So, I have actually read the text of California law CA AB1043 and, honestly, I don't hate it. It requires operating systems to let you enter a date when you create a user account and requires a way for software to get a coarse-grained approximation of this that says either 'over 18' or one of three age ranges of under-18s. Importantly, it doesn't require:
- Remote attestation.
- Tamper-proof storage of the age.
- Any validation of the age.
In short, it's a tool for parents: it allows you to set the age of a child's account so that apps (including web browsers, which can then expose via JavaScript or whatever) can ask questions about what features they should expose.
In a UNIX-like system, this is easy to do, with a tiny amount of new userspace things:
- Define four groups for the four age ranges (ideally, standardise their names!).
- Add a /etc/user_birthdays file (or whatever name it is) that stores pairs of username (or uid) and birthdays.
- Add a daily cron job that checks the above file and updates group membership.
- Modify user-add scripts / GUIs to create an entry in the above file.
- Add a tool to create an entry in the above file for existing user accounts.
This doesn't require any kernel changes. Any process can query the set of groups that the user is in already.
If a parent wants to give their child root, they can update the file and bypass the check. And that's fine, that's a parent's choice. And that's what I want.
I like this approach far more than things that require users to provide scans of passports and other toxically personal information to be able to use services. If we had this feature, then the Online Safety Act could simply require that web browsers provide a JavaScript API to query the age bracket and didn't work unless it returned 'over 18'.
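Added example, not part of the original post and not any project's code: a sketch of the daily job the post describes, which reads the birthday file and works out the group changes needed. The group names, the username:YYYY-MM-DD line format and the 13/16/18 bracket boundaries are assumptions.

```python
import grp
import subprocess
import sys
from datetime import date

# Hypothetical group names; bracket boundaries 13/16/18 are an assumption.
BRACKETS = [(13, "age-under13"), (16, "age-13to15"), (18, "age-16to17")]
ADULT_GROUP = "age-18plus"
ALL_GROUPS = [g for _, g in BRACKETS] + [ADULT_GROUP]
BIRTHDAY_FILE = "/etc/user_birthdays"  # assumed format: username:YYYY-MM-DD

def bracket_group(birthday, today):
    """Group for the age in whole years (29 Feb birthdays tick over on 1 Mar)."""
    not_yet = (today.month, today.day) < (birthday.month, birthday.day)
    age = today.year - birthday.year - not_yet
    return next((g for limit, g in BRACKETS if age < limit), ADULT_GROUP)

def parse_birthdays(text):
    """Parse the file body; blank lines and '#' comments are ignored."""
    entries = {}
    for n, line in enumerate(text.splitlines(), 1):
        user, _, iso = (part.strip() for part in line.partition(":"))
        if not user or user.startswith("#"):
            continue
        try:
            entries[user] = date.fromisoformat(iso)
        except ValueError:
            print(f"{BIRTHDAY_FILE}:{n}: bad date, entry skipped", file=sys.stderr)
    return entries

def plan_changes(birthdays, membership, today):
    """Return (flag, user, group) steps leaving each user in exactly one group."""
    plan = []
    for user, birthday in sorted(birthdays.items()):
        wanted = bracket_group(birthday, today)
        for group in ALL_GROUPS:
            present = user in membership.get(group, set())
            if present != (group == wanted):
                plan.append(("-d" if present else "-a", user, group))
    return plan

if __name__ == "__main__":  # run daily from cron, as root
    with open(BIRTHDAY_FILE) as f:
        birthdays = parse_birthdays(f.read())
    members = {g: set(grp.getgrnam(g).gr_mem) for g in ALL_GROUPS}
    for flag, user, group in plan_changes(birthdays, members, date.today()):
        subprocess.run(["gpasswd", flag, user, group], check=True)
```

If the birthday file is readable only by root, unprivileged processes can see the bracket through group membership but not the date behind it.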
katzenberger
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •Do Not Obey in Advance
On Tyranny Project
Dave Rahardja
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •
David Chisnall (*Now with 50% more sarcasm!*)
in reply to Dave Rahardja • • •@drahardja The law doesn't specify a particular implementation, it specifies only that:
In particular, it doesn't specify what that API is, but does specify that it must be coarse-grained (giving no more information than the four age ranges, and not giving the precise age or date of birth).
Dave Rahardja
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •So I also read the text leginfo.legislature.ca.gov/fac…
I have MANY issues with how poorly defined many of the terms are in the document (e.g. is a website an “application”?), and how it still holds developers liable for verifying the provided age information (“internal clear and convincing information…that a user’s age is different”), but…
The part that to me implies implementation is that there is no leeway for the OS to *under*-report the account’s age group, e.g. reporting that a user is younger than they actually are—strictly, they are liable for civil penalties either way. This implies that the OS *must* collect the user’s date of birth and store it somewhere, and derive the age bracket from that date on a daily basis (like your algorithm says). This means that it’s not enough for a parent to set up an account as “13–16 years old” and leave it at that forever.
IMO the fact that the OS *must* collect a child’s birthdate to comply is an erosion of privacy.
Bill Text - AB-1043 Age verification signals: software applications and online services.
leginfo.legislature.ca.gov
Diane
in reply to Dave Rahardja • • •@drahardja
Is anyone suing to block this bill?
Dave Rahardja
in reply to Diane • • •
Diane
in reply to Dave Rahardja • • •@drahardja
I just did a belated write to my rep about
CA AB1043
leginfo.legislature.ca.gov/fac…
But it's been signed. So the next step is to get it blocked.
Is the @eff doing anything to sue to block it? Maybe @conservancy for the difficulty for community Linux supporting this?
One bullshit solution is:
"(f) This title does not apply to any of the following:.
(3) The delivery or use of a physical product"
So, time to bring back Linux on physical media?
Shall people distribute epub zines?
Also the law says it applies to stores? What is a store? Is the Debian archive a store? Flathub might be what's most in trouble.
What about guix? That's just a giant git repository?
Dave Rahardja
in reply to Diane • • •
Diane
in reply to Dave Rahardja • • •@drahardja
So here's some Linux people trying to make a compliant implementation.
mastodon.online/@danirabbit/11…
Danielle Foré (@danirabbit@mastodon.online)
Danielle Foré (Mastodon)
Diane
in reply to Diane • • •@drahardja
Here's the Debian legal thread arguing about California OS level age signal law.
So far no lawyers have commented.
lists.debian.org/debian-legal/…
debian-legal Mar 2026 by thread
lists.debian.org
Dave Rahardja
in reply to Dave Rahardja • • •In fact the text says so:
“Provide an accessible interface at account setup that requires an account holder to indicate the birth date, age, or both, of the user of that device for the purpose of providing a signal regarding the user’s age bracket to applications available in a covered application store.”
REQUIRES is the key word here. There is no reason why a birthdate (or age, but I don’t know how an OS provider can *strictly* comply with this bill without the actual birthdate) is needed to create an adult account, but it will still be required.
Can’t wait to enter my birthdate into my Samsung Smart Fridge (it has apps, so it’s an OS, maybe, probably). Surely it won’t be abused in any other way.
Ironically, the bill says that the OS provider “shall not share the digital signal information with a third party for a purpose not required by this title” but says nothing about sharing the actual birth date that I entered.
This is not a good bill.
Patrick Loftus 🖖
in reply to Dave Rahardja • • •@drahardja Tizen OS - a Linux based OS by Samsung.
Hold on, need to verify my age so I can open my fridge and drink my Mountain Dew Verification can before losing access to my devices.
Pseudonymous
in reply to Dave Rahardja • • •@drahardja
There are multiple humans with the same legal name and everyone hates giving what they think is real identifying information, so to look someone up in local police databases they use the birthday to tell you apart.
Petr Menšík
in reply to Dave Rahardja • • •
Ludwig Vielfrass
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •And then another state or country passes a law that requires four age ranges, or another one that requires two, but they do not map nicely to the three CA requires.
You have now replicated another timezone mess.
Arcaik
in reply to Ludwig Vielfrass • • •
Petr Menšík
in reply to Arcaik • • •
Riley S. Faelan
in reply to Arcaik • • •@Arcaik 18 is the closest there is to a standard, due to the Convention on the Rights of the Child, which establishes 18 as the default age of majority (but still allows it to be overridden by local laws). A curious example of another value leaking is how, because 16 used to be the age of majority in Netherlands for a long time, a lot of medical guidelines for trans youths, even in other countries, used to adopt 16 as an explicit age that a person would be able to consent to their gender (until the GOPnik bullies decided to start picking on trans women and children after the Oberge fell).
@lerxst @david_chisnall
⠠⠵ avuko
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •
Graham Sutherland / Polynomial
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •
brib
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •Sensitive content
My main worry that it will be some sort of gateway for further age verification creep. We're seeing this in the UK where the OSA, having failed to achieve any of its actual objectives (as many of us predicted a few years ago), is now being extended to incorporate broader-scope social media bans and even VPN bans.
Similarly the AV lobby could say that simple age attestation isn't accurate enough and start to demand more intrusive monitoring. Idk if that's far-fetched (maybe it is), but the situation in the UK does not make me hopeful for these kinds of laws
SeanBurlington 🌈 🕊️
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •parental controls on most things are really broken - just badly thought through - lacking integration with each other - and plain buggy.
I think that effective regulation which actually required well functioning parental controls would be a game changer.
Verena Starwalker
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •I'm going to disagree. Very vehemently.
This is just a foot in the door to surveillance. You of all people should know better than to defend this.
Sure it's this now, but at some point, it will become like every other system so far.
Patrick Loftus 🖖
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •So we build yet another layer for users to select Jan 1st, 1970?
Seems like an enormous waste of time.
How about parents parenting?
I agree with you building something that is easy to bypass and doesn’t require storage of PII is much better than the uploading of secure documents but in this case not making a change is also superior.
Parents adding their children to the sudoer list? Does any parent capable of this require an age verification system to assist them?
Pseudonymous
in reply to Patrick Loftus 🖖 • • •@pwloftus
This is just 2FA all over again. Some #Boomer that's a federal judge says, ''you can't follow them until you have two confirmed data points,'' then the plaintiff/defendant runs around with their new two-factor identity service.
🤷 
nothacking
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •Local filtering is definitely the way to go here. Do I want parental controls to be legally mandated? Ehhh... Do I want to hand over my ID to 50 companies just to use the internet? Absolutely not.
It seems like the lawmakers actually thought about the privacy implications: Only 2 bits of information are ever disclosed and there's nothing stopping you from putting in a fake data (or rm-ing the file...).
Although I do think it should be implemented as a list of allowed content instead of an age: Having nothing allowed before 18 and everything allowed the day after seems arbitrary to say the least.
Kevin Boyd (he/him) 🇨🇦
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •
undead
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •It also covers:
1798.500 (e) (1) “Covered application store” means a publicly available internet website, etc..
So, a private forgejo site could be held liable for every download of curl. I mean, if they didn't trap for an age signal that isn't defined yet by the law. If the store serves apps and libs, or software that are dependencies, then that is a huge legal mess waiting to hit a small project or solo dev at $2500-7500 a download.
undead
in reply to undead • • •That means a lot of open source app stores may need to be completely reworked. And forges/repos. And every bit torrent client.
Dependencies on apps that also double as non-covered applications now will need to be age gated.
Developers will need to know their legal liabilities in distributing every single executable they publish.
So, depending upon who is enforcing it, this shouldn't be a problem. 🫠
Peter H. Fröhlich
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •
Frost, wolf of winter 🐺🎄
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •That's surprisingly not that horrible.
For /now./
Still a bad precedent to set, though.
Bill Zaumen
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •One problem with the law is that one section says: “Covered application store” does not mean an online service or platform that distributes extensions, plug-ins, add-ons, or other software applications that run exclusively within a separate host application. But another says: A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.
It's confusing (more)
Bill Zaumen
in reply to Bill Zaumen • • •
dasgrueneblatt
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •
Murteza Yesil
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •That is a brilliantly simple, and sensible way to approach this. Let parents/guardians set things up for their kids.
But the issue politicians will find with this approach right away is that it gives control away. We can't have that. It is governments' job to parent kids, not parents' job.
Van Sice
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •All of this assumes good faith on the part of the website. But, if you are a predator looking for children, why wouldn't you actively seek out this signal? I have to be honest, there are way too many bad faith actors for me to see this as a good idea.
Some of them are lawmakers themselves. Here in the US, we don't manage to prosecute them.
Paul SomeoneElse
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •to do that ?
Vincent Sparks
in reply to Paul SomeoneElse • • •
Paul SomeoneElse
in reply to Vincent Sparks • • •"doesn't have the bandwidth to...store a file of birthdays and run a service to allow programs to query the user's age?"
Correct. Does not have the bandwidth or need or desire to change their OS to do that. That was my question.
Vincent Sparks
in reply to Paul SomeoneElse • • •
Paul SomeoneElse
in reply to Vincent Sparks • • •"I'm not convinced it takes that much bandwidth"
I regret engaging.
Paolo Redaelli
in reply to Paul SomeoneElse • • •
Vincent Sparks
in reply to Paolo Redaelli • • •@paoloredaelli
I knew @pkw was talking about developer bandwidth, and I'm not convinced it takes much of that either.
Paolo Redaelli
in reply to Vincent Sparks • • •
kramaker
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •It doesn't matter how inoffensive it might seem now. 1) It won't remain that way, and 2) politics and politicians should not be designing nor mandating requirements in software when maybe 1 in 10,000 of them have any understanding whatsoever of how what they're dabbling in works (and, perhaps more importantly, often fails to work).
The formerly lesser-evil Democrats in their misguided zeal to legislate utopia, now by dabbling in technology design, are pushing me into the arms of the anarchists.
Chris Dolunt ☀️🌱⚙️📖🎲
in reply to kramaker • • •(opens arms)
Petr Menšík
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •
Petr Menšík
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •
numanumayey
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •@mullvadnet
invidious.nerdvpn.de/watch?v=f…
#andthen
tle, tarragon; a series of short charges
invidious.nerdvpn.de
ottO
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •
minus9
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •
Endareth
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •
Shawn Webb
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •gecos field in /etc/passwd? Or is that not sufficient?
M3OW
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •
Винт Прокс
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •
Jocelynephiliac
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •
Arthfach 🐻
in reply to David Chisnall (*Now with 50% more sarcasm!*) • • •There's honestly nothing good about the law, if you want to talk in a serious way. I have also read the text of the law and it is plain and simple overreach.
Parents already have mechanisms for controlling what their children are exposed to. Up to and including strictly supervised access and "child friendly" DNS providers, among other things (although I admit with DNS over HTTPS, that at least can be fairly trivially circumvented if the child knows how and is unsupervised enough to do so).
What the ideal solution would be is a voluntary system that parents can OPT IN to, but is opt out by default, that would allow for an age range reported to supported providers. Not mandatory - choice.