A lot of the comments in here seem to be focused on mobile devices, but this law applies to basically every general computing device.
Here are the definitions from the bill in a more reasonable order than they are presented there:
> "DEVICE" MEANS ANY GENERAL-PURPOSE COMPUTING DEVICE THAT CAN ACCESS A COVERED APPLICATION STORE OR DOWNLOAD AN APPLICATION.
> "COVERED APPLICATION STORE" MEANS A PUBLICLY AVAILABLE INTERNET WEBSITE, SOFTWARE APPLICATION, ONLINE SERVICE, OR PLATFORM THAT DISTRIBUTES AND FACILITATES THE DOWNLOAD OF APPLICATIONS FROM THIRD-PARTY DEVELOPERS TO USERS OF DEVICES.
> "APPLICATION" MEANS A SOFTWARE APPLICATION THAT MAY BE RUN OR DIRECTED BY A USER ON A DEVICE.
> "DEVELOPER" MEANS A PERSON THAT WRITES, CREATES, MAINTAINS, OR CONTROLS AN APPLICATION.
The law applies to Operating System providers that runs on such a device:
> "OPERATING SYSTEM PROVIDER" MEANS A PERSON THAT DEVELOPS, LICENSES, OR CONTROLS THE OPERATING SYSTEM SOFTWARE ON A DEVICE.
Basically every Linux distro falls under this. Never mind the fact that OS providers don't really have control over where you run their code. If my device doesn't have a network card, does that mean my OS can skip this?
This also is not privacy preserving. It does require the device only report what age bracket a user belongs too, but on a long enough time frame, anyone currently under that age of 18 has their age accurately disclosed, often down to their birthday.
Worse, all applications MUST query this information every time it is run, regardless of whether or not age is at play. Every time you run grep, grep needs to know how old you are:
> A DEVELOPER SHALL REQUEST AN AGE SIGNAL WITH RESPECT TO A PARTICULAR USER FROM AN OPERATING SYSTEM PROVIDER OR A COVERED APPLICATION STORE WHEN THE DEVELOPER'S APPLICATION IS DOWNLOADED AND LAUNCHED.
Now, oddly, user is defined to be minors:
> "USER" MEANS A MINOR WHO IS THE PRIMARY USER OF A DEVICE.
But, the way the law is written, the implementation necessarily applies to everyone.
It's just another in a long list of intentionally broad laws designed to make everything illegal. They shot themselves in the foot though. Since
(6) "DEVELOPER" MEANS A PERSON THAT WRITES, CREATES, MAINTAINS, OR CONTROLS AN APPLICATION
The user is a "developer" so they can just send themselves an implicit age signal without modifying any software.
This shift toward OS-level verification is an interesting architectural pivot. It’s arguably more privacy-preserving to have a "local-first" verification—where the device confirms a threshold age without sharing the underlying identity documents with every third-party site.
The real challenge will be ensuring this doesn't inadvertently entrench the gatekeeping power of major OS vendors or create a single point of failure for identity tracking. However, from a data-minimization standpoint, it feels like a more robust approach than the current fragmented landscape of requiring users to upload sensitive IDs to dozens of different websites.
will be ensuring this doesn't inadvertently entrench the gatekeeping power of major OS vendors
Just say the quiet part out loud: this is absolutely going to happen, and this is why we need to fight our hardest to stop it.
Stop being distracted by and thinking about the technical points when the whole idea itself is bad, just like WEI and the other authoritarian ideas that originated with "trusted computing".
Maybe better, but still doesn't address the underlying problem. Governments print bits of paper and citizens need to scan and upload them to be validated by a 3rd party. Lots of obvious waste there. Legislating this approach is just entrenching it. But I guess it is cheap for the government. Sane approaches require the government provide a service which 3rd parties can query age with (indirectly, via anonymizing proxy). No need for those bits of paper to be involved at all, disclosing far too much information.
> Lots of obvious waste there
Seems like a great thing then. People get annoyed, businesses that comply lose customers and money etc.
All that friction means these policies become inherently less popular regardless of anything else. While this crap work effortlessly out of the box is just outright dystopian
You still have a choice whether or not to use those websites. Not sure if having spying malware built in into every OS is preferable to that..
This is why we shouldn't use passkey. The authorities (not only the US) are clearly aiming to lock down the hardware we can use. Remember, passkey has a function to restrict the freedom to choose the authenticator we want to use.
Yeah remote attestation. Any kind of remote attestation is an open door to abuse:(
What a failure as a species that parents are not trusted or believed to be capable of raising their children. Therefore let's build out the panopticon.
Query: Are there any current legal challenges to this rapid spread of age verification that have a chance of hitting the Supreme Court?
From my admittedly poor understand of legal stuff, these are largely proactive measures happening at company and state level. Congress nor Supreme Court have issued any rulings around this yet.
> chance of hitting the Supreme Court?
Why would that matter? The constitution is just a worthless scrap of paper these days
Well, it's one step closer to parents, although I doubt it will ever get there.
Only viable solution: ID tagged kids carry ID tagged phone, use ID tagged PC.
Richard Stallman's "Right to Read" from 1999 is worth another read.
Pertinent quote:
>It was also possible to bypass the copyright monitors by installing a modified system kernel. Dan would eventually find out about the free kernels, even entire free operating systems, that had existed around the turn of the century. But not only were they illegal, like debuggers—you could not install one if you had one, without knowing your computer's root password. And neither the FBI nor Microsoft Support would tell you that
Finally, sensible. I never understand why websites or apps had to do it. It's way easier, more scalable and cheaper for the OS to do it.
And more draconian.
"Our systems aren't foolproof because anyone can just boot Linux from USB. Hence we should enforce secure boot with proprietary keys and disable functionality for non attested PCs"
This is not far fetched. All Android vendors went down this path and now you can't even enable developer mode if you want your bank app to work to approve your bank loan.
Which just seems like a slippery slope. Since there is no friction and users are not annoyed anymore governments will just continue requiring more and more spyware to be added to all software/devices.
IMHO requiring every to submit notarized paper forms to access Facebook/whtvr would be the best solution
How is Linux going to do this?
I don't know but as Linux powers the entire world, include 2/3rd of the world's smartphone, I'm sure they'll find a way.
Well it’s obviously technically feasible (which seems like the least relevant part) if you want to have zero privacy because every single general purpose computer has unremovable spyware builtin..
Surely you most see that this is a bureaucratic impossibility. It's not a technical issue.
What absolute creeps. Major major amplification of the war on general purpose computing. It's absurd how governments are so willing to just make demands of products, are so intent on being product managers making their lists of how they want the world to run.
There's just shy of 200 countries in the world. That's a lot of product managers already! But if provinces/regions/us states all decide they too can define how software has to work, we are up to thousands of little emperors all telling the world how we have to think, how we have to compute.
It's frelling disgusting.
This effort here has similar vibes to Chrome's Digital Credentials API. Which can be privacy preserving, but where site's can demand basically whatever they want. Either way, each site is returned material, that it then has to verify. So we are back to only approved identity working. And it seems unlikely credential issuers will willingly work with anything but 1st tier browsers/OSes. https://developer.chrome.com/blog/digital-credentials-api-sh...
It feels like a sure creeping doom that the internet is not going to be available in many places, except by commercial OSes that use DRM and attestation to deny users access to their own systems. This is against mankind, and imo, against every spiritual fiber that made man a great creature & arose us to what we are. To deny us a view of the world is to deny us from being toolmakers, is to mame our senses. This is an affront to our humankind. This making the machines infernal.
> we are up to thousands of little emperors all telling the world how we have to think, how we have to compute
Imho that’s one of the best outcomes i.e. companies which will try to comply with all of the rules will go out of business or move to a less dystopian jurisdiction. Then there will be a lot economic pressure to build networking and payment systems which allow working around all this crap.
If on the order hand it’s actually streamlined and works without any friction nobody will lose their jobs/tax revenue and governments will come up with even more and even more dystopian shit.
Age verification sucks but realistically this is a feature that iOS and Android already have and it's better than "upload a photo of your ID which we promise to delete but actually won't" age verification.
More friction -> less users -> lower revenue -> more companies lobbying against these policies. Seems like a good thing.
Trusted 3rd parties I choose myself?
I trust the postal service here, more than Apple or Google. Just recently opened a bank account via their online service.
It seems to me that this is timed curiously close to google getting rid of side loading on android. Is this something that’s being planned behind the scenes?
I mean, if android allows sideloading anyone would be easily able to get around these checks am I right?
> if android allows sideloading anyone would be easily able to get around these checks
Not really. You’d have Android attest to the check. If you are running a modified Android, it can’t attest. If you’re side loading, unless it messes with the attention logic, it should be fine. Like, Apple Pay could still work even if iOS permitted side loading.