What I'm confused about is how the proposed bills would apply to servers.
Like, in general, a software change to add an "age class" attribute to user accounts and a syscall "what's this attribute for the current user account" would satisfy the California bill and that's a relatively minor change (the bad part is the NY bill that allegedly requires technical verification of whatever the user claimed).
The weird issue is how should that attribute be filled for the 'root' or 'www-data' user of a linux machine I have on the cloud. Or, to put aside open source for that matter, the Administrator account on a Windows Active Directory system.
Because "user accounts" don't necessarily any mapping (much less a 1-to-1 mapping) to a person; many user accounts are personal but many are not.
We're all going to have to use service accounts created on Windows Server 2003 or RHEL 4, otherwise they won't be old enough and will require manual login from an of-age administrator
I am now waiting for Gruber (daringfireball.net) to post another rant about how terrible EU regulation is.
Zero-knowledge proofs are the way to go for this type of thing, I find it mind-boggling that the US lets itself be bamboozled into complete lack of privacy.
I am from EU, and contrary to age verification laws in general.
My stance is that if somebody is a minor, his/her/their parents/tutors/legal guardian are responsible for what they can/cannot do online, and that the mechanism to enforce that is parental control on devices.
Having said that, open-source zero-knowledge proofs are infinitely less evil (I refuse to say "better") than commercial cloud-based age monitoring baked into every OS
> Having said that, open-source zero-knowledge proofs are infinitely less evil (I refuse to say "better") than commercial cloud-based age monitoring baked into every OS
To be honest, I worry that the framing of this legislation and ZKP generally presents a false dichotomy, where second-option bias[1] prevails because of the draconian first option.
There's always another option: don't implement age verification laws at all.
App and website developers shouldn't be burdened with extra costly liability to make sure someone's kids don't read a curse word, parents can use the plethora of parental controls on the market if they're that worried.
> App and website developers shouldn't be burdened with extra costly liability
Why not? Physical businesses have liability if they provide age restricted items to children. As far as I know, strip clubs are liable for who enters. Selling alcohol to a child carries personal criminal liability for store clerks. Assuming society decides to restrict something from children, why should online businesses be exempt?
On who should be responsible, parents or businesses, historically the answer has been both. Parents have decision making authority. Businesses must not undermine that by providing service to minors.
> Physical businesses have liability if they provide age restricted items to children.
These are often clear cut. They're physical controlled items. Tobacco, alcohol, guns, physical porn, and sometimes things like spray paint.
The internet is not. There are people who believe discussions about human sexuality (ie "how do I know if I'm gay?") should be age restricted. There are people who believe any discussion about the human form should be age restricted. What about discussions of other forms of government? Plenty would prefer their children not be able to learn about communism from anywhere other than the Victims of Communism Memorial Foundation.
The landscape of age restricting information is infinitely more complex than age restricting physical items. This complexity enables certain actors to censor wide swaths of information due to a provider's fear of liability.
This is closer to a law that says "if a store sells an item that is used to damage property whatsoever, they are liable", so now the store owner must fear the full can of soda could be used to break a window.
That's not a problem of age verification. That's a problem of what qualifies for liability and what is protected speech, and the same questions do exist in physical space (e.g. Barnes and Noble carrying books with adult themes/language).
So again, assuming we have decided to restrict something (and there are clear lines online too like sites dedicated to porn, or sites that sell alcohol (which already comes with an ID check!)), why isn't liability for online providers the obvious conclusion?
App and website developers shouldn't be burdened with extra costly liability to make sure someone's kids don't read a curse word, parents can use the plethora of parental controls on the market if they're that worried.
App and website operators should add one static header. [1] That's it, nothing more. Site operators could do this in their sleep.
User-agents must look for said header [1] and activate parental controls if they were enabled on the device by a parent. That's it, nothing more. No signalling to a website, no leaking data, no tracking, no identifying. A junior developer could do this in their sleep.
None of this will happen of course as bribery (lobbying) is involved.
My personal stance: If a site wants me to verify anything I will not do business with them. If a government site wants this, they will keep wanting. If I run a small website I will ignore this nonsense. If they bother me the site moves to Tor.
Yes! This is the way, give parents the ABILITY to advertise the users age to browsers, apps and everything in between. Only target cooperations, do not target open source projects. Fine websites for not using this API (ex: porn sites). Assume an adult if not present.
> Fine websites for not using this API (ex: porn sites).
Recent posters here are clear that porn sites are setting every available signal that they are serving adult-only content.
According to them, you are targeting the wrong audience.
Facebook/Instagram studying how to get young users addicted should be of greater concern. I have my doubts about the effectiveness of age-based blocking there, though.
Both are problems, porn sites have also targeted children and any non-enforced age “verification” on these sites is simply plausible deniability that isn’t plausible at all
> give parents the ABILITY to advertise the users age to browsers, apps and everything in between.
Accounts and Applications to services that provide countent are set to a country-specific age rating restrictions (PG, 12+, 18+, whatever). That's it.
None of the things you mentioned have any point to concern themself with the age or age-bracket of the user in front of the device. This can and will be abused. This is very obvious. Think about it.
That is what I meant by age(-rating), you are correct. However, drop country specifics - too complicated. Age brackets are enough: child, preteen, teen, adult. At around 16-17 these should be dropped anyway since at that point people are smart enough to get around these measures anyway and usually have non-parent controlled devices.
This is a great solution to the stated problem. The issue is that nobody is actually trying to solve the stated problem. This is a terrible solution to the real 'problem' which is the lack of surveillance power and information control.
>This is a great solution to the stated problem. The issue is that nobody is actually trying to solve the stated problem. This is a terrible solution to the real 'problem' which is the lack of surveillance power and information control.
So on the Sony consoles I created an account for my child and guess what they have implemented some stuff to block children from adult content on some stuff.
So if Big Tech would actually want to prevent laws to be created could make it easy for a parent to setup the account for a child (most children this days have mobile stuff and consoles so they could start with those), we just need the browsers to read the age flag from the OS and put it in a header, then the websites owners can respect that flag.
I know that someone would say that some clever teen would crack their locked down windows/linux to change the flag but this is a super rare case, we should start with the 99% cases, mobile phones and consoles are already locked down so an OS API that tells the browser if this is an child account and a browser header would solve the issue, most porn websites or similar adult sites would have no reason not to respect this header , it would make their job easier then say Steam having to always popup a birth date thing when a game is mature.
That's why I suggested kernel enforced security (simple syscall) that applications could implement and are incredibly hard to spoof / create tools and workarounds for, but I got downvoted to hell.
Permission restricted registry entry (already exists) and a syscall that reads it (already exists) for windows and a file that requires sudo to edit (already exists) and a syscall to read it (already exists). Works on every distro automatically as well including android phones since they run the linux kernel anyway. Apple can figure it out and they already have appleid.
For linux we have the users and groups concept, the distro can add an adult group and when you give your child a linux a device and create the account you would just chose adulr or minor , or enter a birthdate. No freedom lost for the geeks that install Ubuntu or Arch for themselves and we do not need some extra hardware for the rare cases where a child has access to soem computer and he also can wipe it and install Linux on it. Distro makes can make the live usb default user to be set as not adult. Good enough solutions are easy but I do not understand why Big Tech (Google and Apple) did not work on a standard for this. (maybe both Apple and Google profits would suffer if they did)
Three states now implement this solution that you just called a great solution, and most of HN still hates it. Are they seeing something that you're not? https://news.ycombinator.com/item?id=47357294
This is what I think. I saw someone else on HN suggested provide an `X-User-Age` header to these sites, and provide parents with a password protected page to set that in the browser/OS.
Responsibility should be on the website to not provide the content if the header is sent with an inappropriate age, and for the parent to set it up on the device, or to not provide a child a device without child-safe restrictions.
It seems very obviously simple to me, and I don't see why any of these other systems have gained steam everywhere all of a sudden (apart from a desire to enhance tracking).
"mechanism to enforce that is parental control on devices."
Meh, I use it, but it's super annoying and I think that with my Daughter I'll take a different approach (but it will be some years before that is relevant).
On Android: The kid can easily go on Snapchat (after approval of install of course, and then you can just see their "friends") before Pokemon Go (just a pain to get working, it keeps presenting some borked version which led to a lot of confusion at first). I just lied about his age in a bunch of places at some point. Snapchat is horrible and sick from our experiences in the first week.
On Windows: It's a curated set of websites (and no FireFox) or access to everything. It's not even workable for just school. Granting kids access to our own minercraft servers: My god, I felt dirty about what the other parents had to go through to enable that.
The steelman argument is that parents are not necessarily up to date on the technology, and cannot reasonably be expected to supervise teenagers 24/7 up to the age of 18. Compare movie ratings or alcohol laws, for example: there's a non-parental obligation on third parties not to provide alcohol to children or let them in to R18 showings.
But the implementation matters, and almost all of these bills internationally are being done in bad faith by coordinated big-money groups against technologically illiterate and reactionary populist governments.
(if we really want to get into an argument, there's what the UK calls "Gillick competence": the ability of children to seek medical treatment without the knowledge and against the will of their parents)
In the UK parents can give children alcohol below the age of 18. parents get to make the final decision at home so I do not think its really comparable.
I would personally favour allowing parents to buy drinks for children below the current limits (18 without a meal, 16 for wine, beer and cider with a meal).
The alternative to this is empowering parents by regulating SIM cards (child safe cards already exist) and allowing parents to control internet connectivity either through the ISP or at the router - far better than regulating general purpose devices. The devices come with sensible defaults that parents can change.
Everyone shouldn't have to lose their privacy just because you're too lazy to use parental controls or give your kids devices that are made for children.
The other stance is that most parents are not capable of winning a battle against tech giants for the mind of their children, just as parents were not capable of winning this fight with tobacco and alcohol companies.
They want it because it absolves them of responsibility for what their app does to kids. They can then just point to the existence of an already working mechanism for parents to intervene. The alternative would be for each app to implement stringent age verification or redesign itself to avoid addictive patterns. Neither option is good for their earnings.
I have personally worked with parents trying to prevent their children from using social media and it’s nearly impossible. Kids are almost always more tech savvy than their parents and unlike smoking it’s nearly impossible to tell a child is doing so without watching them 100% of the time.
Disingenuous, but I'm sure you know that and were being intentionally so. The government is not using alcohol age laws as a justification to place a camera in your bedroom to make sure you aren't sneaking booze, but it is using internet age laws as a justification to surveil your entire life in a world which is becoming increasingly digital-mandatory to participate in government services or the economy. Nobody had a problem with internet age laws when "are you over 13? yes/no" was legally sufficient.
> Having said that, open-source zero-knowledge proofs are infinitely less evil (I refuse to say "better") than commercial cloud-based age monitoring baked into every OS
Parent prefers more control by parents over zero-knowledge proof
If that was your point, I don't think your previous comment did a very good job of making it at all.
I do think parental controls can be and are abused for evil, but they're still better than the alternative. Zero-knowledge proof is not an alternative, and to suggest that it is is misunderstanding the situation. These laws are proposed and funded by people who want complete surveillance of the population. Zero-knowledge proof is, therefore, explicitly contrary to the goal and will never be implemented under any circumstances. Suggesting that it can be muddies the issue and tricks people into supporting legislation that exists only to be used against them.
In a benevolent dictatorship, sure, go for a zero-knowledge proof verification as your solution. In the reality of democracy, where politicians are corporate puppets who cloak surveillance laws in "think of the children" to rally support from the masses, we need to convince people to see through the lie and reject the proposals outright while reassuring them that they can protect the children themselves via parental controls. You will never be able to sufficiently inform 50.1% of the population of any country of what zero-knowledge proof even means, let alone convince them to support age verification laws but strictly conditional on ZKP requirements. That level of nuance is far too much to ask of millions of people who are not technically-informed, and idealism needs to give way to pragmatism if we wish to avoid the worst-case scenario.
Same here, EU citizen who thinks parents should do some parenting, after all. However, try to confront "modern" parents with your position. Many of them will fight you immediately, because they think the state is supposed to do their work... Its a very concerning development.
Even with ZKP this is still highly problematic, it create difficulty for undocumented people to access the web, create ton of phishing opportunity, reinforce censorship on most site (as they will now all need to be minor compliant or need age verification), reinforce the chilling effect and make the web even less crawlable/archivable (or you need to give a valid citizen ID to your crawler/archiver).
With no proof it will protect anyone from proven harm.
>it create difficulty for undocumented people to access the web
Why is this such a sticking point in US politics? If the "undocumented" people aren't supposed to be in the country in the first place, why should rest of society cater to them? Even if you're against age verification for other reasons, dragging in the immigration angle is just going to alienate the other half of the population who don't share your view on undocumented people, and is a great way to turn a non-partisan issue into a partisan one. It's kind of like campaigning for medicare for all, and then listing "free abortions and gender affirming surgery" as one of the arguments for it.
The same argument could be said for other age verification methods. Nothing stops a kid from getting their older cousin to verify their identity for something and it will never be possible to prevent this.
The people proposing these laws presumably think imperfect enforcement is better than no enforcement at all. In the non-zero-knowledge case, it's possible to revoke falsely shared credentials.
Though the EU is at large keeping it's composure with this. My only criticism towards the EU as an EU citizen is how slow and bureaucratic the EU is and that decisions that should be made on the fly are dragged on forever.
That said, government agencies have been doing a terrible job at keeping the private information of citizens safe. But it is nowhere nearly as bad as the US. My best childhood friend died in very questionable circumstances in 2009 in the US in very questionable circumstances. He had a US citizenship and we never really found out what had happened(to the point where we never really got any definitive proof that he had died). But that didn't stop me from trying and I was blown away by the fact that I could log into a US government website, register with a burner mail, pay 2 bucks with an anonymous gift credit/debit card and get a scanned copy of his death certificate in my email. And I didn't even have to provide his passport/id/anything. Just his name.
Point is, the US has been terrible at privacy for as long as I can remember. It is probably worse now with Facebook and Ellison holding TikTok.
The critical thing is not so much "Americans" as "big money". Big Russian money is also a threat. Big Chinese money .. well, there's a bit of that about, but it doesn't seem to have shown up at the legislation influencing layer.
Oh, that's a different topic: as someone from and living in eastern Europe, there's not a single doubt in my mind that the biggest threat to any civilization is russia by a long shot. The alarming part is that the current US administration hasn't got a single clue of history, suffers from chronic incompetence and the whole superiority complex and fanboying russia as a consequence - those pose a threat. In the context of the conversation, the incompetence is arguably the biggest facepalm moment.
Most civilization is not in Eastern Europe though, Russia is not a threat outside of its immediate proximity and its relative strength has only lessened over the decades
Russia is not a _physical_ threat outside of its immediate proximity.
But they invest large amounts of money to propaganda channels everywhere, have direct military influence in large parts of Africa, are known to poison people in the UK and elsewhere, etc.
> its relative strength has only lessened over the decades
Russia is not a _physical_ threat outside of its immediate proximity.
But they invest large amounts of money to propaganda channels everywhere, have direct military influence in large parts of Africa, are known to poison people in the UK and elsewhere, etc.
At this point the US is arguably a much larger threat to random small countries. "We will make so much money if we find a reason to attack <your country>" is the real threat, if any. Of course, far behind other existential threats.
Experience is no good reason to make a blanket statement about a country and all its people, especially not when it's made with such an assertive voice.
Is it not? Have you heard about a TV program called the news? They have caused more death to eastern Europe than Hitler did in WW2 and is continuing to do so, has infiltrated countries and governments for generations, actively threatens everyone on daily basis and the entirety of their social media (domestically and expats/immigrants/spies) is nothing but endless wishes for death of anyone that is not russian. Westerners see that through the prism of "out of sight, out of mind" + language barrier, but the threat is neither out of sight, nor out of mind. Spend a few hours on bellingcat and you'll quickly change your mind.
> Experience is no good reason to make a blanket statement about a country and all its people
> Is it not?
No, and no part of your comment really seems to argue otherwise? I know about current world events. Your argument was that "experience" is a good enough reason to make a blanket statement about a country and all its people, and you doubled down on it, so it's not even like I'm constructing a strawman here or anything.
It's just wild to me how far this kind of blind hate goes. If "experience" is enough to say that a country is a bigger threat to civilization(!) than, lets say, pandemics, natural disasters, global nuclear war, etc., then there really remains no basis for any kind of healthy discussion. At that point it's just blind hatred.
I've never been subtle about how I feel about russians: Private properties confiscated. Several instances of terminal diseases in my family as a direct consequence of their actions. Several instances of people spending their entire lives in concentration camps, several instances of people being thrown out of hospitals and let to die in the streets. To the point where I barely have any living relatives. And in recent years, death of a number of close friends. And I am supposed to have a different feelings? Come back to me when you go through the same.
I'm sorry, I don't mean to invalidate your own experiences. I understand the need for hyperbole, and I also cannot even begin to understand the pain and suffering that you must have experienced. I'm not talking about that.
I'm trying to steer the conversation to stay factual, because I usually appreciate HN for its clear communication style. Sorry for offending you and I'm sorry if I've caused you further suffering. Let's not continue this conversation.
I think this is entirely reasonable given the history of Russia vs Eastern Europe, but especially the invasion of Ukraine. Russia is currently being held at the Dnipro river, but Putin has stated his intention to "recapture" most of the former USSR.
> Putin has stated his intention to "recapture" most of the former USSR.
I keep hearing this but I struggle to find any sources, beyond articles like [1] which are... not particularly good sources, even a reddit comment would be a better primary source than that.
I'm not trying to be combative, I just genuinely struggle to find primary sources, probably because I'm using the wrong keywords or something.
I understand the reasoning, but I would love to actually see/read/hear/whatever where Putin "states" this desire explicitly!
That's a book by Aleksandr Dugin, not Putin. I was asking specifically if there are ANY sources for the recurring statement that Putin wants to conquer back former USSR states. I see why its concerning, and how Dugin's close ties to the government are interesting, but I do not see a quote, or any other source, where Putin explicitly STATES this intent. I don't see it.
Surely I'm missing something here. Putin's 2023 "The Concept of the Foreign Policy of the Russian Federation" also does not state conquering back former USSR states. Where is it? If he states it so clearly that people keep quoting it, surely there must be a source for it? Sorry if I'm a PITA.
To be clear, I'm interested in this because this would be a fantastic argument to bring to discussions, but without having seen a source, I don't think I could.
Imagine that someone writes a post saying something outrageous. And imagine that Trump retweets it. He didn't say it... but he kind of did.
I think Dugin's book is like that. Sure, Dugin said it, not Putin. But IIRC Putin did some things to make Dugin's book more influential. I forget the specifics - making it required reading in the Russian military academies, maybe?
There have been other statements by Russian politicians who are widely regarded as Putin's mouthpieces. Medvedev, certain key figures in the Russian parliament. I know I've seen that, though I don't recall the specifics.
So Putin maybe didn't say it. And yet, his endorsed mouthpieces (more than one) do say it.
You said "without having seen a source". Well, I didn't give you one. But if you want to look, I have given some places to start.
I fully get that! I understand how people get to that conclusion. What I don't understand is why I repeatedly see people online, also on HN (as you can see), who claim that Putin "stated" that he wants to rebuild the USSR, when I can't find any source that he did.
> making it required reading in the Russian military academies, maybe
Yeah, I think he did.
> So Putin maybe didn't say it.
That's my concern. When people make the statement that he did, when he didn't, they essentially preempt any reasonably discussion and start it off on the entirely wrong foot.
If I want to have a discussion with my neighbor about him not cleaning up his own trash, surely I would not start the discussion with "you LOVE living in trash, don't you", even if I can reasonably deduce that he does. It just turns the entire discussion hostile to make claims that aren't supported, and it weakens all subsequent arguments!
But does it start the discussion off on the entirely wrong foot? If Putin endorses Dugin's book, requiring the military academies to read it, don't we have fairly high confidence that it is at least close to Putin's position?
So I don't think it's the entirely wrong foot. It's a shortcut and an imprecision, but the point (that Putin actually thinks this) seems to be valid. (Though one should have less than 100% certainty that it represents his position - but with Putin, that should apply to a direct quote as well.)
No, the way to go is the California way. The device owner (root user) can enter the age of the user. Restrictions are applied based on that. Nothing is verified.
Seeming as this affect everyone .. Is there anything like and Open Collective .. grassroots consortium, to put together strong sensible zero-knowledge proof based policy examples that could be given to law-makers instead of this shadowy surveillance Trojan horse nonsense?
These bills also need to be opposed on a legal/political level.
Something I realized last night is that people who lie about their age to send false signals may inadvertently open themselves up to CFAA liability (a felony). So this is a serious matter for users who want to maintain anonymity.
CFAA has been narrowed in scope through legal decisions but AFAIK it still applies to anyone using false information to bypass security measures. In my view, a federal prosecutor could easily make the argument that age gating is a security measure. You’re welcome to be a test case if you disagree!
Every single Linux kernel currently operating within the borders of any of these states should turn itself off and refuse to boot until an update is installed after these bills are rolled back.
We should also update all FOSS license terms to explicitly exclude Meta or any affilites from using any software licensed under them.
I probably don't have all the info on the various laws across the US and EU that are being pushed, but I'm confused why Linux distros don't just update their licensing and add a notice on the installation screen that it is illegal to run their OS in places where these laws exist?
Heck, Linus Torvalds should just add an amendment to the next release of the Linux Kernel that makes it illegal to use in any jurisdiction that requires age verification laws.
This would obviously cause such a massive disruption (especially in California) that the age laws would have to be rolled back immediately.
This seems like a no-brainer to me but I am admittedly ignorant on this situation. I'm sure there's a good reason why this isn't happening if anyone cares to explain.
That would be a violation of the copyright law or the GPL licence - you aren't permitted to take GPL code and redistribute it with some extra restrictions added on to it.
If it's not (fully) your code, you aren't free to set the licence conditions; Linus can't do that without getting approval from 100% (not 99% or so) of authors who contributed code.
What one can do is add an informative disclaimer saying "To the best of our knowledge, installing or running this thing in California is prohibited - we permit to do whatever you want with it, but how you'll comply with that law is your business".
The Linux kernel is licensed GPLv2. The GPLv2 license forbids adding addition terms that further restrict the use of the software.
A "Linux distro" is not the Linux kernel. It's possible for some distros to add such license terms to their distribution media, but others like Debian and Debian-based ones adhere to the GPL so no go.
Because they want market share, and throwing a hissyfit over being asked to add an "I am over 18" checkbox is not good PR. If Debian starts refusing to work in California because it doesn't want to add a checkbox, it will simply be replaced by someone who adds that checkbox and doesn't throw the fit.
If this was somehow introduced without anyone noticing and deployed, imagine the damage it would cause.
If we're fantasizing here, I like to imagine two major OS makers trying to comply these laws, fail miserably, and let FOSS OSes and kernels more recognition in the desktop market.
Honestly, like the Left-pad incident [1], getting things to go suddenly dark is extremely effective at getting people to drop everything else to fix an issue.
Ideally, getting these servers to auto turn off the day this goes into effect ("In compliance with this new law, Linux is now temporarily unusable. Please <call to action>.") would be glorious for getting the bill staved off, or killed.
It would hurt some productivity, but that is a risk these lawmakers taking donations are probably willing to make.
"some"? It would hurt a lot of productivity lol. If all linux boxes turned themselves off suddenly, I think the internet would fall over pretty fast. I dont know how much of the internet runs on windows or apple (or others), but I cant imagine it's very much
When I moved from Sweden to Ireland and realized the Swedish central address registry makes moving fantastically easy, I started dreaming of a central registry where consumers and producers could meet. I can give my supplier access to exactly the information they need, and nothing else. I can revoke access when I feel like it. Like OAuth2 for personal data. They can subscribe to updates. It could be a federated protocol.
Not saying I think it's a good idea to provide the year of birth to all sites, but (session ID, year of birth) is the only information they would need. The problem is proving who's behind the keyboard at the time of asking, which would require challenge-response, and is why I think this should be an online platform, not a hardware PKI gadget with keys inevitably tied to individuals.
Knowing what we know about the current environment, each company is going to start selling everything they know about you to anybody who's willing to pay. Enforcing privacy is hard not because it's not possible, but companies have greater financial incentives to just breach your privacy to track and manipulate us.
AI companies are also donating tens of millions to these PACs and others that are promoting age verification laws, it lets them sell AI content rating systems using their models.
I’m curious why Meta would benefit. Meta seems wholly unnecessary, the verification can be done at the OS level, completely in the hands of Apple/Alphabet and maybe Microsoft.
If anything, Meta’s utility would seem to shrink if the OS handles proof of being a real person.
Regulatory capture through a higher barrier to entry. Any social media platform that wants to compete with Meta's portfolio will now also need to have an age-verification system in place (which is guaranteed to introduce higher costs). Meta can likely afford to eat the costs here as a tradeoff for the higher impact on smaller players.
It also gives them more information on users as a bonus. Further, verification with a real ID is also a quite effective barrier against excessive bots.
Look beyond the CA law, states have already passed laws that put the liability on app and website developers to ensure users aren't kids, there's no passing the buck to Apple or Google.
Meta's entire business model lives on ad deals that are not on the frontend. They are in the data business and this campaign is to get access to more data without an option to opt out. Who takes the data doesn't really matter.
The same sort of thing is happening for the 3d printer laws. Some company is trying to legislate its own software into ubiquity (guns first, then copyright enforcement) and then double-dip by charging both IP holders and printer manufacturers for their "services".
This was the thing the saws-all (or whatever it was called, the brake that stops you from cutting your fingers off with the table saw) tried, right? I don't know if it succeeded but the idea was a government mandate for an otherwise good idea. Everyone then pays more.
I don't understand it .
There are so many ways to child-proof a device .
Google Family Link and the Apple equivalent .
Use cloudflares Family dns (blocks porn websites etc ..)
Instead of just creating a course that explains how to child-proof a device, we have to surveil everyone.
for ~2 decades i have attended events, written to my representatives, proposed solutions to whoever i can, and encouraged my students to do the same as various attempts are made to strip regular people of their privacy. for ~2 decades now, i have been trying to fight this fight.
one scary observation is that each year, less and less people care. at least, this is true among my students. plenty of them believe the 'protect the children' line and are more than willing to do whatever the government/big tech suggests. or they just shrug ("what difference would i make?").
for context, i teach at a college level, in tech. a few of my classes are from the cybersec program, one of the programs that should understand and care about the implications of bills like these, and even the majority of them do not care about this stuff anymore. they grew up with instagram and facebook and cameras everywhere. they grew up knowing that any little fuck up they have is recorded and posted online. they know that by the time they go to college, all of their data has already been leaked a few times. they never really had an expectation of privacy in the first place, so it just isnt a big deal.
as someone who interacts with this next generation of "hackers" on a daily basis... the concept of cypherpunk is gone. i got into this field because of my beliefs. they are going into this field because they want a chance at buying a house some day, and know that big tech has big bucks.
i am tired. and i recognize that this is exactly what they (lobbyists, meta, etc.) want! but i am tired and discouraged. more and more i find myself having to actively fight the urge to give up. i am not ready to give up just yet... but, i am sorry to say that as someone closer to retirement than i am comfortable admitting, i only have so much energy left.
Damn, had to scroll a couple of comments to find this:
Anthropic donated $20 million to Public First Action, a PAC that promotes Republican Senator Marsha Blackburn and her sponsored Kids Online Safety Act (KOSA), a bill that will force everyone to scan their faces and IDs to use the internet under the guise of saving the children.
The legislative angle taken by companies like Anthropic is that they will provide the censorship gatekeeping infrastructure to scan all user-generated content that gets posted online for "appropriateness", guaranteeing AI providers a constant firehose of novel content they can train on and get paid for the free training. AI companies will also get paid to train on videos of everyone's faces and IDs.
As for why Blackburn supports KOSA:
Asked what conservatives’ top priorities should be right now, Senator Blackburn answered, “protecting minor children from the transgender [sic] in this culture and that influence.” She then talked about how KOSA could address this problem, and named social media platforms as places “where children are being indoctrinated.”
If Anthropic, the PACs it supports and Blackburn get their way with KOSA, the end result will be that anything posted on the internet will be able to be traced back to you.
Christ on a crutch, had they donated $25k or something you'd figure it was just a rounding error, but why this much from a company that isn't profitable? This is doing nothing to disabuse me of my theory 90% of "Startup Culture" is just an excuse for rich people to move money around. "Need to get your stoned mope of a C student a head-start on a resume that will let him stay gainfully employed? Well, I just brokered a VC deal for these kids that want to throw micro-concerts in parking spaces, we'll get your boy in as Senior Music Programmer."
That is the most serious thing you can do, and the most effective.
Do you know how democracy works? There are these people called representatives. They are hired by you. They pass laws. They only get to continue having a job if people like you vote for them. When you tell them "I don't like the law you are passing", they are hearing "the people who hire me are angry with me". The more people that are angry at what they're doing, the more their job is at risk.
They do what the lobbyists say because somebody else is doing the work, and they get paid (by the lobbyist). But they won't have a job to get paid for if the voters don't vote for them again. So your entire defense against tyranny and bad laws is you speaking out. If you never talk to your reps (or vote), you're telling them you don't care what kind of government it is, and they really will do whatever they want.
You have to tell them how you feel, along with all the rest of us. That's the only power we have.
In addition to that, tell everyone you know. Your friends, family, coworkers, the dude running the local gas station. Explain to them why government-mandated surveillance of everything they do on a computer is a bad idea. Ask them to talk to their reps.
TLDR: Meta want to push all the age verification requirements onto the OS makers (Apple, Google, everyone else gets caught in the crossfire) so that they don’t have to do anything AND they want it done in such a way that they can use it to profile people to push them targeted ads.
Its like they want to keep being seen as the bad guys.
I think this is also a way of getting ahead of any “ban social media for teens and preteens” bills that might pop up in the US. They do not want repeats of Australia! By adding age verification into the operating system they can deflect responsibility but also respond to legislators with a scalpel rather than getting sledge-hammered.
I want reverse age verification that lists the ages of every social network post. I think a lot of people that criticize social network toxicity don't realize their interlocutors are half their age. It's not one-to-one, meaning maturity doesn't follow from age, but I think there would be some affordances made in both directions. A younger person would be less surprised that a 60+ yr old would hold certain views. And vice versa.
The idea that it might cost "someone" $2 every time a user opens and app AND it sends a bunch of private data to a 3rd party is completely dystopian, let alone everything else.
And a serious question: with deepest respect to the author for their extraordinarily impressive time and effort in this investigation... Why was this not already flagged by political reporters or investigative journalists? I'm not American so maybe I don't understand the media structure over there but it feels like SOMEONE should have been all over this way before it's gotten to the point described in this post.
When a megacorp funds a network of non-profits to lobby a bunch of politicians, draft legislation, and tell them to take it to committee, that can happen without much visibility, especially when it's been orchestrated at the state level, as this has. Where does any of this show up until there's a vote called on it? And even, then, someone has to be watching, and then figure out what it is, and if there's a story there, and they're not going to get any help from anyone because everyone involved knows how the public is going to feel about it.
Compare this to what the EU built. The EU Digital Identity Wallet under eIDAS 2.0 is open-source, self-hostable, and uses zero-knowledge proofs. You can prove you're over 18 without revealing your birth date, your name, or anything else. No per-check fees, no proprietary SDKs, no data going to a vendor's cloud. The EU's Digital Services Act puts age verification obligations on Very Large Online Platforms (45M+ monthly users), not on operating systems. FOSS projects that don't act as intermediary services are explicitly outside scope. Micro and small enterprises get additional exemptions.
The US bills assume every operating system is built by a corporation with the infrastructure and revenue to absorb these costs. The EU started from the opposite assumption and built accordingly.
Just another reminder of how we need to protect what we have in the EU (not a guarantee, but at least a chance of fair dealing and a sustained commitment to civic values). Now that the mask has fully fallen, we have to take every step possible to root out American influence.
QWACs exist to provide a more stringent and user-accessible way to assert a website's identity, mostly to foil phishing and other exploits that regular certificate systems don't address well. Where does this cross into censorship at all?
Oh, stop. Tinfoil-hatting like this is how privacy and internet freedom activism gets a bad rap.
QWAC certs are only for "high value" sites: banks, government services, etc. They can only be issued by "Qualified Trust Service Providers" (e.g. digisign, D-TRUST, etc -- not governments), and cost many hundreds of euros. Your blog and mastodon instance and 98% of businesses just aren't affected.
People operating in "high risk" sectors that need access to payment infra (porn, drugs, etc) are, as always, going to have a hard time. That's a worthy conversation, but nothing about QWAC or eIDAS is about "the government not issuing certs to people they don't like".
It's not really tinfoil hatting, EU countries already deny privileges based on political affiliation and so on. Germany shut down a Muslim cultural center for refusing to censor a speech by someone who came from Gaza, merely because of the fact they came from Gaza. Limiting government power is still something the EU needs - they're not all good.
This is how total control of a platform always starts. Google starts with Android and just does digital signing for applications through their store. Until they achieve control of the platform, then suddenly you can't load your own applications without them signing it either.
Secure Boot is just a technology for those that need it, until Microsoft decides it's mandatory for everyone.
I don't understand why nobody in the comments is freaked out about this. This isn't just "oh Google knows my age", or "oh politicians being corrupt again!" This is "the government made a law that every computer in the world must track every person's identity and send it to the cloud".
No offline devices. Commercial vendors get your biometric data (and the equivalent of your driver's license / SSN). Every application on the OS can query your data.
If you think it stops with one bill, after they get all the infrastructure for this in place? You're fooling yourself. The whole point of this is to identify you, on every web page you visit, every app you open, on every device you own. Once bills are passed, it's very hard to get them revoked or nullified.
This is the most aggregious, authoritarian, Big Brother government surveillance system ever devised, and it's already law. I am fucking terrified.
(Yes, the EU has a less horrifying version of this. But Google, Apple, and Microsoft still control most of the devices in the world, and they are US companies.)
How much do you want to bet that Amutable, via its founder's control of the systemd codebase and ability to drive change, will be first-in-line to force a switch to its variant of systemd, along with a module for age verification?
I don't see it as coincidence that with all these laws passing, suddenly he announces a secure, "controlled", "locked down" version of systemd. Why, RedHat and Ubuntu can simply drop in this new variant, pay a small fee, and be done with compliance.
America will just get behind even more as years pass behind Europe in terms of proper regulation of the digital economy, which benefits citizens instead of companies and rich billionaries.
The reason is that europeans have nothing to win from those "winner-take-all" platforms the US has built in the past decades. Europe has built zero of them.
It contributes very little to Europe's GDP or the overall being of the european. And in some cases, it eats Europe's GDP, moving economic activity back to the US. This is different than for Americans which big tech is a net-positive contributor to society in my POV, mainly because how much economic activity $ it generates.
Big techs provide huge paychecks and made a lot of people rich in the US, and most of its GDP growth in the last decade. But it's a double-edged sword.
They will make laws in favor of them in detriment of the average American, while minting more billionaries than Europe could ever dream of.
Europe will take a long time to get the digital revolution the US already did, but it'll mostly come from regulations and government initiatives. And will be net-positive for humans living in Euope, not for owners of corporations.
Oh look, the Heritage Foundation, the ones who wrote up the "Project 2025" agenda for most of the corruption and authoritarianism that has plagued America in the last year.
The very last people you should trust when it comes to "protecting the children."
To me it feels that the age verfication (adult de-anonymisation) push, at least in Europe, is coming more from the increasingly-authoritarian left as a reaction to the rise of the online right and Musk's Twitter.
(Maybe some unspoken element of concern over social media bots, too - as they evolve from spamming copy+pasted comments to being near-indistinguisable from actual human accounts?)
It would be interesting to see a similar lobbying breakdown for the EU and UK. I bet it's still Meta with other right wing actors. The left rarely has the money for this kind of lobbying scale
Heritage has been laying waste to America my whole life. They basically planned all of Reagan's legislative agenda, too, just like Project 2025 is doing today. In very real ways, they and their vision are America (a system is what it does, not what it says it does).
This truly is the best democracy money can buy. As long as money and/or favors change hands in exchange for getting favorable laws passed, it's just legalized bribery and buying off your own "democracy".
And it snowballs, the more favorable laws someone buys, the more favorable their position, and the more they can buy in the future. The transition from "democratic facade" to "outright oligarchy" will be swift and seamless.
Like, in general, a software change to add an "age class" attribute to user accounts and a syscall "what's this attribute for the current user account" would satisfy the California bill and that's a relatively minor change (the bad part is the NY bill that allegedly requires technical verification of whatever the user claimed).
The weird issue is how should that attribute be filled for the 'root' or 'www-data' user of a linux machine I have on the cloud. Or, to put aside open source for that matter, the Administrator account on a Windows Active Directory system.
Because "user accounts" don't necessarily any mapping (much less a 1-to-1 mapping) to a person; many user accounts are personal but many are not.
Zero-knowledge proofs are the way to go for this type of thing, I find it mind-boggling that the US lets itself be bamboozled into complete lack of privacy.
My stance is that if somebody is a minor, his/her/their parents/tutors/legal guardian are responsible for what they can/cannot do online, and that the mechanism to enforce that is parental control on devices.
Having said that, open-source zero-knowledge proofs are infinitely less evil (I refuse to say "better") than commercial cloud-based age monitoring baked into every OS
To be honest, I worry that the framing of this legislation and ZKP generally presents a false dichotomy, where second-option bias[1] prevails because of the draconian first option.
There's always another option: don't implement age verification laws at all.
App and website developers shouldn't be burdened with extra costly liability to make sure someone's kids don't read a curse word, parents can use the plethora of parental controls on the market if they're that worried.
[1] https://rationalwiki.org/wiki/Appeal_to_the_minority#Second-...
Why not? Physical businesses have liability if they provide age restricted items to children. As far as I know, strip clubs are liable for who enters. Selling alcohol to a child carries personal criminal liability for store clerks. Assuming society decides to restrict something from children, why should online businesses be exempt?
On who should be responsible, parents or businesses, historically the answer has been both. Parents have decision making authority. Businesses must not undermine that by providing service to minors.
These are often clear cut. They're physical controlled items. Tobacco, alcohol, guns, physical porn, and sometimes things like spray paint.
The internet is not. There are people who believe discussions about human sexuality (ie "how do I know if I'm gay?") should be age restricted. There are people who believe any discussion about the human form should be age restricted. What about discussions of other forms of government? Plenty would prefer their children not be able to learn about communism from anywhere other than the Victims of Communism Memorial Foundation.
The landscape of age restricting information is infinitely more complex than age restricting physical items. This complexity enables certain actors to censor wide swaths of information due to a provider's fear of liability.
This is closer to a law that says "if a store sells an item that is used to damage property whatsoever, they are liable", so now the store owner must fear the full can of soda could be used to break a window.
So again, assuming we have decided to restrict something (and there are clear lines online too like sites dedicated to porn, or sites that sell alcohol (which already comes with an ID check!)), why isn't liability for online providers the obvious conclusion?
App and website operators should add one static header. [1] That's it, nothing more. Site operators could do this in their sleep.
User-agents must look for said header [1] and activate parental controls if they were enabled on the device by a parent. That's it, nothing more. No signalling to a website, no leaking data, no tracking, no identifying. A junior developer could do this in their sleep.
None of this will happen of course as bribery (lobbying) is involved.
My personal stance: If a site wants me to verify anything I will not do business with them. If a government site wants this, they will keep wanting. If I run a small website I will ignore this nonsense. If they bother me the site moves to Tor.
[1] - https://news.ycombinator.com/item?id=46152074
Where do you go to vote for this option?
Recent posters here are clear that porn sites are setting every available signal that they are serving adult-only content.
According to them, you are targeting the wrong audience.
Facebook/Instagram studying how to get young users addicted should be of greater concern. I have my doubts about the effectiveness of age-based blocking there, though.
> give parents the ABILITY to advertise the users age to browsers, apps and everything in between.
Accounts and Applications to services that provide countent are set to a country-specific age rating restrictions (PG, 12+, 18+, whatever). That's it.
None of the things you mentioned have any point to concern themself with the age or age-bracket of the user in front of the device. This can and will be abused. This is very obvious. Think about it.
So on the Sony consoles I created an account for my child and guess what they have implemented some stuff to block children from adult content on some stuff.
So if Big Tech would actually want to prevent laws to be created could make it easy for a parent to setup the account for a child (most children this days have mobile stuff and consoles so they could start with those), we just need the browsers to read the age flag from the OS and put it in a header, then the websites owners can respect that flag.
I know that someone would say that some clever teen would crack their locked down windows/linux to change the flag but this is a super rare case, we should start with the 99% cases, mobile phones and consoles are already locked down so an OS API that tells the browser if this is an child account and a browser header would solve the issue, most porn websites or similar adult sites would have no reason not to respect this header , it would make their job easier then say Steam having to always popup a birth date thing when a game is mature.
Let's go back to parenting: yes, world is a scary place if you get into it unprepared.
Permission restricted registry entry (already exists) and a syscall that reads it (already exists) for windows and a file that requires sudo to edit (already exists) and a syscall to read it (already exists). Works on every distro automatically as well including android phones since they run the linux kernel anyway. Apple can figure it out and they already have appleid.
Responsibility should be on the website to not provide the content if the header is sent with an inappropriate age, and for the parent to set it up on the device, or to not provide a child a device without child-safe restrictions.
It seems very obviously simple to me, and I don't see why any of these other systems have gained steam everywhere all of a sudden (apart from a desire to enhance tracking).
Meh, I use it, but it's super annoying and I think that with my Daughter I'll take a different approach (but it will be some years before that is relevant).
On Android: The kid can easily go on Snapchat (after approval of install of course, and then you can just see their "friends") before Pokemon Go (just a pain to get working, it keeps presenting some borked version which led to a lot of confusion at first). I just lied about his age in a bunch of places at some point. Snapchat is horrible and sick from our experiences in the first week.
On Windows: It's a curated set of websites (and no FireFox) or access to everything. It's not even workable for just school. Granting kids access to our own minercraft servers: My god, I felt dirty about what the other parents had to go through to enable that.
As a parent, sure, that is my stance as well. What... what other stances are there even? How would they work?
But the implementation matters, and almost all of these bills internationally are being done in bad faith by coordinated big-money groups against technologically illiterate and reactionary populist governments.
(if we really want to get into an argument, there's what the UK calls "Gillick competence": the ability of children to seek medical treatment without the knowledge and against the will of their parents)
I would personally favour allowing parents to buy drinks for children below the current limits (18 without a meal, 16 for wine, beer and cider with a meal).
The alternative to this is empowering parents by regulating SIM cards (child safe cards already exist) and allowing parents to control internet connectivity either through the ISP or at the router - far better than regulating general purpose devices. The devices come with sensible defaults that parents can change.
Maybe a majority of people today agree with that, but I know I don't and I never hear that assumption debated directly.
TBH many parents done exactly that by giving phones/tablet already to kids in strollers
"You‘re reading about evolution! Not in my house"
Examples: most children believe in the same religion as their parents, and can visit friends and places only if/when allowed by their parents.
This is simply extending the same level of control to the internet.
Government-mandated restrictions are completely another level.
Who controls your age if you want to see an R-rated movie?
This is simply extending the same level of control to the internet.
More control for parents is a completely different level.
Does the US have a zero-knowledge proof system that is mentioned in the discussion?
> Having said that, open-source zero-knowledge proofs are infinitely less evil (I refuse to say "better") than commercial cloud-based age monitoring baked into every OS
Parent prefers more control by parents over zero-knowledge proof
I do think parental controls can be and are abused for evil, but they're still better than the alternative. Zero-knowledge proof is not an alternative, and to suggest that it is is misunderstanding the situation. These laws are proposed and funded by people who want complete surveillance of the population. Zero-knowledge proof is, therefore, explicitly contrary to the goal and will never be implemented under any circumstances. Suggesting that it can be muddies the issue and tricks people into supporting legislation that exists only to be used against them.
In a benevolent dictatorship, sure, go for a zero-knowledge proof verification as your solution. In the reality of democracy, where politicians are corporate puppets who cloak surveillance laws in "think of the children" to rally support from the masses, we need to convince people to see through the lie and reject the proposals outright while reassuring them that they can protect the children themselves via parental controls. You will never be able to sufficiently inform 50.1% of the population of any country of what zero-knowledge proof even means, let alone convince them to support age verification laws but strictly conditional on ZKP requirements. That level of nuance is far too much to ask of millions of people who are not technically-informed, and idealism needs to give way to pragmatism if we wish to avoid the worst-case scenario.
With no proof it will protect anyone from proven harm.
Why is this such a sticking point in US politics? If the "undocumented" people aren't supposed to be in the country in the first place, why should rest of society cater to them? Even if you're against age verification for other reasons, dragging in the immigration angle is just going to alienate the other half of the population who don't share your view on undocumented people, and is a great way to turn a non-partisan issue into a partisan one. It's kind of like campaigning for medicare for all, and then listing "free abortions and gender affirming surgery" as one of the arguments for it.
That said, government agencies have been doing a terrible job at keeping the private information of citizens safe. But it is nowhere nearly as bad as the US. My best childhood friend died in very questionable circumstances in 2009 in the US in very questionable circumstances. He had a US citizenship and we never really found out what had happened(to the point where we never really got any definitive proof that he had died). But that didn't stop me from trying and I was blown away by the fact that I could log into a US government website, register with a burner mail, pay 2 bucks with an anonymous gift credit/debit card and get a scanned copy of his death certificate in my email. And I didn't even have to provide his passport/id/anything. Just his name.
Point is, the US has been terrible at privacy for as long as I can remember. It is probably worse now with Facebook and Ellison holding TikTok.
I don't mean to be the average gloating US citizen, but I'm pretty sure we're the largest threat to the Earth.
The root of the problem is Russia, always has been.
Surely you meant this as hyperbole, right? If not, I would love your reasoning as to why its a bigger threat than literally anything and anyone else.
Reasoning: experience.
But they invest large amounts of money to propaganda channels everywhere, have direct military influence in large parts of Africa, are known to poison people in the UK and elsewhere, etc.
> its relative strength has only lessened over the decades Russia is not a _physical_ threat outside of its immediate proximity.
But they invest large amounts of money to propaganda channels everywhere, have direct military influence in large parts of Africa, are known to poison people in the UK and elsewhere, etc.
> Is it not?
No, and no part of your comment really seems to argue otherwise? I know about current world events. Your argument was that "experience" is a good enough reason to make a blanket statement about a country and all its people, and you doubled down on it, so it's not even like I'm constructing a strawman here or anything.
It's just wild to me how far this kind of blind hate goes. If "experience" is enough to say that a country is a bigger threat to civilization(!) than, lets say, pandemics, natural disasters, global nuclear war, etc., then there really remains no basis for any kind of healthy discussion. At that point it's just blind hatred.
I'm trying to steer the conversation to stay factual, because I usually appreciate HN for its clear communication style. Sorry for offending you and I'm sorry if I've caused you further suffering. Let's not continue this conversation.
I keep hearing this but I struggle to find any sources, beyond articles like [1] which are... not particularly good sources, even a reddit comment would be a better primary source than that.
I'm not trying to be combative, I just genuinely struggle to find primary sources, probably because I'm using the wrong keywords or something.
I understand the reasoning, but I would love to actually see/read/hear/whatever where Putin "states" this desire explicitly!
[1] https://gppreview.com/2015/02/12/putins-dream-reborn-ussr-un...
Surely I'm missing something here. Putin's 2023 "The Concept of the Foreign Policy of the Russian Federation" also does not state conquering back former USSR states. Where is it? If he states it so clearly that people keep quoting it, surely there must be a source for it? Sorry if I'm a PITA.
To be clear, I'm interested in this because this would be a fantastic argument to bring to discussions, but without having seen a source, I don't think I could.
I think Dugin's book is like that. Sure, Dugin said it, not Putin. But IIRC Putin did some things to make Dugin's book more influential. I forget the specifics - making it required reading in the Russian military academies, maybe?
There have been other statements by Russian politicians who are widely regarded as Putin's mouthpieces. Medvedev, certain key figures in the Russian parliament. I know I've seen that, though I don't recall the specifics.
So Putin maybe didn't say it. And yet, his endorsed mouthpieces (more than one) do say it.
You said "without having seen a source". Well, I didn't give you one. But if you want to look, I have given some places to start.
> making it required reading in the Russian military academies, maybe
Yeah, I think he did.
> So Putin maybe didn't say it.
That's my concern. When people make the statement that he did, when he didn't, they essentially preempt any reasonably discussion and start it off on the entirely wrong foot.
If I want to have a discussion with my neighbor about him not cleaning up his own trash, surely I would not start the discussion with "you LOVE living in trash, don't you", even if I can reasonably deduce that he does. It just turns the entire discussion hostile to make claims that aren't supported, and it weakens all subsequent arguments!
So I don't think it's the entirely wrong foot. It's a shortcut and an imprecision, but the point (that Putin actually thinks this) seems to be valid. (Though one should have less than 100% certainty that it represents his position - but with Putin, that should apply to a direct quote as well.)
once you get this you stop asking why the tech details are the way they are.
These bills also need to be opposed on a legal/political level.
Something I realized last night is that people who lie about their age to send false signals may inadvertently open themselves up to CFAA liability (a felony). So this is a serious matter for users who want to maintain anonymity.
We should also update all FOSS license terms to explicitly exclude Meta or any affilites from using any software licensed under them.
Heck, Linus Torvalds should just add an amendment to the next release of the Linux Kernel that makes it illegal to use in any jurisdiction that requires age verification laws.
This would obviously cause such a massive disruption (especially in California) that the age laws would have to be rolled back immediately.
This seems like a no-brainer to me but I am admittedly ignorant on this situation. I'm sure there's a good reason why this isn't happening if anyone cares to explain.
If it's not (fully) your code, you aren't free to set the licence conditions; Linus can't do that without getting approval from 100% (not 99% or so) of authors who contributed code.
What one can do is add an informative disclaimer saying "To the best of our knowledge, installing or running this thing in California is prohibited - we permit to do whatever you want with it, but how you'll comply with that law is your business".
A "Linux distro" is not the Linux kernel. It's possible for some distros to add such license terms to their distribution media, but others like Debian and Debian-based ones adhere to the GPL so no go.
If this was somehow introduced without anyone noticing and deployed, imagine the damage it would cause.
If we're fantasizing here, I like to imagine two major OS makers trying to comply these laws, fail miserably, and let FOSS OSes and kernels more recognition in the desktop market.
Ideally, getting these servers to auto turn off the day this goes into effect ("In compliance with this new law, Linux is now temporarily unusable. Please <call to action>.") would be glorious for getting the bill staved off, or killed.
It would hurt some productivity, but that is a risk these lawmakers taking donations are probably willing to make.
1 - https://en.wikipedia.org/wiki/Npm_left-pad_incident
Not saying I think it's a good idea to provide the year of birth to all sites, but (session ID, year of birth) is the only information they would need. The problem is proving who's behind the keyboard at the time of asking, which would require challenge-response, and is why I think this should be an online platform, not a hardware PKI gadget with keys inevitably tied to individuals.
If anything, Meta’s utility would seem to shrink if the OS handles proof of being a real person.
It also gives them more information on users as a bonus. Further, verification with a real ID is also a quite effective barrier against excessive bots.
https://www.eff.org/deeplinks/2025/12/congresss-crusade-age-...
Instead of just creating a course that explains how to child-proof a device, we have to surveil everyone.
one scary observation is that each year, less and less people care. at least, this is true among my students. plenty of them believe the 'protect the children' line and are more than willing to do whatever the government/big tech suggests. or they just shrug ("what difference would i make?").
for context, i teach at a college level, in tech. a few of my classes are from the cybersec program, one of the programs that should understand and care about the implications of bills like these, and even the majority of them do not care about this stuff anymore. they grew up with instagram and facebook and cameras everywhere. they grew up knowing that any little fuck up they have is recorded and posted online. they know that by the time they go to college, all of their data has already been leaked a few times. they never really had an expectation of privacy in the first place, so it just isnt a big deal.
as someone who interacts with this next generation of "hackers" on a daily basis... the concept of cypherpunk is gone. i got into this field because of my beliefs. they are going into this field because they want a chance at buying a house some day, and know that big tech has big bucks.
i am tired. and i recognize that this is exactly what they (lobbyists, meta, etc.) want! but i am tired and discouraged. more and more i find myself having to actively fight the urge to give up. i am not ready to give up just yet... but, i am sorry to say that as someone closer to retirement than i am comfortable admitting, i only have so much energy left.
I’d write my senator but they won’t do shit. Is there anything that can seriously be done?
Do you know how democracy works? There are these people called representatives. They are hired by you. They pass laws. They only get to continue having a job if people like you vote for them. When you tell them "I don't like the law you are passing", they are hearing "the people who hire me are angry with me". The more people that are angry at what they're doing, the more their job is at risk.
They do what the lobbyists say because somebody else is doing the work, and they get paid (by the lobbyist). But they won't have a job to get paid for if the voters don't vote for them again. So your entire defense against tyranny and bad laws is you speaking out. If you never talk to your reps (or vote), you're telling them you don't care what kind of government it is, and they really will do whatever they want.
You have to tell them how you feel, along with all the rest of us. That's the only power we have.
In addition to that, tell everyone you know. Your friends, family, coworkers, the dude running the local gas station. Explain to them why government-mandated surveillance of everything they do on a computer is a bad idea. Ask them to talk to their reps.
Ideas? Time to spin up a local LLM for some editing advice.
Its like they want to keep being seen as the bad guys.
And a serious question: with deepest respect to the author for their extraordinarily impressive time and effort in this investigation... Why was this not already flagged by political reporters or investigative journalists? I'm not American so maybe I don't understand the media structure over there but it feels like SOMEONE should have been all over this way before it's gotten to the point described in this post.
https://en.wikipedia.org/wiki/Qualified_website_authenticati...
QWAC certs are only for "high value" sites: banks, government services, etc. They can only be issued by "Qualified Trust Service Providers" (e.g. digisign, D-TRUST, etc -- not governments), and cost many hundreds of euros. Your blog and mastodon instance and 98% of businesses just aren't affected.
People operating in "high risk" sectors that need access to payment infra (porn, drugs, etc) are, as always, going to have a hard time. That's a worthy conversation, but nothing about QWAC or eIDAS is about "the government not issuing certs to people they don't like".
Secure Boot is just a technology for those that need it, until Microsoft decides it's mandatory for everyone.
No offline devices. Commercial vendors get your biometric data (and the equivalent of your driver's license / SSN). Every application on the OS can query your data.
If you think it stops with one bill, after they get all the infrastructure for this in place? You're fooling yourself. The whole point of this is to identify you, on every web page you visit, every app you open, on every device you own. Once bills are passed, it's very hard to get them revoked or nullified.
This is the most aggregious, authoritarian, Big Brother government surveillance system ever devised, and it's already law. I am fucking terrified.
(Yes, the EU has a less horrifying version of this. But Google, Apple, and Microsoft still control most of the devices in the world, and they are US companies.)
Because it's hopeless? It's been proven time and time again there's nothing the average person can do to fight this sort of thing.
It's just better to sit back and watch as everything gets ruined.
$70 million is chump change for Meta, yet is far more money than I’ll ever have and does so much to influence state legislation.
https://news.ycombinator.com/item?id=47361235
https://github.com/upper-up/meta-lobbying-and-other-findings...
I don't see it as coincidence that with all these laws passing, suddenly he announces a secure, "controlled", "locked down" version of systemd. Why, RedHat and Ubuntu can simply drop in this new variant, pay a small fee, and be done with compliance.
Corporations literally buy the laws they want and Silicon Valley is the newest lobbying monster. Genuinely terrifying.
The reason is that europeans have nothing to win from those "winner-take-all" platforms the US has built in the past decades. Europe has built zero of them.
It contributes very little to Europe's GDP or the overall being of the european. And in some cases, it eats Europe's GDP, moving economic activity back to the US. This is different than for Americans which big tech is a net-positive contributor to society in my POV, mainly because how much economic activity $ it generates.
Big techs provide huge paychecks and made a lot of people rich in the US, and most of its GDP growth in the last decade. But it's a double-edged sword.
They will make laws in favor of them in detriment of the average American, while minting more billionaries than Europe could ever dream of.
Europe will take a long time to get the digital revolution the US already did, but it'll mostly come from regulations and government initiatives. And will be net-positive for humans living in Euope, not for owners of corporations.
The very last people you should trust when it comes to "protecting the children."
(Maybe some unspoken element of concern over social media bots, too - as they evolve from spamming copy+pasted comments to being near-indistinguisable from actual human accounts?)
I want to open my wallet. It should be the top comment.
And it snowballs, the more favorable laws someone buys, the more favorable their position, and the more they can buy in the future. The transition from "democratic facade" to "outright oligarchy" will be swift and seamless.