptable. How would you react to this law if the requirement was only that the operating system had to ask the user what age bracket it should report to sites? You get to pick it, it isn't mandatory that it be checked, and it doesn't need to be a date, just the bucket. Is that still too onerous?
I ask because I feel like if we don't do something, the trajectory is that ~every website and app is going to either voluntarily or compulsorily do face scans, AI behavior analysis, and ID checks for their users, and I really don't want to live in that world.
Instead, the service should be telling your device the nature of the content. Then, if the content is for adults and you're not one, your parents can configure your device not to display it.
> The child can install a virtual machine, create an account on the virtual machine and set the age to 18 or over
It's precisely how I worked around the parental control my parents put on my computer when I was ~12. Get Virtualbox, get a Kubuntu ISO, and voilà! The funniest is, I did not want to access adult content, but the software had thepiratebay on its blacklist, which I did want.
In the end, I proudly showed them (look ma!), and they promptly removed the control from the computer, as you can't fight a motivated kid.
That's assuming the parental controls allow the kid to create a virtual machine. And then that the kid knows how to create a virtual machine, which is already at the level of difficulty as getting the high school senior who is already 18 to loan you their ID.
None of this stuff is ever going to be Fort Knox. Locks are for keeping honest people honest.
So put the content tag at the granularity of the content.
You're going to get that, anyway. Platforms want to sell their userbases as real monetizable humans. Governments want to know who says and reads what online. AI companies want your face to train their systems they sell to the government, and they want to the be the gatekeepers that rank internet content for age appropriateness and use that content as free training material.
Age verification across platforms is already implemented as AI face and ID scans. This is where we're already at.
Isn't that what the CA law is?
As a silly example, tax software probably has your full birthday, including year, which is more precise. Many social networks collected this data, as did a lot of major tech companies that implemented parental controls already.
Honestly it’s the dumbest thing ever. Best just not to play that game.
The problem is that the comparison falls flat. ADA does not sniff for birth date and surrender that data to others. One has to look at things at a cohesive unit, e. g. insecure bootloaders by Microsoft surrendering data to others. It seems as if they try to make computers spy-devices. That in itself is suspicious. Why should we support any such move? Some laws are clearly written by lobbyists.
It's not this or that political party, your neighbors simply don't share your values. Maybe you don't agree with their values either — like to what degree we should be ceding privacy in favor of fighting child exploitation on the internet. Child protection arguments work because it is a compass to the true feelings of your neighbors.
The problem with this argument is that everyone agrees with protecting children.
"Think of the children" arguments are the legislator's fallacy: Something must be done, this is something, therefore we must do this.
In reality there are alternative means to accomplish any given goal, and the debate is about what should be done, because no one benefits from using methods that cost more than they're worth.
Well, almost no one. The opportunists who drape themselves in the cloak of "safety" when they want to have the government mandate the use of their services or use it as an excuse to monopolize markets or establish a chokepoint for surveillance and censorship do benefit from the machinations that allow them to screw the majority of the population. But the majority of the population doesn't.
If you see politics through this lens then the 'democratic backsliding' that has been universal across the world for the past two decades is entirely unsurprising.
Vae Victus.
So it is Microsoft, Google and Apple pushing for this.
Of course, there will be stories of smart kids doing amazing things with access to vast troves of information, but the average story is much sadder.
The EU is working on a type of digital ID that an age-restricted platform would ask for, which only gives the platform the age information and no further PII.
Companies (not talking about system76) amazingly always find the shittyest interpretations of their obligations to make sure to destroy the regulations intention as much as they can. The cookie popups should have been an option in the browser asking the user whether they want to be tracked and platforms were meant to respect this flag. Not every site asking individually, not all this dark pattern annoyance. It's mind-blowing that that was tanked so hard.
I saw this a lot in college. Kids that didn’t have any freedom or autonomy while living at home went wild in college. They had no idea how to self-regulate. A lot of them failed out. Those who didn’t had some rough years. Sheltering kids for too long seems to do more harm than good. At least if they run into issues while still children, their parents can be there to help them through it so they can better navigate on their own once they move out.
And if the person is high energy, then that energy needs to be channeled.
(And the proper way to do "less long" is to slowly loosen up over time.)
Sounds like you got the first but not the second, which must have been tough. Hope you're doing better now.
> I can see that there will be programs that run on general purpose computers and peripherals that will even freak me out. So I can believe that people who advocate for limiting general purpose computers will find receptive audience for their positions. But just as we saw with the copyright wars, banning certain instructions, or protocols, or messages, will be wholly ineffective as a means of prevention and remedy; and as we saw in the copyright wars, all attempts at controlling PCs will converge on rootkits; all attempts at controlling the Internet will converge on surveillance and censorship, which is why all this stuff matters.
Full talk: https://www.youtube.com/watch?v=HUEvRyemKSg
Didn't regulating cigarettes kind of work?
https://arxiv.org/html/2506.06299v4
This all could've been avoided. Governments all over the world have been ringing the alarm bells about lack of self-regulation in tech and social media. And instead of doing even a minimum of regulation, anything to calm or assuage the governments, the entire industry went balls-to-the-wall "line go up" mode. We, collectively, only have ourselves to blame, and now it's too late.
If you look back, it didn't have to be this way: - Governments told game publishers to find a system to handle age rating or else. The industry developed the ESRB (and other local systems), and no "or else" happened. - Governments told phone and smart device manufacturers to collectively standardize on a charging standard, almost everyone agreed on USB-C and only many years later did the government step in and force the lone outlier to play ball. If that one hadn't been stubborn, there wouldn't have been a law.
The industry had a chance to do something practical, the industry chose not to, and now something impractical (but you better find a way anyway, or else) will be forced upon them. And I won't shed a tear for the poor companies finally having to do something.
Why would we have to be blamed for a law written by some lobbyists? That makes no sense at all. There are of course some folks that are in favour of this because "of the children" but their rationale does not apply to me nor to many other people. Why should they be able to force people to surrender their data, with the operating system becoming a sniffer giving out private data to everyone else? That makes no sense.
If people could just say I don't agree with this law, it "makes no sense" and it's written by "lobbyists" and the government should not "be able to force" me to comply then we don't have a society anymore.
You had better come up with some better arguments otherwise it just seems like the typical sad case of the losing side suddenly griping about the referee's monopoly of force when it's no longer going their way...
The comment you replied to rightly pointed out one way of getting ahead of said monopoly of force is addressing problems with the status quo before the state takes an interest. It didn't happen, and now you will probably get some heavy handed intervention. But ignoring this basic point to ask why oh why suggests an ignorance of the very nature of the society that is and has been constantly regulating you.
If you only happened to notice now you should consider yourself a rather lucky specimen in the long line of human history, full of those remarking "this makes no sense" as they are nonetheless compelled to comply.
Can't believe I'm reading this. I don't want age verification at all, whether it's self-imposed or not. I should be free to use whatever tools I want however I want.
We somehow lost the war of freedom of privacy ... or, maybe the battle still rages
Wrong. There was no choice. Any type of identification technology causes more problems than it solves. The right choice is to look for different approaches than identification technology for solving the problems. And as the article points out, the problems are best tackled with education and not with tech.
Uh, no.
Governments demanding computers enforce age is as dumb as governments demanding books, pen, and paper enforce age.
This is unrelated to industry. This is idiots running the government.
Again, I'm probably missing something but it strikes me as pretty trivial to comply with?
But on this specific point - It's a bellwether. They're doing this to lay the groundwork and test the waters for compulsory identification and/or age verification. Getting MacOS and Windows and Linux and etc to implement this WILL be used as evidence that compulsory identity verification for computer use is legally workable.
You can disclose just a subset of a credential, and that can be a derived value (eg age bracket instead of date of birth), and a derived key is used so that its cryptographically impossible to track you. I wish more people discussed using that, but I suspect that it’s a bit too secure for their real intentions.
* under 13 years of age.\n * at least 13 years of age and under 16 years of age. * at least 16 years of age and under 18 years of age. * at least 18 years of age.
that's it. The OS can decide how it wants to implement that, but personally I'd literally just do get_age_bracket_enum(now() - get_user_birthday());
The bill is here: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...
The uproar seems to be extremely overblown.
There is no benefit in doing that because parents already know how old their kid is. They don't need the government to certify it to them, and then they can configure the kid's device not to display adult content.
Involving government ID is pointless because the parent, along with the large majority of the general population, has an adult ID, and therefore has the ability to configure the kid's device to display adult content or not even in the presence of an ID requirement if that's what they want to do. At which point an ID requirement is nothing but a footgun to "accidentally" compromise everyone's privacy. Unless that was the point.
No, "we" really don't. I wrote software. It's free. You're welcome to use it, or not. Nobody is forcing my software on you. You are not allowed to tell me that the software I wrote, for free, and gave to you, for free, needs to have features that I don't care about.
You have an LLM now. I'm obsolete now, right? Do it. Build your nerfed distro, and make it popular. Oh, yeah... there isn't a single solitary disto built by an LLM, is there? Not even one. Wow. I wonder why...
(That doesn’t mean it is not a bad idea, and even perhaps unconstitutional for other reasons.)
I don't think a cryptographic algorithm is "expressive" any more than it is purely functional; indeed, the 9th circuit evaluated and rejected the expressive/functional distinction for source code in the above case.
Regardless - code is speech, and the government cannot compel or prevent speech except in very narrow circumstances.
That is very much overstating the holding in the case [0], the most relevant part of which seems to be:
“encryption software, in its source code form and as employed by those in the field of cryptography, must be viewed as expressive for First Amendment purposes”
The ruling spends a key bit of analysis discussing the expressive function of source code in this field as distinct from the function of object code in controlling a computer.
A law compelling providing functionality which it is merely most convenient to comply with by creating source code as part of the process is not directing speech, any more than an law delivery of physical goods where the most convenient method of doing so involves interacting by speech with the person who physically holds them on your behalf is.
[0] text here: https://law.resource.org/pub/us/case/reporter/F3/176/176.F3d...
I think you should read it a bit more closely. The court threw out the "functional/expressive" argument for source code, like I said in my original comment.
Secondly, what are you talking about that source code is the most "convenient" way to implement this? It's the literal, only possible way to present an interface to a user, ask them a question, and "signal" to other applications if the user is a minor or not. You're being completely nonsensical there. There's no other way to do that: someone must write some code. The bill specifically says "an API"!
That's forced labor. I'm not required to write a line of code to please anyone. It's free software with no warranty. They have LLMs, let's see them build it. :)
> That's forced labor.
Well, that's a 13th Amendment issue not a 1st Amendment one, but, in any case, its not forced if it doesn't direct who does the work to create the functionality, only requires you to have the functionality provided if you are doing some other activity, it is more of an in-kind tax. [0] (Now, if you want to make an argument that when the activity it is conditioned on is expressive that that makes it a 1A violation as a content-based regulation when the condition is tied to the content of the expressive act, that is a better 1A argument, that might actually have some merit against many of the real uses of, say, age verification laws; but “if I am doing this activity, I must either create or acquire and use software that has a specified function” is not, in general, a 1A violation.)
[0] It's not really that other than metaphorically, either, any more than every regulation of any kind is an “in-kind tax”, but its far closer to that than “forced labor”.
Good, because I'm not writing it, f\/ck them. Free software, no warranty. Use it if you want to. Otherwise, pound sand.
Don't you mean "bad"? Shouldn't you want it to be a violation of the constitution so it gets thrown out?
Providing an API is required if you do some other thing, but you are not required to do that other thing. Requirements that are triggered by engaging in some other activity are not compulsions if the activity they are triggered by is not compulsory. (Now, whether restricting the thing that triggers the requirement by adding the requirement is permissible is a legitimate question, but that is not the question that is addressed when you ignore the thing triggering the requirement and treat the requirement as a free-standing mandate.)
„But Jonas parents allow him to do that“ in reality Jonas parents should not have a say in this.
It's not enough to adhere to the OS age signal:
> (3) (A) Except as provided in subparagraph (B), a developer shall treat a signal received pursuant to this title as the primary indicator of a user’s age range for purposes of determining the user’s age.
> (B) If a developer has internal clear and convincing information that a user’s age is different than the age indicated by a signal received pursuant to this title, the developer shall use that information as the primary indicator of the user’s age.
Developers are still burdened with additional liability if they have reason to believe users are underage, even if their age flag says otherwise.
The only way to mitigate this liability is to confirm your users are of age with facial and ID scans, as it is implemented across platforms already. Not doing so opens you up to liability if someone ever writes "im 12 lol" on your app/platform.
The law requires "clear and convincing information", not merely "reason to believe". And since the law requires developers to rely on the provide age signal as the primary indicator of the user's age, developers are not incentivized to create a system that uses sophisticated data mining to derive an estimated age. If someone posts a comment on a YouTube video saying "I'm twelve years old and what is this?", that would absolutely not require YouTube to immediately start treating that account as an under-13 account.
Remember, only the state AG can bring a suit under this law, and the penalty is limited to $2500 per child for negligent violations. It's probably cheaper to get insurance against such a judgement than to implement an invasive ID-scanning age verification system (and assume the risks of handling such highly-sensitive personal information).
I'd also argue it's clear and convincing if a kid changes their profile picture to a selfie of themselves, says they're 12, says they're in grade school, etc. Any reasonable person would take that at face value.
> implement an invasive ID-scanning age verification system (and assume the risks of handling such highly-sensitive personal information)
It's already implemented as face and ID scans by all the major platforms as it is. The systems are already there and they're already deployed.
Apps and platforms already integrate with 3rd party age verification platforms who handle the face and ID data, nothing ever has to touch your servers.
That's so fragile, and it's not like they're making those claims to the site, it's natural language posting.
And someone who knows what they're doing would never take "I'm twelve years old and what is this?" at face value.
No one is suggesting a meme should be taken literally.
The current analytics profiles are closer to "definitely into Roblox, 70% chance of being 13-18" than "This user was beyond any reasonable doubt born on 07-03-2002". Calling them "clear and convincing information" would be a massive exaggeration.
A. If end users will mod their distros to send a "signal" (TBD?) to websites.
B. If end users will just grab a pirate OS with apps compiled to not care about age.
Hopefully the latest TAILS I downloaded is free of Big (over 18) Brother. And (A)
Or just compile, Gentoo and LFS style.
C. If pirates just take care of all this for friends and neighbors.
D. When, not if, this unconstitutional coercion is challenged in court and cancelled via petition. Remember Proposition 8?
Of course, that's an ineffective argument, because the long-term goal of these laws (in the sense of, "the goal of the system is what it does") was never going to be about keeping kids off the Internet.
What is almost more disturbing: at least some of the politicians will have been advised by consultants or lobbyists who know what they're advocating for. What's their game?
To be more direct - if you're in any editorial position where something that smells like this might require your approval, please give it the scrutiny it deserves. That is, the same scrutiny that a malicious actor submitting a PR that introduces a PII-leaking security hole would receive. As an industry we need to civil disobedience the fuck out of this.
Now some 50-60yo politician who has never even created a folder in their desktop without help wants to dictate how I should have used my device?
Fuck'em
Make it optional and assume an adult otherwise, it's a good idea if it's optional and doesn't have dumb fines, you could have fines for not enforcing it / not using the api [porn sites] that already exists [and it doesn't work since 1 button is not age verification].
I see this as a good way for parents and institutions to set up their phones, school laptops etc and would pretty much solve the large majority of these issues while having a fraction of the invasiveness.
This ties in nicely with the international movement to require ID to use social media.
Why is this an international movement? Suddenly, simultaneously, all over the Western world? It's enough to make on believe in conspiracies...
The goal for the AI side is that they get to be censors and gatekeepers of all user-generated content on the internet, their models will rank/grade/censor content for age-appropriateness and they will have the pleasure of being paid to train on all new content uploaded to the internet in real-time, in perpetuity.
[1] https://news.ycombinator.com/item?id=47162956
This is false equivalence. All of the above are vices that objectively carry more harm than good. There's no inherent harm in using a computer, there's a subset of ways in which using a computer can be harmful, which kids can be taught how to avoid or navigate, there's no subset of meth use that isn't harmful
I'm guessing you meant can't
One developer began a discussion:
https://lists.ubuntu.com/archives/ubuntu-devel/2026-March/04...
Their attempts of a "solution" are quite interesting. One other user suggested that GUI tools ask for the age of the user.
Well ... I have a very strong opinion here. I have been using Linux since over 20 years and I will not ever give any information about my personal data to the computer devices I own and control. So any GUI asking for this specifically would betray me - and I will remove it. (Granted, it is easier to patch out the offending betrayal code and recompile the thing; I do this with KDE where Nate added the pester-donation daemon. Don't complain about this on reddit #kde, he will ban you. KDE needs more money! That's the new KDE. I prefer oldschool KDE but I digress so back to the topic of age "verification").
The whole discussion about age "verification" appears to be to force everyone into giving data to the government. I don't buy for a moment that this is about "protecting children". And, even IF it were, I could not care any less about the government's strategy. Even more so as I am not in the country that decided this in the first place, so why would I be forced to comply with it when it ends up with GUI tools wanting to sniff my information and then give it to others? For similar reasons, one reason I use ublock origin is to give as few information to outside entities when I browse the web (I am not 100% consistent here, because I mostly use ublock origin to re-define the user interface, which includes blocking annoying popups and what not; that is the primary use case, but to lessen the information my browser gives to anyone else, is also a good thing. I fail to see why I would want to surrender my private data, unless there is really no alternative, e. g. online financial transactions.)
I also don't think we should call this age "verification" law. This is very clearly written by a lobbiyst or several lobbyists who want to sniff more data off of people. The very underlying idea here is wrong - I would not accept Linux to become a spy-tool for the government. I am not interested in how a government tries to reason about this betrayal - none of those attempts of "explanation" apply in my case. It is simply not the job of the government to sniff after all people at all times. This would normally require a warrant/reasonable suspicion of a crime. Why would people surrender their rights here? Why is a government sniffing after people suddenly? These are important questions. That law suddenly emerging but not in the last +25 years is super-suspicious.
Unless I'm missing something, I have zero concern for companies who sell out by complying.
The code was "free as in freedom" when you decided to build your company on it; and while you're not legally obligated to defend that freedom, and I, and hopefully other consumers, find that you are morally obligated to.
The time is coming where we will unseat legislative traitors who use EU/Old World manipulations in the USA.
An unjust law is no law at all. That is the exception the rule of law requires to remain moral.
At the moment only some countries banning porn, social media and gambling. But how soon will I have to do it for a work app? And will I lose my job then if I refuse?
>Limiting a child’s ability to explore what they can do with a computer limits their future.
Parents don't want to limit their children from writing software. Saying that limiting minors from accessing porn will limit their future is another argument I doing think many will agree with.
I mean... How else would you educate children about computers and evading stupid restrictions?