Colorado proposing Bill to move age verification to Operating System rather than web site
Senate Bill 26-051 reflects that pattern. The bill does not directly regulate individual websites that publish adult or otherwise restricted content. Instead, it shifts responsibility to operating system providers and app distribution infrastructure.
Under the bill, an operating system provider would be required to collect a user’s date of birth or age information when an account is established. The provider would then generate an age bracket signal and make that signal available to developers through an application programming interface when an app is downloaded or accessed through a covered application store.
App developers, in turn, would be required to request and use that age bracket signal.
Rather than mandating that every website perform its own age verification check, the bill attempts to embed age attestation within the operating system account layer and have that classification flow through app store ecosystems.
The measure represents the latest iteration in a series of Colorado efforts that have struggled to balance child safety, privacy, feasibility and constitutional limits.
https://www.biometricupdate.com/202602/colorado-moves-age-checks-from-websites-to-operating-systemsOpen linkView original on lemmus.org
This is getting ridiculous.
Linux is the only reasonable choice anymore.
Linux won't be legal in Colorado if they pass this. You'll need an account with some age-policing, ID-reporting corporation to be able to use a computing device.
How do they imagine they could enforce this though? Presumably quite selectively, based on the user's political leanings.
Are they going to check people's PCs at the state borders as they move in then?
Hands over an Apple Lisa
Not defend Democrats too much here, but they clearly have far less of a habit of doling out enforcement based on political leanings than the Republicans, even if they do enforce things quite selectively when it comes to actual leftists while letting Nazis run around with seeming impunity.
Colorado has been a solidly Blue state since the end of the W. Bush years, and even then, it was pretty split down the middle with just over half of the votes going to Bush. It's honestly been mostly-Blue-dominated since 1992. (Lauren Boebert notwithstanding)
Further, the two main sponsors of the bill are both Democrats. This genuinely seems to me to be another example of "heart in the right place but don't know what the fuck they're actually doing" which seems common for the tech illiterate and often for Democrats in general.
Once again, not saying Democrats aren't guilty of selective enforcement, just pointing out that they're far less likely to do so (or at least less likely to do so against conservatives, for genuine leftists it seems up for debate).
Now, that also means nothing in context to how other politicians can use this kind of legislation negatively, even if the writers and sponsors truly have the best of intentions. Democrats had the best intentions when it came to the PATRIOT Act and the creation of the Department of Homeland Security as well, and way back then folks like me were saying "this seems pretty dangerous, especially if we ever have a despot take control of the country and the levers for these tools" which clearly has come to pass.
How do you know what their intentions were?
Well, not all of them, obviously. Yet, for example, I tend to think Joe Biden actually did have good intentions considering the bulk of the PATRIOT Act was based on his prior legislation in the 90s, his Omnibus Counterterrorism Act. It's worth noting this was in response to a wave of US homegrown right-wing white nationalist radicalism and terrorism in the 1990's such as Waco and Ruby Ridge. The Oklahoma City Bombing would happen a month after this bill first appeared. Considering the shitstorm we're in regarding virulent white nationalist terrorism, I kind of think back when he first wrote it that it wasn't such a bad idea.
People who were more clearly war hawks like Hillary Clinton? Probably a lot less likely to have had great intentions.
Yet others, like Ron Wyden, who has been a consistent critic of the out of control national security state and voted against military intervention in Iraq in 2002 also voted for the PATRIOT Act. He also spent a great deal of time trying to amend the PATRIOT Act as well.
And as much as Democrats drink from the same well of corporate funding as Republicans, I wouldn't say the majority of the party is outright evil or don't care what happens to their constituents. Schumer obviously doesn't give a fuck, but I also don't think he's actually representative of the party as a whole as much as he just has power in a party that puts seniority over merit in intraparty politics.
It's easy to forget how much shock and terror 9/11 really did put into people which colored how quickly they foolishly signed off on the PATRIOT Act.
The left was saying that the PATRIOT Act was a bad idea from day one, just like we were with the Iraq War. People keep ignoring the left (or dismiss us as paranoid) and we keep getting proven right over and over and over again.
No shit, I was one of those people. I just don't ascribe to malice what can adequately be explained by stupidity, being out of touch, and not thinking through long-term political consequences. Once again, the Omnibus Counterterrorism Act was largely in response to white nationalist home-grown terrorism, which not having squashed that in the 90s is literally part of why we have the problems we have to day with a white nationalist government. Still didn't make it great, but I have a lot more sympathy for its origins in that era.
Unfortunately, if left unchecked, an incompetent ally is just as destructive as a malicious adversary. If you are from Colorado and take issue with this legislation you should contact your representatives and let them know that they are being idiotic since that is the only meaningful difference between the two. Overall, we can continue giving the dems a pass because they are the lesser of the evils, or we can attempt to use what little political capital we have to make them realise their errors.
You lost all credibility early on in your first statement, to anyone living in reality paying attention, your analysis is worth nothing.
What is in the actual bill? I haven't read any of this but if it was just a year of birth box at local signup then this could actually be pretty good. A sort of halfway between local only parental controls & age-policing, ID-reporting corporations.
https://leg.colorado.gov/bills/SB26-051
Here's a summary, but the text of the actual bill can be gotten by clicking on "Recent Bill (PDF)"
This looks like self-reporting. ie: no third party ID snooping badness. Am I missing something?
I don't think your missing anything, granted it doesn't make any assertions about how the data should be attained, just that they must somehow obtain it. In general it reads as requiring at the minimum parental controls on a system.
The courts should strike it down, I don't have faith they will side with the constitution, but it's clearly unconstititional and beyond the authority of the state as well, in the realm of interstate commerce which is explicitly given to the feds, whom can't be trusted either obviously.
But the 1st amendment is clearly invalidating this, forcing people to identify themselves to groups that will record everything they say or do and sell it to everyone, including the government, that will chill speech, and groups will punish people for their speech.
Too bad scotus is all in on punishing people for speech though.
I don't think it will be cut and dry on state vs federal, although if we follow trends it will get shutdown because the feds love abusing the commerce and elastic clause. And I'm not overly familiar with the Colorado constitution, but the actual text isn't actually that invasive, it makes no requirements on data collection, it only requires for it to be obtained somehow, which could be self reporting ala parental controls, it only requires that once the data is obtained that they must provide an age bracket and only and age bracket to services that request it and only services that request it.
The very act of forcing it to be collected chills freedom of speech. Leaving it undefined how it's done should make the law more likely to get overturned not less.
Knowing your age was collected, and is stored somewhere, connected to your computer, and that everything done on that computer can then be connected back to that positive ID, chills speech, as much as they might try to betray the bill of rights with this mealy mouthed attempt to surrender us to Tech.
Not really, the microsoft asshole that coded systemd wants chips on hardware for linux just like 10/11. He's going to help fuck linux the same way they fucked windows.
Bro Poettering worked for Microsoft for four years after working for Red Hat for fourteen and then left to create Amutable, and no offense, but I don't see his goals for Amutable to be about trying to force everyone to use his solution as much as giving groups who use massive numbers of Linux servers an option for something they can more securely lock down and ensure hasn't been fucked with. I don't think he's out here building a desktop distribution and telling end-users they need it for security.
This is just FUD fearmongering, especially considering how small the company is. He isn't forcing the entire ecosystem to adopt his ideas.
If you want to trust the pedomericans, that's your problem.
Dude, Poettering is literally Guatemalan by birth, grew up in Brazil, and lives in Germany. Amutable is based out of fucking Berlin!
Stop reaching.
"Guys will do literally anything but
go to therapyuse systemd."And who is he working for ? The pedomericans.
Show me who on the board of Amutable is who he is "working" for, since he's one of the founders, and most of the people involved are European, or show me the funding for Amutable that's coming from these "pedomericans" you claim or seriously shut the fuck up. Because none of what you're saying makes a lick of sense.
You don't have to like or use the tools these people create. Are you forced to use systemd? No, there are alternatives. There's valid criticisms (of which there are many for Poettering) and then there's whatever horseshit you're peddling here.
Dude you sound like a Republican talking about china being behind everything. It's time to fucking reassess and touch some fucking grass.
You might need help. If you're unwilling to seek help, then at least learn to code and, you know, read the code.
Systemd is so much easier to use, absolutely was not a mistake.
It's so fucking obvious the people who wrote this have no idea other operating systems than iOS, Windows and Android exist.
What are you on about? If they get 95% of the population with this it's still a huge win for them.
I think it is notable that it never makes assumptions about the verification method, so it could just be a simple parental control system. Granted I have no doubts that the corpos will take this as requiring Id, but the bill itself makes no such requirements.
great, for my devices then, that would be me
I fully expect this to become a move to hamper linux, or any non-windows desktop usage, because "we can't trust a user who has full access to their OS" or some other bullshit.
its not about limiting children's access to porn and other stuff, it never was.
DON'T give them ideas!
Age verification is identity verification.
It's already laughably easy to parent these days. Parental controls are on every device and require so little effort. You dont even have to pay that much attentjo - the software literally analyzes use and reports notification. It's so stupidly easy and still people can't do it. Literally ask any of supporters of this what parental control system they use and most are dumbfounded and just change the topic.
It's never about protecting kids.
Eh… I agree that age checks are dumb, but have you ever tried parental controls on most phones these days? They are all complete shit.
What? The software is incredible these days. It literally detects dangers and warns you. Check out Bark which is only 14$/mo but even Google family does a lot of that for free
I’m sorry, but paying a third party subscription for a janky solution isn’t “incredible”.
Last I looked the kid just needed to learn how to vpn and it was over. Granted that was a few years ago. But I've not seen a software solution that there wasn't a way around. Unless you get something like a Gab phone for them.
If the child ignores the parents and uses hacks to bypass parenting controls then no parenting control will ever help. It's a tool and it must be based on existing parenting foundation not replace parenting.
If a child receives a smartphone the very minimum parents must do is establish trust in the social contract between the two parties: "I give you a phone and use a privacy respecting parental control if you agree to not mess with it and keep me in the loop". If this simple base cannot be established then all parental control is moot and we failed already.
It's really not that hard. I used to think these magement and conflict parts are the hard parts of parenting but it's really not, the hard part is how much time/energy kids eat up to the point where it's easy to be lazy and not pursue management solutions which are really simple.
From what I've seen on iOS it seems pretty tied down. You can set times when they can use specific apps, choose if they can edit contacts, have contact with people not in their contacts, make it so they can't change their passcode, make it so they can't log out of their account so they can't bypass it, set up ask to buy or w.e and make it so they can't install apps without your permission or get approvals sent to you for purchasing things. You can review all their screen times for individual apps without even picking up their device... And modify it from your device.
The only real bypass would be to factory reset the phone using a computer, but to get passed the activation lock they would need the password, and you could simply put the trust phone number as the parents number, thus the phone would be a brick and the parent would be notified when they attempted(and failed) to log back into the phone.
Now instead of asking to verify age, make the parents input the age bracket and you reinvented parental controls. The correct way to protect children.
Holy fuck this is bad
Only for privacy and anonymity, companies like Google and Microsoft will do fabulously however. Who donates to him I wonder.
Colorodo democrats have always been lousy. Here they are following texas and montana and tennessee, locking down the internet with dishonest arguments. No one in reality thinks this is about protecting kids, and it's not the state's place to do so, it's the parents, it's a violation of the 1st amendment to make adults expose their identities to people recording everything they do online and using it against them, and selling it to the government.
We need to repeal these bills, and we need a popular open source of model legislation to counter-act ALEC, that writes these bills and state lawmakers just fill in the blanks, after the united corporations give them a plausible excuse to and pay them off
It is the donors influencing all of them. Corrupt fucks
Not every parent is a good steward or guardian of their children, like those who have been caught cyberbullying their own children or those who send their gay/trans children to conversion camps to "pray the gay away" or even parents who deny their children life-saving vaccination and medical procedures because it conflicts with parental beliefs. A technically proficient parent who is "protecting their kids" could easily be blocking their children from access to information that is important to the child's development just as much as the government could be.
The argument that it's always fully the parents right and no one else's is an unintentional argument in favor of parents treating children like property and normalizing the ability for parents to abuse and control their children under the guise of the false idea that a parent always knows what is best for their child. Plenty of parents shat out kids while knowing fuck-all about how the world works and definitely don't know what is best for their child.
Government is imperfect, but so are parents.
If America or any other society moves to have UBI as the basis of all things, children could have personal agency. If free housing and a monthly income is available to all, alongside free education and healthcare, a child could choose to leave their family at any time. This would go a long way to preventing abuse, allow children to fulfill their personal growth, and so much more.
Family, friendship, and community should exist because people like each other, rather than being a product of authority.
Absolutely agreed, but you're still going to need a government authority for things like UBI, free housing, and deciding at what age it is reasonable for a child to be emancipated from their parents and live on their own. Obviously a four year old probably isn't going to be capable of fully caring for themselves, even if they deserve the autonomy from their abusive parents. If I recall correctly, current emancipation laws are roughly around 13 years old, which is when a child is starting to be able to competently care for themselves. However, that still leaves over a decade of potential abusive parenting where someone needs to be raising the child whether it's a good parent, or a foster parent, or a state institution. More importantly, that decade is the most important period for a child's development, especially in terms of mental health. So whether we like it or not, there still needs to be some checks on parents just doing whatever the fuck they want to their children during that period.
If there is universal healthcare, caretakers for the elderly and the orphaned should be available. That means a young kid can ask for a caretaker and receive that aid. Kinda like an reverse adoption, where the kid chooses the parent, rather than the other way around.
The government can send a representative to households or schools with a kid under 10 years of age, with the job of asking whether they want to stay. Do this once a year, giving the kid a tablet through which they can securely send a simple survey without showing their parent what they put on it. Depending on what the kid wants, they stay with their family or can tell the state that they are unhappy with where they are.
It wouldn't be perfect, but at least it gives pathways out of bad situations.
I actually disagree, because hardware-level verification is basically the most privacy-conscious method of accurately verifying a user’s age. Rather than fighting age verification entirely, I think it’s more productive to start assuming users are under 18 until proven otherwise… Age verification is inevitable, (if you don’t like it, tor is always an option), so we should at least figure out secure and private ways of doing so. Rather than resisting it outright, present them with secure and safe ways to do it. The internet is a dark place full of a lot of creeps, and services like Roblox have proven that they will enthusiastically become nesting grounds for predators unless they’re forced to add safeguards.
Sure, it’s easy to say “just monitor your kids” but no parent can be present 24/7. And in fact, oftentimes parents end up using screen time so they can do other things like chores, without needing to watch their kid. So the “just watch your kids” argument is diametrically opposed to the reality of why parents tend to rely on screens. Sometimes you just need 15 minutes to wash the dishes, without a kid demanding your constant attention. Even I, a child-free person, can understand that. And it becomes increasingly difficult to monitor them as they grow into teens and (reasonably) start expecting their own privacy.
I’ve been saying for a while now that we need to shift to hardware verification. Your device (or for shared devices like desktops, your user account) verifies your age once. And then it doesn’t need to do so again. All of the various sites and apps can simply ask your device “hey, is this user over {age}?” And the device responds with a simple true/false. You’re not needing to give your PII to every single site you visit, and the device isn’t needing to report back to the government every time an age verification check happens. It’s all done locally. The handshake could even be cryptographically secured, to prevent tech-savvy kids from MITM’ing the age check. And then protecting kids online is as simple as not age-verifying their device (and protecting your own password on shared devices). Hell, devices like cell phones could even have the age bracket set by the parent directly, since the phone would be on the parent’s phone bill. Similarly, parents could create child accounts on their shared devices, so kids can access age-appropriate content. It won’t stop kids from getting a prepaid phone, but it’ll at least prevent them from easily verifying that phone.
And it’s also the most elegant for the user experience. As far as the adult user is concerned, they never even see an “are you over 18” verification when they visit a porn site. They simply get access to the site. And kids simply get redirected back to Google’s home page (or more realistically, a page on the porn site saying “hey you failed the age check. If you’re over 18, be sure you do that with your device before trying again, because this is the only page you’ll be able to access until then. Or if you’re under 18, click here to return to where you were before” explanation) as soon as the age check fails.
Hardware age verification is basically the best of every world. You don’t rely on a third-party service to verify your PII (which will inevitably leak it, like Discord did). You don’t need to verify with every single individual site and service. The government doesn’t get a record of every site that asks for verification. And kids are automatically prevented from stumbling across adult content.
I agree that Colorado democrats are typically the “if we cozy up to the right they might stop being mean to us” candidates. I think this bill is a poor implementation, but it’s at least done under the right premise. If we could force hardware manufacturers and/or OSes to support native age verification, it would solve a lot of the current issues that we have.
You make some good points. If what you say is true, then most countries and states won't adopt this style of verification because compromising everyone is the point. But they could probably set it up so it does compromise everyone at the hardware level.
Is it unrealistic to expect no age checks? We've lived through an entire internet without age checks, why is it different now? There aren't more creeps, the only thing that's different is our politicians feel emboldened to surrender us to tech. To use age checks as a trojan horse, to get AI behind the walls, to make us all social scores to be used secretly against us.
So I don't see it as inevitable at all, especially not in the US, with the first amendment. Not in blue states, Colorodo is the only blue state doing any of this as far as I've heard either. Because they are conservative sell outs.
So I am on the side or rejecting age checks, and calling them out for what they are, surrendering us to tech for total surveillance, and replacing every politician that has supported it.
I think the big difference is ease of access. For millennials growing up, accessing the internet basically required being at the family desktop in the middle of the living room. Phones weren’t connected to the internet, and cell phones weren’t even common yet.
And kids still got groomed, even when their only access to the internet was in a shared family space. And that began to get more prevalent as devices became smarter and more portable. Now, any 8 year old can get groomed in their own bedroom, while simply playing a video game.
It's not more common at all, we are being played by the media for this very purpose, and there is no reason we should let them win, there's no reason they should win, they are using dishonest arguments and a majority agree with us in an honest conversation. Let's' call them on their bullshit and stop them, then we can keep your less worse option for when something has to be done, and keep it to show how compromising us is the reason, as they refuse the methods that wouldn't compromise us.
Account is created? Who said were making accounts for our operating systems
Moving the responsibility to anyone but the parents.
But who will verify the parents’ age?
The IRS.
Just think: Without legislation like this, kids will be able to see people having sex! Thus, ending their lives. Not so different from staring into the eyes of Medusa!
The amount of children exposed to sex that have died—or suffered worse consequences like early onset conservatism—may have been zero so far but the dangers are clear! We must skip right over parental involvement in child rearing and go straight to the source of the problem: Computers.
Computers have been giving everyone access to too much information for too long! We must restrict it! The first step is to get an implementation that actually works to censor information—to save the children (wink wink)—then later, we will have the tools necessary to censor whatever we want!
When glorious dictator decides that information about trans-genic mice must be erased from the Internet, we shall have the power to do so!
We must protect little Billy from seeing tits, so he can keep laser focus on preparing for the next school shooting.
Hear, hear. When I was young my friends and I wanted to see the naked boobies but because the internet had not been invented we just couldn't. It was impossible! Its not the kind of thing you find lying around!
Definitely not in ziplock bags hidden in the nearest forest to the school, put there by your older brother...
The reasoning in Australia is not about sex but cyber bullying. It’s a big problem and certainly more difficult to refute than kids watching porn.
How the fuck does age gating prevent cyber bullying? That's not an age issue, it's an asshole issue.
Oh wait, because it's not about age at all but identifying individuals who think differently when the regime. Whichever regime that is.
Like those cases where the cyberbullying was coming from the children's own fucking parents.
Protecting parent's rights to abuse their kids is a common, if unstated, goal of laws like this.
In that case reducing the amount of freedom the kid has is.. counter-productive
It will just give more control to their parents
Yes! Because cyber bullying can only happen on platforms that are designed specifically for adults. By banning children from social networks, we will have completely eliminated the problem and totally not at all created much worse problems like potentially leaking the identities of millions of people and destroying the entire concept of privacy.
(Nods head vigorously)
https://theforestscout.com/40129/in-our-opinion/how-a-childrens-game-turned-into-an-outlet-for-bullying/
I would argue that early and excessive exposure to very misogynistic porn can be damaging to a child in that it can reinforce that misogyny and bad sexual patterns/ideas.
I would also argue that it is the job of the parent or guardian of said child to make sure the information they get online (or anywhere for that matter) is age-appropriate, and not the job of the state.
These are clearly laws that are either not well thought through or (probably more likely) intentionally limiting of every citizen’s privacy. I don’t think that even if the porn or bullying or whatever problem was as bad as they say it is that this would even be justified.
When my kids were young, but old enough that they may inadvertently stumble upon porn, I told them the truth. The truth that so few explain to their children. The truth that many adults don't understand and many more completely forget.
Porn is fake.
It's not real. The sounds? Acting. The breasts? Those are fake too. The perfect skin? Makeup (or airbrush).
Even "amateur" porn is fake! As soon as someone agrees to be filmed having sex it ceases to be real.
Also, let me get this straight: Your greatest fear from children being exposed to porn is they might begin to accept mysogyny‽ As in, you think porn is the most likely place kids will be exposed to it and somehow just nod their heads‽ "Oh wow, that's totally sexist! But they're having sex so it must be OK. I'll try to be like that!" (Child nods head).
Or perhaps you think kids will be viewing so much porn—specifically, the mysogynistic kind—that it will somehow carve mysogyny into their minds?
This is so much like the beliefs of conservatives that try to ban books that mention LGBTQ people. Stop and think for a moment: How much porn did you view as a kid? How did that impact your life?
I seriously doubt it changed much. Unless, of course, you were reading Playboy for the articles.
For fuck's sake.
What are parental controls?
Every single one of these places except for maybe fucking discord already had parental controls. Fucking Roblox had pretty good parental controls. Why did none of this laws just say "hey this has to be obvious to setup if the account age is set under this limit" if ot was about protecting kids? Because its not about protecting kids.
At this point, it's probably cheaper and more effective to have proper sex education in schools...
At which age? And how?
Any age, really. You can introduce the topic gradually through learning about biology. Pollination of plants, for example. Or bird mating rituals. At primary school, we had an egg incubator where we could watch the live growth of a chicken fetus. Make it clinical and normal rather than this forbidden mysterious thing.
High schoolers should definitely be taught about safe sex and disease prevention. Also, consent and how to deal with unwanted attention, or even what to do after rape, dealing with shame etc. Heck, talk about masturbation and how it effects the body and mind.
It all needs to be laid out on the table so, in the future, these kids grow up into well informed adults and we can forget about data harvesting for surveillance.
Goodbye tech ownership in Colorado if this passes. We're moving one step closer to the government issuing out thin clients that only they control.
Not the OS.
The OS "provider"
Linus Torvalds ain't gonna check my ID. And i don't want him to, either.
Everyone was born at 00:00:00 UTC on 1 January 1970
The os provider is the one who installs it on your computer...
>.>
Well, looks like the 'above 18' box was checked by the os provider on my computer, I'm good to go!
Even better!
HOLY HELL
ENOUGH IS ENOUGH
This goes in a better direction than web sites doing it themselves, I think. The government put out an open source tool that runs locally and the browser just gets a yay/nay return code from it.
How do they secure age data? Age is most likely two characters, with a max of three characters. If there are penalties for sharing the age data when they aren't supposed to, how do they secure this? Even with cryptography a two character number with only 70-ish reasonable and expected variations is going to be difficult to secure.
How do they ensure no one who is a different age ever uses the device? "Use mom's iPad" is univseral. Does mom get in trouble for letting her child use her device, does the parent end up with the fine?
I feel like #1 and #2 are problems whether its client side or server side. As for #3 I would lean in the direction of there being a one-time check with no persistent knowledge. Like when you flash your ID to the bartender to order a drink. A client app that scans the ID and returns the answer to the requestor.
But I don't think there is any way to reliably implement this sort of thing. I think it should really just be left to parental control and monitoring.
I think part of the problem is there shouldn't be a server-side to this. Because that's opening the door to all kinds of intrusive data-collection to determine age, even if they claim it should be done "minimally." Define "minimal." That seems to fly in the face of "clear and convincing information that a user’s age is different than the age indicated by an age signal" which is a direct quote from the Bill.
And as for number 3, I don't see how no persistent knowledge could work. If the client app has read the data ("scanned the ID") that means the client-app can now store that data anywhere the client-app has write access.
Further, it's not like in real life when the bartender can scan the person up and down, look at the ID and make the assessment that McLovin is clearly underage.
If it's open source it can be verified that it's not storing the data.
And I 100% agree that software scanning an ID is an overall bad way to verify. With a CC# validation at least that shows up on my statement, but if my kid is sneaky enough to get mine out of my wallet I have no way of knowing.
On paper, I like this solution better than every app/site developer having to hack together (or outsource) their own age verification system. But I'm sure it opens up a ton of potential problems. And if it's open source, someone could just fork it and make a version that always says "yes" so unfortunately it'll never be FOSS.
Some kind of cryptographic signing of the executable could probably help with that.
Ultimately I don't believe there can ever be a foolproof solution and the emphasis should be on client-side parental controls.
It wouldn't even work on paper. All it would take to twist this into something dystopian is requiring cryptogtaphic attestation for the age range, and knowing lawmakers, they would justify it as a countermeasure for kids lying about their age. Expand the feature as a web API so websites can use the "easier" and "more secure" system-level age verification process and—oh look, now we can't use important websites without a commercial operating system.
It would be like Secure Boot but worse. At least with that you can turn it off or enroll your own keys.
The only thing this bill seems to affect are apps. It has no provision for websites, meaning kids would still have unlimited access to adult content. If a kid wants to get around browser checks, all they have to do is either install an older browser that doesn't use the OS verification, or find a plug-in that fakes it (and of course those will immediately come out).
Even worse, if the OS requires ALL software to acknowledge the age verification checks, what do you think that means? Everyone in Colorado is required to immediately spend thousands to buy all new versions of every program they use? And what happens to the software that is no longer updated? If you're lucky, you can buy something completely different and spend months rebuilding all your old information into the new system? Sounds wonderful.
I think it's pretty clear that this was written by people who are used to getting everything from the iOS store/macOS store/Microsoft store/Google Play store and have no fucking clue what using a computer that isn't "app-based" is like.
Fuck no.
They are coming for android first.
These people are idiots
Why can’t we just have better parental controls? I’m a parent and I do want to protect my kids but I will not upload a photo or anything else.
Fucking idiots don't know how operating systems work or what they're for.
If I could trust that the people in government know how computers work I'd be down but well I can't
What would be the point of that? If the check was done locally it would be trivial to spoof.
Technically, this can't work. It's a bad idea.
They want mandatory end user identification, through the backdoor. Can't tolerate any wrongthink, citizen.
Well my custom browser says my age is verified, we're all set here here. All set. Move along.
You will need to verify your age to breath the freaking air next!
Another aspect beyond making Linux legally dubious is this: How do they actually secure the age-data?
Age is generally two characters with a limited character set [0-9] even with an extremely well hashed and salted you're looking at only less than 70 combinations being very likely.
There are penalties for sharing with a third party, but what if it's trivial for a third party to exfiltrate this data?
It's aight. We have Linux anyways, who cares about Windows?
Ðen ðey'll classify linux as an 18+ þing, allowing ðem to fine to deaþ every linux website ðat doesnt comply. We still have to care about ðis because when one pillar falls, ðe rest are soon to follow.
This isn't Reddit, don't do some weird cult of not using specific letters
I used ðe correct letters, ðough? Just because "th" is more common doesnt mean ðe oðer letters are wrong. Also, you misphrased your arguement, saying "not" and accidentally flipping ðe meaning of what you said.
Nah I meant it as it's written.
I've now changed my mind though, I thought you were doing like those "never use the letter E" weirdos, and I love the Thorn character.
You keep being awesome
Ah. Þank you for clarifying, and þank you for ðe compliment! Hope you have a great day!
Sorry for the stupid question, but what would an “operating system provider” mean here? Does that mean “the organization that builds and distributes the operating system”? If so, Linux is sort of screwed in CO; even The Linux Foundation can’t act for Linux the same way Apple or Microsoft can for macOS or Windows respectively. Maybe Red Hat could, but only for their flagship distro RHEL, and the E stands for Enterprise, lest we forget.
If “operating system provider” were interpreted to mean “system administrator”, however (which is a stretch, but still), that might be a decent solution, since it has the effect of age-limiting content in an enforceable way, but keeps identity information from being centralized under a government or (single) private agency. The sysadmin for children would be parents, who are the only ones who would be providing the hardware, and that could work, especially if there was only the child’s account on the device (like a cell phone).
I dunno if the above is horribly ignorant; if so, I’m open to being more educated on the topic.
It also says the age will be acquired 'upon login', so I'm not sure how that would work with linux. More anti-tech old farts making the rules
Wish we could blame it on them being old, but the primary sponsors aren't that old. Matt Ball looks late thirties, early forties at most and Amy Paschal looks late forties, early fifties at most. I couldn't find background on their specific ages, but Matt Ball's bio refers to still raising his children, which also implies the younger side.
https://leg.colorado.gov/bills/SB26-051
https://leg.colorado.gov/legislators/matt-ball
https://leg.colorado.gov/legislators/amy-paschal
Ah, I found the official answer to my question in the definitions (definition 9):
This still leaves room for ambiguity, though, especially when it comes to Linux: is the OSP the person who installs the OS (e.g. a sysadmin)? They control the operating system on that device. Or are they the individual/organization that deems what software counts as a given operating system (e.g. Microsoft or Linus)? They develop and license the operating system that happens to be on a given device. Maybe it’s both, but the context suggests the latter more strongly to me.
GOTEM! THIS IS ALL ABOUT POWER & CONTROL, AND THESE PEOPLE WANT TO COVER THEIR ASSES TOO!
Hey Colorado. GFY and get your damn politicians under control.
First I've heard of it, dude. Don't get your knickers in a twist.
Ok but isn’t that just this?
Declared Age Range / AgeRangeService - iOS
Use Play Age Signals API - Android
Google already allows you to save your ID in Google Wallet and share specific details via NFC. Why can't I just use it to provide my year of birth?
Seriously. There are better ways to ensure privacy with identity verification.
Maybe our goverments should spend more effort to determine if it's citizens are even just alive or dead to put a dent in the half a trillion dollars the fed govt pays out to dead citizens they dont know are dead. Then we can maybe talk about how the fuck these idionts are guna conrirm th3 age of their living citizens.
Or hey heres another thought, use this effort to design a better consumer price index which is currently a huge guess of economic status based on the most minimal of factors of the tiniest sample sizes of data.
Where did you get this from? Sounds like more of the crap from DOGE where Musk had no clue how computers work so he just assumed that everyone listed in SSI was getting automatically paid.
Yeah this will end well.
They keep trying to make Linux more appealing.
As a parent, I wish someone would develop a cross platform, open source, parental control tool that preserves privacy while allowing for strong controls that are simple to use. The best I could come up with is a separate instance of Pihole that any device my kids use is linked to. It would be nice if there was a software option or something implemented in hardware that allowed parents to register the device with the user's age (no identifying info). Laws could then be passed forcing certain websites and apps to reject any users under a certain age. The restrictions could automatically lift when the user reaches a predetermined age. I'm not an expert so there are probably aspects of this I haven't thought through but it seems better than what has been implemented so far.
It's a little clunky, but you can do this with one Pi-Hole instance by using the Groups feature. In the "Groups" tab make a group for your default Pi-Hole settings (or just use the already included Default group), and then make a separate group for the additional blocked domains for your children's devices (for purposes here we'll refer to this group as "Child"). In your Lists tab, choose which Group each list should be applied to (or choose the group it should be applied to while adding the entry). In your Clients tab use the drop down menu to choose and assign devices to Groups, put all your devices in the Default group and put all your children's devices in both the Default Group and the Child Group. This way your devices will have the default blocklists and your children's will have the default plus the additional blocklists aimed to protect them specifically.
Thanks for this! I’m still relatively new to Pi-Hole. I’ll give it a look.
No problem, I've been using Pi-Hole for years but have only recently started exploring options with the Groups feature. In fact I spent a few minutes messing around with it before I wrote my original reply to make sure I was going to explain it right. Don't be afraid to hit me up with questions, I'd be happy to try to help.
I'm not in IT and only have tangential knowledge, but I would think something like corporate internet control would work for this. I know my company has blanket access restrictions with the ability to modify them on an individual basis. But I haven't the slightest idea how to implement that. I think all of my company device data goes through a tunnel.
You’d think so, but I promise you that a teenager will work their way around most internet based blocks eventually. The thing that gets you in a corpo environment is that they fully log your browsing, so yeah you managed to find fuckmyfacesilly.com that wasn’t blocked, but you’re going to have a little talk with management as soon as someone checks the logs.
Are you telling me I can’t fire my kids if they find a way around? Seriously though, my kids are still relatively young so the pihole solution should work for a bit. Neither will figure out how to change DNS settings for a while.
If you're allowing full-client-logs on Pi-Hole, anything that passes through it will be seen in your Pi-Hole logs in the same way.
Yeah but most parents aren’t going to be checking those logs.
Honestly your best bet is to use a paid service, which I hate because it adds yet another cost to raising kids. It would just be great if device manufacturers could get their shit together and not relegate parental controls to the third party market.
Have you checked your modem/Wi-Fi router?
Sounds Dumb, I know, but many have them baked in.
It may not be perfect, but it covers all devices unless you can login.
I did. My router runs a version of OpenWRT and while I can blacklist certain domains, I can’t add lists of domains. They have to be added one by one. The pi-hole solution is much easier. I can add an entire list for social media. I can add a list that forces search engines to use safe search.
Year of the Linux desktop inbound.
Apple already has iCloud age settings
You know what ? If this law is only imposed on commercial operating systems, and I can make my free OS lie and say I'm 100+ ; then maybe this could work.
No, you'll only be able to access the internet on approved devices. Anything that isn't under their full control will be disallowed.
I've been a longtime mobile and web developer, have a teenage kid with a phone, and am a big privacy advocate (card-carrying member of ACLU and EFF). As a parent, I don't want my kid exposed to cyber-bullying, toxic social media, or algorithmic bullshit.
And I will tell you this: the operating system is 100% where you want to do age verification.
I don't want individual social media sites, dodgy third-party orgs, or government agencies scanning our faces or IDs. Under a family sharing plan, the OS already knows how old the kid is. Any site wanting to gate access can privately ask the OS if age > X without spilling their PII. Same concept as OAuth. An opaque, encrypted token indicating GO or NO-GO.
Raging that they shouldn't do any of this is just idiotic. Unfettered access got us CSAM, kids getting radicalized, or bullied to the point of self-harm. Fuck that.
From a technical point of view, having OS-level verification is the least worst, and in my technical opinion, the best option.
As a software engineer that works on virtualization and is interested in software freedom, this law terrifies me because it's a trojan horse for something much much worse than the already shitty status quo: remote attestation.
No, it's the last place you want to do this check. Let me explain: because users control the PCs they buy right now, meaning they can install any OS and programa the so wish to install; governments at some point will decide that they cannot trust the results given by any OS.
The only way for governments will be to actually trust third parties (again) that will check properties in your computer through a module that controls the whole computer and users don't have access to.
This is called remote attestation: https://www.eff.org/deeplinks/2023/08/your-computer-should-say-what-you-tell-it-say-1
With this technology, users don't decide what programa they can install and run, they can't even decide what websites can they visit.
It's a brutal encroachment on the computer freedom you have enjoyed up to now, and the perfect tool for an authoritarian government to enforce what can you watch and in general, can do with your computer.
If this law is approved, I guarantee you it will spread and will have expanded versions requiring remote attestation. (Don't worry, lobbyists will find a way to sell remote attestation preserves privacy to make it go down easier)
The end result is a nightmare-fueling scenario where someone like Peter Thiel through Persona not only has your information because it needed to verify to create the account in your computer, but Microsoft also has it, and governments through Microsoft may decide to limit which platforms you can access (X or something worse), if also if you've been a bad citizen, if you can run programs in any computer that can be legally sold.
All in all, this law is incredibly dangerous in the current political climate where even supposedly democratic governments are pushing for more authoritarian controls to digital life. And I'm surprised organisations like EFF haven't seen this yet
I'll caveat this by saying IANAL. But the way I read Bill 26-051 is that it's looking to implement "user age attestation" not "device or application" (WEI). Two separate things.
Age Attestation requires the OS (or really, the cloud service that implements account-level authorization) and come up with an "age signal." It prohibits using third-party non-public data, and puts the burden on the OS for managing the Go/No Go process. No PII leaves the device.
The alternative is dystopian, poorly managed KYC/AML over-reaches. Under the guise of anti-fraud/anti-gambling, these will reach deep into our communal shorts. They could well soon require individual biometric verification (iris scans, face contour maps, fingerprints, etc). No, thanks.
WEI is a separate story. It's trying to cut down on malicious apps and maybe stop individual sites doing browser fingerprinting. It can only work on systems with single-points of app installation (without side-loading) and devices already locked down with hardware TPMs. So far, that only covers iOS. All the other systems (Linux, Mac, Windows, and Android) let you install your own system-level code without having to go through the One Official appstore. And with WASM, the browser makes it all moot.
Personally, I think WEI is a total waste of time. Trying to squeeze the toothpaste back into the tube. But it's solving a different problem than age verification.
Not to say the Colorado bill is perfect. There is a truck-sized app vs. website loophole in it, so kids can still access social media sites from the browser vs their phones. But the OS can offer an API that browsers can vend to websites without every site rolling their own crappy system. It also doesn't account for a clever kid figuring out how to create a separate adult-appearing user account. Because of course, they will.
Saying it's parental responsibility is unrealistic. I've helped folks set up Screentime, router-level filters, and even Circle (in-home ARP spoofing box, and mobile VPN + fine-grain URL filtering). There are ways around all of it. Besides, the kids can still get exposed to utter bilge via school-approved sites like Zoom, YouTube, or Google Drive. Let's not even bother with messaging apps or in-game chat. This is all assuming parents have the time or knowledge to set things up and manage the filters.
We're not trying to be over-controlling, stop the kids from dancing too close at the prom, or yuck their yum. But as parents, we do want to have some sort of say in what they're exposed to online before their brains have the capacity to process them. The risk to their mental health is real, and just YOLOing it hasn't worked out too well.
I'm sure there's a lot of subtle behind-the-scenes stuff in the Colorado bill. I'll wait to hear what EFF or Mike Masnick have to say about it. But as a techie, app developer, and parent, it reads like the least-worst way to keep a minor away from nasty crap without requiring every one of us to scan our faces and provide IDs to every rando website.
Oh, what's that you're using? It's Linux? Sure that's fine, just make sure the age verification check works on it.
Wait, what do you mean you have "root access"? Why do you keep repeating "it's my hardware and I own it"? You removed the age check system? You can do that! Hey, he's not supposed to be able to do that!
Colorado proposes bill to ban open source operating systems
Crap.... I was right </Edit
As a parent, systems and web developer of both open source and proprietary software. This would single-handedly be one of the most damaging things to ever happen to the world of personal computing.
It's a horribly bad opinion. It's the same old problem with client-side anti-chest. You can't trust the hardware. If the user has full access to the computer, then they can do whatever they want with it. This is a core issue in security modelling. So what's the answer? Try to lock down the system. This is why anti-cheat software, to play a video game, has more access to your computer's hardware than you do as a user. Full access to every single file, data in memory, webcams, things on screen, etc.
What's going to happen if it becomes mandated that age checks must happen in the OS? We're going to get computers so locked down that you won't be able to open a .txt file without some kind of authentication check.
No thanks. I'm happy to avoid every single age-check required service.
I won't repeat what I said in the sibling thread.
But I don't see anywhere in this specific Colorado bill trying to restrict OS level features or go anywhere near open-source. As a parent, if I put little Timmy on Arch and give him root access, I don't get to bitch about what they do online.
This is about a single signal (kid/no kid) at the user-auth level, without slurping up PII and shipping it off into the ether.
Because the people proposing the bill don't understand or know what open source is.
I guess my example "realization of open source" dialogue wasn't in your face enough, eh?
You claim to be a developer, but seem to not understand the fundamental truth of "you can't trust the user's computer". The proposed law, would make it law that operating systems have some mechanism to verify age. Now if it's a law to guarantee the verification flag is available, then that would also mandate the mechanism be free from tampering, otherwise the law means literally nothing and is unenforceable.
So once they learn about open source, root access, jailbreaking, etc, those things will very quickly become illegal.
As I said in my other comment, this problem has been attempted with gaming client-side anti-cheat for decades now. There's a reason most online games still are riddled with cheaters, despite anti-cheat software being near Orwellian in what they can do.
Age verification is nothing more than the new guise of forced online tracking.
Dear lord I hate being right!
https://www.pcgamer.com/software/operating-systems/a-new-california-law-says-all-operating-systems-including-linux-need-to-have-some-form-of-age-verification-at-account-setup/
These are all the Least Worst solutions. I humbly disagree.
Sounds good. Might even encourage more people to move to a privacy respecting OSs.