On the unfortunate need for an "age verification" API for legal compliance reasons in some U.S. states
lists.ubuntu.com/archives/ubuntu-devel/2026-Mar…
Comments from other communities
Is it really not as easy for them as saying "hey btw don't use this distro if you're in California" and fully expecting nobody to comply? I'm not sure if Ubuntu is based in Cali in which case I can see it being more difficult.
Also this "age bracket" thing seems to have an obvious flaw in that any application that's running semi-regularly can just poll the API every day and find out the user's DOB by checking when they roll into the next bracket. It's actually leaking more data about children than about adults in that case. Brilliant.
On the other hand, it's one of the least intrusive proposals I've heard in this round of debate. The parent flags the account as a child, the browser sends one (or more, in this case) extra bit indicating if it should receive the adult content (whatever it might be) or not.
No ID verification, no face scanning, no credit card checks, no companies building profiles of everybody on earth and sharing them with shady institutions. Plus, it pushes the responsibility back to the parents, who (hopefully) know the child the best, and can adjust the restrictions either way if needed.
Now I can finally accept that the age verification issue is merely "controversial", instead of absolutely evil global conspiracy.
On the other hand, it's one of the least intrusive proposals I've heard in this round of debate.
It matters not, it's still intrusive, and it's the foot-in-the-door to demand more.
If you let a nazi peek into your bar and stay, it's a nazi bar.
Canonical: "let's make age verification a DBUS requirement!"
Omg, how can they suck so much! Next time I open that thread, I'm gonna surely find a proposal for systemd-ageverificationd!
I think the obvious problem that those mailing list proposals are missing is that even implementing the minutest part of this law is little more than a "foot in the door" thing. Once the law is passed and a compliant vendor publishes, that sets jurisprudence so that Christofascists can update the law strengthening the requirements, such as adding a user photo (which IIRC account service already supports via $HOME/.face!), LGBTQ+ status, National ID Document, etc.
The correct option in Linuxland is simply to WONTFIX, and if any California and Colorado corporate users whine about it, well, that's what they voted for. Wanna fix it? Kick your bad leaders out of office.
My message to Ubuntu and all Linux distros is simple:
DON'T OBEY FASCISM IN ADVANCE!
Canonical can kiss my behind if they want to implement digital ID.
It's not though. It's literally asking the user "how old are you?" and not even caring if they lie. It's not even requiring a date, just a number of years.
It's not even requiring a date, just a number of years.
Several posts in the mailing list thread specifically mention adding Y, M, D fields for DOB.
As an option, so it can automatically increment the brackets.
Which gives away the whole birthday because applications requesting the age bracket can memorize values and notice what day they change.
That is a good point. Websites also if they are visited daily or if a web beacon or such can access the API.
Manually adjusting the brackets until 18+ (or just lying about the precise date) would grant more privacy. I can see making that trade-off though.
Somebody should go ahead and make an "is-user-old" command that just reads from /etc/age.txt and returns YES, NO, or IDK.
Europe Pub (PieFed)
kbal
A "good faith effort to comply" with a bad faith law is to pipe /dev/yes to the API.
Also showing lawmakers how easy it is means even more laws down the pipeline to really make development disgusting because "it worked before, right?"
They are building the framework piece by piece. First the API is "Honour Based" then it goes to "Prove It". For once it looks like baby steps instead of full blown head in a toilet of fresh shit like usual. Build your off line libraries, soon the only way to win will be not to play
I mean.. there's nothing stopping anyone from setting their age to 100 years old. It's not like they are adding any sort of identification check, from what I gather. Just doing the minimum to comply.
For now
I might have a lot of fun things that aren't legal in California. Never thought my OS would be one, but here we are.
If people went out of their way to learn a damn thing about computers, and all-consuming jobs didn't force entire generations raised without parents, and maybe they didn't let their 6 year olds on social media / online gaming / whatever unsupervised, maybe there'd be more backlash to the state and corporations trying to step in as parental figures.
…Wish that wasn't too friggin' much to ask.
Servers and data centers have zero business knowing anything about who's behind my machine by default.
Does FreeDOS need to comply with this law? After all these years, a new 21h interrupt!
Does it have accounts?
No, or at least I hope it don't. DOS never had user accounts to begin with as it was always single-user, or at least the variants everyone is familiar with (MS-DOS, PC-DOS, DR-DOS, FreeDOS). There was a short-lived Multiuser DOS sold by Novell, but none of us on this thread have probably ever even seen it in the wild let alone heard of it outside of a wiki page.
The only way you could've locked others out of your DOS PC back when that platform was relevant, was to physically lock them out of turning your PC on while you were away, to which there were multiple keyed power switch locks to do exactly this sold, and even then, this only applied to either the original 5150, XT, or AT, or clones thereof which used the original-style PSU with the big switch on the side of the case, as outside of physically locking people out of your PC with a power switch lock, there was no user control back then.
Oh, an addendum to this, the original AT also had a keyboard lock built in so you could also straight-up disable the keyboard if you were away and lock others out that way, in addition to installing a power switch lock on the side. Basically, the only form of user control you had in the DOS era was a physical lock of some kind, as you have no user accounts to lock out to begin with on that platform.
That is an interesting option. Is there such a thing as a Linux distro without accounts?
Why is there a need to comply with foolish laws? I'm sure I type stuff on lemmy.ml or elsewhere on the internet that doesn't comply with some idiot law somewhere in like Myanmar or the DPRK. Why would I concern myself with those laws.
You don't need to take remote places like DPRK. Trust me, most Lemmy instances don't follow the laws of 27 European Union countries.
Can you share an example which laws and in what way are broken?
I support Palestine Action. From the river to the sea, Palestine must be free.
There: I've broken British and Australian laws.
You're not an instance though
None of these countries belong to the European Union.
I'm not a lawyer, but I'm pretty sure they don't follow the GDPR (and I don't think it would even be possible given the federated nature).
People who live in California, if anyone bothers to enforce it, would have two options:
It should be implemented as "This is only required if you live in California" during setup. However, this does sound completely unenforceable. If I have a connecting flight through LA, will they send a swat team to pick me up at the airport for not setting it up and using the WiFi?
Would they actually go after the people?
I expect the law would place the responsibility on the companies managing / distributing the OS. That's the reason companies are complying. People can always look for alternatives.. I'm sure there will always be homemade distros without stuff like this made by ragtag groups / communities without much of a corporate structure behind.
It's one more tool in the bag that the State can wield against us. My more conspiratorial thinking has this as an accidental part of the framework of how they create the slave knowledge worker class since anyone who actually works in tech will disable this. That way they can sweatshop devs into fixing bad AI code without paying them.
As a European living in Canada, it's quite annoying to think about having to do extra stuff (even if it is very minimal) because one state in America passes a stupid law.
Let's not forget all the new cookie banners everyone deals with now.
Personally, I think this first response nails it.
https://lists.ubuntu.com/archives/ubuntu-devel/2026-March/043515.html
Linux is not sold. So you either need to force users to install this on their systems, or go eat rocks.
Enterprise distros on the other hand.. Need to do this.
I would also interpret it this way, though California's government is profoundly technologically incompetent, despite being the home of "Silicon Valley."
Knowing California, they would try to twist the word "vendor" to cover any entity that does any kind of business, similar to how they dismantled interstate commerce protections for the entire country. If that didn't work, they would argue that donations make something a vendor.
The situation is stupid and I am long past tired of idiots pushing idiocy on others en masse.
Canonical bending the knee already? That was quick.
But also not surprising at all TBH
Why not say "we won't sell to any customers in California" and be done with it? If someone goes out of their way to install Ubuntu on their system, it's up to them. Also, how is that going to work for OSes in the cloud? Will CI pipelines need to be age gated?
Because not selling your product to the 5th largest economy in the world is a dumb idea.
Except the whole point is that it's free and you're not selling anything anyways.
Ubuntu is in fact sold and supported and that generates most of the money to fund its development.
The rest of the US is still available?
California on its own is the 5th largest economy in the world.
It recently overtook Japan, so it's 4th now…
And the rest of the US is unimportant?
Not unimportant, just irrelevant to this conversation, this is about California.
It is not. Leave California and serve the rest of the country.
This is perhaps a controversial statement from someone who is fed up with all this age verification stuff, but having the user age be set on account creation (without providing ID or anything dumb like that) doesn't seem that bad.
It just feels like a way to standardise parental controls. Instead of having to roll their own age verification stuff, software like Discord can rely on the UserAccountStorage value.
If it were possible to plug into a browser in a standard, privacy conscious way, it also reduces the need for third party parental control browser extensions, which I imagine can be a bit sketchy.
OSes collect and expose language and locale information anyway. What harm is age bands in addition to that?
Currently it's self reported, but if it's complied with and then they inevitably say now it needs id they can just block all the self reports until id is provided. This is the same tactic of marginally moving the line that has been happening for years
Sure. But at that point distros can just say "no use in California lol" and enjoy the free market share from disgruntled totally-not-californian Windows users.
I thought similarly that a minimally privacy invasive set up like sending a "I'm over/under 18" signal that didn't require verifying government ID/live face scans/AI "age approximation" would be a good idea, but I now think that this system would fall over very quickly due to the client and server not being able to trust each other in this environment.
The client app, be it browser, chat, game etc, can't trust that the server it is communicating with isn't acting nefariously, or is just collecting more data to be used for profiling.
An example would be a phishing advert that required a user to "Verify their Discord account", gets the username and age bracket signal and dumps it into a list that is made available to groomers [1].
Conversely, the server can't trust that the client is sending accurate information. [2]
Even in the proposal linked, it's a DBUS service that "can be implemented by arbitrary applications as a distro sees fit" - there would be nothing to stop such a DBUS service returning differing age brackets based on the user's preference or intention.
This lack of trust would land us effectively back to "I'm over 18, honest" click throughs that "aren't enough" for lawmakers currently, and I think there would be a requirement in short order to have "effective age verification at account creation for the age bracket signal" with all the privacy invasive steps we all hate, and securing these client apps to prevent tampering.
At best, services wouldn't trust the age bracket signal and still use those privacy invasive steps, joining the "Do Not Track" header and chocolate teapot for usefulness, and at worst "non verified clients/servers" (ie not Microsoft/Apple/Google/Meta/Amazon created) would be prevented from connecting.
The allure of the simplicity and minimal impact of the laws is what's giving this traction, and I think the proposals are just propelling us toward a massive patch of black ice, sloped or otherwise.
Having said that, I can't blame the devs for making an effort here, as it is a law, regardless of how lacking it is.
[1] I realise "Won't someone think of the children!" is massively overused by authoritarians, give me some slack with my example :)
[2] Whilst the California/Colorado laws seem to make allowance for "people lie", this is going to get re-implemented elsewhere without these exemptions.
I can see the slippery slope argument, however it overlooks the fact that countries/states are already willing to implement the non-privacy systems.
If these systems take off, it will give privacy advocates the ability to point at California's system and say "look, they have a system that is as effective as the strong assurance stuff but without the people sending you angry emails."
I see it as almost a "reverse slippery slope". A way for people to push for less strict verification.
Yeah countries and states are relatively happy with the non-privacy systems as they "work".
My principal problem is I cannot see this system "working" to the satisfaction of the seemingly incessant voices who don't want a child to see something that they shouldn't, where "something" is nebulous and seems to change with who you ask and at regular intervals.
I'm probably very jaded - I'd love to be proven wrong and this system works as a least worst option, but I'm in the UK and we recently seem hell bent on choosing the worst option offered.
My condolences - I'm in the UK as well and wouldn't wish that on anyone.
If I may offer an alternate perspective: Politicians don't actually care about any of this, they just want votes. California's system allows them to say "Look, we solved child safety!" without having to deal with people complaining about privacy. If there's an existing system in place, it's easier for politicians to say "we already solved this!" and ignore those voices.
It also puts the guilt on parents. If this system is in place, and you complain about your child seeing tiddy online, the question is going to be "why didn't you set the age correctly then?".
… Of course this might be me just being optimistic. I really hope we, as a species, grow out of this new age puritanism and government overreach.
Standardized parental controls would be great, actually. But it should be proper parental controls, not whatever this is. Because at the end of the day, the parent* should be involved in what their child is up to, and allow (or not) based on what the child needs and/or wants, instead of whatever we are doing now.
Or, to put it another way, if your teen has read Game of Thrones (the physical books), I don't see much of a point in forbidding them from going to the wiki of it, and I'd be hard pressed to justify stopping them from talking about it online with other people who have read the books. The tools should allow for this kind of nuance, because actual people are going to use it and these kind of situations happen all the time.
* some parents are awful and would abuse this, see LGBT+ related things, but that's a social issue, not a technological issue.
Agreed, but at this point I think it's worth taking what we can get.
In theory yes.
What's bad though is that it's meaningless. Sure the OS can say you are 10 years old or 100 years old and you can't change it… but then you open a page in your browser which runs a virtual machine and that VM now says you are, arbitrarily 50 years old. The VM is just another piece of software but put it in fullscreen (if you want) and voila, you are back to declaring whatever age you want to any application or Web page within that VM. If that's feasible (and I fail to see how it wouldn't, see countless examples in https://archive.org/details/software or https://docs.linuxserver.io/images/docker-webtop/ even though that's running on another machine, so imagine that was a SaaS) then only people who aren't aware of this might provide a meaningful information on the actual age but that's temporary, the same way more and more people now learn to use a VPN.
I mean, ultimately it can always be worked around… even if you were to add stronger forms of identification, a kid can take the parents card / ID / DNA sample / whatever when they are distracted and verify themselves. If a kid is smart enough to set up a VM like that they are smart enough to deceive adults. Teenagers have been finding easy ways to get to forbidden stuff for centuries.
I'd much prefer if the source of trust is in the local device, in the OS, that is responsibility of the family to control, and not on some remote third party service offered by some organization in who knows where with connections with who knows who. If parents don't properly limit the local user account of their kids, or restrict access to the places they don't want, it's their responsibility. Set up proxies, blockers and lock the OS locally, but don't mess up the internet for the rest of us.
That's my point of Internet Archive software and emulation section : no need to be smart, open a Web page that provides a VM and voila. You don't have to do anything hard, only understand the concept and know where to find a VM.
Also if it's properly all in the browser (no backend setup, no tailscale, which I'm not sure it can be done due to networking, but maybe) then any static host can have it, heck even download a .html and open it would do. In such a situation I can't imagine it can be blocked/limited at all.
Yes I also would much prefer everything to be done locally and have no 3rd party that ultimately I won't trust (one just has to look at leaks from large companies to understand why) still "it's their responsibility" when I tried to demonstrate it's fundamentally impossible when emulation exists is a fundamental problem.
PS: FWIW https://ktock.github.io/qemu-demo/
If somehow age verification is mandated everywhere, this I could get behind. It would be like saying you're 18+ on a porn website.
It'd be stronger than that, since kids shouldn't have admin rights on their pcs and couldn't claim to be over 18.
Then focus on that instead of pushing age laws.
And we all know this "Think of the children" is never about the children.
Next will be compliance through secureboot and TPM.
Isn't this an example of pushing for standardisation of parental controls?
Standardization of optional parental controls (and accessibility while we're at it) would benefit most linux distros imho.
Someone else had brought up in the past few days that parents either don't know that parental controls like this exist. Or they don't care.
This law puts that age setting front and center and allows apps, like Discord, to say "no <13 year olds". I think where this maybe gets tricky is if an app says "only <13 year olds". As like people have said there is nothing stopping people from lying, and that is a two-way street.
No. All this law does is promote more data collection and impose more restrictions.
They don't care about the children and, even if they did, it's the parents' job to parent them.
Leaving it to parents is the reason why we are in this mess.
Parental controls means the control is done by the parents.. not by the companies. I don't need to tell any company what age bracket my kid might be, all I need is for them to tell me how can I block / restrict access to their services in my parent-controlled network (or how to allow them, if using allowlist).
Standardization of parental controls would be if routers and/or the OS of the devices came with standardized proxy settings that allowed privoxy-style blocking of sites in a customizable way so we can decide which services to allow… with perhaps blocklists / allowlists circulating in a similar way as adblockers do.
"We have to comply with the law". This has become Russia or China where the sheep people do whatever an oligarchy dictate. Wasn't it a democracy? Do the majority of people really want this?
In the end we get what we deserve for being just sheep that obey.
"What are we a bunch of Asians?"
Also China isn't run by an "oligarchy" but by a dictatorship of the communist party via a mandate of the masses (they execute CEOs and rich people there, we let them rape kids and commit horrific crimes of greed and fine them less than they made off that crime). Russia is but so is the west and I prefer the term capitalists or if you prefer the original French "bourgeoisie".
There was a study from one of the big ivy league universities that showed that in the US the people don't get what they want, popular policy is consistently not passed nor popular will acted on. Princeton I think.
So it's not what people per se want, it's what the ruling class (capitalists in the west) wants. And they've decided that because the rate of profit falls and their demand for profit grows that they need to put the population under lock and key because they've made economic conditions worse and they're going to get worse yet. They need a police state to control the workers who might want better conditions or gasp to take some or all of their wealth. This is part of that.
This is also because China is rising and they are terrified of people seeing a more equal, just society that can be created through socialism. They are terrified of dissenting voices so they want to remove anonymity so they can terrorize dissidents and opponents into silence. They saw what happened with their attempts at narrative shaping in Gaza, they are deeply alarmed that tik tok won't be the last thing, a new one could pop up anywhere, right now they play whack a mole, they want to control the whole thing top to bottom.
As to people being sheep. It's more like they're beaten down. You defeat this today they come back in a year and then again and again. They have all the money, all the time and are willing to wear people down, use their capitalist owned media to propagandize and sensationalize for this until the people are exhausted and stop fighting it so hard. People work long hours, they take home less money than ever, the government openly abuses people, the police don't act fairly and persecute black people, there's a sense of there being no fairness and not enough time. The people are also mis-educated. They're led to believe there's this big problem, they don't understand technology and passively accept their leadership has some amount of good will in how they pass laws and govern to address real problems the bourgeois press has done its job of propagandizing them for. They can't see the whole picture because of these facts.
Almost all one-party systems meet the definition of an oligarchy. Also not via a mandate of the masses, not anymore, read about how Xi Jinping came to be the general secretary.
You could have worded this a bit better, it reads as "being rich is enough to get you executed" and not as "being rich doesn't make you exempt from capital punishment". There's plenty of those over there ofc, over a thousand billionaires.
Bit irrelevant because all states seek to control the workers, that's how states work. And why all communistic political ideologies aim to abolish the state at some point.
Edit: To be clear, I agree with you in general. I just got bugged a bit by those three things
You do not. You are misinformed and propagandized. Your choice of examples revealed that clearly and nothing you say can refute that fact. Read Marx, read Lenin, your understanding of the state is lacking.
For one, anyone educated would understand that Americans are the best example of sheep in the world and that many Europeans are good second examples. The British for example with their high tolerance for a surveillance, laws that criminalize all manners of small trivialities, etc, etc. Educate yourself.
I appreciate that you feel strongly, but being this aggressive and calling the other person "propagandized" and telling them to "educate yourself", and not addressing any point made, just makes you seem irrational. You are acting like a redditor, be better.
I've read Marx and Lenin, their work while fundamental to quite a lot of socialist movements, is now mostly outdated. Read something modern, there are more relevant analyses of workers' material conditions. Do you want some recommendations?
This doesn't connect to anything I wrote btw.
You willing to go to jail then? Or just asking others to do so?
Yes. If US law mandates that I have to run around naked and screaming when in a supermarket I simply won't do it because it says so. Mostly because US laws have absolutely no effect in Denmark. Except those bastards in our government who decided US soldiers on Danish soil would be above Danish law, but that's another discussion…
But if I were in the US, well, it's my device and it's open source, so who's stopping me? And if my US-backed Fedora distro is getting affected, who is stopping me from going SUSE, Mint, Manjaro, or some other European distro?
I love how you came up with a completely different scenario to answer "yes" to.
I'm absolutely willing to go to jail. Many human rights have been won thanks to people who went to jail to defend them. And in any case we're already in jail. It may be a spacious jail now, but they'll shrink it more and more.
Asking others to do so? By no means no. If they don't want a democracy, then good for them. They only need to bow their head down and obey. And later on, maybe, they must even watch out not to protest, because that won't be allowed by the law either.
It would be interesting if most US citizens were actually trying to get into jail… free room and board and probably the collapse of the US penal system.
Doubt
I don't agree with this law, but having an age verification API as an open-source modular component is the best way to do it. Build in privacy controls and permissions so you know what's being sent, where, and when. Make sure we know to edit $HOME/.config/systemd/ageverificationd/birthday.conf whenever we want (yeah, I wouldn't be surprised if systemd handled this, too).
Don't forget the off switch and don't give it unnecessary dependencies. Let me be able to install it if I need it (spoilers: I won't) and if you include it by default, let me be able to remove it without removing the whole GUI.
I really hope they call the kernel module suck_my_ass so I can sudo modprobe -r suck_my_ass
I know everyone here is obsessed with freaking out over the legislation.
But I think the author is wrong, they should just add this to accountservice and Debian will pick it up in 5-10 years and that's fine.
I actually think the tendency to over engineer this solution to make back porting easier is worse than the milquetoast Californian law.
I think they should add the word "Fuck" to all age verification prompts until they, too, get censored.