date 2007-03-26
from the big-brother dept.
Uproar About OS-level Age Verification Laws
Hackaday reports that unnoticed by many, several jurisdictions, including California and Brazil, have passed age verification laws that require operating system providers to keep age records of users. The uproar has now also spread among many FOSS-covering creators.
The wording of the California law is vague, and the inevitable interpretation by courts might have the outcome of a mandatory cloud account connection for every computer use ("An operating system provider shall ... provide ... with respect to a particular user ... a digital signal"). It is unclear how server computing and community based distros could deal with this.
It appears that the large corporate distributions are willing to cave in, but it is entirely unclear, and has not been even touched within all the uproar, how grassroots distributions like Debian will be affected with their many mirrored repositories and no central user database.
System76 on Age Verification Laws
[...] Colorado's Senate Bill 26-051 and California's Assembly Bill No. 1043 require operating systems to report age brackets to app stores and web sites. A person who creates an account on a computer is supposed to be 18 or older and attest to the age of the user they're creating for themselves or their child. In practice, this means anyone under 18 isn't supposed to create a computer account on their own.
Most System76 employees installed operating systems and created accounts on their computer when they were under 18. They did this out of curiosity. Many started writing software. Some were already writing operating systems. I'm sure the story is similar at most tech companies. Limiting a child's ability to explore what they can do with a computer limits their future. Removing user limitations to the computer (proprietary software, locked-down platforms like Android and iOS) is why System76 exists.
If there is any solace in these two laws, it's that they don't have any real restrictions. There is no actual age verification. Whoever installed the operating system or created the account simply says what age they are. They can lie. They will lie. They're being encouraged to lie for fear of being restricted to a nerfed internet.
[...] It can get worse. New York's proposed Senate Bill S8102A requires adults to prove they're adults to use a computer, exercise bike, smart watch, or car if the device is internet enabled with app ecosystems. The bill explicitly forbids self-reporting and leaves the allowed methods to regulations written by the Attorney General. Practical methods for a bill of such extreme breadth would require, in many instances, providing private information to a third-party just to use a computer at all. Privacy disappears.
In a bizarre twist, under its current wording, a Linux distribution downloaded from the internet could technically make the downloader the "device manufacturer". They are the entity responsible for providing a freely distributed operating system to the device. In practice, this type of language is rarely enforced. Nonetheless, it highlights how laws written for centralized platforms like iOS and Android struggle to define who is responsible in open computing ecosystems where anyone can install or distribute the operating system.
A centralized platform designed to control the activity of the user creates the environment where the centralized platform provider can themselves then be controlled by higher powers. Decentralized platforms and app stores, like Linux, are essential to the personal liberty of adults and children.
This extends to the potential of humanity itself. The computer is the most powerful and versatile technology we've ever created. It is a foundational technology that affects the progress of all other innovations. A platform that controls the user's activity, and can itself be controlled, limits the user's ability to contribute to our shared future. Many of the world's best programmers started experimenting with computers as children.
In the case of Colorado's and California's bills, effectiveness is lost. In the case of New York's bill, liberty is lost. In the case of centralized platforms, potential is lost.
[...] The challenges we face are neither technical nor legal. The only solution is to educate our children about life with digital abundance. Throwing them into the deep end when they're 16 or 18 is too late. It's a wonderful and weird world. Yes, there are dark corners. There always will be. We have to teach our children what to do when they encounter them and we have to trust them.
Ubuntu Looking at How to Implement Age Verification Law Compliance
[...] Recently, a new law was passed in California that requires OS vendors to provide some limited info about a user's age via an API that application distribution websites and application stores can use. [1] Colorado seems to be working on a similar law. [2] The law will go into effect January 1, 2027, it is no longer a draft. I do quite a bit of work with an OS vendor (working with the Kicksecure [3] and Whonix [4] projects), and we aren't particularly interested in blocking everyone in California and Colorado from using our OSes, so we're currently looking into how to implement an API that will comply with the laws while also not being a privacy disaster. Given that other distributions are also investigating what to do with this, and the law requires us to make a "good faith effort to comply with [the] title, taking into consideration available technology", I figured it would be a good idea to bring the issue here.
At its core, the law seems to require that an "operating system" (I'm guessing this would correspond to a Linux distribution, not an OS kernel or userland) request the user's age or date of birth at "account setup". The OS is also expected to allow users to set the user's age if they didn't already provide it (because the OS was installed before the law went into effect), and it needs to provide an API somewhere so that app stores and application distribution websites can ask the OS "what age bracket does this user fall into?" Four age brackets are defined, "< 13, >= 13 and < 16, >= 16 and < 18, >= 18". It looks like the API also needs to not provide more information than just the age bracket data. A bunch of stuff is left unclear (how to handle servers and other CLI-only installs, how to handle VMs, whether the law is even applicable if the primary user is over 18 since the law ridiculously defines a user as "a child" while also defining "a child" as anyone under the age of 18, etc.), but that's what we're given to deal with.
The most intuitive place to put this functionality would be, IMO, AccountsService. The main issue with that is that stable-release distributions, and distributions based upon them, would be faced with the issue of how to get an updated version of AccountsService integrated into their software repositories, or how to backport the appropriate code. The law goes into effect on January 1, 2027, Debian Bookworm is going to be supported by ELTS until July 30, 2033, and we don't yet know if Debian will care enough about California's laws to want to backport a new feature in AccountsService into Debian Bookworm (or even Trixie). Distributions based on Debian (such as Kicksecure and Whonix) may still want to comply with the law though, so something using AccountsService-specific APIs would be frustrating. Requiring a whole separate daemon for the foreseeable future just for an age verification API would also be annoying.
Another place the functionality could go is xdg-desktop-portal. This one is a bit non-ideal for a couple of reasons; for one, the easiest place to put the call would be in the Account portal, which returns more information than the account's age bracket. This could potentially be considered non-compliant with the law, as it states that the operating system shall "[s]end only the minimum amount of information necessary to comply with this title". This also comes with the backporting disadvantages of an AccountsService-based implementation.
For this reason, I'd like to propose a "hybrid" approach; introduce a new standard D-Bus interface, `org.freedesktop.AgeVerification1`, that can be implemented by arbitrary applications as a distro sees fit. AccountsService could implement this API so that newer versions of distros will get the relevant features for free, while distros with an AccountsService too old to contain the feature can implement it themselves as a stop-gap solution.
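The bracket lookup that such an interface would sit on top of, as an added example (not code from the proposal, AccountsService or any distribution): it derives the bracket from a locally stored date of birth using the thresholds 13, 16 and 18 named above and hands the caller nothing but the bracket. The function names, bracket labels, the `UNKNOWN` value for accounts with no recorded age and the sample record are assumptions; the D-Bus wiring is not shown.

```python
from datetime import date
from enum import Enum
from typing import Optional


class AgeBracket(Enum):
    # Labels are assumptions; the page gives only the thresholds 13, 16 and 18.
    UNKNOWN = "unknown"      # assumption: nothing recorded for this account yet
    UNDER_13 = "under-13"
    AGE_13_TO_15 = "13-15"
    AGE_16_TO_17 = "16-17"
    ADULT = "18-plus"


def age_in_years(born: date, today: date) -> int:
    """Completed years of age; a 29 February birthday counts from 1 March
    in non-leap years."""
    if born > today:
        raise ValueError("date of birth is in the future")
    had_birthday = (today.month, today.day) >= (born.month, born.day)
    return today.year - born.year - (0 if had_birthday else 1)


def bracket_for(born: Optional[date], today: date) -> AgeBracket:
    if born is None:
        return AgeBracket.UNKNOWN
    age = age_in_years(born, today)
    if age < 13:
        return AgeBracket.UNDER_13
    if age < 16:
        return AgeBracket.AGE_13_TO_15
    if age < 18:
        return AgeBracket.AGE_16_TO_17
    return AgeBracket.ADULT


def answer_query(account: dict, today: date) -> dict:
    """Reply handed to the caller: the bracket string and no other field,
    even though the account record holds more."""
    return {"age_bracket": bracket_for(account.get("date_of_birth"), today).value}


# Constructed sample record, for illustration only.
SAMPLE_ACCOUNT = {"user": "alex", "real_name": "Alex Example",
                  "date_of_birth": date(2010, 3, 9)}

if __name__ == "__main__":
    print(answer_query(SAMPLE_ACCOUNT, date(2026, 3, 8)))
    print(answer_query(SAMPLE_ACCOUNT, date(2026, 3, 9)))
```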
(Score: 1) by Runaway1956 on Monday March 09, @12:32AM (5 children)
Is an unenforceable law even a law? Dumbasses in state and national capitols can play pretend all they like. Even if/when Microsoft, Apple, and Google implement what the fools are asking for, kids will quickly figure out how to work around the stupid. As mentioned within the article, kids create everything up to, and including operating systems. It's not like computer science is some kind of magic that takes 180 years to master. Even if it were, Gandalf wasn't an ancient old bastard when he started magicking.
If I ever see such arcane bullshit on an operating system, I'll sit my ass down to subvert it almost immediately, LMAO!
We're gonna be able to vacation in Gaza, Cuba, Venezuela, Iran and maybe Minnesota soon. Incredible times.
(Score: 4, Interesting) by corey on Monday March 09, @02:04AM (1 child)
This seems a blow to Linux, maybe I’m wrong. But I wonder how much Microsoft had to do with lobbying for these laws. Win win, Linux is damaged and MS get to force users to give up personal info, because it’s the law now.
(Score: 3, Insightful) by Bentonite on Monday March 09, @04:28AM
Obviously microsoft was one of the companies behind this conspiracy.
It'll be a blow to proprietary GNU/Linux distros - free GNU/Linux-libre distros won't implement any of such restrictions, as if anyone does, someone will take them back out and release a fixed version.
(Score: 4, Insightful) by Undefined on Monday March 09, @02:15AM
Certainly. The problem is that then more coercive and punitive (and ineffective) legislation will be added to address the workarounds. And when those fail, as they absolutely will, rinse and repeat: they'll focus in on what they see as "the problem" and cinch the noose tighter and tighter.
The "problem" being, they want to know, without doubt, who is accessing what. Because access to, and use thereof, resources they don't approve of is anathema to them. Also potentially threatening to their power. Simple as that.
The end of these cycles is most likely to be a form of full government ID requirement with active biological confirmation of some sort. Live retina detection and analysis, that sort of thing. They'll iterate as many times as necessary to finally get what they're after, all the while trumpeting "save the children" at the voters. Which will work, as it always does.
The objections to the currently proposed laws are not because they're going to be effective — they most certainly are not — but because the path here seems to inevitably lead to something much, much worse.
As politicians have already intentionally and successfully begun to legislate access on multiple fronts, it is now nearly impossible to stop the process. These laws tend to be bipartisan, well supported by both major parties. So it's extraordinarily difficult for voters to counter the mindset by replacing legislators.
(Score: 1) by khallow on Monday March 09, @09:29AM
What's unenforceable about it? If the answer is that you either a) never can visit California/Brazil, b) have to go to court to defend yourself from bullshit law, or c) never can have government agencies from these countries use your distribution, then it's being enforced. Big companies probably see this as a convenient barrier to entry.
Gandalf existed from well before as one of the Maia. He was present at the making of the world and much, much later chose a human form to help defeat Sauron in the Third Age (the First Age BTW being composed of many long, often indeterminate periods of time).
(Score: 0) by Anonymous Coward on Monday March 09, @10:05AM
Of course it is, they might not be capable of enforcing it in the gross but that was never the intention, it's the enforcement in the fine that matters to them, it exists as a means to 'get' someone on an easy charge which then allows them to 'widen the scope of their enquiries'.
The legal system is tricky, I had a rather interesting conversation about one piece of UK legislation I had to check in the course of my last job, it specifies something like 'if X, when measured, is below Y, then this legislation does not apply' but nowhere in the legislation or official guidance is there a legal definition of X, what it technically is or how it is to be gauged for legislative purposes, but does however precisely define Y in SI units.
The opinion was that if it came up in a court, even if you could prove that Y is, by multiple metrics, below the legally set limit, the judge could arbitrarily define X in such a manner as to negate these results based on the 'common understanding' of what X is, and how it's measured, bluntly even if X, when measured, is Y, it technically could be made to be Z therefore you're in breach of the law.
Further opinion was that a lot of legislation is worded in such a manner as to provide them with so many 'gotchas' that it's impossible to live in a modern society without breaking the law in one way or another, and that it's not a flaw, but a feature.
(Score: 0) by Anonymous Coward on Monday March 09, @01:16AM (3 children)
To make this work it has to be built into certified hardware that you will rent from the phone company, like when AT&T ruled, and the user will have to insert his/her ID card.
(Score: 4, Informative) by Bentonite on Monday March 09, @04:26AM (2 children)
Hardware already has the needed restrictions mechanisms built in via restricted boot and TPM's - all it would take would be for "UEFI"'s to have an "age-check" form built-in on power-on (making the "UEFI" connect to the internet isn't that hard).
Then it would be a simple matter to make it so that restricted boot will only boot approved proprietary OS's that accept the age information and implement the required restrictions.
The only reliable workaround to that would be to use old hardware without such restrictions (although there's a mountain of that still available).
(Score: 2) by cykros on Monday March 09, @10:31AM
Gonna finally be getting back to the 90s where we have to meet up with sketchy guys in seedy apartment buildings, like Greg Anderson in the Matrix, to get our contraband tech. The idea of it being done with software was always sort of just a movie trope back then, because you'd just download it, but when it's hardware, we can finally actually play out these Shadowrun-esque adventures...
Might be time for me to finally move on from this desktop I'm running that was originally built in 2011 so that whatever comes I've got something to survive for awhile as the contraband supply chain gets built out. It's running Slackware so frankly I haven't otherwise felt a need to, as it continues to just work.
(Score: 2) by canopic jug on Monday March 09, @10:36AM
The only reliable workaround to that would be to use old hardware without such restrictions (although there's a mountain of that still available).
However, that is only a workaround. Even if that old hardware is somehow not blocked from the Internet, it will eventually wear out and the replacements will run out.
The only long term solution is to ensure that technical solutions are not sought for social problems. This is a parenting problem and the onus is on the parents to actually engage in raising their kids. Rather than coming down on the OS developers, the states in question could much more effectively come down on the parents of the feral kids.
Money is not free speech. Elections should not be auctions.
(Score: 2) by cykros on Monday March 09, @10:25AM
It's unclear WHY a community based distro would deal with this. Host outside of California, don't do any official business, and play the Pirate Bay's game of sending maps to anyone who has issues with it.
And if you want to sell customer service to pay the bills, organize separately so that company isn't the provider of the software.
Seriously, who are they even trying to go after when it's a community repository? Github? Seems trivial enough to host elsewhere if that's the concern...