I think it’s more that they have no idea that Linux exists, or headless operating systems used on servers and embedded devices. They are trying to legislate based on the experience of having an iPhone.
FOSS (and frankly all systems that don’t use walled garden commercial app stores) should be exempted from this, at a minimum.
If it’s like the Illinois one, all of tech are probably behind them, because these shift age verification away from service providers to a self-reported age bracket at the OS level.
It’s much safer than what some idiotic states are doing (like upload your photo id to services where it gets stolen).
The idea is a parent or guardian is probably setting up a device. They make a user account for their kid and specify a user age. The OS then can supply one of four age brackets to service providers.
Where does it explicitly mention operating systems?
Ok, so you’ll say that it just applies to operating systems even though it’s not explicitly mentioned. Show me where the ADA has been used successfully in a lawsuit against an OS developer for the construction of their OS. I’ll wait!
(e) (1) “Covered application store” means a publicly available internet website, software application, online service, or platform that distributes and facilitates the download of applications from third-party developers to users of a computer, a mobile device, or any other general purpose computing that can access a covered application store or can download an application.
(2) “Covered application store” does not mean an online service or platform that distributes extensions, plug-ins, add-ons, or other software applications that run exclusively within a separate host application.
(f) “Developer” means a person that owns, maintains, or controls an application.
(g) “Operating system provider” means a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device.
...
1798.501. (a) An operating system provider shall do all of the following:
(1) Provide an accessible interface at account setup that requires an account holder to indicate the birth date, age, or both, of the user of that device for the purpose of providing a signal regarding the user’s age bracket to applications available in a covered application store.
(2) Provide a developer who has requested a signal with respect to a particular user with a digital signal via a reasonably consistent real-time application programming interface that identifies, at a minimum, which of the following categories pertains to the user:
&c.
So yes, OSes are mentioned directly. The lawsuits will only come after it goes into effect.
This headline is misleading. The California law requires that the OS store and provide the age bracket. It does not require that any verification take place.
I am not arguing that this is a good idea, but it is simply false that the law requires that Linux 'check kids' IDs before booting'.
The New York law is worse, and should be opposed, but the article only mentions it at the end - and even then, we actually don't know what the verification mechanism would be. I've heard a proposal that "age verification passes" be sold at liqour stores and porno shops, for example, who already seem to do an acceptable job of checking ID without destroying people's privacy.
Are there any other places this argument could apply or is it specifically this one?
Like if I said "Yes, the university reserves the right to expel students who defecate on the teacher's desk. But we all know where this is going." that'd be pretty crazy, wouldn't it?
If universities didn't have the right to expel students at all and that was proposed, and they had a history of turning small law into totally encompassing law, I would fairly confidently say that the university is on the path to obtain the ability to expel students for any reason it seems fit.
But let’s talk about around the US. For example, all cars manufactured in 2029 and onward will be required to have a built-in alcohol detector / breathalyzer and to shut down and not let you drive if they detect your blood alcohol level is too high: https://www.clear2drive.com/the-pass-act-explained/
This is in addition to the interlinked CCTV cameras that are the norm in various cities (eg in the UK), new Flock cameras in US, etc. But the government doesnt even need Flock or Ring to cooperate. They have plenty of their own housing programs to install thousands of cameras to spy on citizens 24/7, and can now deploy AI to sift through it all. Here in NYC we already have the lovely Domain Awareness System: https://nysfocus.com/2025/08/11/eric-adams-nycha-nypd-camera...
To sum up: the government can know what you’re doing at all times, with sensors in your car, mandated apps on your phone, cameras on your street, and soon, mandated telemetry sent by your operating system. Caretakers of kids are required to report anything to authorities and not let parents know, in case the department of child services might need to know. Every child is required to be vaccinated too, with lots of different vaccines.
I wouldn’t be surprised if toilet plumbing in every apartment in the future will be required to install a test for what you’re eating or drinking, to catch diseases early and for public health.
Because it's a competitive market and offering a lower price than your competitors helps you earn more business. If your competitors lower their prices and you don't lower yours then you'll lose business.
It's optimistic to think it will even do anything to stop drunks. It's a $5 wrench problem. They think all this tech will stop drunks, when in reality some guy gorded out his mind on vodka is paying his 12 year old his weekly $20 allowance to blow into the machine.
To be fair, it's not about blowing into the machine, but a bunch of sensors all around the driver, e.g. looking at the finger pressing the button to test your blood alcohol content through your skin, detecting alcohol particles, etc. So you better hope your passenger isn't drunk LMAO
This is a wildly optimistic view for insurance companies in particular. You basically need to jump providers every few years, or else you're overpaying.
I don't understand how this is supposed to be an argument against what I'm saying. The fact that you can shop around and get a better rate demonstrates the fact that insurance is a competitive market and companies will lower rates to win business.
Or they could all just agree to not cut prices so everyone profits more than with a race to the bottom. Not the first nor last time for this to happen.
Undercutting the competition pays off when they're much smaller and you can eliminate them that way and subsequently raise prices.
They could. It's very hard to enforce a cartel like that when there are a large number of competitors. It's a prisoners' dilemma with dozens or hundreds of participants. It only takes one defector to break it.
If you've ever shopped for car insurance, it should be pretty clear that there isn't a cartel holding prices high. Prices differ substantially across insurers, and are influenced by many other factors as well. Premiums are much lower if you have a clean driving record and no claims, or if you drive a car that's cheaper to repair, or less likely to cause injury, or you're of an age/gender with less propensity to crash, or live in an area with less automobile-related crime. Why would they give you lower rates for these things when they could just keep the premiums high and collect more profits?
What's hilarious is that in supposed dystopic corrupt hellholes I've lived or spent time in (Syria during the civil war, Iraq, Philippines, etc) all of this is unimaginable. Westerners view freedom as having a piece of paper that says they are free plus not having to bother fighting off ISIS or the gangsters because the even bigger gangster in a clean uniform and nice jackboot will take care of it. Much of the rest of the world views freedom as the government being weak enough that it's actually possible for rebel groups to emerge, which you might then have to fight off, but at least that is easier to fight off than a central government that consumes 25+% of the GDP and projects their air power to every end of the earth and meanwhile if you exercise a bit of freedom it goes under the radar particularly if there is no victim to complain about it.
Of course, there are cases like North Korea where you get the worst of both worlds (strong central government + not even a useful piece of paper limiting it).
I often wonder what rights were not written down because the people writing the Constitution in the US just didn’t think of a state with enough capacity to infringe on them. I think a lot of surveillance stuff is like that: they concerned themselves with improper searches because that was how your privacy was violated. They didn’t even consider a system that could just automatically log all public actions and what could easily be inferred from those logs.
That said, I don’t think I would like to live in a region governed by gangs or rebel groups, even if they probably don’t have the capacity to annoy everybody, the low odds of a catastrophic interaction with enforcement seems bad.
That's not much of a source -- a 100-karma user in 2020 based on "I've known this for a long time. A quick google confirms that many people think the same." I don't believe it is true.
My trench is keeping backups of ISO's that do not contain this creeping garbage. I will manually patch apps and where I can't the OS will be read-only and ephemeral. This will be my process until governments are no longer vulnerable to bribery.
I suspect the dark pattern this will lead to is user-maintained ISO's as was the early days of Microsoft. People would slip-stream in patches, applications, better default settings and in some cases, malware.
When we are installing docker repositories on my Rockylinux installation on 100 nodes at once, should we need to manually put an age of the person who is running the script somewhere in the process? Will docker be forced to prevent me from downloading its packages if I do not transmit the age in a header?
The California law only stipulates that there's an "accessible interface at account setup" to set the birthday or age at account setup, and an interface to query the age bracket. Plus the crap for "application stores"
I don't think it's a very well thought-out law. But realistically this will end up as setting some env variable for your docker containers to assure them that you are 99 years old. And yes, maybe transmitting a header to docker hub that you are 99 years old. Probably configured via an env variable for the docker cli to use. It's stupid, but nothing a couple env variables wouldn't comply with
The real issue is when the law inevitably gets expanded to get some real teeth, and all the easy workarounds stop being legal
This is a neat attack (in that it is obvious and a big flaw but also it makes sense that the lawmakers wouldn’t have thought of it), but it would only affect users who have an age-bucket transition while your application is running, right?
Edit: as folks have pointed out, the attacking application doesn’t actually have to be running while the age-transition takes place. The attacker just has to have logs from before and after the age transition, and then they can narrow the birth-date down.
Then you store the user age every time it's run and check for changes on start. Maybe that only gives you a 7 day range for birthdays, but you can narrow that over time and it's still good enough for targeting.
I agree, sorry, I think my original comment was a little imprecise. My point was that the app can get the “exact” age only for users who undergo an age-bucket transition in an era that the app has logs for.
I mean, the app can query on a weekly basis, and then if you go from “under 18” to “over 18” it knows the week that you were born in. But, if the user was already an adult when the logging started, there isn’t a transition to go off.
is there any mention of granularity? so if the user sets their age bracket, then there's no DoB stored. if the user is old enough to fall into some other age bracket they can set that if they want. (and then somehow making this a bit more data driven - ie "verifying" - is a different matter altogether.)
IIRC the age buckets were defined in the California law. They were something along the lines of age ranges that would intuitively map to adults, teenagers, and kids, I forget the exact borders.
I think the intent was for the OS to know the user age, but only provide an age range, so it could automatically upgrade people as they aged (but I could be wrong about that).
Not necessarily, depending on how the application is logging it just means the resolution to which you know a birth date is limited by how often the application is run. If i check my email every morning at 8am, and my email app logs my "age bucket", then it can know to a resolution of one day. If i only check my email on Monday mornings, it knows to a resolution of one week, etc...
The size of the age bracket also puts practical limitations on it. There is only one mandated bracket for everyone who's at least 18, preventing that attack on anyone who starts using your software after their 18th birthday. And if a 13 year old signs up it takes three years for you to observe the switch to the >=16,<18 bucket
> And if a 13 year old signs up it takes three years for you to observe the switch to the >=16,<18 bucket
I think this is the big vulnerability in the scheme. This information is easy to track and log, so it is basically equivalent in the giving away the DOB of everybody who is currently under 18 (at least, everybody who uses the system as intended). In the long run that’s everybody.
We could have a discussion about whether or not it would be fine for services to know every user’s DOB, but it is clearly giving away more information than the law intended.
> There is only one mandated bracket for everyone who's at least 18, preventing that attack on anyone who starts using your software after their 18th birthday.
I don’t think that fully recognizes the size of the problem, “using your software” is fuzzy. Companies get bought, identities get correlated, ad services collect and log more information than needed. I think it is better to assume the attacker will have logs of these queries from the start date of a person’s first account.
The UI can be implemented using the user's date of birth, but it can also be implemented by selecting an age bracket and then all it tells you is that the user changed the age bracket setting.
Laws get made by whomever takes Gavin to the most dinners at the French Laundry. Don’t like this law? Good luck - reservations are booked out 6 months in advance.
Yeah, I think the idea of the law is fine. If you imagine "Operating System" to mean "things like Windows and iOS, or Desktop install of Fedora", "Application Store" to mean "Microsoft Store or AppStore or the like" and "Application" to mean "Word and Doom and stuff like that" then it's fine. Especially if you keep in mind that there isn't any actual verification of the age, it's simply set by whoever sets up the account
Most of the issues only arise because in the bill "operating system", "covered application store" and "application"/"developer" have very loose definitions that match lots of things where the law doesn't make sense.
Also, like, what about IOT devices. Are lightbulbs and thermostats going to need to attest the age of their users? There are so many computers without a useful concept of a user identity.
I honestly think the California law is well intentioned (in the sense that it just asks the OS to attest the age of the user, so, lawmakers probably thought this could be done in a privacy-preserving and minimally annoying fashion), but it seems very focused on desktop and cellphone use-cases.
> These laws can, and almost certainly will, get worse. New York's proposed Senate Bill S8102A explicitly forbids self-reporting. The state Attorney General will decide how to enforce it. For example, to use Linux, you might need to submit a driver's license.
None of it is enforcable, its basically meaningless.
Great job politics!
Like lots of laws that are being written nowadays by octogenarians, aimed at strong arming bigger tech companies into designing things differently at the expense of everyone smaller which ironically ends up curtailing our basic freedoms, privacy, etc... even when the intent was otherwise.
Then again I have yet to meet a politician that actually cares as long as: "this looks good for my campaign".
Regulating big platforms that affect billions of people is one thing but I really wish they would write laws actually discriminating between those platforms and everyone else.
Authoritarianism rarely happens overnight, it happens one step at a time and at every step the useful idiots [0] exclaim "It's just one step! What's the big deal? Stop overreacting!".
Next thing you know you've walked 100 miles and it's too late to turn back.
The comment you replied to only said the first "it's just one step" part. You're imagining the rest. Are we not even allowed to make factual statements when something is, in fact, just one step? "It's bad to factually describe what's happening because it will get worse" is a terrible way to make your case.
> I've heard a proposal that "age verification passes" be sold at liqour stores and porno shops, for example, who already seem to do an acceptable job of checking ID without destroying people's privacy.
This is not being supported because the size of the step is small, but because the step itself makes sense.
The slippery slope argument says that open source software is a stepping stone to a world where all commercial activity is banned. Should we therefore oppose open source software?
"makes sense" does a lot of heavy lifting. Explain the justification for this restriction on 1A rights and mandatory compulsion of speech for anyone writing software.
And your provided "slippery slope argument" is just a straw man argument. No one in this thread made that argument. The slippery slope is the authoritarian ratchet.
If you want to restrict your kid's access to the internet, install software that does that. I think in 2026, when kids have personal devices, key word "personal", meaning there is an expected level of privacy we should respect, effective insulation against the bad parts of the internet will not be achieved through software. Meanwhile, this legislation will be used to prevent children from turning into organized free thinkers.
Slippery slope is famously a fallacious argument. My first exposure to it was people insisting that legalizing gay marriage would end up legalizing marriage to animals.
A slippery slope is only a fallacy if there is no demonstrated history of it existing. I think we're all aware that that is not the case for surveillance laws.
> These laws can, and almost certainly will, get worse. New York's proposed Senate Bill S8102A explicitly forbids self-reporting. The state Attorney General will decide how to enforce it. For example, to use Linux, you might need to submit a driver's license.
FWIW, there are vanishingly few problems with improper voting in the US, and the extremely unusual occurrences are mostly PartyB voters trying to "counteract" the imaginary PartyA violations.
Anyone who tells you differently is lying or ignorant.
If there's no problem w/ improper voting, then why would anyone object to measures intended to verify that the proprieties involved are being followed?
If it were out of genuine concern for verification, those supporting it would want to ensure that all citizens are able to easily, quickly, and cheaply get ID. That is not the case, however.
Because 10% of US citizens (legitimate voters) do not have the forms of ID required in these proposed laws, and it can be expensive and time-consuming to get those forms of ID which are not otherwise required for their lives (QED), and they might not do so strictly for voting.
Some people think disenfranchisement is bad. Others see it as useful.
Specifically, PartyB thinks those people with inadequate ID skew toward PartyA voters. This has been the accepted wisdom for decades. So they are incentivized to make it harder for them to vote.
Interestingly though, PartyB might be wrong about the current population. PartyA, and those against disenfranchisement and imaginary crises in general (I count myself in this third group), do not want to blow up centuries of precedent especially if the consequences are likely to be undemocratic and unfair.
This is revealed as a fraudulent premise in many states, though. For instance, Illinois doesn't require ID to vote, yet requires an FOID to bear a firearm.
How is it that you don't need an ID to exercise the rights of voting 'citizens', but you need one to exercise the right of 'people'? Consider that virtually all 'citizens' are also 'people', and even if you argue they are not, the portion of voting citizens that aren't 'people' is inconsequential compared to the supposed "10%" that can't muster an ID.
It's almost as if both sides of the argument are just using logically inconsistent arguments that just aligns with whatever gets the voting demographics they like. In fact, Vermont is the only state I know of that gives both full rights of citizens and full rights of people to those without ID in a manner consistent with the anti-ID argument usually presented.
I reject your premise that the outcome of voting is less dangerous than dropping FOID requirements in places with no ID required to vote, and reject that it is actually reversible (can't undo all the dead school girls in Iran).
But lets accept your premise as true.
You're proposing something like rank-stacking the risk of various rights of citizens and people and if they're high enough on the stack it's OK to to ID and if they're lower maybe it's not OK. That seems to move the goalpost quite a bit from your prior argument.
> measures intended to verify that the proprieties involved are being followed?
Giving you the benefit of the doubt regarding the intent, why would anyone support a measure that demonstrably does not achieve what it intends, but instead denies you the right to vote?
Because the data is collected while voting is ongoing, and audited after the fact.
This is how we know how extremely few problems there are, and how we catch the accidents (which are backed out, hence the delay between voting and election certification), and the fraud (which is extremely rare but of course also backed out).
Voting is far more important. If someone is falsely denied access to some web site, it doesn't matter. But everyone with the right to vote must be allowed to vote, no exceptions.
In any case, voting is substantially more intrusive. You must register with your full name and address, which is made public record. Each time you vote, that is also made public record (not who you voted for, but the fact that you voted). In states with closed primaries, your party membership is public record. In states with open primaries, it's public record which party's primary you vote in. It's way more invasive than a text box in your computer's account setup screen that asks for your age.
I disagree there. I think that this is far more intrusive, because it impacts your everyday life rather than just a small slice of it, and thus more important.
Who is paying FOSS devs who will be implementing this? Who is providing them with legal indemnification since they are now apparently subject to fines for a fucking hobby if they do it wrong? Who is making CA the only jurisdiction instead of the myriad contradictory laws all over the place? Who is stepping in to make sure no additional legislation comes across regulating how FOSS has to include backdoors or weaken encryption?
Linux is the kernel, it has nothing to do with this.
The law apparently seems to target the packager/distributor of the distribution. Many small distros are hobby distros!
> The US is a federal system. It's part of our checks and balances.
Nonsensical answer. Different states are passing different requirements that often contradict each other. This is going to be a nightmare.
> No one. This is why organizations with actual security requirements do their own dependency checks.
So you’re saying that we should expect those laws too? Because before now “code is speech” has ruled, and the US government have not been able to be so invasive about how computers should work. If this is the direction we’re headed in, we need to organize and fight like hell.
Then region lock. You don't have to support California or NY or ...
> Different states are passing different requirements that often contradict each other. This is going to be a nightmare
Create regional feature flags or region lock. It's a solved problem.
> So you’re saying that we should expect those laws too
They already de facto exist contractually speaking.
> Because before now “code is speech” has ruled, and the US government have not been able to be so invasive about how computers should work
The mindset around tech regulation shifted after the 2016 election and Jan 6th. The maximalist tech civil libertarian view on privacy was an anomaly from the late 1990s to early 2010s when tech was viewed as inconsequential.
The 2016 election and Jan 6th showed otherwise.
---
The overlap between Linux daily drivers and "voters who can flip an election in California, NY, or <insert_state_here>" is nonexistent.
This also appears to be a front-run at reducing the risk of an Australia-style regulation being proposed.
Edit: can't reply
> Europe realized this with their new infosec liability regulations
European organizations (from private sectors to government agencies) sidestep this by contractually mandating SBOM and dependency requirements.
You end up with the same result, but it's essentially regulated via contracts instead of the law.
> Expecting volunteers to dump time into compliance is ridiculous. Not because they oppose the idea, but because huge swaths of the internet run on people doing something for free -- and they'll just do something else if governments begin threatening them
That's a decision a lot of governments and organizations are fine with.
OSS where maintainers are hired by sponsor organizations is already the norm, and government-backed OSS is becoming increasingly common in the EU and much of Asia.
Hobbyists who don't wish to comply can region gate within their license - that solves your liability risk and will keep regulators happy.
I think it would be better to create a parallel economy of underground unrestricted distributions while encouraging everyone to openly flaunt the law, and simultaneously fighting via lawfare and media. But maybe that’s just me!
If you are fine taking the legal liability and are open to civil and criminal prosecution, go right ahead.
Western jurisdictions tend to cooperate on extradition as well, and American free speech laws are significantly more expansive than those in the EU, Canada, or ANZ so taking a principled approach wouldn't be a viable defense if you decided to go and incite via that route.
Fine by me, I’m willing to fight. The freedom to compute is one of our most fundamental freedoms, connected inherently with freedom of thought and speech. Cowards like you don’t deserve the benefits you enjoy, and you will surely complain about their absence when they are gone!
This is not the first time I read comments from you, I just want to tell you you're probably one of the most annoyingly, reasonably correct person I read. And take it as a compliment, because each time I disagree with you I have to look at my position because I fear being on the wrong side of the argument (which is probably what I find annoying. I want to be unreasonable sometimes!).
This isn't just a kernel thing. Expecting volunteers to dump time into compliance is ridiculous. Not because they oppose the idea, but because huge swaths of the internet run on people doing something for free -- and they'll just do something else if governments begin threatening them.
Europe realized this with their new infosec liability regulations. If you're giving your labor away, you're not liable for your software; if you're making money off your software, step up and do better. Maybe California and the others should learn more from the EU.
> Expecting volunteers to dump time into compliance is ridiculous.
Exactly, so any distribution that relies on volunteers will likely include a region-locking clause in their documentation (which may or may not be a GPL violation)
Many big distributions (Ubuntu, Suse, Fedora) are sponsered by big tech companies, and are not maintained by volunteers.
>Who is paying FOSS devs who will be implementing this?
honestly if they let it be known they'd do it for payment the same person who's paying off the politicians to push this through would probably pay them too.
Work on a standardised solution has already been done and proposals are already being discussed. Things aren't moving as fast as they could be because every time something like this hits a front page somewhere a bunch of people have to come in and comment that they dislike the law, but the people behind open source projects don't seem to be bothered by the time they need to put into this. Their employer is probably just paying them to do so anyway.
Linux desktops already have APIs for profile management. This is just another field to add to those APIs.
Very few core Linux desktop development is coming from hobbyists compared to the massive corporations maintaining Linux as a real option. Companies like Red Hat and System76 isn't going to drop California as a customer base to make a statement that no politician will ever listen to.
A number of distros (even some large and well known ones) have signaled noncompliance or do not believe they are impacted due to technical reasons (Gentoo) or jurisdiction (OpenBSD, NixOS). Other US distros are not yet signaling agreement because of uncertainty regarding different laws in different states/countries and potential legal challenges. This is not set in stone and it’s still possible to present a united front of noncompliance.
To be fair, "it's just a fucking hobby" no longer being an excuse has been a long time coming, much in the same way that driving cars or flying airplanes started as just a hobby but became no longer one when practicing it had outsized consequences to non-practitioners.
Signed, someone who notes frequently that the default apache configs probably put a web developer in violation of the GDPR (since if you just left on collecting IP addresses for no reason, you are de-facto not collecting them for "network security.")
You’re arguing against freedom of computing, itself an extension of freedom of thought and freedom of speech. These laws are an attempt to regulate not just what you do with your computer, but how it operates. This is fundamentally an attack on rights and freedoms, and if it goes unchallenged then it will expand into other areas.
Maybe that doesn’t move you; it seems like you don’t care much for personal liberties. (A Euro, go figure.) But this is America and we have constitutional guarantees here.
Freedom doesn’t flow one way though. Their GDPR example just gives freedom to non-state malefactors to impinge upon user freedoms. You’re crying about 1984 and they’re crying about Neuromancer. An age-old dilemma.
You have made some fascinating assumptions about the person you are addressing. I recommend refraining from that in the future and instead asking why a fellow American takes a position other than the one you hold.
Two guys built a website to try and help people curb their undesired sexual proclivities and because they were bad at security, their users' personal information (including their own logs of their sexual proclivities) is leaked. They will see no consequences other than "oops, oh well, I guess we're going to shut down our website now and, probably, build another one."
Why is that okay? We've de-facto operated as if it os okay for decades under a notion of "user beware," but that notion is increasingly incompatible with the goals of treating Internet access as a human right because if you let everyone on, you are definitely letting people on who lack the capacity, knowledge, or savvy to beware. And we lack a framework for holding "two guys who just told the world how often you jack off" accountable for their violation of confidentiality.
Individual users become nodes in botnets. Individual users have their identities compromised. Individual users are talked into being kidnapped by anonymous victimizers. Individual users are, increasingly, everyone's concern the moment they connect to a shared network. And, perhaps most significantly to this topic: the Internet does not distinguish between two guys building a hobby app and a professional service.
This specific notion, age-gating access, may not be the right step. But we should be a lot more serious about taking more than zero steps. The time of effing around and pretending there are no consequences to these technologies is over.
If you’re an American and you want to change this, feel free to propose and pass an amendment. That’s the allowable process for changing what the government can and can’t do regarding individual rights.
Edit: removed part of my comment because misunderstood your rambling point about that website, and I guess I have no idea how it relates to OS regulation. Websites are not operating systems. Your ability to tell me how I run my systems stops at my door, especially if I’m not hosting commercial services. Again, that’s just a question of fundamental rights.
Conversely, you're an American and you want to change this, feel free to propose and pass an amendment that makes regulation of OS as a product the concern of the federal government, as opposed to (as per the 10th Amendment) a state government concern. These regulations are state affairs for the same reason that glyphosate is known in the state of California as a carcinogen (but not other states). Product standards are, generally, a state-level concern. I agree this is inefficient, but the burden to modify the Constitution is on those who would change that inefficiency.
I appreciate the grace in taking a step back on my other comment; I phrased it poorly. Here's my point in better summary: I think we have an issue right now where our hobby has two things that are true that have significant negative societal outcomes. And to be clear, I'm primarily responding to this comment: "Who is providing them with legal indemnification since they are now apparently subject to fines for a fucking hobby if they do it wrong?" Because the answer to that is "If these things are true, it doesn't matter."
1. There is very little daylight between professional and hobby coding. That has been one of its virtues: a person with the right idea can garage-hack way into becoming Fark, or Slashdot, or Craigslist. But the flipside of that coin is that a kid messing around in their garage can cause real consequences for real people they will never even meet. How many websites are falling over from people experimenting with AI crawling right now (at disregard for the existing best-practices for crawling)?
2. A lone actor misusing the machine can have large-impact consequences on strangers. A kid in their basement doing script-kiddie garbage can exfiltrate confidential data, steal someone's electricity to mine Bitcoin, or even just wreck their machine remotely, for fun. A lone actor with no malicious intent but simple negligence can drop a machine on the Internet with all the ports open and become a botnet node. When we have sitautions like that in the past, we often use licensure to ensure some minimum standard of care when using the shared resource.
In fairness, what may want to be licensed here is using the Internet, not installing an operating system. I think that's a fair point and state governments trying to move the issue to the OS, not network-connectivity level, are making a mistake.
State governments cannot pass laws that violate freedom of speech. Code is (written) speech, despite attempts to attack this.
If you want to push really hard, we can come up with something extremely verbose (worse than COBOL) that is VERY obviously speech. “Define a variable named x. Set the value of x to 3. Add the value of y to x.”
Outcomes take a back seat to rights. Bad outcomes are sometimes the inevitable consequence of liberty.
If you want to try and license use of public Internet infrastructure, like public roads, go ahead. But most of the Internet is private. Free association and free speech rules, regardless of the occasional difficulties it creates.
Code is speech, but installing an OS someone else wrote on hardware you own is not code.
I think you're making a good argument for why the regulation should be at the network-connect level and not the OS-account level, though, if the real issue is that networks are a shared resource with consequences for other people (which seems to be the issue). At that point, the OS collecting the data is just a convenience to satisfy the requirement for network access, not something that needs to be mandated.
> most of the Internet is private
True, but automotive licensing still applies to one's right to operate a vehicle on turnpikes. I believe the analogy here is that you might not need a license to set up an intranet.
> True, but automotive licensing still applies to one's right to operate a vehicle on turnpikes.
I wonder if this has ever been challenged? Driving on most private roads does not require a license or even a tag.
My rough understanding is that turnpikes are a special case because they were established by legislative charter, but it would be interesting to see the specifics. I don’t know much about the legal history.
> But we should be a lot more serious about taking more than zero steps
No, we shouldn't. There is no inherent need for government regulations in every part of our lives, let alone a computer. Sorry to be flippant, but this idea that everyone needs to have a "serious conversation" about something is laughable and inevitably leads to mountains of government legislation with unintended consequences.
Thanks, but no thanks. We should resist all of this bullshit and try not to become Europe 2.0 where it's illegal to offend people with your speech because some idiot thought that'd be "reasonable" regulation.
You still need legal standing for a civil case and the defendant isn't being threatened with jail time or men with guns. Yes, frivolous cases are a thing but it's both unlikely (because money) and not in the same league as criminal prosecution.
Stuff like the clean air act says that you don't. That's why "physicians for a healthy environment" were able to sue the diesel brothers for emissions delete hardware despite the fact they weren't able to point to standing for $760,000 in damages to themselves, unless by some insane legal stretch you want to argue literally everything anyone does has a tiny effect on you thus you have standing because a few molecules of whatever that actor did floated to where you are. In the end they even managed to put a "diesel brother" in jail despite the fact that a judge who examined his circumstances of being jailed for 'civil contempt' were bogus.
The consequences of the Wickard v. Filburn mistake will continue to haunt us until that decision is finally overturned. (Slightly different area of the law but similar principle.)
Even if the federal government won't sue, state and other jurisdictions could. The Diesel Brothers also ran afoul of Utah’s State Implementation Plan of the CAA. This whole story is about state law.
This is a good point, but even so, state governments also can’t override freedom of speech. Especially with small FOSS hobby projects, it’s hard to make an argument for regulation on commercial grounds.
What they really fear is general purpose computers that can run free software (free as in not enslaved) without approved backdoors and vetted gatekeepers. Cyberpunk dystopia is coming and is enabled by smartphone cartel: phoneposters don't care what's going on.
Simple:
the fail2ban jails need the logs to keep the bots away, that prevent a proper operation.
Thus it is technically necessary.
And this is explicitly allowed as part of the GDPR.
On the other hand, nobody can help a clueless web dev.
> driving cars or flying airplanes started as just a hobby
Those still are hobbies, you just need a license for it now. Which makes sense since crashing an airplane is a bit more devastating than crashing a computer. But most hobbies don't need a license and aren't a danger to others.
I think we've reached a point where we're really turning our heads and squinting away from reality if we think that computing is a hobby that no longer poses danger to others.
A person using their own machine can hack all manner of other people's machines without their consent. On the flipside, a person who is not even malicious, but negligent, can configure a machine on the open internet with open ports and become part of a botnet in a half-hour. Perhaps these behaviors imply a level of responsibility that suggests licensing to use the shared resource that is "The internet" is appropriate.
And a person using their pen can hack other people's brains, yet free speech is more important.
I think manufacturers being required to provide longer security update support against hacks etc would be more helpful than violating privacy and restricting access to "protect" people.
The amazing protective walled garden of mobile devices has mostly caused people to even forget what filesystems are and normalized subscriptions for the most basic things. A license for internet access or whatever would be an incredibly bad idea for anyone but abusive governments and corporations.
We do, in practice, impose all manner of limitation on free speech while still maintaining the sanctity of that right. Lying in a professional capacity is fraud and punishable even though it's "just words." Being wrong as an engineer or lawyer can cost you your license to practice (as an engineer, even if you never turned a wrench but your directions to build the thing were flawed beyond the reason of the standards of the profession). "Wire fraud" is an aggravation atop regular fraud.
These protections could go further, but they haven't. Why is it just "okay" that someone can call you up on the phone and convince you that your loved one is in mortal peril and you have to wire money to them right now? Why is the party transiting that fraud or providing the wires connecting entire fraud offices to the global telephonic network not responsible for enabling that attack?
> Why is it just "okay" that someone can call you up on the phone and convince you that your loved one is in mortal peril and you have to wire money to them right now?
It is not okay and is in fact a crime. Making it more illegal by forbidding access mainly hurts normal users of the network.
> Why is the party transiting that fraud or providing the wires connecting entire fraud offices to the global telephonic network not responsible for enabling that attack?
Same reason the electric grid is not responsible because it powered the phones, and water is not responsible for generating its electricity in a power plant. The phone network is a medium for communication, and so is the internet. And they can be abused just like air as a verbal communication medium between a scammer and a victim can.
> We do, in practice, impose all manner of limitation on free speech while still maintaining the sanctity of that right.
And we do impose legal limitations on online scams while still maintaining access to the internet. What more do you want?
Age verification passes? Now not only would extra costs be added for users to verify their age, that sounds like an age verification passes is a form factor that could easily be resold to someone else.
> liqour stores and porno shops, for example, who already seem to do an acceptable job of checking ID without destroying people's privacy
The difference being, of course, that as an adult one can simply refrain from frequenting a liquor store or porno shop if one chooses not to.
It's not practical to refrain from using a computer while participating fully in modern society. The UN has indicated Internet access to be a human right.
How is it misleading? It says "nanny state vs. Linux", in second paragraph says "several states in the US", then mentions EU and Brazil and California is mentioned first in seventh paragraph. It's not about California.
One thing will lead to another; if we let them have this now, they'll demand verification next - "closing the loophole", some ambitious politician will claim.
> The real problem is this hodgepodge of laws; it's the growth of the surveillance state. From voting rights in the United States, facing Trump's Orwellian-named SAVE America Act, to Ring's doggie tracking system that can also be used to follow people, to Trump booting Anthropic to the side for refusing to allow its AI tools to be used for mass surveillance, privacy is on the decline.
I understand it is popular to pick on the current administration, and there are plenty of rightful reasons to, but let's not forget this has been happening way before either of Trump's terms (see: KYC laws). The only difference between then and now is that current administration has essentially taken a mask-off approach, so we get to see this discussion finally brought up by mainstream media outlets.
I don't think it's unique to America either. It's just the ebb and flow of the envelope of possibilities for central governance as technology and culture changes. FATF has managed to implement KYC worldwide, even in banana republics at least for the peasant without connections.
You're not wrong, but there is a huge difference between moving US government regulated currency to (possibly) foreign and (possibly) nefarious actors, and this.
Ever since KYC was extended to cover cryptocurrency exchanges, I have given up any faith in that this is solely about regulated currencies, or money laundering at all.
I don't understand this position. Cryptocurrency exchanges are the primary legal touch point (fiat offramp) for a lot of criminal activity. Of course they will get attention for AML.
I can understand the regulation of fiat/crypto exchanges, but the verification extends to centralized exchanges that merely facilitate exchanges one kind of purely virtual currency for another, neither of which have to be recognized as legal tender.
I didn't know those existed, and so I kind of see your point.
The counterpoint is that if your job was to prevent/punish financial crimes that affect consumers, would it make sense to ignore these exchanges?
Heck, if M:TG cards were the medium, and they could be moved across international borders with a few keystrokes, then surely those would be watched too.
I won't argue that it's not privacy-invading for legitimate customers, but if the legal structure allows it, regulators have an obligation to look where the problems are expected to be.
If my job was to promote open source software it would make sense to ban proprietary software. That doesn't mean I should actually be allowed to do that.
RMS was right, again. He called it decades ago in "The Right to Read". It must be extremely frustrating to see all this and know what changes need to be made to stop it and then have it happen anyway. Over and over.
Next step after age verification through ID will be making sharing of computer with others illegal. And Right to Read was already written back in 1997:
I really should do that, plus GNU needs to decide whether or not to comply with these laws (GNU is an operating system, albeit an unconventional one with 2 kernels)
> Jef Spaleta, the Fedora Project leader, isn't sure of the legalities, but he thinks it might be as simple as mapping "uid to usernames and group membership and having a new file in /etc/ that keeps up with age."
Personally I think Linux distros should ignore this law and put a disclaimer on their download sites. I expect OpenBSD will do just that. If Linux decides to make this a requirement, I guess I know what OS I will move to next.
Anyway, Instead of a new file, there are optional fields in /etc/passwd that can be used for "age". These fields can be added as comma separated fields. But, maybe he is thinking of making the new file readable only by root ?
Many parents will not be proactive in protecting their children online and I think this is a legitimate societal problem. The idea of algorithmic feeds for adult content that descend into increasingly "engaging" depictions is something I find horrifying.
I do not want my kids to experience those "loss of innocence" moments too soon by letting their curiosity lead them into things they are not equipped to confront yet. Hell, I still have those moments as an adult on occasion.
There has to be steps we can take as a society to address these legitimate challenges ourselves so that governments can no longer hide behind them in tinkering with mechanisms for stability and control. Maybe a "sunlight disinfects" approach.
I want my kids exposed to the brutal realities of the world asap.
I reflect that my innocence caused me to make some extreme major mistakes as a young adult that took a decade to show itself. I cannot go back, and now I am suffering terribly.
I blame my parents at least a little bit, but I blame western idealism more majorly.
I am intrigued by this. I have long thought that exposing children to optimism and "what could be" allows them to envision a world different from our own. Kind of like how once you're in capitalism it's hard to think of alternatives.
I've always found it strange how Americans like to validate their ideals using their kids as vehicles. Instead of teaching kids how to be successful in a less than ideal world, we teach them our ideal view of the world. Like teaching kids violence is never the answer, instead of sometimes a situation does call for violence. We raise kids for a world that doesn't exist. It's up to the kid/adult to unlearn those obviously bogus ideals after they make contact with the world. It's just odd how we're so practiced at setting up our children for less success in the real world.
I mainly said America because I only feel qualified to speak on America. But I do think there is something uniquely American about seeing the march of "progress" as an ultimate ideal and stagnation in any form as a defeat. Economic and social progress is basically a founding ideal of American society and is a major driver of our success over the centuries. It permeates our culture in so many ways, e.g. the idea that your kids should have it better than you. So shaping the next generation by way of shaping the views of your kids, despite the potential mismatch between the ideal and the reality is seen as just a part of the march of progress.
randusername's comment from upthread bears witness to this to a large degree.
I think we do a little too much of this and end up hiding the way the world really is from kids who grow up middle class. So their politics and ethics suffer. The kids could arguably be better adjusted when naive but we aren't doing ourselves any favors in the long term.
If my old man slapped me on the back at 13, called me a man, and made me scroll through the morbid reality subreddit and do a book report on the Nanjing Massacre or My Lai I think that would be really damaging.
I think the stories we tell our children about the world, naive as they can be sometimes, tell us a lot about what we value in our societies and the ways in which we hope future generations will surpass us in overcoming our own failings. Everyone has to learn later that the truth is messy, yet the existence of brutality doesn't disqualify idealism and goodness.
I don't mean to imply that I'm denying your experience, but for most people, I hope, cynicism is temporary response to the disillusionment of the complexity of the world and not a persistent worldview.
It seems to me that this is a parental responsibility. Understandably, we have shifted increasing amounts of those on to the state. However, there are fireplaces, stoves, drills, and other power tools at home. Is the state responsible for children getting into those?
> It seems to me that this is a parental responsibility.
That's the point of the California law and similar laws in other states. It requires operating systems to implement a simple mechanism that parents can use to specify an age range on a child's account, and to provide a way for apps that that need to know if they are being used by children to ask for that information.
They probably omitted it because it is irrelevant. It says (according to the title of the Reddit post...the body has been removed) Meta is supporting laws to collect more data, which they profit from.
The Register article is about laws that were specifically designed to not give Meta and their ilk anything more than an unverified age bracket. The age reported is whatever the person who set up the account on the computer said to report.
I started using Linux when I was in high school. I got my first job years later because I knew my way around Linux much better than other candidates. My OS never tried to track my age to prevent me doing what I wanted. I used to live in one of these places where OSs should report user’s age and I am glad my kid will grow up in one that doesn’t (yet?).
I guess going forward if you are under 18 and want to learn programming and not be harassed by the government you have to go back to having and offline only computer and stack of o'reilly books?
Soon programming will itself require a license. Only government approved individuals will be able to write code. CPUs will only boot software signed by the government.
"Software engineering" is one of the few large practices with 'engineering' in its name that has no mechanism for license granting and revocation for violation of professional standard.
That's not what is happening here, but we might see that happen in our lifetimes. Hopefully before someone writes the software that kills enough people to necessitate licensing, not after (since generally, such outcomes are how licensing comes into being).
You could argue that we have security licenses (eg SOC 2), however I don't think it actually succeeds in making software safe. I think software is hard because unlike a bridge, which is built with limited scope and the risk is known when it's designed, software grows to become load bearing without us really realizing it. Eg CrowdStrike, I never would have assumed that an outage could affect so much of the world.
12 year old me would have sold their skateboard AND their bike to have a magic Patiently Explain Anything And Everything To Me robot instead of the mostly-impenetrable-to-my-tween-brain software engineering books I had access to in my town.
Totally inaccurate. The actual technical requirement is to add a self-reported age field to user creation flows, and that the value selected be made available to applications.
But let's just pretend something totally different is happening. It's more exciting that way.
And well, the law represents an intent.. if self-reporting won't work (obviously won't), then the scenario where PCs end up as locked down as smartphones is not far fetched.
The overwhelming majority of programmers likely cut their teeth on computers as kids. Any attempt to restrict computer access to 18+ will only handicap American programmers in the job market.
They require that when the administrator of the computer sets up an account for a user the admin can enter an age or birthdate for the user, and that the OS provides an interface so that apps that user runs can ask based on that admin provided information what age bracket the user is in ([0,13), [13,16), [16,18), [18,∞)).
Apps that need to make age based decisions can use that information.
When I was very young I installed OpenSUSE on my underpowered windows PC, it was really a hacker man experience that is engraved in my mind as a core memory. As a child I just thought it was cool to have a new and faster desktop, but as I've grown older I've stayed with Linux for its ideas and principles. Hopefully these laws can be overturned...
This is all just unenforceable theater. Are they going to jail or fine open source developers if they create an OS that doesn't support the requirements? Are they going to do customs checks for OSs? Firewalls?
These kinds of laws just seem like unworkable messes to fool the tech ignorant into thinking they care about kids.
Application side I get, there is an entity there running the application, that can be fined or banned or what have you. But software itself? No.
functionmouse | 6 hours ago
iamnothere | 6 hours ago
FOSS (and frankly all systems that don’t use walled garden commercial app stores) should be exempted from this, at a minimum.
forinti | 6 hours ago
dd8601fn | 6 hours ago
It’s much safer than what some idiotic states are doing (like upload your photo id to services where it gets stolen).
The idea is a parent or guardian is probably setting up a device. They make a user account for their kid and specify a user age. The OS then can supply one of four age brackets to service providers.
iamnothere | 6 hours ago
Before now, nobody has ever tried to legislate how an OS should work. This is unprecedented and unconstitutional.
gzread | 4 hours ago
There are already laws about OSes, that they shouldn't spy on you and so on.
iamnothere | 4 hours ago
gzread | 4 hours ago
iamnothere | 4 hours ago
Ok, so you’ll say that it just applies to operating systems even though it’s not explicitly mentioned. Show me where the ADA has been used successfully in a lawsuit against an OS developer for the construction of their OS. I’ll wait!
gzread | 4 hours ago
iamnothere | 3 hours ago
(2) “Covered application store” does not mean an online service or platform that distributes extensions, plug-ins, add-ons, or other software applications that run exclusively within a separate host application.
(f) “Developer” means a person that owns, maintains, or controls an application.
(g) “Operating system provider” means a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device.
...
1798.501. (a) An operating system provider shall do all of the following:
(1) Provide an accessible interface at account setup that requires an account holder to indicate the birth date, age, or both, of the user of that device for the purpose of providing a signal regarding the user’s age bracket to applications available in a covered application store.
(2) Provide a developer who has requested a signal with respect to a particular user with a digital signal via a reasonably consistent real-time application programming interface that identifies, at a minimum, which of the following categories pertains to the user:
&c.
So yes, OSes are mentioned directly. The lawsuits will only come after it goes into effect.
gzread | 2 hours ago
iamnothere | 2 hours ago
NoraCodes | 6 hours ago
I am not arguing that this is a good idea, but it is simply false that the law requires that Linux 'check kids' IDs before booting'.
The New York law is worse, and should be opposed, but the article only mentions it at the end - and even then, we actually don't know what the verification mechanism would be. I've heard a proposal that "age verification passes" be sold at liqour stores and porno shops, for example, who already seem to do an acceptable job of checking ID without destroying people's privacy.
g947o | 6 hours ago
But anyone from 10 miles away could see what's going to happen next.
gzread | 5 hours ago
Like if I said "Yes, the university reserves the right to expel students who defecate on the teacher's desk. But we all know where this is going." that'd be pretty crazy, wouldn't it?
xboxnolifes | an hour ago
So yes, we all know where this is going.
nszceta | 6 hours ago
EGreg | 6 hours ago
For minors, we have this lovely law coming in NYC: that will broadcast to everyone that you’re a minor: https://www.nysenate.gov/legislation/bills/2025/S8102
But let’s talk about around the US. For example, all cars manufactured in 2029 and onward will be required to have a built-in alcohol detector / breathalyzer and to shut down and not let you drive if they detect your blood alcohol level is too high: https://www.clear2drive.com/the-pass-act-explained/
And in 2027 — next year — new cars are required to watch where you are looking, how much you’re blinking or nodding and alert authorities if you aren’t alert enough: https://www.gadgetreview.com/federal-surveillance-tech-becom...
And it’s not just the US government. That phone in your hand? Governments have mandated tha all vendors preinstall spy software, filters and apps on it, that are not removable: https://www.aclu.org/news/privacy-technology/government-mand...
Also these phones no longer shut down when you shut them down. They continue operating and sending telemetry so the government can eventually know where they are at all times. https://android.stackexchange.com/questions/228682/why-do-ce...
This is in addition to the interlinked CCTV cameras that are the norm in various cities (eg in the UK), new Flock cameras in US, etc. But the government doesnt even need Flock or Ring to cooperate. They have plenty of their own housing programs to install thousands of cameras to spy on citizens 24/7, and can now deploy AI to sift through it all. Here in NYC we already have the lovely Domain Awareness System: https://nysfocus.com/2025/08/11/eric-adams-nycha-nypd-camera...
To sum up: the government can know what you’re doing at all times, with sensors in your car, mandated apps on your phone, cameras on your street, and soon, mandated telemetry sent by your operating system. Caretakers of kids are required to report anything to authorities and not let parents know, in case the department of child services might need to know. Every child is required to be vaccinated too, with lots of different vaccines.
I wouldn’t be surprised if toilet plumbing in every apartment in the future will be required to install a test for what you’re eating or drinking, to catch diseases early and for public health.
Looks like this short film is a documentary about our future, except with AI doing the snitching instead of humans: https://www.youtube.com/watch?v=vJYaXy5mmA8
rmast | 5 hours ago
“Once data prove the tech cuts drunk-driving crashes, insurers may trim rates.”
Why would any insurance company want to cut into their profits by reducing rates?
wat10000 | 5 hours ago
mothballed | 5 hours ago
EGreg | 5 hours ago
everdrive | 4 hours ago
wat10000 | 2 hours ago
alpaca128 | 4 hours ago
Undercutting the competition pays off when they're much smaller and you can eliminate them that way and subsequently raise prices.
wat10000 | 2 hours ago
If you've ever shopped for car insurance, it should be pretty clear that there isn't a cartel holding prices high. Prices differ substantially across insurers, and are influenced by many other factors as well. Premiums are much lower if you have a clean driving record and no claims, or if you drive a car that's cheaper to repair, or less likely to cause injury, or you're of an age/gender with less propensity to crash, or live in an area with less automobile-related crime. Why would they give you lower rates for these things when they could just keep the premiums high and collect more profits?
mothballed | 5 hours ago
Of course, there are cases like North Korea where you get the worst of both worlds (strong central government + not even a useful piece of paper limiting it).
bee_rider | 4 hours ago
That said, I don’t think I would like to live in a region governed by gangs or rebel groups, even if they probably don’t have the capacity to annoy everybody, the low odds of a catastrophic interaction with enforcement seems bad.
Noumenon72 | 5 hours ago
That's not much of a source -- a 100-karma user in 2020 based on "I've known this for a long time. A quick google confirms that many people think the same." I don't believe it is true.
Bender | 5 hours ago
I suspect the dark pattern this will lead to is user-maintained ISO's as was the early days of Microsoft. People would slip-stream in patches, applications, better default settings and in some cases, malware.
labcomputer | 4 hours ago
alphabetag675 | 6 hours ago
wongarsu | 6 hours ago
I don't think it's a very well thought-out law. But realistically this will end up as setting some env variable for your docker containers to assure them that you are 99 years old. And yes, maybe transmitting a header to docker hub that you are 99 years old. Probably configured via an env variable for the docker cli to use. It's stupid, but nothing a couple env variables wouldn't comply with
The real issue is when the law inevitably gets expanded to get some real teeth, and all the easy workarounds stop being legal
whywhywhywhy | 5 hours ago
bee_rider | 5 hours ago
Edit: as folks have pointed out, the attacking application doesn’t actually have to be running while the age-transition takes place. The attacker just has to have logs from before and after the age transition, and then they can narrow the birth-date down.
AlotOfReading | 5 hours ago
bee_rider | 5 hours ago
I mean, the app can query on a weekly basis, and then if you go from “under 18” to “over 18” it knows the week that you were born in. But, if the user was already an adult when the logging started, there isn’t a transition to go off.
pas | 5 hours ago
bee_rider | 5 hours ago
I think the intent was for the OS to know the user age, but only provide an age range, so it could automatically upgrade people as they aged (but I could be wrong about that).
bigfishrunning | 5 hours ago
wongarsu | 5 hours ago
bee_rider | 4 hours ago
I think this is the big vulnerability in the scheme. This information is easy to track and log, so it is basically equivalent in the giving away the DOB of everybody who is currently under 18 (at least, everybody who uses the system as intended). In the long run that’s everybody.
We could have a discussion about whether or not it would be fine for services to know every user’s DOB, but it is clearly giving away more information than the law intended.
> There is only one mandated bracket for everyone who's at least 18, preventing that attack on anyone who starts using your software after their 18th birthday.
I don’t think that fully recognizes the size of the problem, “using your software” is fuzzy. Companies get bought, identities get correlated, ad services collect and log more information than needed. I think it is better to assume the attacker will have logs of these queries from the start date of a person’s first account.
gzread | 5 hours ago
LtWorf | 4 hours ago
charlieo88 | 5 hours ago
browningstreet | 5 hours ago
parineum | 5 hours ago
vscode-rest | 5 hours ago
gzread | 5 hours ago
wongarsu | 4 hours ago
Most of the issues only arise because in the bill "operating system", "covered application store" and "application"/"developer" have very loose definitions that match lots of things where the law doesn't make sense.
kevin_thibedeau | 5 hours ago
slopinthebag | 5 hours ago
Which will happen. The road to hell is built one brick at a time.
GoblinSlayer | 5 hours ago
bee_rider | 5 hours ago
I honestly think the California law is well intentioned (in the sense that it just asks the OS to attest the age of the user, so, lawmakers probably thought this could be done in a privacy-preserving and minimally annoying fashion), but it seems very focused on desktop and cellphone use-cases.
gzread | 5 hours ago
GoblinSlayer | an hour ago
> These laws can, and almost certainly will, get worse. New York's proposed Senate Bill S8102A explicitly forbids self-reporting. The state Attorney General will decide how to enforce it. For example, to use Linux, you might need to submit a driver's license.
puppycodes | an hour ago
Great job politics!
Like lots of laws that are being written nowadays by octogenarians, aimed at strong arming bigger tech companies into designing things differently at the expense of everyone smaller which ironically ends up curtailing our basic freedoms, privacy, etc... even when the intent was otherwise.
Then again I have yet to meet a politician that actually cares as long as: "this looks good for my campaign".
Regulating big platforms that affect billions of people is one thing but I really wish they would write laws actually discriminating between those platforms and everyone else.
soulofmischief | 6 hours ago
Arguments like this one are why the authoritarian ratchet continues to turn unimpeded over time.
wat10000 | 5 hours ago
If your slippery slope argument can't withstand a simple statement that something is at the top of the slope, it's not much good.
slopinthebag | 5 hours ago
Next thing you know you've walked 100 miles and it's too late to turn back.
[0] https://en.wikipedia.org/wiki/Useful_idiot
wat10000 | 5 hours ago
soulofmischief | 5 hours ago
gzread | 5 hours ago
The slippery slope argument says that open source software is a stepping stone to a world where all commercial activity is banned. Should we therefore oppose open source software?
slopinthebag | 4 hours ago
> The slippery slope argument says that open source software is a stepping stone to a world where all commercial activity is banned.
No it doesn't.
gzread | 4 hours ago
Yes, it does.
soulofmischief | 4 hours ago
And your provided "slippery slope argument" is just a straw man argument. No one in this thread made that argument. The slippery slope is the authoritarian ratchet.
If you want to restrict your kid's access to the internet, install software that does that. I think in 2026, when kids have personal devices, key word "personal", meaning there is an expected level of privacy we should respect, effective insulation against the bad parts of the internet will not be achieved through software. Meanwhile, this legislation will be used to prevent children from turning into organized free thinkers.
kevinh | 3 hours ago
jmholla | 3 hours ago
soulofmischief | 2 hours ago
eudamoniac | an hour ago
m132 | 6 hours ago
> These laws can, and almost certainly will, get worse. New York's proposed Senate Bill S8102A explicitly forbids self-reporting. The state Attorney General will decide how to enforce it. For example, to use Linux, you might need to submit a driver's license.
LtWorf | 6 hours ago
quesera | 5 hours ago
Anyone who tells you differently is lying or ignorant.
linksnapzz | 5 hours ago
duskdozer | 5 hours ago
quesera | 5 hours ago
Some people think disenfranchisement is bad. Others see it as useful.
Specifically, PartyB thinks those people with inadequate ID skew toward PartyA voters. This has been the accepted wisdom for decades. So they are incentivized to make it harder for them to vote.
Interestingly though, PartyB might be wrong about the current population. PartyA, and those against disenfranchisement and imaginary crises in general (I count myself in this third group), do not want to blow up centuries of precedent especially if the consequences are likely to be undemocratic and unfair.
anonymousab | 5 hours ago
Luckily, this problem is wholly solved via selective enforcement.
mothballed | 5 hours ago
How is it that you don't need an ID to exercise the rights of voting 'citizens', but you need one to exercise the right of 'people'? Consider that virtually all 'citizens' are also 'people', and even if you argue they are not, the portion of voting citizens that aren't 'people' is inconsequential compared to the supposed "10%" that can't muster an ID.
It's almost as if both sides of the argument are just using logically inconsistent arguments that just aligns with whatever gets the voting demographics they like. In fact, Vermont is the only state I know of that gives both full rights of citizens and full rights of people to those without ID in a manner consistent with the anti-ID argument usually presented.
quesera | 4 hours ago
Consequences of errors with guns are higher than with voting, because elections are audited and mistakes and fraud are found and reversed.
You cannot helpfully audit misuse of guns, after the fact.
mothballed | 4 hours ago
But lets accept your premise as true.
You're proposing something like rank-stacking the risk of various rights of citizens and people and if they're high enough on the stack it's OK to to ID and if they're lower maybe it's not OK. That seems to move the goalpost quite a bit from your prior argument.
quesera | 4 hours ago
This happens before the winners are certified, and before they're given the ability to drop bombs.
I don't understand your confusion.
In the US, ACH transactions are reversible and trusted throughout the nation. Bitcoin transactions are not, and are not. This seems parallel to me.
wat10000 | 5 hours ago
jasonlotito | 5 hours ago
Giving you the benefit of the doubt regarding the intent, why would anyone support a measure that demonstrably does not achieve what it intends, but instead denies you the right to vote?
LtWorf | 5 hours ago
quesera | 5 hours ago
This is how we know how extremely few problems there are, and how we catch the accidents (which are backed out, hence the delay between voting and election certification), and the fraud (which is extremely rare but of course also backed out).
wat10000 | 5 hours ago
In any case, voting is substantially more intrusive. You must register with your full name and address, which is made public record. Each time you vote, that is also made public record (not who you voted for, but the fact that you voted). In states with closed primaries, your party membership is public record. In states with open primaries, it's public record which party's primary you vote in. It's way more invasive than a text box in your computer's account setup screen that asks for your age.
bigstrat2003 | 5 hours ago
jasonlotito | 5 hours ago
wat10000 | 2 hours ago
iamnothere | 5 hours ago
alephnerd | 5 hours ago
Most Linux maintainers are employed by Google, IBM, Facebook, and other similarly sized organizations.
> Who is making CA the only jurisdiction instead of the myriad contradictory laws all over the place
The US is a federal system. It's part of our checks and balances.
> Who is stepping in to make sure no additional legislation comes across regulating how FOSS has to include backdoors or weaken encryption
No one. This is why organizations with actual security requirements do their own dependency checks.
iamnothere | 5 hours ago
The law apparently seems to target the packager/distributor of the distribution. Many small distros are hobby distros!
> The US is a federal system. It's part of our checks and balances.
Nonsensical answer. Different states are passing different requirements that often contradict each other. This is going to be a nightmare.
> No one. This is why organizations with actual security requirements do their own dependency checks.
So you’re saying that we should expect those laws too? Because before now “code is speech” has ruled, and the US government have not been able to be so invasive about how computers should work. If this is the direction we’re headed in, we need to organize and fight like hell.
alephnerd | 5 hours ago
Then region lock. You don't have to support California or NY or ...
> Different states are passing different requirements that often contradict each other. This is going to be a nightmare
Create regional feature flags or region lock. It's a solved problem.
> So you’re saying that we should expect those laws too
They already de facto exist contractually speaking.
> Because before now “code is speech” has ruled, and the US government have not been able to be so invasive about how computers should work
The mindset around tech regulation shifted after the 2016 election and Jan 6th. The maximalist tech civil libertarian view on privacy was an anomaly from the late 1990s to early 2010s when tech was viewed as inconsequential.
The 2016 election and Jan 6th showed otherwise.
---
The overlap between Linux daily drivers and "voters who can flip an election in California, NY, or <insert_state_here>" is nonexistent.
This also appears to be a front-run at reducing the risk of an Australia-style regulation being proposed.
Edit: can't reply
> Europe realized this with their new infosec liability regulations
European organizations (from private sectors to government agencies) sidestep this by contractually mandating SBOM and dependency requirements.
You end up with the same result, but it's essentially regulated via contracts instead of the law.
> Expecting volunteers to dump time into compliance is ridiculous. Not because they oppose the idea, but because huge swaths of the internet run on people doing something for free -- and they'll just do something else if governments begin threatening them
That's a decision a lot of governments and organizations are fine with.
OSS where maintainers are hired by sponsor organizations is already the norm, and government-backed OSS is becoming increasingly common in the EU and much of Asia.
Hobbyists who don't wish to comply can region gate within their license - that solves your liability risk and will keep regulators happy.
iamnothere | 5 hours ago
alephnerd | 5 hours ago
> But maybe that’s just me
If you are fine taking the legal liability and are open to civil and criminal prosecution, go right ahead.
Western jurisdictions tend to cooperate on extradition as well, and American free speech laws are significantly more expansive than those in the EU, Canada, or ANZ so taking a principled approach wouldn't be a viable defense if you decided to go and incite via that route.
> fighting via lawfare
That is being done.
> and media
You heard about it via the media.
iamnothere | 5 hours ago
orwin | 4 hours ago
NegativeK | 5 hours ago
> You don't have to support
This isn't just a kernel thing. Expecting volunteers to dump time into compliance is ridiculous. Not because they oppose the idea, but because huge swaths of the internet run on people doing something for free -- and they'll just do something else if governments begin threatening them.
Europe realized this with their new infosec liability regulations. If you're giving your labor away, you're not liable for your software; if you're making money off your software, step up and do better. Maybe California and the others should learn more from the EU.
bigfishrunning | 5 hours ago
Exactly, so any distribution that relies on volunteers will likely include a region-locking clause in their documentation (which may or may not be a GPL violation)
Many big distributions (Ubuntu, Suse, Fedora) are sponsered by big tech companies, and are not maintained by volunteers.
whywhywhywhy | 5 hours ago
honestly if they let it be known they'd do it for payment the same person who's paying off the politicians to push this through would probably pay them too.
alephnerd | 5 hours ago
LtWorf | 4 hours ago
GoblinSlayer | 5 hours ago
jeroenhd | 5 hours ago
Linux desktops already have APIs for profile management. This is just another field to add to those APIs.
Very few core Linux desktop development is coming from hobbyists compared to the massive corporations maintaining Linux as a real option. Companies like Red Hat and System76 isn't going to drop California as a customer base to make a statement that no politician will ever listen to.
iamnothere | 5 hours ago
shadowgovt | 5 hours ago
Signed, someone who notes frequently that the default apache configs probably put a web developer in violation of the GDPR (since if you just left on collecting IP addresses for no reason, you are de-facto not collecting them for "network security.")
iamnothere | 5 hours ago
Maybe that doesn’t move you; it seems like you don’t care much for personal liberties. (A Euro, go figure.) But this is America and we have constitutional guarantees here.
Apocryphon | 5 hours ago
https://theonion.com/the-future-will-be-a-totalitarian-gover...
shadowgovt | 4 hours ago
Two guys built a website to try and help people curb their undesired sexual proclivities and because they were bad at security, their users' personal information (including their own logs of their sexual proclivities) is leaked. They will see no consequences other than "oops, oh well, I guess we're going to shut down our website now and, probably, build another one."
Why is that okay? We've de-facto operated as if it os okay for decades under a notion of "user beware," but that notion is increasingly incompatible with the goals of treating Internet access as a human right because if you let everyone on, you are definitely letting people on who lack the capacity, knowledge, or savvy to beware. And we lack a framework for holding "two guys who just told the world how often you jack off" accountable for their violation of confidentiality.
Individual users become nodes in botnets. Individual users have their identities compromised. Individual users are talked into being kidnapped by anonymous victimizers. Individual users are, increasingly, everyone's concern the moment they connect to a shared network. And, perhaps most significantly to this topic: the Internet does not distinguish between two guys building a hobby app and a professional service.
This specific notion, age-gating access, may not be the right step. But we should be a lot more serious about taking more than zero steps. The time of effing around and pretending there are no consequences to these technologies is over.
iamnothere | 4 hours ago
Edit: removed part of my comment because misunderstood your rambling point about that website, and I guess I have no idea how it relates to OS regulation. Websites are not operating systems. Your ability to tell me how I run my systems stops at my door, especially if I’m not hosting commercial services. Again, that’s just a question of fundamental rights.
shadowgovt | 2 hours ago
I appreciate the grace in taking a step back on my other comment; I phrased it poorly. Here's my point in better summary: I think we have an issue right now where our hobby has two things that are true that have significant negative societal outcomes. And to be clear, I'm primarily responding to this comment: "Who is providing them with legal indemnification since they are now apparently subject to fines for a fucking hobby if they do it wrong?" Because the answer to that is "If these things are true, it doesn't matter."
1. There is very little daylight between professional and hobby coding. That has been one of its virtues: a person with the right idea can garage-hack way into becoming Fark, or Slashdot, or Craigslist. But the flipside of that coin is that a kid messing around in their garage can cause real consequences for real people they will never even meet. How many websites are falling over from people experimenting with AI crawling right now (at disregard for the existing best-practices for crawling)?
2. A lone actor misusing the machine can have large-impact consequences on strangers. A kid in their basement doing script-kiddie garbage can exfiltrate confidential data, steal someone's electricity to mine Bitcoin, or even just wreck their machine remotely, for fun. A lone actor with no malicious intent but simple negligence can drop a machine on the Internet with all the ports open and become a botnet node. When we have sitautions like that in the past, we often use licensure to ensure some minimum standard of care when using the shared resource.
In fairness, what may want to be licensed here is using the Internet, not installing an operating system. I think that's a fair point and state governments trying to move the issue to the OS, not network-connectivity level, are making a mistake.
iamnothere | 2 hours ago
If you want to push really hard, we can come up with something extremely verbose (worse than COBOL) that is VERY obviously speech. “Define a variable named x. Set the value of x to 3. Add the value of y to x.”
Outcomes take a back seat to rights. Bad outcomes are sometimes the inevitable consequence of liberty.
If you want to try and license use of public Internet infrastructure, like public roads, go ahead. But most of the Internet is private. Free association and free speech rules, regardless of the occasional difficulties it creates.
Apocryphon | 2 hours ago
iamnothere | 2 hours ago
shadowgovt | 2 hours ago
I think you're making a good argument for why the regulation should be at the network-connect level and not the OS-account level, though, if the real issue is that networks are a shared resource with consequences for other people (which seems to be the issue). At that point, the OS collecting the data is just a convenience to satisfy the requirement for network access, not something that needs to be mandated.
> most of the Internet is private
True, but automotive licensing still applies to one's right to operate a vehicle on turnpikes. I believe the analogy here is that you might not need a license to set up an intranet.
iamnothere | an hour ago
I wonder if this has ever been challenged? Driving on most private roads does not require a license or even a tag.
My rough understanding is that turnpikes are a special case because they were established by legislative charter, but it would be interesting to see the specifics. I don’t know much about the legal history.
hypeatei | 4 hours ago
No, we shouldn't. There is no inherent need for government regulations in every part of our lives, let alone a computer. Sorry to be flippant, but this idea that everyone needs to have a "serious conversation" about something is laughable and inevitably leads to mountains of government legislation with unintended consequences.
Thanks, but no thanks. We should resist all of this bullshit and try not to become Europe 2.0 where it's illegal to offend people with your speech because some idiot thought that'd be "reasonable" regulation.
Apocryphon | 4 hours ago
hypeatei | 3 hours ago
mothballed | 2 hours ago
iamnothere | 2 hours ago
Apocryphon | 2 hours ago
iamnothere | an hour ago
GoblinSlayer | 4 hours ago
Their reason: https://www.aclu.org/news/privacy-technology/government-mand...
bee_rider | 4 hours ago
GuestFAUniverse | 4 hours ago
On the other hand, nobody can help a clueless web dev.
alpaca128 | 4 hours ago
Those still are hobbies, you just need a license for it now. Which makes sense since crashing an airplane is a bit more devastating than crashing a computer. But most hobbies don't need a license and aren't a danger to others.
shadowgovt | 2 hours ago
A person using their own machine can hack all manner of other people's machines without their consent. On the flipside, a person who is not even malicious, but negligent, can configure a machine on the open internet with open ports and become part of a botnet in a half-hour. Perhaps these behaviors imply a level of responsibility that suggests licensing to use the shared resource that is "The internet" is appropriate.
alpaca128 | an hour ago
I think manufacturers being required to provide longer security update support against hacks etc would be more helpful than violating privacy and restricting access to "protect" people. The amazing protective walled garden of mobile devices has mostly caused people to even forget what filesystems are and normalized subscriptions for the most basic things. A license for internet access or whatever would be an incredibly bad idea for anyone but abusive governments and corporations.
shadowgovt | an hour ago
These protections could go further, but they haven't. Why is it just "okay" that someone can call you up on the phone and convince you that your loved one is in mortal peril and you have to wire money to them right now? Why is the party transiting that fraud or providing the wires connecting entire fraud offices to the global telephonic network not responsible for enabling that attack?
alpaca128 | 3 minutes ago
It is not okay and is in fact a crime. Making it more illegal by forbidding access mainly hurts normal users of the network.
> Why is the party transiting that fraud or providing the wires connecting entire fraud offices to the global telephonic network not responsible for enabling that attack?
Same reason the electric grid is not responsible because it powered the phones, and water is not responsible for generating its electricity in a power plant. The phone network is a medium for communication, and so is the internet. And they can be abused just like air as a verbal communication medium between a scammer and a victim can.
> We do, in practice, impose all manner of limitation on free speech while still maintaining the sanctity of that right.
And we do impose legal limitations on online scams while still maintaining access to the internet. What more do you want?
GoblinSlayer | 4 hours ago
hamdingers | 5 hours ago
1. https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...
RobotToaster | 5 hours ago
Yet
rmast | 5 hours ago
shadowgovt | 5 hours ago
The difference being, of course, that as an adult one can simply refrain from frequenting a liquor store or porno shop if one chooses not to.
It's not practical to refrain from using a computer while participating fully in modern society. The UN has indicated Internet access to be a human right.
slashdev | 5 hours ago
phendrenad2 | 5 hours ago
a456463 | 5 hours ago
gzread | 5 hours ago
rebolek | 5 hours ago
marssaxman | 4 hours ago
m132 | 6 hours ago
I understand it is popular to pick on the current administration, and there are plenty of rightful reasons to, but let's not forget this has been happening way before either of Trump's terms (see: KYC laws). The only difference between then and now is that current administration has essentially taken a mask-off approach, so we get to see this discussion finally brought up by mainstream media outlets.
mothballed | 6 hours ago
quesera | 6 hours ago
m132 | 5 hours ago
quesera | 5 hours ago
m132 | 5 hours ago
shadowgovt | 5 hours ago
quesera | 5 hours ago
The counterpoint is that if your job was to prevent/punish financial crimes that affect consumers, would it make sense to ignore these exchanges?
Heck, if M:TG cards were the medium, and they could be moved across international borders with a few keystrokes, then surely those would be watched too.
I won't argue that it's not privacy-invading for legitimate customers, but if the legal structure allows it, regulators have an obligation to look where the problems are expected to be.
gzread | 4 hours ago
quesera | 4 hours ago
Your implied comparison of "promotion" vs "monitoring" makes zero sense though.
pelagicAustral | 6 hours ago
phendrenad2 | 5 hours ago
LtWorf | 5 hours ago
superkuh | 5 hours ago
big-and-small | 5 hours ago
https://www.gnu.org/philosophy/right-to-read.en.html
mghackerlady | 4 hours ago
hsnewman | 5 hours ago
jmclnx | 5 hours ago
Personally I think Linux distros should ignore this law and put a disclaimer on their download sites. I expect OpenBSD will do just that. If Linux decides to make this a requirement, I guess I know what OS I will move to next.
Anyway, Instead of a new file, there are optional fields in /etc/passwd that can be used for "age". These fields can be added as comma separated fields. But, maybe he is thinking of making the new file readable only by root ?
randusername | 5 hours ago
I do not want my kids to experience those "loss of innocence" moments too soon by letting their curiosity lead them into things they are not equipped to confront yet. Hell, I still have those moments as an adult on occasion.
There has to be steps we can take as a society to address these legitimate challenges ourselves so that governments can no longer hide behind them in tinkering with mechanisms for stability and control. Maybe a "sunlight disinfects" approach.
butILoveLife | 5 hours ago
I want my kids exposed to the brutal realities of the world asap.
I reflect that my innocence caused me to make some extreme major mistakes as a young adult that took a decade to show itself. I cannot go back, and now I am suffering terribly.
I blame my parents at least a little bit, but I blame western idealism more majorly.
hrimfaxi | 5 hours ago
hackinthebochs | 5 hours ago
hrimfaxi | 4 hours ago
hackinthebochs | 2 hours ago
randusername's comment from upthread bears witness to this to a large degree.
DangitBobby | 2 hours ago
randusername | 5 hours ago
If my old man slapped me on the back at 13, called me a man, and made me scroll through the morbid reality subreddit and do a book report on the Nanjing Massacre or My Lai I think that would be really damaging.
I think the stories we tell our children about the world, naive as they can be sometimes, tell us a lot about what we value in our societies and the ways in which we hope future generations will surpass us in overcoming our own failings. Everyone has to learn later that the truth is messy, yet the existence of brutality doesn't disqualify idealism and goodness.
I don't mean to imply that I'm denying your experience, but for most people, I hope, cynicism is temporary response to the disillusionment of the complexity of the world and not a persistent worldview.
forshaper | 5 hours ago
tzs | 4 hours ago
That's the point of the California law and similar laws in other states. It requires operating systems to implement a simple mechanism that parents can use to specify an age range on a child's account, and to provide a way for apps that that need to know if they are being used by children to ask for that information.
gzread | 5 hours ago
dv_dt | 5 hours ago
tzs | 4 hours ago
The Register article is about laws that were specifically designed to not give Meta and their ilk anything more than an unverified age bracket. The age reported is whatever the person who set up the account on the computer said to report.
dv_dt | 4 hours ago
jwrallie | 5 hours ago
t1234s | 5 hours ago
matheusmoreira | 5 hours ago
shadowgovt | 5 hours ago
That's not what is happening here, but we might see that happen in our lifetimes. Hopefully before someone writes the software that kills enough people to necessitate licensing, not after (since generally, such outcomes are how licensing comes into being).
gzread | 5 hours ago
hahn-kev | an hour ago
bigfishrunning | 5 hours ago
tzs | 4 hours ago
mceachen | 4 hours ago
k33n | 5 hours ago
But let's just pretend something totally different is happening. It's more exciting that way.
zb3 | 5 hours ago
And well, the law represents an intent.. if self-reporting won't work (obviously won't), then the scenario where PCs end up as locked down as smartphones is not far fetched.
gzread | 5 hours ago
curt15 | 5 hours ago
Arch485 | 5 hours ago
tzs | 4 hours ago
They require that when the administrator of the computer sets up an account for a user the admin can enter an age or birthdate for the user, and that the OS provides an interface so that apps that user runs can ask based on that admin provided information what age bracket the user is in ([0,13), [13,16), [16,18), [18,∞)).
Apps that need to make age based decisions can use that information.
duckerduck | 5 hours ago
BobbyJo | 5 hours ago
These kinds of laws just seem like unworkable messes to fool the tech ignorant into thinking they care about kids.
Application side I get, there is an entity there running the application, that can be fined or banned or what have you. But software itself? No.
gzread | 5 hours ago
mayama | 4 hours ago
gzread | 5 hours ago
Refreeze5224 | 5 hours ago
9991 | 5 hours ago
hard_times | 4 hours ago
stevetron | 4 hours ago
28304283409234 | 4 hours ago
kevincloudsec | 3 hours ago
exabrial | 2 hours ago