Rendered at 21:37:14 GMT+0000 (Coordinated Universal Time) with Cloudflare Workers.
uyzstvqs 2 days ago [-]
People need to understand the difference between age indication and age verification. Two very different things. Age indication is a completely private and realistically as-effective alternative to the invasive age verification.
Age _indication_ means that when you set up your device or create a user account, you enter a date of birth for the user. The OS then provides a native API to return a user's age bracket (not full date-of-birth). If the user is a minor, the OS will require parental authentication in some way to modify the setting again. This can all be done completely offline. It works because parents almost always buy the devices used by children, and can enter the correct date-of-birth during setup.
Age _verification_ means that some online service has to verify your age, and collects a bunch of (meta)data in the process. This is highly problematic for privacy, security, and the open internet.
txrx0000 2 days ago [-]
There are two things very very wrong with the California law, which you call "age indication".
1) The parental responsibility is given to the wrong people. You're basically being forced by law to give all apps and websites your child's age on request, and then trusting those online platforms to serve the right content (lol). It should be the other way around. The apps and websites should broadcast the age rating of their content, and the OS fetches that age rating, and decides whether the content is appropriate by comparing the age rating to the user's age. The user's age, or age bracket, or any information about the user at all, should not leave the user's computer.
2) The age API is not "completely private". It's a legally-mandated data point that can be used to track a user across apps and websites. We must reject all legally-mandated tracking data points because it sets the precedent for even more mandatory tracking to be added in the future. We should not be providing an API that makes it easier for web platforms to get their hands on user data!
For many years, certain tech companies, SIGs, and governments have fought against technologies that could enable real digital parenting, all while claiming to do the opposite and "protecting children". They craft a narrative to convince you that top-down digital surveillance and access-control is for your own good, but it's time we reject that and flip their narrative upside down: https://news.ycombinator.com/item?id=47472805
heavyset_go 2 days ago [-]
> For many years, certain tech companies, SIGs, and governments have fought against technologies that could enable real digital parenting, all while claiming to do the opposite and "protecting children". They craft a narrative to convince you that top-down digital surveillance and access-control is for your own good, but it's time we reject that and flip their narrative upside down
> 1) The parental responsibility is given to the wrong people. You're basically being forced by law to give all apps and websites your child's age on request, and then trusting those online platforms to serve the right content (lol). It should be the other way around. The apps and websites should broadcast the age rating of their content, and the OS fetches that age rating, and decides whether the content is appropriate by comparing the age rating to the user's age. The user's age, or age bracket, or any information about the user at all, should not leave the user's computer.
FWIW, this is not quite an accurate description of AB1043, in at least three respects:
1. Apps don't get your exact age, just an age range.
2. Websites don't get your age at all.
3. AB1043 itself doesn't mandate any content restrictions; it just says that the app now has "actual knowledge" of the user's age. That's not to say that there aren't other laws which require age-specific behaviors, but this particular one is pretty thi on this.
In addition, I certainly understand the position that the age range shouldn't leave the computer, but I'm not sure how well that works technically, assuming you want age-based content restrictions. First, a number of the behaviors that age assurance laws want to restrict are hard to implement client side. For example, the NY SAFE For Kids act forbids algorithmic feeds, and for obvious reasons that's a lot easier to do on the server. Second, even if you do have device-side filtering, it's hard to prevent the site/app from learning what age brackets are in place, because they can experimentally provide content with different age markings and see what's accepted and what's blocked. Cooper, Arnao, and I discuss this in some more detail on pp 39--42 of our report on Age Assurance: https://kgi.georgetown.edu/research-and-commentary/age-assur...
I'm not saying that this makes a material difference in how you should feel about AB 1043, just trying to clarify the technical situation.
txrx0000 2 days ago [-]
Thanks for the clarification.
Regarding what to do with algorithmic feeds, instead of forcing platforms like Facebook to be less evil, we should give parents the ability to simply uninstall Facebook, and prevent it from being installed by the child. We could implement a password lock for app installation/updates at the OS-level that can be enabled in the phone's settings, that works like Linux's sudo. Every time you install/uninstall/update an app, it asks for a password. Then parents would be able to choose which apps can run on their child's device.
Notice their strategy: these companies make it hard/impossible for you to uninstall preloaded apps, and they make it hard to develop competing apps and OSes, and they degrade the non-preloaded software UX on purpose, which creates the artificial need to filter the feeds in existing platforms that these companies control. They also monopolize the app store and gatekeep which apps can be listed on it, and which OS APIs non-affliated apps can use. Instead of accepting that and settling with just filtering those existing platforms' feeds, we should have the option to abandon them entirely.
We need the phone hardware companies to open-source their device firmware, drivers, and let the device owner lock/unlock the bootloader with a password, so that we could never have a situation like the current one where OSes come preinstalled with bloat like TikTok or Facebook, and the bootloader is locked so you can't even install a different OS and your phone becomes a brick when they stop providing updates. If we allow software competition, then child protection would have never been a problem in the first place because people would be able to make child-friendly toy apps and toy OSes, and control what apps and OS can run on the hardware they purchased. Parents would have lots of child-friendly choices. This digital parenting problem was manufactured by the same companies trying to sell us a "solution" like this Cali bill or in other cases ID verification, which coincidentally makes it easier for them to track people online.
kelnos 2 days ago [-]
> instead of forcing platforms like Facebook to be less evil, we should give parents the ability to simply uninstall Facebook, and prevent it from being installed by the child.
Isn't that how parental controls already work?
There are problems, though:
1. The kids want to use Facebook. If parent A refuses to let their kid use Facebook, then kids B, C, D, E, F... all use Facebook and kid A becomes a social outcast. This actually happens. (Well, now it's other apps; kids don't use Facebook anymore.) This is similar to the mobile-phones-in-schools problem: if a parent doesn't let their kid bring a phone to school, and all the other parents do, that creates social isolation. When the school district bans the phones, it solves the problem for everyone. (So it's a collective action problem, really.)
2. Web browsers. Unless the parent is going to uninstall and disallow web browser use, the kid can still sign into whatever service they want using the web browser. I don't think parental controls block specific sites, and even if they do, there are ways around that, certainly.
I am very often the person who says that parents should actually parent their kids and not rely on the government to nanny them. But in this case I think there actually is value to the government making laws that make Facebook (etc.) less evil. And as a bonus, maybe they'll be forced to be less evil to adults too!
wolvoleo 3 hours ago [-]
> The kids want to use Facebook. If parent A refuses to let their kid use Facebook, then kids B, C, D, E, F... all use Facebook and kid A becomes a social outcast. This actually happens. (Well, now it's other apps; kids don't use Facebook anymore.) This is similar to the mobile-phones-in-schools problem: if a parent doesn't let their kid bring a phone to school, and all the other parents do, that creates social isolation. When the school district bans the phones, it solves the problem for everyone. (So it's a collective action problem, really.)
If so many people give their kids phones and so few don't, why ban them in the first place? Clearly the vast majority of parents are fine with their kids having one.
You're just inventing a problem then. Or worse, implement a conservative talking point.
pyuser583 3 hours ago [-]
Had this problem with my kid - social media caused serious mental health issues. Toxic content in kids areas.
But taking it away was worse.
Once “not using it” isn’t an option, government intervention becomes reasonable.
txrx0000 2 days ago [-]
1. The current norm of social siloing apps was created by these tech companies in the first place. What regulators can do is discourage anti-competitive practices that lock users into specific software and hardware platforms. If there's plenty of competition for every kind of social app, and competition for OSes, and users could freely choose and move between them, then not having a particular app would not result in social isolation. This affects adults as well.
2. The OS has a firewall. But it's currently not user-controllable on your phone. Phone companies have decided you don't need that feature. But actually, they can easily implement a nice UI in the settings for the firewall and lock it behind a password, then parents would be able to use it to block individual websites. We can even make it possible to import/export site lists as a txt file so that you can download/share a curated block list that you or other parents made, to block many things at once. You could also do this for your entire home WiFi network in your WiFi router's settings, if your router's firmware has that feature.
And yeah, I agree that we should make the platforms less evil in general. But I think the way to do that is to give people the ability to easily ditch bad platforms and build new ones. Let the platforms actually compete, then the best will prevail. Right now, they don't prevail because of layers and layers of anti-competitive barriers. It would take great technical effort to regulate all the tricks these tech companies use, that's why I propose dealing with it at the root: make it so that all computer/phone hardware manufacturers must open-source their device drivers and firmware, and let the user lock/unlock the bootloader and install alternative OSes. If we do this, then the entire software ecosystem will fix itself over time along with all the downstream problems.
lloeki 2 days ago [-]
> Phone companies have decided you don't need that feature.Bu actually, they can easily implement a nice UI in the settings for the firewall and lock it behind a password, then parents would be able to use it to block individual websites.
iOS: Settings > Screen Time > Content & Privacy Restrictions > Toggle on
Then same area:
- App Installations & Purchases: disallow all
- App Store, Media, Web & Games > Web Content > Limit Adult Websites > Fill in allowlist and/or denylist, or Only Approved Websites and fill in allowlist
txrx0000 1 days ago [-]
Apple is indeed better than most other companies on #2. But that's because it's the worst offender on #1. Its strategy is to appear to be the model company that cares about user rights and privacy, in hopes of capturing everyone in their closed-source walled garden that's already surveiling you at the OS level.
They're a part of the corp-gov surveillance complex [0]. This is the real threat behind the age verification push. The feds already have mass surveillance capabilities in iOS and macOS, and even Windows and most Android distros, but not on most open-source Linux distros, so they're starting to force it legally in the open. They're desperate because Linux is about to outcompete the enshittified Windows on desktops.
It's possible to mandate effective parental controls and then say "it's illegal to give your child access to facebook" and then just see what happens. You don't have to jump straight to making it technologically guaranteed by construction, maybe it's enough to just give parents the tools and an excuse to say no.
We don't need DNA testing locks on cans of beer that won't let you drink from them unless you're an adult, do we? It's perfectly possible for a parent to buy their child all the beer they want, and there's nothing stopping the children from trying to peer pressure them into it, and in many countries it's not even generally illegal to let your child drink beer! And yet almost all parents are able to almost completely enforce a reasonable level of restricted access, simply because society frowns upon it.
aaztehcy 1 days ago [-]
[dead]
iririririr 2 days ago [-]
[dead]
miki123211 2 days ago [-]
If we accept the premise that age restrictions of any kind are good (which, just to be clear, I don't think we should), there are good reasons for tailoring your content based on the user's age.
Imagine you're a streaming service, trying to show a list of movies that a user can watch. If you can only communicate age restrictions to the OS, but can't actually check the users age, you have a choice of showing a list of movies that some users won't actually be able to watch, or a list of movies limited to those appropriate for all ages. Neither are great options.
If you can check the user's age bracket, you can actually tailor the list to what the user can realistically watch.
txrx0000 2 days ago [-]
The user can voluntarily give the platform their age by typing it into their account profile in that streaming app. You can already do this right now. No laws required.
The problem at hand is we have a new law that forces everyone to give their age to every app. It's mandatory personal info collection.
exe34 2 days ago [-]
There are only about 120 versions to target if you pick each individual age - or a handful if you bracket it. You can simply create a lookup table for eachage group and let the user's device decide which one to show.
packetlost 2 days ago [-]
1. I don’t see how that’s better in any real way. You can infer the exact same information as querying the range and it makes dynamic behavior based on age range (ex. access to age restricted chat rooms as an obvious example) completely impossible.
2. Is it meaningfully more identifying than User-Agent? There’s dozens of other datapoints for uniquely identifying a user. If we get a few high profile lawsuits because advertising companies knowingly showed harmful ads to children, I’d consider it a win. Age is not that interesting of a data point.
throwaway173738 2 days ago [-]
I wouldn’t focus on whether it’s “identifying” but whether it’s revealing. Young teenagers are a very high-value target for advertisers. They are very impressionable, and they provide a proxy for advertisers for their parents’ money. So this law essentially makes it mandatory to share that information with advertisers. And also by proxy, predators.
packetlost 2 days ago [-]
It also makes it explicitly illegal to do use it for such purposes. While I agree on the point, I think in practice it changes little. I also think it could be a net positive, because now there’s no plausible deniability about the targets age, opening up a decent amount of liability for exploitative practices targeting children specifically.
kelnos 2 days ago [-]
> I don’t see how that’s better in any real way.
It's so much better. In the one case, the OS is leaking age information (even if just an age range) to every service it talks to. In the other case, the OS isn't telling anyone anything, and is just responding to the age rating that the app/service advertises.
packetlost 2 days ago [-]
That response reveals exactly the same information.
gzread 2 days ago [-]
How would you implement a feed of mixed content? Say you're YouTube and some videos are about puppies and some videos are about guns? How would you hide only the gun videos from the homepage when the user is under 16?
hdgvhicv 23 hours ago [-]
Why does YouTube allow videos about guns but not boobs?
txrx0000 2 days ago [-]
1. Depends on how it's implemented. It won't identify you to individual platforms if the OS filters on a per-app or per-website basis. And yeah, there would be no dynamic behavior based on age, as that would enable tracking based on age. I don't think any kind of API is the ideal solution though, it's just better than the malicious one being mandated in the Cali bill. Instead of an API, it's simpler and more effective to just have an app installation lock (like sudo on Linux) and a firewall for website blocking with a nice UI in the phone's settings, locked behind a password/pin.
2. Other data points like User-Agent are not required by law, and browsers already spoof user agent by default. I agree that there are other data points we need to address, but the problem in this specific case is the slippery slope of legally-mandated data points. And I don't think winning high profile lawsuits is a real "win", it just exposes problem which we already know in this case. Keep in mind those people can get away with the Epstein files.
Ferret7446 2 days ago [-]
> The apps and websites should broadcast the age rating of their content, and the OS fetches that age rating, and decides whether the content is appropriate by comparing the age rating to the user's age.
How would you make that happen? Many websites would not be subject to your jurisdiction.
txrx0000 2 days ago [-]
Assume they're 18+ then.
But even that's still not a great solution. I outline a better solution that doesn't require any legal enforcement at all, in the link at the bottom of my original comment.
ekr____ 2 days ago [-]
We're actually seeing this play out right now with the server-based age assurance systems which are already widely deployed and mandated under the UK Online Safety Act and laws in about 25 US States. In many cases, the sites just comply, presumably because they are worried that the regulators have a way to reach them even if they aren't hosted in the relevant jurisdiction. In some cases, however, the sites just ignore the regulations or tell the regulators to pound sand, as 4Chan is doing with UK OfCom: https://www.bbc.com/news/articles/c624330lg1ko
kelnos 2 days ago [-]
So? The same problem exists for having the OS broadcast the user's age range to all apps/services/websites: the service outside your jurisdiction doesn't have to actually restrict content based on age.
At least with the reverse system (services broadcast an age rating), you have some nice properties:
1. You can set it up so that if the service doesn't broadcast an age rating, access is denied.
2. You aren't leaking age information (even if it's just a range) to random websites outside your jurisdiction.
charcircuit 2 days ago [-]
Apps need to know the age of the user in order to follow the law. There will always need to be a way for apps to get the age of the user. If the OS does not give anything the apps will have to implement it themselves.
heavyset_go 2 days ago [-]
It's a distinction that hinges on one law from one state that doesn't reflect the reality of the dozens of laws in dozens of states, nor proposed federal legislation, that all require age verification via AI face scans and ID uploads.
That's to say, this distinction is meaningless unless you're planning on blocking every jurisdiction outside of California so you can just adhere to its age verification laws and no one else's.
EmbarrassedHelp 2 days ago [-]
The issue though with "age indication" is that it creates an additional flag that can be used to fingerprint users. But it is infinitely preferable to any sort of age verification or age assurance.
ekr____ 2 days ago [-]
I like the term "age indication". Thank you.
If I may nitpick, the conventional term for systems which attempt to determine the user's age is "age assurance". This covers a variety of techniques, which are typically broken down into:
* Age estimation, which is based on statistical models of some physical characteristic (e.g., facial age estimation).
* Age verification, which uses identity documents such as driver's licenses.
* Age inference, which tries to determine the user's age range from some identifier, e.g., by using your email address to see how old your account is.
These distinctions aren't perfect by any means, and it's not uncommon to see "age verification" used for all three of these together but more typically people are using "age assurance".
cmovq 2 days ago [-]
> The OS then provides a native API to return a user's age bracket (not full date-of-birth)
Call the API every day, when the age bracket changes you can infer the date-of-birth.
Havoc 2 days ago [-]
That's just setting things up for a smoother slippery slope...
As appealing as the private part sounds I genuinely think it may make the situation worse here by facilitating the transition & muddying the waters
kelseyfrog 24 hours ago [-]
Why reach for a slippery slope fallacy when plenty of other fallacies will do? Have you considered reworking your argument to use proof by assertion or even the moralistic fallacy[1]? You might get better milage out of those.
We all have opinions, mine is you’re just incredibly naïve if you don’t understand that these laws are a shim to establish an eventual chain that links TPM to your license to end anonymous Internet usage.
gzread 2 days ago [-]
And you're incredibly naive if you think the TPM-linked internet usage isn't a shim to put a camera in your toilet bowl.
user3939382 22 hours ago [-]
First they say they need your age, then they say they need proof. We already have a huge sudden trend of online services requiring your license, so your absurd comparison is a ridiculous non-sequitur.
fasterik 1 days ago [-]
The distinction doesn't matter in this case. The fundamental question is whether a government can compel a decentralized open-source project to change its codebase. If you believe code is speech, it's a violation of the right to free expression.
Even if you think adding "age indication" to a project is harmless, you have to consider the precedent this is setting for compelled speech in the future, potentially by regimes that you are not politically aligned with.
ddtaylor 2 days ago [-]
A pointless slippery slope to attempt to stand on that points directly at the Overton Window being drawn around this.
dzikimarian 2 days ago [-]
Is it? A lot of parents uses Family Link and similar solutions, which are way more invasive than that.
ddtaylor 1 days ago [-]
Those are examples of software people choose to use voluntarily. The context here is government removing that choice and forcing you to use something under the conditions they set.
I'm sure there are parental controls for many that go too far or not far enough. A reminder of why the government trying to solve parenting problems is likely to fail like most of their other attempts, such as failing to stop people from growing plants.
dzikimarian 9 hours ago [-]
I agree to some extent, but who should make parental controls reasonable then? What corporations deliver is both invasive and ineffective.
ddtaylor 1 hours ago [-]
The market decides. Google and Apple both compete and there are other disruptors. I worked on an education product in 2018 and it would contact third-party services like Khan Academy or Duolingo. And if a child had not earned enough measurable results, they would be unable to access non-educational content.
rixed 2 days ago [-]
Most importantly, people need to understand how indication leads to verification.
shevy-java 2 days ago [-]
In both cases the operating system stores information it has zero business with.
gzread 2 days ago [-]
The operating system already stores your full name. Isn't that a problem?
MarsIronPI 1 days ago [-]
Not necessarily your real full name. Plus on Unix systems full name is not a required field in /etc/passwd.
ekr____ 2 days ago [-]
OP is certainly right that a lot of this legislation is written in ways that are hard to interpret and that often seem like they would have undesirable side effects even under the assumption that the basic idea is good (whether that's actually true is a whole different question).
In the specific case of CA AB1043: (1) Systems are required to ask the user for their age and just trust whatever they say (2) Applications are required to query the system for the user's age range. Other enacted and proposed device-based age assurance mandates have different properties.
I think this legislation is as dumb as everyone else does, but it also seems like the cheapest way for everyone to agree that we did something about the moral panic without actually giving up anything. It doesn’t do anything with ID or privacy or even actual verification. There’s no complicated auth dance to do with government services to verify our age tokens or whatever the latest Rube Goldberg machine “zero knowledge” age check proposal is.
I’ve been shocked at how many HN comments always come out in favor of age related legislation and heavy government regulation when the topic comes up. The pro-regulation commenters always seem to assume the age checks would never apply to them because they don’t have use TikTok or Facebook or other services, yet few realize that there aren’t going to be laws written in a way that only apply to a couple named companies you don’t use anyway. If we age verification laws then they’re going to be everywhere.
I personally hope this legislation dies and we can be done with this silly exercise, but if we’re stuck with age verification moral panic than a simple OS-level switch that we set once and then forget about seems like the least intrusive form of “age verification” we can get away with.
hypeatei 2 days ago [-]
I disagree with your overall sentiment that this is benign because it's ineffectual in its current state. If anything, this is going to warm people up to the idea of government mandated prompts gathering personal information in their OS, and legislators in 2030 (or whenever) are going to say: "this isn't working, lets build on top of that prompt we already have and make it verify IDs"
In other words, I think this first bit of legislation had to be watered down to not receive too much backlash. This is the governments first plunge into mandating things on the frontend.
ben-schaaf 2 days ago [-]
> This is the governments first plunge into mandating things on the frontend.
ADA mandates computer accessibility, as frequently interpreted by courts. CCPA & GDPR mandate a whole bunch of stuff. Hardly the first plunge.
iamnothere 23 hours ago [-]
ADA has only ever been interpreted to apply to services. No prior law has ever been applied to specify how an OS should function.
This law violates the first amendment and will be overturned. Until then it must be resisted.
hypeatei 1 days ago [-]
In the context of surveillance, yes it is. I know the EU is looking down the barrel of chat control, but I'm pretty sure this California law has already been passed and goes into effect January 2027.
ekr____ 2 days ago [-]
> I personally hope this legislation dies and we can be done with this silly exercise, but if we’re stuck with age verification moral panic than a simple OS-level switch that we set once and then forget about seems like the least intrusive form of “age verification” we can get away with.
Just for clarification. CA AB1043 was signed back in 2025 and takes effect January 1 2027.
motbus3 2 days ago [-]
I think the writing has both intentions. Both implicate companies to comply as well for the mass to not defend. If it was not, there wouldn't be a guy on TV saying that there are 5000 possible pedo cases that are not being investigated and that's why they need it.
Anyone with more than 2 brain cells can put it together
kmeisthax 2 days ago [-]
You're on the right path, but the "something" politicians want to do is specifically "regulate Facebook's patent harms to children". Facebook's counter-argument is: "we don't have a legally ironclad way to check user age, it should be Apple and Google's job". So the politicians want to write a law to make it Apple and Google's job to check age.
In other words, all of these age verification laws are here predominantly to indemnify Facebook from a growing wave of child endangerment lawsuits in a way that will ensure Facebook doesn't have to kick off even a single teen from their platforms. That's why the "verification" is just a date and an age range bucket.
My personal opinion is that these laws are stupid, but not harmful to Linux users, and that everyone angry at systemd for complying is shooting the wrong guy. Your real target is Facebook and you should be yelling at your local representative to make this bill not target Linux distros.
bityard 2 days ago [-]
No, we can also be mad at the systemd guys for their very mid attempt at complying with an idiotic and unenforceable law, when the default of doing nothing was objectively the best option for them AND their end users.
shevy-java 2 days ago [-]
> I’ve been shocked at how many HN comments always come out in favor of age related legislation and heavy government regulation when the topic comes up.
Where do you see that? HN is overwhelmingly critical of age sniffing.
AnthonyMouse 2 days ago [-]
> Systems are required to ask the user for their age and just trust whatever they say
If you're going to do anything like this, this is the thing they actually get right. It removes the inconvenience, privacy invasion, forced use of corporate verifiers with perverse incentives, etc. Meanwhile if the user is actually a child then their age is set by their parent.
> Applications are required to query the system for the user's age range.
This is classic legislative stupidity. Applications are required to query the user's age range even if they contain no age-restricted content? Brilliant.
ekr____ 2 days ago [-]
>> Systems are required to ask the user for their age and just trust whatever they say
>
> This is the thing they actually get right. It removes the inconvenience, privacy invasion, forced use of corporate verifiers with perverse incentives, etc. Meanwhile if the user is actually a child then their age is set by their parent.
Well, maybe. For instance, if a child buys their own device they could
set the age to whatever they want.
>> Applications are required to query the system for the user's age range.
>
> This is classic legislative stupidity. Applications are required to query the user's age range even if they contain no age-restricted content? Brilliant.
Note that AB1043 doesn't actually impose much in the way of requirements about age restricted content. Rather, the way it works is that the developer is then assumed to have "actual knowledge" of the user's age (See 1798.501(b)(2)(A)) and then has to behave accordingly in other age-restricted contexts.
lokar 2 days ago [-]
I see it as fairly benign.
It requires the device/computer have a way to set the age. If you don't want to set your real age, that's fine. If you are a kid, your parent will probably have set it for you (it's really a feature for the parent, and they don't have to use it).
It then establishes that apps can know your age group, sufficient to comply with existing (and I suppose future) content age-restriction laws (where today they can dodge and say they did not know).
It's a pretty incremental step, and fairly minimal (in the range of all options proposed around the world). We can try it and see how it goes.
simion314 2 days ago [-]
> For instance, if a child buys their own device
Then the law can make it illegal to sell smartphones or computers to 12 years olds or we could just ask the parents to do a bit of work and ensure their children is not buying devices behind their backs.
The idea is to make it easy for responsible parents to give a device to their children and make it easy for legal websites to block minors from adult content. We can't get perfect results but good enough could shut upo the complainers and maybe we get them do things like educating parents on how to proceed when they gift a device to a child.
AnthonyMouse 2 days ago [-]
> For instance, if a child buys their own device they could set the age to whatever they want.
If a child has the money to buy a device without the parent knowing about it then they could just buy a used device that has already been configured with an account or pay a high school senior to set one up on their new device.
> Rather, the way it works is that the developer is then assumed to have "actual knowledge" of the user's age (See 1798.501(b)(2)(A)) and then has to behave accordingly in other age-restricted contexts.
How is mkdir or python3 supposed to "behave accordingly in other age-restricted contexts"? And if the answer is that its behavior is entirely unmodified, why is it required to do something without effect?
Also, who is the "developer" of a thirty year old project with thousands of contributors and multiple forks? All of them? None of them? The last one to make a commit, even if they're outside the jurisdiction?
ekr____ 2 days ago [-]
> > For instance, if a child buys their own device they could set the age to whatever they want.
> If a child has the money to buy a device without the parent knowing about it then they could just buy a used device that has already been configured with an account or pay a high school senior to set one up on their new device.
Yes, agreed. I'm just describing how it works.
> > Rather, the way it works is that the developer is then assumed to have "actual knowledge" of the user's age (See 1798.501(b)(2)(A)) and then has to behave accordingly in other age-restricted contexts.
>How is mkdir or python3 supposed to "behave accordingly in other age-restricted contexts"? And if the answer is that its behavior is entirely unmodified, why is it required to do something without effect?
> Also, who is the "developer" of a thirty year old project with thousands of contributors and multiple forks? All of them? None of them? The last one to make a commit, even if they're outside the jurisdiction?
This unspecified in the current text.
rickydroll 2 days ago [-]
One could interpret the age verification operation must run for every command executed in interactive or non-interactive mode.
AnthonyMouse 2 days ago [-]
It sounds like you want to automate the invisible purposeless no-op. Is that allowed?
cozzyd 2 days ago [-]
A minor using python3 isn't allowed to import flask
gzread 2 days ago [-]
>
This is classic legislative stupidity. Applications are required to query the user's age range even if they contain no age-restricted content? Brilliant.
This is classic programmer stupidity attempting to read the law in the stupidest possible way. No - if the application needs to know the user's age because of a content restriction, it shall query the system for that, instead of getting it some other way. Unlike computer code, laws are understood by humans in a context.
AnthonyMouse 13 hours ago [-]
> This is classic programmer stupidity attempting to read the law in the stupidest possible way.
Except you're the one missing the context. What they're trying to do with that provision is force everybody to check if someone is designated as a minor so they can't claim that they didn't know. If they let you choose whether to check then you choosing not to check could make it harder to punish you when there is a dispute about whether something should have been shown to a minor, so they wrote it in a way that lets them punish you more easily if you check and also punish you more easily (for not checking) if you don't.
The problem then follows that everyone is stupidly required to check even when it's totally unambiguous there is nothing to be done with the information, because of the risk of someone trying to punish anyone who doesn't check in order to prevent the precedent that some people aren't required to and correspondingly can't be assumed to have knowledge of someone's age.
renegat0x0 2 days ago [-]
Article asks what next. I know what's next.
It is similar with crypto wars. They try and try until they have backdoor everywhere.
About verification they will try to implement WEI on browsers, and verification on os.
It is a crusade to make you always identifiable. Companies and governments want it so much because it is so valuable to them, it adds so much power over people.
So what's next. They will move borders here, and there. Every year.
usrbinenv 2 days ago [-]
Of course, it's pretty easy to see through this: introduce law in a few states, but now every OS needs to comply and because it's hard to actually tell which country/state user is in, they'd just have to implement it for everyone. It will be verification through some third party. You can opt out, but then major websites will be forced to deny you access (by, for example, Cloudflare) unless your OS provides a verified and signed certificate of your age. Then it's done: nothing will be possible without an ID, which means no dissent will be tolerated.
nout 2 days ago [-]
It's interesting that the package managers become choke points that can be used for government overreach. Luckily Linux is open source so I expect there will be options that just don't do this from principle.
Otherwise my Intel NUC server with Debian is 2 years old, so I expect the honest age would be 2 years? I may have parts for some old PCs to put together that could get adult software I guess...
awesome_dude 2 days ago [-]
For me, the big issue is going to be mobile devices (phones, and tablets to a lesser degree)
I've already had it up to my back teeth with Google arbitrarily updating things such that the on/off button was hijacked, preventing me from switch the device off, instead triggering an interaction with freaking Gemini (what sort of IDIOT thought doing that to a device was a good idea)
I'm seriously trying to find a way to no longer run Apple or Google OS based phones - which puts me in the "Linux" or "Graphene" market
nout 2 days ago [-]
I think more folks are now interested in the "Linux" or "Graphene" market and since the phone hardware development is not as rapid as it used to be (from 1yr cycle to more than 2yr cycle), I think this gives more stability and wiggle room for folks to do Linux and/or Graphene. I'm patiently waiting for what happens with the Motorola + Graphene integration/plan. If they provide good hardware + preinstalled Graphene, I'd buy it.
jmclnx 2 days ago [-]
This is a no win situation and I think systemd is making this change too early. But I have read that field is optional.
But my main concern with this is applications like Firefox will eventually require this systemd age specific field and a standard systemd function to call. That means this age field will need to be populated and thus locking out the *BSDs and non-systemd Linux.
If that happens, this makes the systemd critics 100% right, systemd is being forced upon all distros by various upstream applocations.
Bender 2 days ago [-]
My gaming machines that I do not browse the web with have systemd (CachyOS) but my daily drivers do not. Should a website lock me out because I don't have some age API then in my view the problem has solved itself. The website has effectively blocked itself without me having to given the one and only correct way to age gate a site in my view is with the RTA header [1] that would trigger parental controls if optionally enabled on ones device. Every other path that involves exchanging data whether verified or not, anonymized or not can only lead to future evil shenanigans.
>But my main concern with this is applications like Firefox will eventually require this systemd age specific field and a standard systemd function to call. That means this age field will need to be populated and this locking out the *BSDs and non-systemd Linux.
The risk is real, and the solution is to move away from systemd now, not wait until it's too late. Whatever conveniences it brings over other init systems are certainly not enough to justify giving up online anonymity forever.
skydhash 2 days ago [-]
> Whatever conveniences it brings over other init systems
You see people rave about the greatness of systemd, then they turn to deploy their applications using Docker and some s6 config.
stevenalowe 2 days ago [-]
NO, DO NOT COMPLY WITH FORCED SPEECH
Might seem harmless now but it won’t next time, and you will have already capitulated
cyberge99 2 days ago [-]
Age verification in the OS is one milestone of a greater objective: removing anonymity on the internet
stephbook 2 days ago [-]
how?
vaylian 2 days ago [-]
It establishes that operating systems have the necessary infrastructure to reveal information about their users in a standardized way to other systems on the internet.
Once that is established, it is easier for politicians to push for newer laws that add more features to reveal even more information. Politicians can propose any unrealistic law they want. But it is much easier for them, to convince a necessary majority, when there is technical infrastructure already in place. "We are already doing X, why don't we just also do Y?". Or: "Country A has already X, why don't we also do X?"
PinkSheep 7 hours ago [-]
This forewarning is underestimated. Russia had begun it's path to Internet censorship through "think of the children" and to fight piracy. Started off as simple DNS and IP blocks, mandatory for all B2C ISPs. Now every egress international connection is being analyzed by DPI, VPNs, SSH are broken: the traffic inspection and interception (TCP RST among other things) has to be circumvented. Major messenger apps are blocked: WhatsApp, Telegram (intermittent connectivity), Viber etc. to force people to use the unencrypted local app (an FB Messenger equivalent, called "Max" by VK).
There are now plans to expand the traffic analysis systems' aggregate bandwidth to nearly 1 petabits/s (sic) by 2030 with the expected total budget of 59B Roubles (470M USD).
pharrington 2 days ago [-]
This is actually nuts. You can't even constantly implement "age verification" at the system level in a way that makes sense across world cultures.
The only sane way to do this is you were playing along with arbitrary legislative age-gaters would be to add a generic "additional user info" blob to the account fields, if it didn't already exist.
garganzol 2 days ago [-]
Let's restrict this plague to California/UK only. If Gulag wants to be a Gulag, let them be.
nephihaha 21 hours ago [-]
It's a global project not a local one. It is linked directly to the digital ID programme and CBDC.
lschueller 2 days ago [-]
Quite spooky imaging that apple might create by that a fully verified pii database for half of gen z and every coming gen users
stephbook 2 days ago [-]
They know this about every user.
They have access to every message you send. They know where your device is at every time of day. Your name is all over the entries in your wallet, be they tickets, SF bus ticket or.. your credit cards.
mtndew4brkfst 2 days ago [-]
Why would it be more spooky if Apple in particular did this vs all the other hardware vendors that ship a pre-installed OS?
2 days ago [-]
dizhn 12 hours ago [-]
Wondering which jurisdiction will be the first to make it a crime to enter false information in the age field for their kids.
supliminal 2 days ago [-]
Is 9front impacted?
dwedge 2 days ago [-]
If these laws come in in their current form, it might be worth archiving ISOs like 9front because I'm sure at least one project will just close its doors
tombert 2 days ago [-]
I've been running NixOS for awhile, which is very firmly integrated with systemd.
I wonder if it's time to try something like sixos or Guix SD.
iamnothere 23 hours ago [-]
At least NixOS has signaled disinterest in this, and as an NL project it’s beyond CA legal reach. They also disable userdb by default, so this is irrelevant unless you enable it.
Cyph0n 2 days ago [-]
Setting aside the ridiculous nature of this move towards OS-level verification, NixOS (and Guix) is the last distro to worry about when it comes to age verification.
Why? Given the nature of how NixOS works (config-driven), the maintainers have plausible deniability: if push comes to shove, they can shift the burden to users and have them enable the age verification service as part of their NixOS config.
htx80nerd 2 days ago [-]
Artix (Arch) and MX Linux (Debian) are very nice
tombert 2 days ago [-]
Oh I only use distros that are declarative like NixOS.
I've run Arch in the past and I liked it just fine, but they are ultimately different than how I like running my computer.
Shank 2 days ago [-]
It seems incredibly silly to me that this is being rushed into systemd and other linux components. I understand Apple making changes, and even Canonical, but systemd is not run by one corporation and there is no reason to adhere to a badly written law. Why play along with the charade? If root is root, the "age verification" field does not make any sense.
Why are these changes being made on a worldwide basis when the laws that have been introduced are a relatively small fraction of the world? California isn't going to go after individual systemd maintainers. Will California go after Torvalds? I doubt it. Apple? Surely, but this is, quite frankly, a ridiculous thing to even suggest for inclusion into these setups.
gizmo686 2 days ago [-]
Open source is driven by contributions. Most of the time, if someone wants a feature, implements the feature, and submits a reasonable PR to a project, that project will have the feature. In this case, the PR appears to have been written by someone who is not a regular SystemD contributor, and (through a bit of Googling) works for a FinTech company with no obvious interest. I can't comment on why that individual wanted to add support.
However, once someone added support, the question for SystemD is not if it is worth implementing, but if it is worth merging. At this point, it becomes a simple case of "the most intolerant wins". For people who care about complying with CA style laws, this feature is critical. For people who don't care, this feature is fine. I doubt it will even make it on mosts lists of SystemD feature bloat that most people don't care about.
This is the same reason a bunch of the food in your pantry is certified kosher. No one is going to not buy something because it is kosher. But if paying a thousand dollars a year to put a small circle-u symbol on the back of your box can increase sales by 1% among observant Jews, most companies are going to do it.
jjmarr 2 days ago [-]
> No one is going to not buy something because it is kosher. But if paying a thousand dollars a year to put a small circle-u symbol on the back of your box can increase sales by 1% among observant Jews, most companies are going to do it.
Contrary to perceived politics, many Muslims will eat kosher food because it's a superset of halal rules (excl. alcohol).
It's a globally consolidated certification through organizations like the Orthodox Union. This is unlike halal which is local and has many scammers offering to pencil whip compliance. This means many Muslims will prefer kosher to "halal" food to avoid due diligence on the certification agency.
To tie this into age-verification, companies and ecosystems will use the strictest method that makes them globally compliant. Consumers will prefer that convenience even in the presence of intense political beliefs.
A bank that uses seamless OS-level age checks everywhere will win against one asking manually in the jurisdictions it isn't required.
razingeden 2 days ago [-]
I hope everyone’s bank knows how old they are— what with all the documentation we have to cough up to keep us safe from Terrorism , patriot act, 9/11, never forget, etc
nine_k 2 days ago [-]
> systemd is not run by one corporation
Two corporations, e.g. Canonical and Red Hat, might suffice.
I hope everybody remembers how systemd was thrust upon the community by having Gnome largely depend on it. This was mostly done by efforts of Red Hat, and that sufficed.
ChocolateGod 2 days ago [-]
IIRC all that's been done is a field has been added to store the user date of birth and a protocol that can be used to retrieve said date.
That's it.
Cyph0n 2 days ago [-]
Okay, but why do this now? If it’s such an important feature and unrelated to the barrage of legislation, why was this not implemented a few months or years ago?
jcgl 14 hours ago [-]
Because someone came with a pull request for this; this additional field was meant to support a feature in something else they were working on (an xdg portal). It was a simple PR that addressed a need that the programmer had. And it was accepted.
lunar_rover 2 days ago [-]
California has both vendors and clients that are big enough to warrant immediate compliance. A very measurable chunk of Linux is from corporations, most major advancements are corporate backed in some way.
stackghost 2 days ago [-]
>It seems incredibly silly to me that this is being rushed into systemd [...]
Making user-hostile changes seems exactly on-brand for systemd, to my mind.
RcouF1uZ4gsC 2 days ago [-]
> Will my system believe me? And how about their system, whoever “they” are? If not, then what else will I need to do to prove my birth date and age? Who will check if root can’t be trusted? How will they check?
If they ever seize your computer, they can probably also tack on computer fraud charges
ur-whale 2 days ago [-]
Carry permit to operate a compiler is in our near future.
userbinator 2 days ago [-]
Richard Stallman's "Right to Read" is worth reading again, because it portrays a very similar scenario.
heavyset_go 2 days ago [-]
Never forget what they did to encryption
sunshine-o 2 days ago [-]
The story reads like an april fool.
For root to manage privileges in an OS, isn't a group the most straitforward way?
Can't flatpak read the groups of an user?
motbus3 2 days ago [-]
I think you miss the point
(But who am I)
the simple fact you sending the same signal over and over again, with all other signals your browser send, it will be another key to make you apart.
They don't care if you lie. Important that you lie the same story every time.
And after having your dob, who could easily be a flag if you are less than 18, they could easily request your name, or a document number, but I think it will be much better, it will have some ISP and/or Device ID.
ekr____ 2 days ago [-]
It actually is more like a flag in most cases. Specifically, in the case of AB1043, you enter your age or your DOB but then the OS provides an age range (<13, 13-15, 16-17, 18+).
Also, while some bills do seem to require browsers to promulgate age data to websites (e.g., NY SB102A [0]), AB1043 does not. Rather, it requires the browser
to read the age range just like any other app, but does't say anything about providing it to sites.
I wonder, why California law mandates systems that the rest of the world should use? Does California have such massive market?
duskdozer 1 days ago [-]
>The economy of the State of California is the largest in the United States, with a $4.048 trillion gross state product (GSP) as of 2024.[2] It is the largest sub-national economy in the world. If California were an independent nation, it would rank as the fourth largest economy in the world in nominal terms, behind Germany and ahead of Japan.
SystemD is now a spyware and therefore any Linux distribution that i using it. Period.
johnny22 2 days ago [-]
no it is not.. not yet anyways
5o1ecist 14 hours ago [-]
[dead]
hanisong 2 days ago [-]
[dead]
Ms-J 2 days ago [-]
[flagged]
looperhacks 2 days ago [-]
[flagged]
cmckn 2 days ago [-]
Why does it exist?
skywhopper 2 days ago [-]
Because some implementers will need or want to use it.
dmitrygr 2 days ago [-]
>This systemd change is absurdly overdiscussed. It's a field for a number, no verification, no enforcement for anything.
> And no, I do not accept the slippery slope fallacy.
aka:
$OBVIOUSLY_DUMB_OVERREACHING_EASILY_ABUSED_POLICY is absurdly overdiscussed. It's $ABSURDLY_REDUCTIONIST_VIEW. And no, I do not accept $HISTORICALY_VERY_LIKELY_OUTCOME fallacy.
dwedge 2 days ago [-]
[flagged]
htx80nerd 2 days ago [-]
[flagged]
tomhow 2 days ago [-]
This is not an acceptable comment on HN. It breaks several guidelines:
Be kind. Don't be snarky. Converse curiously; don't cross-examine. Edit out swipes.
Comments should get more thoughtful and substantive, not less, as a topic gets more divisive.
When disagreeing, please reply to the argument instead of calling names. "That is idiotic; 1 + 1 is 2, not 3" can be shortened to "1 + 1 is 2, not 3."
Please don't fulminate. Please don't sneer, including at the rest of the community.
This is stupid. The age should be in the passwd gecos field or somewhere else in the user's config directory. Not in systemd. Unix-ike systems are multiuser. Now I wonder what age to put in the root, adm or games accounts.
ben-schaaf 1 days ago [-]
Systemd actually manages /etc/passwd, /etc/group, /etc/shadow, etc. using a json database called userdb. Adding a field to systemd's userdb is how you add a gecos field.
jcgl 14 hours ago [-]
Look up systemd-userdb (the systemd component that added this field). Like the sibling comment said, this is basically equivalent to adding a GECOS field. A totally optional field.
pgt 2 days ago [-]
Fellow software engineers, what are we doing here? Why are we letting the EU / UK define the future of software?
DrinkyBird 2 days ago [-]
1. The UK and EU are rather large markets that they don’t want to miss out on.
2. There are software engineers in the UK and EU.
3. This specific implementation by Apple is not actually required by any UK or EU law, to my knowledge.
4. This specifically is or will be required by the laws of some US states and other countries.
kgwxd 1 days ago [-]
1 Since when is Linux about marketing? And who is "they"?
2 Devs for companies can start working with proprietary OSes for the businesses they sell their soul to.
3 Who cares what apple is doing.
4 And systemd should not be liable for upholding any of them.
looperhacks 2 days ago [-]
Maybe carefully read TFA - the age verification came from a Californian law
Age _indication_ means that when you set up your device or create a user account, you enter a date of birth for the user. The OS then provides a native API to return a user's age bracket (not full date-of-birth). If the user is a minor, the OS will require parental authentication in some way to modify the setting again. This can all be done completely offline. It works because parents almost always buy the devices used by children, and can enter the correct date-of-birth during setup.
Age _verification_ means that some online service has to verify your age, and collects a bunch of (meta)data in the process. This is highly problematic for privacy, security, and the open internet.
1) The parental responsibility is given to the wrong people. You're basically being forced by law to give all apps and websites your child's age on request, and then trusting those online platforms to serve the right content (lol). It should be the other way around. The apps and websites should broadcast the age rating of their content, and the OS fetches that age rating, and decides whether the content is appropriate by comparing the age rating to the user's age. The user's age, or age bracket, or any information about the user at all, should not leave the user's computer.
2) The age API is not "completely private". It's a legally-mandated data point that can be used to track a user across apps and websites. We must reject all legally-mandated tracking data points because it sets the precedent for even more mandatory tracking to be added in the future. We should not be providing an API that makes it easier for web platforms to get their hands on user data!
For many years, certain tech companies, SIGs, and governments have fought against technologies that could enable real digital parenting, all while claiming to do the opposite and "protecting children". They craft a narrative to convince you that top-down digital surveillance and access-control is for your own good, but it's time we reject that and flip their narrative upside down: https://news.ycombinator.com/item?id=47472805
The EFF has a good series related to this[1].
[1] https://www.eff.org/deeplinks/2026/03/rep-finke-was-right-ag...
FWIW, this is not quite an accurate description of AB1043, in at least three respects:
1. Apps don't get your exact age, just an age range.
2. Websites don't get your age at all.
3. AB1043 itself doesn't mandate any content restrictions; it just says that the app now has "actual knowledge" of the user's age. That's not to say that there aren't other laws which require age-specific behaviors, but this particular one is pretty thi on this.
In addition, I certainly understand the position that the age range shouldn't leave the computer, but I'm not sure how well that works technically, assuming you want age-based content restrictions. First, a number of the behaviors that age assurance laws want to restrict are hard to implement client side. For example, the NY SAFE For Kids act forbids algorithmic feeds, and for obvious reasons that's a lot easier to do on the server. Second, even if you do have device-side filtering, it's hard to prevent the site/app from learning what age brackets are in place, because they can experimentally provide content with different age markings and see what's accepted and what's blocked. Cooper, Arnao, and I discuss this in some more detail on pp 39--42 of our report on Age Assurance: https://kgi.georgetown.edu/research-and-commentary/age-assur...
I'm not saying that this makes a material difference in how you should feel about AB 1043, just trying to clarify the technical situation.
Regarding what to do with algorithmic feeds, instead of forcing platforms like Facebook to be less evil, we should give parents the ability to simply uninstall Facebook, and prevent it from being installed by the child. We could implement a password lock for app installation/updates at the OS-level that can be enabled in the phone's settings, that works like Linux's sudo. Every time you install/uninstall/update an app, it asks for a password. Then parents would be able to choose which apps can run on their child's device.
Notice their strategy: these companies make it hard/impossible for you to uninstall preloaded apps, and they make it hard to develop competing apps and OSes, and they degrade the non-preloaded software UX on purpose, which creates the artificial need to filter the feeds in existing platforms that these companies control. They also monopolize the app store and gatekeep which apps can be listed on it, and which OS APIs non-affliated apps can use. Instead of accepting that and settling with just filtering those existing platforms' feeds, we should have the option to abandon them entirely.
We need the phone hardware companies to open-source their device firmware, drivers, and let the device owner lock/unlock the bootloader with a password, so that we could never have a situation like the current one where OSes come preinstalled with bloat like TikTok or Facebook, and the bootloader is locked so you can't even install a different OS and your phone becomes a brick when they stop providing updates. If we allow software competition, then child protection would have never been a problem in the first place because people would be able to make child-friendly toy apps and toy OSes, and control what apps and OS can run on the hardware they purchased. Parents would have lots of child-friendly choices. This digital parenting problem was manufactured by the same companies trying to sell us a "solution" like this Cali bill or in other cases ID verification, which coincidentally makes it easier for them to track people online.
Isn't that how parental controls already work?
There are problems, though:
1. The kids want to use Facebook. If parent A refuses to let their kid use Facebook, then kids B, C, D, E, F... all use Facebook and kid A becomes a social outcast. This actually happens. (Well, now it's other apps; kids don't use Facebook anymore.) This is similar to the mobile-phones-in-schools problem: if a parent doesn't let their kid bring a phone to school, and all the other parents do, that creates social isolation. When the school district bans the phones, it solves the problem for everyone. (So it's a collective action problem, really.)
2. Web browsers. Unless the parent is going to uninstall and disallow web browser use, the kid can still sign into whatever service they want using the web browser. I don't think parental controls block specific sites, and even if they do, there are ways around that, certainly.
I am very often the person who says that parents should actually parent their kids and not rely on the government to nanny them. But in this case I think there actually is value to the government making laws that make Facebook (etc.) less evil. And as a bonus, maybe they'll be forced to be less evil to adults too!
If so many people give their kids phones and so few don't, why ban them in the first place? Clearly the vast majority of parents are fine with their kids having one.
You're just inventing a problem then. Or worse, implement a conservative talking point.
But taking it away was worse.
Once “not using it” isn’t an option, government intervention becomes reasonable.
2. The OS has a firewall. But it's currently not user-controllable on your phone. Phone companies have decided you don't need that feature. But actually, they can easily implement a nice UI in the settings for the firewall and lock it behind a password, then parents would be able to use it to block individual websites. We can even make it possible to import/export site lists as a txt file so that you can download/share a curated block list that you or other parents made, to block many things at once. You could also do this for your entire home WiFi network in your WiFi router's settings, if your router's firmware has that feature.
And yeah, I agree that we should make the platforms less evil in general. But I think the way to do that is to give people the ability to easily ditch bad platforms and build new ones. Let the platforms actually compete, then the best will prevail. Right now, they don't prevail because of layers and layers of anti-competitive barriers. It would take great technical effort to regulate all the tricks these tech companies use, that's why I propose dealing with it at the root: make it so that all computer/phone hardware manufacturers must open-source their device drivers and firmware, and let the user lock/unlock the bootloader and install alternative OSes. If we do this, then the entire software ecosystem will fix itself over time along with all the downstream problems.
iOS: Settings > Screen Time > Content & Privacy Restrictions > Toggle on
Then same area:
- App Installations & Purchases: disallow all
- App Store, Media, Web & Games > Web Content > Limit Adult Websites > Fill in allowlist and/or denylist, or Only Approved Websites and fill in allowlist
They're a part of the corp-gov surveillance complex [0]. This is the real threat behind the age verification push. The feds already have mass surveillance capabilities in iOS and macOS, and even Windows and most Android distros, but not on most open-source Linux distros, so they're starting to force it legally in the open. They're desperate because Linux is about to outcompete the enshittified Windows on desktops.
[0] https://en.wikipedia.org/wiki/Edward_Snowden#Revelations
We don't need DNA testing locks on cans of beer that won't let you drink from them unless you're an adult, do we? It's perfectly possible for a parent to buy their child all the beer they want, and there's nothing stopping the children from trying to peer pressure them into it, and in many countries it's not even generally illegal to let your child drink beer! And yet almost all parents are able to almost completely enforce a reasonable level of restricted access, simply because society frowns upon it.
Imagine you're a streaming service, trying to show a list of movies that a user can watch. If you can only communicate age restrictions to the OS, but can't actually check the users age, you have a choice of showing a list of movies that some users won't actually be able to watch, or a list of movies limited to those appropriate for all ages. Neither are great options.
If you can check the user's age bracket, you can actually tailor the list to what the user can realistically watch.
The problem at hand is we have a new law that forces everyone to give their age to every app. It's mandatory personal info collection.
2. Is it meaningfully more identifying than User-Agent? There’s dozens of other datapoints for uniquely identifying a user. If we get a few high profile lawsuits because advertising companies knowingly showed harmful ads to children, I’d consider it a win. Age is not that interesting of a data point.
It's so much better. In the one case, the OS is leaking age information (even if just an age range) to every service it talks to. In the other case, the OS isn't telling anyone anything, and is just responding to the age rating that the app/service advertises.
2. Other data points like User-Agent are not required by law, and browsers already spoof user agent by default. I agree that there are other data points we need to address, but the problem in this specific case is the slippery slope of legally-mandated data points. And I don't think winning high profile lawsuits is a real "win", it just exposes problem which we already know in this case. Keep in mind those people can get away with the Epstein files.
How would you make that happen? Many websites would not be subject to your jurisdiction.
But even that's still not a great solution. I outline a better solution that doesn't require any legal enforcement at all, in the link at the bottom of my original comment.
At least with the reverse system (services broadcast an age rating), you have some nice properties:
1. You can set it up so that if the service doesn't broadcast an age rating, access is denied.
2. You aren't leaking age information (even if it's just a range) to random websites outside your jurisdiction.
That's to say, this distinction is meaningless unless you're planning on blocking every jurisdiction outside of California so you can just adhere to its age verification laws and no one else's.
If I may nitpick, the conventional term for systems which attempt to determine the user's age is "age assurance". This covers a variety of techniques, which are typically broken down into:
* Age estimation, which is based on statistical models of some physical characteristic (e.g., facial age estimation).
* Age verification, which uses identity documents such as driver's licenses.
* Age inference, which tries to determine the user's age range from some identifier, e.g., by using your email address to see how old your account is.
These distinctions aren't perfect by any means, and it's not uncommon to see "age verification" used for all three of these together but more typically people are using "age assurance".
Call the API every day, when the age bracket changes you can infer the date-of-birth.
As appealing as the private part sounds I genuinely think it may make the situation worse here by facilitating the transition & muddying the waters
1. https://en.wikipedia.org/wiki/List_of_fallacies
Even if you think adding "age indication" to a project is harmless, you have to consider the precedent this is setting for compelled speech in the future, potentially by regimes that you are not politically aligned with.
I'm sure there are parental controls for many that go too far or not far enough. A reminder of why the government trying to solve parenting problems is likely to fail like most of their other attempts, such as failing to stop people from growing plants.
In the specific case of CA AB1043: (1) Systems are required to ask the user for their age and just trust whatever they say (2) Applications are required to query the system for the user's age range. Other enacted and proposed device-based age assurance mandates have different properties.
This post goes into quite a bit of detail about the various points of concern: https://educatedguesswork.org/posts/device-based-age-assuran...
I’ve been shocked at how many HN comments always come out in favor of age related legislation and heavy government regulation when the topic comes up. The pro-regulation commenters always seem to assume the age checks would never apply to them because they don’t have use TikTok or Facebook or other services, yet few realize that there aren’t going to be laws written in a way that only apply to a couple named companies you don’t use anyway. If we age verification laws then they’re going to be everywhere.
I personally hope this legislation dies and we can be done with this silly exercise, but if we’re stuck with age verification moral panic than a simple OS-level switch that we set once and then forget about seems like the least intrusive form of “age verification” we can get away with.
In other words, I think this first bit of legislation had to be watered down to not receive too much backlash. This is the governments first plunge into mandating things on the frontend.
ADA mandates computer accessibility, as frequently interpreted by courts. CCPA & GDPR mandate a whole bunch of stuff. Hardly the first plunge.
This law violates the first amendment and will be overturned. Until then it must be resisted.
Just for clarification. CA AB1043 was signed back in 2025 and takes effect January 1 2027.
Anyone with more than 2 brain cells can put it together
In other words, all of these age verification laws are here predominantly to indemnify Facebook from a growing wave of child endangerment lawsuits in a way that will ensure Facebook doesn't have to kick off even a single teen from their platforms. That's why the "verification" is just a date and an age range bucket.
My personal opinion is that these laws are stupid, but not harmful to Linux users, and that everyone angry at systemd for complying is shooting the wrong guy. Your real target is Facebook and you should be yelling at your local representative to make this bill not target Linux distros.
Where do you see that? HN is overwhelmingly critical of age sniffing.
If you're going to do anything like this, this is the thing they actually get right. It removes the inconvenience, privacy invasion, forced use of corporate verifiers with perverse incentives, etc. Meanwhile if the user is actually a child then their age is set by their parent.
> Applications are required to query the system for the user's age range.
This is classic legislative stupidity. Applications are required to query the user's age range even if they contain no age-restricted content? Brilliant.
Well, maybe. For instance, if a child buys their own device they could set the age to whatever they want.
>> Applications are required to query the system for the user's age range. > > This is classic legislative stupidity. Applications are required to query the user's age range even if they contain no age-restricted content? Brilliant.
Note that AB1043 doesn't actually impose much in the way of requirements about age restricted content. Rather, the way it works is that the developer is then assumed to have "actual knowledge" of the user's age (See 1798.501(b)(2)(A)) and then has to behave accordingly in other age-restricted contexts.
It requires the device/computer have a way to set the age. If you don't want to set your real age, that's fine. If you are a kid, your parent will probably have set it for you (it's really a feature for the parent, and they don't have to use it).
It then establishes that apps can know your age group, sufficient to comply with existing (and I suppose future) content age-restriction laws (where today they can dodge and say they did not know).
It's a pretty incremental step, and fairly minimal (in the range of all options proposed around the world). We can try it and see how it goes.
Then the law can make it illegal to sell smartphones or computers to 12 years olds or we could just ask the parents to do a bit of work and ensure their children is not buying devices behind their backs.
The idea is to make it easy for responsible parents to give a device to their children and make it easy for legal websites to block minors from adult content. We can't get perfect results but good enough could shut upo the complainers and maybe we get them do things like educating parents on how to proceed when they gift a device to a child.
If a child has the money to buy a device without the parent knowing about it then they could just buy a used device that has already been configured with an account or pay a high school senior to set one up on their new device.
> Rather, the way it works is that the developer is then assumed to have "actual knowledge" of the user's age (See 1798.501(b)(2)(A)) and then has to behave accordingly in other age-restricted contexts.
How is mkdir or python3 supposed to "behave accordingly in other age-restricted contexts"? And if the answer is that its behavior is entirely unmodified, why is it required to do something without effect?
Also, who is the "developer" of a thirty year old project with thousands of contributors and multiple forks? All of them? None of them? The last one to make a commit, even if they're outside the jurisdiction?
> If a child has the money to buy a device without the parent knowing about it then they could just buy a used device that has already been configured with an account or pay a high school senior to set one up on their new device.
Yes, agreed. I'm just describing how it works.
> > Rather, the way it works is that the developer is then assumed to have "actual knowledge" of the user's age (See 1798.501(b)(2)(A)) and then has to behave accordingly in other age-restricted contexts.
>How is mkdir or python3 supposed to "behave accordingly in other age-restricted contexts"? And if the answer is that its behavior is entirely unmodified, why is it required to do something without effect?
I agree this is undesirable. See: https://educatedguesswork.org/posts/device-based-age-assuran...
> Also, who is the "developer" of a thirty year old project with thousands of contributors and multiple forks? All of them? None of them? The last one to make a commit, even if they're outside the jurisdiction?
This unspecified in the current text.
This is classic programmer stupidity attempting to read the law in the stupidest possible way. No - if the application needs to know the user's age because of a content restriction, it shall query the system for that, instead of getting it some other way. Unlike computer code, laws are understood by humans in a context.
Except you're the one missing the context. What they're trying to do with that provision is force everybody to check if someone is designated as a minor so they can't claim that they didn't know. If they let you choose whether to check then you choosing not to check could make it harder to punish you when there is a dispute about whether something should have been shown to a minor, so they wrote it in a way that lets them punish you more easily if you check and also punish you more easily (for not checking) if you don't.
The problem then follows that everyone is stupidly required to check even when it's totally unambiguous there is nothing to be done with the information, because of the risk of someone trying to punish anyone who doesn't check in order to prevent the precedent that some people aren't required to and correspondingly can't be assumed to have knowledge of someone's age.
It is similar with crypto wars. They try and try until they have backdoor everywhere.
About verification they will try to implement WEI on browsers, and verification on os.
It is a crusade to make you always identifiable. Companies and governments want it so much because it is so valuable to them, it adds so much power over people.
So what's next. They will move borders here, and there. Every year.
Otherwise my Intel NUC server with Debian is 2 years old, so I expect the honest age would be 2 years? I may have parts for some old PCs to put together that could get adult software I guess...
I've already had it up to my back teeth with Google arbitrarily updating things such that the on/off button was hijacked, preventing me from switch the device off, instead triggering an interaction with freaking Gemini (what sort of IDIOT thought doing that to a device was a good idea)
I'm seriously trying to find a way to no longer run Apple or Google OS based phones - which puts me in the "Linux" or "Graphene" market
But my main concern with this is applications like Firefox will eventually require this systemd age specific field and a standard systemd function to call. That means this age field will need to be populated and thus locking out the *BSDs and non-systemd Linux.
If that happens, this makes the systemd critics 100% right, systemd is being forced upon all distros by various upstream applocations.
[1] - https://news.ycombinator.com/item?id=46152074
The risk is real, and the solution is to move away from systemd now, not wait until it's too late. Whatever conveniences it brings over other init systems are certainly not enough to justify giving up online anonymity forever.
You see people rave about the greatness of systemd, then they turn to deploy their applications using Docker and some s6 config.
Might seem harmless now but it won’t next time, and you will have already capitulated
Once that is established, it is easier for politicians to push for newer laws that add more features to reveal even more information. Politicians can propose any unrealistic law they want. But it is much easier for them, to convince a necessary majority, when there is technical infrastructure already in place. "We are already doing X, why don't we just also do Y?". Or: "Country A has already X, why don't we also do X?"
There are now plans to expand the traffic analysis systems' aggregate bandwidth to nearly 1 petabits/s (sic) by 2030 with the expected total budget of 59B Roubles (470M USD).
The only sane way to do this is you were playing along with arbitrary legislative age-gaters would be to add a generic "additional user info" blob to the account fields, if it didn't already exist.
They have access to every message you send. They know where your device is at every time of day. Your name is all over the entries in your wallet, be they tickets, SF bus ticket or.. your credit cards.
I wonder if it's time to try something like sixos or Guix SD.
Why? Given the nature of how NixOS works (config-driven), the maintainers have plausible deniability: if push comes to shove, they can shift the burden to users and have them enable the age verification service as part of their NixOS config.
I've run Arch in the past and I liked it just fine, but they are ultimately different than how I like running my computer.
Why are these changes being made on a worldwide basis when the laws that have been introduced are a relatively small fraction of the world? California isn't going to go after individual systemd maintainers. Will California go after Torvalds? I doubt it. Apple? Surely, but this is, quite frankly, a ridiculous thing to even suggest for inclusion into these setups.
This is the same reason a bunch of the food in your pantry is certified kosher. No one is going to not buy something because it is kosher. But if paying a thousand dollars a year to put a small circle-u symbol on the back of your box can increase sales by 1% among observant Jews, most companies are going to do it.
Contrary to perceived politics, many Muslims will eat kosher food because it's a superset of halal rules (excl. alcohol).
It's a globally consolidated certification through organizations like the Orthodox Union. This is unlike halal which is local and has many scammers offering to pencil whip compliance. This means many Muslims will prefer kosher to "halal" food to avoid due diligence on the certification agency.
To tie this into age-verification, companies and ecosystems will use the strictest method that makes them globally compliant. Consumers will prefer that convenience even in the presence of intense political beliefs.
A bank that uses seamless OS-level age checks everywhere will win against one asking manually in the jurisdictions it isn't required.
Two corporations, e.g. Canonical and Red Hat, might suffice.
I hope everybody remembers how systemd was thrust upon the community by having Gnome largely depend on it. This was mostly done by efforts of Red Hat, and that sufficed.
That's it.
Making user-hostile changes seems exactly on-brand for systemd, to my mind.
If they ever seize your computer, they can probably also tack on computer fraud charges
For root to manage privileges in an OS, isn't a group the most straitforward way?
Can't flatpak read the groups of an user?
the simple fact you sending the same signal over and over again, with all other signals your browser send, it will be another key to make you apart. They don't care if you lie. Important that you lie the same story every time.
And after having your dob, who could easily be a flag if you are less than 18, they could easily request your name, or a document number, but I think it will be much better, it will have some ISP and/or Device ID.
Also, while some bills do seem to require browsers to promulgate age data to websites (e.g., NY SB102A [0]), AB1043 does not. Rather, it requires the browser to read the age range just like any other app, but does't say anything about providing it to sites.
[0] https://www.nysenate.gov/legislation/bills/2025/S8102/amendm...
https://en.wikipedia.org/wiki/Economy_of_California
So yeah it's pretty big.
> And no, I do not accept the slippery slope fallacy.
aka:
$OBVIOUSLY_DUMB_OVERREACHING_EASILY_ABUSED_POLICY is absurdly overdiscussed. It's $ABSURDLY_REDUCTIONIST_VIEW. And no, I do not accept $HISTORICALY_VERY_LIKELY_OUTCOME fallacy.
Be kind. Don't be snarky. Converse curiously; don't cross-examine. Edit out swipes.
Comments should get more thoughtful and substantive, not less, as a topic gets more divisive.
When disagreeing, please reply to the argument instead of calling names. "That is idiotic; 1 + 1 is 2, not 3" can be shortened to "1 + 1 is 2, not 3."
Please don't fulminate. Please don't sneer, including at the rest of the community.
https://news.ycombinator.com/newsguidelines.html
2. There are software engineers in the UK and EU.
3. This specific implementation by Apple is not actually required by any UK or EU law, to my knowledge.
4. This specifically is or will be required by the laws of some US states and other countries.
2 Devs for companies can start working with proprietary OSes for the businesses they sell their soul to.
3 Who cares what apple is doing.
4 And systemd should not be liable for upholding any of them.