- cross-posted to:
- technology@lemmy.world
- cross-posted to:
- technology@lemmy.world
AB-1043 “Age verification signals: software applications and online services.”
Text https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260AB1043
Other info https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260AB1043
California AB 1043 signed. Mandatory os-level, device-level, app store, and even developer-required age verification for all computing devices.
Edit: altered title from “ID check” to “Age Verification check”
You must log in or register to comment.
Good luck enforcing that on Linux.
That’s probably the point.
I wouldn’t be surprised if Microsoft and Google lobbied for this to prevent open source from encroaching on their terf
Likely yes, though it won’t matter to me. I’ll recompile from suitably modified source code if it comes to that.
They might try to stop Linux from booting at all with locked bootloaders.
That would be the point at which things - expensive, crucial things - would start catching on fire for reasons that has nothing to do with anything I might be doing.
Like what? I believe you but I’m interested in the implications of this bill
that would basically destroy the internet considering how many servers - including microsofts own sites - run on linux
There’s precedent that source code is protected speech, so maybe Gentoo is about to become a lot more popular.
And who doesn’t enjoy using 90% of their system resources to compile the 10% remainder all the time?
You can compile while doing other things.
Any recent (AMD) cpu will handle it just fine.
Even most games struggle to utilize many threads.
Gentoo is also amazingly easy to use.
You can use binary versions if you want.
reinstalling OS is fairly easy. I expect utlities to “correct age error”.
The bigger distros will probably do it, especially any that have an organization to fund their development.
That have funding from American organizations, or are an American organization themselves. Possibly even Californian only.
You just know that when a bill is titled “Protect the little children from eternal suffering bill”, it’s gonna contain some real fucked up anti-privacy nonsense in it.
That or terrorism
All laws are terrorism. That’s not special.
I apologize for this being posted about 2 weeks after the bill was signed, was going through my usual methods of checking news and new laws and found this.
Now terminals will read: “GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law, and contains code known by the State of California to cause cancer or other reproductive harm.” /j
i once compiled C code and now have finger cancer
He can go fuck himself. “Dems are the good guys!!!” Fuck off. This isnt about protecting kids. Its about tracking, profiling and data collection. No doubt to sell to 3rd parties. Fuck all these cunts who push this shit.
There’s no fighting 21st century fascism without breaking this law.
This is so much more effectively evil than ehat the trump admin has been doing holy shit.
This might genuinely be world leading evil.
Evil has won and has pulled up the ladder behind it to make sure no one can challenge it.
*to make sure nobody can challenge it without illegally building or stealing a ladder.
Read the link yall
The bill requires:
- OSes to take user birthday during account creation
- this info is binned into categories (<13, 13-16, 16-18, >18)
- the category info must be made available to basically all software
- software is supposed to use this data to age gate content but is not allowed to send this data to 3rd parties
What this bill does not do:
- Your full birthday is specifically not to be sent to every application
- OSes are not being asked to check your id it doesn’t say the OS should do anything to verify the birthday, just that it should record it
- There isn’t anything to prevent you from entering 1/1/2000 instead of your real birthday
Honestly this doesn’t seem that bad to me. If anything it’s a little pointless. This style of age verification is basically universally already used. I guess you could read this as forcing OSes to have parental controls.
I do think there is a bit of a privacy issue in this information being shared with every program, but they attempt to minimize this using the binning (so ironically it really only hurts the privacy of teenagers since for adults it will just say >18), and this information is supposed to not be shared with 3rd parties (but we all know Facebook and Google are going to do whatever they can this info, pushing the limits of that part of the law, or just waiting to be sued and paying the fine when it happens).
I honestly think most Linux distros will just implement it.
We use 1/1/1970, the Unix epoch.
Wild! I am exactly the same age as the Unix Epoch.
Are you serious?! Mad jealous as I missed it by a year.
How cool! :)
How surprising that’s my birthday too!
Yeah, no
First off, this is just another step, and if you believe it’s the last one then I have a nice bridge to sell you
Secondly, this won’t work in practice. Software is being developed all ove the world by single nerds to scientists to little kids, to small software companies to huge software multinationals with hundreds of thousands of developers.
99.9% of the world doesn’t have these rules and won’t give a shit about what California wants. Do you believe that the app developed by some random kid in a random country will start checking age just because newsom wants it? Ok Boomer.
And IF this system allows you to put in whatever date, then what’s the point, beyond some security theater?
This bill is absolute horse shit and won’t go anywhere because this is not how the world works. This will likely end with citizens in California having a really really tiny amount of software available to them legally
First off, this is just another step, and if you believe it’s the last one then I have a nice bridge to sell you
Slippery slope fallacy. This law is basically just asking for a more unified and organized version of how we already check for age verification (which is every individual app or website asking for your birthday). If there was anything more than that I’d agree with you. I do agree that it’s annoying this is coming in the form of a law instead of an addition from Apple that they use in marketing that gets others to follow suit. I think that would have been a healthier way for this sort of organization to happen.
That being said, I do agree with you that the potential “next step” of asking the OS to verify your age would be an issue.
Do you believe that the app developed by some random kid in a random country will start checking age just because newsom wants it?
They already have to select what age range the app is for when they submit it to Apple or Google, and it’s Apple or Google that will have to make changes to comply with this law. If they aren’t distributing through an “app store” there is nothing the 3rd party developer needs to do or worry about according tot his law. However, I am curious how this will end up being applied to command line tools and package managers.
And IF this system allows you to put in whatever date, then what’s the point, beyond some security theater?
I agree, except it could be a form of parental controls. One thing I really don’t like about this law is I think the parents should decide what content is appropriate for their child, rather than the App Store. But not having any validation both puts the control back in the parents hands to some extent, while also making sure the law stops short of becoming a serious privacy and security issue.
This bill is absolute horse shit and won’t go anywhere because this is not how the world works. This will likely end with citizens in California having a really really tiny amount of software available to them legally
Considering most of the biggest software companies in the world have offices in or are based out California, that’s simply not true. Apple, Google, and Microsoft will all comply, regardless of how reasonable the rules are. At best they would fight it in court.
I doubt anyone is planning to sue open source OS developers over this, but honestly the changes it asks for are pretty small, so I expect most linux distros will follow suit anyway.
Ofc I don’t think there is anything California could do to enforce this on FOSS software in any practical way, if it came to that.
I doubt anyone is planning to sue open source OS developers over this,
Why not? Microsoft would love for open source OS developers to all be shut down. This is just another way to attack them.
Slippery slope fallacy
That’s not the slippery slope fallacy. Are you operating under the assumption that any sequence of events and projection of a future step is an example of the slippery slope fallacy?
As a parent, I reckon a voluntary system like this (if I understand correctly) could be very handy. I could create a child account and automatically get age gated content for it.
And when said child is smart enough to circumvent the system, then they deserve whatever content they manage to get their hands on. I’d be so proud.
But I’m sure capitalism would find a way to abuse and misuse the system for gains.
Even with binning, it doesn’t prevent the date from being learned. All an application would have to do is ask for the bin every day. On the day it changes you learned their birthday. It only works for <18s, but isn’t that specifically who they’re saying they’re trying to protect?
Yeah this is a real issue.
The smallest window for binning is 2 years and you would need another identifier to compare it against for any meaningful data gathering. If the law also provides penalties for gathering that type of telemetry on minors then it should be solid.
If it does that, sure. It would create penalties at least.
You wouldn’t need another identifier though. On your 16th birthday, for example, your age range changes from <16 to >16. If the application checked every day and recorded it, then they would then know your birthday. The bins are larger, but switching bins is by the day. It doesn’t matter how large the bins are at that point.
It’s still pretty bad and senseless. We all know how antis, nazis and conservationists are: you given them an inch, they’ll try to bite your entire arm off, not to mention leaving an infection behind.
Honestly this doesn’t seem that bad to me
A state governor doesn’t get to decide what kind of data libre software must or must not collect.
A state governor doesn’t get to decide
Correct, it takes a whole process and a bunch of politicians to write a law like this.
No and if you dont see the problem, get a fucking mirror.
Would Linux be required to though since it’s free open source software? Windows I can see because it’s a product, but Linux isn’t.
I think any used in an official capacity (think enterprise facing software like Redhat), might, but for anything not used at a company level would be both impossible to enforce and unlikely to be audited.
sounds sane to me, and like something that should be done.
This is probably the most dystopian child safety bill so far.
Most dystopian “child safety” bill. Let’s not legitimize the claim that these laws are made to protect children while having privacy-invading side effects - they are privacy-invading laws disguised as child protection, while failing to have any real impact on children’s online safety and wellbeing
I’m not sure anything this repressive is implemented anywhere in the world.
Edit: wait this is the other half of the thing everywhere else is doing that would make this nightmare shit.
The only thing that I can think of is how China regulates it’s online gaming.
What is China’s Age Verification System?
China’s Age Verification System or 游戏适龄提示 in Chinese, is a government-mandated infrastructure that restricts minors’ access to online games and digital platforms. In China, all users must undergo “Real Name Verification” (实名认证) before accessing gaming services, enabling platforms to enforce age-appropriate restrictions automatically.
The system is overseen by the National Press and Publication Administration (NPPA) and integrates with national databases to verify user identities in real-time.
https://appinchina.co/blog/the-complete-guide-to-chinas-age-verification-system/
The move to do this was largely in part thanks to complaints of parents in regards to their kids’ habits with gacha games. For anyone interested, what I posted was a small excerpt from the link, there’s a lot more info on it there.
Is it in the OS?seems like just games.
It is similar, not the same. Some other key differences to consider are that while the US one is at the OS level, it’s just asking you to provide an age that isn’t linked to your ID or anything. It’s just like when a website asks your age, you can absolutely lie about it. But now it’s being done on the OS account, not the website.
Whereas, yeah, it is just for games in China, but it is absolutely being run against the person’s ID in a national database. Some games even require facial recognition. So it’s on a whole other level of verification and tracking.
while the US one is at the OS level, it’s just asking you to provide an age that isn’t linked to your ID or anything.
It’s Age Verification, which will almost certainly mean either ID scanning or facial scanning via the device camera. Or alternatively card transaction verification - the OG method baked into all these laws is the one that pays MasterCard and VISA. ID and facial recognition are cheaper services because the business providing the scan service can make more money off the ID or face they scan.
“Almost certainly,” is just you assuring it is so. Nothing in the legislation itself demands that.
The us is also openly capitalist with no other pretentions or pressures, and currently in the grip of a fascist regime.
I mean, sure? But that’s rather broad and does not really pertain to the topic at hand which is potentially (or outright) privacy-breaking legislature enacted and enforced on technology in the name of protecting childeren.
Its the difference between fucking around with a gun in the hospital parking lot with your two EMT lovers who are trying to get you to stop, and fucking around with a gun in the deep arctic with two hardened killers who want you dead.
Take it from a Brit… It’s not about the children. It’s never about the children.
One of the architects of Project 2025 confessed on secret camera that the purpose of age verification laws is a de facto porn ban.
I’m sorry but you’re using that term wrong. You mean a de jure porn ban.
A de facto porn ban would mean that you actually couldn’t get any. And that’s just ridiculous.
Like drugs are illegal de jure, but de facto getting weed pretty much anywhere in the world is not a challenge. Usually even easier than getting alcohol as an underage person. Not that I have experience of that in the past few decades (being underage that is).
I mean I guess it’s “de facto” in sofar that it’s not exactly presciptively de jure illegal when it’s done like that. So in that sense you are right to use it like that, but eh. I disagree with who I was when I started writing this. No matter we’re on lemmy.
Maybe for them. But for governments in general the point is that age verification is ID verification and it means everything you do online or on any electronic device can be surveilled and tied to your real identity. And that makes political dissent a lot harder to organize without being shut down.
Fuck that stupid bullshit.
Please update your title to remove the misinformation about the bill, specifically calling it “OS-level ID verification” is not even close. It’s not got anything to do with personally identifying information or any actual verification of age information.
It’s actually an incredibly privacy conscious method of doing what it is trying to do, which is to allow parents to set up a child’s account with their age information on a device and have that age bracket information passed to websites and applications. That way, it makes it harder for a child to bypass age-restrictions, but without requiring dangerous age verification methods such as ID or face scans.
If you want parental controls, you can have them.
If you want parental controls with root, you can have those too.
They exist currently.
Bullshit. This is not a voluntary thing that parents can choose to do or not: it is an enforced, mandatory requirement that is foisted upon literally all programs, regardless of user choice or whether it makes any sense at all to do so. Oh, and there’s a penalty of TWO HOUSAND FIVE HUNDRED DOLLARS for EACH VIOLATION for EACH CHILD.
Download a foreign video app on your smart TV that doesn’t comply? Congrats, the pigs will fine a three-child family $7500 for the crime of watching manga.
You live in the US. You know that this will be unequally applied to the poor and minorities. You know that this will be used as an excuse to search people’s devices at massive scale. You know that companies will simply shrug and use face ID anyway, because they already have to do it for other locales, so why not just reuse the same process? You know that this is a foot in the door for the facists and capitalists. You know all this, so stop running interference for them.
The law has no way to go after parents, unless there’s already some law on the books that does so and the penalties defined in this one somehow apply to that.
The penalties defined in this law are for OS providers not having a way to set age data within an account on a device or for not sending the age signal when requested and for developers ignoring the age signal or not requesting it.
I have edited the title to include “age verification checks” from “ID check”.
It’s better but the only place the word verification, or anything like it, actually appears in the text is in the title and in the introduction. It doesn’t have any verification in it, just passing whatever you tell your device to other systems it interacts with.
I wish the politicians were honest about what it does. Accepting this makes it seem like we’re ok with verification because that’s what’s in the title, but it’s possible to be both supportive of requiring some type of standard parental control system and be against any sort of age verification.
Think about how much it must take for parents to set up age controls on every single individual app and service their kids use. Having the ability to set up an account for your child on their phone or laptop and know that appropriate controls for that age range will be automatically applied will make it so many more parents will do so than they do now.
This is a good thing because we don’t want what they’ve got in the UK, which is requiring this patchwork of age verification from websites and apps to avoid liability. We want it to be the responsibility of parents, so that we as adults can once again browse freely and no longer be asked to input our birthday to “verify” we are old enough to see a list of beers the local brewery has on tap.
(b) If an application last updated with updates on or after January 1, 2026, was downloaded to a device before January 1, 2027, and the developer has not requested a signal with respect to the user of the device on which the application was downloaded, the developer shall request a signal from a covered application store with respect to that user before July 1, 2027.
(f) “Developer” means a person that owns, maintains, or controls an application.
1798.503. (a) A person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) per affected child for each negligent violation
So a developer of a FOSS application that gets installed on a device on California via a 3rd party app store (maybe F-droid) must have implemented a query to the OS for this data. Even if the app does not actually provide any inappropriate content or actually any content.
Nor does it matter if he is involved in the distribution of the app to California, a FOSS app redistributed via a 3rd party (F-droid maybe) would make the developer subject to this.
As a developer who can’t control who distributes their software, I would simply change my license to exclude residents of California until this blows over, just to avoid the fine.
According to (f), the user is officially the developer of a FOSS application:
- The user is the owner of the binary. (Although with copyright restrictions)
- The user often maintains the application by installing updates. (In FOSS applications updates are rarely forced)
- The user controls the application, as FOSS gives users control.
In some cases (such as the Arch User Repository or the Gentoo distribution), the developer does not even give the user an application but merely source code. The user creates the application.
AUR works with binaries too, it creates an arch compatible package but that can be from source or massaging an existing package designed for a different distro (like .deb).
Thanks. I didn’t know that.
There is no mention of binaries in either f or c. Possession of binaries does not constitute ownership of an application, ownership of software means holding the copyrights.
But even if we abuse this definition we simply make whoever installs the application liable. In a lot of cases that would be a parent. It could also be the user since the law doesn’t state they can’t be the same person.
The word ‘application’ means the binary. The source code is not the application.
That’s your opinion. It’s wrong. There even are applications that do not have binaries at all. There is no reason to believe the legislators would not want them covered by this law, it certainly does not say so.
It also does not make a difference, owner of the copyright of a binary is the owner of the copyright of the source code. Compiling does not remove the copyright of the source code author as the binary is clearly derived from the source code. The person who compiles the source code does not even get any copyright since it’s not a creative process.
You are not helping FOSS by trying to portray the law as FOSS friendly when it isn’t. Unfortunately the law rarely is FOSS friendly if not due to hostility due to indifference/ignorance on the part of the legislators.
That’s your opinion. It’s wrong.
Only facts can be right or wrong.
Anyway, I know there are applications that don’t have binaries, but most do. I am not a lawyer, but if I’m not mistaken, source code is under U.S. law protected by the first amendment while binaries are not.
Also, it doesn’t matter who owns the copyright. The laws specifies “a person that owns, maintains, or controls an application”.
I am not saying that the law is FOSS friendly. I am saying that the law does not cover all FOSS software despite it being the clear intend of the lawmakers to cover all software. In such cases it will have to be decided by courts (I believe courts still have this function for state laws), whether it also applies to FOSS software.
What I am saying is that the lawmakers clearly do not understand the topic they are trying to regulate.
Only facts can be right or wrong.
Opinions (such as that the Earth is flat) can obviously be wrong. Facts cannot. Look up the definition of fact.
Anyway, I know there are applications that don’t have binaries, but most do. I am not a lawyer, but if I’m not mistaken, source code is under U.S. law protected by the first amendment while binaries are not.
You admit applications are not necessarily binary, the law does not mention binary or source code or anything like that where it defines applications. You are just grasping at straws to justify an indefensible position, that whoever possesses a binary is it’s owner.
Which is obviously untrue. Ownership of software means ownership of it’s copyright. It’s been made very clear in the last decades that you (legally) don’t even own software that you pay for. You own a license to use the software.
You cannot argue, in good faith at least, that this is what is intended by the law. First it would be spelled out and secondly it would mean that for all applications, not just FOSS ones, the people paying the fines would be the users, $2500 for each app they install that’s in violation. Which is obviously not what’s intended.
I am not saying that the law is FOSS friendly. I am saying that the law does not cover all FOSS software despite it being the clear intend of the lawmakers to cover all software. In such cases it will have to be decided by courts (I believe courts still have this function for state laws), whether it also applies to FOSS software.
Unfortunately it does since it does not discriminate. If anybody that can be effectively prosecuted (i.e. US/California resident) takes your advice and takes it to court, he is getting fucked.
What I am saying is that the lawmakers clearly do not understand the topic they are trying to regulate.
No shit. That does not mean FOSS software is not affected. You also do not understand the topic or choose to not understand it because it’s spells trouble for FOSS. But pretending everything is ok does not make it so. FOSS projects either need to implement it or make sure they isolate themselves from US/California jurisdiction.
Opinions (such as that the Earth is flat) can obviously be wrong. I thought I knew English, but apparently not. (I’m not a native speaker.) I always assumed that “opinion” meant the same as judgement (which is what I learned at school), but I just looked opinion up in the dictionary, and it can also mean belief or or view.
It’s been made very clear in the last decades that you (legally) don’t even own software that you pay for. You own a license to use the software. This is untrue. Legally speaking you “own” the software, but what you can do with the software is limited by both the copyright and the license. Often this license will say that the creator still owns the software, so by accepting the license, you no longer own the software. Today you often have to accept the license before you even download the software. So you are correct that the user doesn’t own the software, but that’s not the default. For example, FOSS licenses do not specify that the creator continues to own the software, therefore ownership is given to the user.
for all applications, not just FOSS ones, the people paying the fines would be the users, $2500 Nope. Since most licenses say that the developer is the owner, the fine would go to the developer. Also, the law says that the fine can go to the “maintainer” which, again, is the developer.
takes your advice I wasn’t giving advice. I’m saying that the decision is up to the court. But if you want legal advice (disclaimer: I am not a lawyer): Do not do anything of which the legality still has to be decided by a court.
That does not mean FOSS software is not affected I never said that. I said that FOSS software is affected differently if you take the law by the letter (which the courts don’t have to do).
So then also copyleft is exempt?
Copyleft is not a legal term. It’s a term for (foss) licenses that require users to keep the same terms when redistributing software. Such licenses do not actually transfer copyright. I fail to see how this would exempt foss developers.
So a developer of a FOSS application that gets installed on a device on California
would make the developer subject to this.
And they’re going to do what exactly to a developer that doesn’t live in California? I won’t add any kind of age verification to my bioinformatics projects and I’ll keep issuing releases. Are they going to nuke Brazil? Block GitHub in California?
Since it’s a civil case I doubt they could enforce payment on people outside the US. I am not sure if they can collect from people in the rest of the US but they probably can.
I suppose not complying with a court order could result in criminal charges. Brazil will not extradite you but you will not be able to visit the US.
you will not be able to visit the US.
That’s fantastic news, so I win and keep winning in that case. Great, no age verification on my software.
Mandatory os-level
Cute attempt, but libre software - as always - remains superior and impossible to control. That’s by design. Write any law you want, I can modify whatever line of code implements this stupid check, remove it, and move on.
On a PC that isn’t so hard to do. The problem though is that online services will start requiring the os level check which itself will likely require phoning home to some service.
Plus open software on phones and tablets is still in very early stages.
Plus open software on phones and tablets is still in very early stages.
This simply isn’t true. However your first comment about OS level checks is where the issue lies - if you don’t phone home to Google your banking app won’t work.
Well good thing banks have websites.
And if you block your browser’s connection to Google you won’t be able to log in to your bank.
Time to switch banks then.
On a PC that isn’t so hard to do. The problem though is that online services will start requiring the os level check
Easy peasy, the browser checks the OS them reports it to the website
You mean the libre software that is all primarily stored on AWS, Azure, or Google infrastructure, especially github?
Linux is the giant it is using email as the primary infrastructure for development. We will be fine.
Can’t we just fork it over to something like Codeberg eventually? I know it’s a lot to move over, but with time and patience, it seems achievable.
Gavin is as slimey as his hair.
Coincidentally, my birthday is 1900, January 1st.
1970, Jan 1st is better for this situation
i hope people talking about him as a potential president remember this; he’s a conservative robot who doesn’t give a shit about you.
Which is orders of magnitude better than a conservative pile of goo that actively wants to inflict as much suffering on you that is humanly possible. Which is very loved by a median voter for no good reason whatsoever
goo is more human than robot. there’s a reason why neolibs lose elections but Trumps, Mamdanis and Bernies win, and it’s not populism, it’s ideology.
Bernie lost popular vote two times in a row.
Bernie won plenty of mayoral and senate elections, as well as many states during his primary campaigns.
America has pockets of progressiveness so to speak, that’s why once in a generation you can get occasional mayoral wins and such. But they never grow into anything bigger, for many many reasons, from the fact that America is a stupid country full of stupid people, to the fact that lefties will always chose infighting and purity checks over pragmatism, to the fact that significant portion left-leaning people are extremely anti-democracy and use “voting” as a slur word.
Doesn’t mean nothing can be done, but you also can’t just ignore all of thatyeah there are definitely challenges
Almost like the nominations were rigged and the media hated someone who would ruin the rich who own the media’s income.
If there is something that Americans love to do more than bitching about their elections being rigged, that’s not actually participating in said elections and waiting that someone will do voting for them, while they sit around and call everyone who actually votes “libs”. That and daydreaming about murdering people during their inevitable revolution/civil war.
That doesn’t mean elections aren’t actually rigged, they very much are.
Between the preferences of the machinery of both parties, media ownership - including web companies, increasingly militarised police, ai + agents having the potential to effect the kind of 1980’s de-industrialisation on the middle class, and the rise of a surveillance state that would make the stasi blush, voting for the lesser of two evils isn’t going to do it any more. The lesser of two evils, both complicit in the construction of the explicit oligarchy America how has, is responsible for this.
You might extend the fuse a bit, but that will result in a bigger bomb. If it isn’t too late already, you need to look to the likes of Sanders. Or you need a No Kings protest every day, or as often as possible. Or a permanent Occupy Washington, which I think would come at serious risk of harm for the participants. It is critical now for America’s future.
We’ve seen some truly horrific and tragic examples of young people harmed by unregulated tech, and we won’t stand by while companies continue without necessary limits and accountability.
So it’s individuals that will get the limits and accountability while privacy companies will get off with slaps on the wrist when they inevitably have data breaches. Really tired of this double speak bullshit.
