Age _indication_ means that when you set up your device or create a user account, you enter a date of birth for the user. The OS then provides a native API to return a user's age bracket (not full date-of-birth). If the user is a minor, the OS will require parental authentication in some way to modify the setting again. This can all be done completely offline. It works because parents almost always buy the devices used by children, and can enter the correct date-of-birth during setup.
Age _verification_ means that some online service has to verify your age, and collects a bunch of (meta)data in the process. This is highly problematic for privacy, security, and the open internet.
1) The parental responsibility is given to the wrong people. You're basically being forced by law to give all apps and websites your child's age on request, and then trusting those online platforms to serve the right content (lol). It should be the other way around. The apps and websites should broadcast the age rating of their content, and the OS fetches that age rating, and decides whether the content is appropriate by comparing the age rating to the user's age. The user's age, or age bracket, or any information about the user at all, should not leave the user's computer.
2) The age API is not "completely private". It's a legally-mandated data point that can be used to track a user across apps and websites. We must reject all legally-mandated tracking data points because it sets the precedent for even more mandatory tracking to be added in the future. We should not be providing an API that makes it easier for web platforms to get their hands on user data!
For many years, certain tech companies, SIGs, and governments have fought against technologies that could enable real digital parenting, all while claiming to do the opposite and "protecting children". They craft a narrative to convince you that top-down digital surveillance and access-control is for your own good, but it's time we reject that and flip their narrative upside down: https://news.ycombinator.com/item?id=47472805
The EFF has a good series related to this[1].
[1] https://www.eff.org/deeplinks/2026/03/rep-finke-was-right-ag...
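The on-device model described in the first comment above (the app or site declares a rating, the OS compares it locally, and a minor's record can only be changed with parental authentication), as an added example that is not code from the thread or from any OS. `LocalAgeGate`, the bracket boundaries and the PIN scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from datetime import date

# Assumed bracket boundaries for illustration: (minimum age, label).
BRACKETS = [(18, "18+"), (16, "16-17"), (13, "13-15"), (0, "under-13")]


def age_on(birth_date: date, today: date) -> int:
    """Whole years elapsed between birth_date and today."""
    before_birthday = (today.month, today.day) < (birth_date.month, birth_date.day)
    return today.year - birth_date.year - before_birthday


class LocalAgeGate:
    """Hypothetical on-device store; it makes no network calls."""

    def __init__(self, birth_date: date, parent_pin: str):
        self._birth_date = birth_date
        self._salt = os.urandom(16)
        self._pin_hash = self._hash(parent_pin)

    def _hash(self, pin: str) -> bytes:
        # Store only a salted, stretched hash of the parent's PIN.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 200_000)

    def bracket(self, today: date) -> str:
        """Coarse bracket only; the full date of birth is never returned."""
        age = age_on(self._birth_date, today)
        return next(label for floor, label in BRACKETS if age >= floor)

    def allows(self, content_min_age: int, today: date) -> bool:
        """Compare the rating the content declares with the local age."""
        return age_on(self._birth_date, today) >= content_min_age

    def set_birth_date(self, new_date: date, today: date, parent_pin: str = "") -> bool:
        """Adults may edit freely; a minor's record needs the parent's PIN."""
        if age_on(self._birth_date, today) < 18:
            # Constant-time comparison of the stretched hashes.
            if not hmac.compare_digest(self._hash(parent_pin), self._pin_hash):
                return False
        self._birth_date = new_date
        return True
```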
FWIW, this is not quite an accurate description of AB1043, in at least three respects:
1. Apps don't get your exact age, just an age range.
2. Websites don't get your age at all.
3. AB1043 itself doesn't mandate any content restrictions; it just says that the app now has "actual knowledge" of the user's age. That's not to say that there aren't other laws which require age-specific behaviors, but this particular one is pretty thin on this.
In addition, I certainly understand the position that the age range shouldn't leave the computer, but I'm not sure how well that works technically, assuming you want age-based content restrictions. First, a number of the behaviors that age assurance laws want to restrict are hard to implement client side. For example, the NY SAFE For Kids act forbids algorithmic feeds, and for obvious reasons that's a lot easier to do on the server. Second, even if you do have device-side filtering, it's hard to prevent the site/app from learning what age brackets are in place, because they can experimentally provide content with different age markings and see what's accepted and what's blocked. Cooper, Arnao, and I discuss this in some more detail on pp 39--42 of our report on Age Assurance: https://kgi.georgetown.edu/research-and-commentary/age-assur...
I'm not saying that this makes a material difference in how you should feel about AB 1043, just trying to clarify the technical situation.
Imagine you're a streaming service, trying to show a list of movies that a user can watch. If you can only communicate age restrictions to the OS, but can't actually check the user's age, you have a choice of showing a list of movies that some users won't actually be able to watch, or a list of movies limited to those appropriate for all ages. Neither are great options.
If you can check the user's age bracket, you can actually tailor the list to what the user can realistically watch.
2. Is it meaningfully more identifying than User-Agent? There’s dozens of other datapoints for uniquely identifying a user. If we get a few high profile lawsuits because advertising companies knowingly showed harmful ads to children, I’d consider it a win. Age is not that interesting of a data point.
How would you make that happen? Many websites would not be subject to your jurisdiction.
That's to say, this distinction is meaningless unless you're planning on blocking every jurisdiction outside of California so you can just adhere to its age verification laws and no one else's.
If I may nitpick, the conventional term for systems which attempt to determine the user's age is "age assurance". This covers a variety of techniques, which are typically broken down into:
* Age estimation, which is based on statistical models of some physical characteristic (e.g., facial age estimation).
* Age verification, which uses identity documents such as driver's licenses.
* Age inference, which tries to determine the user's age range from some identifier, e.g., by using your email address to see how old your account is.
These distinctions aren't perfect by any means, and it's not uncommon to see "age verification" used for all three of these together but more typically people are using "age assurance".
Call the API every day; when the age bracket changes, you can infer the date of birth.
As appealing as the private part sounds, I genuinely think it may make the situation worse here by facilitating the transition & muddying the waters.
Even if you think adding "age indication" to a project is harmless, you have to consider the precedent this is setting for compelled speech in the future, potentially by regimes that you are not politically aligned with.
In the specific case of CA AB1043: (1) Systems are required to ask the user for their age and just trust whatever they say (2) Applications are required to query the system for the user's age range. Other enacted and proposed device-based age assurance mandates have different properties.
This post goes into quite a bit of detail about the various points of concern: https://educatedguesswork.org/posts/device-based-age-assuran...
I’ve been shocked at how many HN comments always come out in favor of age related legislation and heavy government regulation when the topic comes up. The pro-regulation commenters always seem to assume the age checks would never apply to them because they don’t use TikTok or Facebook or other services, yet few realize that there aren’t going to be laws written in a way that only apply to a couple named companies you don’t use anyway. If we have age verification laws then they’re going to be everywhere.
I personally hope this legislation dies and we can be done with this silly exercise, but if we’re stuck with age verification moral panic then a simple OS-level switch that we set once and then forget about seems like the least intrusive form of “age verification” we can get away with.
In other words, I think this first bit of legislation had to be watered down to not receive too much backlash. This is the government's first plunge into mandating things on the frontend.
Just for clarification. CA AB1043 was signed back in 2025 and takes effect January 1 2027.
Anyone with more than 2 brain cells can put it together
Where do you see that? HN is overwhelmingly critical of age sniffing.
In other words, all of these age verification laws are here predominantly to indemnify Facebook from a growing wave of child endangerment lawsuits in a way that will ensure Facebook doesn't have to kick off even a single teen from their platforms. That's why the "verification" is just a date and an age range bucket.
My personal opinion is that these laws are stupid, but not harmful to Linux users, and that everyone angry at systemd for complying is shooting the wrong guy. Your real target is Facebook and you should be yelling at your local representative to make this bill not target Linux distros.
If you're going to do anything like this, this is the thing they actually get right. It removes the inconvenience, privacy invasion, forced use of corporate verifiers with perverse incentives, etc. Meanwhile if the user is actually a child then their age is set by their parent.
> Applications are required to query the system for the user's age range.
This is classic legislative stupidity. Applications are required to query the user's age range even if they contain no age-restricted content? Brilliant.
Well, maybe. For instance, if a child buys their own device they could set the age to whatever they want.
>> Applications are required to query the system for the user's age range.
>
> This is classic legislative stupidity. Applications are required to query the user's age range even if they contain no age-restricted content? Brilliant.
Note that AB1043 doesn't actually impose much in the way of requirements about age restricted content. Rather, the way it works is that the developer is then assumed to have "actual knowledge" of the user's age (See 1798.501(b)(2)(A)) and then has to behave accordingly in other age-restricted contexts.
This is classic programmer stupidity attempting to read the law in the stupidest possible way. No - if the application needs to know the user's age because of a content restriction, it shall query the system for that, instead of getting it some other way. Unlike computer code, laws are understood by humans in a context.
Why are these changes being made on a worldwide basis when the laws that have been introduced are a relatively small fraction of the world? California isn't going to go after individual systemd maintainers. Will California go after Torvalds? I doubt it. Apple? Surely, but this is, quite frankly, a ridiculous thing to even suggest for inclusion into these setups.
This is the same reason a bunch of the food in your pantry is certified kosher. No one is going to not buy something because it is kosher. But if paying a thousand dollars a year to put a small circle-u symbol on the back of your box can increase sales by 1% among observant Jews, most companies are going to do it.
Contrary to perceived politics, many Muslims will eat kosher food because it's a superset of halal rules (excl. alcohol).
It's a globally consolidated certification through organizations like the Orthodox Union. This is unlike halal which is local and has many scammers offering to pencil whip compliance. This means many Muslims will prefer kosher to "halal" food to avoid due diligence on the certification agency.
To tie this into age-verification, companies and ecosystems will use the strictest method that makes them globally compliant. Consumers will prefer that convenience even in the presence of intense political beliefs.
A bank that uses seamless OS-level age checks everywhere will win against one asking manually in the jurisdictions it isn't required.
Two corporations, e.g. Canonical and Red Hat, might suffice.
I hope everybody remembers how systemd was thrust upon the community by having Gnome largely depend on it. This was mostly done by efforts of Red Hat, and that sufficed.
That's it.
Making user-hostile changes seems exactly on-brand for systemd, to my mind.
I wonder if it's time to try something like sixos or Guix SD.
Why? Given the nature of how NixOS works (config-driven), the maintainers have plausible deniability: if push comes to shove, they can shift the burden to users and have them enable the age verification service as part of their NixOS config.
2. There are software engineers in the UK and EU.
3. This specific implementation by Apple is not actually required by any UK or EU law, to my knowledge.
4. This specifically is or will be required by the laws of some US states and other countries.
2 Devs for companies can start working with proprietary OSes for the businesses they sell their soul to.
3 Who cares what Apple is doing.
4 And systemd should not be liable for upholding any of them.
But my main concern with this is applications like Firefox will eventually require this systemd age specific field and a standard systemd function to call. That means this age field will need to be populated and thus locking out the *BSDs and non-systemd Linux.
If that happens, this makes the systemd critics 100% right, systemd is being forced upon all distros by various upstream applications.
The risk is real, and the solution is to move away from systemd now, not wait until it's too late. Whatever conveniences it brings over other init systems are certainly not enough to justify giving up online anonymity forever.
You see people rave about the greatness of systemd, then they turn to deploy their applications using Docker and some s6 config.
Otherwise my Intel NUC server with Debian is 2 years old, so I expect the honest age would be 2 years? I may have parts for some old PCs to put together that could get adult software I guess...
I've already had it up to my back teeth with Google arbitrarily updating things such that the on/off button was hijacked, preventing me from switching the device off, instead triggering an interaction with freaking Gemini (what sort of IDIOT thought doing that to a device was a good idea).
I'm seriously trying to find a way to no longer run Apple or Google OS based phones - which puts me in the "Linux" or "Graphene" market
Once that is established, it is easier for politicians to push for newer laws that add more features to reveal even more information. Politicians can propose any unrealistic law they want. But it is much easier for them, to convince a necessary majority, when there is technical infrastructure already in place. "We are already doing X, why don't we just also do Y?". Or: "Country A has already X, why don't we also do X?"
They have access to every message you send. They know where your device is at every time of day. Your name is all over the entries in your wallet, be they tickets, SF bus ticket or.. your credit cards.
It is similar with the crypto wars. They try and try until they have backdoors everywhere.
About verification, they will try to implement WEI on browsers, and verification on the OS.
It is a crusade to make you always identifiable. Companies and governments want it so much because it is so valuable to them, it adds so much power over people.
So what's next. They will move borders here, and there. Every year.
https://en.wikipedia.org/wiki/Economy_of_California
So yeah it's pretty big.
The simple fact of you sending the same signal over and over again, with all the other signals your browser sends, will be another key to tell you apart. They don't care if you lie. What's important is that you tell the same lie every time.
And after having your DOB, which could easily be a flag if you are less than 18, they could easily request your name, or a document number, but I think it will be much better, it will have some ISP and/or Device ID.
Also, while some bills do seem to require browsers to promulgate age data to websites (e.g., NY SB102A [0]), AB1043 does not. Rather, it requires the browser to read the age range just like any other app, but doesn't say anything about providing it to sites.
[0] https://www.nysenate.gov/legislation/bills/2025/S8102/amendm...
Might seem harmless now but it won’t next time, and you will have already capitulated
The only sane way to do this, if you were playing along with arbitrary legislative age-gaters, would be to add a generic "additional user info" blob to the account fields, if it didn't already exist.
If they ever seize your computer, they can probably also tack on computer fraud charges.
For root to manage privileges in an OS, isn't a group the most straightforward way?
Can't flatpak read the groups of a user?