* This approach is the _most consistent_ with retaining anonymity on the internet, while actually helping parents with their issues. If any age-relevant gatekeeping needs to be made on the internet at all, this is the one I find acceptable.
* this is because the act very specifically does NOT require age _verification_ ie using third-parties to verify whether the claimed age is correct. Rather, it is piggybacking on the baked-in assumption, that parents will set up the device for their kids, indicating on first install what the age/DoB is, then handing over the device -a setting which can, presumably, only be modified with parental consent
* yes, there are edge cases, esp in OSS, and yes, it would be nice to iron those out -but the risk = probability x impact calculus on this is very very low.
* If retaining anonymity on the internet is of value to you, don't let the perfect be the enemy of good enough.
I understand where you’re coming from, but I respectfully disagree with some of the points you made:
* It’s ambiguous how your proposed parental setup and control process would work for anything other than walled gardens like Apple’s ecosystem. On an OS like Debian, does that mean a child can’t have the root password in case they use to it change the age? Does that mean we need a second password that needs to be entered in addition to the root password to change the age? Will Arduinos and similar devices also need to be age gated?
* Those edge cases might seem small, but read broadly they would require substantial, invasive, and perhaps even impossible changes to how FOSS works. If the law isn’t changed and FOSS doesn’t adapt, this basically means the entire space will exist in a legal gray area where an overzealous prosecutor could easily kill everything.
* This is not a matter of “perfect vs good enough”, this is a major slippery slope to go down. Also, this doesn’t mean age _verification_ will simply go away.
> On an OS like Debian, does that mean a child can’t have the root password in case they use to it change the age? Does that mean we need a second password that needs to be entered in addition to the root password to change the age?
No. You're still not quite internalizing that the California regulation does not mandate any verification or enforcement or protection of the accuracy of the age bracket data. It mandates that the question be asked, and the answer taken as-is.
Which means that many of the concerns about implementation disappear, because the setting really does not need to be anything more than a simple flag that apps can check.
> Will Arduinos and similar devices also need to be age gated?
Only to the extent that they are general purpose computing devices, have an operating system, are capable of downloading apps, and are actually used by children (since the enforcement mechanism requires a child to be affected by the non-compliance). And if an app fails to obtain age information but also doesn't do anything that is legally problematic for a user that is a child, then it's hard to argue that the app's ignorance affected the child.
> Also, this doesn’t mean age _verification_ will simply go away.
It will in California, until the law gets repealed or amended. Apps won't be allowed to ask for further age-related information or second-guess the user-reported age information, except when the app has clear and convincing information that the reported age is inaccurate.
That would seem to require that the act provide a shield against liabilities involving minors, which doesn't seem compatible with the notion that it's such a low-friction mechanism. A minor installs debian on a raspberry py, clicks “I am 23 years old and then an “adult dating” site isn't allowed to repeat the question?
If anything, this seems like a convenient path to mandating far more restrictive measures under the guise of “fixing an obvious loophole in the law”.
> Only to the extent that they are general purpose computing devices, have an operating system, are capable of downloading apps, and are actually used by children
So my kid's micro:bit, running an OS she built, is eligible. As is half the esp-ecosystem.
Agreed. And if the same legislation was designed under the supervision of domain experts, it would be an HTTP header or envvar to indicate one of specified brackets, with recommended integration with applicable parental control system.
Instead it was drafted by people not understanding the difference between browser, app, and "OS", explaining the result.
If they can get what they want from this, they will not stop after they get it. Even if the authors of the law want it to stop here, their successors will not, and will build upon this to erode privacy. When governments can change the deal effectively unilaterally, as is the case, you cannot make a deal with them that they cannot change, and you will have already surrendered the strongest argument against the next "deal" they want to unilaterally impose. Do not treat this as a deal to prevent further erosion, that is not what this is, treat this as an attack and attempt to advance against privacy and anonymity. Treating it as anything else is absolute gullibility.
So if it's an application that runs within the os that the parent enables and does not collect or send any personal info that sounds reasonable. But if has to be embedded into the OS that's going to present problems I can only imagine.
that would be fine if the embedding means all applications can leverage this functionality - like how accessibility is embedded into the OS rather than per-app.
The only problem is if this embedding requires third-party verification (which i dont believe it is), or require some sort of hardware attestation to a remote server (so you cannot modify the OS to turn it off if you wish as a non-parent).
To me, flexibility and choice is paramount. The parents have the responsibility to monitor their child, and this tool should help when the parents opt-in for it. It should not be enforced on all computer users arbitrarily without a parental opt-in first.
> Are the devices parents are currently setting up lacking these controls?
It's an inconsistent mess.
> Is there no third party software which can achieve this?
No third-party software can force a standardized age reporting mechanism onto somebody else's platform and associated app ecosystem. A third-party unofficial age reporting mechanism is something that other apps are free to ignore. This law requires platforms to have a minimal but mandatory age reporting mechanism that apps cannot claim ignorance of and cannot decline to use in favor of an alternative age reporting mechanism.
> Then why is it a crime with an associated fine for me to provide an OS which does not have one?
Impact calculus? Really?? OSS Maintainers do not have enough bs to deal with and now need to balance utter financial ruin to the state? No. Highly unserious take.
“Covered application store” means a publicly available internet website, software application, online service, or platform that distributes and facilitates the download of applications from third-party developers to users of a computer, a mobile device, or any other general purpose computing that can access a covered application store or can download an application.
So… DNS servers are “covered application stores”, right? As is PyPI or GitHub or any other such service. S3 and such, too — lots of facilitating going on.
And I’m wondering… lots of things are general purpose computers. Are servers covered? How about embedded systems? Lots of embedded systems are quite general purpose.
edit: Yikes, whoever wrote the text of the law seems to have failed to think at all.
> (b) (1) A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.
The developer shall request? Not the application? So if I write an application and you download it and run it on an operating system, then I need to personally ask your OS how old you are? This makes no sense.
> (2) (A) A developer that receives a signal pursuant to this title shall be deemed to have actual knowledge of the age range of the user to whom that signal pertains across all platforms of the application and points of access of the application even if the developer willfully disregards the signal.
Did they forget to make this conditional on getting g the right answer? If I develop an application used by a 12-year-old and the OS says the user is 18+ (which surely will happen all the time even if no one lies because computers have multiple users), and the OS answers my query, then courts are directed to deem that I have actual knowledge that the user is under 13? Excuse me?
My reading of 2A is that devs can take the word of the OS or App Store. If they say the user’s 18, and the user’s really 13, then the developer’s in the clear for serving adult content to them because they took the word of the certifying entity.
Conversely, if the OS says the user’s 13, then they can’t say they thought the user was actually 18. Guess sucks to suck if you want to buy a movie ticket from your kid’s phone, or if you mistyped your age when you set yours up because you didn’t have your passport nearby.
2A just says that if the e.g. client request headers say the age bracket, the server (dev) can trust the reported age, but also shall not ignore it on purpose. No "just ignore the do-not-track flag" escape hatch here. "A bartender can't willfully refuse to check someone's ID if they are presented with it."
For incorrect OS answers, keep reading. 3B covers what happens if there's clear and convincing evidence that the age covered in 2A is inaccurate. (Reported profile birthday, for instance)
This is "if someone shows a bartender a valid drinking-age ID but says they're celebrating their 17th birthday, this can't be ignored".
Nothing there responds to the question. If my 17 year old answers “I'm 23”, what exactly prevents them from posting to /r/nsfw? What constitutes “clear and convincing evidence”? If there's no answer here, then there appears to be no purpose to this law as this sort of thing is precisely what it's supposed to be preventing.
The difference is a bartender has a handy thing called a human brain that can integrate every evidence and prior without explicit handling. Which a computer program can not. Now we have another "legitimate interest", potentially _forcing_ us to collect biometric and behavioural data we definitely wouldn't monetize to just cover its cost.
> “Covered application store” means a publicly available internet website, software application, online service, or platform that distributes and facilitates the download of applications from third-party developers to users of a computer, a mobile device, or any other general purpose computing that can access a covered application store or can download an application.
So OpenWRT would be covered since they allow the user to download packages (ie software) via apk/opkg.
Quite possibly, yes. Though maybe a router wouldn't qualify as a general purpose computing device, and maybe the packages wouldn't qualify as being from third-party developers when the binaries that get downloaded are both built and distributed by OpenWRT.
I think it’s a gross failing on the part of the state to intentionally _pass_ a bad/vague law and then ask for amendments. If you can’t write a good law, then don’t pass it. Corporations already do enough beta testing on people and the government certainly shouldn’t beta test laws.
Nothing about this law restricts what a parent is allowed to do with respect to their children. If a parent wants to set up a device or account for their kid and set the age of the account to 18+, that does not violate the law.
The bill affects operating systems and apps, requiring them to have only the most basic feature necessary to implement age-based restrictions, and to make it an official platform-wide API instead of each app implementing their own age verification scheme. But parents remain free to use or ignore the age setting at their own discretion.
On the one hand the legislation seems unimplementable for many OS makers, not just FOSS ones.
(The issue of "primary owner of the device" being the most problematic.)
Equally the concept of "app store" is different for different OS's. iOS and Android are clear. Mac and Windows are mostly "download and run from website" (although both want to pivot to appstore, with varying degrees of success.)
Then we need to wonder if yum and apt are stores, given that they aren't actually owned by "linux".
In truth though it kinda doesn't matter. It's trivial to add an "age" field to account creation. It's trivial for users to enter any date they like. So on the one hand it's easy for OS makers to comply, it's easy for users to lie.
Presumably if the law could have mandated age checks then would have, so I'm not even sure thus is slippery slope. Most minors don't have photo ID. Most desktop hardware doesn't have a camera (at the time of account creation.)
This feels like performative law-making. Vague language. Unenforceable user participation.
> Then we need to wonder if yum and apt are stores
IMO this is quite simple - as they provide software, they are "stores" too. Although I think most would associate a store with e. g. MS store, Apple store and so forth.
The word "store" is weird though. Would it not be easier to use different words? Anyone providing software for download; and perhaps add a size threshold to stop pestering small business or solo users. This really seems to target Linux here.
I’m not defending this law, just discussing the wording.
First, either this law, or another already on the books, or established case law, defines what an app store is. Sovereign citizens get hung up on legal wordplay because they mistake legal jargon for English. It’s not, any more than I move a small furry mammal (mouse) to click religious imagery (icons) on my desktop (not a desktop).
But second, if you really want to wordsmith it, “store” can mean “place where you keep stuff”, not only “place to buy things from”, as in in short for storage. Where do you save work documents? A file store. That’s not where you buy docs, but where you keep them. A crafty DA could probably say, lacking a definition otherwise, that an app store is where you store apps, and buying them is incidental. And they’d probably win over you and me arguing otherwise, because they can speak legal to the judge and we can’t.
As the user interface through which users download (among other things) apps... it absolutely is an "app store". It's not where the binaries are hosted, but you don't see anyone claiming the App Store iOS app isn't an app store because the apps are ackshyually on Apple's CDN servers, do you?
A lot of people people contributing to FOSS are volunteers. The calculus of working on stuff for free involves an assumption that your worst-case outcome is you make $0. This act's punitive fines change the worst-case outcome to somewhere around -$9999999 or more.
If you work on any programming project at all in any capacity:
- Are you confident your work doesn't fall afoul of this?
- Are you confident they won't decide to come after you anyway for insane political, bureaucratic or "seeing-like-a-state" dysfunctions?
- Are you willing to bet millions of dollars in potential fines that your answers to the previous two questions are correct?
Just in case your answers to the parent post's three questions were "Yes, yes and yes" here are some additional questions:
- Have you ever uploaded a container to Dockerhub or Quay.io?
- Does that container have an OS inside it that has user accounts?
- Before you answered parent post's questions, did it occur to you that you might have to update your Docker images to comply?
- Did you remember on your own that you also have to delete or update older Docker images to comply, or did you not think of that until you read this question?
After you've answered these questions, please re-answer the parent post's questions.
Copyright, patents, censorship, age controls etc... have never worked on kids.
When it comes to technology, parents will always, always be years behind their kids. The kids will find a way to circumvent all these controls that the laws are trying to force technology providers into implementing.
These laws won't result in less violence, lower drug use, more opportunity, or closer, more tight knit communities.
I’ve gotta agree. Even if I supported the idea, which I don’t, I’d oppose it on implementation’s sake.
I’d rather be tasked to solve the Halting Problem than to be responsible for keeping kids away from porn. There’s no hacker more motivated than a teen who wants to see a boob. I know. I remember. “Son, why do you have a calling card for Peru?” “Uh, there’s this BBS in Lima…”
I haven’t made up my mind on whether I like this law or not, but this is a bigger condemnation of the FOSS community than anything else.
This law was introduced over a year ago, it was reviewed by multiple committees and nobody from the FOSS community ever went up to Sacramento to speak against it. A couple of emails to the right people back in March 2025 would’ve had a real shot of turning this bill into a non-issue. But nobody paid attention until it became a news cycle, and now it’s too little too late.
I hope this is a wakeup call for the linux community: if you don’t wanna get choked out by bad legislation, you have to get politically organized.
Repost my comment in the other thread: I know this sounds absurd. But let me try not to be cynical and explain how we got here, according to what I understand:
First, let's admit the push for age verification laws isn't a partisan or ideological thing. It's a global trend. This California law has bipartisan sponsorship and only major org opponent is the evil G [1]. While age verification is unpopular in tech community, I imagine a lot of average adult voters agree that limiting children's access to wilder parts of the Internet is a good thing.
On this premise, the discussion is then who should be responsible for age verification. The traditional model is to require app developers / website owners to gatekeep -- like the Texas and Ohio laws that require PornHub to verify users' IDs. But such model put too much burden on small developers, and it's a privacy nightmare to have to share your PII with random apps.
This is why we see this new model. States started to believe it seems more viable to dump the responsibility on big tech / platforms. A newer Texas law is adopt this model (on top the traditional model) to require app stores to verify user age (but was recently blocked by court) [2]. And this California law pretty much also takes this model -- the OS (thinking as iOS / Android / Windows with app store) shall obtain the user age and provide "a signal regarding the users age bracket to applications available in a covered application store".
While many people here are concerning open-source OSes, and the language do cover all OSes -- my intuition is no lawmaker had ever think about them and they were not the target.
TBH my kids have limited access to their (Android) phones using family link but I don't see option there to:
- block certain list of sites
- block walls inside YouTube for example
- limit amount of scrolling time Vs amount of learning time (this can be done quite easily)
So just give the tools to parents and stop requiring IDs for adults. What happens if kid gets adult's phone? And what happens when kid gets dad's rifle or car keys? It doesn't mean that all the rifles and car keys should now start to include blood sample based age verification mechanisms
--Edit--
Apple family management is even worse. The best I heard of is implemented in the switch console
Yup, see how long it lasts when companies in California can't install anything on their servers because they get Rejected for Legal Reasons responses to their package requests.
Because the "store" never confirmed that Cloudflare is 18.
A lot of words to say adding a column to passwd and changing all software that creates accounts will take some work.
For me giving parents more tools seems easily worth the work, but I can understand others who disagree.
IIRC there wasn’t anything about the OS needing to validate the info, just ask for it at setup and provide it when requested. Part of me wonders if this was just an attempt to stake out a position as to what a law of this sort, that still respects privacy, might look like.
I dunno. I don’t love it. But if a dumb age-range flag became “the thing” to check, well, that’s be less invasive than uploading an ID or something.
If you actually read this law, it does exactly the opposite to avoid every random app/website from having to do age verification (like traditional age verification laws requires). It requires that only the OS to ask the user's age (not even verify it). Individual apps should use the age buckets signaled by the OS.
The Digital Age Assurance Act is a disaster both in concept and in its statutory language. Its author(s) seem to be entirely unaware of how software is distributed outside of walled gardens like Apple’s ecosystem. If I’m understanding the law correctly, then even software like Homebrew would have to implement some kind of integration with macOS to detect a user’s age. On a naive level, I’m surprised such an obviously flawed bill was passed and signed in California, where there are so many tech companies and lobbyists. The realist in me, however, realizes that tech companies don’t care about the privacy and software supply chain impacts and might even want these impacts to happen as a way of consolidating their control over the market. As an American progressive, it disappoints me that the only thing progressives and conservatives seem to agree is stripping ordinary people of any semblance of anonymity or privacy in the name of “safety”.
"It probably does not apply to you" and "Laws are usually applied as intended" and "You'll probably be ok" is what i keep hearing.
None of that addresses "if you get unlucky and some prosecutor decides to help his career by prosecuting you as an enabler-of-child-inappropriate-whatever-it-is". YOLOing away one's freedom on "probably" seems risky, and there is no reward to be had for doing it.
The only sane solution is to simply add "not for use in california" to all OSs, until California gets its collective head out of its collective rectum.
>simply add "not for use in california" to all OSs
I was wondering if a boilerplate like that would be legally binding if the language were more generic. eg- "This software may not be used by any individual or in any locality where it is not legal to do so".
Another service precluded "persons under the age of 18", but if the language of the law doesn't align with that (considering emancipated persons under the age of 18, or people over the age of 18 under some form of guardianship), would a California carve out still be required for compliance?
And the state AG can only bring a civil case, with fines limited in proportion to the number of actual children affected by the non-compliance.
And for most applications, compliance is as simple as calling the relevant API and throwing away the return value, because most applications aren't doing anything that is already required by law to have age restrictions.
and you are 100% sure none of this will change suddenly, and are willing to bet you have the money to defend yourself in case you are sued wrongly, perhaps, but still need to provide a lawyer to defend yourself, on your own dime? ballsy move.
> and you are 100% sure none of this will change suddenly
Yeah. We're talking about a law that's still over a year from taking effect. It's not going to be replaced by one having the opposite effects overnight with no warning.
> and are willing to bet you have the money to defend yourself in case you are sued wrongly
Since I don't develop or distribute applications or operating systems that are used by children, let alone software that would be legally required to behave differently when the user is a child, I'm quite confident that any lawsuit targeted at me by the State of California's elected AG would be laughed out of court at the first hearing, and I'd probably have plenty of offers of pro-bono representation. And I wouldn't even need a lawyer to help me ask to see the evidence that a child was affected by the non-compliance of the software I didn't write, and if a court did somehow get convinced, I could survive being fined the maximum fine for negligent violations with respect to at least several children. And I'm not at all concerned about receiving an injunction to not do something I'm already not doing.
Any law could be amended, or abused. Not having a law can make prosecutorial misconduct easier. I don't see anything in this law that seems more ripe for creative misinterpretation and abuse than is typical, and I don't think it likely that a California state court would cooperate with an egregious attempt to abuse this law.
You seem to be having a reaction to this law that would be triggered by being confronted with any law that isn't specified with the precise mathematical rigor necessary to appease a compiler.
Four of the biggest OSes (iOS, macOS, Android, and Chrome OS) are made in California by the companies who pushed this legislation through. Never going to happen.
Annoyingly? Ironically? The best technical implementation of this law would be to make it possible for the "device owner" to tell the OS to set a flag that the user was under age. Never send the age, never send anything else. Just have a global variable indicating that the user is under age that can be accessed by the browser.
Now what would happen after that?
First oses would have to implement the above in a way that could not be bypassed, pretty much impossible if the child has access to the device.
Then you would need to require that websites honor that token or any similar token no matter how it was implemented ... https MITM etc. good luck with that.
Finally once all the implementation and enforcement hurdles are complete every website out there would immediately know that the user browsing was a child and all the trackers and ad networks on the web would immediately start targeting those users because children are marks.
Now you need even more laws and regulations to protect the children from being targeted by advertising companies, and good luck with enforcing that.
This is what I was hoping for when I read one of the comments. It's okay if the child can technically bypass the flag. That's what the parent is for, to regularly monitor their child's device. But I am a parent with a technical background so this works for me, selfishly, I have no idea how it will work for everyone else.
But once again, I'd like to bring up my preferred solution for this problem. Ban "smartphone" (precise meaning TBD) for minors in public spaces. My belief is that it will disrupt the dopamine hits enough that it doesn't become addicting and kids don't rely on it completely to function socially. And just having it in legislature will serve as a starting point for parents to discuss the topic more openly, which will help with the network effects. Parents don't have second thoughts on why cigarettes or drugs or alcohol is bad for children, they just are, and whole groups of parents can collectively agree that their children and friends of their children should not be using them. I hope to see the same for "smartphones".
Stallman was, once again, right. We need free software and hardware more than ever because of idiotic laws like this. Because of the decentralized development model, there is no single company or developer that can be unfairly targeted and coerced into adding anti-features such as age verification or encryption backdoors. California can shove its requests where the sun don't shine.
It is indeed strange that California suddenly became a lobbyist's paradise. Louis Rossmann doesn't have an infinite number of time available and he is more an East Coast person, even after having left New York, but it would be really interesting to see which lobbyists drafted that law. It will probably be copy/pasted to more states soon.
I'm almost certain we will live to see "they can't fine all of us" get torn to shreds in real time as government language models patrol the 'net for software projects that lack an age verification call.
Why, we could even see a legal requirement for code repositories to run one themselves, constantly scanning for compliance. That way the compute cost is offloaded properly on the citizenry :)
All open source projects should withdraw immediately from the United States, IP-block all USA downloads, and headquarter themselves in sensible countries without such laws. Any state having these laws means they can drag you into their courts for violating them.
Did they? Or is it regulatory capture? MS is really pushing their online MS account thing, Apple and Google already have online accounts associated with your OS profile. It feels a lot like regulatory capture...
Sacramento legislature is a "small town", insular, corrupt lobbying crucible that mostly does whatever it wants and whatever people with money and social media followings say.
Counterpoint to peeps on this thread:
* This approach is the _most consistent_ with retaining anonymity on the internet, while actually helping parents with their issues. If any age-relevant gatekeeping needs to be made on the internet at all, this is the one I find acceptable.
* this is because the act very specifically does NOT require age _verification_ ie using third-parties to verify whether the claimed age is correct. Rather, it is piggybacking on the baked-in assumption, that parents will set up the device for their kids, indicating on first install what the age/DoB is, then handing over the device -a setting which can, presumably, only be modified with parental consent
* yes, there are edge cases, esp in OSS, and yes, it would be nice to iron those out -but the risk = probability x impact calculus on this is very very low.
* If retaining anonymity on the internet is of value to you, don't let the perfect be the enemy of good enough.
I understand where you’re coming from, but I respectfully disagree with some of the points you made:
* It’s ambiguous how your proposed parental setup and control process would work for anything other than walled gardens like Apple’s ecosystem. On an OS like Debian, does that mean a child can’t have the root password in case they use to it change the age? Does that mean we need a second password that needs to be entered in addition to the root password to change the age? Will Arduinos and similar devices also need to be age gated?
* Those edge cases might seem small, but read broadly they would require substantial, invasive, and perhaps even impossible changes to how FOSS works. If the law isn’t changed and FOSS doesn’t adapt, this basically means the entire space will exist in a legal gray area where an overzealous prosecutor could easily kill everything.
* This is not a matter of “perfect vs good enough”, this is a major slippery slope to go down. Also, this doesn’t mean age _verification_ will simply go away.
> On an OS like Debian, does that mean a child can’t have the root password in case they use to it change the age? Does that mean we need a second password that needs to be entered in addition to the root password to change the age?
No. You're still not quite internalizing that the California regulation does not mandate any verification or enforcement or protection of the accuracy of the age bracket data. It mandates that the question be asked, and the answer taken as-is.
Which means that many of the concerns about implementation disappear, because the setting really does not need to be anything more than a simple flag that apps can check.
> Will Arduinos and similar devices also need to be age gated?
Only to the extent that they are general purpose computing devices, have an operating system, are capable of downloading apps, and are actually used by children (since the enforcement mechanism requires a child to be affected by the non-compliance). And if an app fails to obtain age information but also doesn't do anything that is legally problematic for a user that is a child, then it's hard to argue that the app's ignorance affected the child.
> Also, this doesn’t mean age _verification_ will simply go away.
It will in California, until the law gets repealed or amended. Apps won't be allowed to ask for further age-related information or second-guess the user-reported age information, except when the app has clear and convincing information that the reported age is inaccurate.
That would seem to require that the act provide a shield against liabilities involving minors, which doesn't seem compatible with the notion that it's such a low-friction mechanism. A minor installs debian on a raspberry py, clicks “I am 23 years old and then an “adult dating” site isn't allowed to repeat the question?
If anything, this seems like a convenient path to mandating far more restrictive measures under the guise of “fixing an obvious loophole in the law”.
> Only to the extent that they are general purpose computing devices, have an operating system, are capable of downloading apps, and are actually used by children
So my kid's micro:bit, running an OS she built, is eligible. As is half the esp-ecosystem.
Put that way sounds very sensible.
Hopefully it stays that way.
This will be as ineffective as current, are you 18 pop-ups
Agreed. And if the same legislation was designed under the supervision of domain experts, it would be an HTTP header or envvar to indicate one of specified brackets, with recommended integration with applicable parental control system.
Instead it was drafted by people not understanding the difference between browser, app, and "OS", explaining the result.
It's the software developers, it's the government's, it's anyone's responsibility but mine to parent my kids!
If they can get what they want from this, they will not stop after they get it. Even if the authors of the law want it to stop here, their successors will not, and will build upon this to erode privacy. When governments can change the deal effectively unilaterally, as is the case, you cannot make a deal with them that they cannot change, and you will have already surrendered the strongest argument against the next "deal" they want to unilaterally impose. Do not treat this as a deal to prevent further erosion, that is not what this is, treat this as an attack and attempt to advance against privacy and anonymity. Treating it as anything else is absolute gullibility.
So if it's an application that runs within the os that the parent enables and does not collect or send any personal info that sounds reasonable. But if has to be embedded into the OS that's going to present problems I can only imagine.
> But if has to be embedded into the OS
that would be fine if the embedding means all applications can leverage this functionality - like how accessibility is embedded into the OS rather than per-app.
The only problem is if this embedding requires third-party verification (which i dont believe it is), or require some sort of hardware attestation to a remote server (so you cannot modify the OS to turn it off if you wish as a non-parent).
To me, flexibility and choice is paramount. The parents have the responsibility to monitor their child, and this tool should help when the parents opt-in for it. It should not be enforced on all computer users arbitrarily without a parental opt-in first.
> while actually helping parents with their issues.
> that parents will set up the device for their kids
Are the devices parents are currently setting up lacking these controls? Is there no third party software which can achieve this?
Then why is it a crime with an associated fine for me to provide an OS which does not have one? How have I failed to "help parents with their issues?"
> Are the devices parents are currently setting up lacking these controls?
It's an inconsistent mess.
> Is there no third party software which can achieve this?
No third-party software can force a standardized age reporting mechanism onto somebody else's platform and associated app ecosystem. A third-party unofficial age reporting mechanism is something that other apps are free to ignore. This law requires platforms to have a minimal but mandatory age reporting mechanism that apps cannot claim ignorance of and cannot decline to use in favor of an alternative age reporting mechanism.
> Then why is it a crime with an associated fine for me to provide an OS which does not have one?
Not a crime, just a civil penalty.
Impact calculus? Really?? OSS Maintainers do not have enough bs to deal with and now need to balance utter financial ruin to the state? No. Highly unserious take.
[dead]
What a crappy law.
> Section 1798.500(e)(1) states:
“Covered application store” means a publicly available internet website, software application, online service, or platform that distributes and facilitates the download of applications from third-party developers to users of a computer, a mobile device, or any other general purpose computing that can access a covered application store or can download an application.
So… DNS servers are “covered application stores”, right? As is PyPI or GitHub or any other such service. S3 and such, too — lots of facilitating going on.
And I’m wondering… lots of things are general purpose computers. Are servers covered? How about embedded systems? Lots of embedded systems are quite general purpose.
edit: Yikes, whoever wrote the text of the law seems to have failed to think at all.
> (b) (1) A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.
The developer shall request? Not the application? So if I write an application and you download it and run it on an operating system, then I need to personally ask your OS how old you are? This makes no sense.
> (2) (A) A developer that receives a signal pursuant to this title shall be deemed to have actual knowledge of the age range of the user to whom that signal pertains across all platforms of the application and points of access of the application even if the developer willfully disregards the signal.
Did they forget to make this conditional on getting g the right answer? If I develop an application used by a 12-year-old and the OS says the user is 18+ (which surely will happen all the time even if no one lies because computers have multiple users), and the OS answers my query, then courts are directed to deem that I have actual knowledge that the user is under 13? Excuse me?
I guess we will have to replace the OS of every system that can play a violent and inappropriate videogame, like Doom.
My reading of 2A is that devs can take the word of the OS or App Store. If they say the user’s 18, and the user’s really 13, then the developer’s in the clear for serving adult content to them because they took the word of the certifying entity.
Conversely, if the OS says the user’s 13, then they can’t say they thought the user was actually 18. Guess sucks to suck if you want to buy a movie ticket from your kid’s phone, or if you mistyped your age when you set yours up because you didn’t have your passport nearby.
2A just says that if the e.g. client request headers say the age bracket, the server (dev) can trust the reported age, but also shall not ignore it on purpose. No "just ignore the do-not-track flag" escape hatch here. "A bartender can't willfully refuse to check someone's ID if they are presented with it."
For incorrect OS answers, keep reading. 3B covers what happens if there's clear and convincing evidence that the age covered in 2A is inaccurate. (Reported profile birthday, for instance) This is "if someone shows a bartender a valid drinking-age ID but says they're celebrating their 17th birthday, this can't be ignored".
> For incorrect OS answers, keep reading
Nothing there responds to the question. If my 17 year old answers “I'm 23”, what exactly prevents them from posting to /r/nsfw? What constitutes “clear and convincing evidence”? If there's no answer here, then there appears to be no purpose to this law as this sort of thing is precisely what it's supposed to be preventing.
The difference is a bartender has a handy thing called a human brain that can integrate every evidence and prior without explicit handling. Which a computer program can not. Now we have another "legitimate interest", potentially _forcing_ us to collect biometric and behavioural data we definitely wouldn't monetize to just cover its cost.
DNS doesn't generally distribute applications, so no it doesn't apply.
but it facilitates the download.
Facilitating the download is not sufficient; the service would have to both distribute and facilitate the download to satisfy the definition.
So a torrent tracker isn't in-scope because it doesn't distribute and only facilitates peer discovery?
If that’s your bar, then so does the power company and who ever manufactured your router.
thats-the-joke-meme.jpg
What if a dns software has an RCE and a prosecutor thinks it satisfies "facilitates download" clause ?
The clause says "distributes and facilitates the download", not "distributes or facilitates the download".
> [distributes] AND [facilitates the download of]
Grouping braces and capitalization mine. So distributing also required. However it's still overly broad, vague, and ambiguous.
> “Covered application store” means a publicly available internet website, software application, online service, or platform that distributes and facilitates the download of applications from third-party developers to users of a computer, a mobile device, or any other general purpose computing that can access a covered application store or can download an application.
So OpenWRT would be covered since they allow the user to download packages (ie software) via apk/opkg.
Awesome!
Quite possibly, yes. Though maybe a router wouldn't qualify as a general purpose computing device, and maybe the packages wouldn't qualify as being from third-party developers when the binaries that get downloaded are both built and distributed by OpenWRT.
Christ, that would make Google, Dell, Netgear, and Comcast a "covered application store".
This isn't a law. It's a prayer.
This is an intentionally vague law, and seems like the governor is more than happy to call for amendments: https://www.gov.ca.gov/wp-content/uploads/2025/10/AB-1043-Si...
I think it’s a gross failing on the part of the state to intentionally _pass_ a bad/vague law and then ask for amendments. If you can’t write a good law, then don’t pass it. Corporations already do enough beta testing on people and the government certainly shouldn’t beta test laws.
Amendment 1: Parents must parent first. State must not nanny.
Nothing about this law restricts what a parent is allowed to do with respect to their children. If a parent wants to set up a device or account for their kid and set the age of the account to 18+, that does not violate the law.
The bill affects operating systems and apps, requiring them to have only the most basic feature necessary to implement age-based restrictions, and to make it an official platform-wide API instead of each app implementing their own age verification scheme. But parents remain free to use or ignore the age setting at their own discretion.
Wait, so, say I build XYZ Distro of Linux, but dotn want to cater to children, am I still required to implement a way for setting up a DoB?
Even if say I am based in timbuktu, but allow for my ISO to be downloadede bye a resident of the state of california?
On the one hand the legislation seems unimplementable for many OS makers, not just FOSS ones.
(The issue of "primary owner of the device" being the most problematic.)
Equally the concept of "app store" is different for different OS's. iOS and Android are clear. Mac and Windows are mostly "download and run from website" (although both want to pivot to appstore, with varying degrees of success.)
Then we need to wonder if yum and apt are stores, given that they aren't actually owned by "linux".
In truth though it kinda doesn't matter. It's trivial to add an "age" field to account creation. It's trivial for users to enter any date they like. So on the one hand it's easy for OS makers to comply, it's easy for users to lie.
Presumably if the law could have mandated age checks then would have, so I'm not even sure thus is slippery slope. Most minors don't have photo ID. Most desktop hardware doesn't have a camera (at the time of account creation.)
This feels like performative law-making. Vague language. Unenforceable user participation.
> Then we need to wonder if yum and apt are stores
IMO this is quite simple - as they provide software, they are "stores" too. Although I think most would associate a store with e. g. MS store, Apple store and so forth.
The word "store" is weird though. Would it not be easier to use different words? Anyone providing software for download; and perhaps add a size threshold to stop pestering small business or solo users. This really seems to target Linux here.
I’m not defending this law, just discussing the wording.
First, either this law, or another already on the books, or established case law, defines what an app store is. Sovereign citizens get hung up on legal wordplay because they mistake legal jargon for English. It’s not, any more than I move a small furry mammal (mouse) to click religious imagery (icons) on my desktop (not a desktop).
But second, if you really want to wordsmith it, “store” can mean “place where you keep stuff”, not only “place to buy things from”, as in in short for storage. Where do you save work documents? A file store. That’s not where you buy docs, but where you keep them. A crafty DA could probably say, lacking a definition otherwise, that an app store is where you store apps, and buying them is incidental. And they’d probably win over you and me arguing otherwise, because they can speak legal to the judge and we can’t.
apt and yum don't sell software, so they are not stores
yum and apt are binaries that reference config files et. al. to search a url tree via a manifest, they are no more stores than curl or wget.
curl and wget surely facilitates the download.
No one could interpret yum or apt as stores on their own. The "store" would be the repository that the software is coming from.
As the user interface through which users download (among other things) apps... it absolutely is an "app store". It's not where the binaries are hosted, but you don't see anyone claiming the App Store iOS app isn't an app store because the apps are ackshyually on Apple's CDN servers, do you?
A lot of people people contributing to FOSS are volunteers. The calculus of working on stuff for free involves an assumption that your worst-case outcome is you make $0. This act's punitive fines change the worst-case outcome to somewhere around -$9999999 or more.
If you work on any programming project at all in any capacity:
- Are you confident your work doesn't fall afoul of this?
- Are you confident they won't decide to come after you anyway for insane political, bureaucratic or "seeing-like-a-state" dysfunctions?
- Are you willing to bet millions of dollars in potential fines that your answers to the previous two questions are correct?
Just in case your answers to the parent post's three questions were "Yes, yes and yes" here are some additional questions:
- Have you ever uploaded a container to Dockerhub or Quay.io?
- Does that container have an OS inside it that has user accounts?
- Before you answered parent post's questions, did it occur to you that you might have to update your Docker images to comply?
- Did you remember on your own that you also have to delete or update older Docker images to comply, or did you not think of that until you read this question?
After you've answered these questions, please re-answer the parent post's questions.
Exactly and thankfully at least a few ppl get it! The risks of these sized fines, even 1 of them, is more than most OSS projects could cover.
Copyright, patents, censorship, age controls etc... have never worked on kids.
When it comes to technology, parents will always, always be years behind their kids. The kids will find a way to circumvent all these controls that the laws are trying to force technology providers into implementing.
These laws won't result in less violence, lower drug use, more opportunity, or closer, more tight knit communities.
I’ve gotta agree. Even if I supported the idea, which I don’t, I’d oppose it on implementation’s sake.
I’d rather be tasked to solve the Halting Problem than to be responsible for keeping kids away from porn. There’s no hacker more motivated than a teen who wants to see a boob. I know. I remember. “Son, why do you have a calling card for Peru?” “Uh, there’s this BBS in Lima…”
> Copyright, patents, censorship, age controls etc... have never worked on kids.
What the heck does it even mean to say patents have never worked on kids?
They might meant like hacking or piracyng?
I haven’t made up my mind on whether I like this law or not, but this is a bigger condemnation of the FOSS community than anything else. This law was introduced over a year ago, it was reviewed by multiple committees and nobody from the FOSS community ever went up to Sacramento to speak against it. A couple of emails to the right people back in March 2025 would’ve had a real shot of turning this bill into a non-issue. But nobody paid attention until it became a news cycle, and now it’s too little too late.
I hope this is a wakeup call for the linux community: if you don’t wanna get choked out by bad legislation, you have to get politically organized.
Repost my comment in the other thread: I know this sounds absurd. But let me try not to be cynical and explain how we got here, according to what I understand:
First, let's admit the push for age verification laws isn't a partisan or ideological thing. It's a global trend. This California law has bipartisan sponsorship and only major org opponent is the evil G [1]. While age verification is unpopular in tech community, I imagine a lot of average adult voters agree that limiting children's access to wilder parts of the Internet is a good thing.
On this premise, the discussion is then who should be responsible for age verification. The traditional model is to require app developers / website owners to gatekeep -- like the Texas and Ohio laws that require PornHub to verify users' IDs. But such model put too much burden on small developers, and it's a privacy nightmare to have to share your PII with random apps.
This is why we see this new model. States started to believe it seems more viable to dump the responsibility on big tech / platforms. A newer Texas law is adopt this model (on top the traditional model) to require app stores to verify user age (but was recently blocked by court) [2]. And this California law pretty much also takes this model -- the OS (thinking as iOS / Android / Windows with app store) shall obtain the user age and provide "a signal regarding the users age bracket to applications available in a covered application store".
While many people here are concerning open-source OSes, and the language do cover all OSes -- my intuition is no lawmaker had ever think about them and they were not the target.
[1] https://calmatters.digitaldemocracy.org/bills/ca_202520260ab...
[2] https://www.politico.com/news/2026/01/05/big-tech-won-in-tex...
TBH my kids have limited access to their (Android) phones using family link but I don't see option there to:
- block certain list of sites
- block walls inside YouTube for example
- limit amount of scrolling time Vs amount of learning time (this can be done quite easily)
So just give the tools to parents and stop requiring IDs for adults. What happens if kid gets adult's phone? And what happens when kid gets dad's rifle or car keys? It doesn't mean that all the rifles and car keys should now start to include blood sample based age verification mechanisms
--Edit--
Apple family management is even worse. The best I heard of is implemented in the switch console
They’ll just slap a “Not for use in California” label over the download page then move on with their lives
Yup, see how long it lasts when companies in California can't install anything on their servers because they get Rejected for Legal Reasons responses to their package requests.
Because the "store" never confirmed that Cloudflare is 18.
And "not for use in Texas": https://legiscan.com/TX/text/SB2420/id/3237346
And "not for use in Louisiana": https://legis.la.gov/legis/Law.aspx?d=1428944
And maybe Brazil, Australia, Singapore and Utah as well (not checked): https://developer.apple.com/news/?id=f5zj08ey
A lot of words to say adding a column to passwd and changing all software that creates accounts will take some work. For me giving parents more tools seems easily worth the work, but I can understand others who disagree.
This is a mess.
So how does it apply? Is that the mandatory age verification clause that forces everyone into becoming a data sniffer?
California is kind of strange - on the one hand giving rise to open source; on the other hand being a lobbyist's paradise.
IIRC there wasn’t anything about the OS needing to validate the info, just ask for it at setup and provide it when requested. Part of me wonders if this was just an attempt to stake out a position as to what a law of this sort, that still respects privacy, might look like.
I dunno. I don’t love it. But if a dumb age-range flag became “the thing” to check, well, that’s be less invasive than uploading an ID or something.
If you actually read this law, it does exactly the opposite to avoid every random app/website from having to do age verification (like traditional age verification laws requires). It requires that only the OS to ask the user's age (not even verify it). Individual apps should use the age buckets signaled by the OS.
I don't even get why people think lobbyists hijack the law. It might be too left/progressive/socialism/or whatever. But, basically, the only major org opponent of this law is Google: https://calmatters.digitaldemocracy.org/bills/ca_202520260ab...
As Disney took open source IP (fairy tales, etc) and pulled the ladder up behind them, so too are tech companies.
The Digital Age Assurance Act is a disaster both in concept and in its statutory language. Its author(s) seem to be entirely unaware of how software is distributed outside of walled gardens like Apple’s ecosystem. If I’m understanding the law correctly, then even software like Homebrew would have to implement some kind of integration with macOS to detect a user’s age. On a naive level, I’m surprised such an obviously flawed bill was passed and signed in California, where there are so many tech companies and lobbyists. The realist in me, however, realizes that tech companies don’t care about the privacy and software supply chain impacts and might even want these impacts to happen as a way of consolidating their control over the market. As an American progressive, it disappoints me that the only thing progressives and conservatives seem to agree is stripping ordinary people of any semblance of anonymity or privacy in the name of “safety”.
"It probably does not apply to you" and "Laws are usually applied as intended" and "You'll probably be ok" is what i keep hearing.
None of that addresses "if you get unlucky and some prosecutor decides to help his career by prosecuting you as an enabler-of-child-inappropriate-whatever-it-is". YOLOing away one's freedom on "probably" seems risky, and there is no reward to be had for doing it.
The only sane solution is to simply add "not for use in california" to all OSs, until California gets its collective head out of its collective rectum.
>simply add "not for use in california" to all OSs
I was wondering if a boilerplate like that would be legally binding if the language were more generic. eg- "This software may not be used by any individual or in any locality where it is not legal to do so".
Another service precluded "persons under the age of 18", but if the language of the law doesn't align with that (considering emancipated persons under the age of 18, or people over the age of 18 under some form of guardianship), would a California carve out still be required for compliance?
"Designed by Apple in California, not for use in California" would be quite the statement.
FWIW, only the attorney general can bring cases, not district attorneys or individuals.
And the state AG can only bring a civil case, with fines limited in proportion to the number of actual children affected by the non-compliance.
And for most applications, compliance is as simple as calling the relevant API and throwing away the return value, because most applications aren't doing anything that is already required by law to have age restrictions.
and you are 100% sure none of this will change suddenly, and are willing to bet you have the money to defend yourself in case you are sued wrongly, perhaps, but still need to provide a lawyer to defend yourself, on your own dime? ballsy move.
> and you are 100% sure none of this will change suddenly
Yeah. We're talking about a law that's still over a year from taking effect. It's not going to be replaced by one having the opposite effects overnight with no warning.
> and are willing to bet you have the money to defend yourself in case you are sued wrongly
Since I don't develop or distribute applications or operating systems that are used by children, let alone software that would be legally required to behave differently when the user is a child, I'm quite confident that any lawsuit targeted at me by the State of California's elected AG would be laughed out of court at the first hearing, and I'd probably have plenty of offers of pro-bono representation. And I wouldn't even need a lawyer to help me ask to see the evidence that a child was affected by the non-compliance of the software I didn't write, and if a court did somehow get convinced, I could survive being fined the maximum fine for negligent violations with respect to at least several children. And I'm not at all concerned about receiving an injunction to not do something I'm already not doing.
Any law could be amended, or abused. Not having a law can make prosecutorial misconduct easier. I don't see anything in this law that seems more ripe for creative misinterpretation and abuse than is typical, and I don't think it likely that a California state court would cooperate with an egregious attempt to abuse this law.
You seem to be having a reaction to this law that would be triggered by being confronted with any law that isn't specified with the precise mathematical rigor necessary to appease a compiler.
Four of the biggest OSes (iOS, macOS, Android, and Chrome OS) are made in California by the companies who pushed this legislation through. Never going to happen.
Annoyingly? Ironically? The best technical implementation of this law would be to make it possible for the "device owner" to tell the OS to set a flag that the user was under age. Never send the age, never send anything else. Just have a global variable indicating that the user is under age that can be accessed by the browser.
Now what would happen after that?
First oses would have to implement the above in a way that could not be bypassed, pretty much impossible if the child has access to the device.
Then you would need to require that websites honor that token or any similar token no matter how it was implemented ... https MITM etc. good luck with that.
Finally once all the implementation and enforcement hurdles are complete every website out there would immediately know that the user browsing was a child and all the trackers and ad networks on the web would immediately start targeting those users because children are marks.
Now you need even more laws and regulations to protect the children from being targeted by advertising companies, and good luck with enforcing that.
This is what I was hoping for when I read one of the comments. It's okay if the child can technically bypass the flag. That's what the parent is for, to regularly monitor their child's device. But I am a parent with a technical background so this works for me, selfishly, I have no idea how it will work for everyone else.
But once again, I'd like to bring up my preferred solution for this problem. Ban "smartphone" (precise meaning TBD) for minors in public spaces. My belief is that it will disrupt the dopamine hits enough that it doesn't become addicting and kids don't rely on it completely to function socially. And just having it in legislature will serve as a starting point for parents to discuss the topic more openly, which will help with the network effects. Parents don't have second thoughts on why cigarettes or drugs or alcohol is bad for children, they just are, and whole groups of parents can collectively agree that their children and friends of their children should not be using them. I hope to see the same for "smartphones".
Stallman was, once again, right. We need free software and hardware more than ever because of idiotic laws like this. Because of the decentralized development model, there is no single company or developer that can be unfairly targeted and coerced into adding anti-features such as age verification or encryption backdoors. California can shove its requests where the sun don't shine.
It is indeed strange that California suddenly became a lobbyist's paradise. Louis Rossmann doesn't have an infinite number of time available and he is more an East Coast person, even after having left New York, but it would be really interesting to see which lobbyists drafted that law. It will probably be copy/pasted to more states soon.
I'm almost certain we will live to see "they can't fine all of us" get torn to shreds in real time as government language models patrol the 'net for software projects that lack an age verification call.
Why, we could even see a legal requirement for code repositories to run one themselves, constantly scanning for compliance. That way the compute cost is offloaded properly on the citizenry :)
All open source projects should withdraw immediately from the United States, IP-block all USA downloads, and headquarter themselves in sensible countries without such laws. Any state having these laws means they can drag you into their courts for violating them.
When will the AI bubble pop already? Things seem to just get worse
How is this related to the AI bubble?
Incredible that California lawmakers choose to deliberately ignore the entire tech industry (that brings California its revenue.)
Did they? Or is it regulatory capture? MS is really pushing their online MS account thing, Apple and Google already have online accounts associated with your OS profile. It feels a lot like regulatory capture...
Sacramento legislature is a "small town", insular, corrupt lobbying crucible that mostly does whatever it wants and whatever people with money and social media followings say.
[dead]