Reaction 1: how would this even work with embedded systems that have no UI to input this data?
Reaction 2: it's open source, make the lawmakers do submit the changes.
Reaction 3: how would this ever be enforced? Would they outlaw downloading distributions, or even older versions of distributions? When there's no exchange of money, a law like this is seems like it would be suppression of free speech.
Reaction 4: Someone needs to maliciously comply, in advance, on all California government systems. Shutdown the phones, the Wi-Fi, the building access systems, their Web servers, data centers, alarm systems, payroll, stop lights, everything running any operating system. Get everyone to do it on the same day as an OS boycott. And don't turn things back on until the law is repealed.
While there are some enforcement questions here, especially around non commercial OSes, most of your reactions are clearly based on the headline alone.
It defines operating system in the law. This wouldn’t apply to embedded systems and WiFi routers and traffic lights and all those things. It applies to operating systems that work with associated app stores on general purpose computers or mobile phones or game consoles. That’s it.
Enforcement applies as civil fines per-child usage. So no suppression of speech by banning distribution.
(Also it’s not age verification really, it’s just a prompt that asks for your age to share as a system API for apps from above app store, no verification required)
" It applies to operating systems that work with associated app stores on general purpose computers or mobile phones or game consoles. That’s it"
Everything is a general purpose computer. Just look at how many things have been made to run doom. I haven't read the law specifically but if it actually does say this then that language is useless and means practically everything.
until you root out their friends and maliciously develop app stores for their products, then install them multiple billions of times on a docker and let them rack up charges ;) doom can run on -anything-
Is a repository on a linux machine an app store? Are custom repositories app stores? Does this mean that now most automated deployments are now not automated? If they can be automated, does that mean that having the automation by default makes sense?
The law defines a user as a child running software on a general purpose computer.
> “User” means a child that is the primary user of the device.
It’s definitely more vague that necessary, but I’d imagine courts would readily find automated software deployment by an adult or corporation does not constitute a child using the device. Especially if done for servers or a fleet. Because then it’s pretty obvious that a child is not the primary user of the computer nor the software. Even if that software is a server that involves childish activities (eg game servers).
But I’d imagine that Linux package managers associated with a desktop operating system provider would fall under this law. And that raises questions about the software distributed by said package managers.
What’s going to happen when there’s no UI, just a shell, and they pacman -S <mything>? This law is unconstitutional based on criteria of vagueness. If they want it to stick, they need to call out the commercial app stores of Microsoft, Apple, Google, etc where a credit card is attached. Otherwise it’s too vague a term unless they define “store”.
The language in the bill says operating system “or” application store. Isn't that then implying any operating system that would download applications, even if it doesn’t come from a store. But IANAL.
Seems to me this would include TVs, cars, smart devices, etc. The Colorado version of this bill excludes devices used for physical purchase, so your gas pumps and POS systems would be excluded in CO. But I didn’t see that in the CA bill.
They’re both overly broad, ill-considered, frankly terrible bills that make as much sense as putting your birthday into a brewery site or Steam. Enter your birthday and we trust you. Now do that for every single one of those 100 VMs you just deployed…
> Reaction 3: how would this ever be enforced? Would they outlaw downloading distributions, or even older versions of distributions? When there's no exchange of money, a law like this is seems like it would be suppression of free speech.
That's not what will happen. We've already seen examples of what will happen. So let me just list them instead:
1. The Secure Boot chain for UEFI initially mandated that only OS that were signed by Microsoft would be allowed to boot on PCs where SB is enabled. This was partially rolled back after public backlash.
2. iOS devices and majority of Android devices already don't allow you to install an alternate OS or distro.
3. Platform attestation proposals like Web Environment Integrity and its Android version.
4. Mandate that every developer must register with and pay an MNC to be able to release any app on their platforms.
Basically, they'll just take away your ability to control your device in any way. Don't be surprised if it turns out that these MNCs were behind such legislations. But this legislation is especially dangerous in that it will effectively kill user-controlled general-purpose computing, even from vendors like Pine64, Framework, System76, Fairphone and Purism who are willing to offer those.
Considering the amount of damage caused by these sort of legislative BS, those who propose and vote for such bills should be investigated publicly for corruption, conflict of interests and potential treason. They should be forced to divulge any relationship, directly or indirectly, with the benefactors of these bills. On the other side, rich corporations should be banned from 'lobbying' or bribery more appropriately, in matters that they have a stake in. And they should have stiff penalties for any violations. Not those couple of million dollar slaps on their wrist. At least 5% of their annual global profits, incarceration of top executives and breaking up the company. There has to be a consequence that's uncomfortable enough, for any fairness to be reestablished. This should apply even more for those professional lobbying firms and 'industry advocacy groups'.
People also need to start strongly opposing, rejecting and condemning justifications like this that rely on the cliche tropes of CSAM, terrorism, public safety, national security, etc. None of those measures are necessary or even useful in preventing any of those. Insistence on the contrary should be treated as an admission of inability and incompetence of the respective authorities in tackling the problem. In fact, why do they assume that kids, especially teens, are unimaginative and incapable of working around the problem? They should at least be starting with awareness campaigns to get the kids and the parents on their side and empower parents to enforce parental controls, instead of reaching for such despotic measure right away. This is like banning drugs before the problem of drug addiction is addressed. Black markets exist, even for cyberspace. It will just make the problem a whole lot worse.
And finally, don't let people without clearly proven vested interests anywhere near such regulations. And choose professionals or at least competent people for taking such decisions. You can't rein in this attack on ordinary people without stemming the uncontrolled corruption in the public offices that deal with it.
Continually surprised by politicians wanting an OS to do what a parent should be doing. Why not just mandate that all devices with access control capabilities implement parental controls, and then mandate that all adults enable controls before handing a device to a minor? For devices that are incapable of user access control, the same rules as a knife, chainsaw or gun apply.
This isn’t so heavy handed. The purpose of age signaling is so that a parent can set in one place an age, and then federal privacy protections under COPPA and state protections under the AADC kick in.
Only wealthy parents (upper middle class or better) have the time or energy to do anything other than work, put food on the table, and do basic child care.
Most parents lack the technical expertise to police digital devices.
The big three will love this. They'll implement the feature, then they get to dob in Linux and friends and get them buried in regulatory lawsuits.
All three already have identity linked accounts. Windows practically shoves it down your throat on install, for example. They'll love the excuse to finally disallow web-free accounts.
It’s only enforced by the CA Attorney General, and I’d be surprised to see a threat, let alone a lawsuit, against Linux on this. Not to say this is ideal.
> I doubt the california legislature knows what a Linux even is.
All Congress critters have staff to help write the bills and fill out the policy. You can bet your sweet bippy that there are people on staff in the California legislature who know what a Linux even is.
Exactly. This is obviously targeted at these three, and in those cases will be a massive improvement over forcing every site operator to start collecting photo ID.
I love political theater, the Democrats are best at the really funny stuff, they crack me up. Stuff like Clinton going from,"I smoked pot but never inhaled" to "I did not have sex with that woman, ML." and now with, "I never saw or did anything wrong"
That is meaningless when he has no clue of what's right and wrong.
It’s clear you last poked your head out of a hole in the ground 30 years ago. Check out the iPhone and the Internet while you’re up here, they will blow your mind.
>> An operating system provider shall [...] provide an accessible interface at account setup that requires an account holder to indicate the birth date, age, or both, of the user [...]
>> “Operating system provider” means a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device.
Your hypothetical "embedded system" almost certainly neither has an account setup process in the first place, nor is it a general-purpose computing device, a mobile phone, or a computer.
> Reaction 3: how would this ever be enforced?
Pretty easily? They enforce it against the OS vendor for not providing such a process. They aren't enforcing the correctness of the age, nor are they claiming to.
> Someone needs to maliciously comply, in advance, on all California government systems.
...what? This is a law demanding compliance from OS vendors. Whose compliance is it even demanding in government systems for them to be malicious about it?
This term doesn't seem defined in the law at all. How general is general?
Graphing calculators that support apps and Python? Of course, they don't usually have "accounts" either. But to a technologist it's a "general purpose computer" insofar as it can run new code that the user loads into it, it can definitely run games that it didn't come from the factory with, etc. It's a tiny multipurpose computing device.
There's an obvious theme with lawmakers in California—they pass laws to regulate things they have zero clue about, add them to their achievement page, cheer for themselves, and declare, "There! I've made the world a better place." There are just too many examples. For instance:
- Microstamping requirements for guns—printing a unique barcode on every bullet casing (Glock gen3 cannot be retired, thus, the auto-mode switch bug cannot be patched...)
- 3D printers should have a magical algorithm to recognize all gun parts in their tiny embedded systems
- Now, you need to verify your age... on your microwave?
At this rate, California should just go back to the Stone Age. Modern technology is simply not compatible with clueless politicians who are more eager to virtue-signal than to solve any actual problems or even borther to study the subject about the law they are going to pass. There will be more and more technology restrictions (or outright bans on use) in California because it's becoming impossible to operate anything here without getting sued or running afoul of some overreaching regulation.
The incentives are all wrong. You can serve up to 6 two-year terms in the Assembly or up to 3 four-year terms in the Senate, but regardless of which combination you do, nobody in the California legislature can serve more than 12 years combined across both Houses of the legislature.
So we don’t have professional legislatures with long-term electability incentives or leadership goals, we have a resumé-building exercise that we call the legislature. They’re all interchangeable and within 12 years, 100% of it will be changed out.
That's a non sequitur. Creating long-term professional politicians is not going to create legislators competent in the various domains they legislate on. It's going to create politicians competent at being elected long term, whatever the means.
Yeah we need not look further than the 70 year old men in the United States senate/congress who have been in their seats for longer than I've been alive, making laws on technology they don't understand.
I don't know what the solution is for California, but I don't think it's that.
> So we don’t have professional legislatures with long-term electability incentives or leadership goals
Raises an interesting question of who is less popular, the Californian government or the US Senate. The experiments with long-term professional legislatures have generally not been very promising - rather than statesmen it tends to be people with a certain limpet-like staying power and a limpet-like ability to learn from their mistakes. In almost all cases people's political solution is just "well we didn't try my idea hard enough" and increasing their tenure in office doesn't really help the overall situation.
The interesting middle ground might be to prohibit anyone from serving more than two contiguous terms in the Senate or four in the House. Then if you've done your two terms in the Senate, you can run for a House seat, do three terms there and then your old Senate seat is back up for reelection. Except your old Senate seat now has a new incumbent who is only on their first term and you're running as the challenger. Meanwhile there are more seats in the House than the Senate, so if you hit your limit in the House you could go work for an administrative agency or run for a state-level office for two years and then come back, but then you're the challenger again.
The result is that you can stay as long as people keep voting you back in, but you lose the incumbency advantage and end up with a higher turnover rate without ending up with a 100% turnover rate. And you make them learn how other parts of the government work. It wouldn't hurt a bit to see long-term members of Congress do a two-year stint in an administrative agency once in a while.
Interesting idea and I do agree that contiguous is OK but total is not.
I think I'd suggest a more generous Senate term limit. Three terms (18 years) would allow for someone to see out a complete Presidential super-cycle, for example.
The word Senate is etymologically related to "senior", it's a place where you _want_ people to be able to develop a lot of institutional experience.
>The word Senate is etymologically related to "senior", it's a place where you _want_ people to be able to develop a lot of institutional experience.
I’m not disagreeing with the rest of your comment, but I’m going to challenge the notion that this etymological connection carries meaning. The word comes from Roman Senate, and in that context in Latin “senior” really meant people with higher status rather than age. Latin is full of these weird double meanings. Compare to seigneur in French or señor in Spanish. Also, the House of Lords in the United Kingdom.
This is an interesting idea. Would be curious to hear from someone who thinks this is a bad idea (why).
edit: I see the "term limits are anti-democratic" takes elsewhere in the comments, so I guess let me narrow the above ask to "someone who isn't opposed to term limits, but thinks this idea is flawed."
Fill the arena with HR ladies and have them do a battle royal to produce a half decent set of interview questions.
Put the electables in isolation cells fromwhere they one by one end up on the Tee Vee, give voters an app with AYE, NEY and Uhh? The questions are red by the winning HR lady but also appear on the app.
The applicant writes the fizzbuzz etc etc
Then, after the job interview, we give the job to the most satisfying candidate!
It's not necessary but I would also add a series of certificates and diplomas for the voter to show they actually have some kind of idea what the job involves. The level 1 certificate should be supper simple and easy to create. It will grant you 0.1 extra vote power. There could be as many levels as we want but to grow beyond [say] 50 votes should require a mythical effort impossible to attain for 99% while we aim to reserve the right to cast 5000 votes for 1 to 5 people with supper human abilities.
The top 20 should have to explain their AYE's and their NAY's to the Tee Vee audience.
Bold of you to assume any aspect of the California State legislature is visible enough to be more or less popular. People at least pay attention to what the US Senate does, and you know that no matter how the next election goes, the US Senate as one body is unlikely to go very far off the deep end in one direction or the other.
It is interesting that this is a mainstream existing thing in the US (at the state level), but more of a fringe proposal in the rest of the English-speaking world.
I think the answer may be that the difference in political systems (parliamentary vs presidential) and party systems (less two-party but with greater party discipline) solves many of the problems term limits are intended to solve in completely different ways.
Maybe a better answer would be for US states to adopt the parliamentary system? Although there is some debate about what the "republican form of government" clause means, it arguably doesn't rule out parliamentary republicanism, and Luther v Borden (1849) ruled the clause wasn't justiciable anyway. Added to that, the widespread practice in first half of the 19th century, in which governors were elected by state legislatures, was de facto the parliamentary system. I don't think there is any federal constitutional obstacle to trying this – it is just a political culture issue, it currently sits outside the state constitutional Overton window.
While you could adopt the Australia/Canada model of a figurehead state governor/lieutenant governor with a state premier, I think just having a premier but calling them "the governor" would be more feasible
> Maybe a better answer would be for US states to adopt the parliamentary system?
Maybe. Maybe not. I don’t think it would change outcomes as much as people would think, but to scope limit this back to California again because electoral law discussions just fucking spiral anytime there’s no geographic constraint, the root of California’s lawmaking problems is that the legislature is both poorly structured and poorly balanced against the direct democratic approach we have taken for so much of our lawmaking. I don’t think that’s inherent to the non-parliamentary system we have in place, but a result of incremental rule changes stemming from decades of ballot propositions that are supposed to solve a problem, but don’t and tend to have negative knock-on effects that fly under the radar.
Or put another way: the legislature is for legislating. It doesn’t need a competing power structure, and it doesn’t need to be balanced by anything other than a good functional Executive power and a good functional independent Judiciary. If you have that as your starting point, then maybe there’s room to discuss if there are any real advantages of a Parliamentary system instead.
A very widespread belief among political scientists is that parliamentary systems are superior to presidential systems in terms of stability and quality of governance. In fact, even the US State Department's own "nation-building" advisors tell other countries not to copy the US system (or at least they did prior to Trump, I'm honestly not sure if the Trump admin is sustaining that line or not)
Presidential systems have had a terrible run if you look at Latin America. The US seemed to be an exception to the rule, but maybe recent events have shown that the US got away with a substandard political system for so long because they had so many other advantages to make up for that, now their other advantages are weakening and the US is slowly converging with Latin America
nah, none of us. Power corrupts, pretty much any of it does - so basically we should only have power over ourselves is the only thing I can really think of.
Term limits are anti-democratic, and it's just a way for voters to not take responsibility for their voting.
A much more real issue is actually age limits. If someone starts in the Senate at 40 and serves for 24 years, term limits hardly seem to be the big issue. They are retiring at a normal time, and they should still be functioning at a high level.
Conversely, someone who gets elected at 70 and then gets term-limited at 82 is still over a normal, reasonable retirement age. The typical 82 is not in the physical or mental condition to be taking on such an important, high-stakes role.
Both of my parents are in their mid-70s and are in very good mental health for their age. They are very lucid, and my Dad still works part-time as a lawyer. They are also clearly not at the same intellectual powers they were a decade or two ago. Some of it can even just come down to energy levels. I have to imagine being a good legislator requires high energy levels.
Many public companies have age limits for board members, and they even have traditional retirement ages for CEOs. In the corporate world where results matter, there is a recognition that a high-stress, high-workload, high-cognitiative ability job is not something that someone should be doing well past their prime.
Al Gore had to leave the Apple board because he turned 75. In the U.S. Senate, there are 16 people 75 and older.
> Term limits are anti-democratic, and it's just a way for voters to not take responsibility for their voting.
That is one aspect, but not the important one. The most important element is anti-corruption. Legal bodies can always entrench themselves and their own interests. Term limits significantly weakens entrenchment...excepting when the same legal bodies inevitably gut it.
That's in fact not at all what the research says. There's a decent amount of research that suggests that they actually increase corruption. There's overwhelming evidence that they increase the power of lobbyists and interest groups.
This is a classic one of those ideas that many people intuitively "feel" makes sense but is actually just terrible policy.
> That's in fact not at all what the research says.
> There's overwhelming evidence that they increase the power of lobbyists and interest groups.
There are a lot of factors beyond term limits that influence this kind of research. The most important detail is to remember that corruption spans more than external influence. Institutional ossification has benefits and drawbacks. The drawbacks have outweighed the benefits, historically in the US and England. It was literally baked into the US Constitution to ensure this would not repeat for the US head of state. Notably the Supreme Court was baked in as a lifetime appointment. Granted, the remaining political bodies have not followed suit, I think it's clear that this has had a negative consequence due to the aforementioned entrenchment of the political parties.
> There's overwhelming evidence that they increase the power of lobbyists and interest groups.
It is incorrect to claim that is the only effect. I also don't believe that the conclusion is correct. I do believe it's closer to your initial statement.
> it's just a way for [legislators] to not take responsibility for their voting.
ie It shows a lack of care in executing the responsibilities of the elected position, which is why they barely do anything but campaign at the federal level.
It seems logical to me that a term limit could increase vulnerability to corruption in your last term. If you can't be re-elected, there is less incentive to be loyal to the people you represent.
> And yet, term limits are something many people want in the hopes that it will solve some of the problems in Washington DC.
Plenty of shitty ideas are popular based on a hope and a prayer. That’s why you don’t give in to populism. If we’re to impose any kind of limits on Congress, it has to be more intelligent than term limits.
How about, if your taxable income exceeds some multiple of the median income of your district, you are no longer eligible to represent them. It’s pretty amazing how much a representative’s income grows once they take public service positions.
if your taxable income during OR post-office exceeds (some 1,3,5 yr average) prior high watermark income, or the officeholder's salary (whichever is higher), every penny over high watermark is taxed at 99% tax rate.
That should take care of those pesky "speaking fees" and other nonsense that makes politicians rich.
How about we stop screwing around and let becoming a legislator become an attractive & competitive job and just hold our noses at the little things that make politicians as a class generally unattractive people? Like not limitless, not with total impunity, but instead of trying to micromanage our way to perfection every fucking step of the way, we accept that politicians are going to politic.
This smells like funding schools based on student test results. Won't it disadvantage the most vulnerable areas? If I live in a state with some poor areas and some wealthy areas why would the most qualified people not compete to represent the wealthy areas?
If the problem is representatives using insider knowledge to enrich themselves then just hire more Inspectors General. If the problem isn't insider knowledge specifically then make whatever allows them to get rich illegal.
Decisions should be made by people who are the most informed about the subject matter. By definition you cannot have someone who is the most informed about everything.
If someone can still keep getting people to vote for them, that’s not really an issue.
We elect the way we do and empower the way we do because it empowers voters to choose on a regular recurring basis who is going to provide oversight that way. When you start screwing around with the basis tenets of electoral democracy, you distort and pervert the value of an actual legislative seat and undermine the value of holding people directly responsible through elections.
Another good example is the ballot proposition system. Some things must go before voters—which is another separate wrong which would be righted—but apart from those, the ballot proposition also presents legislators an opportunity to outsource decision-making risk to voters where instead of having to take a chance of being wrong on a piece of legislation with a roll call vote, they can pass the risk off to State voters. If people voted on the issue directly, they’re not as empowered to hold the people who only put it on the ballot rather than making the decision as someone whose job is to make & pass legislation.
You want legislators to be empowered to serve their role in society so that they are also taking real risks every time they take a stand on an issue that risks pissing off their constituents.
> By definition you cannot have someone who is the most informed about everything.
This is not true-by-definition . It may be true, but not by-definition. If there were an omniscient person, they would be the most informed about everything.
I used to think like this but now I'm not so sure. Representatives should represent the electorate, not special interests. If someone invents a civilization destroying macguffin they are the most qualified person on that topic but we wouldn't want them to be in charge of regulating it.
I’m more curious in the genesis of these laws, whether their sponsors received written suggestions or ghostwritten bills, etc. as a form of parallel construction.
It seems all at once, everywhere that many groups that have a vested interest in forcing precedent and compliance of non-anonymous access across the computer world. It smacks of something less-than-organic.
This law doesn't do anything that prevents non-anonymous access. Here's how you would access things anonymously if you bought a new computer that implemented this.
1. When you set up your account and it asks for your birthdate, make up any date you want that is at least far enough in the past to indicate an age older that what any site you might use that checks age requires.
2. Access things the way you've always done. All that has changed is that things that care about age checks find out you claim to be old enough.
The only people it actually materially affects on your new computer are people who cannot set up their own accounts, such as children if you have set up permissions so they have to get you to make their accounts.
Then if you want you can enter a birthdate that gives an age that says non-adult, so sites that check age will block them.
From a privacy and anonymity perspective this is essentially equivalent to sites that ask "Are you 18+?" and let you in if you click "yes" and block you if you click "no". It is just doing the asking locally and caching the result.
I agree. I feel the flow of having browsers send some flag to sites is the most privacy-preserving approach to this whole topic. The system owner creates a “child” account that has the flag set by the OS and prevents the execution of unsanctioned software.
This puts the responsibility back on parents to do the bare minimum required in moderating their child’s activities.
What would be even more privacy preserving would be to mandate sites to send age appropriateness headers (mainstream porn sites already do this voluntarily).
Possibly it could be further mandated that the OS collect relevant rating information for each account and provide APIs with which browsers and other software could implement filtering.
And possibly it could be further mandated that web browsers adopt support for this filtering standard.
And if you want a really crazy idea you could pass a law mandating that parents configure parental controls on devices of children under (say) 12 and attach civil penalties for repeated failure to do so.
There's never any need for information about the user to be sent off to third parties, nor should we adopt schemes that will inevitably provide ammo for those advocating attested digital platforms.
I think you would find widespread support from the various websites out there for this. Most porn websites today voluntarily implement some type of mechanism that advertises them as not for children.
So does Google send a header for each search result when you look up "Ron Jeremy" so that some results get hidden, or does the browser just block the whole page?
Sending all the "bad" data to the client and hoping the client does the right thing outs a lot of complexity on the client. A lot easier to know things are working if the bad data doesn't ever get sent to the client - it can't display what it didn't get.
Google would send a header that it is appropriate for all ages (I'm not sure how the safe search toggle would interact with this, the idea is just a rough sketch after all).
When you click on a search result, you load a new page on a different website. The new page would once again come with a header indicating the content rating. This header would be attached to all pages by law. It would be sent every time you load any page.
Assuming that the actual problem here is the difficulty of implementing reliable content filtering (ala parental controls) then the minimally invasive solution is to institute an open standard that enables any piece of software to easily implement the desired functionality. You can then further pass legislation requiring (for example) that certain classes of website (ex social media) include an indication of this as part of the header.
Concretely, an example header might look like "X-Content-Filter: 13,social-media". If it were legally mandated that all websites send such it would become trivially easy to implement filtering on device since you could simply block any site that failed to send it.
> A lot easier to know things are working if ...
Which is followed by wanting an attested OS (to make sure the value is reliably reported), followed by a process for a third party to verify a government issued ID (since the user might have lied), followed by ...
It's entirely the wrong mentality. It isn't necessary for solving the actual problem, it mandates the leaking of personal data, and it opens an entire can of worms regarding verification of reported fact.
If browsers are going to send flags, they should only send a flag if its a minor. Otherwise is another point of tracking data that can be used for fingerprinting.
If you send a flag ever, then absence of a flag is also fingerprinting surface.
If you imagine a world where you have a header, Accepts-Adult-Content, which takes a boolean value: you essentially have three possibilities: ?0, ?1, and absent.
How useful of a tracking signal those three options provide depends on what else is being sent —
For example, if someone is stuffing a huge amount of fingerprinting data into the User-Agent string, then this header probably doesn’t actually change anything of the posture.
As another example, if you’re in a regular browser with much of the UA string frozen, and ignoring all other headers for now, then it depends on how likely the users with that UA string to have each option: if all users of that browser always send ?0 (if they indicate themselves to be a minor) or ?1 (if they indicate themselves to be an adult or decline to indicate anything), then a request with that UA and it absent is significantly more noteworthy — because the browser wouldn’t send it — and more likely to be meaningful fingerprinting surface.
That said, adding any of this as passive fingerprinting surface seems like an idea unlikely to be worthwhile.
If you want even a weak signal, it would be much better to require user interaction for it.
I'm not sure it's worth entertaining these hypotheticals. Just another absurd CA law that's impossible to comply with. "When you set up your account and it asks for your birthdate." What does this mean? "Setup" what account? "It" what? Some graphical installer? What if I don't want to use one? How would this protocol be implemented in such a way where it's not trivially easy for the user to alter the "age signal" before sending a request? The "signal" is signed with some secret that you attest to but can't write? So it's in some enclave? What if my smart toaster doesn't have an enclave? Does my toaster now have to implement software enclave? I'm not aware of a standard, or industry standards body, or standard specification, or implementation of a specification, around this "age signal" thing. Is this some proprietary technology that some company has a patent on, and they've been lobbying for their patent to be legally mandated? If so that's very concerning and probably has antitrust implications (it is ironic that ever-tightening surveillance of people is a downstream consequence of all this deregulation of corporate persons; fine for me but not for thee I guess). I would love to know the full story here, since this is being shopped around in several states, but I haven't seen any sort of investigative journalism about this which is disappointing. This whole thing is really curious.
Your toaster is not impacted. You’re turning a law that, yes, has some open questions around implementation, into a way bigger scare and conspiracy.
> operating system provider, as defined, to provide an accessible interface at account setup that requires an account holder, as defined, to indicate the birth date, age, or both, of the user of that device for the purpose of providing a signal regarding the user’s age bracket to applications available in a covered application store and to provide a developer, as defined, who has requested a signal with respect to a particular user with a digital signal via a reasonably consistent real-time application programming interface regarding whether a user is in any of several age brackets, as prescribed. The bill would require a developer to request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.
Let’s be honest here. 99% of general purpose computing devices targeted at consumers make an “account” when you setup for the first time. Even Linux if just to name a home directory. It’s pretty obvious what an account is. Especially when it only applies to bundled app stores. What App Store has no account anyways?
It allows the operating system to define the interface. No patent or proprietary system. No surveillance. The law says user interface. Not graphical interface. Do with that as you will. A OS producer who has an App Store probably has a graphical interface, but if not they surely figured out how to interface with users already.
It actually requires operating systems and developers to not abuse this data or use it for anticompetitive purposes.
There is no attestation. It’s entirely self reported and unverified.
Their definition of "app store" is a mile wide: "(e) (1) “Covered application store” means a publicly available internet website, software application, online service, or platform that distributes and facilitates the download of applications from third-party developers to users of a computer, a mobile device, or any other general purpose computing that can access a covered application store or can download an application."
Grats, github is an appstore. apt-get is an app store. You posting software on your own website is an app store.
GitHub isn’t an app stores associated with an operating system though. Your personal website is most likely not in scope. You have to put all the pieces together.
Apt… yes is an App Store run by an operating system organization (Debian org). That feels pretty unsurprising. Debian’s parent organization (headquartered in the US) probably needs to comply with this.
> Apt… yes is an App Store run by an operating system organization (Debian org). That feels pretty unsurprising. Debian’s parent organization (headquartered in the US) probably needs to comply with this.
And that right there is exactly the fucking problem. A zero profit collective “store” that publishes zero profit hobbyist “apps” is now going to have to invest in some kind of harebrained compliance scheme that will only grow from here.
In a couple of years is my “app” in Debian’s store going to require some goddamn TPS report and certification to tell California that everything is above board? It’s incredibly likely! By itself this law does nothing but lay the groundwork for regulation of “apps”, which by itself might be acceptable, but including FOSS distribution channels and hobby apps in the scope of this law is nothing short of evil. It’s laying the groundwork for a frontal assault on FOSS, and if you don’t see that then I don’t know what to tell you.
My guess is that Linux wasn’t extensively considered in the writing of this law, but when the next stage comes along and people start complaining, legislators will shrug and say “oh well, they need to comply”—and lobbyists for the big 3 proprietary software firms will back that position up. This is setting up a killshot for consumer Linux.
> This bill, sponsored by the International Centre for Missing and Exploited Children and Children Now, seeks to require device and operating systems manufacturers to develop an age assurance signal that will be sent to application developers informing them of the age-bracket of the user who is downloading their application or entering their website. Depending on the age range of the user, a parent or guardian will have to consent prior to the user being allowed access to the platform. The bill presents a potentially elegant solution to a vexing problem underpinning many efforts to protect children online. However, there are several details to be worked out on the bill to ensure technical feasibility and that it strikes the appropriate balance
between parental control and the autonomy of children, particularly older teens.
The bill is supported by several parents’ organizations, including Parents for School Options, Protect our Kids, and Parents Support for Online Learning. In addition, the TransLatin Coalition and The Source LGBT+ Center are in support. The bill is opposed by Oakland Privacy, TechNet, and Chamber of Progress.
> It seems all at once, everywhere that many groups that have a vested interest in forcing precedent and compliance of non-anonymous access across the computer world. It smacks of something less-than-organic.
I think you’ve nailed it here. How many of these people campaigned on this issue? Where were the grassroots to push this? Where did this even come from?
Somebody, somewhere - with a heck of a lot of money - wants to see this happen. And I don’t think they have good intentions with it.
Conservatives discovered a cheat code to get: (a) people to have to identify on the computer everywhere and (b) control what they can do with and without this identification.
Death threats mainly. Personally I think it would be easier if they just made it so that platforms ran a tiny LLM against the content that will be posted - determined if it is a death threat, then require them to be identified before it's posted, then it would solve a lot of these problems.
TLDR: Evil people be doxxed internally not everyone.
These days the name "LLM" refers more to the architecture & usage patterns than it does to the size of model (though to be fair, even the "tiny" LLMs are huge compared to any models from 10+ years ago, so it's all relative).
If a platform decides to require an account to post, or requires your message to pass an LLM sniff test before publishing it, you can break all the rules you want but your message won't be visible to others on said platform.
I assume you mean EU directives and not Belgian law, and the thing is it's incredibly hard to pass an EU directive, it needs to originate in the Commission, then pass qualified majority in the Council then pass a vote in the Parliament. Nothing without a broad consensus can get anywhere near.
The old people's tolerance for general problems is why the general problems persist.
A realistic dynamic is the old people are comfortable with the general problems and have positioned themselves to benefit from them. Indeed, they solved the general problems that troubled them in their youth with political activism in their middle age. The young people have different political needs that require general problems to be solved.
Also young people have a terrible track record of actually identifying problems, they are pretty clueless in the main.
> they pass laws to regulate things they have zero clue about
While you are correct with this statement in this context, I would say it applies to most things in government in general.
The vast majority of lawmakers have zero experience solving any real world problems and are content spending everyone else's money to play pretend at doing so.
The reality is, most government "solutions" cause more problems than they solve, after which, they blame their predecessors for all the problems they caused and the cycle continues.
> The reality is, most government "solutions" cause more problems than they solve
The "reality" is that propaganda heavily encourages you to ignore the government successes and only focus on the failures. I'll leave it as an exercise for the reader to determine who benefits from that.
> I know that the next step is you explaining why these don’t count, or saying “wow only 3” or whatever, but
Oh, there's more: Medicare, Social Security, the highway system.
The whole food/medicine regulatory system is also a big one, and it's the reason a lot of US (and European) products like baby formula are imported into China, because they can be more trusted.
My bet is the GP's going to weasel out using his "that people willingly buy" language. The flawed assumption there is the government should be conceptualized as just another company selling in the market, when the government's actual role is very different.
As with anything, they are all things that could be done better by a company.
Airlines are a great example of this. They have changed very little in the last 30 years (again, thanks to all the government regulation and red tape).
Smartphones, TVs, (and literally anything else not in the hands of the government) has also seen rapid improvements.
Anything the government handles is always rife with overspending, inefficiency, and corruption.
A company must maintain profitability to stay alive.
The government on the other hand, is $38 TRILLION dollars in the red.
Yes, the things that "people willingly buy" are the literal engine that makes all of this possible. It is not the reverse.
> As with anything, they are all things that could be done better by a company.
No
> Airlines are a great example of this. They have changed very little in the last 30 years (again, thanks to all the government regulation and red tape).
And thanks to regulations, we have less airline accidents than ever. Private companies are more than willing to "externalise" any accidents from cutting costs otherwise.
> Smartphones, TVs, (and literally anything else not in the hands of the government) has also seen rapid improvements.
So does government funded medical research, which improves the quality of life of people corporations deem "unprofitable".
> Anything the government handles is always rife with overspending, inefficiency, and corruption.
Because large corporations and rich donors lobby them to do so.
> A company must maintain profitability to stay alive.
So does a government, debt only lasts as long as the lender believes in your ability to pay it back.
> The government on the other hand, is $38 TRILLION dollars in the red.
And which of the Mag7 are not in debt? I remind you that if you wish to compare the USA to companies, they are literally an entity of over 300,000 people. No company employs that many people.
> Yes, the things that "people willingly buy" are the literal engine that makes all of this possible. It is not the reverse.
No, government enforced order is what allowed the engine to exist to begin with. No one would innovate if their IP could not be protected, and we would regress back into cartels if the government could not enforce private property.
The prosperity of the modern world is build upon a foundation of solid governance.
When I ship packages, I could choose to use a service other than USPS, but I don’t, because USPS is generally cheaper and more reliable.
I strongly prefer Medicaid to my employer-provided healthcare plans because of ease of use, and if I were allowed to I would willingly pay more money into it, either via taxes or direct premium payments, when I am making too much income to qualify.
I gladly give money to the NPS every year, even though I have a choice to pay for a private campground, or other public lands agencies.
I answered the question. You can choose to believe I didn’t all you want.
Oh yeah. I feel sooooo good dealing with Comcast. At this point in life, I spent more time on the phone with Comcast support than I ever spent time in various DMV offices.
> A company must maintain profitability to stay alive.
Yeah. And once it becomes a monopoly (like Comcast), it can just keep raising prices.
Not here. It's a natural monopoly, just like sewer lines or electric transmission.
Where I live now, I paid $50k to get a private fiber optics line just not to deal with Comcast anymore. There were no other options. We _might_ get AT&T fiber, eventually.
It has not been a monopoly here for the last 2 decades (at least). There also was Wave Broadband nearby they serve some high-rise buildings, I got a private business-class line from them.
But it was not profitable for them to expand normally. They can't offer drastically cheaper service than Comcast, the installation costs in cities are huge. I also have Starlink as a backup, and it's even slower than Comcast.
So yeah, government actually works better than commercial companies for most infrastructural needs. And in particular, municipal broadband is usually head-and-shoulders better than anything from large commercial companies. It has higher consumer satisfaction ratings and is cheaper on average.
Have you ever called the DMV? In my state it's worse than Comcast. 45min wait time when the lines open in the morning, only increasing from there.
I "owe" Comcast $200. They say I didn't cancel at an old apartment. I say I did. I have the email. They insist. They've sent me a letter once a year for a decade. About 2yr in it went to collections. They're still trying.
Imagine the consequences if I did that with government.
Say nothing of the fact that if I tried to pay it, Comcast would be able to take my money no problem. The government would take a check, ACH or charge me $5 to use a buggy 3rd party CC processing service.
Well, ask your state to fix the issue. Perhaps elect better politicians? The states where I lived all have online booking.
And their websites are well-designed and functional. There are customer support emails and phone numbers.
> Say nothing of the fact that if I tried to pay it, Comcast would be able to take my money no problem.
About that... A couple of years ago I got locked out of AT&T because I forgot to update my credit card. And I couldn't log in because it required a (you guessed it) one-time SMS password. Their "pay your bill" needed a bill number, for which I needed to log into their website.
Their fix? Visit the store.
> Imagine the consequences if I did that with government.
A couple of years ago I accidentally overpaid the IRS (I paid the capital gains tax twice, as it was already deducted during the sale by the broker) to the tune of $10k. A year later, they sent a letter asking me for clarifications. I called them, and they sent me a refund check.
> The government would take a check, ACH or charge me $5 to use a buggy 3rd party CC processing service.
This discussion about the purpose of government is valid as a way to disagree with the "willingly buy" language, but it's still true that most of those examples don't answer the question and to refuse them is not "weaseling out".
> but it's still true that most of those examples don't answer the question
That's because the question is bad. It was meant to challenge the benefit of government, and a non-answer was meant to be interpreted as "government < business." But at its core is was fundamental misunderstanding of government, so if the question was answered mindlessly, it was unfairly biased towards the asker's biased conclusion.
> and to refuse them is not "weaseling out".
It'd be weaseling out of the faults of the question.
The proto-Internet. GPS. Nuclear energy. MRIs. Fracking. The Human Genome Project. Fiber optics. Optical data storage. Jet engines. Heck, the entire space industry. Lithium ion batteries. Radar. Night vision technology. Modern lower limb prosthetics. Just off the top of my head
Jet engines - Frank Whipple (England) and Franz Ohain (Germany) invented them. In both cases the governments were not interested in them until flying jet aircraft were demonstrated. Lockheed was ordered by the government to abandon their jet engine project and focus on piston engines instead (which resulted in the US having to get started on jet aircraft by buying British machines).
Human genome - J. Venter was the first to sequence the human genome, privately funded.
the entire space industry - Liquid fuel rockets were pioneered by Goddard, through private funding.
Radar - originated from late 19th-century experiments on radio wave reflection, pioneered by Heinrich Hertz in 1886. While Christian Hülsmeyer patented a "telemobiloscope" for ship detection in 1904
The proto-Internet - Pioneered by Samuel Morse, see "The Victorian Internet" by Tom Standage. Privately funded.
Whittle (Whipple is a painter) "invented" the jet engine while serving in the RAF, so technically not privately funded at the point of invention. There was private funding used later to create prototype engines.
Quite a stretch to say the Atomic Bomb was privately funded!!!
The original Whittle engine was developed with private funds.
From "The Development Of Jet And Turbine Aero Engines" by Gunston:
pg 123: of which £200 came from an old lady who ran a corner shop near Whittle's parents in Coventry
pg 123: But a direct request to Air Ministry for a research contract in October 1936 brought flat rejection,
pg 124: Whittle could see that the only possible way to proceed was to take the gigantic gamble of running a complete engine.
pg 125: Indeed, there was little money for anything. While the RAF backed Whittle in every way they could - for example, by not requiring him to take the usual examination for promotion to Squadron Leader - the Air Ministry contributed nothing to Power Jets until May 1938, and Whittle had to watch every penny. He nearly cracked under the strain, which in fact was to get worse for seven years, not because of the Problems in developing the engine, but from the suspicion and enmity with which he was regarded by officials and manufacturers, and by the outrageous behaviour of the Company picked by the Air Ministry to produce his engine.
I see Massachusetts as sort of the non-insane liberal counterpoint to California.
Things work here and nobody seems to be passing the "oops my unintended side effects and clueless regulations messed things up horribly." Or, if they do, it is at something like 1/10th the level.
We didn't start warning label spam everywhere. We don't have weird propositions that are causing run-away housing prices. There aren't bar codes on our 3d printers, or cookie banner requirements on every website. Well, ok we do, but that nonsense all came in from other places.
We did pass laws to lower PFAS/PFOAS. That seems reasonable. Government can work.
> We don't have weird propositions that causing run-away housing prices.
Most of those are a reaction rather than the cause. People want to move to california, it creates a different set of problems for california vs Massachusetts
MA legislature is too busy enriching themselves with back room dealing to f the state up too much.
I wish I was joking. They get audited yet? Pretty sure that was a ballot measure that passed by a huge margin years back and last I checked they were stalling...
I mean, sure, but all those things I named don't seem to be scale induced? They seem to all stem from clueless regulation, which is as simple as not not signing silly laws? I'm missing where scale plays into the items I mentioned.
most government "solutions" cause more problems than they solve
Zero basis in fact. We’re in the wealthiest nation on the planet. Most of us live better than any previous generation. To claim all that success is completely in spite of government is ridiculous.
Have you ever looked at a dollar bill in your life.
Who do you think printed it. Who signed the bill?
The US can just print money and receive goods in exchange of literal paper. Or just put an extra zero in a bank account and receive goods in exchange.
And if a certain yahoo decides they want in the money printing scheme...who do you think is going to send the goons with guns to prevent the government monopoly in creating literal wealth.
It's true, and yet there are real market failures that even a very ineffective government can improve on dramatically, like innovation & research output via basic science.
> - Microstamping requirements for guns—printing a unique barcode on every bullet casing (Glock gen3 cannot be retired, thus, the auto-mode switch bug cannot be patched...)
I don't know much about guns, but I assume that would be on the hammer? Couldn't you remove that "microstamping" by lightly filing down the hammer or just using it a bunch and causing some wear?
For most modern guns, it would be the firing pin, also called the "striker". Nobody manufactures microstamped guns, but if they did, the striker is a $20 part you can replace in ten minutes - or you could just spend half an hour on target practice at your local range, because 200 rounds are apparently enough to wear the etching down to illegibility.
This is exactly it, it’s death by a thousand stupid cuts by throwing everything at the wall and hoping that something sticks. They know that many of these laws won’t pass constitutional scrutiny, but by the time they make their way to the Supreme Court, the damage will be done and 10 new stupid laws will take their place. The anti gun lobby has been doing the exact same thing for years.
And what part makes you think you need to verify your age, as opposed to just specifying it? Nobody is requiring any verification. The only requirement is on there being an interface for you to input whatever age you want to input.
It's not a coincidence the equally clueless citizens are asking for these laws. Like in business, sometimes it's better to do "some thing" when you're not smart enough to do the right thing. Maybe you get there, maybe you don't, but inaction is not looked upon kindly.
i did not even think of that! As the current law reads, will smart devices with OSes require age verification? Many IoTs are just tiny Linux versions running on a small processor. This makes all smart GE washing machines, dryers and refrigerators illegal in California.
come to think of it, maybe there is something good about this law. :D
So essentially California is becoming more and more like EU? It's curious to see how it pans out. Maybe EU's model turns out to be better than a more laissez-faire world like the US. Who knows.
What's even more curious is that the California voters seem not care at all. As long as the government can collect more taxes with more altruistic slogans, the voters will stay happy.
Some people think all problems should be fixed with regulation.
Some people think all problems should be fixed with free market / responsibility.
California and liberals tend to lean to the former. A place like Texas and conservatives tend to lean to the latter.
I think both camps are crazy because it’s a case-by-case basis where you need to consider second and third order effects. But man talk to a die hard regulation supporter or die hard free market supporter and you just want to say “the world isn’t just simple rules like that.”
What I'm reading of this law is that it requires OS developers to require users select their age (really their age bracket) when making a user account, and an interface for applications/websites to read that user-provided field. I.e. not age verification, but just a standard way to identify if a user is on a child account. If that understanding is correct, how is this bad at all? It's a way to put to rest people's concerns and pearl-clutching over children accessing adult content without every individual app and service provider contracting with Palantir to scan you and guess your age. Instead they can just read the IsAdult header and call it a day. What's the cost to user-freedom? You have to be presented a Date of Birth field or I Am an Adult / Teen / Child selector when setting up a device... a thing that every operating system impacted by this law already does.
Why should it be law? I am a developer in California, and a long time Linux nerd. If I were to release a hobby on my GitHub for fun, without age verification, am I now subject to fines? Imprisonment? Why should their be a legal requirement?
As with any law like this, it should apply to systems made for normal end-users with over some minimum number of users. If your hobby Linux distro picks up a million home users then yeah, you're responsible for making it suitable for purpose for as long as you're distributing it. It's the same with accessibility requirements, safety requirements, labor laws, etc.
If California starts knocking on the door of random distros and hobby OSes designed for power users or servers with 2000 average monthly downloads then I'll go to bat defending them.
Though to re-iterate, I'm pretty sure the requirements here are for asking a user to set an age, not to do age verification, so if you did want to comply it would mean adding a Date field to your setup flow and then wiring that up to applications that ask for it.
This is exactly the sort of infrastructure that would make it super easy to pass a law banning tracking and advertising to minors. Once every platform can trivially detect when they should turn off the ads there's no reasonable counter-argument about privacy or feasibility.
Have we banned advertising tk minors on tv shows aimed at minirs? Are barbie/action hero/etc commercial showing kids having fun with barbies on channels whose primary demo is children no longer a thing?
Technology has never been tge limiting factor. Politicak will is.
How is this good at all for a free society? You are basically making a "what about the children?" argument. its the parent job to protect their children. why should anyone suffer this b.s.?
not to be flippant, i am answering your question with the seriousness it deserves:
it is because any government regulation over user identifiers in an operating system (and left to grow and fester according to political wont) will chill free speech (code, data) and assembly (the ability to share code and data with others unsupervised).
Yeah, the commercial firms invented them all on their own just to keep tracking customers and oversharing whatever data they gather with random third parties while still getting to complain about stupid laws that require them to do so [0].
There is a name for it, feel good policies and cali is not unique.
People who dont understand the problem must pass a solution that makes people feel good. Clean needles, homeless hotels, etc. If they dont make things worse, that is a win.
Democracy rewards mass appeal, and that in turn encourages demagoguery and gives a platform for stupidity. It's been an unavoidable problem with the system since Athens.
Headline is wrong, and you didn't read the article. There is no verification requirement. You are a bad HN poster and should feel bad.
All this does is require the user to select a non-verified age bracket on first boot. You can lie, just like porn sites today. I thought HNers wanted parents to govern their children's use of technology with these kinds of mechanisms.
> There's an obvious theme with lawmakers in California—they pass laws to regulate things they have zero clue about, add them to their achievement page, cheer for themselves, and declare, "There! I've made the world a better place."
There's an obvious theme with HN posters about politics—they make cheap drive-by comments about regulations they have zero clue about, based on articles they haven't actually read, cheer for themselves, and declare, "There! I've shown why I'm smarter than all these politics people."
> All this does is require the user to select a non-verified age bracket on first boot.
This is the age verification requirement which you rudely and incorrectly said doesn't exist. Nothing is done with the data (for now) but age is in fact verified on the assumption that the user doesn't lie.
Instead of lengthy condescending missives about the behavior of other users, you should instead write "I'm sorry for being negative and bringing down the quality of discussion."
If it must be ignored, then it exists. The bill proposes age verification. You may think the measures employed are weak or trivial, and I would agree, but the bill proposes age verification.
You seem to be operating with an unreasonably weak definition of "verification". What this bill is requiring is that app stores or operating systems ask for age information. Verification would mean doing something to verify the accuracy of the information provided, not merely receiving a response to the question. "Age verification" is not a synonym for "having age-based restrictions".
Ah we should be happy about a bad law because it's enforcement mechanism is weak? That's twice-bad: undermines the strength and meaning of Law, and aligns Law with the bad.
When the law and it's execution are undermined and weak, it becomes the cudgel of fickle changing power, i.e. it is applied selectively and it means nothing to people except when they are being beat in the head with it, at which point they only regret having been caught, successfully undermining the social and political fabric of a nation.
Having a bad law with a weak enforcement mechanism isn't quite the thing to be boasting about you seem to think it is.
Eh, sounds kinda reasonable. Ammo already has unique serial numbers embedded in the butt of every cartridge (in some countries, not sure about the US), and guns do leave somewhat unique marks on the bullets upon firing so... sure, why not. Surprised it took that long TBF, the necessary technology has been commercially available since the early 90s, I think?
> 3D printers should have a magical algorithm to recognize all gun parts in their tiny embedded systems
Yeah, this one's seems unnecessary. Is weapon manufacturing without a license a crime? If yes, then whoever 3D-prints a gun can be prosecuted normally.
> Now, you need to verify your age... on your microwave?
Or on your gas stove. A travesty, really: I was taught how to operate a stove when I was in the second grade and never burned any houses down, thank you very much.
The micro stamping law is in no way reasonable because removing the micro stamping from the end of a firing pin is laughably trivial. The only people who won’t do this are people who weren’t going to break the law in the first place.
Even people who didn’t want to break the law might find themselves on the receiving end of law-enforcement if the firing pin wears such that the micro stamping is no longer identifiable.
The micro stamping law does nothing to prevent the flow of guns to people who should not have them, and does everything to prevent the use or purchase of guns by people who can lawfully own them - which is the whole point of a law like this. The people who make these laws are well aware of this.
The age verification law, coupled with the proposed hardware attestation that our good friend Lennart poettering is working on will ensure that anonymity on the Internet is gone. This is precisely what lawmakers are aiming for. And just like the micro stamping law, the intent of the law is not the literal word of the law.
> The micro stamping law is in no way reasonable because removing the micro stamping from the end of a firing pin is laughably trivial. The only people who won’t do this are people who weren’t going to break the law in the first place.
I'm curious, so if (when?) California ends up successfully hunting down some criminals with this, what is your new position going to be? They were going to get caught anyway, or something like that?
It'll never happen. As op said, it's laughably trivial to remove, and thus criminals will remove it.
Legitimate gun users will, at best, use their weapon in self defense, in which case they'll be sitting there waiting when the police arrive, so no need for microstamping.
The "crime of passion" so popular in TV shows are few and far between, and there's usually a huge amount of other evidence.
I'm, again, glad to run linux. The distro I run has no affiliated online "account" at all, and I would expect this exempts it from the requirement.
I'm no democrat, although I'm sure as hell no republican, and as a resident of the state, I'm also a routine critic of the California state government.
I agree that a lot of their activities are indeed, performance art in nature.
However I do agree with the identification requirements on guns and ammo.
You can't shoot someone with a computer, no matter what OS you run.
The idea that lethal weaponry is the same as any other consumer product is just not accurate.
> You can't shoot someone with a computer, no matter what OS you run.
No, you can just target-lock them. The computer database (and now, LLM) is probably the biggest threat to freedom in existence. You can keep your popgun. They'll know where it is, and come with bigger ones.
China be doing some pretty heavy-duty damage with computers, but age-gates won't stop them.
Political office in general attracts the sort of people who like the "performance art" parts of it. It doesn't attract the sorts of people who like "getting things done" because the political process by design moves at a snail's pace, and if you actually solved problems you would remove issues run on in the next campaign.
This doesn't have anything to do with democrats and republicans, considering that this bill passed unanimously through every committee and both chambers.
It's about as easy to restrict the proliferation of firearms and ammunition as it is to restrict the proliferation of open source software. Anyone can make functional firearms out of supplies from any hardware store, this is true regardless of how many laws you pass. Look at the weapon that was used to assassinate Shinzo Abe. That was manufactured and used in a country with gun control laws that basically make California's gun control look indistinguishable from Texas. No number of laws have ever or will ever stop criminals with a rudimentary grasp of basic physics and basic chemistry.
You can't put the genie of firearms back in the bottle any more than Hollywood can put the genie of p2p file sharing back in the bottle. Trying to do so is like trying to unscramble eggs. It doesn't matter how valid your desires or justifications for attempting to so are, it's an act of banging your own head against the cold, hard wall of reality.
It's a logical mistake to say that because an extremely motivated person can still cause harm somehow that implies no regulation or policy can have any positive impact anywhere.
I don't have a stance here on what "the right" policies around gun control are but it is clearly a much wider field than just a preplanned assassination with diy parts.
A non-exhaustive list of a few very different scenarios that are all involved with anything touching or rejecting gun control:
- highly motivated, DIY-in-the-basement assassination plots like you mentioned
- hunting for food
- hunting for fun
- wilderness safety
- organized crime and gang related violence
- mass shootings at things like concerts, sporting events, colleges. Sub point of mass shootings at schools where the law requires children to be.
- gun violence involved with suddenly escalating impromptu violence like road rage and street/bar fights
- systematic intimidation / domestic terrorism of particular groups or areas
- gun related suicides
All of these are very very different. None of them have perfect answers but that doesn't make thinking about it "an act of banging your own head against the cold, hard wall of reality" nor does it make anyone interested in working on some of these problems naive or stupid like you imply.
If you're being earnest or maybe jaded, I'd say dont give up hope and don't let perfect be the enemy of good.
If you're just being a dick then so be it, maybe someone else gets something out of this comment.
> It's a logical mistake to say that because an extremely motivated person can still cause harm somehow that implies no regulation or policy can have any positive impact anywhere
That kind of mistake is common here, but I don't think it is due to a failure of logic. I think it is something deeper.
I've noticed that people who have worked deeply and/or a long time as developers tend to lose the ability to see things as a continuum. They see them as quantized, often as binary.
That's also why there are so many slippery slope arguments made around here that go from even the most mild initial step almost immediately to a dystopian hellscape.
This is prevalent enough that it arguably should be considered an occupational hazard for developers and the resultant damage to non-binary thinking ability considered to be a work related mental disability with treatment for it covered by workers compensation.
A way to protect against developing this condition is to early in your career seriously study something where you have to do a lot of non-binary thinking and there are often aren't any fully right answers.
A good start would be make part of the degree requirement for a bachelor's degree in computer science (and maybe any hard science or engineering) in common law countries a semester of contract law and a semester of torts. Teach these exactly like those same courses are taught in first year law school. Both contracts and torts are full of things that require flexible, non-binary, thinking.
I think they demonstrate a welcome and sophisticated understanding of technology. Their solution to age verification maximizes privacy by not sending any data off the computer besides a simple signal of age category (if I understand the design). They show more sophistication than the parent commment:
> 3D printers should have a magical algorithm to recognize all gun parts in their tiny embedded systems
Color scanners and printers have long had algorithms to recognize currency and prevent its reproduction, implemented with the technology of decades ago. It seems relatively simple to implement gun part recognition today, especially with the recent leap in image recognition capability.
(Rants and takedowns, IME, may entertain fellow believers, but signal a comment that's going to go well beyond any facts.)
3d shape classification is different from matching a set of well-known, mostly fixed patterns (like eurion constellation) necessary to detect currency.
With 3d shapes of non-governmental origin this is at best difficult and at worst intractable. Consider the fact that many parts of a gun can be split into multiple printable pieces to be later assembled, making it very nontrivial to decipher the role of the shape.
With currency, the government has the controls for the supply of the target shape (it can encode hidden signals onto banknotes) and effectively controls the relroduction side (through the pressure on printer manufacturers). But it cannot control the supply of gun-part-shapes (it is not the only source for it), and since the problem is likely intractable - neither can it enforce the control on the 3d printing side.
Paper money being almost non-fungible is a great achievement, but is it as easy to make any mesh nonfungible as well?
It's certainly harder, I agree. We have highly sophisticated, non-deterministic image recognition. We don't have to be perfect to have a significant impact, and to stop the 99.x% of amateurs.
> Paper money being almost non-fungible is a great achievement
Going off on a tangent: Many people in technology and in the public look at cash as backward, boring, even socially embarassing technology. I think few it's amazing technology, an incredible hack: tech we struggle to implement in computers is implemented highly successfully and reliably in a piece of paper.
> It seems relatively simple to implement gun part recognition today, especially with the recent leap in image recognition capability
And it's sits fine with you because you are the one who wouldn't pay the price for this "simple image recognition capability". Except you would pay of course, indirectly but at least you wouldn't know for sure so your conscience would feel at ease.
> cat - 18+, prints the porn you found directly to your terminal.
Sound good in theory, until you realise that any teenager knows perfectly well how to trivially get around the lack of `cat` to read their terminal smut:
$ while read -r LINE; do echo $LINE; done <my_porn_file.sext
I'm not so sure, who knows what woke UEFI and edgy motherboard vendors are putting up as splash screens these days. And the law doesn't even consider those since they aren't part of the OS!
Skimming the actual text of the law[1], I don't see anything particularly objectionable. Basically it requires a toggle when creating/editing a local user account that signals "this user is/is not a child". Applications could then tailor their content for child/not child audiences.
Which isn't to suggest that it's a good law, just not really "age verification".
> good faith effort to comply with this title, taking into consideration available technology and any reasonable technical limitations or outages
could easily be read as meaning "facial recognition technology exists and is available, not using it is a business decision, failure to use it removes the good faith protection".
If the lawmakers didn't intend this, then they didn't need to add all the wiggle words that'll let the courts expand the scope of this law.
My first reaction is that this is an insanely bad law:
* The signal has to be made available to both apps and websites
* So if you dutifully input valid ages for your computer users, now any groomer with a website or an app can find out who's a kid and who isn't. You just put a target on your kid's back.
* A fair share of parents will realize this, and in order to protect their children, will willfully noncomply. So now we'll have a bunch of kids surfing the net with a flag saying they're an adult and it's okay to show them adult content.
* Some apps/websites will end up relying on this signal instead of some real age verification, which means that in places like porn sites where there's a decent argument for blocking access from kids, it'll get harder. Or your kid will get random porn ads on websites or something.
So basically unless this thing is thrown out by the courts, California lawmakers have just increased the number of kids who get groomed and the number of kids who get shown porn.
I'm not sure what the solution is, but to steel man a bit, the alternative is kids have access to all the adult spaces, where they will be groomed. A website/app serving grooming content to a kid is just so incredibly unlikely compared to a kid being groomed as the result of having unrestricted access.
Since I do not see a solution, and you see identifying children as a risk, what do you see as a solution for kids being in the same spaces as adults? Do you see a reasonable implementation to separate them, that doesn't have the "we know which accounts are children" problem? Maybe there's something in between?
Also, I think it's important to understand the life of a modern child, who's in front of a screen 7.5 hours a day on average [1], with that increasingly being social media, half having unrestricted access to the internet [2].
I hate government control/nanny state, but I think 5 year olds watching gore websites, watching other children die for fun, is probably not ok (I saw this at the dentist). People are really stupid, and many parents are really shitty. What do you do? Maybe nothing is the answer?
Instead, websites should voluntarily put content ratings on their own stuff--most would because either they don't intend to harm children, or from societal pressure.
Then, software on the user's computer can filter without revealing any information about the user.
> So if you dutifully input valid ages for your computer users, now any groomer with a website or an app can find out who's a kid and who isn't. You just put a target on your kid's back.
I'm not going to say that's impossible but the number of sites that do the right thing and reduce risk are going to vastly outnumber that. And 90% of those kids already have targets on their backs by virtue of the sites they visit.
Ignoring all the tedious 'no, you're a bad person for having different priorities and beliefs to me' comments that this will inevitably inspire, I have to ask: why does the operating system need to be involved in this? The intended target of the regulation seems to be app stores.
I think the answer is quite simply: Follow the money. General-purpose computing is scary to big, soulless corporations. They want you to rely on them, not to be able to do stuff yourself. (They want to keep that power for themselves.)
Age verification is the quickest road to ending general-purpose computing, because it plays on people's knee-jerk emotions. It won't do it by itself, but it'll goes a long way towards it.
> why does the operating system need to be involved in this?
The goal in my mind is to have an account a parent can setup for their child. This account is set up by an account with more permissions access. Then the app store depends on that OS level feature to tell what apps are can be offered to the account.
Let say the the age questions happen when you install the app store. That means if you can install the app store while logged in as the child account the child can answer whatever they want and get access to apps out side of their age range. The law could require the app to be installable and configurable from a different account then given access or installed on the child account, however at a glance that seem a larger hurdle than an os/account level parental control features.
The headline calls this age verification, but the quote in the article "(2) Provide a developer who...years of age." Make it sound way different and much more reasonable than what discord is doing.
I would much rather have OSs be mandated with parental control features than what discord is currently doing. I am going to read the bill later but here is how discord age verification could work under this law.
During account creation discord access a browser level api and verifies it server side. discord no knows if the OS account is label as for someone under 13 years, over 13 and under 16, over 16 and under 18, or over 18. Then sets their discord account with the appropriate access.
No face scan, no third party, and no government ID required.
> The goal in my mind is to have an account a parent can setup for their child. This account is set up by an account with more permissions access. Then the app store depends on that OS level feature to tell what apps are can be offered to the account.
That sounds like an OS feature that parents would like to have. Probably has some market value. Maybe just let the market figure that one out.
Or, we could have an overbroad law passed that torpedoes every open-source OS in existence. If I were MS, Google, or Apple, that'd be a great side benefit of this law. Heck, they probably already have this functionality in place.
The problem here is legally-mandated age verification, not where it is placed (although forcing it into all OSes is absolutely ...). The gains are minimal for children and the losses are gigantic for children and adults. I'm not keen to have children avoid blisters by cutting off their feet.
Put control back with the parents. Let them buy tech that restricts their children's access. This law doesn't protect children from the mountains of damaging content online.
And let all the adults run Linux if they want to without requiring Torvalds to put some kind of age question in the kernel and needing `ls` to check it every single run.
> That sounds like an OS feature that parents would like to have. Probably has some market value. Maybe just let the market figure that one out.
If there was a competitive market for OSs this probably would work, but we do not really have that. Getting the market to be competitive likely either takes considerable time, or other forms of government intervention. If there really was a competitive market then this would have been a solved problem ~15-20 years ago since parents have been complaining about this for ~25-30 years at this point.
> Or, we could have an overbroad law passed that torpedoes every open-source OS in existence. If I were MS, Google, or Apple, that'd be a great side benefit of this law. Heck, they probably already have this functionality in place.
I do not think the law does that. Either a additional feature making age/birth date entry and age bracket query available, or indicated the os is not intended for use in California, both seem to let developers continue along like normal. edit Or, I think, indicate that it is not for use by children.
> The problem here is legally-mandated age verification, not where it is placed (although forcing it into all OSes is absolutely ...). The gains are minimal for children and the losses are gigantic for children and adults. I'm not keen to have children avoid blisters by cutting off their feet.
In this case the mandate is entering an age/birth date at account creation where you can lie about said age/birth date. The benefit is the ability of an adult to set up parental controls for a child account.
> Put control back with the parents. Let them buy tech that restricts their children's access. This law doesn't protect children from the mountains of damaging content online.
This puts control in the parents hands. When they set up their child's account they can put in their child's age, or not, they can make it an adult account.
> And let all the adults run Linux if they want to without requiring Torvalds to put some kind of age question in the kernel and needing `ls` to check it every single run.
So from the literal reading of the law the age checks are only required when "a child that is the primary user of the device". It does not need to effect accounts where the primary user is not a child. Nor does it seem like any application needs to run the check every time the application is launched.
The law unfortunately does require:
> (b) (1) A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.
So in the case where a child is the primary account/device user. The app needs to request the signal at least once when first launched, though it is not required to do anything with it. Delegating that to the package manager would make sense, but this part of the law should be modified, apps that can not use the signal for anything should not be required to request it, 'ls' for example.
I agree. The headline says "all operating systems, including Linux, need to have some form of age verification at account setup", which is pretty inaccurate.
It's just asking for some OS feature to report age. There's no verification during account setup. The app store or whatever will be doing verification by asking the OS. Still dumb to write this into law, but maybe not a bad way to handle the whole age verification panic we're going through.
Because it's the lowest common denominator between the user and every online interaction. The bill basically says provide a date-of-birth as metadata to accounts and provide an API to query the age bracket, not even the age, of the user to applications. It's a privacy-aware, mostly reasonable approach that shifts responsibility to the owner/administrator of a device to enforce it. It's basically just mandating parental controls.
I'm trying to understand how this is even a bad thing. Where is the privacy invading verification? Surely a given OS can implement the API response however it wants? If you're root, tell me your age. If you're not, (a child account), the admin (their parent) sets the age. Seems fine?
Well the problem is, there is no consensus standard. The onus is on every individual vendor to figure out how to comply. And it's so poorly written that there is no clear path to compliance. Even attempting to comply is burdensome and subjects you to a lot of legal risk. Only the largest vendors can afford to take on this risk. For others, the only winning move is not to play. Classic regulatory capture.
Even ignoring everything else, at a minimum it is backwards.
There is no reason to tell the application, and by extension their developers, how old the user is. The application should tell the user what bracket it is appropriate for and then the operating system could filter appropriately without any of the user’s identifying information leaving their system.
This is also technically superior because it moves the logic for filtering out of being custom implemented by each and every single application to a central common user-controlled location; you do not have to rely on every application developer doing it right simultaneously.
It's a lot easier to add an API that's opt-in for an application that needs it. What's the appropriate way an OS should handle an application that doesn't declare this new property? Fail open? Fail closed? It would quickly turn into a mess. IMO it's better to do it this way because the applications that need it (browsers, chat clients, etc.) will use it to provide legal shielding. This isn't a technical problem they're trying to solve, it's a legal liability one. I generally like this approach, but I think there's no reason to mandate that an application use the API, just mandate that if they do they are considered to have real knowledge of the age range of the user in question. If you provide the API, the incentive to use it is already there for the applications it's needed for the most.
Or just do what reasonable states do and create liability for distributing child inappropriate things to children, and require distributors to use a commercially reasonable way to validate age. The law doesn't need to say specifically how to do it, and it certainly doesn't need to mandate things on unrelated third parties like OS vendors and device manufacturers. The people who want to distribute adult content can work with OS vendors to develop acceptable liability shields for themselves.
So a application that wants to filter will categorize their services privately and then write custom filtering logic, but will not just categorize their services publicly? That is nonsense.
And your point about fail open versus closed also makes no sense since if there are zero repercussions to not writing filtering logic then nobody would even bother. If there is liability, then obviously everybody will fail closed and every application developer needs to evaluate and change their application to only allow acceptable usage. This is much harder if they have to write custom filtering logic instead of just publishing their data categorization.
Y'all are like Dilbert with the shock collar on, "It's not so bad." It's requiring all operating systems, apps, and online services to add age checks. It adds friction to the process of developing stuff. If there's something you do not want to do especially in California of all Goddamn places (swear to God, Wozniak would be spinning in his grave if he had one) it's add friction to the software development process with government-mandated code paths. But what do I know. This is a site actually called Hackernews, where the answer to all large-scale social problems is "that's why we need more government regulation".
Companies like OpenAI are advocating for this because it shifts the burden of responsibility off them. They don’t have to age verifying Microsoft is handling that for them.
As a startup owner, if there has to be age verification, then I'm all for doing that at the OS level. As a human with privacy concerns, I'll continue using Linux.
I think doing this on an OS level might be the most privacy focused way to do this but the issue is that this is not going to be the way this is implemented.
Like, I’m not American and in Germany we have ID cards that actually have your age encoded on an NFC chip in the card and an ID number that encodes the age. Like, age is part of the ID number and checksum.
You could totally do all of this age verification offline on device and just expose an API that offers the age of the user to applications. You’d never need to talk to the internet for this, the API just says if you are a minor or adult, the browser can pass that to websites who don’t need to collect personal data and everything is fine.
But that’s not going to happen. It’s gonna be some AI facial recognition kinda garbage that is gonna send your face in every angle to Apple or Microsoft or another third party.
As is common these days they are going to try really hard to absolve you as the user of any responsibility for the sake of protecting kids so they can’t let this be a simple offline thing where your personal information never ever have to leave the device because what if kids find a way around it? Well the obvious answer is don’t let your kids just use a computer without supervision but if people would do that we’d not be in need of this garbage anyway.
I know, but it's just weird that there are people who have such strong conviction that they would risk their reputation, livelihood, or lives for it. Then there are people like above who, even though they know it is a huge privacy violation, they are willing to back it because it would make their business a little more profitable. Just boggles the mind.
Where the hell did I ever say I backed any of it? You are making up shit in your head that simply is not there. Maybe you need a reality check, or go back to reddit.
What I did say was:
>if there has to be age verification
That is far, far different than saying I want that shit. I do not make the laws, and I wouldn't vote for it either, so please, get your head out of your ass.
I don't know, but arguably the OS version is better for privacy, as each app can just trust the signal sent by the OS instead of collecting a bunch of personal/biometric data.
until they decide that the OS now needs to collect a bunch of personal/biometric data to avoid people lying about their age or tricking the OS into sending a different signal than the OS should.
> until they decide that the OS now needs to collect...
It doesn't. The device (not the "OS") is registered with government authorities. The device is associated with a single human for the purposes of age verification. And it's a one time action at the time of association.
> why does the operating system need to be involved in this?
Well, the politicians probably meant to say “Apple, Google, Microsoft, plus maybe Sony and Nintendo”
i.e. the companies that already have biometrics, nigh-mandatory user accounts, app stores linked to real identities, parental controls, locked down attested kernels, and so on.
If phones had workable parental controls that let parents opt their kid into censorship, that’s better than the give-your-passport-to-the-porn-site approach the UK have taken.
Of course if they have applied it to every OS, not just the big corporate-controlled options, that’s a dumb choice.
The law defines an operating system provider as "a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general computing device." If the intent were to target mobile vendors or app store vendors, I would be fine with it, but that's not the text. Of course it's the case that US lawmakers often write incoherent or extremely onerous legislation and then turn around and say, like, "Oh that's obviously not what we actually meant. We don't know what any of this stuff is, it just sounded good."
Because that's the first layer that deals with user accounts, and subsequent layers commonly base off of identity information stored in there. Just like how and why every other shared interface exists.
The operating system needs to be involved because its the easiest set of actors to penalize for non-compliance.
There are essentially two desktop operating systems, Windows and macOS. Linux is a decimal point and too fractured to worry about.
There are essentially two mobile operating systems, Android and iOS. And while Android is fractured, Google still has reasonable control they can exert.
This is (weirdly) the smart way to do this type of law.
Make the consumer OS providers add an age signal. That property can be bound to an account with the inability to change it.
Behold, "universal enough" parental controls which will require only a handful of lawsuits to litigate.
> [..] requires an account holder to _indicate_ [..]
i.e. this doesn't require age verification at all
just a user profile age property
> [..] interface that identifies, at a minimum, which of the following _categories_ pertains to the user [..]
so you have to give apps and similar a 13+,16+,18+,21+ hint (for US)
if combined with parent controls and reasonably implemented this can archive pretty much anything you need "causal" age verification for
- without any identification of the person, its just an age setting and parent controls do allow parents to make sure it's correct
- without face scans or similar AI
- without device attestation/non open operating systems/hardware
like any such things, it should have some added constraints (e.g. "for products sold with preinstalled operating system", "personal OS only" etc.)
but this gets surprisingly close to allowing "good enough privacy respecting" age verification
the main risk I see is that
- I might have missed some bad parts parts
- companies like MS, Google, Apple have interest in pushing malicious "industry" standards which are over-enginered, involve stuff like device attestation and IRL-persona identification to create an artificial moat/lock out of any "open/cost free" OS competition (i.e. Linux Desktop, people installing their own OS etc.).
---
"causal" age verification == for games, porn etc. not for opening a bank account, taking a loan etc. But all of that need full IRL person identification anyway so we can ignore it's use case for any child protection age verification law
----
it's still not perfect, by asking every day daily used software can find the birthdate. But vendors could take additional steps to reduce this risk in various ways, through never perfect. But nothing is perfekt.
---
Enforcement is also easy:
Any company _selling_ in California has to comply, any other case is a niche product and for now doesn't matter anyway in the large picture.
> i.e. this doesn't require age verification at all, just a user profile age property
This is usually how they do it though. First make a dumb law with poor enforcement. People don't push back about it because it obviously won't be enforced. Wait a bit, then say "people are flagrantly violating this law, we need better enforcement". At that point it's a lot harder to say "it shouldn't be a law at all!" because nobody complained when it was brought into law.
Isn’t it more of a reflection of the current law? Age gates have long been self service (e.g., “enter your birthday”), and we have laws on the books for quite some time barring minors.
There is certainly a risk of what you’re describing with KYC tech that coming online, but I don’t know if that means it will happen.
To play devils advocate; It’s a reasonable demand from parents to control what their children are exposed to. This seems to support that.
Uh, your slippery slope argument ignores the part where websites, discord, british things, etc are literally already trying to require facial pictures, license scans, even videos of your body.
It's not privacy-respecting at all to create some side channel between your browser and OS to transmit some information about a "user profile." If this were about browser vendors it might make sense but they're targeting operating systems (presumably for the malicious vendor lock-in type of reasons you cite? idk, it's strange). I would like someone to explain how this would even be implemented securely. It's certainly non-trivial.
I've taken trips to California in the past for both personal and professional reasons. I'm seriously reconsidering whether I'll do that again in the future.
What happens if I bring a laptop with an "illegal" OS without this unwanted "feature" into the state? Will I be denied access to public wifi in hotels and restaurants? Or will it grant me access, but snitch on me -- make a call to the state police to come deal with someone with an illegal laptop? Will I be forced to install a different OS while a police officer watches? Will my laptop be confiscated and destroyed as contraband? Will I be thrown in a California prison?
> 1798.503. (a) A person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) per affected child for each negligent violation or not more than seven thousand five hundred dollars ($7,500) per affected child for each intentional violation, which shall be assessed and recovered only in a civil action brought in the name of the people of the State of California by the Attorney General.
And there are several other provisions that further narrow the circumstances under which this law could be enforced.
If your personal computer is not being used by a child, and you're not distributing software to children or devices used by children, then there are no circumstances under which your actions could violate this law.
Sounds to me that this is how kids learn to spin their own operating systems (a la LFS, Gentoo)and apps.
This is how people bought personal computers when the mainframe priesthood banned them.
It appears that very soon, young people will "de facto" need to have this level of competence in order to survive and thrive in a world of "in loco parentis" operating systems and apps.
The latin reveals my age, but one thing about my age:
People my age did exactly that. We built our own hardware when there was none. We compiled (or copied) operating systems and apps. A couple of my friends wrote an operating system and a C compiler.
"My generation" created this entire internet thingy, installed and web-based apps.
Indeed, dumb-asses are going to level up young people.
Meanwhile, all available hardware will only allow attested operating systems that conform to regulations. All hardware that does not conform will be illegal.
Before they do this, it will be easy to lock the internet to only allow attested operating systems online.
I'm sure Xers and millennials are totally going to be okay with a visit from the school cop when their little one is caught with an illegal operating system and looking at charges that could ruin their college and job prospects.
The cheap money will run out long before then, the cop will leave, the school abandoned. There will be forever protests and skirmishes on the long march through collapse.
As noted at the end of the article, I suspect the impact for many OS's is going to be that they add a line in the fine print somewhere saying not for use in California.
You're assuming they don't want this just as much as the government. Still feel fine about self-installed Linux, but every OS and device we don't have control over, even ones powered by Linux, will be very happy to include it, assuming it's not too difficult to add.
Alcohol is harmful, and you want to prevent minors from obtaining it without parental supervision. Do you pass a law requiring every car to log the age of every occupant in case the driver drives to an establishment that sells alcohol? No, that's stupid. You require the person providing the alcohol to check age only when they are about to hand over the alcohol. Until someone actually attempt to access alcohol, they should not be asked their age.
Now exchange "car" for "OS" and "alcohol" for "age-sensitive content"
Letting someone look at a date on an ID to 2 seconds is a lot lower stakes than handing over a scan of your license, face, and who knows what else, to hundreds of companies that will do god knows what with it.
To your point, a user shouldn’t be forced to put in age details just to use an OS. That said, if an OS can send a simple Boolean to an app/site if the user is over 18 or not, I’m guessing more people would rather opt into that system vs handing over extensive details to each and every vendor who asks.
As a person in my 40s, with no kids in my house, I find all of this absurd. Let parents install some nanny software if they want, don’t force it on everyone and use “protecting children” as the scapegoat.
I think mistercheph is right to be concerned. This bill applies to all "operating system providers", defined thusly:
(g) “Operating system provider” means a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device.
Regarding penalities:
1798.503. (a) A person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) per affected child for each negligent violation or not more than seven thousand five hundred dollars ($7,500) per affected child for each intentional violation, which shall be assessed and recovered only in a civil action brought in the name of the people of the State of California by the Attorney General.
>This bill applies to all "operating system providers", ...
Not really.
>...for the purpose of providing a signal regarding the user’s age bracket to applications available in a covered application store.
So the OS has to provide an age signal to apps from a "covered application store" defined as:
e) (1) “Covered application store” means a publicly available internet website, software application, online service, or platform that distributes and facilitates the download of applications from third-party developers to users of a computer, a mobile device, or any other general purpose computing that can access a covered application store or can download an application.
(2) “Covered application store” does not mean an online service or platform that distributes extensions, plug-ins, add-ons, or other software applications that run exclusively within a separate host application.
Wouldn’t that classification apply to Linux package managers as well?
They are publicly available online services that distribute and facilitate the download of applications from third party developers to users of a general purpose computing device.
Stallman has always been right. It's mind boggling just how right he was about everything.
The narratives are changing. All these locks and controls used to be about curbing copyright infringement. Now that AI has more or less rendered copyright irrelevant it's turned into a straight up attempt to control the population. They're barely even making excuses anymore.
> Stallman has always been right. It's mind boggling just how right he was about everything.
Mind boggling right about not allowing GCC to be used as a library, his comments on Jeffrey Esptein, a refusal to in any way compromise (e.g. the GNU/Linux meme), etc...
Oh and a recognition that free software, while nice, does not in any way solve the underlying issues he claims it does. Similarly to how letting everyone walk around their local water treatment facility and perform chemical tests doesn't really work and instead the state regulates and hires experts to monitor the water supply...
Nothing wrong with that move from a strategic point of view. The objective was to leverage GCC and make others play ball. People who wanted GCC should have been forced to do things the free software way.
Only problem with this is it turned out GCC didn't provide enough leverage. Replacing GCC wasn't difficult enough. People implemented LLVM instead and the rest is history.
Compare that to Linux which literally leaves companies behind in the dust when they refuse to merge. No kernel ABI stability: if out-of-tree stuff gets broken it's not their problem. Companies have a choice: play ball or pay the maintenance costs required to keep up with the biggest free software project ever. That's how it should be.
> his comments on Jeffrey Esptein
By "everything" I of course meant his ideas on computer freedom which is the context of this thread. I don't know or care about his opinions on Epstein.
> a refusal to in any way compromise
As he should. If anything he's not extreme enough. Compromise is the root of many evils.
> a recognition that free software, while nice, does not in any way solve the underlying issues he claims it does
Do you disagree with his description of Epstein as a serial rapist? Do you disagree with Stallman's position that Epstein should be described according to the specific crimes he committed: rape instead of using much more vague terms that also encompass much less severe crimes which Epstein himself used to downplay and obscure the actual crimes he committed?
> (g) This title does not impose liability on an operating system provider, a covered application store, or a developer that arises from the use of a device or application by a person who is not the user to whom a signal pertains.
So, this makes desktop Linux illegal, but all the software-as-a-service like Microsoft Azure and OpenAI get off scott-free?
Free computers are too subversive. If left unchecked, they can wipe out entire sectors of the economy, and with cryptography they can defeat police, judges, spies, militaries.
The sentence you quoted says that folks who are required to comply with the law are not also required to ensure that the person currently using the device or application is the same one who entered their age or birth date into the OS's "how old are you?" database. [0]
It is true that this law is as bad as the recent Oklahoma one for small, non-corporate Linux distros... but that sentence you quoted has nothing to do with that problem.
[0] If we were speaking in person, I'd love to have you walk me through that sentence and explain to me, piece by piece, how you came to the conclusion that you did. Doing it remotely like this would be too tedious.
It's also completely pointless because users routinely use shared accounts. It was thus on the WinXP machine at home, and still is today on iPads and android tablets. Yes, Apple has made it dysfunctional so that rich people will get one iPad per person, but many children use games and social media apps via their parents accounts. Who is going to set up an AppleID for their 8 year old? (Well I did, but normal people?)
The people who wrote this law work for Microsoft and think people have individual laptops and phones with a cellular plan. They care nothing for user privacy, in fact they want persistent digital identifies for advertising.
How wouldn't this also apply to things like useradd(8) or simply automated user account setup, e.g. like cups, sshd, etc? Do we need to add this to vi for use in vipw on UNIX?
Worse. Google has to add this to all the machines in their data centers? Imagine the expansion of DevOps BS this will enable:
Vendors will need support stuff like "account holder is 12msec old, and can access adult content". They can even create a special certification for it.
useradd has the Other category at setup. Could you argue that anything which allows arbitrary text information to be input into a user account that could be passed on to other applications technically fulfills the requirement, as the user could indicate age on the account?
Little bit picking at straws but I sure would love to find some way to punt this law. Medtronic has an insulin delivery solution which involves the distribution of a custom Android phone with a closed source app. Other fields in medicine do this as well as a matter of course, so that they can guarantee clinical operation on that particular device (rather than risk app operation on Android device fragmentation) and get OK’d by the FDA. The FDA testing process can take upwards of 4 years, and is usually cleared for -specific- operating system versions (which, by the end of testing, can be very old).
I wonder: since that operating system needs to attest and (vaguely) eventually report an age and other identifiers to a government API and app developers, will that report violate HIPAA?
It's not clear that this applies where the "operating system provider" does not have "accounts". Linux should be OK, but "Ubuntu One" might have problems.
It's a good reason not to put cloud dependencies into things.
this is why I am building a communications software that has no concept of accounts, devices can connect and keys are generated on device and blind to relaying/directing server/network. people can only connect directly with other people/devices. there is no concept of lists of people/devices to connect to, you need to know someone/have access to the device to connect.
no accounts to compromise. no passwords to remember. end point devices control their connectivity. no vpn needed to connect, no intermediary to see all traffic and peer traffic is specifically what is needed/allowed/requested, not a wide open network connection/accounts to be compromised
The bill doesn't define "accounts", so it's entirely possible local users that a human signs into would count.
The saving grace is that obviously they have no idea what a Linux distribution is, and only the Attorney General can bring action, so there isn't much risk of the AG suing Debian.
The argument is that they are selling a product they know is "spoiled", but the analogy breaks down and actually becomes more like you allow your children to smoke cigarettes or dink alcohol regularly. They often knew they were lying and saying they were over 13 to access services, but hey, your kid can't be the only not one smoking cigarettes or drinking, right?
The way people ask for things like this is "Young people shouldn't be allowed to do X" and "Websites shouldn't be allowed to collect user data to determine if the people are underage" and so on. The intersection of all the things that "tax paying citizens" want is usually something patently absurd.
I think it's one peg below intel agencies. It's the local gov agencies that want that power. The 3 letter peeps can already tell who writes what, both at scale and targeted.
Interesting theory considering that this California approach does not de-anonymize you, and the approach Germany is working on, as part of an EU wide effort, also does not de-anonymize you.
Certain politicians that are concerned about "the young people are being radicalized online" about certain topics, uncomfortable to said politicians (left / right dialectic doesn't matter, especially not in America). They know that their monopoly over brainwashing children in public schools matters a lot. So, their solution is to shut off any access to any site where you can discuss topics anonymously by forcing more and more regulation to shut down said sites.
Yes, yes, free speech and everything, you just have to first give the OS your phone number, credit card number, drink a verification can and please also... you do want to still keep your job, right?
As others have pointed out, this is just a foot in the door. There's also a part of the law this article doesn't cover that requires EVERY application to query this information on every launch, regardless of whether or not the application has any age related limitations.
So it looks like the law only requires it on first launch. Which makes sense if the application can only be run from that one account. Apps that can be launched from multiple accounts are not singled out in the law, but the spirt of the law would have you checking what account is launching the app and are they in the correct age range.
That's not a guarantee. It's up to how the courts interpret that and. Given that this law is meant to handle a moving target like age, I fully expect them to interpret it as its disjunctive form.
I was just at some .gov site from another HN post. It asked are you Over 18, I clicked No out of curiosity. Showed Access Denied, but the buttons stayed. I clicked Yes, and got in. I don't attribute to stupidity that which is clear malice. They'd don't actually give a flying fuck about what "kids" can get to, they only care about controlling everyone, of every age, as much as they possibly can.
I agree, I don’t like it as much as you do. I’m just saying nothing short of a mandated TPM will actually enforce this. I think they know that.
I think this is mostly for show to stay relevant wrt. What is happening in the courts. This is the Same play as it always been for registration “are you over the age of 13?”
Which begs the question if Microsoft's stubborn insistence on TPM 2.0 for Windows 11 to operate was something planned out in advance of this law being proposed.
I know this sounds absurd. But let me try not to be cynical and explain how we got here, according to what I understand:
First, let's admit the push for age verification laws isn't a partisan or ideological thing. It's a global trend. This California law has bipartisan sponsorship and only major org opponent is the evil G [1]. While age verification is unpopular in tech community, I imagine a lot of average adult voters agree that limiting children's access to wilder parts of the Internet is a good thing.
On this premise, the discussion is then who should be responsible for age verification. The traditional model is to require app developers / website owners to gatekeep -- like the Texas and Ohio laws that require PornHub to verify users' IDs. But such model put too much burden on small developers, and it's a privacy nightmare to have to share your PII with random apps.
This is why we see this new model. States start to believe it seems more viable to dump the responsibility on big tech / platforms. A newer Texas law is adopt this model (on top the traditional model) to require app stores to verify user age (but was recently blocked by court) [2]. And this California law pretty much also takes this model -- the OS (thinking as iOS / Android / Windows with app store) shall obtain the user age and provide "a signal regarding the users age bracket to applications available in a covered application store".
While many people here are concerning open-source OSes, and the language do cover all OSes -- my intuition is no lawmaker had ever think about them and they were not the target.
this looks like law created for age or identity verification providers (persona etc). No one would build it from scratch. It will be passed to these providers.
> apply the privacy and data protections afforded to children to all consumers and prohibits an online service, product, or feature from, among other things, using dark patterns to lead or encourage children to provide personal information beyond what is reasonably expected to provide that online service, product, or feature or to forego privacy protections
My question, is if "the children" are worth protecting, why not adults? I would like to opt into not having to deal with dark patterns. Why not a age independent system, which a user can opt into and which "children" are automatically optd into.
10/13/25 Chaptered by Secretary of State - Chapter 675, Statutes of 2025.
10/13/25 Approved by the Governor.
09/24/25 Enrolled and presented to the Governor at 3 p.m.
Hmm i think at te moment its only Linux that has by default local only accounts except if being used in some sort of SSO environment .
Microsoft has been pushing aggressively to deprecate the local and funnel everyone to Microsoft online accounts , while Android and macOS/iOS are already in such a state by default.
Coupled with the same accounts being used for online login, looks like a feature creep panopticon in the making. With Linux lucking out be default.
Who is actively lobbying against the “war on root access”? Which are the NGOs/PACs/non-profits with the best track record of getting results here? FSF and EFF come to mind, but I can’t think of others and don’t know of track records for any of them.
I couldn't have said it better myself. My loved ones don't share my opinion, which makes me wonder if I'm sane or if they're not exercising their freedom.
It’s a shit law, but it’s publisher- and distributor-targeted, so the overly-dramatic armchair-rebels in the forum can calm themselves; nobody’s coming after the person with a Linux machine bc it’s not compliant. Because it’s a state law, Cali will have geo-fenced app stores and this’ll just accelerate the breakout from manufacturer-maintained app stores. Websites that host downloads will just have a user attestation that they’re not Californians and be hosted abroad. There’s also no verification method; it’s literally just a requirement that account creation asks for an age - something websites do all the time and is not remotely burdensome, just ask all the ones convinced my DoB is a year and 4 months after my actual.
Isn't it possible to jam and deny with any remote auth dependency?
Recently after we spent hours getting a Chromebook set up after a "Power Wash" due to remote auth failure, it wanted the old password and there was no option but to wipe the device.
They held our homedir hostage with required remote auth.
We were not able to log into our computer and lost all of our data because of remote auth.
Secure critical systems must not have a centralized remote auth dependency that can be denied.
I'm under the impression anyone doing nefarious things online are probably more-than tech savvy enough to not install an OS that rats them out...right?
Isnt that literally one of the first rules of the DNM Bible?
Will kids raised on it not know anything different? Seems a path to reduce computer literacy. Then again, being blocked from doing something I wanted is what lead me to find ways around said block. But I already had unrestricted access to the system to bend it to my will. Seems like these kinds of systems won’t allow for the user to learn how to works at all. It’s a mystery box.
One thing that's happening is that attestation is being plumbed into the web itself. CloudFlare and Apple have a collab where Safari will inject tokens that let CF know that the request is coming from a blessed device. In a world where all websites are being crushed by bot traffic, expect that Goog pushes on their own integrity initiative in Chrome in the next year or two.
It's not stated here, but is it implied that app platforms that, themselves, have an "app store", would be required to read this datum and pass it to their app store?
For example, I've got a map application on my phone that lets me download maps, widgets, POI lists, etc. from their app store. It seems like enabling that age signal through this exchange is exactly what the politicians are looking for.
A new California law says all operating systems, including Linux, need to have some form of age verification at account setup
Curious how they plan to do this. Maybe digital rights management tied to TPM. If so it will take 3 ... 2 ... 1 .... cracked ... spoofed. DVD's were cracked with Perl. Curious what language this will be cracked in.
Will this only apply to an OS with human user accounts? I wonder how autonomous agents that are operating systems running on bare hardware are defined under this strange law. Not all OS are for humans. Consider many uni-kernel applications.
clearly there's something I don't understand (or is the law just really this stupid?) - but what would this even look like for linux? every user account requires an associated age?
but users don't have a 1:1 mapping to the people that log into them. linux users that aren't used by any particular person, but by a particular _service_ are common. so are linux users that could be logged into by any number of people, and which have no specific single owner.
There’s a concerted global effort to push this legislation. It’s also been proposed in Colorado and, some version of it’s been passed in the UK and Australia.
Headline is wrong. There is no verification requirement.
All this does is require the user to select a non-verified age bracket on first boot. You can lie, just like porn sites today. I thought HNers wanted parents to govern their children's use of technology with these kinds of mechanisms.
In the US maybe, but where I am you can't fap in peace without using a VPN or have some kind of age verification. Some of them being baroque. Example:
"We analyze your email’s digital footprint (history and reputation) against trusted databases. This is often enough to confirm that you're of legal age."
It seems to come down to whether you expect the next law to be taking the enforcement mechanism away from the parent. If the law was, "major operating systems must ship parental controls that actually work" I doubt you would see much pushback. Parental controls is an oft cited reason to give your kids Apple devices. Expanding that everywhere would be great. But I don't want to have to present my government ID to use my own computer.
This thing is so broadly-written, the only thing saving you from needing to give you age to your toaster is that it's not a "general-purpose" computing device. Never mind that it can run DOOM...
I figured California would have been against the age verification on the adult sites like Texas and some other states are doing but then they go and 1UP them and decide to require age verification on the whole OS
Feel free to call me paranoid for seeing patterns where there are none but this to me looks like just one phase of a preparation for a very large event entirely unrelated to every age verification reason given thus far. I won't guess any further. "I'm a good boy."
Bill text (it’s longer, but the rest is mostly definitions of the terms used here):
1798.501. (a) An operating system provider shall do all of the following:
(1) Provide an accessible interface at account setup that requires an account holder to indicate the birth date, age, or both, of the user of that device for the purpose of providing a signal regarding the user’s age bracket to applications available in a covered application store.
(2) Provide a developer who has requested a signal with respect to a particular user with a digital signal via a reasonably consistent real-time application programming interface that identifies, at a minimum, which of the following categories pertains to the user:
(A) Under 13 years of age.
(B) At least 13 years of age and under 16 years of age.
(C) At least 16 years of age and under 18 years of age.
(D) At least 18 years of age.
(3) Send only the minimum amount of information necessary to comply with this title and shall not share the digital signal information with a third party for a purpose not required by this title.
(b) (1) A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.
(2) (A) A developer that receives a signal pursuant to this title shall be deemed to have actual knowledge of the age range of the user to whom that signal pertains across all platforms of the application and points of access of the application even if the developer willfully disregards the signal.
(B) A developer shall not willfully disregard internal clear and convincing information otherwise available to the developer that indicates that a user’s age is different than the age bracket data indicated by a signal provided by an operating system provider or a covered application store.
(3) (A) Except as provided in subparagraph (B), a developer shall treat a signal received pursuant to this title as the primary indicator of a user’s age range for purposes of determining the user’s age.
(B) If a developer has internal clear and convincing information that a user’s age is different than the age indicated by a signal received pursuant to this title, the developer shall use that information as the primary indicator of the user’s age.
(4) A developer that receives a signal pursuant to this title shall use that signal to comply with applicable law but shall not do either of the following:
(A) Request more information from an operating system provider or a covered application store than the minimum amount of information necessary to comply with this title.
(B) Share the signal with a third party for a purpose not required by this title.
The definitions of the terms are completely bananas
The language is so broad it seems to cover all software that exists and is accessible via the internet, and every install of an operating system on any kind of machine
> (c) “Application” means a software application that may be run or directed by a user on a computer, a mobile device, or any other general purpose computing device that can access a covered application store or download an application.
> “Covered application store” means a publicly available internet website, software application, online service, or platform that distributes and facilitates the download of applications from third-party developers to users of a computer, a mobile device, or any other general purpose computing that can access a covered application store or can download an application.
> “Operating system provider” means a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device.
So any piece of software you can download from the internet will be required to check this "signal" made available by the os?
> “Covered application store” means a publicly available internet website,
Client side JavaScript can be considered an application, and then ad business would need to first verify that I am over 18 in order to allow me to see their ads.
A majority of the news articles that won't load when using NoScript give an error message to the effect of "this application requires JavaScript". It would be nice to see all the unjustified overuse of heavy JS application frameworks for what could have been simple web pages lead to some significant negative consequences.
This law means that your operating system has to collect your age and make it avilable to every website/application so ad businesses can just get that data from our OS automatically and go right on serving ads without having to verify anything themselves.
So my Garmin watch, my Home Assistant OS, maybe even my Shelly devices?
I want to know who is behind these laws like this one and the 3D printer gun verification, that seem to pop up across state legislatures all at the same time.
Which seems like a silly accidental overreach of the law. If that is the way it applies.
The literal reading of the law says this only required when a child is the primary user of the device.
> (b) (1) A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.
but 'user' here is:
> (i) “User” means a child that is the primary user of the device.
So these rules should only apply to accounts/devices where a child is the primary user.
Grep on an adult's machine would not need to check how old you are, at least with a literal reading of the law.
I do not think the law provides guidance here. The signal is only required when children are the primary device/account users. So one model would be any initial account set up is automatically considered the 'account holder' and not a child account. Then it would be prerogative of the 'account holder' to set up child accounts or not. That seems to fit into the spirt and literal parts of the law.
So grep/ls/etc are all installed as part of that 'account holder' and do not need to do any age verification.
The signal only needs to be checked when the device/account user is a child and when downloading apps. I think an unfortunate consequence here is that the literal definition of the law says package managers probably can not run on children accounts without jumping through a bunch of hoops. Which is bad for children learning code/computers/etc.
The first thing I would change about this law would be:
> (b) (1) A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.
Any application that does not need to know a users age should not be required request the 'signal'
The whole point of the bill is to create a cause of action for the Attorney General to sue companies. In the bill, they say the damages are up to $2,500 per negligently affected child ($7,500 if intentional), so it doesn't matter how many non-children it affects. E.g. if the OS/appstore/accounts/application is in the context of a workplace that only employs adults, none of this matters.
How does that apply to windows server with active directory for a school ?
Does that mean that the admin will have to manage dob of every student when creating accounts ?
> A developer shall not willfully disregard internal clear and convincing information otherwise available to the developer that indicates that a user’s age is different than the age bracket data indicated by a signal provided by an operating system provider or a covered application store.
>If a developer has internal clear and convincing information that a user’s age is different than the age indicated by a signal received pursuant to this title, the developer shall use that information as the primary indicator of the user’s age.
So, I have a button "I'm older than 18" on my app but the signal is "under 13", I can decide that the user is older than 18 ?
> Does that mean that the admin will have to manage dob of every student when creating accounts ?
That already happens to some extent although the mechanism by which this happens might depend on the school district, etc. The `dateOfBirth` LDAP attribute is probably the most obvious method (which admittedly should probably not be used due to the ease in accessing this info in the default configuration) but there are others.
In secondary school when my account was set up we were told that our initial password (that we had to change on first logon) was our DOB
So because there is no requirement for the age to be accurate, it would be pretty easy to say "all student accounts are the age of the youngest allowed school entrant for that school year", right? That resolves the age issue and also prevents both PII leakage as well as possible school bullying opportunities.
Two important definitions that might surprise people:
(a) (1) “Account holder” means an individual who is at least 18 years of age or a parent or legal guardian of a user who is under 18 years of age in the state.
(a) (2) “Account holder” does not include a parent of an emancipated minor or a parent or legal guardian who is not associated with a user’s device.
(i) “User” means a child that is the primary user of the device.
User is the most surprising here. It really should just be minors, or non-emancipated minors. Further, I think there are interesting ways the definition of account holder and user combined play out in interpreting the rest of the law.
No. Age verification law is not a partisan or ideological thing. It's a global trend. This law is sponsored by both parties: https://calmatters.digitaldemocracy.org/bills/ca_202520260ab... , and Texas has a newer law (App Store Accountability Act) that requires app stores to verify user ages and obtain parental consent for minors.
There are already "App Store Accountability Act"s present in Texas and Utah. I believe South Dakota is the other state that has one in their House right now. So no, this isn't California being a nanny state. Actually, California's is a lot better than the ones found in other states since literally you're allowed self-attestation of your age bracket (i.e. you don't have to supply an ID or some other such mechanism for independent verification). It's literally the equivalent of what they used to do with porn sites back in the day when they would ask you if you were over 18 -- and if you said yes, well, we tried! (Gold stars for everybody!)
In all seriousness, though, this is the only way where politicians get to pretend they did something and the rest of us get to avoid getting royally screwed. If parents were given dumbed-down versions of the tools that already exist to manage corporate-owned cell phones and laptops then there'd be a lot less for people to complain about (not that it would stop perpetually incompetent parents from pointing the finger at everyone but themselves for their own failings, of course, but at least the vast majority who AREN'T those people would be satisfied).
Are there app stores on Linux? Yes, that's what FlatHub and Snap supposed to be.
So what, should Canonical just block Ubuntu downloads to anyone in the state of California? No security researcher is going to download an operating system that asks them their age for example. I feel like it draws a red line for me also.
This law is so completely insane. It sounds like it was written by some Apple fanboy to whom there is no other operating system other than Apple. The very state that spawned GNU and BSD is the same state that is not only demanding your data but enshrining its use in spyware in law.
Remember in that South Park episode where Cartman had a V-Chip[0] installed in his head and he would get shocked if he said big floppy donkey dick?
In all honesty the V-Chip was meant to protect children.
Age verification and identity assurance[1] is meant to reduce online banking fraud and combat terrorism/espionage.
Whats next outlawing encryption with Clipper Chip[2] 2.0 and saying its to save the whales? I guess we have QUIC and other DRM tech to ruin our day so it doesn't even matter.
I would prefer we drop the think of the children[3] charade and act like adults and get serious about online crime/fraud/terrorism and maximizing online banking.
The biggest problem with this thought domain is that the internet is global and we are thinking at regional, national, and state levels. For so many years everyone has heard complaints about the great firewall of China only to build our own? I guess we have no other choice since bad apples spoil the bunch[4].
I really hate this new world where one jurisdiction - California, Europe, wherever - makes a law and suddenly every other jurisdiction has to comply because the law-making jurisdiction is big enough that tech companies can't abandon it.
And since it doesn't make sense to have dozens of different versions of their apps, they write to the strictest jurisdiction's laws.
If everyone has the power to make laws that apply to everyone...it's chaos.
Beige PCs. Made to comply with German workplace-equipment laws. Yes, the Bundestag legislated the color of office equipment. That has always been the way of fhe world.
Wow, TIL. Thanks for mentioning this. I ran across this as I was researching the background:
> The "beige box" era was largely the result of strict German workplace ergonomics standards (specifically the TUV and DIN standards) that became the de facto rules for the entire global industry. The law didn't explicitly say "thou shalt use beige," but the regulations were so specific about light reflectivity and eye strain that beige (or "computer gray") was essentially the only compliant option.
IBM prepared some light-gray ThinkPad prototypes but were really committed to the black design. They negotiated with the German workplace ergonomics agency who allowed them to sell black ThinkPads but with a "not for office use" label. I wonder if something similar could be done for California's restrictions?
California Assembly Bill 1043 requires OS providers (including Linux) to add age verification at account setup, prompting users for birth date/age to signal age brackets to apps in covered stores.
It may violate privacy by enabling data collection/misuse beyond age checks, similar to UK/Discord issues; no explicit civil rights violations noted, but could restrict access for adults/minors if misapplied.
Benefits: Enables age-appropriate app content, protecting minors.
Drawbacks: Privacy risks, enforcement hurdles (e.g., Linux disclaimers like "not for California use"), aligns with global trends amplifying concerns.
An updated deep dive by Mr. AI returned the following analysis:
Official link: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...
Revised pros: Enhances child safety via non-PII age brackets for app compliance; data minimization limits info shared; anticompetitive prohibitions prevent misuse; good faith shields from liability.
Revised cons: Setup requires age input, risking misuse despite safeguards; enforcement challenges for open-source OS like Linux; increased developer liability for signals; potential access restrictions from errors or misreports. No clear privacy/civil rights violations for adults/minors, but implementation costs and global trend concerns persist.
My thoughts:
California lawmakers keep turning the screw more and more to the left with AB 1043 being introduced by Democrat Buffy Wicks. Though it has bipartisan co-authors (8 Democrats, 3 Republicans) and passed the Assembly unanimously (58-0), it still feels a bit authoritarian to me. The California Assembly political divide is very left leaning with Democrats controlling 60 seats and Republicans 20 for a total of 80 with Democrats controlling a supermajority.
What's to stop someone from building their own Distro using LinuxFromScratch to bypass this new restriction? Nothing, in my view!
Which I had money cause, Florida looking good about now.
I don’t think the title is correct? All OS must have age profiles that external sources can query. There’s nothing explicit that checks the age itself in the law?
What about embedded RTOS, like WindRiver or Zephyr? What if I write a memory manager and flash storage file manager for a really barebones MCU like a PIC? It didn't even define what an operating system is. What constitutes an update? If a security patch to DOS 6 came out, would it suddenly be required to have this tech? Is z/OS going to have this tech?
Overall, I think don't think it's a bad idea for devices to be able to host an age verification system that offers requestable boolean proof of age, like if porn site demands over 18 to view, the user, regardless of age, is prompted and if they accept, it returns either a positive cryptographic claim or a cancel signal if not of age. If they don't accept the prompt, the same cancel signal goes back. The idea that this feature would need a mandate of law is dumb.
Feels like they're trying to implement a new wide-reaching protocol/spec by requiring it by law first, then expecting someone to magically develop something, and god forbid it's a different standard than anyone else's.
By next January there will be 30 different methods of age input signalling between OS and application. And then by 2030 we might have the top 3 adopted as established defacto standards.
"Self, are you 18 years old?"
"Why, yes I am."
"OK, self, please fill out a 27B stroke 6 form in your head."
"I've completed it."
"OK, self, I've validated it."
The actual age verification is being able to install windows yourself and being allowed to do so by parents. So the next thing is TPM to make sure you can't get the silly idea to reisntall it and set a different date
Sure, I'll ask where the user is located, and if they choose California, I'll ask them for their age. And if they choose over 21 I'll scold them for voting for Gavin.
Ask where the user is located and if they choose California tell them that your website/service/OS isn't available for users in CA because you will not be complying with this law and they'll have to go elsewhere.
It puts the infrastructure in place to do all of those things if a future(?), authoritarian regime wants to.
* It also reveals that visitors to any site are children, compromising their privacy and opening them up to targeted advertising
* The data will undoubtedly be added to the accumulated, traded databases so many services use
* The bill makes onerous demands of developers to consider other items that may suggest the user is actually in a different age bracket, like doing websearches for "toys" (child) or "toys" (adult) - which works what percentage of the time, exactly?
* And it's totally ineffective, since kids can look at porn anywhere they want, or internationally, regards of useless bill like this
The most egregious part of this bill is that:
* It legislates that if kids connect to a website, that website can query their age brackets (an "age signal"). This means their approximate age is revealed for kids-specific advertising, manipulation, or even sold to a pedophile group.
A DEVELOPER SHALL REQUEST AN AGE SIGNAL WITH RESPECT TO A PARTICULAR USER FROM AN OPERATING SYSTEM PROVIDER OR A COVERED APPLICATION STORE WHEN THE DEVELOPER'S APPLICATION IS DOWNLOADED AND LAUNCHED.
Basically SB 26-051 creates a mechanism that can be used to harvest the data that certain users are kids and then sell that data to anyone who will pay for it.
Data like this is traded internationally, which makes it tragic that elected lawmakers would waste time pushing a bill whose only mid-term effect would be making Colorado less attractive to developers and software companies.
The irony is that normally your kids would have been protected, by standard practices, from having their age exposed. This bill reverses that, putting your children at more risk.
The bill also would force many devices to provide age bracket data that are surprising to most people, because this part:
"DEVICE" MEANS ANY GENERAL-PURPOSE COMPUTING DEVICE THAT CAN ACCESS A COVERED APPLICATION STORE OR DOWNLOAD AN APPLICATION.
... means anything with Internet access and storage. This includes smart televisions, thermostats, tablets, smartphones, smart watches, some fitness tracking devices, some smart toilets, and so on, all potentially reporting your activity on demand, even if that back-end service has nothing to do with porn.
The bill is also poorly structured. Clearly it's intended to focus on services like app stores (Android, Apple), but by attempting to integrate support for this into operating systems, makes it available to hostile actors for any purpose worldwide. Further, it requires developers to guess whether other available information on a user might mean they're really in a different age bracket, exposing them to fines of $2500 to $7500 per minor "affected" (note: "affected" is not defined in the bill). The exemptions give blanket protection to developers working on for-internal-use software, but give no exemptions to recreational programmers. non-profit personal software, university projects, and so on, casting a chilling effect across software engineering generally.
Lastly, the bill is ineffective. Most of the web runs on Linux, a coöperative international effort, nominally controlled by one man in Finland. There is no chance of this bill's mechanism being implemented in this context. Nor will other developers be especially interested in rewriting software for this Colorado-specific bill. Further, the kids supposedly being protected from all the Colorado native porn sites would just web-browse to nearly any porn site and be outside of Colorado anyway, if not outside the US entirely.
These sponsors aren't alone. Most elected lawmakers are equally bad at technology and protecting democracy from the threats that come from chipping away at privacy protection. Bills like this appear in other states all the time, despite being toothless, easily circumvented by kids (who trivially circumvent even face photo hurdles), or radically compromising the privacy of adults (like this one).
There's also the long game, where these sometimes Democrat-led bills in various states could eventually see a much deeper-reaching federal one, where, instead of a "age signal", the user's computer must send an "ID signal", allowing all personal interactions with the Internet to be tracked, analyzed for political and other biases, and used by backbone firewalls to control exactly what people are allowed to read. Very handy for a dictator who might want to block off "fake news".
This is only a hypothesis, but one has to wonder whether sponsors to such bills even care if the bills work or pass, since either way they still get to claim they Protected the Children! even though the bills themselves violate privacy for everyone, often cause websites about breast cancer to be censored, or pave the way for authoritarian control - something this one stands out for. The only thing really surprising is that this bill wasn't sponsored by MAGA Republicans deliberately to add another paving stone to the road to national censorship.
I urge everyone to get in touch with other Colorado representatives to call for a fight against this travesty of a bill. Further, I would excoriate the two sponsors by email and phone, and tell them now that you will not reward this sort of juvenile lawmaking with your vote. Lastly, tell other people about how Matt and Amy plan to strip away their privacy in a way that puts children more at risk than doing nothing.
Aha... Interesting, I'm the sysadmin of myself so I verify myself that I'm entitled to be root on my iron. Sometimes politicians reveal themselves in their future program dreaming things like mandatory online accounts on corporatocracty-controlled servers for all...
One could cope that this regulation can not apply to Linux or other OSS operating systems. But this is only true unless the bootloaders on consumer devices are mandated to be closed next.
We already have Secure Boot, the infrastructure is in place. It is currently optional, but a law like this can change that.
> (c) “Application” means a software application that may be run or directed by a user on a computer, a mobile device, or any other general purpose computing device that can access a covered application store or download an application.
This is basically any program.
> (e) (1) “Covered application store” means a publicly available internet website, software application, online service, or platform that distributes and facilitates the download of applications from third-party developers to users of a computer, a mobile device, or any other general purpose computing that can access a covered application store or can download an application.
This would include any package manager like dnf/apt/pacman/etc. They facilitate download of applications from third parties.
> (g) “Operating system provider” means a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device.
This sounds to me like it would include distro maintainers. They develop and/or control the OS. Also, would this include the kernel devs? How would they be responsible for the myriad of package managers.
The overall law reeks of politicians not knowing what they're legislating.
Apparently the redacted politicians that were caught raping and murdering little boys and girls in the Epstein files are entitled to a higher level of privacy than either you or me.
Buffy Wicks obviously should not be legislating APIs. But I think it's funny how badly this misinterprets the situation. The local user account on a computer has never been less relevant than it is today.
You know the non-governmental organization "Save the Children"? Maybe it's time to create a new one called "Fuck the Children" to defend people from these laws designed to mine privacy under the pretense of protecting minors.
when you force someone to signal status as a minor, you are forcing them to wear a target, hostiles will not have so much work to find minors, now they only have to contact, groom, and offend.
The fact that bill breaks kids down by specific age groups makes it seem even creepier. Want to target 13-16 year olds? Prefer kids under the age of 13? California is helping predators by making sure they can tell which group every child's username falls under!
Good luck enforcing that in linux, simply because open source community agreed to never agree on anything. The strength of anything is also its weakness, always.
Ok. No more linux in california. Forget silicon valley. Forget all the supercomputers at research establishments. Forget all the smart TVs. Forget all the cars with in-dash computers. Let's see how long california can keep its lights on without embedded linux.
In all seriousness, rather than comply, linux distros should enforce this law. Any linux install that detects itself being in california should automatically shutdown with a loud error message. I give it a week before a madmax situation develops.
It would have to be done at the license level and with litigation. Anything relying on code to be added, would be removed. And probably, trying to do the license thing would force some people to fork the software.
Reaction 2: it's open source, make the lawmakers do submit the changes.
Reaction 3: how would this ever be enforced? Would they outlaw downloading distributions, or even older versions of distributions? When there's no exchange of money, a law like this is seems like it would be suppression of free speech.
Reaction 4: Someone needs to maliciously comply, in advance, on all California government systems. Shutdown the phones, the Wi-Fi, the building access systems, their Web servers, data centers, alarm systems, payroll, stop lights, everything running any operating system. Get everyone to do it on the same day as an OS boycott. And don't turn things back on until the law is repealed.
It defines operating system in the law. This wouldn’t apply to embedded systems and WiFi routers and traffic lights and all those things. It applies to operating systems that work with associated app stores on general purpose computers or mobile phones or game consoles. That’s it.
Enforcement applies as civil fines per-child usage. So no suppression of speech by banning distribution.
(Also it’s not age verification really, it’s just a prompt that asks for your age to share as a system API for apps from above app store, no verification required)
Everything is a general purpose computer. Just look at how many things have been made to run doom. I haven't read the law specifically but if it actually does say this then that language is useless and means practically everything.
Android has associated app stores, therefore Linux must follow this at account setup ..
(I'm mostly hoping I'm just jesting here, that they'd surely not enforce it in this way, plus, who "provides" my Linux OS?)
In any event, it does seem like a very silly overreaching law, that should be highlighted, pointed out, and laughed at.
PS I have not read the law in question. I have read a PC Gamer article though, which is surely much the same.
> “User” means a child that is the primary user of the device.
It’s definitely more vague that necessary, but I’d imagine courts would readily find automated software deployment by an adult or corporation does not constitute a child using the device. Especially if done for servers or a fleet. Because then it’s pretty obvious that a child is not the primary user of the computer nor the software. Even if that software is a server that involves childish activities (eg game servers).
But I’d imagine that Linux package managers associated with a desktop operating system provider would fall under this law. And that raises questions about the software distributed by said package managers.
What’s going to happen when there’s no UI, just a shell, and they pacman -S <mything>? This law is unconstitutional based on criteria of vagueness. If they want it to stick, they need to call out the commercial app stores of Microsoft, Apple, Google, etc where a credit card is attached. Otherwise it’s too vague a term unless they define “store”.
Seems to me this would include TVs, cars, smart devices, etc. The Colorado version of this bill excludes devices used for physical purchase, so your gas pumps and POS systems would be excluded in CO. But I didn’t see that in the CA bill.
They’re both overly broad, ill-considered, frankly terrible bills that make as much sense as putting your birthday into a brewery site or Steam. Enter your birthday and we trust you. Now do that for every single one of those 100 VMs you just deployed…
If the First Amendement is to prevent a government from letting you speak, shouldn’t that also concert a government from letting you hear that speech?
If so, then this seems to go against the Forst Amendment.
Sorry, Australian here so just speculating
So, all of us-west-1?
Not yet, but it will be one day if it passes
That's not what will happen. We've already seen examples of what will happen. So let me just list them instead:
1. The Secure Boot chain for UEFI initially mandated that only OS that were signed by Microsoft would be allowed to boot on PCs where SB is enabled. This was partially rolled back after public backlash.
2. iOS devices and majority of Android devices already don't allow you to install an alternate OS or distro.
3. Platform attestation proposals like Web Environment Integrity and its Android version.
4. Mandate that every developer must register with and pay an MNC to be able to release any app on their platforms.
Basically, they'll just take away your ability to control your device in any way. Don't be surprised if it turns out that these MNCs were behind such legislations. But this legislation is especially dangerous in that it will effectively kill user-controlled general-purpose computing, even from vendors like Pine64, Framework, System76, Fairphone and Purism who are willing to offer those.
Considering the amount of damage caused by these sort of legislative BS, those who propose and vote for such bills should be investigated publicly for corruption, conflict of interests and potential treason. They should be forced to divulge any relationship, directly or indirectly, with the benefactors of these bills. On the other side, rich corporations should be banned from 'lobbying' or bribery more appropriately, in matters that they have a stake in. And they should have stiff penalties for any violations. Not those couple of million dollar slaps on their wrist. At least 5% of their annual global profits, incarceration of top executives and breaking up the company. There has to be a consequence that's uncomfortable enough, for any fairness to be reestablished. This should apply even more for those professional lobbying firms and 'industry advocacy groups'.
People also need to start strongly opposing, rejecting and condemning justifications like this that rely on the cliche tropes of CSAM, terrorism, public safety, national security, etc. None of those measures are necessary or even useful in preventing any of those. Insistence on the contrary should be treated as an admission of inability and incompetence of the respective authorities in tackling the problem. In fact, why do they assume that kids, especially teens, are unimaginative and incapable of working around the problem? They should at least be starting with awareness campaigns to get the kids and the parents on their side and empower parents to enforce parental controls, instead of reaching for such despotic measure right away. This is like banning drugs before the problem of drug addiction is addressed. Black markets exist, even for cyberspace. It will just make the problem a whole lot worse.
And finally, don't let people without clearly proven vested interests anywhere near such regulations. And choose professionals or at least competent people for taking such decisions. You can't rein in this attack on ordinary people without stemming the uncontrolled corruption in the public offices that deal with it.
Most parents lack the technical expertise to police digital devices.
I doubt the california legislature knows what a Linux even is.
All three already have identity linked accounts. Windows practically shoves it down your throat on install, for example. They'll love the excuse to finally disallow web-free accounts.
Windows servers are so back baby!
All Congress critters have staff to help write the bills and fill out the policy. You can bet your sweet bippy that there are people on staff in the California legislature who know what a Linux even is.
they would never need to know it once they learn what SecureBoot is. Any device with 1+ Gflop must have SecureBoot, and goodbye general computing.
Doesn't the bill explain all this pretty clearly? https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...
>> An operating system provider shall [...] provide an accessible interface at account setup that requires an account holder to indicate the birth date, age, or both, of the user [...]
>> “Operating system provider” means a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device.
Your hypothetical "embedded system" almost certainly neither has an account setup process in the first place, nor is it a general-purpose computing device, a mobile phone, or a computer.
> Reaction 3: how would this ever be enforced?
Pretty easily? They enforce it against the OS vendor for not providing such a process. They aren't enforcing the correctness of the age, nor are they claiming to.
> Someone needs to maliciously comply, in advance, on all California government systems.
...what? This is a law demanding compliance from OS vendors. Whose compliance is it even demanding in government systems for them to be malicious about it?
This term doesn't seem defined in the law at all. How general is general?
Graphing calculators that support apps and Python? Of course, they don't usually have "accounts" either. But to a technologist it's a "general purpose computer" insofar as it can run new code that the user loads into it, it can definitely run games that it didn't come from the factory with, etc. It's a tiny multipurpose computing device.
- Microstamping requirements for guns—printing a unique barcode on every bullet casing (Glock gen3 cannot be retired, thus, the auto-mode switch bug cannot be patched...)
- 3D printers should have a magical algorithm to recognize all gun parts in their tiny embedded systems
- Now, you need to verify your age... on your microwave?
At this rate, California should just go back to the Stone Age. Modern technology is simply not compatible with clueless politicians who are more eager to virtue-signal than to solve any actual problems or even borther to study the subject about the law they are going to pass. There will be more and more technology restrictions (or outright bans on use) in California because it's becoming impossible to operate anything here without getting sued or running afoul of some overreaching regulation.
So we don’t have professional legislatures with long-term electability incentives or leadership goals, we have a resumé-building exercise that we call the legislature. They’re all interchangeable and within 12 years, 100% of it will be changed out.
I don't know what the solution is for California, but I don't think it's that.
Raises an interesting question of who is less popular, the Californian government or the US Senate. The experiments with long-term professional legislatures have generally not been very promising - rather than statesmen it tends to be people with a certain limpet-like staying power and a limpet-like ability to learn from their mistakes. In almost all cases people's political solution is just "well we didn't try my idea hard enough" and increasing their tenure in office doesn't really help the overall situation.
The result is that you can stay as long as people keep voting you back in, but you lose the incumbency advantage and end up with a higher turnover rate without ending up with a 100% turnover rate. And you make them learn how other parts of the government work. It wouldn't hurt a bit to see long-term members of Congress do a two-year stint in an administrative agency once in a while.
I think I'd suggest a more generous Senate term limit. Three terms (18 years) would allow for someone to see out a complete Presidential super-cycle, for example.
The word Senate is etymologically related to "senior", it's a place where you _want_ people to be able to develop a lot of institutional experience.
I’m not disagreeing with the rest of your comment, but I’m going to challenge the notion that this etymological connection carries meaning. The word comes from Roman Senate, and in that context in Latin “senior” really meant people with higher status rather than age. Latin is full of these weird double meanings. Compare to seigneur in French or señor in Spanish. Also, the House of Lords in the United Kingdom.
edit: I see the "term limits are anti-democratic" takes elsewhere in the comments, so I guess let me narrow the above ask to "someone who isn't opposed to term limits, but thinks this idea is flawed."
Put the electables in isolation cells fromwhere they one by one end up on the Tee Vee, give voters an app with AYE, NEY and Uhh? The questions are red by the winning HR lady but also appear on the app.
The applicant writes the fizzbuzz etc etc
Then, after the job interview, we give the job to the most satisfying candidate!
It's not necessary but I would also add a series of certificates and diplomas for the voter to show they actually have some kind of idea what the job involves. The level 1 certificate should be supper simple and easy to create. It will grant you 0.1 extra vote power. There could be as many levels as we want but to grow beyond [say] 50 votes should require a mythical effort impossible to attain for 99% while we aim to reserve the right to cast 5000 votes for 1 to 5 people with supper human abilities.
The top 20 should have to explain their AYE's and their NAY's to the Tee Vee audience.
https://www.youtube.com/watch?v=9OHm6FsgJM8
I think the answer may be that the difference in political systems (parliamentary vs presidential) and party systems (less two-party but with greater party discipline) solves many of the problems term limits are intended to solve in completely different ways.
Maybe a better answer would be for US states to adopt the parliamentary system? Although there is some debate about what the "republican form of government" clause means, it arguably doesn't rule out parliamentary republicanism, and Luther v Borden (1849) ruled the clause wasn't justiciable anyway. Added to that, the widespread practice in first half of the 19th century, in which governors were elected by state legislatures, was de facto the parliamentary system. I don't think there is any federal constitutional obstacle to trying this – it is just a political culture issue, it currently sits outside the state constitutional Overton window.
While you could adopt the Australia/Canada model of a figurehead state governor/lieutenant governor with a state premier, I think just having a premier but calling them "the governor" would be more feasible
Maybe. Maybe not. I don’t think it would change outcomes as much as people would think, but to scope limit this back to California again because electoral law discussions just fucking spiral anytime there’s no geographic constraint, the root of California’s lawmaking problems is that the legislature is both poorly structured and poorly balanced against the direct democratic approach we have taken for so much of our lawmaking. I don’t think that’s inherent to the non-parliamentary system we have in place, but a result of incremental rule changes stemming from decades of ballot propositions that are supposed to solve a problem, but don’t and tend to have negative knock-on effects that fly under the radar.
Or put another way: the legislature is for legislating. It doesn’t need a competing power structure, and it doesn’t need to be balanced by anything other than a good functional Executive power and a good functional independent Judiciary. If you have that as your starting point, then maybe there’s room to discuss if there are any real advantages of a Parliamentary system instead.
Presidential systems have had a terrible run if you look at Latin America. The US seemed to be an exception to the rule, but maybe recent events have shown that the US got away with a substandard political system for so long because they had so many other advantages to make up for that, now their other advantages are weakening and the US is slowly converging with Latin America
There, the professional legislators can't get anything right either.
Do you think there's a middle ground of increasing the term limits to, say, 18 or 20 years?
A much more real issue is actually age limits. If someone starts in the Senate at 40 and serves for 24 years, term limits hardly seem to be the big issue. They are retiring at a normal time, and they should still be functioning at a high level.
Conversely, someone who gets elected at 70 and then gets term-limited at 82 is still over a normal, reasonable retirement age. The typical 82 is not in the physical or mental condition to be taking on such an important, high-stakes role.
Both of my parents are in their mid-70s and are in very good mental health for their age. They are very lucid, and my Dad still works part-time as a lawyer. They are also clearly not at the same intellectual powers they were a decade or two ago. Some of it can even just come down to energy levels. I have to imagine being a good legislator requires high energy levels.
Many public companies have age limits for board members, and they even have traditional retirement ages for CEOs. In the corporate world where results matter, there is a recognition that a high-stress, high-workload, high-cognitiative ability job is not something that someone should be doing well past their prime.
Al Gore had to leave the Apple board because he turned 75. In the U.S. Senate, there are 16 people 75 and older.
That is one aspect, but not the important one. The most important element is anti-corruption. Legal bodies can always entrench themselves and their own interests. Term limits significantly weakens entrenchment...excepting when the same legal bodies inevitably gut it.
That's in fact not at all what the research says. There's a decent amount of research that suggests that they actually increase corruption. There's overwhelming evidence that they increase the power of lobbyists and interest groups.
This is a classic one of those ideas that many people intuitively "feel" makes sense but is actually just terrible policy.
> There's overwhelming evidence that they increase the power of lobbyists and interest groups.
There are a lot of factors beyond term limits that influence this kind of research. The most important detail is to remember that corruption spans more than external influence. Institutional ossification has benefits and drawbacks. The drawbacks have outweighed the benefits, historically in the US and England. It was literally baked into the US Constitution to ensure this would not repeat for the US head of state. Notably the Supreme Court was baked in as a lifetime appointment. Granted, the remaining political bodies have not followed suit, I think it's clear that this has had a negative consequence due to the aforementioned entrenchment of the political parties.
> There's overwhelming evidence that they increase the power of lobbyists and interest groups.
It is incorrect to claim that is the only effect. I also don't believe that the conclusion is correct. I do believe it's closer to your initial statement.
> it's just a way for [legislators] to not take responsibility for their voting.
ie It shows a lack of care in executing the responsibilities of the elected position, which is why they barely do anything but campaign at the federal level.
That's at an age where wizened legislators can move into advisory roles, instead of needing to find a next career.
Plenty of shitty ideas are popular based on a hope and a prayer. That’s why you don’t give in to populism. If we’re to impose any kind of limits on Congress, it has to be more intelligent than term limits.
I think its more :
if your taxable income during OR post-office exceeds (some 1,3,5 yr average) prior high watermark income, or the officeholder's salary (whichever is higher), every penny over high watermark is taxed at 99% tax rate.
That should take care of those pesky "speaking fees" and other nonsense that makes politicians rich.
If the problem is representatives using insider knowledge to enrich themselves then just hire more Inspectors General. If the problem isn't insider knowledge specifically then make whatever allows them to get rich illegal.
That should not be a profession.
Decisions should be made by people who are the most informed about the subject matter. By definition you cannot have someone who is the most informed about everything.
We elect the way we do and empower the way we do because it empowers voters to choose on a regular recurring basis who is going to provide oversight that way. When you start screwing around with the basis tenets of electoral democracy, you distort and pervert the value of an actual legislative seat and undermine the value of holding people directly responsible through elections.
Another good example is the ballot proposition system. Some things must go before voters—which is another separate wrong which would be righted—but apart from those, the ballot proposition also presents legislators an opportunity to outsource decision-making risk to voters where instead of having to take a chance of being wrong on a piece of legislation with a roll call vote, they can pass the risk off to State voters. If people voted on the issue directly, they’re not as empowered to hold the people who only put it on the ballot rather than making the decision as someone whose job is to make & pass legislation.
You want legislators to be empowered to serve their role in society so that they are also taking real risks every time they take a stand on an issue that risks pissing off their constituents.
This is not true-by-definition . It may be true, but not by-definition. If there were an omniscient person, they would be the most informed about everything.
It seems all at once, everywhere that many groups that have a vested interest in forcing precedent and compliance of non-anonymous access across the computer world. It smacks of something less-than-organic.
1. When you set up your account and it asks for your birthdate, make up any date you want that is at least far enough in the past to indicate an age older that what any site you might use that checks age requires.
2. Access things the way you've always done. All that has changed is that things that care about age checks find out you claim to be old enough.
The only people it actually materially affects on your new computer are people who cannot set up their own accounts, such as children if you have set up permissions so they have to get you to make their accounts.
Then if you want you can enter a birthdate that gives an age that says non-adult, so sites that check age will block them.
From a privacy and anonymity perspective this is essentially equivalent to sites that ask "Are you 18+?" and let you in if you click "yes" and block you if you click "no". It is just doing the asking locally and caching the result.
This puts the responsibility back on parents to do the bare minimum required in moderating their child’s activities.
Possibly it could be further mandated that the OS collect relevant rating information for each account and provide APIs with which browsers and other software could implement filtering.
And possibly it could be further mandated that web browsers adopt support for this filtering standard.
And if you want a really crazy idea you could pass a law mandating that parents configure parental controls on devices of children under (say) 12 and attach civil penalties for repeated failure to do so.
There's never any need for information about the user to be sent off to third parties, nor should we adopt schemes that will inevitably provide ammo for those advocating attested digital platforms.
Sending all the "bad" data to the client and hoping the client does the right thing outs a lot of complexity on the client. A lot easier to know things are working if the bad data doesn't ever get sent to the client - it can't display what it didn't get.
When you click on a search result, you load a new page on a different website. The new page would once again come with a header indicating the content rating. This header would be attached to all pages by law. It would be sent every time you load any page.
Assuming that the actual problem here is the difficulty of implementing reliable content filtering (ala parental controls) then the minimally invasive solution is to institute an open standard that enables any piece of software to easily implement the desired functionality. You can then further pass legislation requiring (for example) that certain classes of website (ex social media) include an indication of this as part of the header.
Concretely, an example header might look like "X-Content-Filter: 13,social-media". If it were legally mandated that all websites send such it would become trivially easy to implement filtering on device since you could simply block any site that failed to send it.
> A lot easier to know things are working if ...
Which is followed by wanting an attested OS (to make sure the value is reliably reported), followed by a process for a third party to verify a government issued ID (since the user might have lied), followed by ...
It's entirely the wrong mentality. It isn't necessary for solving the actual problem, it mandates the leaking of personal data, and it opens an entire can of worms regarding verification of reported fact.
If you imagine a world where you have a header, Accepts-Adult-Content, which takes a boolean value: you essentially have three possibilities: ?0, ?1, and absent.
How useful of a tracking signal those three options provide depends on what else is being sent —
For example, if someone is stuffing a huge amount of fingerprinting data into the User-Agent string, then this header probably doesn’t actually change anything of the posture.
As another example, if you’re in a regular browser with much of the UA string frozen, and ignoring all other headers for now, then it depends on how likely the users with that UA string to have each option: if all users of that browser always send ?0 (if they indicate themselves to be a minor) or ?1 (if they indicate themselves to be an adult or decline to indicate anything), then a request with that UA and it absent is significantly more noteworthy — because the browser wouldn’t send it — and more likely to be meaningful fingerprinting surface.
That said, adding any of this as passive fingerprinting surface seems like an idea unlikely to be worthwhile.
If you want even a weak signal, it would be much better to require user interaction for it.
https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...
Your toaster is not impacted. You’re turning a law that, yes, has some open questions around implementation, into a way bigger scare and conspiracy.
> operating system provider, as defined, to provide an accessible interface at account setup that requires an account holder, as defined, to indicate the birth date, age, or both, of the user of that device for the purpose of providing a signal regarding the user’s age bracket to applications available in a covered application store and to provide a developer, as defined, who has requested a signal with respect to a particular user with a digital signal via a reasonably consistent real-time application programming interface regarding whether a user is in any of several age brackets, as prescribed. The bill would require a developer to request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.
Let’s be honest here. 99% of general purpose computing devices targeted at consumers make an “account” when you setup for the first time. Even Linux if just to name a home directory. It’s pretty obvious what an account is. Especially when it only applies to bundled app stores. What App Store has no account anyways?
It allows the operating system to define the interface. No patent or proprietary system. No surveillance. The law says user interface. Not graphical interface. Do with that as you will. A OS producer who has an App Store probably has a graphical interface, but if not they surely figured out how to interface with users already.
It actually requires operating systems and developers to not abuse this data or use it for anticompetitive purposes.
There is no attestation. It’s entirely self reported and unverified.
Their definition of "app store" is a mile wide: "(e) (1) “Covered application store” means a publicly available internet website, software application, online service, or platform that distributes and facilitates the download of applications from third-party developers to users of a computer, a mobile device, or any other general purpose computing that can access a covered application store or can download an application."
Grats, github is an appstore. apt-get is an app store. You posting software on your own website is an app store.
Apt… yes is an App Store run by an operating system organization (Debian org). That feels pretty unsurprising. Debian’s parent organization (headquartered in the US) probably needs to comply with this.
And that right there is exactly the fucking problem. A zero profit collective “store” that publishes zero profit hobbyist “apps” is now going to have to invest in some kind of harebrained compliance scheme that will only grow from here.
In a couple of years is my “app” in Debian’s store going to require some goddamn TPS report and certification to tell California that everything is above board? It’s incredibly likely! By itself this law does nothing but lay the groundwork for regulation of “apps”, which by itself might be acceptable, but including FOSS distribution channels and hobby apps in the scope of this law is nothing short of evil. It’s laying the groundwork for a frontal assault on FOSS, and if you don’t see that then I don’t know what to tell you.
My guess is that Linux wasn’t extensively considered in the writing of this law, but when the next stage comes along and people start complaining, legislators will shrug and say “oh well, they need to comply”—and lobbyists for the big 3 proprietary software firms will back that position up. This is setting up a killshot for consumer Linux.
Reading the first analysis PDF:
> This bill, sponsored by the International Centre for Missing and Exploited Children and Children Now, seeks to require device and operating systems manufacturers to develop an age assurance signal that will be sent to application developers informing them of the age-bracket of the user who is downloading their application or entering their website. Depending on the age range of the user, a parent or guardian will have to consent prior to the user being allowed access to the platform. The bill presents a potentially elegant solution to a vexing problem underpinning many efforts to protect children online. However, there are several details to be worked out on the bill to ensure technical feasibility and that it strikes the appropriate balance between parental control and the autonomy of children, particularly older teens. The bill is supported by several parents’ organizations, including Parents for School Options, Protect our Kids, and Parents Support for Online Learning. In addition, the TransLatin Coalition and The Source LGBT+ Center are in support. The bill is opposed by Oakland Privacy, TechNet, and Chamber of Progress.
I think you’ve nailed it here. How many of these people campaigned on this issue? Where were the grassroots to push this? Where did this even come from?
Somebody, somewhere - with a heck of a lot of money - wants to see this happen. And I don’t think they have good intentions with it.
Of course they are copying the play everywhere.
TLDR: Evil people be doxxed internally not everyone.
These days the name "LLM" refers more to the architecture & usage patterns than it does to the size of model (though to be fair, even the "tiny" LLMs are huge compared to any models from 10+ years ago, so it's all relative).
You can remove the in California
Older people have already seen all the patterns, and realize you have to focus on specifics, and that helps clean up the general issue.
A realistic dynamic is the old people are comfortable with the general problems and have positioned themselves to benefit from them. Indeed, they solved the general problems that troubled them in their youth with political activism in their middle age. The young people have different political needs that require general problems to be solved.
Also young people have a terrible track record of actually identifying problems, they are pretty clueless in the main.
Or they just realize that the general problems are insoluble.
https://leg.colorado.gov/bills/SB26-051
While you are correct with this statement in this context, I would say it applies to most things in government in general.
The vast majority of lawmakers have zero experience solving any real world problems and are content spending everyone else's money to play pretend at doing so.
The reality is, most government "solutions" cause more problems than they solve, after which, they blame their predecessors for all the problems they caused and the cycle continues.
The "reality" is that propaganda heavily encourages you to ignore the government successes and only focus on the failures. I'll leave it as an exercise for the reader to determine who benefits from that.
Please, name for me one product or service that the US government has created, that people willingly buy, that has made your life tangibly better.
I can list a billion made by businesses.
Please, go for it. Just one.
Medicaid
The National Park System
I know that the next step is you explaining why these don’t count, or saying “wow only 3” or whatever, but
Oh, there's more: Medicare, Social Security, the highway system.
The whole food/medicine regulatory system is also a big one, and it's the reason a lot of US (and European) products like baby formula are imported into China, because they can be more trusted.
My bet is the GP's going to weasel out using his "that people willingly buy" language. The flawed assumption there is the government should be conceptualized as just another company selling in the market, when the government's actual role is very different.
Airlines are a great example of this. They have changed very little in the last 30 years (again, thanks to all the government regulation and red tape).
Smartphones, TVs, (and literally anything else not in the hands of the government) has also seen rapid improvements.
Anything the government handles is always rife with overspending, inefficiency, and corruption.
A company must maintain profitability to stay alive.
The government on the other hand, is $38 TRILLION dollars in the red.
Yes, the things that "people willingly buy" are the literal engine that makes all of this possible. It is not the reverse.
> Airlines are a great example of this. They have changed very little in the last 30 years (again, thanks to all the government regulation and red tape).
And thanks to regulations, we have less airline accidents than ever. Private companies are more than willing to "externalise" any accidents from cutting costs otherwise.
> Smartphones, TVs, (and literally anything else not in the hands of the government) has also seen rapid improvements.
So does government funded medical research, which improves the quality of life of people corporations deem "unprofitable".
> Anything the government handles is always rife with overspending, inefficiency, and corruption.
Because large corporations and rich donors lobby them to do so.
> A company must maintain profitability to stay alive.
So does a government, debt only lasts as long as the lender believes in your ability to pay it back.
> The government on the other hand, is $38 TRILLION dollars in the red.
And which of the Mag7 are not in debt? I remind you that if you wish to compare the USA to companies, they are literally an entity of over 300,000 people. No company employs that many people.
> Yes, the things that "people willingly buy" are the literal engine that makes all of this possible. It is not the reverse.
No, government enforced order is what allowed the engine to exist to begin with. No one would innovate if their IP could not be protected, and we would regress back into cartels if the government could not enforce private property.
The prosperity of the modern world is build upon a foundation of solid governance.
> Anything the government handles is always rife with overspending, inefficiency, and corruption.
Boy will you be surprised when you get a job.
When I ship packages, I could choose to use a service other than USPS, but I don’t, because USPS is generally cheaper and more reliable.
I strongly prefer Medicaid to my employer-provided healthcare plans because of ease of use, and if I were allowed to I would willingly pay more money into it, either via taxes or direct premium payments, when I am making too much income to qualify.
I gladly give money to the NPS every year, even though I have a choice to pay for a private campground, or other public lands agencies.
I answered the question. You can choose to believe I didn’t all you want.
> A company must maintain profitability to stay alive.
Yeah. And once it becomes a monopoly (like Comcast), it can just keep raising prices.
Where I live now, I paid $50k to get a private fiber optics line just not to deal with Comcast anymore. There were no other options. We _might_ get AT&T fiber, eventually.
But today there are other options. Starlink, for one.
But it was not profitable for them to expand normally. They can't offer drastically cheaper service than Comcast, the installation costs in cities are huge. I also have Starlink as a backup, and it's even slower than Comcast.
So yeah, government actually works better than commercial companies for most infrastructural needs. And in particular, municipal broadband is usually head-and-shoulders better than anything from large commercial companies. It has higher consumer satisfaction ratings and is cheaper on average.
I "owe" Comcast $200. They say I didn't cancel at an old apartment. I say I did. I have the email. They insist. They've sent me a letter once a year for a decade. About 2yr in it went to collections. They're still trying.
Imagine the consequences if I did that with government.
Say nothing of the fact that if I tried to pay it, Comcast would be able to take my money no problem. The government would take a check, ACH or charge me $5 to use a buggy 3rd party CC processing service.
I've had the irs write me a letter saying I owed them money. They were correct and I paid them in a couple of months. It wasn't very hard.
I don't enjoy paying taxes but I do very much enjoy the things they buy.
And their websites are well-designed and functional. There are customer support emails and phone numbers.
> Say nothing of the fact that if I tried to pay it, Comcast would be able to take my money no problem.
About that... A couple of years ago I got locked out of AT&T because I forgot to update my credit card. And I couldn't log in because it required a (you guessed it) one-time SMS password. Their "pay your bill" needed a bill number, for which I needed to log into their website.
Their fix? Visit the store.
> Imagine the consequences if I did that with government.
A couple of years ago I accidentally overpaid the IRS (I paid the capital gains tax twice, as it was already deducted during the sale by the broker) to the tune of $10k. A year later, they sent a letter asking me for clarifications. I called them, and they sent me a refund check.
> The government would take a check, ACH or charge me $5 to use a buggy 3rd party CC processing service.
And what's wrong with a check or ACH?
That's because the question is bad. It was meant to challenge the benefit of government, and a non-answer was meant to be interpreted as "government < business." But at its core is was fundamental misunderstanding of government, so if the question was answered mindlessly, it was unfairly biased towards the asker's biased conclusion.
> and to refuse them is not "weaseling out".
It'd be weaseling out of the faults of the question.
Well, they aren't willingly buying it. They are funded with taxes.
Medicaid - funded by the government, meaning people are not willingly paying for it
The National Park System - funded by the government, meaning people are not willingly paying for it
Human genome - J. Venter was the first to sequence the human genome, privately funded.
the entire space industry - Liquid fuel rockets were pioneered by Goddard, through private funding.
Radar - originated from late 19th-century experiments on radio wave reflection, pioneered by Heinrich Hertz in 1886. While Christian Hülsmeyer patented a "telemobiloscope" for ship detection in 1904
The proto-Internet - Pioneered by Samuel Morse, see "The Victorian Internet" by Tom Standage. Privately funded.
Optical data storage - Invented by D Gregg, https://en.wikipedia.org/wiki/David_Paul_Gregg, at a private company.
Nuclear energy - a very long list of contributors. See "The Making of the Atomic Bomb".
And so on.
Sure, some companies participated in the process. But it was a government that did it.
It's been more than 50 years and private companies haven't been able to match it.
The greatest technical achievement of mankind was done by a government. Private industry could, at best, help.
Sorry all the other things you name are great. But the winner is government.
Quite a stretch to say the Atomic Bomb was privately funded!!!
The original Whittle engine was developed with private funds.
From "The Development Of Jet And Turbine Aero Engines" by Gunston:
pg 123: of which £200 came from an old lady who ran a corner shop near Whittle's parents in Coventry
pg 123: But a direct request to Air Ministry for a research contract in October 1936 brought flat rejection,
pg 124: Whittle could see that the only possible way to proceed was to take the gigantic gamble of running a complete engine.
pg 125: Indeed, there was little money for anything. While the RAF backed Whittle in every way they could - for example, by not requiring him to take the usual examination for promotion to Squadron Leader - the Air Ministry contributed nothing to Power Jets until May 1938, and Whittle had to watch every penny. He nearly cracked under the strain, which in fact was to get worse for seven years, not because of the Problems in developing the engine, but from the suspicion and enmity with which he was regarded by officials and manufacturers, and by the outrageous behaviour of the Company picked by the Air Ministry to produce his engine.
(Whittle's engine first ran in 1937).
It isn't possible to untangle its development and claim one or the other.
https://www.energy.gov/hgeo/articles/does-early-investment-s... https://en.wikipedia.org/wiki/Fracking_in_the_United_States https://clearpath.org/tech-101/hydraulic-fracturing-a-public...
Things work here and nobody seems to be passing the "oops my unintended side effects and clueless regulations messed things up horribly." Or, if they do, it is at something like 1/10th the level.
We didn't start warning label spam everywhere. We don't have weird propositions that are causing run-away housing prices. There aren't bar codes on our 3d printers, or cookie banner requirements on every website. Well, ok we do, but that nonsense all came in from other places.
We did pass laws to lower PFAS/PFOAS. That seems reasonable. Government can work.
Most of those are a reaction rather than the cause. People want to move to california, it creates a different set of problems for california vs Massachusetts
I wish I was joking. They get audited yet? Pretty sure that was a ballot measure that passed by a huge margin years back and last I checked they were stalling...
The sheer size, economic volume and cultural diversity of CA presents a pretty unique set of issues.
Zero basis in fact. We’re in the wealthiest nation on the planet. Most of us live better than any previous generation. To claim all that success is completely in spite of government is ridiculous.
Who do you think printed it. Who signed the bill?
The US can just print money and receive goods in exchange of literal paper. Or just put an extra zero in a bank account and receive goods in exchange.
And if a certain yahoo decides they want in the money printing scheme...who do you think is going to send the goons with guns to prevent the government monopoly in creating literal wealth.
U. S. by far the largest current-account deficit (over $1.2 trillion).
U.S. has the largest goods trade deficit (over $1 trillion).
I don't know much about guns, but I assume that would be on the hammer? Couldn't you remove that "microstamping" by lightly filing down the hammer or just using it a bunch and causing some wear?
I think they've learned from the anti-gun lobbyists and are now pushing to end anonymity on the internet the same way.
What part of the bill makes you think this would apply to a microwave? https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...
And what part makes you think you need to verify your age, as opposed to just specifying it? Nobody is requiring any verification. The only requirement is on there being an interface for you to input whatever age you want to input.
come to think of it, maybe there is something good about this law. :D
Not to mention all the printers, routers, etc that run freertos/thread x/vxworks.
He may be our next president and this becomes an executive order.
What's even more curious is that the California voters seem not care at all. As long as the government can collect more taxes with more altruistic slogans, the voters will stay happy.
Some people think all problems should be fixed with regulation.
Some people think all problems should be fixed with free market / responsibility.
California and liberals tend to lean to the former. A place like Texas and conservatives tend to lean to the latter.
I think both camps are crazy because it’s a case-by-case basis where you need to consider second and third order effects. But man talk to a die hard regulation supporter or die hard free market supporter and you just want to say “the world isn’t just simple rules like that.”
Anyone buying or selling a microwave with an app store deserves this mess.
If California starts knocking on the door of random distros and hobby OSes designed for power users or servers with 2000 average monthly downloads then I'll go to bat defending them.
Though to re-iterate, I'm pretty sure the requirements here are for asking a user to set an age, not to do age verification, so if you did want to comply it would mean adding a Date field to your setup flow and then wiring that up to applications that ask for it.
Technology has never been tge limiting factor. Politicak will is.
it is because any government regulation over user identifiers in an operating system (and left to grow and fester according to political wont) will chill free speech (code, data) and assembly (the ability to share code and data with others unsupervised).
[0] https://news.ycombinator.com/item?id=46521179
People who dont understand the problem must pass a solution that makes people feel good. Clean needles, homeless hotels, etc. If they dont make things worse, that is a win.
What it takes to become a “successful” politician is typically not what it takes to define good policy.
All this does is require the user to select a non-verified age bracket on first boot. You can lie, just like porn sites today. I thought HNers wanted parents to govern their children's use of technology with these kinds of mechanisms.
> There's an obvious theme with lawmakers in California—they pass laws to regulate things they have zero clue about, add them to their achievement page, cheer for themselves, and declare, "There! I've made the world a better place."
There's an obvious theme with HN posters about politics—they make cheap drive-by comments about regulations they have zero clue about, based on articles they haven't actually read, cheer for themselves, and declare, "There! I've shown why I'm smarter than all these politics people."
This is the age verification requirement which you rudely and incorrectly said doesn't exist. Nothing is done with the data (for now) but age is in fact verified on the assumption that the user doesn't lie.
Instead of lengthy condescending missives about the behavior of other users, you should instead write "I'm sorry for being negative and bringing down the quality of discussion."
The original post was low effort flame baiting. There's an argument to be made that it should be ignored, but it's hard to say.
When the law and it's execution are undermined and weak, it becomes the cudgel of fickle changing power, i.e. it is applied selectively and it means nothing to people except when they are being beat in the head with it, at which point they only regret having been caught, successfully undermining the social and political fabric of a nation.
Having a bad law with a weak enforcement mechanism isn't quite the thing to be boasting about you seem to think it is.
Eh, sounds kinda reasonable. Ammo already has unique serial numbers embedded in the butt of every cartridge (in some countries, not sure about the US), and guns do leave somewhat unique marks on the bullets upon firing so... sure, why not. Surprised it took that long TBF, the necessary technology has been commercially available since the early 90s, I think?
> 3D printers should have a magical algorithm to recognize all gun parts in their tiny embedded systems
Yeah, this one's seems unnecessary. Is weapon manufacturing without a license a crime? If yes, then whoever 3D-prints a gun can be prosecuted normally.
> Now, you need to verify your age... on your microwave?
Or on your gas stove. A travesty, really: I was taught how to operate a stove when I was in the second grade and never burned any houses down, thank you very much.
Even people who didn’t want to break the law might find themselves on the receiving end of law-enforcement if the firing pin wears such that the micro stamping is no longer identifiable.
The micro stamping law does nothing to prevent the flow of guns to people who should not have them, and does everything to prevent the use or purchase of guns by people who can lawfully own them - which is the whole point of a law like this. The people who make these laws are well aware of this.
The age verification law, coupled with the proposed hardware attestation that our good friend Lennart poettering is working on will ensure that anonymity on the Internet is gone. This is precisely what lawmakers are aiming for. And just like the micro stamping law, the intent of the law is not the literal word of the law.
I'm curious, so if (when?) California ends up successfully hunting down some criminals with this, what is your new position going to be? They were going to get caught anyway, or something like that?
Legitimate gun users will, at best, use their weapon in self defense, in which case they'll be sitting there waiting when the police arrive, so no need for microstamping.
The "crime of passion" so popular in TV shows are few and far between, and there's usually a huge amount of other evidence.
I'm no democrat, although I'm sure as hell no republican, and as a resident of the state, I'm also a routine critic of the California state government.
I agree that a lot of their activities are indeed, performance art in nature.
However I do agree with the identification requirements on guns and ammo.
You can't shoot someone with a computer, no matter what OS you run.
The idea that lethal weaponry is the same as any other consumer product is just not accurate.
No, you can just target-lock them. The computer database (and now, LLM) is probably the biggest threat to freedom in existence. You can keep your popgun. They'll know where it is, and come with bigger ones.
China be doing some pretty heavy-duty damage with computers, but age-gates won't stop them.
You can't put the genie of firearms back in the bottle any more than Hollywood can put the genie of p2p file sharing back in the bottle. Trying to do so is like trying to unscramble eggs. It doesn't matter how valid your desires or justifications for attempting to so are, it's an act of banging your own head against the cold, hard wall of reality.
I don't have a stance here on what "the right" policies around gun control are but it is clearly a much wider field than just a preplanned assassination with diy parts.
A non-exhaustive list of a few very different scenarios that are all involved with anything touching or rejecting gun control:
- highly motivated, DIY-in-the-basement assassination plots like you mentioned - hunting for food - hunting for fun - wilderness safety - organized crime and gang related violence - mass shootings at things like concerts, sporting events, colleges. Sub point of mass shootings at schools where the law requires children to be. - gun violence involved with suddenly escalating impromptu violence like road rage and street/bar fights - systematic intimidation / domestic terrorism of particular groups or areas - gun related suicides
All of these are very very different. None of them have perfect answers but that doesn't make thinking about it "an act of banging your own head against the cold, hard wall of reality" nor does it make anyone interested in working on some of these problems naive or stupid like you imply.
If you're being earnest or maybe jaded, I'd say dont give up hope and don't let perfect be the enemy of good.
If you're just being a dick then so be it, maybe someone else gets something out of this comment.
That kind of mistake is common here, but I don't think it is due to a failure of logic. I think it is something deeper.
I've noticed that people who have worked deeply and/or a long time as developers tend to lose the ability to see things as a continuum. They see them as quantized, often as binary.
That's also why there are so many slippery slope arguments made around here that go from even the most mild initial step almost immediately to a dystopian hellscape.
This is prevalent enough that it arguably should be considered an occupational hazard for developers and the resultant damage to non-binary thinking ability considered to be a work related mental disability with treatment for it covered by workers compensation.
A way to protect against developing this condition is to early in your career seriously study something where you have to do a lot of non-binary thinking and there are often aren't any fully right answers.
A good start would be make part of the degree requirement for a bachelor's degree in computer science (and maybe any hard science or engineering) in common law countries a semester of contract law and a semester of torts. Teach these exactly like those same courses are taught in first year law school. Both contracts and torts are full of things that require flexible, non-binary, thinking.
> 3D printers should have a magical algorithm to recognize all gun parts in their tiny embedded systems
Color scanners and printers have long had algorithms to recognize currency and prevent its reproduction, implemented with the technology of decades ago. It seems relatively simple to implement gun part recognition today, especially with the recent leap in image recognition capability.
(Rants and takedowns, IME, may entertain fellow believers, but signal a comment that's going to go well beyond any facts.)
With 3d shapes of non-governmental origin this is at best difficult and at worst intractable. Consider the fact that many parts of a gun can be split into multiple printable pieces to be later assembled, making it very nontrivial to decipher the role of the shape.
With currency, the government has the controls for the supply of the target shape (it can encode hidden signals onto banknotes) and effectively controls the relroduction side (through the pressure on printer manufacturers). But it cannot control the supply of gun-part-shapes (it is not the only source for it), and since the problem is likely intractable - neither can it enforce the control on the 3d printing side.
Paper money being almost non-fungible is a great achievement, but is it as easy to make any mesh nonfungible as well?
> Paper money being almost non-fungible is a great achievement
Going off on a tangent: Many people in technology and in the public look at cash as backward, boring, even socially embarassing technology. I think few it's amazing technology, an incredible hack: tech we struggle to implement in computers is implemented highly successfully and reliably in a piece of paper.
Not doing anything and preserving maximum agency is an entirely valid choice.
And it's sits fine with you because you are the one who wouldn't pay the price for this "simple image recognition capability". Except you would pay of course, indirectly but at least you wouldn't know for sure so your conscience would feel at ease.
rm - ok for all ages.
grep - 18+, you can obviously use this to search for porn.
find - 18+, see grep.
reboot - ok for all ages.
echo - ok for all ages.
cat - 18+, prints the porn you found directly to your terminal.
sudo - 18+, obviously.
kill - ok for all ages. This is the US, right.
ps - 18+, no peeping at other processes.
> cat - 18+, prints the porn you found directly to your terminal.
Sound good in theory, until you realise that any teenager knows perfectly well how to trivially get around the lack of `cat` to read their terminal smut:
reboot - you never know what the sysadmin might have loading on boot, unsafe as it could load porn
echo - ASCII art would like to have a word
kill - I know the US will have mixed feelings, but communicating with other processes might allow them to send you porn
I'm not so sure, who knows what woke UEFI and edgy motherboard vendors are putting up as splash screens these days. And the law doesn't even consider those since they aren't part of the OS!
Which isn't to suggest that it's a good law, just not really "age verification".
[1]: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...
> good faith effort to comply with this title, taking into consideration available technology and any reasonable technical limitations or outages
could easily be read as meaning "facial recognition technology exists and is available, not using it is a business decision, failure to use it removes the good faith protection".
If the lawmakers didn't intend this, then they didn't need to add all the wiggle words that'll let the courts expand the scope of this law.
* The signal has to be made available to both apps and websites
* So if you dutifully input valid ages for your computer users, now any groomer with a website or an app can find out who's a kid and who isn't. You just put a target on your kid's back.
* A fair share of parents will realize this, and in order to protect their children, will willfully noncomply. So now we'll have a bunch of kids surfing the net with a flag saying they're an adult and it's okay to show them adult content.
* Some apps/websites will end up relying on this signal instead of some real age verification, which means that in places like porn sites where there's a decent argument for blocking access from kids, it'll get harder. Or your kid will get random porn ads on websites or something.
So basically unless this thing is thrown out by the courts, California lawmakers have just increased the number of kids who get groomed and the number of kids who get shown porn.
Mind boggling that something this bad passed.
Since I do not see a solution, and you see identifying children as a risk, what do you see as a solution for kids being in the same spaces as adults? Do you see a reasonable implementation to separate them, that doesn't have the "we know which accounts are children" problem? Maybe there's something in between?
Also, I think it's important to understand the life of a modern child, who's in front of a screen 7.5 hours a day on average [1], with that increasingly being social media, half having unrestricted access to the internet [2].
I hate government control/nanny state, but I think 5 year olds watching gore websites, watching other children die for fun, is probably not ok (I saw this at the dentist). People are really stupid, and many parents are really shitty. What do you do? Maybe nothing is the answer?
[1] https://www.aacap.org/AACAP/Families_and_Youth/Facts_for_Fam...
[2] https://fosi.org/parental-controls-for-online-safety-are-und...
Then, software on the user's computer can filter without revealing any information about the user.
I'm not going to say that's impossible but the number of sites that do the right thing and reduce risk are going to vastly outnumber that. And 90% of those kids already have targets on their backs by virtue of the sites they visit.
"useradd bob" is an "account setup". does that need age verification too? haha
Someone has fallen victim to Politician's Logic: https://www.youtube.com/watch?v=vidzkYnaf6Y
Age verification is the quickest road to ending general-purpose computing, because it plays on people's knee-jerk emotions. It won't do it by itself, but it'll goes a long way towards it.
The goal in my mind is to have an account a parent can setup for their child. This account is set up by an account with more permissions access. Then the app store depends on that OS level feature to tell what apps are can be offered to the account.
Let say the the age questions happen when you install the app store. That means if you can install the app store while logged in as the child account the child can answer whatever they want and get access to apps out side of their age range. The law could require the app to be installable and configurable from a different account then given access or installed on the child account, however at a glance that seem a larger hurdle than an os/account level parental control features.
The headline calls this age verification, but the quote in the article "(2) Provide a developer who...years of age." Make it sound way different and much more reasonable than what discord is doing.
I would much rather have OSs be mandated with parental control features than what discord is currently doing. I am going to read the bill later but here is how discord age verification could work under this law.
During account creation discord access a browser level api and verifies it server side. discord no knows if the OS account is label as for someone under 13 years, over 13 and under 16, over 16 and under 18, or over 18. Then sets their discord account with the appropriate access.
No face scan, no third party, and no government ID required.
That sounds like an OS feature that parents would like to have. Probably has some market value. Maybe just let the market figure that one out.
Or, we could have an overbroad law passed that torpedoes every open-source OS in existence. If I were MS, Google, or Apple, that'd be a great side benefit of this law. Heck, they probably already have this functionality in place.
The problem here is legally-mandated age verification, not where it is placed (although forcing it into all OSes is absolutely ...). The gains are minimal for children and the losses are gigantic for children and adults. I'm not keen to have children avoid blisters by cutting off their feet.
Put control back with the parents. Let them buy tech that restricts their children's access. This law doesn't protect children from the mountains of damaging content online.
And let all the adults run Linux if they want to without requiring Torvalds to put some kind of age question in the kernel and needing `ls` to check it every single run.
If there was a competitive market for OSs this probably would work, but we do not really have that. Getting the market to be competitive likely either takes considerable time, or other forms of government intervention. If there really was a competitive market then this would have been a solved problem ~15-20 years ago since parents have been complaining about this for ~25-30 years at this point.
> Or, we could have an overbroad law passed that torpedoes every open-source OS in existence. If I were MS, Google, or Apple, that'd be a great side benefit of this law. Heck, they probably already have this functionality in place.
I do not think the law does that. Either a additional feature making age/birth date entry and age bracket query available, or indicated the os is not intended for use in California, both seem to let developers continue along like normal. edit Or, I think, indicate that it is not for use by children.
> The problem here is legally-mandated age verification, not where it is placed (although forcing it into all OSes is absolutely ...). The gains are minimal for children and the losses are gigantic for children and adults. I'm not keen to have children avoid blisters by cutting off their feet.
In this case the mandate is entering an age/birth date at account creation where you can lie about said age/birth date. The benefit is the ability of an adult to set up parental controls for a child account.
> Put control back with the parents. Let them buy tech that restricts their children's access. This law doesn't protect children from the mountains of damaging content online.
This puts control in the parents hands. When they set up their child's account they can put in their child's age, or not, they can make it an adult account.
> And let all the adults run Linux if they want to without requiring Torvalds to put some kind of age question in the kernel and needing `ls` to check it every single run.
So from the literal reading of the law the age checks are only required when "a child that is the primary user of the device". It does not need to effect accounts where the primary user is not a child. Nor does it seem like any application needs to run the check every time the application is launched.
The law unfortunately does require:
> (b) (1) A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.
So in the case where a child is the primary account/device user. The app needs to request the signal at least once when first launched, though it is not required to do anything with it. Delegating that to the package manager would make sense, but this part of the law should be modified, apps that can not use the signal for anything should not be required to request it, 'ls' for example.
It's just asking for some OS feature to report age. There's no verification during account setup. The app store or whatever will be doing verification by asking the OS. Still dumb to write this into law, but maybe not a bad way to handle the whole age verification panic we're going through.
There is no reason to tell the application, and by extension their developers, how old the user is. The application should tell the user what bracket it is appropriate for and then the operating system could filter appropriately without any of the user’s identifying information leaving their system.
This is also technically superior because it moves the logic for filtering out of being custom implemented by each and every single application to a central common user-controlled location; you do not have to rely on every application developer doing it right simultaneously.
And your point about fail open versus closed also makes no sense since if there are zero repercussions to not writing filtering logic then nobody would even bother. If there is liability, then obviously everybody will fail closed and every application developer needs to evaluate and change their application to only allow acceptable usage. This is much harder if they have to write custom filtering logic instead of just publishing their data categorization.
I do wonder who benefits from all the propaganda causing this kind of kneejerk reaction though.
Like, I’m not American and in Germany we have ID cards that actually have your age encoded on an NFC chip in the card and an ID number that encodes the age. Like, age is part of the ID number and checksum.
You could totally do all of this age verification offline on device and just expose an API that offers the age of the user to applications. You’d never need to talk to the internet for this, the API just says if you are a minor or adult, the browser can pass that to websites who don’t need to collect personal data and everything is fine.
But that’s not going to happen. It’s gonna be some AI facial recognition kinda garbage that is gonna send your face in every angle to Apple or Microsoft or another third party.
As is common these days they are going to try really hard to absolve you as the user of any responsibility for the sake of protecting kids so they can’t let this be a simple offline thing where your personal information never ever have to leave the device because what if kids find a way around it? Well the obvious answer is don’t let your kids just use a computer without supervision but if people would do that we’d not be in need of this garbage anyway.
have you literally ever met a kid?
I'm not the one making laws about age verification, so I'm not sure how you get off blaming me for anything.
Look at the thread on Block’s layoffs while they are profitable.
What I did say was:
>if there has to be age verification
That is far, far different than saying I want that shit. I do not make the laws, and I wouldn't vote for it either, so please, get your head out of your ass.
It doesn't. The device (not the "OS") is registered with government authorities. The device is associated with a single human for the purposes of age verification. And it's a one time action at the time of association.
> Android
> iOS
> MŚ Windows
:)
Well, the politicians probably meant to say “Apple, Google, Microsoft, plus maybe Sony and Nintendo”
i.e. the companies that already have biometrics, nigh-mandatory user accounts, app stores linked to real identities, parental controls, locked down attested kernels, and so on.
If phones had workable parental controls that let parents opt their kid into censorship, that’s better than the give-your-passport-to-the-porn-site approach the UK have taken.
Of course if they have applied it to every OS, not just the big corporate-controlled options, that’s a dumb choice.
I guess we'll just have to trust that our legislators are technologically savvy...
The "why" is also clear: deflecting/shifting responsibility.
There are essentially two desktop operating systems, Windows and macOS. Linux is a decimal point and too fractured to worry about.
There are essentially two mobile operating systems, Android and iOS. And while Android is fractured, Google still has reasonable control they can exert.
This is (weirdly) the smart way to do this type of law.
Make the consumer OS providers add an age signal. That property can be bound to an account with the inability to change it.
Behold, "universal enough" parental controls which will require only a handful of lawsuits to litigate.
i.e. this doesn't require age verification at all
just a user profile age property
> [..] interface that identifies, at a minimum, which of the following _categories_ pertains to the user [..]
so you have to give apps and similar a 13+,16+,18+,21+ hint (for US)
if combined with parent controls and reasonably implemented this can archive pretty much anything you need "causal" age verification for
- without any identification of the person, its just an age setting and parent controls do allow parents to make sure it's correct
- without face scans or similar AI
- without device attestation/non open operating systems/hardware
like any such things, it should have some added constraints (e.g. "for products sold with preinstalled operating system", "personal OS only" etc.)
but this gets surprisingly close to allowing "good enough privacy respecting" age verification
the main risk I see is that
- I might have missed some bad parts parts
- companies like MS, Google, Apple have interest in pushing malicious "industry" standards which are over-enginered, involve stuff like device attestation and IRL-persona identification to create an artificial moat/lock out of any "open/cost free" OS competition (i.e. Linux Desktop, people installing their own OS etc.).
---
"causal" age verification == for games, porn etc. not for opening a bank account, taking a loan etc. But all of that need full IRL person identification anyway so we can ignore it's use case for any child protection age verification law
----
it's still not perfect, by asking every day daily used software can find the birthdate. But vendors could take additional steps to reduce this risk in various ways, through never perfect. But nothing is perfekt.
---
Enforcement is also easy:
Any company _selling_ in California has to comply, any other case is a niche product and for now doesn't matter anyway in the large picture.
This is usually how they do it though. First make a dumb law with poor enforcement. People don't push back about it because it obviously won't be enforced. Wait a bit, then say "people are flagrantly violating this law, we need better enforcement". At that point it's a lot harder to say "it shouldn't be a law at all!" because nobody complained when it was brought into law.
There is certainly a risk of what you’re describing with KYC tech that coming online, but I don’t know if that means it will happen.
To play devils advocate; It’s a reasonable demand from parents to control what their children are exposed to. This seems to support that.
This is considerably better than all of those.
What happens if I bring a laptop with an "illegal" OS without this unwanted "feature" into the state? Will I be denied access to public wifi in hotels and restaurants? Or will it grant me access, but snitch on me -- make a call to the state police to come deal with someone with an illegal laptop? Will I be forced to install a different OS while a police officer watches? Will my laptop be confiscated and destroyed as contraband? Will I be thrown in a California prison?
I don't want to take a risk and find out.
The only remedies listed are:
> 1798.503. (a) A person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) per affected child for each negligent violation or not more than seven thousand five hundred dollars ($7,500) per affected child for each intentional violation, which shall be assessed and recovered only in a civil action brought in the name of the people of the State of California by the Attorney General.
And there are several other provisions that further narrow the circumstances under which this law could be enforced.
If your personal computer is not being used by a child, and you're not distributing software to children or devices used by children, then there are no circumstances under which your actions could violate this law.
This is how people bought personal computers when the mainframe priesthood banned them.
It appears that very soon, young people will "de facto" need to have this level of competence in order to survive and thrive in a world of "in loco parentis" operating systems and apps.
The latin reveals my age, but one thing about my age:
People my age did exactly that. We built our own hardware when there was none. We compiled (or copied) operating systems and apps. A couple of my friends wrote an operating system and a C compiler.
"My generation" created this entire internet thingy, installed and web-based apps.
Indeed, dumb-asses are going to level up young people.
Nah. It follows that computers will be required to only boot age restriction compliant operating systems, as verified by digital signatures.
This is of course just MacOS and Windows.
Before they do this, it will be easy to lock the internet to only allow attested operating systems online.
Now exchange "car" for "OS" and "alcohol" for "age-sensitive content"
To your point, a user shouldn’t be forced to put in age details just to use an OS. That said, if an OS can send a simple Boolean to an app/site if the user is over 18 or not, I’m guessing more people would rather opt into that system vs handing over extensive details to each and every vendor who asks.
As a person in my 40s, with no kids in my house, I find all of this absurd. Let parents install some nanny software if they want, don’t force it on everyone and use “protecting children” as the scapegoat.
- servers living in datacenters
- realtime operating systems in embedded devices
- the Intel Management Engine
- the OS on every smart chip in credit cards and debit cards
- wireless cameras, roombas, smart TVs, smart fridges
- cars. Those automotive systems have OSes too right?
- all those IoT devices, including California’s traffic cameras
What age signals should those devices send out? Is there an exclusionary clause?
I think mistercheph is right to be concerned. This bill applies to all "operating system providers", defined thusly:
(g) “Operating system provider” means a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device.
Regarding penalities:
1798.503. (a) A person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) per affected child for each negligent violation or not more than seven thousand five hundred dollars ($7,500) per affected child for each intentional violation, which shall be assessed and recovered only in a civil action brought in the name of the people of the State of California by the Attorney General.
Not really.
>...for the purpose of providing a signal regarding the user’s age bracket to applications available in a covered application store.
So the OS has to provide an age signal to apps from a "covered application store" defined as:
e) (1) “Covered application store” means a publicly available internet website, software application, online service, or platform that distributes and facilitates the download of applications from third-party developers to users of a computer, a mobile device, or any other general purpose computing that can access a covered application store or can download an application.
(2) “Covered application store” does not mean an online service or platform that distributes extensions, plug-ins, add-ons, or other software applications that run exclusively within a separate host application.
So things like Windows, Android and iOS...
They are publicly available online services that distribute and facilitate the download of applications from third party developers to users of a general purpose computing device.
The narratives are changing. All these locks and controls used to be about curbing copyright infringement. Now that AI has more or less rendered copyright irrelevant it's turned into a straight up attempt to control the population. They're barely even making excuses anymore.
Mind boggling right about not allowing GCC to be used as a library, his comments on Jeffrey Esptein, a refusal to in any way compromise (e.g. the GNU/Linux meme), etc...
Oh and a recognition that free software, while nice, does not in any way solve the underlying issues he claims it does. Similarly to how letting everyone walk around their local water treatment facility and perform chemical tests doesn't really work and instead the state regulates and hires experts to monitor the water supply...
Nothing wrong with that move from a strategic point of view. The objective was to leverage GCC and make others play ball. People who wanted GCC should have been forced to do things the free software way.
Only problem with this is it turned out GCC didn't provide enough leverage. Replacing GCC wasn't difficult enough. People implemented LLVM instead and the rest is history.
Compare that to Linux which literally leaves companies behind in the dust when they refuse to merge. No kernel ABI stability: if out-of-tree stuff gets broken it's not their problem. Companies have a choice: play ball or pay the maintenance costs required to keep up with the biggest free software project ever. That's how it should be.
> his comments on Jeffrey Esptein
By "everything" I of course meant his ideas on computer freedom which is the context of this thread. I don't know or care about his opinions on Epstein.
> a refusal to in any way compromise
As he should. If anything he's not extreme enough. Compromise is the root of many evils.
> a recognition that free software, while nice, does not in any way solve the underlying issues he claims it does
Elaborate.
Do you disagree with his description of Epstein as a serial rapist? Do you disagree with Stallman's position that Epstein should be described according to the specific crimes he committed: rape instead of using much more vague terms that also encompass much less severe crimes which Epstein himself used to downplay and obscure the actual crimes he committed?
If so, why?
So, this makes desktop Linux illegal, but all the software-as-a-service like Microsoft Azure and OpenAI get off scott-free?
Fantastic.
They absolutely want to make it illegal.
The sentence you quoted says that folks who are required to comply with the law are not also required to ensure that the person currently using the device or application is the same one who entered their age or birth date into the OS's "how old are you?" database. [0]
It is true that this law is as bad as the recent Oklahoma one for small, non-corporate Linux distros... but that sentence you quoted has nothing to do with that problem.
[0] If we were speaking in person, I'd love to have you walk me through that sentence and explain to me, piece by piece, how you came to the conclusion that you did. Doing it remotely like this would be too tedious.
The people who wrote this law work for Microsoft and think people have individual laptops and phones with a cellular plan. They care nothing for user privacy, in fact they want persistent digital identifies for advertising.
Vendors will need support stuff like "account holder is 12msec old, and can access adult content". They can even create a special certification for it.
>> useradd -G under13usergroup username
I wonder: since that operating system needs to attest and (vaguely) eventually report an age and other identifiers to a government API and app developers, will that report violate HIPAA?
It's a good reason not to put cloud dependencies into things.
no accounts to compromise. no passwords to remember. end point devices control their connectivity. no vpn needed to connect, no intermediary to see all traffic and peer traffic is specifically what is needed/allowed/requested, not a wide open network connection/accounts to be compromised
The saving grace is that obviously they have no idea what a Linux distribution is, and only the Attorney General can bring action, so there isn't much risk of the AG suing Debian.
These companies have fewer ethics than a minimum-wage liquor store clerk when it comes to caring about the age of their users.
What parents should be doing is enabling age controls.
Which means those age control features need to exist.
So the state is making sure the features exist.
There's no verification. The headline is a lie. It's just an account setting that parents can use if they want to.
I think it's one peg below intel agencies. It's the local gov agencies that want that power. The 3 letter peeps can already tell who writes what, both at scale and targeted.
Yes, yes, free speech and everything, you just have to first give the OS your phone number, credit card number, drink a verification can and please also... you do want to still keep your job, right?
> when the application is downloaded and launched
So it looks like the law only requires it on first launch. Which makes sense if the application can only be run from that one account. Apps that can be launched from multiple accounts are not singled out in the law, but the spirt of the law would have you checking what account is launching the app and are they in the correct age range.
So we're already pretty deep in the law deciding what shape of computing you're allowed to do. What makes you think it will stop here?
I guess let me show a slope I found over here, just past the boiling frogs, watch your footing though, it's recently been greased and is quite steep.
I think this is mostly for show to stay relevant wrt. What is happening in the courts. This is the Same play as it always been for registration “are you over the age of 13?”
Wedge.
First, let's admit the push for age verification laws isn't a partisan or ideological thing. It's a global trend. This California law has bipartisan sponsorship and only major org opponent is the evil G [1]. While age verification is unpopular in tech community, I imagine a lot of average adult voters agree that limiting children's access to wilder parts of the Internet is a good thing.
On this premise, the discussion is then who should be responsible for age verification. The traditional model is to require app developers / website owners to gatekeep -- like the Texas and Ohio laws that require PornHub to verify users' IDs. But such model put too much burden on small developers, and it's a privacy nightmare to have to share your PII with random apps.
This is why we see this new model. States start to believe it seems more viable to dump the responsibility on big tech / platforms. A newer Texas law is adopt this model (on top the traditional model) to require app stores to verify user age (but was recently blocked by court) [2]. And this California law pretty much also takes this model -- the OS (thinking as iOS / Android / Windows with app store) shall obtain the user age and provide "a signal regarding the users age bracket to applications available in a covered application store".
While many people here are concerning open-source OSes, and the language do cover all OSes -- my intuition is no lawmaker had ever think about them and they were not the target.
[1] https://calmatters.digitaldemocracy.org/bills/ca_202520260ab... [2] https://www.politico.com/news/2026/01/05/big-tech-won-in-tex...
My question, is if "the children" are worth protecting, why not adults? I would like to opt into not having to deal with dark patterns. Why not a age independent system, which a user can opt into and which "children" are automatically optd into.
Why is this "news" today? Am I missing something?
Microsoft has been pushing aggressively to deprecate the local and funnel everyone to Microsoft online accounts , while Android and macOS/iOS are already in such a state by default.
Coupled with the same accounts being used for online login, looks like a feature creep panopticon in the making. With Linux lucking out be default.
[1] https://news.ycombinator.com/item?id=46784572
Curious.
Recently after we spent hours getting a Chromebook set up after a "Power Wash" due to remote auth failure, it wanted the old password and there was no option but to wipe the device.
They held our homedir hostage with required remote auth.
We were not able to log into our computer and lost all of our data because of remote auth.
Secure critical systems must not have a centralized remote auth dependency that can be denied.
Isnt that literally one of the first rules of the DNM Bible?
For example, I've got a map application on my phone that lets me download maps, widgets, POI lists, etc. from their app store. It seems like enabling that age signal through this exchange is exactly what the politicians are looking for.
Curious how they plan to do this. Maybe digital rights management tied to TPM. If so it will take 3 ... 2 ... 1 .... cracked ... spoofed. DVD's were cracked with Perl. Curious what language this will be cracked in.
but users don't have a 1:1 mapping to the people that log into them. linux users that aren't used by any particular person, but by a particular _service_ are common. so are linux users that could be logged into by any number of people, and which have no specific single owner.
Really? Can you expand on the version of Australian legislation that requires an OS to have age verification?
The AU legislation I'm aware of requires various social media sites to verify that users of those sites are not under some age, 16 or so.
That is not a constraint on the OS or on potential users, that's a legal requirement for Social Service providers.
https://www.abc.net.au/news/2025-07-11/age-verification-sear...
It appears that the Australian and UK versions don't go as far as what seems to have been proposed in the US.
It's useful to get a feel on the policies and differences being rolled out before going over the skies and extrapolating from misconceptions.
All this does is require the user to select a non-verified age bracket on first boot. You can lie, just like porn sites today. I thought HNers wanted parents to govern their children's use of technology with these kinds of mechanisms.
In the US maybe, but where I am you can't fap in peace without using a VPN or have some kind of age verification. Some of them being baroque. Example:
"We analyze your email’s digital footprint (history and reputation) against trusted databases. This is often enough to confirm that you're of legal age."
Won't kids just lie about their age, like they do to sign up with social media?
What if more than one person uses the pc?
What if it is sold?
If the OS is open source, then the user could remove the software code to collect the data.
This is protect-young-people theater.
If
If not, why not? You need age verification before you even create an account.
This thing is so broadly-written, the only thing saving you from needing to give you age to your toaster is that it's not a "general-purpose" computing device. Never mind that it can run DOOM...
also: what's download? in embedded sphere, flashing a firmware is often reffered to as download. That's an industry standard term.
Bill text (it’s longer, but the rest is mostly definitions of the terms used here):
1798.501. (a) An operating system provider shall do all of the following:
(1) Provide an accessible interface at account setup that requires an account holder to indicate the birth date, age, or both, of the user of that device for the purpose of providing a signal regarding the user’s age bracket to applications available in a covered application store.
(2) Provide a developer who has requested a signal with respect to a particular user with a digital signal via a reasonably consistent real-time application programming interface that identifies, at a minimum, which of the following categories pertains to the user:
(A) Under 13 years of age.
(B) At least 13 years of age and under 16 years of age.
(C) At least 16 years of age and under 18 years of age.
(D) At least 18 years of age.
(3) Send only the minimum amount of information necessary to comply with this title and shall not share the digital signal information with a third party for a purpose not required by this title.
(b) (1) A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.
(2) (A) A developer that receives a signal pursuant to this title shall be deemed to have actual knowledge of the age range of the user to whom that signal pertains across all platforms of the application and points of access of the application even if the developer willfully disregards the signal.
(B) A developer shall not willfully disregard internal clear and convincing information otherwise available to the developer that indicates that a user’s age is different than the age bracket data indicated by a signal provided by an operating system provider or a covered application store.
(3) (A) Except as provided in subparagraph (B), a developer shall treat a signal received pursuant to this title as the primary indicator of a user’s age range for purposes of determining the user’s age.
(B) If a developer has internal clear and convincing information that a user’s age is different than the age indicated by a signal received pursuant to this title, the developer shall use that information as the primary indicator of the user’s age.
(4) A developer that receives a signal pursuant to this title shall use that signal to comply with applicable law but shall not do either of the following:
(A) Request more information from an operating system provider or a covered application store than the minimum amount of information necessary to comply with this title.
(B) Share the signal with a third party for a purpose not required by this title.
The language is so broad it seems to cover all software that exists and is accessible via the internet, and every install of an operating system on any kind of machine
> (c) “Application” means a software application that may be run or directed by a user on a computer, a mobile device, or any other general purpose computing device that can access a covered application store or download an application.
> “Covered application store” means a publicly available internet website, software application, online service, or platform that distributes and facilitates the download of applications from third-party developers to users of a computer, a mobile device, or any other general purpose computing that can access a covered application store or can download an application.
> “Operating system provider” means a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device.
So any piece of software you can download from the internet will be required to check this "signal" made available by the os?
Client side JavaScript can be considered an application, and then ad business would need to first verify that I am over 18 in order to allow me to see their ads.
Ultimate ad blocker.
I want to know who is behind these laws like this one and the 3D printer gun verification, that seem to pop up across state legislatures all at the same time.
The literal reading of the law says this only required when a child is the primary user of the device.
> (b) (1) A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.
but 'user' here is:
> (i) “User” means a child that is the primary user of the device.
So these rules should only apply to accounts/devices where a child is the primary user.
Grep on an adult's machine would not need to check how old you are, at least with a literal reading of the law.
So grep/ls/etc are all installed as part of that 'account holder' and do not need to do any age verification.
The signal only needs to be checked when the device/account user is a child and when downloading apps. I think an unfortunate consequence here is that the literal definition of the law says package managers probably can not run on children accounts without jumping through a bunch of hoops. Which is bad for children learning code/computers/etc.
The first thing I would change about this law would be:
> (b) (1) A developer shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.
Any application that does not need to know a users age should not be required request the 'signal'
Does that mean that the admin will have to manage dob of every student when creating accounts ?
> A developer shall not willfully disregard internal clear and convincing information otherwise available to the developer that indicates that a user’s age is different than the age bracket data indicated by a signal provided by an operating system provider or a covered application store.
>If a developer has internal clear and convincing information that a user’s age is different than the age indicated by a signal received pursuant to this title, the developer shall use that information as the primary indicator of the user’s age.
So, I have a button "I'm older than 18" on my app but the signal is "under 13", I can decide that the user is older than 18 ?
That already happens to some extent although the mechanism by which this happens might depend on the school district, etc. The `dateOfBirth` LDAP attribute is probably the most obvious method (which admittedly should probably not be used due to the ease in accessing this info in the default configuration) but there are others.
In secondary school when my account was set up we were told that our initial password (that we had to change on first logon) was our DOB
(a) (1) “Account holder” means an individual who is at least 18 years of age or a parent or legal guardian of a user who is under 18 years of age in the state.
(a) (2) “Account holder” does not include a parent of an emancipated minor or a parent or legal guardian who is not associated with a user’s device.
(i) “User” means a child that is the primary user of the device.
User is the most surprising here. It really should just be minors, or non-emancipated minors. Further, I think there are interesting ways the definition of account holder and user combined play out in interpreting the rest of the law.
And I'll have to give a fake ID to our automated CI pipelines, I guess.
Right now I'm on an ESP32 with free RTOS, will I need to add a keyboard and display just for age verification?
What's next? Chinese style social credit? You’ll need 800 points to run a sudo command?
Free society? Mass surveillance. The West is becoming more of a nanny state like China every year.
In all seriousness, though, this is the only way where politicians get to pretend they did something and the rest of us get to avoid getting royally screwed. If parents were given dumbed-down versions of the tools that already exist to manage corporate-owned cell phones and laptops then there'd be a lot less for people to complain about (not that it would stop perpetually incompetent parents from pointing the finger at everyone but themselves for their own failings, of course, but at least the vast majority who AREN'T those people would be satisfied).
They should also require background checks for gun safes.
This is just not going to be a thing on Linux.
Are there app stores on Linux? Yes, that's what FlatHub and Snap supposed to be.
So what, should Canonical just block Ubuntu downloads to anyone in the state of California? No security researcher is going to download an operating system that asks them their age for example. I feel like it draws a red line for me also.
This law is so completely insane. It sounds like it was written by some Apple fanboy to whom there is no other operating system other than Apple. The very state that spawned GNU and BSD is the same state that is not only demanding your data but enshrining its use in spyware in law.
In all honesty the V-Chip was meant to protect children.
Age verification and identity assurance[1] is meant to reduce online banking fraud and combat terrorism/espionage.
Whats next outlawing encryption with Clipper Chip[2] 2.0 and saying its to save the whales? I guess we have QUIC and other DRM tech to ruin our day so it doesn't even matter.
I would prefer we drop the think of the children[3] charade and act like adults and get serious about online crime/fraud/terrorism and maximizing online banking.
The biggest problem with this thought domain is that the internet is global and we are thinking at regional, national, and state levels. For so many years everyone has heard complaints about the great firewall of China only to build our own? I guess we have no other choice since bad apples spoil the bunch[4].
[0]https://en.wikipedia.org/wiki/V-chip [1]https://pages.nist.gov/800-63-3/sp800-63-3.html [2]https://en.wikipedia.org/wiki/Clipper_chip [3]https://en.wikipedia.org/wiki/Think_of_the_children [4]https://en.wikipedia.org/wiki/Bad_apples
And since it doesn't make sense to have dozens of different versions of their apps, they write to the strictest jurisdiction's laws.
If everyone has the power to make laws that apply to everyone...it's chaos.
> The "beige box" era was largely the result of strict German workplace ergonomics standards (specifically the TUV and DIN standards) that became the de facto rules for the entire global industry. The law didn't explicitly say "thou shalt use beige," but the regulations were so specific about light reflectivity and eye strain that beige (or "computer gray") was essentially the only compliant option.
California Assembly Bill 1043 requires OS providers (including Linux) to add age verification at account setup, prompting users for birth date/age to signal age brackets to apps in covered stores. It may violate privacy by enabling data collection/misuse beyond age checks, similar to UK/Discord issues; no explicit civil rights violations noted, but could restrict access for adults/minors if misapplied. Benefits: Enables age-appropriate app content, protecting minors. Drawbacks: Privacy risks, enforcement hurdles (e.g., Linux disclaimers like "not for California use"), aligns with global trends amplifying concerns.
An updated deep dive by Mr. AI returned the following analysis:
Official link: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm... Revised pros: Enhances child safety via non-PII age brackets for app compliance; data minimization limits info shared; anticompetitive prohibitions prevent misuse; good faith shields from liability. Revised cons: Setup requires age input, risking misuse despite safeguards; enforcement challenges for open-source OS like Linux; increased developer liability for signals; potential access restrictions from errors or misreports. No clear privacy/civil rights violations for adults/minors, but implementation costs and global trend concerns persist.
My thoughts: California lawmakers keep turning the screw more and more to the left with AB 1043 being introduced by Democrat Buffy Wicks. Though it has bipartisan co-authors (8 Democrats, 3 Republicans) and passed the Assembly unanimously (58-0), it still feels a bit authoritarian to me. The California Assembly political divide is very left leaning with Democrats controlling 60 seats and Republicans 20 for a total of 80 with Democrats controlling a supermajority.
What's to stop someone from building their own Distro using LinuxFromScratch to bypass this new restriction? Nothing, in my view!
Which I had money cause, Florida looking good about now.
Overall, I think don't think it's a bad idea for devices to be able to host an age verification system that offers requestable boolean proof of age, like if porn site demands over 18 to view, the user, regardless of age, is prompted and if they accept, it returns either a positive cryptographic claim or a cancel signal if not of age. If they don't accept the prompt, the same cancel signal goes back. The idea that this feature would need a mandate of law is dumb.
By next January there will be 30 different methods of age input signalling between OS and application. And then by 2030 we might have the top 3 adopted as established defacto standards.
somewhat related-ish https://xkcd.com/927/ :)
"Self, are you 18 years old?" "Why, yes I am." "OK, self, please fill out a 27B stroke 6 form in your head." "I've completed it." "OK, self, I've validated it."
useradd...
That isn’t age verification at all
To be wrong, one must understand what one is talking about.
Sigh.
Colorado Senate Bill "26-051"
The actual bill and links to its two sponsors Matt Ball and Amy Paschal.
It puts the infrastructure in place to do all of those things if a future(?), authoritarian regime wants to.* It also reveals that visitors to any site are children, compromising their privacy and opening them up to targeted advertising
* The data will undoubtedly be added to the accumulated, traded databases so many services use
* The bill makes onerous demands of developers to consider other items that may suggest the user is actually in a different age bracket, like doing websearches for "toys" (child) or "toys" (adult) - which works what percentage of the time, exactly?
* And it's totally ineffective, since kids can look at porn anywhere they want, or internationally, regards of useless bill like this
The most egregious part of this bill is that:
* It legislates that if kids connect to a website, that website can query their age brackets (an "age signal"). This means their approximate age is revealed for kids-specific advertising, manipulation, or even sold to a pedophile group.
A DEVELOPER SHALL REQUEST AN AGE SIGNAL WITH RESPECT TO A PARTICULAR USER FROM AN OPERATING SYSTEM PROVIDER OR A COVERED APPLICATION STORE WHEN THE DEVELOPER'S APPLICATION IS DOWNLOADED AND LAUNCHED.
Basically SB 26-051 creates a mechanism that can be used to harvest the data that certain users are kids and then sell that data to anyone who will pay for it.
Data like this is traded internationally, which makes it tragic that elected lawmakers would waste time pushing a bill whose only mid-term effect would be making Colorado less attractive to developers and software companies.
The irony is that normally your kids would have been protected, by standard practices, from having their age exposed. This bill reverses that, putting your children at more risk.
The bill also would force many devices to provide age bracket data that are surprising to most people, because this part:
"DEVICE" MEANS ANY GENERAL-PURPOSE COMPUTING DEVICE THAT CAN ACCESS A COVERED APPLICATION STORE OR DOWNLOAD AN APPLICATION.
... means anything with Internet access and storage. This includes smart televisions, thermostats, tablets, smartphones, smart watches, some fitness tracking devices, some smart toilets, and so on, all potentially reporting your activity on demand, even if that back-end service has nothing to do with porn.
The bill is also poorly structured. Clearly it's intended to focus on services like app stores (Android, Apple), but by attempting to integrate support for this into operating systems, makes it available to hostile actors for any purpose worldwide. Further, it requires developers to guess whether other available information on a user might mean they're really in a different age bracket, exposing them to fines of $2500 to $7500 per minor "affected" (note: "affected" is not defined in the bill). The exemptions give blanket protection to developers working on for-internal-use software, but give no exemptions to recreational programmers. non-profit personal software, university projects, and so on, casting a chilling effect across software engineering generally.
Lastly, the bill is ineffective. Most of the web runs on Linux, a coöperative international effort, nominally controlled by one man in Finland. There is no chance of this bill's mechanism being implemented in this context. Nor will other developers be especially interested in rewriting software for this Colorado-specific bill. Further, the kids supposedly being protected from all the Colorado native porn sites would just web-browse to nearly any porn site and be outside of Colorado anyway, if not outside the US entirely.
These sponsors aren't alone. Most elected lawmakers are equally bad at technology and protecting democracy from the threats that come from chipping away at privacy protection. Bills like this appear in other states all the time, despite being toothless, easily circumvented by kids (who trivially circumvent even face photo hurdles), or radically compromising the privacy of adults (like this one).
There's also the long game, where these sometimes Democrat-led bills in various states could eventually see a much deeper-reaching federal one, where, instead of a "age signal", the user's computer must send an "ID signal", allowing all personal interactions with the Internet to be tracked, analyzed for political and other biases, and used by backbone firewalls to control exactly what people are allowed to read. Very handy for a dictator who might want to block off "fake news".
This is only a hypothesis, but one has to wonder whether sponsors to such bills even care if the bills work or pass, since either way they still get to claim they Protected the Children! even though the bills themselves violate privacy for everyone, often cause websites about breast cancer to be censored, or pave the way for authoritarian control - something this one stands out for. The only thing really surprising is that this bill wasn't sponsored by MAGA Republicans deliberately to add another paving stone to the road to national censorship.
I urge everyone to get in touch with other Colorado representatives to call for a fight against this travesty of a bill. Further, I would excoriate the two sponsors by email and phone, and tell them now that you will not reward this sort of juvenile lawmaking with your vote. Lastly, tell other people about how Matt and Amy plan to strip away their privacy in a way that puts children more at risk than doing nothing.
Accomplishes three things: Demonizes age verification, big tech gets to dodge it, cedes more control of your PC.
We already have Secure Boot, the infrastructure is in place. It is currently optional, but a law like this can change that.
> (c) “Application” means a software application that may be run or directed by a user on a computer, a mobile device, or any other general purpose computing device that can access a covered application store or download an application.
This is basically any program.
> (e) (1) “Covered application store” means a publicly available internet website, software application, online service, or platform that distributes and facilitates the download of applications from third-party developers to users of a computer, a mobile device, or any other general purpose computing that can access a covered application store or can download an application.
This would include any package manager like dnf/apt/pacman/etc. They facilitate download of applications from third parties.
> (g) “Operating system provider” means a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device.
This sounds to me like it would include distro maintainers. They develop and/or control the OS. Also, would this include the kernel devs? How would they be responsible for the myriad of package managers.
The overall law reeks of politicians not knowing what they're legislating.
when you force someone to signal status as a minor, you are forcing them to wear a target, hostiles will not have so much work to find minors, now they only have to contact, groom, and offend.
this proposed law actually endangers minors.
My TV, my fridge, my 30 year-old TI-82, my sprinkler system… my mom’s pacemaker.
And will I have to verify again when I switch to command line? =P
What a joke.
In all seriousness, rather than comply, linux distros should enforce this law. Any linux install that detects itself being in california should automatically shutdown with a loud error message. I give it a week before a madmax situation develops.