There's an obvious theme with lawmakers in California—they pass laws to regulate things they have zero clue about, add them to their achievement page, cheer for themselves, and declare, "There! I've made the world a better place." There are just too many examples. For instance:
- Microstamping requirements for guns—printing a unique barcode on every bullet casing (Glock gen3 cannot be retired, thus, the auto-mode switch bug cannot be patched...)
- 3D printers should have a magical algorithm to recognize all gun parts in their tiny embedded systems
- Now, you need to verify your age... on your microwave?
At this rate, California should just go back to the Stone Age. Modern technology is simply not compatible with clueless politicians who are more eager to virtue-signal than to solve any actual problems or even borther to study the subject about the law they are going to pass. There will be more and more technology restrictions (or outright bans on use) in California because it's becoming impossible to operate anything here without getting sued or running afoul of some overreaching regulation.
Ignoring all the tedious 'no, you're a bad person for having different priorities and beliefs to me' comments that this will inevitably inspire, I have to ask: why does the operating system need to be involved in this? The intended target of the regulation seems to be app stores.
> why does the operating system need to be involved in this?
The goal in my mind is to have an account a parent can setup for their child. This account is set up by an account with more permissions access. Then the app store depends on that OS level feature to tell what apps are can be offered to the account.
Let say the the age questions happen when you install the app store. That means if you can install the app store while logged in as the child account the child can answer whatever they want and get access to apps out side of their age range. The law could require the app to be installable and configurable from a different account then given access or installed on the child account, however at a glance that seem a larger hurdle than an os/account level parental control features.
The headline calls this age verification, but the quote in the article "(2) Provide a developer who...years of age." Make it sound way different and much more reasonable than what discord is doing.
I would much rather have OSs be mandated with parental control features than what discord is currently doing. I am going to read the bill later but here is how discord age verification could work under this law.
During account creation discord access a browser level api and verifies it server side. discord no knows if the OS account is label as for someone under 13 years, over 13 and under 16, over 16 and under 18, or over 18. Then sets their discord account with the appropriate access.
No face scan, no third party, and no government ID required.
> The goal in my mind is to have an account a parent can setup for their child. This account is set up by an account with more permissions access. Then the app store depends on that OS level feature to tell what apps are can be offered to the account.
That sounds like an OS feature that parents would like to have. Probably has some market value. Maybe just let the market figure that one out.
Or, we could have an overbroad law passed that torpedoes every open-source OS in existence. If I were MS, Google, or Apple, that'd be a great side benefit of this law. Heck, they probably already have this functionality in place.
The problem here is legally-mandated age verification, not where it is placed (although forcing it into all OSes is absolutely ...). The gains are minimal for children and the losses are gigantic for children and adults. I'm not keen to have children avoid blisters by cutting off their feet.
Put control back with the parents. Let them buy tech that restricts their children's access. This law doesn't protect children from the mountains of damaging content online.
And let all the adults run Linux if they want to without requiring Torvalds to put some kind of age question in the kernel and needing `ls` to check it every single run.
> That sounds like an OS feature that parents would like to have. Probably has some market value. Maybe just let the market figure that one out.
If there was a competitive market for OSs this probably would work, but we do not really have that. Getting the market to be competitive likely either takes considerable time, or other forms of government intervention. If there really was a competitive market then this would have been a solved problem ~15-20 years ago since parents have been complaining about this for ~25-30 years at this point.
> Or, we could have an overbroad law passed that torpedoes every open-source OS in existence. If I were MS, Google, or Apple, that'd be a great side benefit of this law. Heck, they probably already have this functionality in place.
I do not think the law does that. Either a additional feature making age/birth date entry and age bracket query available, or indicated the os is not intended for use in California, both seem to let developers continue along like normal. edit Or, I think, indicate that it is not for use by children.
> The problem here is legally-mandated age verification, not where it is placed (although forcing it into all OSes is absolutely ...). The gains are minimal for children and the losses are gigantic for children and adults. I'm not keen to have children avoid blisters by cutting off their feet.
In this case the mandate is entering an age/birth date at account creation where you can lie about said age/birth date. The benefit is the ability of an adult to set up parental controls for a child account.
> Put control back with the parents. Let them buy tech that restricts their children's access. This law doesn't protect children from the mountains of damaging content online.
This puts control in the parents hands. When they set up their child's account they can put in their child's age, or not, they can make it an adult account.
> And let all the adults run Linux if they want to without requiring Torvalds to put some kind of age question in the kernel and needing `ls` to check it every single run.
So from the literal reading of the law the age checks are only required when "a child that is the primary user of the device". It does not need to effect accounts where the primary user is not a child. Nor does it seem like any application needs to run the check every time the application is launched.
The law unfortunately does require:
> (b) (1) A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.
So in the case where a child is the primary account/device user. The app needs to request the signal at least once when first launched, though it is not required to do anything with it. Delegating that to the package manager would make sense, but this part of the law should be modified, apps that can not use the signal for anything should not be required to request it, 'ls' for example.
> why does the operating system need to be involved in this?
Well, the politicians probably meant to say “Apple, Google, Microsoft, plus maybe Sony and Nintendo”
i.e. the companies that already have biometrics, nigh-mandatory user accounts, app stores linked to real identities, parental controls, locked down attested kernels, and so on.
If phones had workable parental controls that let parents opt their kid into censorship, that’s better than the give-your-passport-to-the-porn-site approach the UK have taken.
Of course if they have applied it to every OS, not just the big corporate-controlled options, that’s a dumb choice.
Because that's the first layer that deals with user accounts, and subsequent layers commonly base off of identity information stored in there. Just like how and why every other shared interface exists.
Sounds to me that this is how kids learn to spin their own operating systems (a la LFS, Gentoo)and apps.
This is how people bought personal computers when the mainframe priesthood banned them.
It appears that very soon, young people will "de facto" need to have this level of competence in order to survive and thrive in a world of "in loco parentis" operating systems and apps.
The latin reveals my age, but one thing about my age:
People my age did exactly that. We built our own hardware when there was none. We compiled (or copied) operating systems and apps. A couple of my friends wrote an operating system and a C compiler.
"My generation" created this entire internet thingy, installed and web-based apps.
Indeed, dumb-asses are going to level up young people.
How wouldn't this also apply to things like useradd(8) or simply automated user account setup, e.g. like cups, sshd, etc? Do we need to add this to vi for use in vipw on UNIX?
useradd has the Other category at setup. Could you argue that anything which allows arbitrary text information to be input into a user account that could be passed on to other applications technically fulfills the requirement, as the user could indicate age on the account?
As noted at the end of the article, I suspect the impact for many OS's is going to be that they add a line in the fine print somewhere saying not for use in California.
Hmm i think at te moment its only Linux that has by default local only accounts except if being used in some sort of SSO environment .
Microsoft has been pushing aggressively to deprecate the local and funnel everyone to Microsoft online accounts , while Android and macOS/iOS are already in such a state by default.
Coupled with the same accounts being used for online login, looks like a feature creep panopticon in the making. With Linux lucking out be default.
> (g) This title does not impose liability on an operating system provider, a covered application store, or a developer that arises from the use of a device or application by a person who is not the user to whom a signal pertains.
So, this makes desktop Linux illegal, but all the software-as-a-service like Microsoft Azure and OpenAI get off scott-free?
> [..] requires an account holder to _indicate_ [..]
i.e. this doesn't require age verification at all
just a user profile age property
> [..] interface that identifies, at a minimum, which of the following _categories_ pertains to the user [..]
so you have to give apps and similar a 13+,16+,18+,21+ hint (for US)
if combined with parent controls and reasonably implemented this can archive pretty much anything you need "causal" age verification for
- without any identification of the person, its just an age setting and parent controls do allow parents to make sure it's correct
- without face scans or similar AI
- without device attestation/non open operating systems/hardware
like any such things, it should have some added constraints (e.g. "for products sold with preinstalled operating system", "personal OS only" etc.)
but this gets surprisingly close to allowing "good enough privacy respecting" age verification
the main risk I see is that
- I might have missed some bad parts parts
- companies like MS, Google, Apple have interest in pushing malicious "industry" standards which are over-enginered, involve stuff like device attestation and IRL-persona identification to create an artificial moat/lock out of any "open/cost free" OS competition (i.e. Linux Desktop, people installing their own OS etc.).
---
"causal" age verification == for games, porn etc. not for opening a bank account, taking a loan etc. But all of that need full IRL person identification anyway so we can ignore it's use case for any child protection age verification law
----
it's still not perfect, by asking every day daily used software can find the birthdate. But vendors could take additional steps to reduce this risk in various ways, through never perfect. But nothing is perfekt.
---
Enforcement is also easy:
Any company _selling_ in California has to comply, any other case is a niche product and for now doesn't matter anyway in the large picture.
As others have pointed out, this is just a foot in the door. There's also a part of the law this article doesn't cover that requires EVERY application to query this information on every launch, regardless of whether or not the application has any age related limitations.
So it looks like the law only requires it on first launch. Which makes sense if the application can only be run from that one account. Apps that can be launched from multiple accounts are not singled out in the law, but the spirt of the law would have you checking what account is launching the app and are they in the correct age range.
That's not a guarantee. It's up to how the courts interpret that and. Given that this law is meant to handle a moving target like age, I fully expect them to interpret it as its disjunctive form.
I agree, I don’t like it as much as you do. I’m just saying nothing short of a mandated TPM will actually enforce this. I think they know that.
I think this is mostly for show to stay relevant wrt. What is happening in the courts. This is the Same play as it always been for registration “are you over the age of 13?”
Which begs the question if Microsoft's stubborn insistence on TPM 2.0 for Windows 11 to operate was something planned out in advance of this law being proposed.
I'm under the impression anyone doing nefarious things online are probably more-than tech savvy enough to not install an OS that rats them out...right?
Isnt that literally one of the first rules of the DNM Bible?
Will kids raised on it not know anything different? Seems a path to reduce computer literacy. Then again, being blocked from doing something I wanted is what lead me to find ways around said block. But I already had unrestricted access to the system to bend it to my will. Seems like these kinds of systems won’t allow for the user to learn how to works at all. It’s a mystery box.
One thing that's happening is that attestation is being plumbed into the web itself. CloudFlare and Apple have a collab where Safari will inject tokens that let CF know that the request is coming from a blessed device. In a world where all websites are being crushed by bot traffic, expect that Goog pushes on their own integrity initiative in Chrome in the next year or two.
This thing is so broadly-written, the only thing saving you from needing to give you age to your toaster is that it's not a "general-purpose" computing device. Never mind that it can run DOOM...
I really hate this new world where one jurisdiction - California, Europe, wherever - makes a law and suddenly every other jurisdiction has to comply because the law-making jurisdiction is big enough that tech companies can't abandon it.
And since it doesn't make sense to have dozens of different versions of their apps, they write to the strictest jurisdiction's laws.
If everyone has the power to make laws that apply to everyone...it's chaos.
"Self, are you 18 years old?"
"Why, yes I am."
"OK, self, please fill out a 27B stroke 6 form in your head."
"I've completed it."
"OK, self, I've validated it."
Bill text (it’s longer, but the rest is mostly definitions of the terms used here):
1798.501. (a) An operating system provider shall do all of the following:
(1) Provide an accessible interface at account setup that requires an account holder to indicate the birth date, age, or both, of the user of that device for the purpose of providing a signal regarding the user’s age bracket to applications available in a covered application store.
(2) Provide a developer who has requested a signal with respect to a particular user with a digital signal via a reasonably consistent real-time application programming interface that identifies, at a minimum, which of the following categories pertains to the user:
(A) Under 13 years of age.
(B) At least 13 years of age and under 16 years of age.
(C) At least 16 years of age and under 18 years of age.
(D) At least 18 years of age.
(3) Send only the minimum amount of information necessary to comply with this title and shall not share the digital signal information with a third party for a purpose not required by this title.
(b) (1) A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.
(2) (A) A developer that receives a signal pursuant to this title shall be deemed to have actual knowledge of the age range of the user to whom that signal pertains across all platforms of the application and points of access of the application even if the developer willfully disregards the signal.
(B) A developer shall not willfully disregard internal clear and convincing information otherwise available to the developer that indicates that a user’s age is different than the age bracket data indicated by a signal provided by an operating system provider or a covered application store.
(3) (A) Except as provided in subparagraph (B), a developer shall treat a signal received pursuant to this title as the primary indicator of a user’s age range for purposes of determining the user’s age.
(B) If a developer has internal clear and convincing information that a user’s age is different than the age indicated by a signal received pursuant to this title, the developer shall use that information as the primary indicator of the user’s age.
(4) A developer that receives a signal pursuant to this title shall use that signal to comply with applicable law but shall not do either of the following:
(A) Request more information from an operating system provider or a covered application store than the minimum amount of information necessary to comply with this title.
(B) Share the signal with a third party for a purpose not required by this title.
The definitions of the terms are completely bananas
The language is so broad it seems to cover all software that exists and is accessible via the internet, and every install of an operating system on any kind of machine
> (c) “Application” means a software application that may be run or directed by a user on a computer, a mobile device, or any other general purpose computing device that can access a covered application store or download an application.
> “Covered application store” means a publicly available internet website, software application, online service, or platform that distributes and facilitates the download of applications from third-party developers to users of a computer, a mobile device, or any other general purpose computing that can access a covered application store or can download an application.
> “Operating system provider” means a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device.
So any piece of software you can download from the internet will be required to check this "signal" made available by the os?
> “Covered application store” means a publicly available internet website,
Client side JavaScript can be considered an application, and then ad business would need to first verify that I am over 18 in order to allow me to see their ads.
So my Garmin watch, my Home Assistant OS, maybe even my Shelly devices?
I want to know who is behind these laws like this one and the 3D printer gun verification, that seem to pop up across state legislatures all at the same time.
Which seems like a silly accidental overreach of the law. If that is the way it applies.
The literal reading of the law says this only required when a child is the primary user of the device.
> (b) (1) A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.
but 'user' here is:
> (i) “User” means a child that is the primary user of the device.
So these rules should only apply to accounts/devices where a child is the primary user.
Grep on an adult's machine would not need to check how old you are, at least with a literal reading of the law.
I do not think the law provides guidance here. The signal is only required when children are the primary device/account users. So one model would be any initial account set up is automatically considered the 'account holder' and not a child account. Then it would be prerogative of the 'account holder' to set up child accounts or not. That seems to fit into the spirt and literal parts of the law.
So grep/ls/etc are all installed as part of that 'account holder' and do not need to do any age verification.
The signal only needs to be checked when the device/account user is a child and when downloading apps. I think an unfortunate consequence here is that the literal definition of the law says package managers probably can not run on children accounts without jumping through a bunch of hoops. Which is bad for children learning code/computers/etc.
The first thing I would change about this law would be:
> (b) (1) A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.
Any application that does not need to know a users age should not be required request the 'signal'
Two important definitions that might surprise people:
(a) (1) “Account holder” means an individual who is at least 18 years of age or a parent or legal guardian of a user who is under 18 years of age in the state.
(a) (2) “Account holder” does not include a parent of an emancipated minor or a parent or legal guardian who is not associated with a user’s device.
(i) “User” means a child that is the primary user of the device.
User is the most surprising here. It really should just be minors, or non-emancipated minors. Further, I think there are interesting ways the definition of account holder and user combined play out in interpreting the rest of the law.
One could cope that this regulation can not apply to Linux or other OSS operating systems. But this is only true unless the bootloaders on consumer devices are mandated to be closed next.
We already have Secure Boot, the infrastructure is in place. It is currently optional, but a law like this can change that.
Sure, I'll ask where the user is located, and if they choose California, I'll ask them for their age. And if they choose over 21 I'll scold them for voting for Gavin.
You know the non-governmental organization "Save the Children"? Maybe it's time to create a new one called "Fuck the Children" to defend people from these laws designed to mine privacy under the pretense of protecting minors.
when you force someone to signal status as a minor, you are forcing them to wear a target, hostiles will not have so much work to find minors, now they only have to contact, groom, and offend.
Ok. No more linux in california. Forget silicon valley. Forget all the supercomputers at research establishments. Forget all the smart TVs. Forget all the cars with in-dash computers. Let's see how long california can keep its lights on without embedded linux.
In all seriousness, rather than comply, linux distros should enforce this law. Any linux install that detects itself being in california should automatically shutdown with a loud error message. I give it a week before a madmax situation develops.
It would have to be done at the license level and with litigation. Anything relying on code to be added, would be removed. And probably, trying to do the license thing would force some people to fork the software.
There's an obvious theme with lawmakers in California—they pass laws to regulate things they have zero clue about, add them to their achievement page, cheer for themselves, and declare, "There! I've made the world a better place." There are just too many examples. For instance:
- Microstamping requirements for guns—printing a unique barcode on every bullet casing (Glock gen3 cannot be retired, thus, the auto-mode switch bug cannot be patched...)
- 3D printers should have a magical algorithm to recognize all gun parts in their tiny embedded systems
- Now, you need to verify your age... on your microwave?
At this rate, California should just go back to the Stone Age. Modern technology is simply not compatible with clueless politicians who are more eager to virtue-signal than to solve any actual problems or even borther to study the subject about the law they are going to pass. There will be more and more technology restrictions (or outright bans on use) in California because it's becoming impossible to operate anything here without getting sued or running afoul of some overreaching regulation.
Ignoring all the tedious 'no, you're a bad person for having different priorities and beliefs to me' comments that this will inevitably inspire, I have to ask: why does the operating system need to be involved in this? The intended target of the regulation seems to be app stores.
Someone has fallen victim to Politician's Logic: https://www.youtube.com/watch?v=vidzkYnaf6Y
> why does the operating system need to be involved in this?
The goal in my mind is to have an account a parent can setup for their child. This account is set up by an account with more permissions access. Then the app store depends on that OS level feature to tell what apps are can be offered to the account.
Let say the the age questions happen when you install the app store. That means if you can install the app store while logged in as the child account the child can answer whatever they want and get access to apps out side of their age range. The law could require the app to be installable and configurable from a different account then given access or installed on the child account, however at a glance that seem a larger hurdle than an os/account level parental control features.
The headline calls this age verification, but the quote in the article "(2) Provide a developer who...years of age." Make it sound way different and much more reasonable than what discord is doing.
I would much rather have OSs be mandated with parental control features than what discord is currently doing. I am going to read the bill later but here is how discord age verification could work under this law.
During account creation discord access a browser level api and verifies it server side. discord no knows if the OS account is label as for someone under 13 years, over 13 and under 16, over 16 and under 18, or over 18. Then sets their discord account with the appropriate access.
No face scan, no third party, and no government ID required.
> The goal in my mind is to have an account a parent can setup for their child. This account is set up by an account with more permissions access. Then the app store depends on that OS level feature to tell what apps are can be offered to the account.
That sounds like an OS feature that parents would like to have. Probably has some market value. Maybe just let the market figure that one out.
Or, we could have an overbroad law passed that torpedoes every open-source OS in existence. If I were MS, Google, or Apple, that'd be a great side benefit of this law. Heck, they probably already have this functionality in place.
The problem here is legally-mandated age verification, not where it is placed (although forcing it into all OSes is absolutely ...). The gains are minimal for children and the losses are gigantic for children and adults. I'm not keen to have children avoid blisters by cutting off their feet.
Put control back with the parents. Let them buy tech that restricts their children's access. This law doesn't protect children from the mountains of damaging content online.
And let all the adults run Linux if they want to without requiring Torvalds to put some kind of age question in the kernel and needing `ls` to check it every single run.
> That sounds like an OS feature that parents would like to have. Probably has some market value. Maybe just let the market figure that one out.
If there was a competitive market for OSs this probably would work, but we do not really have that. Getting the market to be competitive likely either takes considerable time, or other forms of government intervention. If there really was a competitive market then this would have been a solved problem ~15-20 years ago since parents have been complaining about this for ~25-30 years at this point.
> Or, we could have an overbroad law passed that torpedoes every open-source OS in existence. If I were MS, Google, or Apple, that'd be a great side benefit of this law. Heck, they probably already have this functionality in place.
I do not think the law does that. Either a additional feature making age/birth date entry and age bracket query available, or indicated the os is not intended for use in California, both seem to let developers continue along like normal. edit Or, I think, indicate that it is not for use by children.
> The problem here is legally-mandated age verification, not where it is placed (although forcing it into all OSes is absolutely ...). The gains are minimal for children and the losses are gigantic for children and adults. I'm not keen to have children avoid blisters by cutting off their feet.
In this case the mandate is entering an age/birth date at account creation where you can lie about said age/birth date. The benefit is the ability of an adult to set up parental controls for a child account.
> Put control back with the parents. Let them buy tech that restricts their children's access. This law doesn't protect children from the mountains of damaging content online.
This puts control in the parents hands. When they set up their child's account they can put in their child's age, or not, they can make it an adult account.
> And let all the adults run Linux if they want to without requiring Torvalds to put some kind of age question in the kernel and needing `ls` to check it every single run.
So from the literal reading of the law the age checks are only required when "a child that is the primary user of the device". It does not need to effect accounts where the primary user is not a child. Nor does it seem like any application needs to run the check every time the application is launched.
The law unfortunately does require:
> (b) (1) A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.
So in the case where a child is the primary account/device user. The app needs to request the signal at least once when first launched, though it is not required to do anything with it. Delegating that to the package manager would make sense, but this part of the law should be modified, apps that can not use the signal for anything should not be required to request it, 'ls' for example.
> why does the operating system need to be involved in this?
Well, the politicians probably meant to say “Apple, Google, Microsoft, plus maybe Sony and Nintendo”
i.e. the companies that already have biometrics, nigh-mandatory user accounts, app stores linked to real identities, parental controls, locked down attested kernels, and so on.
If phones had workable parental controls that let parents opt their kid into censorship, that’s better than the give-your-passport-to-the-porn-site approach the UK have taken.
Of course if they have applied it to every OS, not just the big corporate-controlled options, that’s a dumb choice.
> Of course if they have applied it to every OS, not just the big corporate-controlled options, that’s a dumb choice.
I guess we'll just have to trust that our legislators are technologically savvy...
Because that's the first layer that deals with user accounts, and subsequent layers commonly base off of identity information stored in there. Just like how and why every other shared interface exists.
It's not just local apps that are potential consumers of this information. Websites would also be interested.
The "why" is also clear: deflecting/shifting responsibility.
Sounds to me that this is how kids learn to spin their own operating systems (a la LFS, Gentoo)and apps.
This is how people bought personal computers when the mainframe priesthood banned them.
It appears that very soon, young people will "de facto" need to have this level of competence in order to survive and thrive in a world of "in loco parentis" operating systems and apps.
The latin reveals my age, but one thing about my age:
People my age did exactly that. We built our own hardware when there was none. We compiled (or copied) operating systems and apps. A couple of my friends wrote an operating system and a C compiler.
"My generation" created this entire internet thingy, installed and web-based apps.
Indeed, dumb-asses are going to level up young people.
How wouldn't this also apply to things like useradd(8) or simply automated user account setup, e.g. like cups, sshd, etc? Do we need to add this to vi for use in vipw on UNIX?
All good questions the legislators had no idea even existed.
useradd has the Other category at setup. Could you argue that anything which allows arbitrary text information to be input into a user account that could be passed on to other applications technically fulfills the requirement, as the user could indicate age on the account?
..or "browse as guest" on a chromebook?
As noted at the end of the article, I suspect the impact for many OS's is going to be that they add a line in the fine print somewhere saying not for use in California.
Hmm i think at te moment its only Linux that has by default local only accounts except if being used in some sort of SSO environment .
Microsoft has been pushing aggressively to deprecate the local and funnel everyone to Microsoft online accounts , while Android and macOS/iOS are already in such a state by default.
Coupled with the same accounts being used for online login, looks like a feature creep panopticon in the making. With Linux lucking out be default.
> (g) This title does not impose liability on an operating system provider, a covered application store, or a developer that arises from the use of a device or application by a person who is not the user to whom a signal pertains.
So, this makes desktop Linux illegal, but all the software-as-a-service like Microsoft Azure and OpenAI get off scott-free?
Fantastic.
Are lawmakers bored? Who is asking for this? Not the tax paying citizens.
Ah, so this is what Lennart Poettering has been cooking? [1]
[1] https://news.ycombinator.com/item?id=46784572
> [..] requires an account holder to _indicate_ [..]
i.e. this doesn't require age verification at all
just a user profile age property
> [..] interface that identifies, at a minimum, which of the following _categories_ pertains to the user [..]
so you have to give apps and similar a 13+,16+,18+,21+ hint (for US)
if combined with parent controls and reasonably implemented this can archive pretty much anything you need "causal" age verification for
- without any identification of the person, its just an age setting and parent controls do allow parents to make sure it's correct
- without face scans or similar AI
- without device attestation/non open operating systems/hardware
like any such things, it should have some added constraints (e.g. "for products sold with preinstalled operating system", "personal OS only" etc.)
but this gets surprisingly close to allowing "good enough privacy respecting" age verification
the main risk I see is that
- I might have missed some bad parts parts
- companies like MS, Google, Apple have interest in pushing malicious "industry" standards which are over-enginered, involve stuff like device attestation and IRL-persona identification to create an artificial moat/lock out of any "open/cost free" OS competition (i.e. Linux Desktop, people installing their own OS etc.).
---
"causal" age verification == for games, porn etc. not for opening a bank account, taking a loan etc. But all of that need full IRL person identification anyway so we can ignore it's use case for any child protection age verification law
----
it's still not perfect, by asking every day daily used software can find the birthdate. But vendors could take additional steps to reduce this risk in various ways, through never perfect. But nothing is perfekt.
---
Enforcement is also easy:
Any company _selling_ in California has to comply, any other case is a niche product and for now doesn't matter anyway in the large picture.
Does not require verification, no biggie, this is essentially a parental control system.
As others have pointed out, this is just a foot in the door. There's also a part of the law this article doesn't cover that requires EVERY application to query this information on every launch, regardless of whether or not the application has any age related limitations.
The language I found was:
> when the application is downloaded and launched
So it looks like the law only requires it on first launch. Which makes sense if the application can only be run from that one account. Apps that can be launched from multiple accounts are not singled out in the law, but the spirt of the law would have you checking what account is launching the app and are they in the correct age range.
That's not a guarantee. It's up to how the courts interpret that and. Given that this law is meant to handle a moving target like age, I fully expect them to interpret it as its disjunctive form.
Keep in mind this forced parental control system in the OS is supposedly because of app stores.
So we're already pretty deep in the law deciding what shape of computing you're allowed to do. What makes you think it will stop here?
Overton window.
Wedge.
Then ratchet.
No but then the next step is "well we need a way to enforce it because people are just lying about their age".
I guess let me show a slope I found over here, just past the boiling frogs, watch your footing though, it's recently been greased and is quite steep.
I agree, I don’t like it as much as you do. I’m just saying nothing short of a mandated TPM will actually enforce this. I think they know that.
I think this is mostly for show to stay relevant wrt. What is happening in the courts. This is the Same play as it always been for registration “are you over the age of 13?”
Which begs the question if Microsoft's stubborn insistence on TPM 2.0 for Windows 11 to operate was something planned out in advance of this law being proposed.
How does a TPM stop people from lying about their age?
I'm under the impression anyone doing nefarious things online are probably more-than tech savvy enough to not install an OS that rats them out...right?
Isnt that literally one of the first rules of the DNM Bible?
Will kids raised on it not know anything different? Seems a path to reduce computer literacy. Then again, being blocked from doing something I wanted is what lead me to find ways around said block. But I already had unrestricted access to the system to bend it to my will. Seems like these kinds of systems won’t allow for the user to learn how to works at all. It’s a mystery box.
One thing that's happening is that attestation is being plumbed into the web itself. CloudFlare and Apple have a collab where Safari will inject tokens that let CF know that the request is coming from a blessed device. In a world where all websites are being crushed by bot traffic, expect that Goog pushes on their own integrity initiative in Chrome in the next year or two.
Is Github an application store? Is npm? apt? yum?
If not, why not? You need age verification before you even create an account.
Is `ls` an application? Is `cat`?
This thing is so broadly-written, the only thing saving you from needing to give you age to your toaster is that it's not a "general-purpose" computing device. Never mind that it can run DOOM...
Looking forward to resisting the regime.
I'm thinking that I should grab a current Linux distro image while I can...
This sounds like one of those laws that get used not so much to force compliance, but to punish noncompliance as part of a larger case.
I really hate this new world where one jurisdiction - California, Europe, wherever - makes a law and suddenly every other jurisdiction has to comply because the law-making jurisdiction is big enough that tech companies can't abandon it.
And since it doesn't make sense to have dozens of different versions of their apps, they write to the strictest jurisdiction's laws.
If everyone has the power to make laws that apply to everyone...it's chaos.
How will this work with the numerous "Hobby" Operating Systems out there ?
You have to ask yourself, I guess.
"Self, are you 18 years old?" "Why, yes I am." "OK, self, please fill out a 27B stroke 6 form in your head." "I've completed it." "OK, self, I've validated it."
useradd...
The actual bill: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...
Bill text (it’s longer, but the rest is mostly definitions of the terms used here):
1798.501. (a) An operating system provider shall do all of the following:
(1) Provide an accessible interface at account setup that requires an account holder to indicate the birth date, age, or both, of the user of that device for the purpose of providing a signal regarding the user’s age bracket to applications available in a covered application store.
(2) Provide a developer who has requested a signal with respect to a particular user with a digital signal via a reasonably consistent real-time application programming interface that identifies, at a minimum, which of the following categories pertains to the user:
(A) Under 13 years of age.
(B) At least 13 years of age and under 16 years of age.
(C) At least 16 years of age and under 18 years of age.
(D) At least 18 years of age.
(3) Send only the minimum amount of information necessary to comply with this title and shall not share the digital signal information with a third party for a purpose not required by this title.
(b) (1) A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.
(2) (A) A developer that receives a signal pursuant to this title shall be deemed to have actual knowledge of the age range of the user to whom that signal pertains across all platforms of the application and points of access of the application even if the developer willfully disregards the signal.
(B) A developer shall not willfully disregard internal clear and convincing information otherwise available to the developer that indicates that a user’s age is different than the age bracket data indicated by a signal provided by an operating system provider or a covered application store.
(3) (A) Except as provided in subparagraph (B), a developer shall treat a signal received pursuant to this title as the primary indicator of a user’s age range for purposes of determining the user’s age.
(B) If a developer has internal clear and convincing information that a user’s age is different than the age indicated by a signal received pursuant to this title, the developer shall use that information as the primary indicator of the user’s age.
(4) A developer that receives a signal pursuant to this title shall use that signal to comply with applicable law but shall not do either of the following:
(A) Request more information from an operating system provider or a covered application store than the minimum amount of information necessary to comply with this title.
(B) Share the signal with a third party for a purpose not required by this title.
The definitions of the terms are completely bananas
The language is so broad it seems to cover all software that exists and is accessible via the internet, and every install of an operating system on any kind of machine
> (c) “Application” means a software application that may be run or directed by a user on a computer, a mobile device, or any other general purpose computing device that can access a covered application store or download an application.
> “Covered application store” means a publicly available internet website, software application, online service, or platform that distributes and facilitates the download of applications from third-party developers to users of a computer, a mobile device, or any other general purpose computing that can access a covered application store or can download an application.
> “Operating system provider” means a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device.
So any piece of software you can download from the internet will be required to check this "signal" made available by the os?
> “Covered application store” means a publicly available internet website,
Client side JavaScript can be considered an application, and then ad business would need to first verify that I am over 18 in order to allow me to see their ads.
Ultimate ad blocker.
So my Garmin watch, my Home Assistant OS, maybe even my Shelly devices?
I want to know who is behind these laws like this one and the 3D printer gun verification, that seem to pop up across state legislatures all at the same time.
It sure sounds like my Arduino is subject to this since it can download a sketch and run it when hooked to my PC
Yes, that’s clearly the intent of the bill (note I’m not commenting on the wisdom of this idea!)
good to know that `grep` will have to check how old i tell my os i am before it will do anything
Which seems like a silly accidental overreach of the law. If that is the way it applies.
The literal reading of the law says this only required when a child is the primary user of the device.
> (b) (1) A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.
but 'user' here is:
> (i) “User” means a child that is the primary user of the device.
So these rules should only apply to accounts/devices where a child is the primary user.
Grep on an adult's machine would not need to check how old you are, at least with a literal reading of the law.
How else but the signal could it determine whether the user is an adult or not?
I do not think the law provides guidance here. The signal is only required when children are the primary device/account users. So one model would be any initial account set up is automatically considered the 'account holder' and not a child account. Then it would be prerogative of the 'account holder' to set up child accounts or not. That seems to fit into the spirt and literal parts of the law.
So grep/ls/etc are all installed as part of that 'account holder' and do not need to do any age verification.
The signal only needs to be checked when the device/account user is a child and when downloading apps. I think an unfortunate consequence here is that the literal definition of the law says package managers probably can not run on children accounts without jumping through a bunch of hoops. Which is bad for children learning code/computers/etc.
The first thing I would change about this law would be:
> (b) (1) A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.
Any application that does not need to know a users age should not be required request the 'signal'
Two important definitions that might surprise people:
(a) (1) “Account holder” means an individual who is at least 18 years of age or a parent or legal guardian of a user who is under 18 years of age in the state.
(a) (2) “Account holder” does not include a parent of an emancipated minor or a parent or legal guardian who is not associated with a user’s device.
(i) “User” means a child that is the primary user of the device.
User is the most surprising here. It really should just be minors, or non-emancipated minors. Further, I think there are interesting ways the definition of account holder and user combined play out in interpreting the rest of the law.
"The road to hell is paved with good intentions." - unknown
One could cope that this regulation can not apply to Linux or other OSS operating systems. But this is only true unless the bootloaders on consumer devices are mandated to be closed next.
We already have Secure Boot, the infrastructure is in place. It is currently optional, but a law like this can change that.
Is this a weird attempt at device verification?
Sure, I'll ask where the user is located, and if they choose California, I'll ask them for their age. And if they choose over 21 I'll scold them for voting for Gavin.
Colorado is trying to copy this law right now, too.
It's getting to be time for tech firms to leave California.
Extremely stupid that this will fall on the OS.
Accomplishes three things: Demonizes age verification, big tech gets to dodge it, cedes more control of your PC.
Next step will be reporting potentially unlawful activities.
You know the non-governmental organization "Save the Children"? Maybe it's time to create a new one called "Fuck the Children" to defend people from these laws designed to mine privacy under the pretense of protecting minors.
literally.
when you force someone to signal status as a minor, you are forcing them to wear a target, hostiles will not have so much work to find minors, now they only have to contact, groom, and offend.
this proposed law actually endangers minors.
I was thinking "Save the freedom", but your idea works too.
Ghislaine Maxwell asks where to send her CV in, she's going to be available for work soon...
Not the best choice of words, but I get what you're saying.
Well, you might actually get support from the Epsteinian class ruling the US.
And their MAP allies.
Ok. No more linux in california. Forget silicon valley. Forget all the supercomputers at research establishments. Forget all the smart TVs. Forget all the cars with in-dash computers. Let's see how long california can keep its lights on without embedded linux.
In all seriousness, rather than comply, linux distros should enforce this law. Any linux install that detects itself being in california should automatically shutdown with a loud error message. I give it a week before a madmax situation develops.
How expensive do you expect such an API to cost to make? It's pretty simple.
Considering the law requires every app to do it, pretty expensive.
It would have to be done at the license level and with litigation. Anything relying on code to be added, would be removed. And probably, trying to do the license thing would force some people to fork the software.