Posted by todsacerdoti 4 hours ago
* This approach is the _most consistent_ with retaining anonymity on the internet, while actually helping parents with their issues. If any age-relevant gatekeeping needs to be made on the internet at all, this is the one I find acceptable.
* this is because the act very specifically does NOT require age _verification_ ie using third-parties to verify whether the claimed age is correct. Rather, it is piggybacking on the baked-in assumption, that parents will set up the device for their kids, indicating on first install what the age/DoB is, then handing over the device -a setting which can, presumably, only be modified with parental consent
* yes, there are edge cases, esp in OSS, and yes, it would be nice to iron those out -but the risk = probability x impact calculus on this is very very low.
* If retaining anonymity on the internet is of value to you, don't let the perfect be the enemy of good enough.
* It’s ambiguous how your proposed parental setup and control process would work for anything other than walled gardens like Apple’s ecosystem. On an OS like Debian, does that mean a child can’t have the root password in case they use to it change the age? Does that mean we need a second password that needs to be entered in addition to the root password to change the age? Will Arduinos and similar devices also need to be age gated?
* Those edge cases might seem small, but read broadly they would require substantial, invasive, and perhaps even impossible changes to how FOSS works. If the law isn’t changed and FOSS doesn’t adapt, this basically means the entire space will exist in a legal gray area where an overzealous prosecutor could easily kill everything.
* This is not a matter of “perfect vs good enough”, this is a major slippery slope to go down. Also, this doesn’t mean age _verification_ will simply go away.
No. You're still not quite internalizing that the California regulation does not mandate any verification or enforcement or protection of the accuracy of the age bracket data. It mandates that the question be asked, and the answer taken as-is.
Which means that many of the concerns about implementation disappear, because the setting really does not need to be anything more than a simple flag that apps can check.
> Will Arduinos and similar devices also need to be age gated?
Only to the extent that they are general purpose computing devices, have an operating system, are capable of downloading apps, and are actually used by children (since the enforcement mechanism requires a child to be affected by the non-compliance). And if an app fails to obtain age information but also doesn't do anything that is legally problematic for a user that is a child, then it's hard to argue that the app's ignorance affected the child.
> Also, this doesn’t mean age _verification_ will simply go away.
It will in California, until the law gets repealed or amended. Apps won't be allowed to ask for further age-related information or second-guess the user-reported age information, except when the app has clear and convincing information that the reported age is inaccurate.
Hopefully it stays that way.
that would be fine if the embedding means all applications can leverage this functionality - like how accessibility is embedded into the OS rather than per-app.
The only problem is if this embedding requires third-party verification (which i dont believe it is), or require some sort of hardware attestation to a remote server (so you cannot modify the OS to turn it off if you wish as a non-parent).
To me, flexibility and choice is paramount. The parents have the responsibility to monitor their child, and this tool should help when the parents opt-in for it. It should not be enforced on all computer users arbitrarily without a parental opt-in first.
> that parents will set up the device for their kids
Are the devices parents are currently setting up lacking these controls? Is there no third party software which can achieve this?
Then why is it a crime with an associated fine for me to provide an OS which does not have one? How have I failed to "help parents with their issues?"
It's an inconsistent mess.
> Is there no third party software which can achieve this?
No third-party software can force a standardized age reporting mechanism onto somebody else's platform and associated app ecosystem. A third-party unofficial age reporting mechanism is something that other apps are free to ignore. This law requires platforms to have a minimal but mandatory age reporting mechanism that apps cannot claim ignorance of and cannot decline to use in favor of an alternative age reporting mechanism.
> Then why is it a crime with an associated fine for me to provide an OS which does not have one?
Not a crime, just a civil penalty.
> Section 1798.500(e)(1) states:
“Covered application store” means a publicly available internet website, software application, online service, or platform that distributes and facilitates the download of applications from third-party developers to users of a computer, a mobile device, or any other general purpose computing that can access a covered application store or can download an application.
So… DNS servers are “covered application stores”, right? As is PyPI or GitHub or any other such service. S3 and such, too — lots of facilitating going on.
And I’m wondering… lots of things are general purpose computers. Are servers covered? How about embedded systems? Lots of embedded systems are quite general purpose.
edit: Yikes, whoever wrote the text of the law seems to have failed to think at all.
> (b) (1) A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.
The developer shall request? Not the application? So if I write an application and you download it and run it on an operating system, then I need to personally ask your OS how old you are? This makes no sense.
> (2) (A) A developer that receives a signal pursuant to this title shall be deemed to have actual knowledge of the age range of the user to whom that signal pertains across all platforms of the application and points of access of the application even if the developer willfully disregards the signal.
Did they forget to make this conditional on getting g the right answer? If I develop an application used by a 12-year-old and the OS says the user is 18+ (which surely will happen all the time even if no one lies because computers have multiple users), and the OS answers my query, then courts are directed to deem that I have actual knowledge that the user is under 13? Excuse me?
For incorrect OS answers, keep reading. 3B covers what happens if there's clear and convincing evidence that the age covered in 2A is inaccurate. (Reported profile birthday, for instance) This is "if someone shows a bartender a valid drinking-age ID but says they're celebrating their 17th birthday, this can't be ignored".
Conversely, if the OS says the user’s 13, then they can’t say they thought the user was actually 18. Guess sucks to suck if you want to buy a movie ticket from your kid’s phone, or if you mistyped your age when you set yours up because you didn’t have your passport nearby.
Grouping braces and capitalization mine. So distributing also required. However it's still overly broad, vague, and ambiguous.
So OpenWRT would be covered since they allow the user to download packages (ie software) via apk/opkg.
Awesome!
This isn't a law. It's a prayer.
The bill affects operating systems and apps, requiring them to have only the most basic feature necessary to implement age-based restrictions, and to make it an official platform-wide API instead of each app implementing their own age verification scheme. But parents remain free to use or ignore the age setting at their own discretion.
Even if say I am based in timbuktu, but allow for my ISO to be downloadede bye a resident of the state of california?
I hope this is a wakeup call for the linux community: if you don’t wanna get choked out by bad legislation, you have to get politically organized.
When it comes to technology, parents will always, always be years behind their kids. The kids will find a way to circumvent all these controls that the laws are trying to force technology providers into implementing.
These laws won't result in less violence, lower drug use, more opportunity, or closer, more tight knit communities.
I’d rather be tasked to solve the Halting Problem than to be responsible for keeping kids away from porn. There’s no hacker more motivated than a teen who wants to see a boob. I know. I remember. “Son, why do you have a calling card for Peru?” “Uh, there’s this BBS in Lima…”
What the heck does it even mean to say patents have never worked on kids?
First, let's admit the push for age verification laws isn't a partisan or ideological thing. It's a global trend. This California law has bipartisan sponsorship and only major org opponent is the evil G [1]. While age verification is unpopular in tech community, I imagine a lot of average adult voters agree that limiting children's access to wilder parts of the Internet is a good thing.
On this premise, the discussion is then who should be responsible for age verification. The traditional model is to require app developers / website owners to gatekeep -- like the Texas and Ohio laws that require PornHub to verify users' IDs. But such model put too much burden on small developers, and it's a privacy nightmare to have to share your PII with random apps.
This is why we see this new model. States started to believe it seems more viable to dump the responsibility on big tech / platforms. A newer Texas law is adopt this model (on top the traditional model) to require app stores to verify user age (but was recently blocked by court) [2]. And this California law pretty much also takes this model -- the OS (thinking as iOS / Android / Windows with app store) shall obtain the user age and provide "a signal regarding the users age bracket to applications available in a covered application store".
While many people here are concerning open-source OSes, and the language do cover all OSes -- my intuition is no lawmaker had ever think about them and they were not the target.
[1] https://calmatters.digitaldemocracy.org/bills/ca_202520260ab...
[2] https://www.politico.com/news/2026/01/05/big-tech-won-in-tex...
- block certain list of sites
- block walls inside YouTube for example
- limit amount of scrolling time Vs amount of learning time (this can be done quite easily)
So just give the tools to parents and stop requiring IDs for adults. What happens if kid gets adult's phone? And what happens when kid gets dad's rifle or car keys? It doesn't mean that all the rifles and car keys should now start to include blood sample based age verification mechanisms
--Edit--
Apple family management is even worse. The best I heard of is implemented in the switch console
(The issue of "primary owner of the device" being the most problematic.)
Equally the concept of "app store" is different for different OS's. iOS and Android are clear. Mac and Windows are mostly "download and run from website" (although both want to pivot to appstore, with varying degrees of success.)
Then we need to wonder if yum and apt are stores, given that they aren't actually owned by "linux".
In truth though it kinda doesn't matter. It's trivial to add an "age" field to account creation. It's trivial for users to enter any date they like. So on the one hand it's easy for OS makers to comply, it's easy for users to lie.
Presumably if the law could have mandated age checks then would have, so I'm not even sure thus is slippery slope. Most minors don't have photo ID. Most desktop hardware doesn't have a camera (at the time of account creation.)
This feels like performative law-making. Vague language. Unenforceable user participation.
IMO this is quite simple - as they provide software, they are "stores" too. Although I think most would associate a store with e. g. MS store, Apple store and so forth.
The word "store" is weird though. Would it not be easier to use different words? Anyone providing software for download; and perhaps add a size threshold to stop pestering small business or solo users. This really seems to target Linux here.
First, either this law, or another already on the books, or established case law, defines what an app store is. Sovereign citizens get hung up on legal wordplay because they mistake legal jargon for English. It’s not, any more than I move a small furry mammal (mouse) to click religious imagery (icons) on my desktop (not a desktop).
But second, if you really want to wordsmith it, “store” can mean “place where you keep stuff”, not only “place to buy things from”, as in in short for storage. Where do you save work documents? A file store. That’s not where you buy docs, but where you keep them. A crafty DA could probably say, lacking a definition otherwise, that an app store is where you store apps, and buying them is incidental. And they’d probably win over you and me arguing otherwise, because they can speak legal to the judge and we can’t.
Because the "store" never confirmed that Cloudflare is 18.
And "not for use in Louisiana": https://legis.la.gov/legis/Law.aspx?d=1428944
And maybe Brazil, Australia, Singapore and Utah as well (not checked): https://developer.apple.com/news/?id=f5zj08ey