Comment by bmitch3020
1 day ago
Reaction 1: how would this even work with embedded systems that have no UI to input this data?
Reaction 2: it's open source, make the lawmakers do submit the changes.
Reaction 3: how would this ever be enforced? Would they outlaw downloading distributions, or even older versions of distributions? When there's no exchange of money, a law like this is seems like it would be suppression of free speech.
Reaction 4: Someone needs to maliciously comply, in advance, on all California government systems. Shutdown the phones, the Wi-Fi, the building access systems, their Web servers, data centers, alarm systems, payroll, stop lights, everything running any operating system. Get everyone to do it on the same day as an OS boycott. And don't turn things back on until the law is repealed.
While there are some enforcement questions here, especially around non commercial OSes, most of your reactions are clearly based on the headline alone.
It defines operating system in the law. This wouldn’t apply to embedded systems and WiFi routers and traffic lights and all those things. It applies to operating systems that work with associated app stores on general purpose computers or mobile phones or game consoles. That’s it.
Enforcement applies as civil fines per-child usage. So no suppression of speech by banning distribution.
(Also it’s not age verification really, it’s just a prompt that asks for your age to share as a system API for apps from above app store, no verification required)
> It defines operating system in the law.
No, it doesn't.
It defines the following terms: "account holder", "age bracket data", "application", "child", "covered application store", "developer", "operating system provider", "signal", and "user".
> This wouldn’t apply to embedded systems and WiFi routers and traffic lights and all those things. It applies to operating systems that work with associated app stores on general purpose computers or mobile phones or game consoles.
Presumably, this based on reading the language that in the definition of "operating system developer", and then for some reason adding in "game consoles" (the actual language in both of those includes "a computer, mobile device, or any other general purpose computing [device".
(I've also rarely seen such a poorly-crafted set of definitions; the definitions in the law are in several places logically inconsistent with the provisions in which they are applied, and in other places circular on their own or by way of mutual reference to other terms defined in the law, such that you cannot actually identify what the definitions include without first starting with knowledge of what they include.)
From the bill:
> "Covered application store” does not mean an online service or platform that distributes extensions, plug-ins, add-ons, or other software applications that run exclusively within a separate host application
There is a reasonable argument that a linux distribution is, itself, a host application. This is clearly an argument against their intention... but makes perfect sense to me. With this argument, the law does not apply to pretty much any environment where the applications are scheduled and run by a supervising process, at least by my reading.
1 reply →
In typical jury trials, the jury is instructed that any terms not defined in the relevant statutes are to have their common-sense, ordinary meanings as understood by the jury. The jury is usually also selected to be full of reasonable, moderate people, and folks who are overly pedantic usually get excused during voir dire.
Do you really think a pool of 12 people off the street is going to consider an embedded system, wi-fi router, or traffic light as an "operating system" under this law? Particularly since they don't even have accounts or users as a common-sense member of the public would understand them?
10 replies →
" It applies to operating systems that work with associated app stores on general purpose computers or mobile phones or game consoles. That’s it"
Everything is a general purpose computer. Just look at how many things have been made to run doom. I haven't read the law specifically but if it actually does say this then that language is useless and means practically everything.
Wood is edible when processed correctly, but it's not legally considered "food" because there are a bunch of nontrivial steps to get it into that state. Likewise, any reasonable interpretation of "general purpose computer" in this context by a judge would not include your microwave oven just because someone with skill and finesse could transform it into a cursed Doom arcade machine.
Laws are interpreted by people trained to fill in the blanks[1] with a best guess of the legislative body's intent. And the intent here seems pretty clear: to regulate computing devices that let end users easily install software from a centralized catalog.
[1] which we all do subconsciously in day-to-day speech, because all language is ultimately subjective
1 reply →
vague laws are put in place so that they can be used selectively to punish particular victims while letting friends through the nets
8 replies →
> (Also it’s not age verification really, it’s just a prompt that asks for your age to share as a system API for apps from above app store, no verification required)
It's not enough to adhere to the age signal:
> (3) (A) Except as provided in subparagraph (B), a developer shall treat a signal received pursuant to this title as the primary indicator of a user’s age range for purposes of determining the user’s age.
> (B) If a developer has internal clear and convincing information that a user’s age is different than the age indicated by a signal received pursuant to this title, the developer shall use that information as the primary indicator of the user’s age.
Developers are still burdened with additional liability if they have reason to believe users are underage, even if their age flag says otherwise.
The only way to mitigate this liability is to confirm your users are of age with facial and ID scans, that is why age verification systems are implemented that way: doing so minimizes liability for developers/providers and it's cheap.
> Developers are still burdened with additional liability if they have reason to believe users are underage, even if their age flag says otherwise.
This is true, but
> The only way to mitigate this liability is to confirm your users are of age with facial and ID scans,
This doesn’t follow. It says “if” the developer has clear reason, it doesn’t obligate the developer to collect additional information or build a profile.
I read this as - if you in the course of business come across evidence a user is under age, you can’t ignore it. For example - “you have to ban a user if they post comments saying they are actually underage”
1 reply →
Is a repository on a linux machine an app store? Are custom repositories app stores? Does this mean that now most automated deployments are now not automated? If they can be automated, does that mean that having the automation by default makes sense?
The law defines a user as a child running software on a general purpose computer.
> “User” means a child that is the primary user of the device.
It’s definitely more vague that necessary, but I’d imagine courts would readily find automated software deployment by an adult or corporation does not constitute a child using the device. Especially if done for servers or a fleet. Because then it’s pretty obvious that a child is not the primary user of the computer nor the software. Even if that software is a server that involves childish activities (eg game servers).
But I’d imagine that Linux package managers associated with a desktop operating system provider would fall under this law. And that raises questions about the software distributed by said package managers.
2 replies →
Android systems use Linux as their operating system, and the law applies to operating systems.
Android has associated app stores, therefore Linux must follow this at account setup ..
(I'm mostly hoping I'm just jesting here, that they'd surely not enforce it in this way, plus, who "provides" my Linux OS?)
In any event, it does seem like a very silly overreaching law, that should be highlighted, pointed out, and laughed at.
PS I have not read the law in question. I have read a PC Gamer article though, which is surely much the same.
3 replies →
The language in the bill says operating system “or” application store. Isn't that then implying any operating system that would download applications, even if it doesn’t come from a store. But IANAL.
Seems to me this would include TVs, cars, smart devices, etc. The Colorado version of this bill excludes devices used for physical purchase, so your gas pumps and POS systems would be excluded in CO. But I didn’t see that in the CA bill.
They’re both overly broad, ill-considered, frankly terrible bills that make as much sense as putting your birthday into a brewery site or Steam. Enter your birthday and we trust you. Now do that for every single one of those 100 VMs you just deployed…
Just the idea of requiring age verification to admin each VM in a fleet of VMs makes me chuckle.
> per-child usage
If the First Amendement is to prevent a government from letting you speak, shouldn’t that also concert a government from letting you hear that speech?
If so, then this seems to go against the Forst Amendment.
Sorry, Australian here so just speculating
By that logic, my NAS (TOS6) falls under that category.
Servers still kinda fit.
So, all of us-west-1?
> Also it’s not age verification really
Not yet, but it will be one day if it passes
Continually surprised by politicians wanting an OS to do what a parent should be doing. Why not just mandate that all devices with access control capabilities implement parental controls, and then mandate that all adults enable controls before handing a device to a minor? For devices that are incapable of user access control, the same rules as a knife, chainsaw or gun apply.
[dead]
Only wealthy parents (upper middle class or better) have the time or energy to do anything other than work, put food on the table, and do basic child care.
Most parents lack the technical expertise to police digital devices.
[dead]
This isn’t so heavy handed. The purpose of age signaling is so that a parent can set in one place an age, and then federal privacy protections under COPPA and state protections under the AADC kick in.
It would just be unenforced for all platforms except windows, apple and android.
I doubt the california legislature knows what a Linux even is.
The big three will love this. They'll implement the feature, then they get to dob in Linux and friends and get them buried in regulatory lawsuits.
All three already have identity linked accounts. Windows practically shoves it down your throat on install, for example. They'll love the excuse to finally disallow web-free accounts.
Windows servers are so back baby!
It’s only enforced by the CA Attorney General, and I’d be surprised to see a threat, let alone a lawsuit, against Linux on this. Not to say this is ideal.
> I doubt the california legislature knows what a Linux even is.
All Congress critters have staff to help write the bills and fill out the policy. You can bet your sweet bippy that there are people on staff in the California legislature who know what a Linux even is.
Exactly. This is obviously targeted at these three, and in those cases will be a massive improvement over forcing every site operator to start collecting photo ID.
>I doubt the california legislature knows what a Linux even is.
they would never need to know it once they learn what SecureBoot is. Any device with 1+ Gflop must have SecureBoot, and goodbye general computing.
It’s the V-chip and Clipper chip madness all over again. While they are at it can they start requiring the rich, famous, and powerful to get age verification before interacting with people to prevent another Epstein?
It’s political theater. “See? We did something. Vote for us again.”
2 replies →
To small to be of any concern.
> Reaction 3: how would this ever be enforced? Would they outlaw downloading distributions, or even older versions of distributions? When there's no exchange of money, a law like this is seems like it would be suppression of free speech.
That's not what will happen. We've already seen examples of what will happen. So let me just list them instead:
1. The Secure Boot chain for UEFI initially mandated that only OS that were signed by Microsoft would be allowed to boot on PCs where SB is enabled. This was partially rolled back after public backlash.
2. iOS devices and majority of Android devices already don't allow you to install an alternate OS or distro.
3. Platform attestation proposals like Web Environment Integrity and its Android version.
4. Mandate that every developer must register with and pay an MNC to be able to release any app on their platforms.
Basically, they'll just take away your ability to control your device in any way. Don't be surprised if it turns out that these MNCs were behind such legislations. But this legislation is especially dangerous in that it will effectively kill user-controlled general-purpose computing, even from vendors like Pine64, Framework, System76, Fairphone and Purism who are willing to offer those.
Considering the amount of damage caused by these sort of legislative BS, those who propose and vote for such bills should be investigated publicly for corruption, conflict of interests and potential treason. They should be forced to divulge any relationship, directly or indirectly, with the benefactors of these bills. On the other side, rich corporations should be banned from 'lobbying' or bribery more appropriately, in matters that they have a stake in. And they should have stiff penalties for any violations. Not those couple of million dollar slaps on their wrist. At least 5% of their annual global profits, incarceration of top executives and breaking up the company. There has to be a consequence that's uncomfortable enough, for any fairness to be reestablished. This should apply even more for those professional lobbying firms and 'industry advocacy groups'.
People also need to start strongly opposing, rejecting and condemning justifications like this that rely on the cliche tropes of CSAM, terrorism, public safety, national security, etc. None of those measures are necessary or even useful in preventing any of those. Insistence on the contrary should be treated as an admission of inability and incompetence of the respective authorities in tackling the problem. In fact, why do they assume that kids, especially teens, are unimaginative and incapable of working around the problem? They should at least be starting with awareness campaigns to get the kids and the parents on their side and empower parents to enforce parental controls, instead of reaching for such despotic measure right away. This is like banning drugs before the problem of drug addiction is addressed. Black markets exist, even for cyberspace. It will just make the problem a whole lot worse.
And finally, don't let people without clearly proven vested interests anywhere near such regulations. And choose professionals or at least competent people for taking such decisions. You can't rein in this attack on ordinary people without stemming the uncontrolled corruption in the public offices that deal with it.
March 1st is now officially malicious compliance day.
> how would this even work with embedded systems that have no UI to input this data?
Doesn't the bill explain all this pretty clearly? https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...
>> An operating system provider shall [...] provide an accessible interface at account setup that requires an account holder to indicate the birth date, age, or both, of the user [...]
>> “Operating system provider” means a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device.
Your hypothetical "embedded system" almost certainly neither has an account setup process in the first place, nor is it a general-purpose computing device, a mobile phone, or a computer.
> Reaction 3: how would this ever be enforced?
Pretty easily? They enforce it against the OS vendor for not providing such a process. They aren't enforcing the correctness of the age, nor are they claiming to.
> Someone needs to maliciously comply, in advance, on all California government systems.
...what? This is a law demanding compliance from OS vendors. Whose compliance is it even demanding in government systems for them to be malicious about it?
> general-purpose computing device
This term doesn't seem defined in the law at all. How general is general?
Graphing calculators that support apps and Python? Of course, they don't usually have "accounts" either. But to a technologist it's a "general purpose computer" insofar as it can run new code that the user loads into it, it can definitely run games that it didn't come from the factory with, etc. It's a tiny multipurpose computing device.
Laws in the US aren't taken as literal as in civil law systems. The intent and precedent is what carries much more weight in the end. Graph calculators are unlikely to be tested in court because it's irrelevant with respect to what this law is trying to accomplish.
https://en.wikipedia.org/wiki/Common_law
I often see laws discussed here and people finding some edge case and presenting this as a gotcha. The reality is that it's unlikely to matter.
Does your pocket calculator with Python have an account setup process?
2 replies →
i see you're a problem solver
> Reaction 3: how would this ever be enforced? Would they outlaw downloading distributions
They can outlaw you from using those distributions and/or scare the maintainers so there won't be distributions anymore. And if you want to use a desktop computer rent one from an hyperscaler, tied to a credit card and access it from a tablet with age verification. I don't know if I should add /s
you're pointing out that it doesn't make sense
the point of laws like these isn't to make sense, it's to be annoying