- cross-posted to:
- technology@lemmy.world
- cross-posted to:
- technology@lemmy.world
AB-1043 “Age verification signals: software applications and online services.”
Text https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260AB1043
Other info https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260AB1043
California AB 1043 signed. Mandatory os-level, device-level, app store, and even developer-required age verification for all computing devices.
Edit: altered title from “ID check” to “Age Verification check”
You must log in or register to comment.
This bill, beginning January 1, 2027, would require, among other things related to age verification with respect to software applications, an operating system provider, as defined, to provide an accessible interface at account setup that requires an account holder, as defined, to indicate the birth date, age, or both, of the user of that device for the purpose of providing a signal regarding the user’s age bracket to applications available in a covered application store and to provide a developer, as defined, who has requested a signal with respect to a particular user with a digital signal via a reasonably consistent real-time application programming interface regarding whether a user is in any of several age brackets, as prescribed. The bill would require a developer to request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.
I’m not sure how this is going to be enforceable. So, in essence:
-
The OS should have an accessible API that returns the age bracket of the user, presumably for the purposes of eliminating a lack of compliance on apps using children’s data for advertising. That’s not necessarily a massive problem, though I don’t like the idea of age brackets, I’d prefer it if it’s just a “Adult” vs “Child” bracket.
-
It doesn’t seem to be asking that the age be verified through some external provider, so simply stating the age of the user is enough.
-
App developers are expected to always request that information on launch/installation, which is simply not going to work because how would you enforce it for software made before this law came into effect?
-
The definition of “covered application store” is way too broad and covers basically anywhere you can download software, including things like public docker hubs or Github, so no that’s never going to work out. Apple and Google can maybe include the request for age brackets and provide that information by default as part of the SDK, but legacy software? Good luck getting WinRAR to request that information. You’ve essentially banned all software made before 2025.
So… The OS-level stuff isn’t a huge deal, but the requirements on app developers are way too strict and would be unworkable. If I were to re-write the bill, I’d make it so the age bracket must be available at the OS level, but not required by the app developer to actually use it. I would then add more strict requirements on sites to not use children’s data for advertising, with the reasoning being that they could have asked for the age bracket from the OS at any time, and the fact that they didn’t even bother means they actually wanted to use children’s data.
The bigger problem IMO is the implication that a device/OS must have a defined “account holder” that is associated with an actual person with an age. Nevermind that there isn’t any verification happening that could de-anonymize a user or be breached - as an administrator, am I responsible for ensuring users only use a specific account with the correct age identified? What about google or apple? Are devices meant for children to be locked down so that new users or accounts can’t be created to circumvent restrictions?
This law is too vague to have any meaningful impact on child safety, and the implications behind it make future erosion of privacy far more likely.
-
Why do I need to show my ID to install Gentoo?
I’d like to see them try. Is it during installation or download?
Oops, forgot to compile that module. Oh well.
Take it from a Brit… It’s not about the children. It’s never about the children.
One of the architects of Project 2025 confessed on secret camera that the purpose of age verification laws is a de facto porn ban.
Maybe for them. But for governments in general the point is that age verification is ID verification and it means everything you do online or on any electronic device can be surveilled and tied to your real identity. And that makes political dissent a lot harder to organize without being shut down.
Written with the checkmarks emoji characteristic of AI…
I think the blog post is just a summary of the official document - AI summary nevertheless.
deleted by creator
i hope people talking about him as a potential president remember this; he’s a conservative robot who doesn’t give a shit about you.
Which is orders of magnitude better than a conservative pile of goo that actively wants to inflict as much suffering on you that is humanly possible. Which is very loved by a median voter for no good reason whatsoever
Between the preferences of the machinery of both parties, media ownership - including web companies, increasingly militarised police, ai + agents having the potential to effect the kind of 1980’s de-industrialisation on the middle class, and the rise of a surveillance state that would make the stasi blush, voting for the lesser of two evils isn’t going to do it any more. The lesser of two evils, both complicit in the construction of the explicit oligarchy America how has, is responsible for this.
You might extend the fuse a bit, but that will result in a bigger bomb. If it isn’t too late already, you need to look to the likes of Sanders. Or you need a No Kings protest every day, or as often as possible. Or a permanent Occupy Washington, which I think would come at serious risk of harm for the participants. It is critical now for America’s future.
goo is more human than robot. there’s a reason why neolibs lose elections but Trumps, Mamdanis and Bernies win, and it’s not populism, it’s ideology.
Bernie lost popular vote two times in a row.
seems like MS lobbying group.
Coincidentally, my birthday is 1900, January 1st.
1970, Jan 1st is better for this situation
Mandatory os-level
Cute attempt, but libre software - as always - remains superior and impossible to control. That’s by design. Write any law you want, I can modify whatever line of code implements this stupid check, remove it, and move on.
On a PC that isn’t so hard to do. The problem though is that online services will start requiring the os level check which itself will likely require phoning home to some service.
Plus open software on phones and tablets is still in very early stages.
Plus open software on phones and tablets is still in very early stages.
This simply isn’t true. However your first comment about OS level checks is where the issue lies - if you don’t phone home to Google your banking app won’t work.
Well good thing banks have websites.
Lovely aint it?
Can’t wait for the big wigs to start sponsoring bills going after whistleblower protection.
He can go fuck himself. “Dems are the good guys!!!” Fuck off. This isnt about protecting kids. Its about tracking, profiling and data collection. No doubt to sell to 3rd parties. Fuck all these cunts who push this shit.
There’s no fighting 21st century fascism without breaking this law.
This is so much more effectively evil than ehat the trump admin has been doing holy shit.
This might genuinely be world leading evil.
Evil has won and has pulled up the ladder behind it to make sure no one can challenge it.
*to make sure nobody can challenge it without illegally building or stealing a ladder.
Gavin is as slimey as his hair.
This is probably the most dystopian child safety bill so far.
Most dystopian “child safety” bill. Let’s not legitimize the claim that these laws are made to protect children while having privacy-invading side effects - they are privacy-invading laws disguised as child protection, while failing to have any real impact on children’s online safety and wellbeing
I’m not sure anything this repressive is implemented anywhere in the world.
Edit: wait this is the other half of the thing everywhere else is doing that would make this nightmare shit.
The only thing that I can think of is how China regulates it’s online gaming.
What is China’s Age Verification System?
China’s Age Verification System or 游戏适龄提示 in Chinese, is a government-mandated infrastructure that restricts minors’ access to online games and digital platforms. In China, all users must undergo “Real Name Verification” (实名认证) before accessing gaming services, enabling platforms to enforce age-appropriate restrictions automatically.
The system is overseen by the National Press and Publication Administration (NPPA) and integrates with national databases to verify user identities in real-time.
https://appinchina.co/blog/the-complete-guide-to-chinas-age-verification-system/
The move to do this was largely in part thanks to complaints of parents in regards to their kids’ habits with gacha games. For anyone interested, what I posted was a small excerpt from the link, there’s a lot more info on it there.
Is it in the OS?seems like just games.
It is similar, not the same. Some other key differences to consider are that while the US one is at the OS level, it’s just asking you to provide an age that isn’t linked to your ID or anything. It’s just like when a website asks your age, you can absolutely lie about it. But now it’s being done on the OS account, not the website.
Whereas, yeah, it is just for games in China, but it is absolutely being run against the person’s ID in a national database. Some games even require facial recognition. So it’s on a whole other level of verification and tracking.
while the US one is at the OS level, it’s just asking you to provide an age that isn’t linked to your ID or anything.
It’s Age Verification, which will almost certainly mean either ID scanning or facial scanning via the device camera. Or alternatively card transaction verification - the OG method baked into all these laws is the one that pays MasterCard and VISA. ID and facial recognition are cheaper services because the business providing the scan service can make more money off the ID or face they scan.
“Almost certainly,” is just you assuring it is so. Nothing in the legislation itself demands that.
The us is also openly capitalist with no other pretentions or pressures, and currently in the grip of a fascist regime.
I mean, sure? But that’s rather broad and does not really pertain to the topic at hand which is potentially (or outright) privacy-breaking legislature enacted and enforced on technology in the name of protecting childeren.
Its the difference between fucking around with a gun in the hospital parking lot with your two EMT lovers who are trying to get you to stop, and fucking around with a gun in the deep arctic with two hardened killers who want you dead.
While I oppose this with every inch of my being I do look forward to seeing some super tongue in cheek implementations in Linux distros.
export $AGE
Linux dev sitting there like: well, my work is done.
(b) If an application last updated with updates on or after January 1, 2026, was downloaded to a device before January 1, 2027, and the developer has not requested a signal with respect to the user of the device on which the application was downloaded, the developer shall request a signal from a covered application store with respect to that user before July 1, 2027.
(f) “Developer” means a person that owns, maintains, or controls an application.
1798.503. (a) A person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) per affected child for each negligent violation
So a developer of a FOSS application that gets installed on a device on California via a 3rd party app store (maybe F-droid) must have implemented a query to the OS for this data. Even if the app does not actually provide any inappropriate content or actually any content.
Nor does it matter if he is involved in the distribution of the app to California, a FOSS app redistributed via a 3rd party (F-droid maybe) would make the developer subject to this.
As a developer who can’t control who distributes their software, I would simply change my license to exclude residents of California until this blows over, just to avoid the fine.
So a developer of a FOSS application that gets installed on a device on California
would make the developer subject to this.
And they’re going to do what exactly to a developer that doesn’t live in California? I won’t add any kind of age verification to my bioinformatics projects and I’ll keep issuing releases. Are they going to nuke Brazil? Block GitHub in California?
Since it’s a civil case I doubt they could enforce payment on people outside the US. I am not sure if they can collect from people in the rest of the US but they probably can.
I suppose not complying with a court order could result in criminal charges. Brazil will not extradite you but you will not be able to visit the US.
you will not be able to visit the US.
That’s fantastic news, so I win and keep winning in that case. Great, no age verification on my software.
According to (f), the user is officially the developer of a FOSS application:
- The user is the owner of the binary. (Although with copyright restrictions)
- The user often maintains the application by installing updates. (In FOSS applications updates are rarely forced)
- The user controls the application, as FOSS gives users control.
In some cases (such as the Arch User Repository or the Gentoo distribution), the developer does not even give the user an application but merely source code. The user creates the application.
There is no mention of binaries in either f or c. Possession of binaries does not constitute ownership of an application, ownership of software means holding the copyrights.
But even if we abuse this definition we simply make whoever installs the application liable. In a lot of cases that would be a parent. It could also be the user since the law doesn’t state they can’t be the same person.
The word ‘application’ means the binary. The source code is not the application.
That’s your opinion. It’s wrong. There even are applications that do not have binaries at all. There is no reason to believe the legislators would not want them covered by this law, it certainly does not say so.
It also does not make a difference, owner of the copyright of a binary is the owner of the copyright of the source code. Compiling does not remove the copyright of the source code author as the binary is clearly derived from the source code. The person who compiles the source code does not even get any copyright since it’s not a creative process.
You are not helping FOSS by trying to portray the law as FOSS friendly when it isn’t. Unfortunately the law rarely is FOSS friendly if not due to hostility due to indifference/ignorance on the part of the legislators.
That’s your opinion. It’s wrong.
Only facts can be right or wrong.
Anyway, I know there are applications that don’t have binaries, but most do. I am not a lawyer, but if I’m not mistaken, source code is under U.S. law protected by the first amendment while binaries are not.
Also, it doesn’t matter who owns the copyright. The laws specifies “a person that owns, maintains, or controls an application”.
I am not saying that the law is FOSS friendly. I am saying that the law does not cover all FOSS software despite it being the clear intend of the lawmakers to cover all software. In such cases it will have to be decided by courts (I believe courts still have this function for state laws), whether it also applies to FOSS software.
What I am saying is that the lawmakers clearly do not understand the topic they are trying to regulate.
So then also copyleft is exempt?
Copyleft is not a legal term. It’s a term for (foss) licenses that require users to keep the same terms when redistributing software. Such licenses do not actually transfer copyright. I fail to see how this would exempt foss developers.
AUR works with binaries too, it creates an arch compatible package but that can be from source or massaging an existing package designed for a different distro (like .deb).
Thanks. I didn’t know that.
