rm - ok for all ages.
grep - 18+, you can obviously use this to search for porn.
find - 18+, see grep.
reboot - ok for all ages.
echo - ok for all ages.
cat - 18+, prints the porn you found directly to your terminal.
sudo - 18+, obviously.
kill - ok for all ages. This is the US, right.
ps - 18+, no peeping at other processes.
> cat - 18+, prints the porn you found directly to your terminal.
Sound good in theory, until you realise that any teenager knows perfectly well how to trivially get around the lack of `cat` to read their terminal smut:
$ while read -r LINE; do echo $LINE; done <my_porn_file.sextreboot - you never know what the sysadmin might have loading on boot, unsafe as it could load porn
echo - ASCII art would like to have a word
kill - I know the US will have mixed feelings, but communicating with other processes might allow them to send you porn
I'm not so sure, who knows what woke UEFI and edgy motherboard vendors are putting up as splash screens these days. And the law doesn't even consider those since they aren't part of the OS!
- Microstamping requirements for guns—printing a unique barcode on every bullet casing (Glock gen3 cannot be retired, thus, the auto-mode switch bug cannot be patched...)
- 3D printers should have a magical algorithm to recognize all gun parts in their tiny embedded systems
- Now, you need to verify your age... on your microwave?
At this rate, California should just go back to the Stone Age. Modern technology is simply not compatible with clueless politicians who are more eager to virtue-signal than to solve any actual problems or even borther to study the subject about the law they are going to pass. There will be more and more technology restrictions (or outright bans on use) in California because it's becoming impossible to operate anything here without getting sued or running afoul of some overreaching regulation.
So we don’t have professional legislatures with long-term electability incentives or leadership goals, we have a resumé-building exercise that we call the legislature. They’re all interchangeable and within 12 years, 100% of it will be changed out.
It seems all at once, everywhere that many groups that have a vested interest in forcing precedent and compliance of non-anonymous access across the computer world. It smacks of something less-than-organic.
You can remove the in California
While you are correct with this statement in this context, I would say it applies to most things in government in general.
The vast majority of lawmakers have zero experience solving any real world problems and are content spending everyone else's money to play pretend at doing so.
The reality is, most government "solutions" cause more problems than they solve, after which, they blame their predecessors for all the problems they caused and the cycle continues.
I don't know much about guns, but I assume that would be on the hammer? Couldn't you remove that "microstamping" by lightly filing down the hammer or just using it a bunch and causing some wear?
come to think of it, maybe there is something good about this law. :D
What part of the bill makes you think this would apply to a microwave? https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...
And what part makes you think you need to verify your age, as opposed to just specifying it? Nobody is requiring any verification. The only requirement is on there being an interface for you to input whatever age you want to input.
People who dont understand the problem must pass a solution that makes people feel good. Clean needles, homeless hotels, etc. If they dont make things worse, that is a win.
A Spanish venture-backed firm is developing some vaporware called Print&Go and has convinced the NY DA's office that it'll permanently solve the Luigi problem.
The best part? This company is drooling at the possibility of getting a permanent rent-seeking license for printers they didn't design, for nonexistent vaporware software that reduces its capabilities.
They frame it as "enhancing 3D printer capabilities," the way a slaveowner would frame putting chains on a slave's wrists as an "employee retention innovation."
Is everyone involved with promoting this software and these laws lying? Of course.
https://blog.adafruit.com/2026/02/08/any-user-who-has-a-3d-p...
What's even more curious is that the California voters seem not care at all. As long as the government can collect more taxes with more altruistic slogans, the voters will stay happy.
He may be our next president and this becomes an executive order.
Anyone buying or selling a microwave with an app store deserves this mess.
Some people think all problems should be fixed with regulation.
Some people think all problems should be fixed with free market / responsibility.
California and liberals tend to lean to the former. A place like Texas and conservatives tend to lean to the latter.
I think both camps are crazy because it’s a case-by-case basis where you need to consider second and third order effects. But man talk to a die hard regulation supporter or die hard free market supporter and you just want to say “the world isn’t just simple rules like that.”
What it takes to become a “successful” politician is typically not what it takes to define good policy.
All this does is require the user to select a non-verified age bracket on first boot. You can lie, just like porn sites today. I thought HNers wanted parents to govern their children's use of technology with these kinds of mechanisms.
> There's an obvious theme with lawmakers in California—they pass laws to regulate things they have zero clue about, add them to their achievement page, cheer for themselves, and declare, "There! I've made the world a better place."
There's an obvious theme with HN posters about politics—they make cheap drive-by comments about regulations they have zero clue about, based on articles they haven't actually read, cheer for themselves, and declare, "There! I've shown why I'm smarter than all these politics people."
Eh, sounds kinda reasonable. Ammo already has unique serial numbers embedded in the butt of every cartridge (in some countries, not sure about the US), and guns do leave somewhat unique marks on the bullets upon firing so... sure, why not. Surprised it took that long TBF, the necessary technology has been commercially available since the early 90s, I think?
> 3D printers should have a magical algorithm to recognize all gun parts in their tiny embedded systems
Yeah, this one's seems unnecessary. Is weapon manufacturing without a license a crime? If yes, then whoever 3D-prints a gun can be prosecuted normally.
> Now, you need to verify your age... on your microwave?
Or on your gas stove. A travesty, really: I was taught how to operate a stove when I was in the second grade and never burned any houses down, thank you very much.
I'm no democrat, although I'm sure as hell no republican, and as a resident of the state, I'm also a routine critic of the California state government.
I agree that a lot of their activities are indeed, performance art in nature.
However I do agree with the identification requirements on guns and ammo.
You can't shoot someone with a computer, no matter what OS you run.
The idea that lethal weaponry is the same as any other consumer product is just not accurate.
> 3D printers should have a magical algorithm to recognize all gun parts in their tiny embedded systems
Color scanners and printers have long had algorithms to recognize currency and prevent its reproduction, implemented with the technology of decades ago. It seems relatively simple to implement gun part recognition today, especially with the recent leap in image recognition capability.
(Rants and takedowns, IME, may entertain fellow believers, but signal a comment that's going to go well beyond any facts.)
Someone has fallen victim to Politician's Logic: https://www.youtube.com/watch?v=vidzkYnaf6Y
The goal in my mind is to have an account a parent can setup for their child. This account is set up by an account with more permissions access. Then the app store depends on that OS level feature to tell what apps are can be offered to the account.
Let say the the age questions happen when you install the app store. That means if you can install the app store while logged in as the child account the child can answer whatever they want and get access to apps out side of their age range. The law could require the app to be installable and configurable from a different account then given access or installed on the child account, however at a glance that seem a larger hurdle than an os/account level parental control features.
The headline calls this age verification, but the quote in the article "(2) Provide a developer who...years of age." Make it sound way different and much more reasonable than what discord is doing.
I would much rather have OSs be mandated with parental control features than what discord is currently doing. I am going to read the bill later but here is how discord age verification could work under this law.
During account creation discord access a browser level api and verifies it server side. discord no knows if the OS account is label as for someone under 13 years, over 13 and under 16, over 16 and under 18, or over 18. Then sets their discord account with the appropriate access.
No face scan, no third party, and no government ID required.
Age verification is the quickest road to ending general-purpose computing, because it plays on people's knee-jerk emotions. It won't do it by itself, but it'll goes a long way towards it.
There are essentially two desktop operating systems, Windows and macOS. Linux is a decimal point and too fractured to worry about.
There are essentially two mobile operating systems, Android and iOS. And while Android is fractured, Google still has reasonable control they can exert.
This is (weirdly) the smart way to do this type of law.
Make the consumer OS providers add an age signal. That property can be bound to an account with the inability to change it.
Behold, "universal enough" parental controls which will require only a handful of lawsuits to litigate.
What I don't get is why it can't just all be client side. An app will just signal "I am going to show 16+ information" and the OS will either show it or not show it. No need to communicate anything.
Giving people the choice to limit a device for their children is okay by me.
Well, the politicians probably meant to say “Apple, Google, Microsoft, plus maybe Sony and Nintendo”
i.e. the companies that already have biometrics, nigh-mandatory user accounts, app stores linked to real identities, parental controls, locked down attested kernels, and so on.
If phones had workable parental controls that let parents opt their kid into censorship, that’s better than the give-your-passport-to-the-porn-site approach the UK have taken.
Of course if they have applied it to every OS, not just the big corporate-controlled options, that’s a dumb choice.
The "why" is also clear: deflecting/shifting responsibility.
Reaction 2: it's open source, make the lawmakers do submit the changes.
Reaction 3: how would this ever be enforced? Would they outlaw downloading distributions, or even older versions of distributions? When there's no exchange of money, a law like this is seems like it would be suppression of free speech.
Reaction 4: Someone needs to maliciously comply, in advance, on all California government systems. Shutdown the phones, the Wi-Fi, the building access systems, their Web servers, data centers, alarm systems, payroll, stop lights, everything running any operating system. Get everyone to do it on the same day as an OS boycott. And don't turn things back on until the law is repealed.
It defines operating system in the law. This wouldn’t apply to embedded systems and WiFi routers and traffic lights and all those things. It applies to operating systems that work with associated app stores on general purpose computers or mobile phones or game consoles. That’s it.
Enforcement applies as civil fines per-child usage. So no suppression of speech by banning distribution.
(Also it’s not age verification really, it’s just a prompt that asks for your age to share as a system API for apps from above app store, no verification required)
I doubt the california legislature knows what a Linux even is.
That's not what will happen. We've already seen examples of what will happen. So let me just list them instead:
1. The Secure Boot chain for UEFI initially mandated that only OS that were signed by Microsoft would be allowed to boot on PCs where SB is enabled. This was partially rolled back after public backlash.
2. iOS devices and majority of Android devices already don't allow you to install an alternate OS or distro.
3. Platform attestation proposals like Web Environment Integrity and its Android version.
4. Mandate that every developer must register with and pay an MNC to be able to release any app on their platforms.
Basically, they'll just take away your ability to control your device in any way. Don't be surprised if it turns out that these MNCs were behind such legislations. But this legislation is especially dangerous in that it will effectively kill user-controlled general-purpose computing, even from vendors like Pine64, Framework, System76, Fairphone and Purism who are willing to offer those.
Considering the amount of damage caused by these sort of legislative BS, those who propose and vote for such bills should be investigated publicly for corruption, conflict of interests and potential treason. They should be forced to divulge any relationship, directly or indirectly, with the benefactors of these bills. On the other side, rich corporations should be banned from 'lobbying' or bribery more appropriately, in matters that they have a stake in. And they should have stiff penalties for any violations. Not those couple of million dollar slaps on their wrist. At least 5% of their annual global profits, incarceration of top executives and breaking up the company. There has to be a consequence that's uncomfortable enough, for any fairness to be reestablished. This should apply even more for those professional lobbying firms and 'industry advocacy groups'.
People also need to start strongly opposing, rejecting and condemning justifications like this that rely on the cliche tropes of CSAM, terrorism, public safety, national security, etc. None of those measures are necessary or even useful in preventing any of those. Insistence on the contrary should be treated as an admission of inability and incompetence of the respective authorities in tackling the problem. In fact, why do they assume that kids, especially teens, are unimaginative and incapable of working around the problem? They should at least be starting with awareness campaigns to get the kids and the parents on their side and empower parents to enforce parental controls, instead of reaching for such despotic measure right away. This is like banning drugs before the problem of drug addiction is addressed. Black markets exist, even for cyberspace. It will just make the problem a whole lot worse.
And finally, don't let people without clearly proven vested interests anywhere near such regulations. And choose professionals or at least competent people for taking such decisions. You can't rein in this attack on ordinary people without stemming the uncontrolled corruption in the public offices that deal with it.
Doesn't the bill explain all this pretty clearly? https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...
>> An operating system provider shall [...] provide an accessible interface at account setup that requires an account holder to indicate the birth date, age, or both, of the user [...]
>> “Operating system provider” means a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device.
Your hypothetical "embedded system" almost certainly neither has an account setup process in the first place, nor is it a general-purpose computing device, a mobile phone, or a computer.
> Reaction 3: how would this ever be enforced?
Pretty easily? They enforce it against the OS vendor for not providing such a process. They aren't enforcing the correctness of the age, nor are they claiming to.
> Someone needs to maliciously comply, in advance, on all California government systems.
...what? This is a law demanding compliance from OS vendors. Whose compliance is it even demanding in government systems for them to be malicious about it?
They can outlaw you from using those distributions and/or scare the maintainers so there won't be distributions anymore. And if you want to use a desktop computer rent one from an hyperscaler, tied to a credit card and access it from a tablet with age verification. I don't know if I should add /s
the point of laws like these isn't to make sense, it's to be annoying
i.e. this doesn't require age verification at all
just a user profile age property
> [..] interface that identifies, at a minimum, which of the following _categories_ pertains to the user [..]
so you have to give apps and similar a 13+,16+,18+,21+ hint (for US)
if combined with parent controls and reasonably implemented this can archive pretty much anything you need "causal" age verification for
- without any identification of the person, its just an age setting and parent controls do allow parents to make sure it's correct
- without face scans or similar AI
- without device attestation/non open operating systems/hardware
like any such things, it should have some added constraints (e.g. "for products sold with preinstalled operating system", "personal OS only" etc.)
but this gets surprisingly close to allowing "good enough privacy respecting" age verification
the main risk I see is that
- I might have missed some bad parts parts
- companies like MS, Google, Apple have interest in pushing malicious "industry" standards which are over-enginered, involve stuff like device attestation and IRL-persona identification to create an artificial moat/lock out of any "open/cost free" OS competition (i.e. Linux Desktop, people installing their own OS etc.).
---
"causal" age verification == for games, porn etc. not for opening a bank account, taking a loan etc. But all of that need full IRL person identification anyway so we can ignore it's use case for any child protection age verification law
----
it's still not perfect, by asking every day daily used software can find the birthdate. But vendors could take additional steps to reduce this risk in various ways, through never perfect. But nothing is perfekt.
---
Enforcement is also easy:
Any company _selling_ in California has to comply, any other case is a niche product and for now doesn't matter anyway in the large picture.
This is usually how they do it though. First make a dumb law with poor enforcement. People don't push back about it because it obviously won't be enforced. Wait a bit, then say "people are flagrantly violating this law, we need better enforcement". At that point it's a lot harder to say "it shouldn't be a law at all!" because nobody complained when it was brought into law.
Which isn't to suggest that it's a good law, just not really "age verification".
[1]: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...
> good faith effort to comply with this title, taking into consideration available technology and any reasonable technical limitations or outages
could easily be read as meaning "facial recognition technology exists and is available, not using it is a business decision, failure to use it removes the good faith protection".
If the lawmakers didn't intend this, then they didn't need to add all the wiggle words that'll let the courts expand the scope of this law.
* The signal has to be made available to both apps and websites
* So if you dutifully input valid ages for your computer users, now any groomer with a website or an app can find out who's a kid and who isn't. You just put a target on your kid's back.
* A fair share of parents will realize this, and in order to protect their children, will willfully noncomply. So now we'll have a bunch of kids surfing the net with a flag saying they're an adult and it's okay to show them adult content.
* Some apps/websites will end up relying on this signal instead of some real age verification, which means that in places like porn sites where there's a decent argument for blocking access from kids, it'll get harder. Or your kid will get random porn ads on websites or something.
So basically unless this thing is thrown out by the courts, California lawmakers have just increased the number of kids who get groomed and the number of kids who get shown porn.
Mind boggling that something this bad passed.
This is how people bought personal computers when the mainframe priesthood banned them.
It appears that very soon, young people will "de facto" need to have this level of competence in order to survive and thrive in a world of "in loco parentis" operating systems and apps.
The latin reveals my age, but one thing about my age:
People my age did exactly that. We built our own hardware when there was none. We compiled (or copied) operating systems and apps. A couple of my friends wrote an operating system and a C compiler.
"My generation" created this entire internet thingy, installed and web-based apps.
Indeed, dumb-asses are going to level up young people.
Nah. It follows that computers will be required to only boot age restriction compliant operating systems, as verified by digital signatures.
This is of course just MacOS and Windows.
Before they do this, it will be easy to lock the internet to only allow attested operating systems online.
So, this makes desktop Linux illegal, but all the software-as-a-service like Microsoft Azure and OpenAI get off scott-free?
Fantastic.
The sentence you quoted says that folks who are required to comply with the law are not also required to ensure that the person currently using the device or application is the same one who entered their age or birth date into the OS's "how old are you?" database. [0]
It is true that this law is as bad as the recent Oklahoma one for small, non-corporate Linux distros... but that sentence you quoted has nothing to do with that problem.
[0] If we were speaking in person, I'd love to have you walk me through that sentence and explain to me, piece by piece, how you came to the conclusion that you did. Doing it remotely like this would be too tedious.
They absolutely want to make it illegal.
The narratives are changing. All these locks and controls used to be about curbing copyright infringement. Now that AI has more or less rendered copyright irrelevant it's turned into a straight up attempt to control the population. They're barely even making excuses anymore.
- servers living in datacenters
- realtime operating systems in embedded devices
- the Intel Management Engine
- the OS on every smart chip in credit cards and debit cards
- wireless cameras, roombas, smart TVs, smart fridges
- cars. Those automotive systems have OSes too right?
- all those IoT devices, including California’s traffic cameras
What age signals should those devices send out? Is there an exclusionary clause?
Vendors will need support stuff like "account holder is 12msec old, and can access adult content". They can even create a special certification for it.
>> useradd -G under13usergroup username
These companies have fewer ethics than a minimum-wage liquor store clerk when it comes to caring about the age of their users.
Yes, yes, free speech and everything, you just have to first give the OS your phone number, credit card number, drink a verification can and please also... you do want to still keep your job, right?
- AI causing RAM/disk price shocks and shortages
- Google attempting to lock down Android
- The EeYou codifying the Google-Apple duopoly into age-verification legislation
- Age verification requirements spreading rapidly
- AI scraping meaning many sites have WAF rules set to 'max'. It's getting extremely hard to browse the internet with a VPN + privacy features such as WebGL blocking etc. Geoblocking seems to be on the rise too (eg Trenitalia, Aegean Air).
- Governments wanting backdoors on devices
- Broadband price increases (10-25% rises are being baked into annual contracts here in the UK)
It seems in 2026 they've really gone full speed ahead.
What is the future going to look like? A Government-approved Apple OR Google spying device for the things you need to exist as a citizen... and a bunch of paper books/library cards/porn mags?
So we're already pretty deep in the law deciding what shape of computing you're allowed to do. What makes you think it will stop here?
I guess let me show a slope I found over here, just past the boiling frogs, watch your footing though, it's recently been greased and is quite steep.
Now exchange "car" for "OS" and "alcohol" for "age-sensitive content"
To your point, a user shouldn’t be forced to put in age details just to use an OS. That said, if an OS can send a simple Boolean to an app/site if the user is over 18 or not, I’m guessing more people would rather opt into that system vs handing over extensive details to each and every vendor who asks.
As a person in my 40s, with no kids in my house, I find all of this absurd. Let parents install some nanny software if they want, don’t force it on everyone and use “protecting children” as the scapegoat.
It's a good reason not to put cloud dependencies into things.
no accounts to compromise. no passwords to remember. end point devices control their connectivity. no vpn needed to connect, no intermediary to see all traffic and peer traffic is specifically what is needed/allowed/requested, not a wide open network connection/accounts to be compromised
The saving grace is that obviously they have no idea what a Linux distribution is, and only the Attorney General can bring action, so there isn't much risk of the AG suing Debian.
What happens if I bring a laptop with an "illegal" OS without this unwanted "feature" into the state? Will I be denied access to public wifi in hotels and restaurants? Or will it grant me access, but snitch on me -- make a call to the state police to come deal with someone with an illegal laptop? Will I be forced to install a different OS while a police officer watches? Will my laptop be confiscated and destroyed as contraband? Will I be thrown in a California prison?
I don't want to take a risk and find out.
The only remedies listed are:
> 1798.503. (a) A person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) per affected child for each negligent violation or not more than seven thousand five hundred dollars ($7,500) per affected child for each intentional violation, which shall be assessed and recovered only in a civil action brought in the name of the people of the State of California by the Attorney General.
And there are several other provisions that further narrow the circumstances under which this law could be enforced.
If your personal computer is not being used by a child, and you're not distributing software to children or devices used by children, then there are no circumstances under which your actions could violate this law.
Microsoft has been pushing aggressively to deprecate the local and funnel everyone to Microsoft online accounts , while Android and macOS/iOS are already in such a state by default.
Coupled with the same accounts being used for online login, looks like a feature creep panopticon in the making. With Linux lucking out be default.
Isnt that literally one of the first rules of the DNM Bible?
It still parents that usually buy the computers and set up the différents user accounts. So the responsibilities would be put back in their hands as machine owners to correctly tag kid's accounts. OS vendors would then only be responsible to accurately transmit this declarative information to requesting App/services.
Of course some smart kids are gonna find a way to bypass that (as any other mesure you can imagine, because kids are smart). But nonetheless we could have a good enough OS level declarative age for 95% uses cases and send to the trashbin all the age verification creep that is the current trend.
That isn’t age verification at all
First, let's admit the push for age verification laws isn't a partisan or ideological thing. It's a global trend. This California law has bipartisan sponsorship and only major org opponent is the evil G [1]. While age verification is unpopular in tech community, I imagine a lot of average adult voters agree that limiting children's access to wilder parts of the Internet is a good thing.
On this premise, the discussion is then who should be responsible for age verification. The traditional model is to require app developers / website owners to gatekeep -- like the Texas and Ohio laws that require PornHub to verify users' IDs. But such model put too much burden on small developers, and it's a privacy nightmare to have to share your PII with random apps.
This is why we see this new model. States start to believe it seems more viable to dump the responsibility on big tech / platforms. A newer Texas law is adopt this model (on top the traditional model) to require app stores to verify user age (but was recently blocked by court) [2]. And this California law pretty much also takes this model -- the OS (thinking as iOS / Android / Windows with app store) shall obtain the user age and provide "a signal regarding the users age bracket to applications available in a covered application store".
While many people here are concerning open-source OSes, and the language do cover all OSes -- my intuition is no lawmaker had ever think about them and they were not the target.
[1] https://calmatters.digitaldemocracy.org/bills/ca_202520260ab... [2] https://www.politico.com/news/2026/01/05/big-tech-won-in-tex...
Curious.
The people who wrote this law work for Microsoft and think people have individual laptops and phones with a cellular plan. They care nothing for user privacy, in fact they want persistent digital identifies for advertising.
Why is this "news" today? Am I missing something?
My question, is if "the children" are worth protecting, why not adults? I would like to opt into not having to deal with dark patterns. Why not a age independent system, which a user can opt into and which "children" are automatically optd into.
It says users, on account creation, must indicate their age or birth year (or both) and that programs must have access to that info, but I don’t see any requirement about checking whether what the user enters is correct.
What does make it weird is that it requires account holders to enter that data at account creation, and it defines an account holder as ”an individual who is at least 18 years of age or a parent or legal guardian of a user who is under 18 years of age in the state”
So, kids are allowed to create an account, but then, an account holder has to enter their age or birth year.
To top it of “a parent or legal guardian who is not associated with a user’s device” is not an account holder, so let’s say a 15-year old buys a laptop or smartphone and wants to set it up. There’s nobody associated with the device, so there are no account holders. Who should enter that age info?
On many smartphones, having a grown-up create an account first won’t work, as there’s no way to set up a second account.
but users don't have a 1:1 mapping to the people that log into them. linux users that aren't used by any particular person, but by a particular _service_ are common. so are linux users that could be logged into by any number of people, and which have no specific single owner.
Practically, I think this is tough. How does a business verify their 20k Linux servers in AWS? What prevents Linux users from simply modifying their code such that they no longer do age verification? I think it's easy to imagine circumventing this one law, but this is another brick in the wall. Maybe your bank stops working on Linux. Maybe major websites stop working unless they get your citizen ID and age verification data from your OS. Maybe no one makes a browser that doesn't try to grab that information.
Not joking; stock up on books and keep a collection of media that you own personally. Perhaps your linux computer will start looking a lot like your PC from the early 90s: not connected to the internet, just used for word processing, some installed games, and media.
For example, I've got a map application on my phone that lets me download maps, widgets, POI lists, etc. from their app store. It seems like enabling that age signal through this exchange is exactly what the politicians are looking for.
I can imagine Samsung asking for the user's age every time you want to grab a snack and refusing to unlock the door otherwise.
Or perhaps... they could add a camera to the fridge and send a stream 24/7 to their servers so they can identify the age of whoever opens the door. For complying with the laws of California, honestly!
The way I read that, you just have to ask for an indication of age. Like when I'm not logged in to Steam and I want to look at a game with blood, it asks for a birth year and I pretend to be 109. That's not exactly "age verification." Am I missing something?
Bill text (it’s longer, but the rest is mostly definitions of the terms used here):
1798.501. (a) An operating system provider shall do all of the following:
(1) Provide an accessible interface at account setup that requires an account holder to indicate the birth date, age, or both, of the user of that device for the purpose of providing a signal regarding the user’s age bracket to applications available in a covered application store.
(2) Provide a developer who has requested a signal with respect to a particular user with a digital signal via a reasonably consistent real-time application programming interface that identifies, at a minimum, which of the following categories pertains to the user:
(A) Under 13 years of age.
(B) At least 13 years of age and under 16 years of age.
(C) At least 16 years of age and under 18 years of age.
(D) At least 18 years of age.
(3) Send only the minimum amount of information necessary to comply with this title and shall not share the digital signal information with a third party for a purpose not required by this title.
(b) (1) A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.
(2) (A) A developer that receives a signal pursuant to this title shall be deemed to have actual knowledge of the age range of the user to whom that signal pertains across all platforms of the application and points of access of the application even if the developer willfully disregards the signal.
(B) A developer shall not willfully disregard internal clear and convincing information otherwise available to the developer that indicates that a user’s age is different than the age bracket data indicated by a signal provided by an operating system provider or a covered application store.
(3) (A) Except as provided in subparagraph (B), a developer shall treat a signal received pursuant to this title as the primary indicator of a user’s age range for purposes of determining the user’s age.
(B) If a developer has internal clear and convincing information that a user’s age is different than the age indicated by a signal received pursuant to this title, the developer shall use that information as the primary indicator of the user’s age.
(4) A developer that receives a signal pursuant to this title shall use that signal to comply with applicable law but shall not do either of the following:
(A) Request more information from an operating system provider or a covered application store than the minimum amount of information necessary to comply with this title.
(B) Share the signal with a third party for a purpose not required by this title.
The language is so broad it seems to cover all software that exists and is accessible via the internet, and every install of an operating system on any kind of machine
> (c) “Application” means a software application that may be run or directed by a user on a computer, a mobile device, or any other general purpose computing device that can access a covered application store or download an application.
> “Covered application store” means a publicly available internet website, software application, online service, or platform that distributes and facilitates the download of applications from third-party developers to users of a computer, a mobile device, or any other general purpose computing that can access a covered application store or can download an application.
> “Operating system provider” means a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device.
So any piece of software you can download from the internet will be required to check this "signal" made available by the os?
Does that mean that the admin will have to manage dob of every student when creating accounts ?
> A developer shall not willfully disregard internal clear and convincing information otherwise available to the developer that indicates that a user’s age is different than the age bracket data indicated by a signal provided by an operating system provider or a covered application store.
>If a developer has internal clear and convincing information that a user’s age is different than the age indicated by a signal received pursuant to this title, the developer shall use that information as the primary indicator of the user’s age.
So, I have a button "I'm older than 18" on my app but the signal is "under 13", I can decide that the user is older than 18 ?
(a) (1) “Account holder” means an individual who is at least 18 years of age or a parent or legal guardian of a user who is under 18 years of age in the state.
(a) (2) “Account holder” does not include a parent of an emancipated minor or a parent or legal guardian who is not associated with a user’s device.
(i) “User” means a child that is the primary user of the device.
User is the most surprising here. It really should just be minors, or non-emancipated minors. Further, I think there are interesting ways the definition of account holder and user combined play out in interpreting the rest of the law.
I wonder: since that operating system needs to attest and (vaguely) eventually report an age and other identifiers to a government API and app developers, will that report violate HIPAA?
If not, why not? You need age verification before you even create an account.
This thing is so broadly-written, the only thing saving you from needing to give you age to your toaster is that it's not a "general-purpose" computing device. Never mind that it can run DOOM...
History teaches us governments are the best at protecting children.
California Assembly Bill 1043 requires OS providers (including Linux) to add age verification at account setup, prompting users for birth date/age to signal age brackets to apps in covered stores. It may violate privacy by enabling data collection/misuse beyond age checks, similar to UK/Discord issues; no explicit civil rights violations noted, but could restrict access for adults/minors if misapplied. Benefits: Enables age-appropriate app content, protecting minors. Drawbacks: Privacy risks, enforcement hurdles (e.g., Linux disclaimers like "not for California use"), aligns with global trends amplifying concerns.
An updated deep dive by Mr. AI returned the following analysis:
Official link: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm... Revised pros: Enhances child safety via non-PII age brackets for app compliance; data minimization limits info shared; anticompetitive prohibitions prevent misuse; good faith shields from liability. Revised cons: Setup requires age input, risking misuse despite safeguards; enforcement challenges for open-source OS like Linux; increased developer liability for signals; potential access restrictions from errors or misreports. No clear privacy/civil rights violations for adults/minors, but implementation costs and global trend concerns persist.
My thoughts: California lawmakers keep turning the screw more and more to the left with AB 1043 being introduced by Democrat Buffy Wicks. Though it has bipartisan co-authors (8 Democrats, 3 Republicans) and passed the Assembly unanimously (58-0), it still feels a bit authoritarian to me. The California Assembly political divide is very left leaning with Democrats controlling 60 seats and Republicans 20 for a total of 80 with Democrats controlling a supermajority.
What's to stop someone from building their own Distro using LinuxFromScratch to bypass this new restriction? Nothing, in my view!
Which I had money cause, Florida looking good about now.
What's next? Chinese style social credit? You’ll need 800 points to run a sudo command?
Free society? Mass surveillance. The West is becoming more of a nanny state like China every year.
BUT this is obviously not the right way to implement this.
Right now I'm on an ESP32 with free RTOS, will I need to add a keyboard and display just for age verification?
I'd like to see that definition. My OS doesn't have an "application store", so I doubt it's impacted by this law.
All this does is require the user to select a non-verified age bracket on first boot. You can lie, just like porn sites today. I thought HNers wanted parents to govern their children's use of technology with these kinds of mechanisms.
In the US maybe, but where I am you can't fap in peace without using a VPN or have some kind of age verification. Some of them being baroque. Example:
"We analyze your email’s digital footprint (history and reputation) against trusted databases. This is often enough to confirm that you're of legal age."
Really? Can you expand on the version of Australian legislation that requires an OS to have age verification?
The AU legislation I'm aware of requires various social media sites to verify that users of those sites are not under some age, 16 or so.
That is not a constraint on the OS or on potential users, that's a legal requirement for Social Service providers.
"This title does not impose liability on an operating system provider, a covered application store, or a developer that arises from the use of a device or application by a person who is not the user to whom a signal pertains."
This is obviously a law so poorly written that it'll never pass a court challenge. Assuming anyone brings one.
Accomplishes three things: Demonizes age verification, big tech gets to dodge it, cedes more control of your PC.
"useradd bob" is an "account setup". does that need age verification too? haha
I've been working around the Microsoft user-creation requirement for years. Looks like they were ahead of the game. CA is marching towards private-business surveillance. What could go wrong?
And since it doesn't make sense to have dozens of different versions of their apps, they write to the strictest jurisdiction's laws.
If everyone has the power to make laws that apply to everyone...it's chaos.
It was already approved? This seems wildly invasive, and CA can't even pretend they're doing it to stop porn. CA is just monitoring citizens for the love of the game
More significantly, it does require all applications (from "covered application stores", but which has a definition for that which seems to include not only what you would normally call an app store, but any website or other source from which an app can be downloaded) to check the age signal provided by the OS when the application is "downloaded and launched".
While it is poorly drafted, circular, and self-contradictory on some definitions and other points, it arguably seems to prohibit age verification within the scope of apps it covers, in that:
(1) It requires all OS's to have an age attestation feature, (2) It requires all applications to use the age attestation feature, (3) It requires developers of applications to rely on the info from the age attestation feature as the "primary indicator of a users age range for determining the user's age", with the only exception being if the developer has internal (not external) information which is "clear and convincing information" that the user's age is different from what is signalled by the OS.
Not exactly true as you can do local account installs.
I wonder if you can get around the law by just having people build their own image from the source.
But what about your outrage you all at the moral and ethical implications of this?
Won't kids just lie about their age, like they do to sign up with social media?
What if more than one person uses the pc?
What if it is sold?
If the OS is open source, then the user could remove the software code to collect the data.
This is protect-young-people theater.
If
In all honesty the V-Chip was meant to protect children.
Age verification and identity assurance[1] is meant to reduce online banking fraud and combat terrorism/espionage.
Whats next outlawing encryption with Clipper Chip[2] 2.0 and saying its to save the whales? I guess we have QUIC and other DRM tech to ruin our day so it doesn't even matter.
I would prefer we drop the think of the children[3] charade and act like adults and get serious about online crime/fraud/terrorism and maximizing online banking.
The biggest problem with this thought domain is that the internet is global and we are thinking at regional, national, and state levels. For so many years everyone has heard complaints about the great firewall of China only to build our own? I guess we have no other choice since bad apples spoil the bunch[4].
[0]https://en.wikipedia.org/wiki/V-chip [1]https://pages.nist.gov/800-63-3/sp800-63-3.html [2]https://en.wikipedia.org/wiki/Clipper_chip [3]https://en.wikipedia.org/wiki/Think_of_the_children [4]https://en.wikipedia.org/wiki/Bad_apples
They should also require background checks for gun safes.
They’re trying to destroy all the best nerdy hobbies. First drones, then 3D printing, now even my precious Amiga!
(I’m being sarcastic of course)
And I'll have to give a fake ID to our automated CI pipelines, I guess.
Overall, I think don't think it's a bad idea for devices to be able to host an age verification system that offers requestable boolean proof of age, like if porn site demands over 18 to view, the user, regardless of age, is prompted and if they accept, it returns either a positive cryptographic claim or a cancel signal if not of age. If they don't accept the prompt, the same cancel signal goes back. The idea that this feature would need a mandate of law is dumb.
This is truly stupid.
By next January there will be 30 different methods of age input signalling between OS and application. And then by 2030 we might have the top 3 adopted as established defacto standards.
somewhat related-ish https://xkcd.com/927/ :)
This is just not going to be a thing on Linux.
Are there app stores on Linux? Yes, that's what FlatHub and Snap supposed to be.
So what, should Canonical just block Ubuntu downloads to anyone in the state of California? No security researcher is going to download an operating system that asks them their age for example. I feel like it draws a red line for me also.
This law is so completely insane. It sounds like it was written by some Apple fanboy to whom there is no other operating system other than Apple. The very state that spawned GNU and BSD is the same state that is not only demanding your data but enshrining its use in spyware in law.
Server operators could add this header to anything adult or that may contain user-contibuted content in their sleep. App developers could add a snippet of code to look for the header in their sleep. Then have a law that requires parents with small children under 10 must enable parental controls on devices used by their children. Why under 10? No confrontation with teens. The small children will grow into the process. No PII shared. No asking for ID. No sharing ID. Not on the OS, not on a third party website. I don't like green eggs and ham, I don't like them Sam I am.
We all know that once this law has been complied to they will extend it to require ID be uploaded to whatever company gives the most kick-backs to Gavin and an API key will have to be saved on the OS per account. This data will be leaked in 3 ... 2 ...
To be wrong, one must understand what one is talking about.
Sigh.
step1: "lets see if we can get away with imposing a small easy requirement, you know 'think of the children'"
step2: "now that we have a foot in the door, lets see if we can get some real tracking in place, for the children of course"
Anyhow: as far as I can tell compliance on linux would be as simple as
echo $YEAR_BORN > ~/.config/ca_ab_1043
In all seriousness, rather than comply, linux distros should enforce this law. Any linux install that detects itself being in california should automatically shutdown with a loud error message. I give it a week before a madmax situation develops.
My TV, my fridge, my 30 year-old TI-82, my sprinkler system… my mom’s pacemaker.
And will I have to verify again when I switch to command line? =P
What a joke.
We already have Secure Boot, the infrastructure is in place. It is currently optional, but a law like this can change that.
I would not know why the operating system I use would need to sniff on me - or yield that information to anyone else.
This is clearly fascism.
Not enjoying this verification can future
Colorado Senate Bill "26-051"
The actual bill and links to its two sponsors Matt Ball and Amy Paschal.
https://leg.colorado.gov/bills/SB26-051
https://leg.colorado.gov/legislators/matt-ball
https://leg.colorado.gov/legislators/amy-paschal
* It also reveals that visitors to any site are children, compromising their privacy and opening them up to targeted advertising
* The data will undoubtedly be added to the accumulated, traded databases so many services use
* The bill makes onerous demands of developers to consider other items that may suggest the user is actually in a different age bracket, like doing websearches for "toys" (child) or "toys" (adult) - which works what percentage of the time, exactly?
* And it's totally ineffective, since kids can look at porn anywhere they want, or internationally, regards of useless bill like this
The most egregious part of this bill is that:
* It legislates that if kids connect to a website, that website can query their age brackets (an "age signal"). This means their approximate age is revealed for kids-specific advertising, manipulation, or even sold to a pedophile group.
A DEVELOPER SHALL REQUEST AN AGE SIGNAL WITH RESPECT TO A PARTICULAR USER FROM AN OPERATING SYSTEM PROVIDER OR A COVERED APPLICATION STORE WHEN THE DEVELOPER'S APPLICATION IS DOWNLOADED AND LAUNCHED.
Basically SB 26-051 creates a mechanism that can be used to harvest the data that certain users are kids and then sell that data to anyone who will pay for it.
Data like this is traded internationally, which makes it tragic that elected lawmakers would waste time pushing a bill whose only mid-term effect would be making Colorado less attractive to developers and software companies.
The irony is that normally your kids would have been protected, by standard practices, from having their age exposed. This bill reverses that, putting your children at more risk.
The bill also would force many devices to provide age bracket data that are surprising to most people, because this part:
"DEVICE" MEANS ANY GENERAL-PURPOSE COMPUTING DEVICE THAT CAN ACCESS A COVERED APPLICATION STORE OR DOWNLOAD AN APPLICATION.
... means anything with Internet access and storage. This includes smart televisions, thermostats, tablets, smartphones, smart watches, some fitness tracking devices, some smart toilets, and so on, all potentially reporting your activity on demand, even if that back-end service has nothing to do with porn.
The bill is also poorly structured. Clearly it's intended to focus on services like app stores (Android, Apple), but by attempting to integrate support for this into operating systems, makes it available to hostile actors for any purpose worldwide. Further, it requires developers to guess whether other available information on a user might mean they're really in a different age bracket, exposing them to fines of $2500 to $7500 per minor "affected" (note: "affected" is not defined in the bill). The exemptions give blanket protection to developers working on for-internal-use software, but give no exemptions to recreational programmers. non-profit personal software, university projects, and so on, casting a chilling effect across software engineering generally.
Lastly, the bill is ineffective. Most of the web runs on Linux, a coöperative international effort, nominally controlled by one man in Finland. There is no chance of this bill's mechanism being implemented in this context. Nor will other developers be especially interested in rewriting software for this Colorado-specific bill. Further, the kids supposedly being protected from all the Colorado native porn sites would just web-browse to nearly any porn site and be outside of Colorado anyway, if not outside the US entirely.
These sponsors aren't alone. Most elected lawmakers are equally bad at technology and protecting democracy from the threats that come from chipping away at privacy protection. Bills like this appear in other states all the time, despite being toothless, easily circumvented by kids (who trivially circumvent even face photo hurdles), or radically compromising the privacy of adults (like this one).
There's also the long game, where these sometimes Democrat-led bills in various states could eventually see a much deeper-reaching federal one, where, instead of a "age signal", the user's computer must send an "ID signal", allowing all personal interactions with the Internet to be tracked, analyzed for political and other biases, and used by backbone firewalls to control exactly what people are allowed to read. Very handy for a dictator who might want to block off "fake news".
This is only a hypothesis, but one has to wonder whether sponsors to such bills even care if the bills work or pass, since either way they still get to claim they Protected the Children! even though the bills themselves violate privacy for everyone, often cause websites about breast cancer to be censored, or pave the way for authoritarian control - something this one stands out for. The only thing really surprising is that this bill wasn't sponsored by MAGA Republicans deliberately to add another paving stone to the road to national censorship.
I urge everyone to get in touch with other Colorado representatives to call for a fight against this travesty of a bill. Further, I would excoriate the two sponsors by email and phone, and tell them now that you will not reward this sort of juvenile lawmaking with your vote. Lastly, tell other people about how Matt and Amy plan to strip away their privacy in a way that puts children more at risk than doing nothing.
Recently after we spent hours getting a Chromebook set up after a "Power Wash" due to remote auth failure, it wanted the old password and there was no option but to wipe the device.
They held our homedir hostage with required remote auth.
We were not able to log into our computer and lost all of our data because of remote auth.
Secure critical systems must not have a centralized remote auth dependency that can be denied.