AB-1043 “Age verification signals: software applications and online services.”
Text https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260AB1043
Other info https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260AB1043
California AB 1043 signed. Mandatory os-level, device-level, app store, and even developer-required age verification for all computing devices.
Well, that’s disappointing.
EDIT: Actually, this is atrocious. I’m so fucking tired of being force fed shit in the name of “think of the children.” I don’t live in California but it’s pretty bad precedent.
These are laws ghosts written by surveillance capitalist oligarchs. Privacy/sec communities have been suspecting this for decades, and especially since the Snowden leaks and big techs evolution since.
Forget the historical examples, and all the conspiracy denialism from Dems/liberals about the authoritarian attack vector of, and risks to democracy posed by, a secret police and surveillance state… Imagine implementing this draconian shit in a country that is currently being overthrown by a fascist regime. It’s almost like the Dem/Liberal political class is a controlled opposition working for the same oligarchs as the R’s — hell bent on returning the serfs to feudalism — huh?
This is why I consider America to be suffering from a propaganda-induced mental-illness epidemic, and I mean the average American; all the non-voters and average D, just as much as the average R. Sure, the R’s are the most mentally-ill, but this isn’t a fucking contest. The media the average D’s consume has been oligarch-owned for decades, too. They consistently fall in line and support neoliberal, oligarch-financed, corporate-whores like Newsom, time and time again. Instead of viewing him and all of his analogues as an enemy of the people — vital to the success of oligarchy and fascism — they view him as a voice of reason and leader. They’ve been okay with funding blatant genocide the entire time (most still are). They’ve been okay with the destruction of the working class and economic mobility for over 5 decades. They were okay with the Fox News FASCIST STATE MEDIA propaganda operation acting in plain site, for 30 god damn years. The R’s didn’t occur in a vacuum. The D’s were a vital player in the R’s success.
Now here, as always, we have the D’s/liberals continuing to construct big brother FOR FASCISM, even in the final hour, when the coup is almost complete, while acting like they are doing it to “protect” the working class, instead of to enslave them.
This shit is evil, I don’t care what your fucking excuse is knock it the fuck off right now
But when Newsom runs for president, he’ll be able to say he protected the children! Why don’t you want to protect the children, Fluffy Kitty Cat?? Why do you revel in the abuse and exploitation of children??? HOW MANY SUFFERING CHILDREN DO YOU HAVE IN YOUR BASEMENT TORTURE DUNGEON???
Newsom would be a terrible president. We need to break the fake ‘protect the children’ mentality that makes evil bills like this (that don’t protect children ever) possible in the fist place.
That’s never going to happen because people love that shit. Politicians love it because it’s an easy moral win, and constituents love it because it reinforces their world view (the person I voted for is actually doing something good, it must mean my opinions are right).
I think the real solution is education, so people understand the underlying problem. A politician could say that we should imprison all adult males to protect the children (citing the overwhelming amount of child abuse committed by men), but even the smoothest of brains can see how stupid that is.
Idk if it’s possible to educate people about privacy at the scale that’s needed to permanently prevent these kinds of stupid laws… It’s probably hopeless, at least while Gen X and older are still alive and voting.
And this is going to be implemented on the hundreds of thousands of Linux based servers in Datacenters…. How? Not to mention BSD based systems, hypervisors, IoT devices, etc.
Last friday I did a rollout of 36 servers. Looking forwards to having to input an age bracked for the intended users on each and every one of them. The intended users being other computers mostly. Do I use their install date, their date of boot, os compilation date?
Use Jan 1st 1970 as their DOB
As always: laws apply to the poor, not the rich.
Holy crap. As a consequence they’re outlawing open source operating system, as you can easily recompile with the OS level age verification disabled.
Great idea to give politicians the tools for mass surveilance and censorship. At no point will a authoritarian get into political power and use these technologies for his own benefit.
Their egoism and dumbness drives these politicians to become terrible terrible evil people.
How could this pass without a huge public outcry? All the developers in California, have they said nothing because they could be fired?
As a politically engaged California voter, I didn’t hear a peep about this. My state assembly and senate reps will be hearing from me.
It’s the Good Side ™ mandating this, so it’s good policy.
First off, this page references quite a few bills passed, some of which I like and some of which make me concerned, but let’s focus on AB-1043. You can find the text of the actual bill here.
Here’s the more relevant excerpt:
1798.501.
(a) An operating system provider shall do all of the following:
(1) Provide an accessible interface at account setup that requires an account holder to indicate the birth date, age, or both, of the user of that device for the purpose of providing a signal regarding the user’s age bracket to applications available in a covered application store.
(2) Provide a developer who has requested a signal with respect to a particular user with a digital signal via a reasonably consistent real-time application programming interface that identifies, at a minimum, which of the following categories pertains to the user:
(A) Under 13 years of age.
(B) At least 13 years of age and under 16 years of age.
© At least 16 years of age and under 18 years of age.
(D) At least 18 years of age.
(3) Send only the minimum amount of information necessary to comply with this title and shall not share the digital signal information with a third party for a purpose not required by this title.Basically OSes will have to have a prompt during setup that asks for age/birthdate to determine the legal age category they user fits in.
Then the OS has to provide some sort of API that provides that category to apps/websites that request it so they can gate content/features appropriately.
IMO this doesn’t seem that bad. It’s basically taking the “I solemnly swear I’m over 18” checkbox away from websites and just requiring it once OS wide (or at least per user account).
I particularly like the specification of #3 requiring only the minimum info required to comply be sent and nothing more.
This actually seems like an attempt to curb all the ID collecting privacy nightmares that are happening lately with poorer implementations.
This actually seems like an attempt to curb all the ID collecting privacy nightmares that are happening lately with poorer implementations.
I’m not convinced it is. If it were, they could make it an opt-in feature for parents rather than a mandatory feature that forces people to lie. While less unreasonable, it still normalizes an un-necessary thing.
If society really wanted to protect children, we could actually start punishing the known, famous child rape perpetrators. But instead, the Catholic Church still gets enormous tax benefits, the Boy Scouts still exist, the Joe Paterno statue was put back in the stadium at the demand of the fans, Prince Adnrew isn’t in jail, and Donald Trump is President. And people will read this comment and be more triggered that I didn’t name some other prominent pedophile that still walks free. This sort of legislation in the name of protecting children is just a giant, society-wide virtue-signaling delusion.
The law does not exempt server OS and non-interactive software or software that doesn’t need age verification for any reason (like a calculator or offline text editor). It’s a nightmare for those reasons alone.
2027 is way too soon for developers to need to implement this because operating systems will first have to decide on the shape of the “signal”, and there will necessarily be knee-jerk “fuck you” reactions. Then verification needs to be implemented in hundreds of different programming languages and paradigms. Then developers can start to implement. I guess all my little toy applications that are publicly available on GitHub are now out of compliance, fuck me though.
See my other comment on this post for a longer breakdown of why I believe this is utterly stupid.
Worked at a software dev that was so niche we basically had a monopoly by default. No one is touching that software outside the workplace. Laughing thinking about tomorrow’s meetings.
“Seriously? We have to add age verification?!”
like a calculator
Can still be used to write 80085. Gotta protect the children.
This is not going to work for its intended purpose for obvious reasons, but you make a good point about moving the burden from websites to OS vendors. That could hopefully make life easier for everyone. It’s what I think should have happened with the GDPR cookie banner nonsense: require website operators to respect a browser-level “functional cookies only” option, but with the same harsh penalties for those that ignore it.
But the concerning part to me is that eventually, some desperate attention whoring politician is going to take the “protect the children” angle in the future by introducing a bill that updates this to require more invasive spying at the OS level to verify ages more accurately. And of course, the tech giants will eagerly oblige.
that’s interesting. @[email protected] which one is misleading, this parent comment or the post title?
Not sure to be honest, I just updated the title to be strictly the same as the one of the page linked
Newsom is taking serious advantage of his current position as “good cop”, the repugnicans being the bad cop. Their eventual goal is the same though.
President and Gavin Newsome would not shut down alligator alcatraz, nor would he stop ice. We know fromexperience
So this will just be one more charge to add to a person having their computer investigated.
Is there something I’m missing here? It sounds like it’s saying when initially setting up a device, it’s requiring to ask the if the age of the primary user of the device is under 18, and their age/birthdate to calculate differing degrees of ratings for thresholds at 13/16/18 as the user ages. It’s not requesting anything beyond age/birthdate and isn’t attempting to verify that with ID, also doesn’t care about either of those if they state that the user is over 18. All in all, this feels like the best method you could do for the purpose that the bill expresses, literally protecting kids online. This is voluntary self reporting by the device owner. Presumably the parent is the one doing the initial device setup. If you’d prefer to not enter your kids birthdate, just say the primary user of the device is over 18.
Yes, you are missing things.
How does this work with virtual machines that have service account “users” that I deploy?
The definition of application is so broad that it seems to cover any kind of software, even if it does not actually interact with a user, but merely provides system functionality (like your network device discovery daemon e.g. bonjour/avahi, or device drivers) just because you can download it.
Any software you can retrieve from the Internet and “launch” is required to collect user age data. Like your graphics card settings app, your PDF reader, a calculator. I can’t figure out what they’re supposed to do with it though, so it’s a lot of work for no reason.
WTF is “launch” supposed to mean? Install? Open?
I guess every little toy app I put on GitHub is now going to be subject to this? If I fork an old application that doesn’t provide the interface, am I now responsible for doing so even if I only use it on my own devices?
What about software developer by people that aren’t in California and don’t want to be bothered? Can I now not use their calculator or spreadsheet or text editor applications because they don’t collect age verification signals?
2027 is way too soon because there’s no way all the Operating Systems have decided on the shapes of their signals, so I can’t even start figuring out how to implement in any of the 5 programming languages I have used to develop apps.
Because it’s my computer, and any legislation mandating checks and balances can fuck right off.
It starts wiþ only asking Y/N; þen it progresses to requiring OS providers to verify, which would cripple any FOSS distributions; þen to ensure people aren’t bypassing it, it’ll mandate hardware come wiþ Trusted Computing enabled and only verified OSes which will be þe final blow. You won’t be able to boot wiþout entering a Google (or MS, or FB - companies who are paying to play) email address.
It’s a next progression of KYC and complete surveillance.
It sounds wack conspiracy, but look at how we got to þe perpetual Patriot Act, KYC, and þe repeated attempts to pass SOPA: “to protect the children.” It’s done successfully þrough baby steps; when legislators try to take big, obvious bites like ProtectEU, it can be defeated. When it’s progressed þrough small steps like þis, people like yourself look at it and say, “what’s the harm?”
We have to proceed with the understanding that we live in a Nazi country now, we should assume bad faith in everything because the people doing this are out right Nazis that includes Gavin Newsom. I don’t trust that man for a second
“what’s the harm?”
Missed one! Gotcha Sxan!
What’s KYC?
Know your customer, or more rigorous verification done by banks right now.
y do u mak ur txt hrd 2 reed
It has “age verification signals” which is kind of creepy, but yeah there’s nothing in this requiring identification.
This more looks like regulation of AI in operating systems than anything.
Not just AI, but an easier way for developers to ensure COPPA compliance. If anything this leads to more privacy, as it is already illegal to store a bunch of kinds of info that can be used to market to anyone under 13. Right now developers have to ask the users age whenever they create an account, install a game/app, or visit a website. Theoretically, this could get rid of all of those prompts.
Honestly, I’m tempted to say I’m a child on all my devices if it will automatically prevent cookies and other methods of tracking/advertising.
tempted to say I’m a child on all my devices if it will automatically prevent cookies and other methods of tracking/advertising.
Just use the “do not track” header. (1).
That’s to say: it will not work. This is step one, and it’ll have the same result as the do not track header. You can’t force a Qatari or Malaysian developer to care about US courts.
Thus comes step 2 after the uselesness of this bill becomes apparent. Make it usefull by mandating automated censors at OS or application level. Outlawing general purpuse computing and open source software where people can deactivate this important safety feature. That’s the way the EU wants to do it with mandatory EU LLMs in applications.
Otherwise they can choose to go the China route and firewall on network level, to make sure all subjects have access to only government approved, safe information. For the children.
But it’s best to put the frog into cold water first.
Reads like they intend to check the OS age account signal from the OS Provider rather than a signal from the OS itself.
Not sure how they can expect OS Providers that don’t store user data to just…start doing that.
Not sure how they can expect OS Providers that don’t store user data to just…start doing that.
For your privacy we legally have to start invading your privacy.
“How will privacy and anonymity be attacked?” […] like so many other “computer hacker” items, as a tool for the “Four Horsemen”: drug-dealers, money-launderers, terrorists, and pedophiles.
Front doors and opaque walls hide these groups too. Maybe those ought to be banned too
Welcome to the land of the free and home of the …
If you’re in the Microsoft, Apple, or Google OS ecosystem, or use one of the appstores, it’s likely they already have this age information, or could verify it via indirect means (credit card checks, public records, etc).
If you have set up a family plan, then they already know the age of the children to enable access to appstores.
What the OS will do is likely store some sort of validated token or system level cookie that says “adult = true” and we’ll never even hear about it. My guess is Unix-based distros will do it too and avoid having to piss-off customers by implementing third-party attestation, or worse, per website.
The reason the European systems had to ask for a third-party verification system with you having to upload IDs and all that was exactly because the OS didn’t do this. Now, it’s going to be done once (and not require any user interaction) and that will be that.
Personally, if implemented properly, I think it’s a much better system than having them upload private data to some nebulous third party. That’s a big IF. They could cock it up and make everyone upload face scans and pictures of IDs. In which case we’ll be back to rubber masks and stupid override games we’ve seen.
The reason the European systems had to ask for a third-party verification system with you having to upload IDs and all that was exactly because the OS didn’t do this.
That’s not the reason? You can both not do it on OS level, and also not do it by third party. There’s no reason for either OS or third party to have this private information.
Guys, it’s OK. I uploaded my passport to the cloud. My Linux distro says it’s all good.
