If I’m not mistaken, Meta has been lobbying heavily for all of these age-verification bills lately.
It seems their strategy is to externalize their responsibility to verify age themselves, and thus reduce their exposure to liabilities when child protection acts like COPPA are violated.
It should be externalized to a degree. Facebook shouldn't be the ones verifying age, but there should be a trusted 3rd party service that does that, which just tells facebook "yes this user is old enough to use your service" or "no they're not old enough".
It abso-fucking-lutely should not be at the OS level though, for so many reasons. Even the implementation alone would be a nightmare. Do I need to input my ID to use a fridge or toaster oven? Ridiculous.
We don't externalize age verification when buying alcohol or visiting the strip club. It's on the responsibility of those establishments to verify age.
I'm surprised that people think this is some new 'save-the-children' thing ? Didn't Zuck say like 10 years ago, you should not be allowed to be anonymous on the internet ? This just seems on-brand at this point.
A different approach that would keep incentives properly aligned is for Facebook (et al) to publish labels in website headers asserting the age (and other) suitability of content on various sections of the site. It would then be up to client software (eg a browser) to refuse to display sites that are unsuitable for kids on devices that have been configured for kid use.
As there has been a market failure for decades at this point, it would be reasonable to give this a legislative nudge - spelling out the specific labels, requiring large websites to publish the appropriate labels, and requiring large device manufacturers to include parental controls functionality. The labels would be defined such that a website not declaring labels (small, foreign, configuration mistake, etc) would simply not be shown by software configured with parental controls, preserving the basic permissionless nature of the Internet we take for granted.
But as it stands, this mandate being pushed is horribly broken - both for subjecting all users to the age verification regime, and also for being highly inflexible for parents who have opinions about what their kids should be seeing that differ from corporate attorneys!
Except none of these bills (California or the one in question) as currently written require an ID to actually be verified, merely that the user provide an age. This seems intentional as it's seems to solve the user journey where a parent is able to set a reasonable default by simply setting up an associated account age at account creation. It's effectively just standardizing parental controls.
I think this is a reasonable balance without being invasive as there's now a defined path to do reasonable parenting without being a sysadmin and operators cannot claim ignorance because the user input a random birthday. The information leaked is also fairly minimal so even assuming ads are using that as signal, it doesn't add too many bits to tracking compared to everything else. I think the California bill needs a bit of work to clarify what exactly this applies to (e.g. exclude servers) but I also think this is a reasonable framework to satisfy this debate.
I've seen the argument that this could lead to actual age verification but I think that's a line that's clearly definable and could be fought separately.
I want to be able to hire a licensed Identity Service Provider that gets all of my verified identity data in an encrypted token and let me register it with the OS, and control what amount of the data I expose to apps, with age verification being one of the lower levels of access.
I pay the company to verify me, I am their customer. They take on the liability of the OS makers and app makers of age verification.
If you have a valid token signed by a licensed IDS that verified your age in your OS, that's all anyone needs to know.
So we have to pay some 3rd party service to hoard information about Children? Why we want to set that up? Why would we want to take that power from the parents and give it to some company?
So, they want to profit off children, but do nothing to protect them?
> but there should be a trusted 3rd party service that does that
Gee, if only Facebook would use their incredible might to create this, rather than trying to rob our representative government from underneath us.
> It abso-fucking-lutely should not be at the OS level though
It's not my problem. It shouldn't involve me at all. I don't use social media and I think if you let your kids on there unsupervised you have a screw loose.
If social media, alcohol, drugs, gambling, phones are so, so, so bad for children. Just ban them from children.
We were completely fine 30 years ago without any phone. They will survive. They will probably thrive because now they have to learn how to hack the system.
Instead, we just give them everything they need and all the thinking they do is scrolling.
Sometimes even things that are good for Meta are good for the rest of us. This law, and the one in California, mean that liability is disclaimed as long as the parent selects an age above 18 for the child. It's like a section 230 for age protection. Meta supports this because they won't be liable for wrong age inputs, and we should also support this because it doesn't verify age in any other way.
We should support something that does the minimum to accomplish the goal. As luck would have it, we don't need to do anything because parental controls already exist, and apps like YouTube already have a "kid mode". But for some reason, people are very attached to the idea of getting that number. Your age. It isn't enough to have a boolean isAdult. Oh no, they want to know how old you are, and they want that number to follow tou everywhere you go. View a site on your PC and then load it in incognito to create an account and comment? Oh look, this person we've identified as pockauppet age 99 or whatever viewed the page, then someone registered aged 99 and commented on that same page. This is a data goldmine. But I guess we're not against sharing data anymore.
He doesn't want to have to stand up, turn around and apologize to parents on behalf of an asleep at the wheel Congress again.
At some level I don't blame him. It is also a bit strange how in that act alone he showed more accountability than most of the politicians that were questioning him, never mind most executives. I suppose Josh Hawley wants to be liable for personal lawsuits for his acts of Congress too... people cringe at his "robotic" demeanor but I can't remember the last time someone turned and faced people and apologized like this. Most people asked to do the same (even in front of the same body) never do.
If a company relies on self reported ages, they don't "know" it well enough to satisfy COPPA. Probably. I'm not a lawyer but I do keep up with the latest in privacy enforcement and I think this is the way things are headed.
For the record, I'm against age verification laws. But I think companies are pushing for them because of liabilities they face under other laws, not because they would actually like to have the data.
Facebook has always been there for only one reason; for people who don't value privacy.
Nothing less, nothing more.
Most things that are not suitable for children were recognized so long ago that it was decades, centuries, or millennia before anybody living was ever born.
Like porn, when it got on the web it has always been instinctively gatekept as traditionally as possible, and complaints which do arise over the decades are addressed by the websites in ways that measure up to how you expect a company to act. Consistent with the way they truly don't want underage visitors to their websites at all.
Those complaints are now dwarfed by what parents are saying about Facebook in particular.
Facebook, and now Meta, is just not something that previous generations had to deal with, so it didn't get handled in a very adult way as it should have been from the beginning. And it only got worse as it got bigger.
If it wasn't worse for their kids than porn, parents wouldn't be screaming so much louder than ever.
I guess it turns out the combination of fundamentally devaluing privacy across-the-board including minors is the main problem, and then the idea of hooking them early, like cigarette companies would do with as much habit-forming reinforcement as possible, is what leverages the lack of overall privacy through the roof.
What's really needed is bold gatekeeping on Meta's digressions alone, they should be the ones to aggressively keep everyone underage off their site. Like they really mean it, which has not existed before. That's what's been wrong the whole time, the internet was so much better before Facebook came along with their anti-privacy mission, and it got put on steroids.
Reining in Meta alone should be big enough to be noticeable, no-one else has a shred of responsibility by comparison.
Facebook has invested $billions in these underage crowds and they want to know exactly when everyone else on the internet turns a certain age even if they are not on Facebook.
Don't give it to them no matter how much they pay.
It would be the complete opposite of an advanced thinker who wants to respond by compromising more people's privacy across the regular internet, when Meta is the primary source of the problem, and they're who stand to benefit the more privacy is compromised in any way, child or adult.
Like my 19th century grandmother would say, "what's wrong with some people?"
It's amazing how many things We The People want our government to do that go ignored year after year, but the moment corporations want something laws get pushed through at lightning speeds. Does anyone actually think that masses of regular people in Illinois were begging their government to force operating systems to tell every website and advertiser how old their children are? They weren't. A small number of corporations with lots of money wanted that though. Bribing matters a lot more than voting.
How should they do it? Surely they don't have a responsibility to do something that nobody knows how to do?
There have been numerous cases in history where governments have attempted to legislate the outcome they want without regard to how that might be done or if it was possible in the first place. Obviously it can never deliver the results they want.
It would be like passing a law to say every company must operate an office on the moon, and then saying that companies lobbying for an advanced NASA space program is them externalising their responsibility.
They could require government ID to sign up and an adult sponsor to certify accounts for kids. Plus a limit on how many accounts an adult can sponsor.
It would be a mess, but solve the problem. It’s not that we don’t have the technology, we just don’t want to because the friction would decimate user numbers and engagement; it would be much simpler to regulate (e.g. usage limits on minors); and minors are less monetizable, which would lead to lower CPM on ads.
Then there’s the legal liability if you know someone is a minor and they’re sending nudes, for example. And the privacy concerns of tying that back to de-anonymized individuals.
But obviously I wouldn’t believe that social media companies care about user privacy on behalf of people.
It's up to parents to parent. It's not up to the government, and Facebook pushing this shit is evil.
It's not about protecting children. It's about increasing adtech intrusion, protecting revenue from liability, pushing against anonymity, and for all the various apparatus of power, it's about increasing leverage and control over speech.
bad take man. these companies don't care about kids; they just want to take the responsivity off of themselves. they don't actually put any money towards child safety.
With all the LLM bots they need a new way to sort out the people from the machines to not lose ad revenue and to help their spook friends.
It's better for them if this "responsibility" rests with another organisation, they don't get blamed as much when the information leaks and it is replaceable.
Really, I’m surprised that for all of the discussions on HN around these individual statewide acts that I see so little discussion of Meta as a primary force pushing them.
That's the correct strategy, if anyone sues meta, meta can bring their age verifier into the lawsuit and blame them. It makes sense from a business perspective, insurance perspective. etc...
Meta is definitely helping to push this, but they aren't having to push very hard because its already in the zeitgeist. It's a classic moral panic. Millennials are raising kids and turning into their boomer parents.
Millennials had their hippie era in their 20s (same stuff their parents did rebranded as "hipster" instead of "hippie," where instead of building a lifestyle of free love and bong hits in the Haight-Ashbury, they built a lifestyle of free love and bong hits in Williamsburg Brooklyn).
Now in their 30s-40s they've moved to the suburbs, they're voting Reagan, and are falling for hysterical media-driven moral panics about "what kids these days are up to" just like their Boomer parents did in the 80s-90s.
What's even more funny about all these "social media is evil" legislative proposals, they're motivated by the idea of what social media used to be when millennials were in college...which doesn't even exist anymore.
The classic narrative that teens are depressed because they're seeing what parties they didn't get invited to is wildly outdated now. Social media isn't social anymore (see Tiktok), it's just algorithmic short form TV. Nobody is seeing content from their peers anymore.
In reality, most modern research on social media finds little to no affect on teen mental health. But of course, if you have ulterior motives to undermine privacy or shirk corporate responsibility under the cover of "saving the kids," this moral panic is an already burning flame waiting to be stoked.
What does this bill have to do with age verification?
It legally mandates the existence of a required "age" field in user account records, a user interface to populate it during account setup, a mechanism for service providers to read this field, and that providers act as if it has been populated accurately.
As someone who has been the de facto "system administrator" for my family's computer systems since kindergarten, this has to be one of the stupidest policies I've ever seen gain traction.
I think it will be an extension of parental control and shift that accountability/responsibility upwards; Meta is not anyone's real life parents anyway.
This coordinated state level attack on the legislative process is crazy. These people can't seem to be bothered to do the basics of governing, but they always find time to do this cross-state nightmare fuel.
State government is always the worst for this sort of garbage legislation. The number of "economically-impactful" regulatory pages generated by state governments far outpaces the federal government in the US. And plenty of it is just corporate or influential NIMBY appeasement.
It is a fault in part in the government designed with bits and pieces of "honor system" and "well no one will ever do that!"; and the governed unable or unwilling to enact consequences.
It's kinda convenient because every service needs to ask you for the age now because they can't serve under 13s in a lot of cases. Having it be a simple API would be a decent convenience, no?
If you connect it with a permission system where you can choose whether to provide this information (e.g. >13 as a bool or age as an integer or the birthday as a date) that can't be too bad I guess?
It WOULD be nice if it only got used appropriately. But in 2026 its just one more metric to narrow down your profile for advertisers. Wouldn't it be convenient if you could just opt-out of tracking with a convenient API like the literal "do not track" header in browsers? It exists, but none of the people who SHOULD use it pay it any attention except as, ironically, another metric used to track people.
Not to mention that computing is a global thing, and in order for this to be useful it would definitely have to be providing more specific information than just a bool. Maybe chats require 13+, but pornography requires 18+. Maybe those ages are different based on location. All advertisers would need to do is ping the various different checks to get your actual or at least very approximate age.
This kind of thing is a slippery slope, and its ripe for abuse by doxxers, advertisers and big brother himself. Burn this with fire. I'm totally in agreement with the others that suggest stuff like this should b just get banned from getting introduced and reintroduced constantly trying to sneak it in as a rider or hidden provision. The people DON'T want it.
It's a brute-force solution, for a problem with many simpler and limited solutions. This is being pushed so hard for it's intended side-effects. The goal is not to protect children, and it never has been. The goal is to eliminate anonymity on the internet
It's forcing all OSs to do something that only a few should be doing. The correct way to do this is for the interested parties to form an association that does four things.
1. Creates a protocol with desired signals (country and a variable list of whatever others i.e. age,state) that clients (including browsers) CAN choose to use and forward.
2. Create an api OSs CAN implement to inform clients of those signals and if they can be overidden in the client. (Possibly even create an OS or service to run on OSs that implements it, parents can choose to install specific OS or service)
3. A open source server for governments to specify common classes of content and what to do when a specific SIGNAL (from the protocol in 1) is recieved (Serve content to SIGNAL group/serve content to everyone/never serve content). And what to do if content isn't in a class it recognizes(Serve content/not serve content). Association could also be extend it's duties to coordinate a list of types of content.
4. Maintain an authoritative list of servers by country so that those hosting services can reach the servers hosted in 3. So that webservers can visit those servers to find what they can serve if they wish to apply the law for that jurisdiction.
Horrible because it does codify less freedom and censorship. The advantages are that for a jurisdiction liability can fall on the right actor.
If you run a website/app you worry only if your in a jurisdiction that mandates you use the protocol and can easily geoblock crazy countries by using that signal and choose if a jurisdiction you want to deal with is worth the effort of coding for or whether you want to ignore that countries laws.
If you are a user you can choose to install the API or use an OS that implements it or an OS that spoofs it with only the liability of your jurisdiction. If you are a parent you can use an OS(or install a service) to implement it on your kids accounts.
If your an OS developer you can add functionality if desired/appropriate.
If you are a country you can specify what signals you use/require and can specify required signals (i.e. US may request the State signal so it can decide if it needs other signals to evaluate whether to serve "Social Media" content (i.e. age in the case of state=california)).
Not perfect but actually keeps punishment/enforcement to appropriate jurisdiction and means you can actually gracefully avoid liability for sites in broken jurisdictions rather than either kowtowing or being in breach. Also means it can be implemented in client if you don't want it on your OS or want the convenience of not being asked age without the ridiculous other stuff.
The law as is written mainly targets social media platforms. For an OS to comply, all it needs to do is provide a field during account creation that records the user's date of birth as supplied by the user. There is no onus on the operator to confirm the veracity of this information, or even record it anywhere other than the local OS install itself. I think we're safe.
Slippery slopes are a logical fallacy. Every single decision moving you down the slope is intentional. No sliding occurs if nothing actively pushes things down the slide.
Accordingly, it is never too late to lobby against these things.
But you're effectively asking a third party application, running in a browser no less (i already understand that a browser exposes WAY too much os level information), to query the OS for age information.
Several issues, one OS developers will likely use this to fully identify all users. Apple, Google and Microsoft would rather have legal identities tied to all activity, and this is an easy pretext.
Second, there's no certainty about how courts might interpret compliance. If the intent of the law is to positively identify minors, a user editable field may not be interpreted as sufficient to comply. We don't know what the safe level of identification will be outside of trying the law in court. Who wants to be on the bad side of that?
One way is that you log in under a guest account and the guest account requires you to indicate your age. After your session is over, guest account logs out.
Another way is that the library has two sets of computers, ones set for adults, ones set for minors. You need access card to use computer and the librarian will give you the age-appropriate access card.
Another way is computers are set for restrictive (child) account by default. If you need adult access you have to ask librarian to unlock it.
I don't like this whole thing, but compared to what I was fearing would happen, this idea is nowhere near as bad.
What I expected was that we'd end up with the OS vendors actually being mandated to really do age verification, and then submitting that using Web Credentials and Secure Attestation so that the far end could trust the whole thing, locking open-source OS's out of the mix and creating more of a walled garden online than we already have. I was guessing it would become a simple checkbox on e.g. Cloudflare - "[ ] allow adult users only" or whatever - and that it would end up with vast swathes of the internet going off limits for anyone not on closed-source systems.
Now, it looks like this is just a way for parents to tell the OS "this is a kid account" and have it flow through to websites so they can easily proactively block kids from connecting without having to implement any of that crap. Yes, it's much potentially easier for a child to circumvent; but any kid who can get around that sort of thing from within an OS could probably just wipe/reinstall anyway, so who cares?
As a parent whose kids are continually trying to see what trouble they can get into, I appreciate that I will get one more potential weapon in the fight.
Can someone tell me whether I am being a fool by actually being a bit relieved it's going this way?
> Can someone tell me whether I am being a fool by actually being a bit relieved it's going this way?
You're being a fool by actually being a bit relieved it's going this way.
These bills are meant to nudge the overton window[0] of digital politics in the direction of mandating realtime identity verification for all forms of computing. Advertisers want it, governments want it, _bad people and bad governments want it_. By pushing a very small and "weak" legally-required form of user identification on everything under the guise of "saving the kids", all involved parties can point at those who disagree and say "Look, if you disagree you must want to hurt children!" And so the bills pass, and a weak form of identity verification passes and is enforced. Then it'll be shown it doesn't work, and the proposed solution will be to make these identity verification laws more intrusive and more restrictive. Repeat ad-nauseum.
Well, ok. That is what I was fearing, after all. Perhaps I was anchored into the worse position and now am accepting a slight erosion of rights since it's not the entire thing, all at once... the slippery slope is not always a fallacy, after all.
LOL. Well said...Seems as if we're on some dystopian track that's eventually going to transform a RealID card into something like a Common Access Card (or worse).
What do you think comes after this? This is just a first step towards exactly requiring age verification at the OS/Store level... Then comes ever more restrictive and intrusive tracking and eliminating all anonymity as a final goal.
Time to start throwing up hobby BBS sites... and I think in this case text mode interfaces over web might be an advantage.
Websites can send down a single header indicating adult content. The device, the parent setup to indicate the users age, can respect that. Legitimate adult websites will not show the content. There is no need for any verification beyond that or it's just government mandated surveillance.
> There is no need for any verification beyond that or it's just government mandated surveillance.
There is no verification beyond that in these sorts of bills (CA, CO, IL). It's the parent's responsibility to watch their kids when they set up an account.
> Legitimate adult websites will not show the content.
This is a big problem (that won't necessarily be solved by this particular legislation, granted). There are already voluntary rating HTML tags websites can add to indicate parental control software should block them, but they're voluntary and non-standardized. Websites can choose not to comply with no real-world consequences. And I don't think platforms like Reddit or X, which are ostensibly all-ages social media but also have an abundance of adult content, are properly set up to serve tags like that on NSFW posts but not other ones.
It's a tricky problem to solve, and, imo, it's one the tech industry has demonstrated it doesn't have any desire to solve itself, hence legislation starting to get involved.
> Websites can send down a single header indicating adult content.
It sounds at first glance like a no-brainer that websites shouldn't have access to any information and the enforcement should be done at a local level (like the current voluntary HTML tags that locally installed parental control software can sometimes read). But some websites might want to display alternate content to minors-- e.g. a Wikipedia article with some images withheld, or Reddit sending a user back to an all-ages subreddit instead of just fully breaking or failing to load when the user stumbles upon something 18+. For anything like that, the website will need to know in some form that the user isn't able to see 18+ content.
Yeah, the laws in CA, CO, and now IL are essentially just mandating generally available OS's implement a standardized, local parental control system.
Detractors will say parents should just install existing parental control software, even though it's existed in its current form for decades and is obviously not effective. And they'll say it should be the parents' responsibility to enforce what their kids are doing with computers, while ignoring the fact that these laws provide tools allowing parents to do just that (the parents are the ones responsible for supervising their kids when they create accounts to ensure they're not lying about their age-- if the kids lie during setup, it's on the parents).
Anyone with kids will probably acknowledge that it's much easier supervising your kid once when they first set up an account on a new device than it would be to supervise them 24/7 when they're using the internet. But for some reason, lots of people without kids are in a panic about having to type in any date older than 18 years ago. The arguments I've heard against it are almost all slippery-slope (e.g. "they're gonna do this first, and then add ID requirements next year, because that's what I fear will happen.")
> The arguments I've heard against it are almost all slippery-slope (e.g. "they're gonna do this first, and then add ID requirements next year, because that's what I fear will happen.")
Because that's exactly what will happen. This is battlespace preparation for the destruction of anonymity on the internet, because politicians find this inconvenient.
> Yeah, the laws in CA, CO, and now IL are essentially just mandating generally available OS's implement a standardized, local parental control system.
Except what about my OS which doesn't have parental controls and can't reasonably be expected to provide them because who's gonna do it and be responsible for it?
> The arguments I've heard against it are almost all slippery-slope (e.g. "they're gonna do this first, and then add ID requirements next year, because that's what I fear will happen.")
And the arguments for it don't promise to fight tooth and nail not to make sure it's not slippery. If the slope does turn out to be slippery, today's proponents will be tomorrow's Hindsight Harrys (e.g. "the cat's already out of the bag, if you cared so much you should have fought this back when we all saw it coming").
The argument about the California bill is not that it is a slippery slope, but that it was drafted by people with zero domain knowledge. It applies equally to toaster ovens as well as iPhones.
> while ignoring the fact that these laws provide tools allowing parents to do just that
These tools are called "parental controls" and already exist - we don't need laws to compel their production.
...unless, of course, the true aim is to use this as a beachhead for further expansion of privacy-violating requirements.
You write this off as a "slippery-slope" argument, but given that there are already quite a few tools that do what this law aims for, what's the point?
The parents can already do that. Its called "parenting". The fact that they won't even though there are (non-required!) tools they could be using to do so is baffling to me.
> if the kids lie during setup, it's on the parents
Pretty much a "Yes, and?" scenario. See above.
> The arguments I've heard against it are almost all slippery-slope (e.g. "they're gonna do this first, and then add ID requirements next year, because that's what I fear will happen.")
I get where you're going, but precisely this. These things always start slow... then fast. The old adage "first they came for x, then y" is not a joke or an exaggeration. It is pretty much historic observation. I've lived long enough to know that whenever someone invokes the "think of the children" defense, there's always a catch.
People are making way too big a deal of this IMO. This is basically the OS equivalent of that checkbox you click to enter a porn website that gets exposed to Meta, so they can claim that they did what they all the they could to protect children if they get sued by parents. Any determined kid would figure out a way around this, but I can see it stopping younger and less determined kids, and it's a useful tool for parents.
It does not stop at the check box. Someone is going to sue Google/Apple when a 13 year old gets on a porn site. Then Google/Apple will introduce "verification" that requires linking your identity to your device, and attesting this to the "operator" (porn site). Then every person using any OS is tracked, on every website and app, all the time, by law. And Linux becomes illegal without it.
This is not a theory. Laws requiring this are going through the state and federal level right now.
Unlike the California law, I seemed to be in the minority in this opinion, this one does seem to require programs like grep to ask for a users age bracket.
> (b) An operator shall request a signal with respect to a
particular user from an operating system provider or a covered
application store when the application is downloaded and
launched.
Unlike the California law I do not see anything that restricts this to child accounts only.
So let say I have a program:
print("Hello, World!")
and I want to publish it to say npm or nixos, or some linux distribution. Not with out violating this law. This application needs to request the users age brackets at least at 'downloaded and launched' optimistically that means once on first launch, but potentially needs to be requested on each launch of the application. So lets fix the program
Microsoft has already made the installation of Windows a fucking nightmare with MS account requirements. Imagine when they are forcing every new device to not only have 50+ TOPS for Copilot, but also a tiny little internal mass spectrometer autosampler which will prick your finger as you login and analyze blood to carbon date the age of the user.
constitutional amendment to criminalise corporate lobbying with severe penalties - including capital punishment and confiscation of entire corporation.
Unfortunately, a rhetorical knee-jerk response that it needs universal, specific counter legislation for a "permanent fix" is panacea, magical thinking.
The root cause is a corrupt government doing the bidding of a few rich people and other countries. Fixing that will be very difficult but is nonetheless necessary and possible to largely thwart legislators from working against their own ostensible constituency.
>"Operating system provider" means a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device.
I.e Linux will most likely to be immune, since its not tied to a particular computer.
Which just means Linux stay winning. It already made big headway in the video game space, so its prime to take over personal computing too.
it's entirely possible such nonsense is all show, and wouldn't be passed, however.
i'm from illinois, worked in california, and no longer live in either. from afar, it seems that whatever california bureaucrats propose, after a short delay, gets proposed by their little sibling bureaucrats in illinois.
People here seem very against this, but I don't really see it. This only require to have a form asking about your age and provide an API to read it, right?
Surely I'm missing something? Is the backlash due to fear of a slippery slope?
There are basically 2 possibilities with the outcome of this law: It's rather so full of holes as to be meaningless, or it's so invasive as to force open source projects to try to geofence Illinois (which wouldn't be effective either, but might be the kind of compliance theatre we'll see from maintainers worried about liability).
Linux distros always have a "root" user. Does that user have to be asked its age before being usable? What about docker containers, which often come with a non-root user? What about installation media, which is often a perfectly usable OS? It would either have to be so easy to get around this law that most kids could do it easily, or so overzealously enforced as to disrupt the entire cloud industry.
what is the solution then to age gating apps that the public feels should be age gated? (TikTok, Instagram, etc). it seems like every app implementing its own guessing system would have even more holes, right?
this is one where I am sympathetic. the moment when someone, with their parent, is setting up a device seems like the best point to check age. right?
> It's rather so full of holes as to be meaningless, or it's so invasive as to force open source projects to try to geofence Illinois.
My guess reading the law as linked is that it's much closer to the former than the latter. That being said, you're right that it does bring a bunch of headache alongside with it for little-to-no benefits.
What if I don't want my computer asking for my age and providing an API to give up that information? Why is the government mandating software devs to add bloat and privacy violating features to operating systems?
The slippery slope isn't a fallacy in this case as we've seen the pot slowly come to a boil after 9/11 with various laws like the Patriot Act, FISA, etc. and classified programs within the NSA (and I'm sure all the three letters) which violate the rights of Americans everyday. Now it's a coordinated effort across multiple western countries all of a sudden to introduce laws around verifying your age. It's clear where this is going.
I guess I'm more surprised by the intensity of the backlash this generates here. I agree with you that mandating (weak) OS APIs like this the right approach, but that alone wouldn't warrant the severe reaction this is getting right?
People lie, so there would need to be some kind of proof provided, right? How much data will one need to give up to use a computer? Where/how is that data stored? What else will it be used for? What happens when it’s hacked? How will test systems or servers work? If I want a computer that isn’t linked to the rest of my ecosystem, can I still do that or will age verification require I login with a cloud account?
There are so many ways for this to go badly or simply be annoying.
I’m a guy in my 40s with no kids. I shouldn’t need to deal with all of this. Let the parents turn on parental controls for their kids; don’t force it on everyone.
If Meta needs to find a way to verify age, then that is also their problem. They are trying to make it the world’s problem. I don’t use any Meta products, so again I would question why I need to care about this… why will it become my problem?
The slippery slope then comes in addition to all of this.
It seems Apple already implemented their age verification API. I got prompted for it when opening the MyChart app a few weeks ago. The API used in that case only sends a Boolean if the user is over 18 or not, this is the best of the bad options. However, they have other APIs to get other data from a digital ID. The user is at the whim of the API the developer chooses to use. They can say no, but then they can’t use the app. I’m not sure how Apple validated my age, as I hadn’t loaded an ID into my wallet, but my Apple account is nearly 18 years old, so that might be good enough? If I were to get a Mac and just want to use a local account, then what happens? Can I not verify my age? Will I be able to use the computer or be locked out of the browser? These are some of the fears I have if they take this too far. Maybe some of them are unfounded, but I guess time will tell.
Laws exist that dictate what apps are allowed to do depending on the user's age. This means that in order to follow the law they must collect the user's age. If collecting the user's age is a common requirement of apps it makes sense for the operating system to expose an easy way to do that to make app development easier on that platform.
I am very pro social media regulation (with regards to age gating) due to the evidenced harm it causes, and which court cases have shown these companies are well aware of internally; with that said, this is an attempt by social media companies to shift liability to keep business as usual/status quo. This is no different than what oil companies have done, cigarette companies, chemical companies who have polluted at scale while knowing the harm, etc.
Meta and TikTok (and YouTube shorts to an extent) are the new Sackler family and Purdue pharma. They will hold on to these profit and power engines as long and hard as possible. They will not stop causing the harm unless forced to with regulation.
Purdue sold less than 4% of the prescription opioid pain pills in the U.S. from 2006 to 2012. They were a scapegoat for pill farm doctors and an incredible lack of personal responsibility from prescribers, pharmacists and patients.
to me, it's both the slippery slope argument and the lack of real reason other than "protecting minors". operating systems were designed to run the program/programs. You can make applications use this API to determine the user age, or you can just...ask the user in the application itself. I also don't see why this is a requirement rather than an option the same way I don't see why having a Microsoft account is required to install windows or access to internet (without the current workarounds) or even those password reset questions and to some extent asking for first and last name. If I want to add those information, let me do that myself or when i use said software, don't make it a hard requirement.
The bill itself sort of goes against its "purpose". If the purpose is to make a convenient API for stores to know their user, and avoid showing them certain content then why did the bill state:
"If an operator has internal clear and convincing
information that a user's age is different than the age
indicated by a signal received in accordance with this
Section, the operator shall use that information as the
primary indicator of the user's age."
because many people lie in those forms. Many people on steam will select they were born in 1900, including myself. So how will this API help? the only way for it to be useful is if they later require full verification.
The way I see it (to strongman the bill's position) is that by mandating it at account creation, an adult/parent can ensure that the age is properly set for a minor/child.
That being said, I don't think this bill was that well thought out as the implication are far reaching (will I need to enter an age when provisioning a VM?).
I mostly see it as a clumsy attempt to provide a mechanism for age-category attestation in a way that is more privacy-friendly than Texas's "upload-your-id" law.
I think the implication is that this law is incredibly bad. I don't mean for privacy, I mean for fulfilling it's purpose. This will prevent approximately zero kids from accessing whatever.
What that means is that we will have to amp it up, if we want to achieve it's purpose. So, that's not a slippery slope, that's a prophecy.
When we get cryptographically backed identity verification on all computing, that will legitimately be the end of computing as we know it.
If it is so simple - that ensures nothing, faked easily - then what's the point wasting efforts on it? Why to complicate things? Why spend time and efforts to do it? And annoy with one more tiny thing on top of the hundrends? Why not just not doing it?
Or, in contrary, when it is very reliable, so it can map a very specific real person to a reliable and true birth date, then f off binding myself to a randome computer account that gives it out to whomever is asking it!
The backlash is from Meta trying of assign liabilities of their business practices on people who may not even be users.
Yes, this is just the beginning of a huge swath of innocent APIs to identify people on the internet. Meta isn’t going to stop, and neither will governments.
The government is not allowed to specify what your software you run on your local personal computer or how that software should work. This is a first amendment issue, it’s been defeated before, it will be defeated again. If this were ever upheld, you will immediately have legislation attempting to force OS makers to spy on users, add backdoors, and so on.
Edit: also, before the same jackass from the last few discussions on this mentions “muh ADA” again, the ADA has never been shown to apply to an OS in court nor does it mention anything about operating systems.
This is the framework for requiring government ID to use online services, which increasingly power even local computing (thanks to DRM and cloud services).
They want to abolish anonymous use of internet services, because anonymous publishing at scale is powerful and dangerous to incumbents when they can’t retaliate with malicious prosecution, police harassment, or assassination.
The "one weird trick" that all government hates? Stop forcing OSes to function with accounts. "User account" is an artifact of UNIX. You don't need an account to start a car, send and email, nor boot an operating system. I know it's hard to grasp, but it's true.
The "User account" of the OS are the security contexts. You can say everything should be a single security context, and this is how a lot of people have been operating their MS Windows machines, logging in as admin constantly, but this is a stupid idea and comes with risks. Even when you say the OS can have a second root account, that the user never gets to use, you have two user accounts.
Growing up, I vividly remember user accounts being important for our families personas on Windows XP. There's definitely a place for them, but there should be an option to not use one.
Unless your specifically calling out accounts that require online registration for the OS. I'm vehemently against that requirement.
> the Children's Social Media Safety Act
>
> provide an accessible interface at account setup that requires an account holder to indicate the birth date, age, or both
Thank goodness kids can't lie about their age!
> provide an operator who has requested a signal with respect to a particular user a signal that identifies the user's age by category
Wait - if this is just to pass a signal to an operator ("social media site"), why can't the "operator" just ask for the age themselves?
This is why Meta is forcing this legislation through nation-wide. They are forcing Google/Apple to take the liability, despite it not actually being Google or Apple that's providing the "harmful" social media. Meta are doing this state-by-state so nobody can track that it's them. Easier than pushing at a federal level, and raises fewer red flags from news media.
Since Google and Apple won't want to accept this liability either, the next step is requiring digital IDs and third-party verification to prove the user is of age. This will enable tracking of all users, whatever app or website they go to. Bills requiring this are already being passed at state and federal level.
I wonder how this will mix wit federal laws saying you aren't allowed to track users under the age of 13yo? Will this then be forced as a browser API/header passed to every server/request?
From articles I've seen, it's mostly Facebook lobbying to "pass the buck" upstream to the OS level to actually inquire... this of course will blead into the OS provided "store" interfaces most likely. And while, likely mostly targeting Apple and Google, MS/Windows and Linux are definitely going to be catching stray bullets. In particular vendors with Linux pre-installed... hence System 76 adding the feature to PopOS. Who knows if/how this will come about in practice or how consistently.
Even if open source operating systems comply and add such a feature, what's to stop individual people from removing this and blocking the API requests before they install the OS? Or providing dummy responses? They're open source, after all.
Is the government going to require some sort of automated checks that verify every person who connects to the internet has this API on their OS and go after individuals that aren't in compliance?
In a perfect world the right way to protect children from digital dangers is by proper parenting. In the real world the government steps in so that the next generation doesn't come up crippled. The solution is imperfect and might be a privacy nightmare but is better than nothing. There is a lot of bad parenting in preventing digital-related problems in children.
For what I understand, OpenBSD could just patch useradd so that the age category is mentionned in the comment field of /etc/passwd or a random text file in /etc.
Haiku could just run an automatic dialog asking you if you are minor, in Illinois or California and write a text file with the corresponding age category of said person.
These bills do not mandate that the user cannot modify that information AFAIK.
By adding a simple birthdate field to your account info and a system API of some sort for retrieving the account owner's age range, same as everyone else.
I didn't know a single company could just pay politicians state-by-state to pass a given law - in my country that would be a crime, but it seems in the US this is how the legislation process works :)
> What recourse would Illinois (!) have against open-source operating systems?
None but them corporations sure do. And with a little cash in the right place I'm sure they can push recourse onto people of power. We really need to end political lobbying one of these days
There's something I've never seen a good answer to: why is this being mandated in the OS vs requiring it for apps - or classes of apps? There's plenty of parental controls already available for browsers - after verifying the user's age on startup, why not add a header field that the browser inserts along with AgentID (for example) and call it a day?
1. It's easier to download a new browser than reinstall your OS.
2. Plenty of websites make their own apps, and then you're back to just having every website under the sun trying to verify everyone's age to know who to show explicit content to.
What are they going to do to enforce this? Take down open source projects that "operate" in Illinois because a user downloaded the software there? Absolute joke and everyone should treat it that way; advanced compliance here means implicit support for the surveillance state.
If allowing children access to social media is dangerous, then why aren't they enforcing existing child abuse and child endangerment laws? Throw the parents in prison for failing to control their children.
Every single sponsor of this bill is a Democrat. Why is that? I would think they’re against the type of puritanical moralizing that is behind most age verification bills.
Oh I remember. I just assumed things have changed enough, and that the threat of theocratic ideology - what’s behind project 2025 - would have made such stances unacceptable. My guess is this has more to do with lobbying and donor interest.
Literally every single thing you linked to is completely unrelated to the topic at hand.
Those are all specifically targeted at mobile app stores—which already verify age—and have nothing to do with general purpose operating systems or their account creation.
Try moving the goalposts more carefully next time.
The pragmatic Richard that wrote that book is long gone I'm afraid.
Today his blog is filled with weird rants against voter ID, the Iran conflict, and a list of other countries he dislikes because they have national ID cards and this is a bad thing apparently.
For someone who is a renowned world traveler, you would think he has heard of passports by now.
Not a peep about these bills that could have a very real impact on an operating system he invented (gah-noo).
Then again, since he's never installed it himself*, account creation is not something he would have to deal with or care about.
When I need to use my computer, I'm not thinking about someone else's crusade. I have crusades of my own to fail miserably at and I need all the help I can get from whatever products function best.
I was talking about middle grounds and finding a workable/tolerable solution a few days ago, but as I'm entitled to, I've changed my mind now that I've found out freaking zuckerberg is behind all this. it isn't the will of the people.
That's what has me down about US politics big time. Even the most extreme voices in politics (warren, sanders, aoc,etc..) don't even come close to holding these people accountable. I don't care about taxing them, I care about prison time for interfering with a democracy like this (not retroactively of course). No one is even entertaining properly criminalizing such behavior. Even they made it illegal, they'll just make it a fine a billionaire can pay like an oopsie parking ticket.
These ruling class types have always been there, and human nature is such that they will always be there. But you have to understand, this isn't feudal era England, the government and society isn't built to tolerate them. Their behavior as such is parasitical and only leads to destruction of society. In their parasitism, they've fooled themselves into believing their wealth can shield them. But the nature of the parasite is such that it can't live without a viable host.
Whatever you believe about billionaires controlling politicians, it's much much worse than you think.
What the hell is going on. Why does it seem like largely out of nowhere there is suddenly such a dramatic push on age verification and internet censorship popping up literally all over the world at the same time.
Fuck this "think of the children" unnecessary, astroturfed, privacy invasive corporate corruption of government. This is just the opening salvo in erosion of individual rights.
A few people have replied saying Meta lobbying, but the bills Meta is known to have lobbied for seem to be the ones that require actual age verification that would tend to increase the amount of personal data Meta gets.
Meta's lobbying spending is cited for states not doing that kind of bill, but that's their total lobbying spending in that state.
These new bills in the style of the California one do not require any actual age verification and don't give any information to sites or apps other than the age range that whoever made the user account on the device entered.
It is essentially just requiring a simple parental control mechanism be provided by the OS which provides a way for parents to set age ranges for the accounts of their children and an API that apps that need to check age can query.
On a Unix or Unix like system this could be as simple as having the command to create a user account ask for age or birthdate and store that somewhere (maybe a new field in /etc/passwd) and then adding a getage() function to the standard library that apps can call to get the age range for the current user.
From the "we want to slurp up everything we can about you" point of view usually associated with Meta it is not obvious why Meta would support this approach.
Age checks can broadly be divided into 3 categories.
1. Done entirely on the local system, with only the result being revealed to the app/site that is asking. Age information comes from the owner/administrator of the system. I.e., the parental control approach.
2. Done using the local system and some external source of age information like your government. Only the result is revealed to the app/site that is asking.
3. Verification is done directly with the site that is asking, or through a third party. You have to supply sensitive documents like your government ID to the site or the third party.
#3 is terrible for privacy and anonymity. The red state laws tend to be in this category.
#2 depends on the details. There may be ways using the timing of the communications between your system and your ID supplier (e.g., your government) and the communications between your system and the site you are proving ID to that could allow the site and the government to get more information that you want them to. There are cryptographic ways to prevent that, especially if the device has a hardware security module. It thus comes down to with #2 that you really need to look at the details.
I'm not sure if any US state is taking this approach. The EU is, with cryptography to make it GDPR compatible and allow anonymous verification. Google and Apple are also working on such systems.
#1 is basically equivalent to the "Are you 18+" dialogs on many adult web sites, except moves to the device and the admin can if they wish prevent non-admin users from lying.
It is not really surprising that blue states are tending more toward #1, especially considering that several of them are among the states that have the strongest state privacy and data protection laws.
Because Meta's got the government breathing down their neck to confirm that everyone who interacts with their site is of appropriate age due to COPPA. They don't want to do that kind of verification themselves so they're backing legislation to compel the OS to do it.
If I’m not mistaken, Meta has been lobbying heavily for all of these age-verification bills lately.
It seems their strategy is to externalize their responsibility to verify age themselves, and thus reduce their exposure to liabilities when child protection acts like COPPA are violated.
It should be externalized to a degree. Facebook shouldn't be the ones verifying age, but there should be a trusted 3rd party service that does that, which just tells facebook "yes this user is old enough to use your service" or "no they're not old enough".
It abso-fucking-lutely should not be at the OS level though, for so many reasons. Even the implementation alone would be a nightmare. Do I need to input my ID to use a fridge or toaster oven? Ridiculous.
Or, and hear me out, _maybe our computers shouldn't spy on us in the first place_?
80 replies →
> It should be externalized to a degree.
Why?
We don't externalize age verification when buying alcohol or visiting the strip club. It's on the responsibility of those establishments to verify age.
26 replies →
I'm surprised that people think this is some new 'save-the-children' thing ? Didn't Zuck say like 10 years ago, you should not be allowed to be anonymous on the internet ? This just seems on-brand at this point.
A different approach that would keep incentives properly aligned is for Facebook (et al) to publish labels in website headers asserting the age (and other) suitability of content on various sections of the site. It would then be up to client software (eg a browser) to refuse to display sites that are unsuitable for kids on devices that have been configured for kid use.
As there has been a market failure for decades at this point, it would be reasonable to give this a legislative nudge - spelling out the specific labels, requiring large websites to publish the appropriate labels, and requiring large device manufacturers to include parental controls functionality. The labels would be defined such that a website not declaring labels (small, foreign, configuration mistake, etc) would simply not be shown by software configured with parental controls, preserving the basic permissionless nature of the Internet we take for granted.
But as it stands, this mandate being pushed is horribly broken - both for subjecting all users to the age verification regime, and also for being highly inflexible for parents who have opinions about what their kids should be seeing that differ from corporate attorneys!
Except none of these bills (California or the one in question) as currently written require an ID to actually be verified, merely that the user provide an age. This seems intentional as it's seems to solve the user journey where a parent is able to set a reasonable default by simply setting up an associated account age at account creation. It's effectively just standardizing parental controls.
I think this is a reasonable balance without being invasive as there's now a defined path to do reasonable parenting without being a sysadmin and operators cannot claim ignorance because the user input a random birthday. The information leaked is also fairly minimal so even assuming ads are using that as signal, it doesn't add too many bits to tracking compared to everything else. I think the California bill needs a bit of work to clarify what exactly this applies to (e.g. exclude servers) but I also think this is a reasonable framework to satisfy this debate.
I've seen the argument that this could lead to actual age verification but I think that's a line that's clearly definable and could be fought separately.
23 replies →
I want to be able to hire a licensed Identity Service Provider that gets all of my verified identity data in an encrypted token and let me register it with the OS, and control what amount of the data I expose to apps, with age verification being one of the lower levels of access.
I pay the company to verify me, I am their customer. They take on the liability of the OS makers and app makers of age verification.
If you have a valid token signed by a licensed IDS that verified your age in your OS, that's all anyone needs to know.
> trusted 3rd party service
So we have to pay some 3rd party service to hoard information about Children? Why we want to set that up? Why would we want to take that power from the parents and give it to some company?
> Facebook shouldn't be the ones verifying age
So, they want to profit off children, but do nothing to protect them?
> but there should be a trusted 3rd party service that does that
Gee, if only Facebook would use their incredible might to create this, rather than trying to rob our representative government from underneath us.
> It abso-fucking-lutely should not be at the OS level though
It's not my problem. It shouldn't involve me at all. I don't use social media and I think if you let your kids on there unsupervised you have a screw loose.
If social media, alcohol, drugs, gambling, phones are so, so, so bad for children. Just ban them from children.
We were completely fine 30 years ago without any phone. They will survive. They will probably thrive because now they have to learn how to hack the system.
Instead, we just give them everything they need and all the thinking they do is scrolling.
1 reply →
I guess the point is: delegate to kernel, then “oh, people with root can bypass with modules? Secure Boot!”
2 replies →
The porn industry already figured this out and it’s super simple. Requires zero personal information.
https://www.rtalabel.org/index.html
And just which third party do you trust with your identity?
The trusted third-party is, in part, meant to be a society of responsible parents.
Yea, it's called Mom & Dad.
> but there should be a trusted 3rd party service that does that
No, there shouldn't be any such thing; everyone pushing for any shape of this should just bugger off.
Sometimes even things that are good for Meta are good for the rest of us. This law, and the one in California, mean that liability is disclaimed as long as the parent selects an age above 18 for the child. It's like a section 230 for age protection. Meta supports this because they won't be liable for wrong age inputs, and we should also support this because it doesn't verify age in any other way.
We should support something that does the minimum to accomplish the goal. As luck would have it, we don't need to do anything because parental controls already exist, and apps like YouTube already have a "kid mode". But for some reason, people are very attached to the idea of getting that number. Your age. It isn't enough to have a boolean isAdult. Oh no, they want to know how old you are, and they want that number to follow tou everywhere you go. View a site on your PC and then load it in incognito to create an account and comment? Oh look, this person we've identified as pockauppet age 99 or whatever viewed the page, then someone registered aged 99 and commented on that same page. This is a data goldmine. But I guess we're not against sharing data anymore.
2 replies →
He doesn't want to have to stand up, turn around and apologize to parents on behalf of an asleep at the wheel Congress again.
At some level I don't blame him. It is also a bit strange how in that act alone he showed more accountability than most of the politicians that were questioning him, never mind most executives. I suppose Josh Hawley wants to be liable for personal lawsuits for his acts of Congress too... people cringe at his "robotic" demeanor but I can't remember the last time someone turned and faced people and apologized like this. Most people asked to do the same (even in front of the same body) never do.
https://youtu.be/yUAfRod2xgI
Don't kid yourself, Meta already knows the age of all its users, at least within the broad categories that this bill defines.
Yes, but they want to show children content that is not appropriate, then claim ignorance.
1 reply →
If a company relies on self reported ages, they don't "know" it well enough to satisfy COPPA. Probably. I'm not a lawyer but I do keep up with the latest in privacy enforcement and I think this is the way things are headed.
For the record, I'm against age verification laws. But I think companies are pushing for them because of liabilities they face under other laws, not because they would actually like to have the data.
Legally, there's a difference between "knowing" and "accurate enough for loose cannon advertisers".
Facebook has always been there for only one reason; for people who don't value privacy.
Nothing less, nothing more.
Most things that are not suitable for children were recognized so long ago that it was decades, centuries, or millennia before anybody living was ever born.
Like porn, when it got on the web it has always been instinctively gatekept as traditionally as possible, and complaints which do arise over the decades are addressed by the websites in ways that measure up to how you expect a company to act. Consistent with the way they truly don't want underage visitors to their websites at all.
Those complaints are now dwarfed by what parents are saying about Facebook in particular.
Facebook, and now Meta, is just not something that previous generations had to deal with, so it didn't get handled in a very adult way as it should have been from the beginning. And it only got worse as it got bigger.
If it wasn't worse for their kids than porn, parents wouldn't be screaming so much louder than ever.
I guess it turns out the combination of fundamentally devaluing privacy across-the-board including minors is the main problem, and then the idea of hooking them early, like cigarette companies would do with as much habit-forming reinforcement as possible, is what leverages the lack of overall privacy through the roof.
What's really needed is bold gatekeeping on Meta's digressions alone, they should be the ones to aggressively keep everyone underage off their site. Like they really mean it, which has not existed before. That's what's been wrong the whole time, the internet was so much better before Facebook came along with their anti-privacy mission, and it got put on steroids.
Reining in Meta alone should be big enough to be noticeable, no-one else has a shred of responsibility by comparison.
Facebook has invested $billions in these underage crowds and they want to know exactly when everyone else on the internet turns a certain age even if they are not on Facebook.
Don't give it to them no matter how much they pay.
It would be the complete opposite of an advanced thinker who wants to respond by compromising more people's privacy across the regular internet, when Meta is the primary source of the problem, and they're who stand to benefit the more privacy is compromised in any way, child or adult.
Like my 19th century grandmother would say, "what's wrong with some people?"
It's amazing how many things We The People want our government to do that go ignored year after year, but the moment corporations want something laws get pushed through at lightning speeds. Does anyone actually think that masses of regular people in Illinois were begging their government to force operating systems to tell every website and advertiser how old their children are? They weren't. A small number of corporations with lots of money wanted that though. Bribing matters a lot more than voting.
How should they do it? Surely they don't have a responsibility to do something that nobody knows how to do?
There have been numerous cases in history where governments have attempted to legislate the outcome they want without regard to how that might be done or if it was possible in the first place. Obviously it can never deliver the results they want.
It would be like passing a law to say every company must operate an office on the moon, and then saying that companies lobbying for an advanced NASA space program is them externalising their responsibility.
They could require government ID to sign up and an adult sponsor to certify accounts for kids. Plus a limit on how many accounts an adult can sponsor.
It would be a mess, but solve the problem. It’s not that we don’t have the technology, we just don’t want to because the friction would decimate user numbers and engagement; it would be much simpler to regulate (e.g. usage limits on minors); and minors are less monetizable, which would lead to lower CPM on ads.
Then there’s the legal liability if you know someone is a minor and they’re sending nudes, for example. And the privacy concerns of tying that back to de-anonymized individuals.
But obviously I wouldn’t believe that social media companies care about user privacy on behalf of people.
10 replies →
It's up to parents to parent. It's not up to the government, and Facebook pushing this shit is evil.
It's not about protecting children. It's about increasing adtech intrusion, protecting revenue from liability, pushing against anonymity, and for all the various apparatus of power, it's about increasing leverage and control over speech.
bad take man. these companies don't care about kids; they just want to take the responsivity off of themselves. they don't actually put any money towards child safety.
1 reply →
With all the LLM bots they need a new way to sort out the people from the machines to not lose ad revenue and to help their spook friends.
It's better for them if this "responsibility" rests with another organisation, they don't get blamed as much when the information leaks and it is replaceable.
I think their strategy is to just sell more software. Liability was cut by buying the presidency.
Yes
https://www.reddit.com/r/LinusTechTips/comments/1rsn1tm/it_a...
Really, I’m surprised that for all of the discussions on HN around these individual statewide acts that I see so little discussion of Meta as a primary force pushing them.
16 replies →
I think? the most recent version of that post is https://web.archive.org/web/20260314074025/https://www.reddi..., which is "awaiting moderator approval"
1 reply →
And discussed on HN: <https://news.ycombinator.com/item?id=47410870>.
That's the correct strategy, if anyone sues meta, meta can bring their age verifier into the lawsuit and blame them. It makes sense from a business perspective, insurance perspective. etc...
Meta is definitely helping to push this, but they aren't having to push very hard because its already in the zeitgeist. It's a classic moral panic. Millennials are raising kids and turning into their boomer parents.
Millennials had their hippie era in their 20s (same stuff their parents did rebranded as "hipster" instead of "hippie," where instead of building a lifestyle of free love and bong hits in the Haight-Ashbury, they built a lifestyle of free love and bong hits in Williamsburg Brooklyn).
Now in their 30s-40s they've moved to the suburbs, they're voting Reagan, and are falling for hysterical media-driven moral panics about "what kids these days are up to" just like their Boomer parents did in the 80s-90s.
What's even more funny about all these "social media is evil" legislative proposals, they're motivated by the idea of what social media used to be when millennials were in college...which doesn't even exist anymore.
The classic narrative that teens are depressed because they're seeing what parties they didn't get invited to is wildly outdated now. Social media isn't social anymore (see Tiktok), it's just algorithmic short form TV. Nobody is seeing content from their peers anymore.
In reality, most modern research on social media finds little to no affect on teen mental health. But of course, if you have ulterior motives to undermine privacy or shirk corporate responsibility under the cover of "saving the kids," this moral panic is an already burning flame waiting to be stoked.
> teens are depressed because they're seeing what parties they didn't get invited to
More modern version: my experiences don’t look like the Instagram shots, my body doesn’t look like theirs, etc.
> modern research on social media finds little to no affect on teen mental health
Sounds like you know what you’re talking about, but if you have references I would read them.
How about research on the effects of social media on academic performance?
No disagreement at all that this is another power and surveillance grab.
1 reply →
What does this bill have to do with age verification?
It legally mandates the existence of a required "age" field in user account records, a user interface to populate it during account setup, a mechanism for service providers to read this field, and that providers act as if it has been populated accurately.
As someone who has been the de facto "system administrator" for my family's computer systems since kindergarten, this has to be one of the stupidest policies I've ever seen gain traction.
Is there a problem with this? Most users are using an iPhone and most iPhones already know the accurate age of their user
I think it will be an extension of parental control and shift that accountability/responsibility upwards; Meta is not anyone's real life parents anyway.
People will just forge IDs with LLMs. This measure is basically unenforceable, and wastes everyone's time and money.
I’ve heard Android is a more common OS. In any case, if your OS fails to ask a user their age, it’s banned.
7 replies →
This coordinated state level attack on the legislative process is crazy. These people can't seem to be bothered to do the basics of governing, but they always find time to do this cross-state nightmare fuel.
State government is always the worst for this sort of garbage legislation. The number of "economically-impactful" regulatory pages generated by state governments far outpaces the federal government in the US. And plenty of it is just corporate or influential NIMBY appeasement.
It is a fault in part in the government designed with bits and pieces of "honor system" and "well no one will ever do that!"; and the governed unable or unwilling to enact consequences.
It's kinda convenient because every service needs to ask you for the age now because they can't serve under 13s in a lot of cases. Having it be a simple API would be a decent convenience, no?
If you connect it with a permission system where you can choose whether to provide this information (e.g. >13 as a bool or age as an integer or the birthday as a date) that can't be too bad I guess?
I haven't read the whole thing of course.
It WOULD be nice if it only got used appropriately. But in 2026 its just one more metric to narrow down your profile for advertisers. Wouldn't it be convenient if you could just opt-out of tracking with a convenient API like the literal "do not track" header in browsers? It exists, but none of the people who SHOULD use it pay it any attention except as, ironically, another metric used to track people.
Not to mention that computing is a global thing, and in order for this to be useful it would definitely have to be providing more specific information than just a bool. Maybe chats require 13+, but pornography requires 18+. Maybe those ages are different based on location. All advertisers would need to do is ping the various different checks to get your actual or at least very approximate age.
This kind of thing is a slippery slope, and its ripe for abuse by doxxers, advertisers and big brother himself. Burn this with fire. I'm totally in agreement with the others that suggest stuff like this should b just get banned from getting introduced and reintroduced constantly trying to sneak it in as a rider or hidden provision. The people DON'T want it.
It's a brute-force solution, for a problem with many simpler and limited solutions. This is being pushed so hard for it's intended side-effects. The goal is not to protect children, and it never has been. The goal is to eliminate anonymity on the internet
Exactly. Slowly the screws will be tightened, saying "oh the age gates are too loose" and will need ID verification, step by step.
What if someone else is using the computer/phone/etc?
No, because "Operating System Provider" is either too vague, or too imposing on free operating system developers.
Having a radio option for <13, 13–15, 16–17, and 18+ on account creation and a syscall to query that is not a huge imposition for OS.
1 reply →
We got rid of the IDENT protocol a long time ago because it was stupid.
You mean because it was being used as a doxxing tool.
Argumentation 101: “it’s stupid” isn’t a reason.
It's forcing all OSs to do something that only a few should be doing. The correct way to do this is for the interested parties to form an association that does four things.
1. Creates a protocol with desired signals (country and a variable list of whatever others i.e. age,state) that clients (including browsers) CAN choose to use and forward.
2. Create an api OSs CAN implement to inform clients of those signals and if they can be overidden in the client. (Possibly even create an OS or service to run on OSs that implements it, parents can choose to install specific OS or service)
3. A open source server for governments to specify common classes of content and what to do when a specific SIGNAL (from the protocol in 1) is recieved (Serve content to SIGNAL group/serve content to everyone/never serve content). And what to do if content isn't in a class it recognizes(Serve content/not serve content). Association could also be extend it's duties to coordinate a list of types of content.
4. Maintain an authoritative list of servers by country so that those hosting services can reach the servers hosted in 3. So that webservers can visit those servers to find what they can serve if they wish to apply the law for that jurisdiction.
Horrible because it does codify less freedom and censorship. The advantages are that for a jurisdiction liability can fall on the right actor.
If you run a website/app you worry only if your in a jurisdiction that mandates you use the protocol and can easily geoblock crazy countries by using that signal and choose if a jurisdiction you want to deal with is worth the effort of coding for or whether you want to ignore that countries laws.
If you are a user you can choose to install the API or use an OS that implements it or an OS that spoofs it with only the liability of your jurisdiction. If you are a parent you can use an OS(or install a service) to implement it on your kids accounts.
If your an OS developer you can add functionality if desired/appropriate.
If you are a country you can specify what signals you use/require and can specify required signals (i.e. US may request the State signal so it can decide if it needs other signals to evaluate whether to serve "Social Media" content (i.e. age in the case of state=california)).
Not perfect but actually keeps punishment/enforcement to appropriate jurisdiction and means you can actually gracefully avoid liability for sites in broken jurisdictions rather than either kowtowing or being in breach. Also means it can be implemented in client if you don't want it on your OS or want the convenience of not being asked age without the ridiculous other stuff.
The law as is written mainly targets social media platforms. For an OS to comply, all it needs to do is provide a field during account creation that records the user's date of birth as supplied by the user. There is no onus on the operator to confirm the veracity of this information, or even record it anywhere other than the local OS install itself. I think we're safe.
It's the start of a very slippery slope.
https://theintercept.com/2026/03/17/government-surveillance-...
Slippery slopes are a logical fallacy. Every single decision moving you down the slope is intentional. No sliding occurs if nothing actively pushes things down the slide.
Accordingly, it is never too late to lobby against these things.
18 replies →
But you're effectively asking a third party application, running in a browser no less (i already understand that a browser exposes WAY too much os level information), to query the OS for age information.
Several issues, one OS developers will likely use this to fully identify all users. Apple, Google and Microsoft would rather have legal identities tied to all activity, and this is an easy pretext.
Second, there's no certainty about how courts might interpret compliance. If the intent of the law is to positively identify minors, a user editable field may not be interpreted as sufficient to comply. We don't know what the safe level of identification will be outside of trying the law in court. Who wants to be on the bad side of that?
And we will finally have the year of the Linux desktop!
1 reply →
And how will you use a library computer?
There's a couple of ways that could go down.
One way is that you log in under a guest account and the guest account requires you to indicate your age. After your session is over, guest account logs out.
Another way is that the library has two sets of computers, ones set for adults, ones set for minors. You need access card to use computer and the librarian will give you the age-appropriate access card.
Another way is computers are set for restrictive (child) account by default. If you need adult access you have to ask librarian to unlock it.
2 replies →
Seems like a slippery slope. Now the infrastructure is there to ask apple, Google and microsoft to confirm identity with selfies over the internet.
That infrastructure is literally already there. It's done and live in some areas.
Couldn't the OS just opt out of social media? I wouldn't mind promising that I won't engage in social media online.
I don't like this whole thing, but compared to what I was fearing would happen, this idea is nowhere near as bad.
What I expected was that we'd end up with the OS vendors actually being mandated to really do age verification, and then submitting that using Web Credentials and Secure Attestation so that the far end could trust the whole thing, locking open-source OS's out of the mix and creating more of a walled garden online than we already have. I was guessing it would become a simple checkbox on e.g. Cloudflare - "[ ] allow adult users only" or whatever - and that it would end up with vast swathes of the internet going off limits for anyone not on closed-source systems.
Now, it looks like this is just a way for parents to tell the OS "this is a kid account" and have it flow through to websites so they can easily proactively block kids from connecting without having to implement any of that crap. Yes, it's much potentially easier for a child to circumvent; but any kid who can get around that sort of thing from within an OS could probably just wipe/reinstall anyway, so who cares?
As a parent whose kids are continually trying to see what trouble they can get into, I appreciate that I will get one more potential weapon in the fight.
Can someone tell me whether I am being a fool by actually being a bit relieved it's going this way?
> Can someone tell me whether I am being a fool by actually being a bit relieved it's going this way?
You're being a fool by actually being a bit relieved it's going this way.
These bills are meant to nudge the overton window[0] of digital politics in the direction of mandating realtime identity verification for all forms of computing. Advertisers want it, governments want it, _bad people and bad governments want it_. By pushing a very small and "weak" legally-required form of user identification on everything under the guise of "saving the kids", all involved parties can point at those who disagree and say "Look, if you disagree you must want to hurt children!" And so the bills pass, and a weak form of identity verification passes and is enforced. Then it'll be shown it doesn't work, and the proposed solution will be to make these identity verification laws more intrusive and more restrictive. Repeat ad-nauseum.
0: https://en.wikipedia.org/wiki/Overton_window
Well, ok. That is what I was fearing, after all. Perhaps I was anchored into the worse position and now am accepting a slight erosion of rights since it's not the entire thing, all at once... the slippery slope is not always a fallacy, after all.
You shouldn't be downvoted for this, the problem is exactly as you described.
LOL. Well said...Seems as if we're on some dystopian track that's eventually going to transform a RealID card into something like a Common Access Card (or worse).
What do you think comes after this? This is just a first step towards exactly requiring age verification at the OS/Store level... Then comes ever more restrictive and intrusive tracking and eliminating all anonymity as a final goal.
Time to start throwing up hobby BBS sites... and I think in this case text mode interfaces over web might be an advantage.
Websites can send down a single header indicating adult content. The device, the parent setup to indicate the users age, can respect that. Legitimate adult websites will not show the content. There is no need for any verification beyond that or it's just government mandated surveillance.
> There is no need for any verification beyond that or it's just government mandated surveillance.
There is no verification beyond that in these sorts of bills (CA, CO, IL). It's the parent's responsibility to watch their kids when they set up an account.
> Legitimate adult websites will not show the content.
This is a big problem (that won't necessarily be solved by this particular legislation, granted). There are already voluntary rating HTML tags websites can add to indicate parental control software should block them, but they're voluntary and non-standardized. Websites can choose not to comply with no real-world consequences. And I don't think platforms like Reddit or X, which are ostensibly all-ages social media but also have an abundance of adult content, are properly set up to serve tags like that on NSFW posts but not other ones.
It's a tricky problem to solve, and, imo, it's one the tech industry has demonstrated it doesn't have any desire to solve itself, hence legislation starting to get involved.
> Websites can send down a single header indicating adult content.
It sounds at first glance like a no-brainer that websites shouldn't have access to any information and the enforcement should be done at a local level (like the current voluntary HTML tags that locally installed parental control software can sometimes read). But some websites might want to display alternate content to minors-- e.g. a Wikipedia article with some images withheld, or Reddit sending a user back to an all-ages subreddit instead of just fully breaking or failing to load when the user stumbles upon something 18+. For anything like that, the website will need to know in some form that the user isn't able to see 18+ content.
Yeah, the laws in CA, CO, and now IL are essentially just mandating generally available OS's implement a standardized, local parental control system.
Detractors will say parents should just install existing parental control software, even though it's existed in its current form for decades and is obviously not effective. And they'll say it should be the parents' responsibility to enforce what their kids are doing with computers, while ignoring the fact that these laws provide tools allowing parents to do just that (the parents are the ones responsible for supervising their kids when they create accounts to ensure they're not lying about their age-- if the kids lie during setup, it's on the parents).
Anyone with kids will probably acknowledge that it's much easier supervising your kid once when they first set up an account on a new device than it would be to supervise them 24/7 when they're using the internet. But for some reason, lots of people without kids are in a panic about having to type in any date older than 18 years ago. The arguments I've heard against it are almost all slippery-slope (e.g. "they're gonna do this first, and then add ID requirements next year, because that's what I fear will happen.")
> The arguments I've heard against it are almost all slippery-slope (e.g. "they're gonna do this first, and then add ID requirements next year, because that's what I fear will happen.")
Because that's exactly what will happen. This is battlespace preparation for the destruction of anonymity on the internet, because politicians find this inconvenient.
> Yeah, the laws in CA, CO, and now IL are essentially just mandating generally available OS's implement a standardized, local parental control system.
Except what about my OS which doesn't have parental controls and can't reasonably be expected to provide them because who's gonna do it and be responsible for it?
1 reply →
> The arguments I've heard against it are almost all slippery-slope (e.g. "they're gonna do this first, and then add ID requirements next year, because that's what I fear will happen.")
And the arguments for it don't promise to fight tooth and nail not to make sure it's not slippery. If the slope does turn out to be slippery, today's proponents will be tomorrow's Hindsight Harrys (e.g. "the cat's already out of the bag, if you cared so much you should have fought this back when we all saw it coming").
The argument about the California bill is not that it is a slippery slope, but that it was drafted by people with zero domain knowledge. It applies equally to toaster ovens as well as iPhones.
1 reply →
> while ignoring the fact that these laws provide tools allowing parents to do just that
These tools are called "parental controls" and already exist - we don't need laws to compel their production.
...unless, of course, the true aim is to use this as a beachhead for further expansion of privacy-violating requirements.
You write this off as a "slippery-slope" argument, but given that there are already quite a few tools that do what this law aims for, what's the point?
8 replies →
The parents can already do that. Its called "parenting". The fact that they won't even though there are (non-required!) tools they could be using to do so is baffling to me.
> if the kids lie during setup, it's on the parents
Pretty much a "Yes, and?" scenario. See above.
> The arguments I've heard against it are almost all slippery-slope (e.g. "they're gonna do this first, and then add ID requirements next year, because that's what I fear will happen.")
I get where you're going, but precisely this. These things always start slow... then fast. The old adage "first they came for x, then y" is not a joke or an exaggeration. It is pretty much historic observation. I've lived long enough to know that whenever someone invokes the "think of the children" defense, there's always a catch.
4 replies →
Next thing you know they'll stamp your ID at the hardware level at point of purchase.
Well, your MAC is already stamped, and is on the outside label of the box sometimes...
this is completely insane. we need some kind of constitutional amendment to get rid of all this kind legislation forever.
People are making way too big a deal of this IMO. This is basically the OS equivalent of that checkbox you click to enter a porn website that gets exposed to Meta, so they can claim that they did what they all the they could to protect children if they get sued by parents. Any determined kid would figure out a way around this, but I can see it stopping younger and less determined kids, and it's a useful tool for parents.
It does not stop at the check box. Someone is going to sue Google/Apple when a 13 year old gets on a porn site. Then Google/Apple will introduce "verification" that requires linking your identity to your device, and attesting this to the "operator" (porn site). Then every person using any OS is tracked, on every website and app, all the time, by law. And Linux becomes illegal without it.
This is not a theory. Laws requiring this are going through the state and federal level right now.
Unlike the California law, I seemed to be in the minority in this opinion, this one does seem to require programs like grep to ask for a users age bracket.
> (b) An operator shall request a signal with respect to a particular user from an operating system provider or a covered application store when the application is downloaded and launched.
Unlike the California law I do not see anything that restricts this to child accounts only.
So let say I have a program:
and I want to publish it to say npm or nixos, or some linux distribution. Not with out violating this law. This application needs to request the users age brackets at least at 'downloaded and launched' optimistically that means once on first launch, but potentially needs to be requested on each launch of the application. So lets fix the program
There we go, now the code is compliant with my imagined ageBracket module.
Wouldn't a some kind of technical standard proposal be a more sensible way to do this than trying to pass OS laws state by state?
1 reply →
Microsoft has already made the installation of Windows a fucking nightmare with MS account requirements. Imagine when they are forcing every new device to not only have 50+ TOPS for Copilot, but also a tiny little internal mass spectrometer autosampler which will prick your finger as you login and analyze blood to carbon date the age of the user.
1 reply →
How would this work for e.g. RTOS or even TempleOS?!
Does the hidden Minix installation on every Intel CPU with the Intel Management Engine count?
constitutional amendment to criminalise corporate lobbying with severe penalties - including capital punishment and confiscation of entire corporation.
Unfortunately, a rhetorical knee-jerk response that it needs universal, specific counter legislation for a "permanent fix" is panacea, magical thinking.
The root cause is a corrupt government doing the bidding of a few rich people and other countries. Fixing that will be very difficult but is nonetheless necessary and possible to largely thwart legislators from working against their own ostensible constituency.
I actually see the golden lining here
>"Operating system provider" means a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device.
I.e Linux will most likely to be immune, since its not tied to a particular computer.
Which just means Linux stay winning. It already made big headway in the video game space, so its prime to take over personal computing too.
All the distros are the providers here. The Linux kernel is not an operating system.
1 reply →
> since its not tied to a particular computer.
That's a really weird and nonsensical reading of "operating system software on a computer".
Wouldn't that include using it on any cloud service that let's you pick it?
it's entirely possible such nonsense is all show, and wouldn't be passed, however.
i'm from illinois, worked in california, and no longer live in either. from afar, it seems that whatever california bureaucrats propose, after a short delay, gets proposed by their little sibling bureaucrats in illinois.
This is 100% true
This. IL and MA follow whatever CA does with a few year lag. Considerations of sanity never enter into the discussion.
4 replies →
It has already passed the Colorado senate.
[flagged]
> For the record, I don’t care enough about age verification. Whether the law passes or not, I don’t really care.
Sounds like there actually would be some benefit commenting about it on HN.
7 replies →
People here seem very against this, but I don't really see it. This only require to have a form asking about your age and provide an API to read it, right?
Surely I'm missing something? Is the backlash due to fear of a slippery slope?
There are basically 2 possibilities with the outcome of this law: It's rather so full of holes as to be meaningless, or it's so invasive as to force open source projects to try to geofence Illinois (which wouldn't be effective either, but might be the kind of compliance theatre we'll see from maintainers worried about liability).
Linux distros always have a "root" user. Does that user have to be asked its age before being usable? What about docker containers, which often come with a non-root user? What about installation media, which is often a perfectly usable OS? It would either have to be so easy to get around this law that most kids could do it easily, or so overzealously enforced as to disrupt the entire cloud industry.
"so full of holes as to be meaningless"
what is the solution then to age gating apps that the public feels should be age gated? (TikTok, Instagram, etc). it seems like every app implementing its own guessing system would have even more holes, right?
this is one where I am sympathetic. the moment when someone, with their parent, is setting up a device seems like the best point to check age. right?
am I missing something?
8 replies →
> It's rather so full of holes as to be meaningless, or it's so invasive as to force open source projects to try to geofence Illinois.
My guess reading the law as linked is that it's much closer to the former than the latter. That being said, you're right that it does bring a bunch of headache alongside with it for little-to-no benefits.
What if I don't want my computer asking for my age and providing an API to give up that information? Why is the government mandating software devs to add bloat and privacy violating features to operating systems?
The slippery slope isn't a fallacy in this case as we've seen the pot slowly come to a boil after 9/11 with various laws like the Patriot Act, FISA, etc. and classified programs within the NSA (and I'm sure all the three letters) which violate the rights of Americans everyday. Now it's a coordinated effort across multiple western countries all of a sudden to introduce laws around verifying your age. It's clear where this is going.
Meanwhile Epstein and the pedo elite are untouchable and with no surveillance of course.
6 replies →
I don't really see any good arguments in favor of it, so why do it? There's no reason my OS needs to know anything about me.
I guess I'm more surprised by the intensity of the backlash this generates here. I agree with you that mandating (weak) OS APIs like this the right approach, but that alone wouldn't warrant the severe reaction this is getting right?
5 replies →
People lie, so there would need to be some kind of proof provided, right? How much data will one need to give up to use a computer? Where/how is that data stored? What else will it be used for? What happens when it’s hacked? How will test systems or servers work? If I want a computer that isn’t linked to the rest of my ecosystem, can I still do that or will age verification require I login with a cloud account?
There are so many ways for this to go badly or simply be annoying.
I’m a guy in my 40s with no kids. I shouldn’t need to deal with all of this. Let the parents turn on parental controls for their kids; don’t force it on everyone.
If Meta needs to find a way to verify age, then that is also their problem. They are trying to make it the world’s problem. I don’t use any Meta products, so again I would question why I need to care about this… why will it become my problem?
The slippery slope then comes in addition to all of this.
It seems Apple already implemented their age verification API. I got prompted for it when opening the MyChart app a few weeks ago. The API used in that case only sends a Boolean if the user is over 18 or not, this is the best of the bad options. However, they have other APIs to get other data from a digital ID. The user is at the whim of the API the developer chooses to use. They can say no, but then they can’t use the app. I’m not sure how Apple validated my age, as I hadn’t loaded an ID into my wallet, but my Apple account is nearly 18 years old, so that might be good enough? If I were to get a Mac and just want to use a local account, then what happens? Can I not verify my age? Will I be able to use the computer or be locked out of the browser? These are some of the fears I have if they take this too far. Maybe some of them are unfounded, but I guess time will tell.
[flagged]
1 reply →
Why should an OS demand personal information from its users? It creates an unnecessary risk that the information will be leaked.
Laws exist that dictate what apps are allowed to do depending on the user's age. This means that in order to follow the law they must collect the user's age. If collecting the user's age is a common requirement of apps it makes sense for the operating system to expose an easy way to do that to make app development easier on that platform.
4 replies →
I am very pro social media regulation (with regards to age gating) due to the evidenced harm it causes, and which court cases have shown these companies are well aware of internally; with that said, this is an attempt by social media companies to shift liability to keep business as usual/status quo. This is no different than what oil companies have done, cigarette companies, chemical companies who have polluted at scale while knowing the harm, etc.
Meta and TikTok (and YouTube shorts to an extent) are the new Sackler family and Purdue pharma. They will hold on to these profit and power engines as long and hard as possible. They will not stop causing the harm unless forced to with regulation.
https://en.wikipedia.org/wiki/Sackler_family
https://en.wikipedia.org/wiki/Opioid_epidemic_in_the_United_...
https://www.profgalloway.com/addiction-economy/
Purdue sold less than 4% of the prescription opioid pain pills in the U.S. from 2006 to 2012. They were a scapegoat for pill farm doctors and an incredible lack of personal responsibility from prescribers, pharmacists and patients.
1 reply →
> This is an attempt by social media companies to shift liability to keep business as usual/status quo.
Do you mind expanding on why that is? Is it because it allows them to say "well the API told us they're adults so we're all good"?
1 reply →
>keep business as usual/status quo.
Umm isn’t that what we want? Or are you suggesting there should be some other legislation in place?
2 replies →
That's exactly how I see it. Verification should be on the social media platforms not your OS.
to me, it's both the slippery slope argument and the lack of real reason other than "protecting minors". operating systems were designed to run the program/programs. You can make applications use this API to determine the user age, or you can just...ask the user in the application itself. I also don't see why this is a requirement rather than an option the same way I don't see why having a Microsoft account is required to install windows or access to internet (without the current workarounds) or even those password reset questions and to some extent asking for first and last name. If I want to add those information, let me do that myself or when i use said software, don't make it a hard requirement.
The bill itself sort of goes against its "purpose". If the purpose is to make a convenient API for stores to know their user, and avoid showing them certain content then why did the bill state: "If an operator has internal clear and convincing information that a user's age is different than the age indicated by a signal received in accordance with this Section, the operator shall use that information as the primary indicator of the user's age."
because many people lie in those forms. Many people on steam will select they were born in 1900, including myself. So how will this API help? the only way for it to be useful is if they later require full verification.
The way I see it (to strongman the bill's position) is that by mandating it at account creation, an adult/parent can ensure that the age is properly set for a minor/child.
That being said, I don't think this bill was that well thought out as the implication are far reaching (will I need to enter an age when provisioning a VM?).
I mostly see it as a clumsy attempt to provide a mechanism for age-category attestation in a way that is more privacy-friendly than Texas's "upload-your-id" law.
1 reply →
I think the implication is that this law is incredibly bad. I don't mean for privacy, I mean for fulfilling it's purpose. This will prevent approximately zero kids from accessing whatever.
What that means is that we will have to amp it up, if we want to achieve it's purpose. So, that's not a slippery slope, that's a prophecy.
When we get cryptographically backed identity verification on all computing, that will legitimately be the end of computing as we know it.
If it is so simple - that ensures nothing, faked easily - then what's the point wasting efforts on it? Why to complicate things? Why spend time and efforts to do it? And annoy with one more tiny thing on top of the hundrends? Why not just not doing it?
Or, in contrary, when it is very reliable, so it can map a very specific real person to a reliable and true birth date, then f off binding myself to a randome computer account that gives it out to whomever is asking it!
There is no good in this story.
The backlash is from Meta trying of assign liabilities of their business practices on people who may not even be users.
Yes, this is just the beginning of a huge swath of innocent APIs to identify people on the internet. Meta isn’t going to stop, and neither will governments.
The government is not allowed to specify what your software you run on your local personal computer or how that software should work. This is a first amendment issue, it’s been defeated before, it will be defeated again. If this were ever upheld, you will immediately have legislation attempting to force OS makers to spy on users, add backdoors, and so on.
Edit: also, before the same jackass from the last few discussions on this mentions “muh ADA” again, the ADA has never been shown to apply to an OS in court nor does it mention anything about operating systems.
This is the framework for requiring government ID to use online services, which increasingly power even local computing (thanks to DRM and cloud services).
They want to abolish anonymous use of internet services, because anonymous publishing at scale is powerful and dangerous to incumbents when they can’t retaliate with malicious prosecution, police harassment, or assassination.
Please explain how this law (or the CA one for that matter) require government IDs. It is worded specifically to _not_ require ID.
1 reply →
The "one weird trick" that all government hates? Stop forcing OSes to function with accounts. "User account" is an artifact of UNIX. You don't need an account to start a car, send and email, nor boot an operating system. I know it's hard to grasp, but it's true.
> You don't need an account to start a car, …
Don’t say this too loud please, I don’t honestly think we’re too far from this reality, at least from an “Overton Window” point of view.
Some cars already have accounts. If you don't pick one, it assumes the prior one is being reused - so de facto it's already here.
[flagged]
What's the "user account" for an iPhone? Sure you might have to sign into icloud, but that's not mandatory. It's effectively a single user system.
i'm sure there is some sorta root user on that system if you go digging far enough?? or am i just ignorant
The "User account" of the OS are the security contexts. You can say everything should be a single security context, and this is how a lot of people have been operating their MS Windows machines, logging in as admin constantly, but this is a stupid idea and comes with risks. Even when you say the OS can have a second root account, that the user never gets to use, you have two user accounts.
You're conflating profiles with user accounts. "Admin user" didn't exist until Windows NT. You don't need permission to change your clothes!
Growing up, I vividly remember user accounts being important for our families personas on Windows XP. There's definitely a place for them, but there should be an option to not use one.
Unless your specifically calling out accounts that require online registration for the OS. I'm vehemently against that requirement.
Nice username btw.
Thank goodness kids can't lie about their age!
Wait - if this is just to pass a signal to an operator ("social media site"), why can't the "operator" just ask for the age themselves?
Answer: they don't want to be liable and get fined $400 Million, like Meta got fined, for letting kids on social media. (https://www.nytimes.com/2022/09/05/business/meta-children-da...)
This is why Meta is forcing this legislation through nation-wide. They are forcing Google/Apple to take the liability, despite it not actually being Google or Apple that's providing the "harmful" social media. Meta are doing this state-by-state so nobody can track that it's them. Easier than pushing at a federal level, and raises fewer red flags from news media.
Since Google and Apple won't want to accept this liability either, the next step is requiring digital IDs and third-party verification to prove the user is of age. This will enable tracking of all users, whatever app or website they go to. Bills requiring this are already being passed at state and federal level.
I wonder how this will mix wit federal laws saying you aren't allowed to track users under the age of 13yo? Will this then be forced as a browser API/header passed to every server/request?
Yeah but if so, what does it have to do with the OS itself, i.e. outside the browser?
From articles I've seen, it's mostly Facebook lobbying to "pass the buck" upstream to the OS level to actually inquire... this of course will blead into the OS provided "store" interfaces most likely. And while, likely mostly targeting Apple and Google, MS/Windows and Linux are definitely going to be catching stray bullets. In particular vendors with Linux pre-installed... hence System 76 adding the feature to PopOS. Who knows if/how this will come about in practice or how consistently.
Even if open source operating systems comply and add such a feature, what's to stop individual people from removing this and blocking the API requests before they install the OS? Or providing dummy responses? They're open source, after all.
Is the government going to require some sort of automated checks that verify every person who connects to the internet has this API on their OS and go after individuals that aren't in compliance?
In a perfect world the right way to protect children from digital dangers is by proper parenting. In the real world the government steps in so that the next generation doesn't come up crippled. The solution is imperfect and might be a privacy nightmare but is better than nothing. There is a lot of bad parenting in preventing digital-related problems in children.
How will public libraries comply?
Presumably they'll burn down the libraries.
Find your rep and let them know you do not approve: https://www.elections.il.gov/electionoperations/districtloca...
Curious how OpenBSD or Haiku will comply.
For what I understand, OpenBSD could just patch useradd so that the age category is mentionned in the comment field of /etc/passwd or a random text file in /etc.
Haiku could just run an automatic dialog asking you if you are minor, in Illinois or California and write a text file with the corresponding age category of said person.
These bills do not mandate that the user cannot modify that information AFAIK.
I can't imagine OpenBSD would be bothered by laws specific to a very small selection of US states.
By adding a simple birthdate field to your account info and a system API of some sort for retrieving the account owner's age range, same as everyone else.
Tbh they probably don't care about anyone other than Microsoft or Apple, though it's certainly not written that way.
OpenBSD devs have signaled noncompliance from their Canadian fortress of freedom.
I didn't know a single company could just pay politicians state-by-state to pass a given law - in my country that would be a crime, but it seems in the US this is how the legislation process works :)
Apparently you can file your arugements against it: https://www.ilga.gov/house/hearings/details/3062/22570/Creat...
i look forward to the police showing up and explaining to me how computing is a privilege, not a right
What recourse would Illinois have against open-source operating systems? Anyone can roll their own Linux distro and share it with whomever they want.
> What recourse would Illinois (!) have against open-source operating systems?
None but them corporations sure do. And with a little cash in the right place I'm sure they can push recourse onto people of power. We really need to end political lobbying one of these days
There's something I've never seen a good answer to: why is this being mandated in the OS vs requiring it for apps - or classes of apps? There's plenty of parental controls already available for browsers - after verifying the user's age on startup, why not add a header field that the browser inserts along with AgentID (for example) and call it a day?
1. It's easier to download a new browser than reinstall your OS.
2. Plenty of websites make their own apps, and then you're back to just having every website under the sun trying to verify everyone's age to know who to show explicit content to.
What are they going to do to enforce this? Take down open source projects that "operate" in Illinois because a user downloaded the software there? Absolute joke and everyone should treat it that way; advanced compliance here means implicit support for the surveillance state.
These people are just so clueless. All they will find is that everybody on the internet is an adult.
If allowing children access to social media is dangerous, then why aren't they enforcing existing child abuse and child endangerment laws? Throw the parents in prison for failing to control their children.
>If allowing children access to social media is dangerous, then why aren't they enforcing existing child abuse and child endangerment laws?
Because there's no remotely compelling evidence for this and it'd be thrown out by a judge as a huge parental rights violation.
So the justification for these age restrictions is bogus then?
Every single sponsor of this bill is a Democrat. Why is that? I would think they’re against the type of puritanical moralizing that is behind most age verification bills.
You must be too young to remember Tipper Gore...
https://en.wikipedia.org/wiki/Tipper_Gore
Oh I remember. I just assumed things have changed enough, and that the threat of theocratic ideology - what’s behind project 2025 - would have made such stances unacceptable. My guess is this has more to do with lobbying and donor interest.
they love money and facebook has the cash to bribe them
"I like money." - Frito Pendejo
What is the reasoning behind this exactly? Yeah, I know Meta is behind it, but surely they will throw it out if it is absord, right... right?
The most progressive states doing exactly what their constituents elected them to do. I don't understand why everyone is so surprised.
"Progressive states" like Utah, Texas, and Louisiana?
https://le.utah.gov/~2025/bills/static/SB0142.html
https://capitol.texas.gov/tlodocs/89R/billtext/html/SB02420S...
https://www.legis.la.gov/Legis/ViewDocument.aspx?d=1427667
Literally every single thing you linked to is completely unrelated to the topic at hand.
Those are all specifically targeted at mobile app stores—which already verify age—and have nothing to do with general purpose operating systems or their account creation.
Try moving the goalposts more carefully next time.
1 reply →
Why would California be dumb alone, let's show them we can be too... I don't know how else to read this.
My future OS: https://agelesslinux.org
three states passing the same template bill in three months isn't organic legislation
How can any of this be implemented in simpler OSes like freedos?
Read and share "Free Software, Free Society" now.
Richard Stallman advised us about it long ago.
Thank god Plan9 got relicensed into GPL. 9front might not totally free, but it's a step in case GNU+Linux gets utterly broken.
And, yes, please, go try Trisquel (novice users), GUIX (experts) and Hyperbola (experts and protocol purists).
Avoid every Google, Amazon, Facebook, Apple, Netflix service with nonfree JS.
The pragmatic Richard that wrote that book is long gone I'm afraid.
Today his blog is filled with weird rants against voter ID, the Iran conflict, and a list of other countries he dislikes because they have national ID cards and this is a bad thing apparently.
For someone who is a renowned world traveler, you would think he has heard of passports by now.
Not a peep about these bills that could have a very real impact on an operating system he invented (gah-noo).
Then again, since he's never installed it himself*, account creation is not something he would have to deal with or care about.
* https://www.youtube.com/watch?v=umQL37AC_YM
Maybe the solution is as simple as having an adult create your account for you.
Like paying a homeless guy to buy you booze or cigarettes, not that anyone would ever do that.
When I need to use my computer, I'm not thinking about someone else's crusade. I have crusades of my own to fail miserably at and I need all the help I can get from whatever products function best.
“Use of this computer is illegal in the state of Illinois - your friendly neighborhood SWAT team has been notified.”
What is their intent with this, for an OS?
How old is root?
$today - 1970-01-01T00:00:00
I was talking about middle grounds and finding a workable/tolerable solution a few days ago, but as I'm entitled to, I've changed my mind now that I've found out freaking zuckerberg is behind all this. it isn't the will of the people.
That's what has me down about US politics big time. Even the most extreme voices in politics (warren, sanders, aoc,etc..) don't even come close to holding these people accountable. I don't care about taxing them, I care about prison time for interfering with a democracy like this (not retroactively of course). No one is even entertaining properly criminalizing such behavior. Even they made it illegal, they'll just make it a fine a billionaire can pay like an oopsie parking ticket.
These ruling class types have always been there, and human nature is such that they will always be there. But you have to understand, this isn't feudal era England, the government and society isn't built to tolerate them. Their behavior as such is parasitical and only leads to destruction of society. In their parasitism, they've fooled themselves into believing their wealth can shield them. But the nature of the parasite is such that it can't live without a viable host.
Whatever you believe about billionaires controlling politicians, it's much much worse than you think.
here is the date I will put out....
1 10 0000
or even better
1 10 -2000
This will turn into most useless set of laws ever
Karens making stupid bills. What is and what is not an OS?
What the hell is going on. Why does it seem like largely out of nowhere there is suddenly such a dramatic push on age verification and internet censorship popping up literally all over the world at the same time.
Meta seems to be pushing for it to cover their liability.
Fuck this "think of the children" unnecessary, astroturfed, privacy invasive corporate corruption of government. This is just the opening salvo in erosion of individual rights.
Somehow I'm not surprised. They voted for Biden in 2020 then for Kamala. Just like california with it's OS age verification.
Hey, it's mostly those northern city folk who vote blue. Down where I'm at it's all pretty much red.
Why suddenly are all of the blue states doing this BS? What is going on and what control is this affording the government?
Lobbying from Meta. They do not want to do age-verification themselves (and pay for it).
See the actors behind this here (Meta is a big one): https://tboteproject.com/
Blue states: paternalism over your property, liberty for your body
Red states: paternalism over your body, liberty for your property
except for during covid, where there was a weird reversal.
5 replies →
Meta is behind a huge amount of it, they have funded the majority of these
Meta is lobbying with millions for it.
A few people have replied saying Meta lobbying, but the bills Meta is known to have lobbied for seem to be the ones that require actual age verification that would tend to increase the amount of personal data Meta gets.
Meta's lobbying spending is cited for states not doing that kind of bill, but that's their total lobbying spending in that state.
These new bills in the style of the California one do not require any actual age verification and don't give any information to sites or apps other than the age range that whoever made the user account on the device entered.
It is essentially just requiring a simple parental control mechanism be provided by the OS which provides a way for parents to set age ranges for the accounts of their children and an API that apps that need to check age can query.
On a Unix or Unix like system this could be as simple as having the command to create a user account ask for age or birthdate and store that somewhere (maybe a new field in /etc/passwd) and then adding a getage() function to the standard library that apps can call to get the age range for the current user.
From the "we want to slurp up everything we can about you" point of view usually associated with Meta it is not obvious why Meta would support this approach.
Age checks can broadly be divided into 3 categories.
1. Done entirely on the local system, with only the result being revealed to the app/site that is asking. Age information comes from the owner/administrator of the system. I.e., the parental control approach.
2. Done using the local system and some external source of age information like your government. Only the result is revealed to the app/site that is asking.
3. Verification is done directly with the site that is asking, or through a third party. You have to supply sensitive documents like your government ID to the site or the third party.
#3 is terrible for privacy and anonymity. The red state laws tend to be in this category.
#2 depends on the details. There may be ways using the timing of the communications between your system and your ID supplier (e.g., your government) and the communications between your system and the site you are proving ID to that could allow the site and the government to get more information that you want them to. There are cryptographic ways to prevent that, especially if the device has a hardware security module. It thus comes down to with #2 that you really need to look at the details.
I'm not sure if any US state is taking this approach. The EU is, with cryptography to make it GDPR compatible and allow anonymous verification. Google and Apple are also working on such systems.
#1 is basically equivalent to the "Are you 18+" dialogs on many adult web sites, except moves to the device and the admin can if they wish prevent non-admin users from lying.
It is not really surprising that blue states are tending more toward #1, especially considering that several of them are among the states that have the strongest state privacy and data protection laws.
Because Meta's got the government breathing down their neck to confirm that everyone who interacts with their site is of appropriate age due to COPPA. They don't want to do that kind of verification themselves so they're backing legislation to compel the OS to do it.
Agelesslinux
[dead]
[dead]
Too much for Dem's state.