* This approach is the _most consistent_ with retaining anonymity on the internet, while actually helping parents with their issues. If any age-relevant gatekeeping needs to be made on the internet at all, this is the one I find acceptable.
* this is because the act very specifically does NOT require age _verification_ ie using third-parties to verify whether the claimed age is correct. Rather, it is piggybacking on the baked-in assumption, that parents will set up the device for their kids, indicating on first install what the age/DoB is, then handing over the device -a setting which can, presumably, only be modified with parental consent
* yes, there are edge cases, esp in OSS, and yes, it would be nice to iron those out -but the risk = probability x impact calculus on this is very very low.
* If retaining anonymity on the internet is of value to you, don't let the perfect be the enemy of good enough.
I understand where you’re coming from, but I respectfully disagree with some of the points you made:
* It’s ambiguous how your proposed parental setup and control process would work for anything other than walled gardens like Apple’s ecosystem. On an OS like Debian, does that mean a child can’t have the root password in case they use to it change the age? Does that mean we need a second password that needs to be entered in addition to the root password to change the age? Will Arduinos and similar devices also need to be age gated?
* Those edge cases might seem small, but read broadly they would require substantial, invasive, and perhaps even impossible changes to how FOSS works. If the law isn’t changed and FOSS doesn’t adapt, this basically means the entire space will exist in a legal gray area where an overzealous prosecutor could easily kill everything.
* This is not a matter of “perfect vs good enough”, this is a major slippery slope to go down. Also, this doesn’t mean age _verification_ will simply go away.
So if it's an application that runs within the os that the parent enables and does not collect or send any personal info that sounds reasonable. But if has to be embedded into the OS that's going to present problems I can only imagine.
that would be fine if the embedding means all applications can leverage this functionality - like how accessibility is embedded into the OS rather than per-app.
The only problem is if this embedding requires third-party verification (which i dont believe it is), or require some sort of hardware attestation to a remote server (so you cannot modify the OS to turn it off if you wish as a non-parent).
To me, flexibility and choice is paramount. The parents have the responsibility to monitor their child, and this tool should help when the parents opt-in for it. It should not be enforced on all computer users arbitrarily without a parental opt-in first.
“Covered application store” means a publicly available internet website, software application, online service, or platform that distributes and facilitates the download of applications from third-party developers to users of a computer, a mobile device, or any other general purpose computing that can access a covered application store or can download an application.
So… DNS servers are “covered application stores”, right? As is PyPI or GitHub or any other such service. S3 and such, too — lots of facilitating going on.
And I’m wondering… lots of things are general purpose computers. Are servers covered? How about embedded systems? Lots of embedded systems are quite general purpose.
> So… DNS servers are “covered application stores”, right? As is PyPI or GitHub or any other such service. S3 and such, too — lots of facilitating going on.
"Facilitate" implies an active role in the participation of the activity, rather than a purely passive role. A DNS server no more facilitates distribution of an application than the power company providing power does.
PyPI and Github aren't facilitating the download of applications, they're literally platforms for downloading them. If they aren't covered by the law's definition of "application store" [1], then the law itself is badly written, since they're platforms whose primary purpose is to let you download software!
[1] Whether or not the law's provisions should apply to them is a different policy question, but as a category, they are definitely things like application stores.
On the one hand the legislation seems unimplementable for many OS makers, not just FOSS ones.
(The issue of "primary owner of the device" being the most problematic.)
Equally the concept of "app store" is different for different OS's. iOS and Android are clear. Mac and Windows are mostly "download and run from website" (although both want to pivot to appstore, with varying degrees of success.)
Then we need to wonder if yum and apt are stores, given that they aren't actually owned by "linux".
In truth though it kinda doesn't matter. It's trivial to add an "age" field to account creation. It's trivial for users to enter any date they like. So on the one hand it's easy for OS makers to comply, it's easy for users to lie.
Presumably if the law could have mandated age checks then would have, so I'm not even sure thus is slippery slope. Most minors don't have photo ID. Most desktop hardware doesn't have a camera (at the time of account creation.)
This feels like performative law-making. Vague language. Unenforceable user participation.
> Then we need to wonder if yum and apt are stores
IMO this is quite simple - as they provide software, they are "stores" too. Although I think most would associate a store with e. g. MS store, Apple store and so forth.
The word "store" is weird though. Would it not be easier to use different words? Anyone providing software for download; and perhaps add a size threshold to stop pestering small business or solo users. This really seems to target Linux here.
Annoyingly? Ironically? The best technical implementation of this law would be to make it possible for the "device owner" to tell the OS to set a flag that the user was under age. Never send the age, never send anything else. Just have a global variable indicating that the user is under age that can be accessed by the browser.
Now what would happen after that?
First oses would have to implement the above in a way that could not be bypassed, pretty much impossible if the child has access to the device.
Then you would need to require that websites honor that token or any similar token no matter how it was implemented ... https MITM etc. good luck with that.
Finally once all the implementation and enforcement hurdles are complete every website out there would immediately know that the user browsing was a child and all the trackers and ad networks on the web would immediately start targeting those users because children are marks.
Now you need even more laws and regulations to protect the children from being targeted by advertising companies, and good luck with enforcing that.
"It probably does not apply to you" and "Laws are usually applied as intended" and "You'll probably be ok" is what i keep hearing.
None of that addresses "if you get unlucky and some prosecutor decides to help his career by prosecuting you as an enabler-of-child-inappropriate-whatever-it-is". YOLOing away one's freedom on "probably" seems risky, and there is no reward to be had for doing it.
The only sane solution is to simply add "not for use in california" to all OSs, until California gets its collective head out of its collective rectum.
Four of the biggest OSes (iOS, macOS, Android, and Chrome OS) are made in California by the companies who pushed this legislation through. Never going to happen.
The Digital Age Assurance Act is a disaster both in concept and in its statutory language. Its author(s) seem to be entirely unaware of how software is distributed outside of walled gardens like Apple’s ecosystem. If I’m understanding the law correctly, then even software like Homebrew would have to implement some kind of integration with macOS to detect a user’s age. On a naive level, I’m surprised such an obviously flawed bill was passed and signed in California, where there are so many tech companies and lobbyists. The realist in me, however, realizes that tech companies don’t care about the privacy and software supply chain impacts and might even want these impacts to happen as a way of consolidating their control over the market. As an American progressive, it disappoints me that the only thing progressives and conservatives seem to agree is stripping ordinary people of any semblance of anonymity or privacy in the name of “safety”.
IIRC there wasn’t anything about the OS needing to validate the info, just ask for it at setup and provide it when requested. Part of me wonders if this was just an attempt to stake out a position as to what a law of this sort, that still respects privacy, might look like.
I dunno. I don’t love it. But if a dumb age-range flag became “the thing” to check, well, that’s be less invasive than uploading an ID or something.
Stallman was, once again, right. We need free software and hardware more than ever because of idiotic laws like this. Because of the decentralized development model, there is no single company or developer that can be unfairly targeted and coerced into adding anti-features such as age verification or encryption backdoors. California can shove its requests where the sun don't shine.
It is indeed strange that California suddenly became a lobbyist's paradise. Louis Rossmann doesn't have an infinite number of time available and he is more an East Coast person, even after having left New York, but it would be really interesting to see which lobbyists drafted that law. It will probably be copy/pasted to more states soon.
I'm almost certain we will live to see "they can't fine all of us" get torn to shreds in real time as government language models patrol the 'net for software projects that lack an age verification call.
Why, we could even see a legal requirement for code repositories to run one themselves, constantly scanning for compliance. That way the compute cost is offloaded properly on the citizenry :)
Did they? Or is it regulatory capture? MS is really pushing their online MS account thing, Apple and Google already have online accounts associated with your OS profile. It feels a lot like regulatory capture...
Counterpoint to peeps on this thread:
* This approach is the _most consistent_ with retaining anonymity on the internet, while actually helping parents with their issues. If any age-relevant gatekeeping needs to be made on the internet at all, this is the one I find acceptable.
* this is because the act very specifically does NOT require age _verification_ ie using third-parties to verify whether the claimed age is correct. Rather, it is piggybacking on the baked-in assumption, that parents will set up the device for their kids, indicating on first install what the age/DoB is, then handing over the device -a setting which can, presumably, only be modified with parental consent
* yes, there are edge cases, esp in OSS, and yes, it would be nice to iron those out -but the risk = probability x impact calculus on this is very very low.
* If retaining anonymity on the internet is of value to you, don't let the perfect be the enemy of good enough.
I understand where you’re coming from, but I respectfully disagree with some of the points you made:
* It’s ambiguous how your proposed parental setup and control process would work for anything other than walled gardens like Apple’s ecosystem. On an OS like Debian, does that mean a child can’t have the root password in case they use to it change the age? Does that mean we need a second password that needs to be entered in addition to the root password to change the age? Will Arduinos and similar devices also need to be age gated?
* Those edge cases might seem small, but read broadly they would require substantial, invasive, and perhaps even impossible changes to how FOSS works. If the law isn’t changed and FOSS doesn’t adapt, this basically means the entire space will exist in a legal gray area where an overzealous prosecutor could easily kill everything.
* This is not a matter of “perfect vs good enough”, this is a major slippery slope to go down. Also, this doesn’t mean age _verification_ will simply go away.
So if it's an application that runs within the os that the parent enables and does not collect or send any personal info that sounds reasonable. But if has to be embedded into the OS that's going to present problems I can only imagine.
> But if has to be embedded into the OS
that would be fine if the embedding means all applications can leverage this functionality - like how accessibility is embedded into the OS rather than per-app.
The only problem is if this embedding requires third-party verification (which i dont believe it is), or require some sort of hardware attestation to a remote server (so you cannot modify the OS to turn it off if you wish as a non-parent).
To me, flexibility and choice is paramount. The parents have the responsibility to monitor their child, and this tool should help when the parents opt-in for it. It should not be enforced on all computer users arbitrarily without a parental opt-in first.
> while actually helping parents with their issues.
> that parents will set up the device for their kids
Are the devices parents are currently setting up lacking these controls? Is there no third party software which can achieve this?
Then why is it a crime with an associated fine for me to provide an OS which does not have one? How have I failed to "help parents with their issues?"
What a crappy law.
> Section 1798.500(e)(1) states:
“Covered application store” means a publicly available internet website, software application, online service, or platform that distributes and facilitates the download of applications from third-party developers to users of a computer, a mobile device, or any other general purpose computing that can access a covered application store or can download an application.
So… DNS servers are “covered application stores”, right? As is PyPI or GitHub or any other such service. S3 and such, too — lots of facilitating going on.
And I’m wondering… lots of things are general purpose computers. Are servers covered? How about embedded systems? Lots of embedded systems are quite general purpose.
> So… DNS servers are “covered application stores”, right? As is PyPI or GitHub or any other such service. S3 and such, too — lots of facilitating going on.
"Facilitate" implies an active role in the participation of the activity, rather than a purely passive role. A DNS server no more facilitates distribution of an application than the power company providing power does.
PyPI and Github aren't facilitating the download of applications, they're literally platforms for downloading them. If they aren't covered by the law's definition of "application store" [1], then the law itself is badly written, since they're platforms whose primary purpose is to let you download software!
[1] Whether or not the law's provisions should apply to them is a different policy question, but as a category, they are definitely things like application stores.
I guess we will have to replace the OS of every system that can play a violent and inappropriate videogame, like Doom.
Christ, that would make Google, Dell, Netgear, and Comcast a "covered application store".
This isn't a law. It's a prayer.
DNS doesn't generally distribute applications, so no it doesn't apply.
but it facilitates the download.
This is an intentionally vague law, and seems like the governor is more than happy to call for amendments: https://www.gov.ca.gov/wp-content/uploads/2025/10/AB-1043-Si...
On the one hand the legislation seems unimplementable for many OS makers, not just FOSS ones.
(The issue of "primary owner of the device" being the most problematic.)
Equally the concept of "app store" is different for different OS's. iOS and Android are clear. Mac and Windows are mostly "download and run from website" (although both want to pivot to appstore, with varying degrees of success.)
Then we need to wonder if yum and apt are stores, given that they aren't actually owned by "linux".
In truth though it kinda doesn't matter. It's trivial to add an "age" field to account creation. It's trivial for users to enter any date they like. So on the one hand it's easy for OS makers to comply, it's easy for users to lie.
Presumably if the law could have mandated age checks then would have, so I'm not even sure thus is slippery slope. Most minors don't have photo ID. Most desktop hardware doesn't have a camera (at the time of account creation.)
This feels like performative law-making. Vague language. Unenforceable user participation.
> Then we need to wonder if yum and apt are stores
IMO this is quite simple - as they provide software, they are "stores" too. Although I think most would associate a store with e. g. MS store, Apple store and so forth.
The word "store" is weird though. Would it not be easier to use different words? Anyone providing software for download; and perhaps add a size threshold to stop pestering small business or solo users. This really seems to target Linux here.
yum and apt are binaries that reference config files et. al. to search a url tree via a manifest, they are no more stores than curl or wget.
curl and wget surely facilitates the download.
No one could interpret yum or apt as stores on their own. The "store" would be the repository that the software is coming from.
They’ll just slap a “Not for use in California” label over the download page then move on with their lives
Annoyingly? Ironically? The best technical implementation of this law would be to make it possible for the "device owner" to tell the OS to set a flag that the user was under age. Never send the age, never send anything else. Just have a global variable indicating that the user is under age that can be accessed by the browser.
Now what would happen after that?
First oses would have to implement the above in a way that could not be bypassed, pretty much impossible if the child has access to the device.
Then you would need to require that websites honor that token or any similar token no matter how it was implemented ... https MITM etc. good luck with that.
Finally once all the implementation and enforcement hurdles are complete every website out there would immediately know that the user browsing was a child and all the trackers and ad networks on the web would immediately start targeting those users because children are marks.
Now you need even more laws and regulations to protect the children from being targeted by advertising companies, and good luck with enforcing that.
This is a mess.
"It probably does not apply to you" and "Laws are usually applied as intended" and "You'll probably be ok" is what i keep hearing.
None of that addresses "if you get unlucky and some prosecutor decides to help his career by prosecuting you as an enabler-of-child-inappropriate-whatever-it-is". YOLOing away one's freedom on "probably" seems risky, and there is no reward to be had for doing it.
The only sane solution is to simply add "not for use in california" to all OSs, until California gets its collective head out of its collective rectum.
"Designed by Apple in California, not for use in California" would be quite the statement.
FWIW, only the attorney general can bring cases, not district attorneys or individuals.
Four of the biggest OSes (iOS, macOS, Android, and Chrome OS) are made in California by the companies who pushed this legislation through. Never going to happen.
The Digital Age Assurance Act is a disaster both in concept and in its statutory language. Its author(s) seem to be entirely unaware of how software is distributed outside of walled gardens like Apple’s ecosystem. If I’m understanding the law correctly, then even software like Homebrew would have to implement some kind of integration with macOS to detect a user’s age. On a naive level, I’m surprised such an obviously flawed bill was passed and signed in California, where there are so many tech companies and lobbyists. The realist in me, however, realizes that tech companies don’t care about the privacy and software supply chain impacts and might even want these impacts to happen as a way of consolidating their control over the market. As an American progressive, it disappoints me that the only thing progressives and conservatives seem to agree is stripping ordinary people of any semblance of anonymity or privacy in the name of “safety”.
So how does it apply? Is that the mandatory age verification clause that forces everyone into becoming a data sniffer?
California is kind of strange - on the one hand giving rise to open source; on the other hand being a lobbyist's paradise.
IIRC there wasn’t anything about the OS needing to validate the info, just ask for it at setup and provide it when requested. Part of me wonders if this was just an attempt to stake out a position as to what a law of this sort, that still respects privacy, might look like.
I dunno. I don’t love it. But if a dumb age-range flag became “the thing” to check, well, that’s be less invasive than uploading an ID or something.
As Disney took open source IP (fairy tales, etc) and pulled the ladder up behind them, so too are tech companies.
When will the AI bubble pop already? Things seem to just get worse
Stallman was, once again, right. We need free software and hardware more than ever because of idiotic laws like this. Because of the decentralized development model, there is no single company or developer that can be unfairly targeted and coerced into adding anti-features such as age verification or encryption backdoors. California can shove its requests where the sun don't shine.
It is indeed strange that California suddenly became a lobbyist's paradise. Louis Rossmann doesn't have an infinite number of time available and he is more an East Coast person, even after having left New York, but it would be really interesting to see which lobbyists drafted that law. It will probably be copy/pasted to more states soon.
I'm almost certain we will live to see "they can't fine all of us" get torn to shreds in real time as government language models patrol the 'net for software projects that lack an age verification call.
Why, we could even see a legal requirement for code repositories to run one themselves, constantly scanning for compliance. That way the compute cost is offloaded properly on the citizenry :)
Incredible that California lawmakers choose to deliberately ignore the entire tech industry (that brings California its revenue.)
Did they? Or is it regulatory capture? MS is really pushing their online MS account thing, Apple and Google already have online accounts associated with your OS profile. It feels a lot like regulatory capture...