Hacker News
by ekr____ 79 days ago
OP is certainly right that a lot of this legislation is written in ways that are hard to interpret and that often seem like they would have undesirable side effects even under the assumption that the basic idea is good (whether that's actually true is a whole different question).

In the specific case of CA AB1043: (1) Systems are required to ask the user for their age and just trust whatever they say (2) Applications are required to query the system for the user's age range. Other enacted and proposed device-based age assurance mandates have different properties.

This post goes into quite a bit of detail about the various points of concern: https://educatedguesswork.org/posts/device-based-age-assuran...


I think this legislation is as dumb as everyone else does, but it also seems like the cheapest way for everyone to agree that we did something about the moral panic without actually giving up anything. It doesn’t do anything with ID or privacy or even actual verification. There’s no complicated auth dance to do with government services to verify our age tokens or whatever the latest Rube Goldberg machine “zero knowledge” age check proposal is.

I’ve been shocked at how many HN comments always come out in favor of age related legislation and heavy government regulation when the topic comes up. The pro-regulation commenters always seem to assume the age checks would never apply to them because they don’t use TikTok or Facebook or other services, yet few realize that there aren’t going to be laws written in a way that only apply to a couple named companies you don’t use anyway. If we have age verification laws then they’re going to be everywhere.

I personally hope this legislation dies and we can be done with this silly exercise, but if we’re stuck with age verification moral panic then a simple OS-level switch that we set once and then forget about seems like the least intrusive form of “age verification” we can get away with.

I disagree with your overall sentiment that this is benign because it's ineffectual in its current state. If anything, this is going to warm people up to the idea of government mandated prompts gathering personal information in their OS, and legislators in 2030 (or whenever) are going to say: "this isn't working, let's build on top of that prompt we already have and make it verify IDs"

In other words, I think this first bit of legislation had to be watered down to not receive too much backlash. This is the government's first plunge into mandating things on the frontend.

> This is the government's first plunge into mandating things on the frontend.

ADA mandates computer accessibility, as frequently interpreted by courts. CCPA & GDPR mandate a whole bunch of stuff. Hardly the first plunge.

In the context of surveillance, yes it is. I know the EU is looking down the barrel of chat control, but I'm pretty sure this California law has already been passed and goes into effect January 2027.

ADA has only ever been interpreted to apply to services. No prior law has ever been applied to specify how an OS should function.

This law violates the first amendment and will be overturned. Until then it must be resisted.

> I personally hope this legislation dies and we can be done with this silly exercise, but if we’re stuck with age verification moral panic then a simple OS-level switch that we set once and then forget about seems like the least intrusive form of “age verification” we can get away with.

Just for clarification. CA AB1043 was signed back in 2025 and takes effect January 1 2027.

I think the writing has both intentions. Both implicate companies to comply as well for the mass to not defend. If it was not, there wouldn't be a guy on TV saying that there are 5000 possible pedo cases that are not being investigated and that's why they need it.

Anyone with more than 2 brain cells can put it together

> I’ve been shocked at how many HN comments always come out in favor of age related legislation and heavy government regulation when the topic comes up.

Where do you see that? HN is overwhelmingly critical of age sniffing.

You're on the right path, but the "something" politicians want to do is specifically "regulate Facebook's patent harms to children". Facebook's counter-argument is: "we don't have a legally ironclad way to check user age, it should be Apple and Google's job". So the politicians want to write a law to make it Apple and Google's job to check age.

In other words, all of these age verification laws are here predominantly to indemnify Facebook from a growing wave of child endangerment lawsuits in a way that will ensure Facebook doesn't have to kick off even a single teen from their platforms. That's why the "verification" is just a date and an age range bucket.

My personal opinion is that these laws are stupid, but not harmful to Linux users, and that everyone angry at systemd for complying is shooting the wrong guy. Your real target is Facebook and you should be yelling at your local representative to make this bill not target Linux distros.

No, we can also be mad at the systemd guys for their very mid attempt at complying with an idiotic and unenforceable law, when the default of doing nothing was objectively the best option for them AND their end users.

> Systems are required to ask the user for their age and just trust whatever they say

If you're going to do anything like this, this is the thing they actually get right. It removes the inconvenience, privacy invasion, forced use of corporate verifiers with perverse incentives, etc. Meanwhile if the user is actually a child then their age is set by their parent.

> Applications are required to query the system for the user's age range.

This is classic legislative stupidity. Applications are required to query the user's age range even if they contain no age-restricted content? Brilliant.

> > Systems are required to ask the user for their age and just trust whatever they say

> This is the thing they actually get right. It removes the inconvenience, privacy invasion, forced use of corporate verifiers with perverse incentives, etc. Meanwhile if the user is actually a child then their age is set by their parent.

Well, maybe. For instance, if a child buys their own device they could set the age to whatever they want.

> > Applications are required to query the system for the user's age range.

> This is classic legislative stupidity. Applications are required to query the user's age range even if they contain no age-restricted content? Brilliant.

Note that AB1043 doesn't actually impose much in the way of requirements about age restricted content. Rather, the way it works is that the developer is then assumed to have "actual knowledge" of the user's age (See 1798.501(b)(2)(A)) and then has to behave accordingly in other age-restricted contexts.

I see it as fairly benign.

It requires the device/computer have a way to set the age. If you don't want to set your real age, that's fine. If you are a kid, your parent will probably have set it for you (it's really a feature for the parent, and they don't have to use it).

It then establishes that apps can know your age group, sufficient to comply with existing (and I suppose future) content age-restriction laws (where today they can dodge and say they did not know).

It's a pretty incremental step, and fairly minimal (in the range of all options proposed around the world). We can try it and see how it goes.

> For instance, if a child buys their own device

Then the law can make it illegal to sell smartphones or computers to 12-year-olds or we could just ask the parents to do a bit of work and ensure their children are not buying devices behind their backs.

The idea is to make it easy for responsible parents to give a device to their children and make it easy for legal websites to block minors from adult content. We can't get perfect results but good enough could shut up the complainers and maybe we get them to do things like educating parents on how to proceed when they gift a device to a child.

> For instance, if a child buys their own device they could set the age to whatever they want.

If a child has the money to buy a device without the parent knowing about it then they could just buy a used device that has already been configured with an account or pay a high school senior to set one up on their new device.

> Rather, the way it works is that the developer is then assumed to have "actual knowledge" of the user's age (See 1798.501(b)(2)(A)) and then has to behave accordingly in other age-restricted contexts.

How is mkdir or python3 supposed to "behave accordingly in other age-restricted contexts"? And if the answer is that its behavior is entirely unmodified, why is it required to do something without effect?

Also, who is the "developer" of a thirty year old project with thousands of contributors and multiple forks? All of them? None of them? The last one to make a commit, even if they're outside the jurisdiction?

> > For instance, if a child buys their own device they could set the age to whatever they want.

> If a child has the money to buy a device without the parent knowing about it then they could just buy a used device that has already been configured with an account or pay a high school senior to set one up on their new device.

Yes, agreed. I'm just describing how it works.

> > Rather, the way it works is that the developer is then assumed to have "actual knowledge" of the user's age (See 1798.501(b)(2)(A)) and then has to behave accordingly in other age-restricted contexts.

> How is mkdir or python3 supposed to "behave accordingly in other age-restricted contexts"? And if the answer is that its behavior is entirely unmodified, why is it required to do something without effect?

I agree this is undesirable. See: https://educatedguesswork.org/posts/device-based-age-assuran...

> Also, who is the "developer" of a thirty year old project with thousands of contributors and multiple forks? All of them? None of them? The last one to make a commit, even if they're outside the jurisdiction?

This is unspecified in the current text.

One could interpret the age verification operation must run for every command executed in interactive or non-interactive mode.

It sounds like you want to automate the invisible purposeless no-op. Is that allowed?

I was thinking of ways to implement with malicious compliance.

A minor using python3 isn't allowed to import flask.

> This is classic legislative stupidity. Applications are required to query the user's age range even if they contain no age-restricted content? Brilliant.

This is classic programmer stupidity attempting to read the law in the stupidest possible way. No - if the application needs to know the user's age because of a content restriction, it shall query the system for that, instead of getting it some other way. Unlike computer code, laws are understood by humans in a context.

> This is classic programmer stupidity attempting to read the law in the stupidest possible way.

Except you're the one missing the context. What they're trying to do with that provision is force everybody to check if someone is designated as a minor so they can't claim that they didn't know. If they let you choose whether to check then you choosing not to check could make it harder to punish you when there is a dispute about whether something should have been shown to a minor, so they wrote it in a way that lets them punish you more easily if you check and also punish you more easily (for not checking) if you don't.

The problem then follows that everyone is stupidly required to check even when it's totally unambiguous there is nothing to be done with the information, because of the risk of someone trying to punish anyone who doesn't check in order to prevent the precedent that some people aren't required to and correspondingly can't be assumed to have knowledge of someone's age.

Sensible people are pointing out that it means if you need to know if the user is a minor, you're required to check this new thing. You, however, are trying to claim grep has to check if the user is over 18. It does not.