alt Hacker NewsA new California law says all operating systems need to have age verification
Comments
There's an obvious theme with lawmakers in California—they pass laws to regulate things they have zero clue about, add them to their achievement page, cheer for themselves, and declare, "There! I've made the world a better place." There are just too many examples. For instance:
- Microstamping requirements for guns—printing a unique barcode on every bullet casing (Glock gen3 cannot be retired, thus, the auto-mode switch bug cannot be patched...)
- 3D printers should have a magical algorithm to recognize all gun parts in their tiny embedded systems
- Now, you need to verify your age... on your microwave?
At this rate, California should just go back to the Stone Age. Modern technology is simply not compatible with clueless politicians who are more eager to virtue-signal than to solve any actual problems or even borther to study the subject about the law they are going to pass. There will be more and more technology restrictions (or outright bans on use) in California because it's becoming impossible to operate anything here without getting sued or running afoul of some overreaching regulation.
Reaction 1: how would this even work with embedded systems that have no UI to input this data?
Reaction 2: it's open source, make the lawmakers do submit the changes.
Reaction 3: how would this ever be enforced? Would they outlaw downloading distributions, or even older versions of distributions? When there's no exchange of money, a law like this is seems like it would be suppression of free speech.
Reaction 4: Someone needs to maliciously comply, in advance, on all California government systems. Shutdown the phones, the Wi-Fi, the building access systems, their Web servers, data centers, alarm systems, payroll, stop lights, everything running any operating system. Get everyone to do it on the same day as an OS boycott. And don't turn things back on until the law is repealed.
Ignoring all the tedious 'no, you're a bad person for having different priorities and beliefs to me' comments that this will inevitably inspire, I have to ask: why does the operating system need to be involved in this? The intended target of the regulation seems to be app stores.
Someone has fallen victim to Politician's Logic: https://www.youtube.com/watch?v=vidzkYnaf6Y
Skimming the actual text of the law[1], I don't see anything particularly objectionable. Basically it requires a toggle when creating/editing a local user account that signals "this user is/is not a child". Applications could then tailor their content for child/not child audiences.
Which isn't to suggest that it's a good law, just not really "age verification".
[1]: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...
> [..] requires an account holder to _indicate_ [..]
i.e. this doesn't require age verification at all
just a user profile age property
> [..] interface that identifies, at a minimum, which of the following _categories_ pertains to the user [..]
so you have to give apps and similar a 13+,16+,18+,21+ hint (for US)
if combined with parent controls and reasonably implemented this can archive pretty much anything you need "causal" age verification for
- without any identification of the person, its just an age setting and parent controls do allow parents to make sure it's correct
- without face scans or similar AI
- without device attestation/non open operating systems/hardware
like any such things, it should have some added constraints (e.g. "for products sold with preinstalled operating system", "personal OS only" etc.)
but this gets surprisingly close to allowing "good enough privacy respecting" age verification
the main risk I see is that
- I might have missed some bad parts parts
- companies like MS, Google, Apple have interest in pushing malicious "industry" standards which are over-enginered, involve stuff like device attestation and IRL-persona identification to create an artificial moat/lock out of any "open/cost free" OS competition (i.e. Linux Desktop, people installing their own OS etc.).
---
"causal" age verification == for games, porn etc. not for opening a bank account, taking a loan etc. But all of that need full IRL person identification anyway so we can ignore it's use case for any child protection age verification law
----
it's still not perfect, by asking every day daily used software can find the birthdate. But vendors could take additional steps to reduce this risk in various ways, through never perfect. But nothing is perfekt.
---
Enforcement is also easy:
Any company _selling_ in California has to comply, any other case is a niche product and for now doesn't matter anyway in the large picture.
Sounds to me that this is how kids learn to spin their own operating systems (a la LFS, Gentoo)and apps.
This is how people bought personal computers when the mainframe priesthood banned them.
It appears that very soon, young people will "de facto" need to have this level of competence in order to survive and thrive in a world of "in loco parentis" operating systems and apps.
The latin reveals my age, but one thing about my age:
People my age did exactly that. We built our own hardware when there was none. We compiled (or copied) operating systems and apps. A couple of my friends wrote an operating system and a C compiler.
"My generation" created this entire internet thingy, installed and web-based apps.
Indeed, dumb-asses are going to level up young people.
Bill text appears to be a copy/paste from a similar Colorado bill that just made the rounds. Methinks there's a special interest group trying to ram this garbage through a bunch of state legislatures.
As noted at the end of the article, I suspect the impact for many OS's is going to be that they add a line in the fine print somewhere saying not for use in California.
Richard Stallman's "Right to Read" is disturbingly prescient, as usual.
Can I wash my laundry without an ID? Because my washing machine can connect to wifi, supports different user's profiles, etc, thus it has an OS.
> (g) This title does not impose liability on an operating system provider, a covered application store, or a developer that arises from the use of a device or application by a person who is not the user to whom a signal pertains.
So, this makes desktop Linux illegal, but all the software-as-a-service like Microsoft Azure and OpenAI get off scott-free?
Fantastic.
What about:
- servers living in datacenters
- realtime operating systems in embedded devices
- the Intel Management Engine
- the OS on every smart chip in credit cards and debit cards
- wireless cameras, roombas, smart TVs, smart fridges
- cars. Those automotive systems have OSes too right?
- all those IoT devices, including California’s traffic cameras
What age signals should those devices send out? Is there an exclusionary clause?
Alcohol is harmful, and you want to prevent minors from obtaining it without parental supervision. Do you pass a law requiring every car to log the age of every occupant in case the driver drives to an establishment that sells alcohol? No, that's stupid. You require the person providing the alcohol to check age only when they are about to hand over the alcohol. Until someone actually attempt to access alcohol, they should not be asked their age.
Now exchange "car" for "OS" and "alcohol" for "age-sensitive content"
How wouldn't this also apply to things like useradd(8) or simply automated user account setup, e.g. like cups, sshd, etc? Do we need to add this to vi for use in vipw on UNIX?
I actually prefer an OS-level API for Age verification rather than treating everyone as a child-by-default unless they upload their personal information to some random vendor.
BUT this is obviously not the right way to implement this.
Are lawmakers bored? Who is asking for this? Not the tax paying citizens.
I've taken trips to California in the past for both personal and professional reasons. I'm seriously reconsidering whether I'll do that again in the future.
What happens if I bring a laptop with an "illegal" OS without this unwanted "feature" into the state? Will I be denied access to public wifi in hotels and restaurants? Or will it grant me access, but snitch on me -- make a call to the state police to come deal with someone with an illegal laptop? Will I be forced to install a different OS while a police officer watches? Will my laptop be confiscated and destroyed as contraband? Will I be thrown in a California prison?
I don't want to take a risk and find out.
It's not clear that this applies where the "operating system provider" does not have "accounts". Linux should be OK, but "Ubuntu One" might have problems.
It's a good reason not to put cloud dependencies into things.
Does not require verification, no biggie, this is essentially a parental control system.
This is a really strong example of how both the left and the right have been moving away from liberalism (ie, "classical liberalism," the general belief that people should be free to make their own choices and pursue their own interests) for the past 16 years or so. A bill like this could have just as easily come from Texas.
Practically, I think this is tough. How does a business verify their 20k Linux servers in AWS? What prevents Linux users from simply modifying their code such that they no longer do age verification? I think it's easy to imagine circumventing this one law, but this is another brick in the wall. Maybe your bank stops working on Linux. Maybe major websites stop working unless they get your citizen ID and age verification data from your OS. Maybe no one makes a browser that doesn't try to grab that information.
Not joking; stock up on books and keep a collection of media that you own personally. Perhaps your linux computer will start looking a lot like your PC from the early 90s: not connected to the internet, just used for word processing, some installed games, and media.
How is this an OS concern? Shouldn't age verification be a government concern to implement a system which does a privacy preserving verification? And until such a system exists, there should be no laws about online verification at all?
I don’t see anything in that bill (https://leginfo.legislature.ca.gov/faces/billTextClient.xhtm...) that requires age verification.
It says users, on account creation, must indicate their age or birth year (or both) and that programs must have access to that info, but I don’t see any requirement about checking whether what the user enters is correct.
What does make it weird is that it requires account holders to enter that data at account creation, and it defines an account holder as ”an individual who is at least 18 years of age or a parent or legal guardian of a user who is under 18 years of age in the state”
So, kids are allowed to create an account, but then, an account holder has to enter their age or birth year.
To top it of “a parent or legal guardian who is not associated with a user’s device” is not an account holder, so let’s say a 15-year old buys a laptop or smartphone and wants to set it up. There’s nobody associated with the device, so there are no account holders. Who should enter that age info?
On many smartphones, having a grown-up create an account first won’t work, as there’s no way to set up a second account.
Yikes, these government folks just sign without even thinking or having a single clue about how the rule will work. They are completely irresponsible.
California is a confusing state, age verification for operating systems while almost releasing this monster on the public: https://www.latimes.com/california/story/2026-02-26/serial-c...
> …requires an account holder to indicate the birth date, age, or both, of the user of that device…
The way I read that, you just have to ask for an indication of age. Like when I'm not logged in to Steam and I want to look at a game with blood, it asks for a birth year and I pretend to be 109. That's not exactly "age verification." Am I missing something?
I miss the days when politicians just generally ignored computers and left us alone.
Although it appear stupid, maybe an OS level endorsement of user age is actually a more reasonable middle ground than delegating mandatory age verification to data brokers...
It still parents that usually buy the computers and set up the différents user accounts. So the responsibilities would be put back in their hands as machine owners to correctly tag kid's accounts. OS vendors would then only be responsible to accurately transmit this declarative information to requesting App/services.
Of course some smart kids are gonna find a way to bypass that (as any other mesure you can imagine, because kids are smart). But nonetheless we could have a good enough OS level declarative age for 95% uses cases and send to the trashbin all the age verification creep that is the current trend.
Is this the end of "smart" washing machines and refrigerators?
I can imagine Samsung asking for the user's age every time you want to grab a snack and refusing to unlock the door otherwise.
Or perhaps... they could add a camera to the fridge and send a stream 24/7 to their servers so they can identify the age of whoever opens the door. For complying with the laws of California, honestly!
So silly question, in theory this is like brewing beer... what if a kid wants to make an operating system?
Ah, so this is what Lennart Poettering has been cooking? [1]
It's also completely pointless because users routinely use shared accounts. It was thus on the WinXP machine at home, and still is today on iPads and android tablets. Yes, Apple has made it dysfunctional so that rich people will get one iPad per person, but many children use games and social media apps via their parents accounts. Who is going to set up an AppleID for their 8 year old? (Well I did, but normal people?)
The people who wrote this law work for Microsoft and think people have individual laptops and phones with a cellular plan. They care nothing for user privacy, in fact they want persistent digital identifies for advertising.
Hmm i think at te moment its only Linux that has by default local only accounts except if being used in some sort of SSO environment .
Microsoft has been pushing aggressively to deprecate the local and funnel everyone to Microsoft online accounts , while Android and macOS/iOS are already in such a state by default.
Coupled with the same accounts being used for online login, looks like a feature creep panopticon in the making. With Linux lucking out be default.
"For the purpose of....covered application stores."
I'd like to see that definition. My OS doesn't have an "application store", so I doubt it's impacted by this law.
"That's likely no big deal for Windows, which already requires you to enter your date of birth during the Microsoft Account setup procedure."
Not exactly true as you can do local account installs.
I wonder if you can get around the law by just having people build their own image from the source.
Governments that require age verification for operating systems to protect children also drop bombs on civilian neighborhoods, fight wars that orphan millions and tolerate child labor, exploitation, poverty.
History teaches us governments are the best at protecting children.
I seem to be doing more and more illegal things as time passes, whilst not changing my behavior at all.
Curious.
10/13/25 Chaptered by Secretary of State - Chapter 675, Statutes of 2025. 10/13/25 Approved by the Governor. 09/24/25 Enrolled and presented to the Governor at 3 p.m.
Why is this "news" today? Am I missing something?
Who is actively lobbying against the “war on root access”? Which are the NGOs/PACs/non-profits with the best track record of getting results here? FSF and EFF come to mind, but I can’t think of others and don’t know of track records for any of them.
> apply the privacy and data protections afforded to children to all consumers and prohibits an online service, product, or feature from, among other things, using dark patterns to lead or encourage children to provide personal information beyond what is reasonably expected to provide that online service, product, or feature or to forego privacy protections
My question, is if "the children" are worth protecting, why not adults? I would like to opt into not having to deal with dark patterns. Why not a age independent system, which a user can opt into and which "children" are automatically optd into.
I'm under the impression anyone doing nefarious things online are probably more-than tech savvy enough to not install an OS that rats them out...right?
Isnt that literally one of the first rules of the DNM Bible?
This is all very discussed in concrete terms of what exactly the terms of the law are, how this will be possibly implemented..etc.
But what about your outrage you all at the moral and ethical implications of this?
Isn't it possible to jam and deny with any remote auth dependency?
Recently after we spent hours getting a Chromebook set up after a "Power Wash" due to remote auth failure, it wanted the old password and there was no option but to wipe the device.
They held our homedir hostage with required remote auth.
We were not able to log into our computer and lost all of our data because of remote auth.
Secure critical systems must not have a centralized remote auth dependency that can be denied.
OK, so way at the bottom it says this:
"This title does not impose liability on an operating system provider, a covered application store, or a developer that arises from the use of a device or application by a person who is not the user to whom a signal pertains."
This is obviously a law so poorly written that it'll never pass a court challenge. Assuming anyone brings one.
Little bit picking at straws but I sure would love to find some way to punt this law. Medtronic has an insulin delivery solution which involves the distribution of a custom Android phone with a closed source app. Other fields in medicine do this as well as a matter of course, so that they can guarantee clinical operation on that particular device (rather than risk app operation on Android device fragmentation) and get OK’d by the FDA. The FDA testing process can take upwards of 4 years, and is usually cleared for -specific- operating system versions (which, by the end of testing, can be very old).
I wonder: since that operating system needs to attest and (vaguely) eventually report an age and other identifiers to a government API and app developers, will that report violate HIPAA?
clearly there's something I don't understand (or is the law just really this stupid?) - but what would this even look like for linux? every user account requires an associated age?
but users don't have a 1:1 mapping to the people that log into them. linux users that aren't used by any particular person, but by a particular _service_ are common. so are linux users that could be logged into by any number of people, and which have no specific single owner.
> "That's likely no big deal for Windows, which already requires you to enter your date of birth during the Microsoft Account setup procedure."
I've been working around the Microsoft user-creation requirement for years. Looks like they were ahead of the game. CA is marching towards private-business surveillance. What could go wrong?
That would make retro computing illegal :(
They’re trying to destroy all the best nerdy hobbies. First drones, then 3D printing, now even my precious Amiga!
I know this sounds absurd. But let me try not to be cynical and explain how we got here, according to what I understand:
First, let's admit the push for age verification laws isn't a partisan or ideological thing. It's a global trend. This California law has bipartisan sponsorship and only major org opponent is the evil G [1]. While age verification is unpopular in tech community, I imagine a lot of average adult voters agree that limiting children's access to wilder parts of the Internet is a good thing.
On this premise, the discussion is then who should be responsible for age verification. The traditional model is to require app developers / website owners to gatekeep -- like the Texas and Ohio laws that require PornHub to verify users' IDs. But such model put too much burden on small developers, and it's a privacy nightmare to have to share your PII with random apps.
This is why we see this new model. States start to believe it seems more viable to dump the responsibility on big tech / platforms. A newer Texas law is adopt this model (on top the traditional model) to require app stores to verify user age (but was recently blocked by court) [2]. And this California law pretty much also takes this model -- the OS (thinking as iOS / Android / Windows with app store) shall obtain the user age and provide "a signal regarding the users age bracket to applications available in a covered application store".
While many people here are concerning open-source OSes, and the language do cover all OSes -- my intuition is no lawmaker had ever think about them and they were not the target.
[1] https://calmatters.digitaldemocracy.org/bills/ca_202520260ab... [2] https://www.politico.com/news/2026/01/05/big-tech-won-in-tex...
I will start making a list for linux then.
rm - ok for all ages.
grep - 18+, you can obviously use this to search for porn.
find - 18+, see grep.
reboot - ok for all ages.
echo - ok for all ages.
cat - 18+, prints the porn you found directly to your terminal.
sudo - 18+, obviously.
kill - ok for all ages. This is the US, right.
ps - 18+, no peeping at other processes.