Several US states, the country of Brazil, and I’m sure other places in the world have enacted or are planning to enact laws that would place the burden of age verification of users on the shoulders of operating system makers. The legal landscape is quite fragmented at this point, and there’s no way to tell which way these laws will go, with tons of uncertainties around to whom these laws would apply, if it targets accounts for application store access or the operating system as a whole, what constitutes an operating system in the first place, and many more. Still, these laws are already forcing major players like Apple to implement sharing self-reported age brackets with application developers (at least in iOS), so there’s definitely something happening here.
In recent weeks, the open source world has also been confronted with the first consequences of these laws, as both systemd and xdg-desktop-portal have responded to operating system-level age verification laws in, among other places, California and Colorado, by adding birthDate to userdb (on systemd’s side) and developing an age verification portal (on xdg-desktop-portal’s side) for use by Flatpaks. The age verification portal would then use the value set in usrdb’s birthDate as its data source. The value in birthDate would only be modifiable by an administrator, but can be read by users, applications, and so on.
Crucially, this field is entirely optional, and distributions, desktop environments, and users are under zero obligation to use it or to enter a truthful value. In fact, contrary to countless news items and comments about these additions, nothing about this even remotely constitutes as “age verification”, as nothing – not the government, not the distribution or desktop environments, not the user – has to or even can verify anything. If these changes make it to your distribution, you don’t have to suddenly show your government ID, scan your face, or link your computer to some government-run verification service, or even enter anything anywhere in the first place.
Furthermore, while the xdg-desktop-portal’s proposals are still fluid and subject to change, consensus seems to be to only share age brackets with applications, instead of full birth dates or specific ages – assuming anything has even been entered in the birthDate field in the first place. Even if your Linux distribution and/or desktop environment implements everything needed to support these changes and expose them to you in a nice user interface, everything about it is optional and under your full control. The field is of the same type as the existing fields emailAddress, realName, and location, which are similarly entirely optional and can be left empty if desired.
Taken in isolation, then, as it currently stands, there’s really not much meat to these changes at all. The primary reason to implement these changes is to minimally comply with the new laws in California, Colorado, Brazil, and other places, and it’s understandable why the people involved would want to do so. If they do not, they could face lawsuits, fines, or worse, and I don’t know about you, but I wouldn’t want to be on the receiving end of the western world’s most incompetent justice system. Aside from that, these changes make it possible to build robust parental controls, which isn’t mentioned in the original commits to systemd, but is clearly the main focal point of xdg-desktop-portal’s proposal.
This all seems well and good, but given today’s political climate in the United States, as well as the course of history, that “as it currently stands” is doing a lot of heavy lifting. Rightfully so, a lot of people are worried about where this could lead. Sure, today these are just inconsequential, optional changes in response to what seems to be misguided legislation, but what happens once these laws are tightened, become more demanding, and start requiring a lot more than just a self-reported age bracket?
In Texas, for instance, H.B. 1131 requires any commercial entity, including websites, that contains more than one-third “sexual material harmful to minors” to implement age verification tools using things like government-issued IDs or bank transaction data to verify visitors’ ages before allowing them in. The UK has a similar law on the books, too. It’s not difficult to imagine how some other law will eventually shift this much stricter, actual age verification from websites and applications into operating systems instead. What will systemd’s and xdg-desktop-portal’s developers do, then? Will they comply as readily then as they do now?
This is a genuine worry, especially if you already belong to a group targeted by the current US administration, or were face-scanned by ICE at a protest. Large groups of especially religious extremists consider anything that’s LGBTQ+ to be “sexual material harmful to minors”, even if it’s just something normal like a gay character in a TV show. It’s not hard to imagine how age verification laws, especially if they force age verification at the operating system level, can become weaponised to target the LGBTQ+ community, other minorities, and people protesting the Trump regime.
You may think this won’t affect you, since you’re using an open source operating system like desktop Linux or one of the BSDs, and surely they are principled enough to ignore such dangerous laws and simply not comply at all, right? Sadly, here’s where the idealism and principles of the open source world are going to meet the harsh boot of reality; while open source software has a picturesque image of talented youngsters hacking away in their bedrooms, the reality is that most of the popular open source operating systems are actually hugely complex operations that require a ton of funding, and that funding is often managed by foundations. And guess where most popular Linux distributions’ and BSD variants’ foundations are located?
Developers from all over the world may contribute to Debian, but all of its financials and trademarks are managed by Software in the Public Interest, domiciled in New York State. Fedora is part of Red Hat, owned by IBM, and we all know IBM. Arch Linux’ donations are also managed by Software in the Public Interest. The Gentoo Foundation is domiciled in New Mexico. The FreeBSD Foundation is domiciled in Boulder, Colorado. The NetBSD Foundation is domiciled in Delaware. Ubuntu is a Canonical product, a company headquartered in London, UK, a country with strict age verification laws for websites and applications. Hell, even Haiku, Inc. is domiciled in New York State. I could go on, but you get the gist: all of these projects manage their donations, financials, trademarks, and related issues in the United States (or the UK for Ubuntu).
It’s relatively easy for these projects to take a principled stance against the relatively limited age verification laws that exist today, but what about if and when these laws are expanded to infiltrate the very operating systems we use? It’s easy to resist the boot when it’s pressing down on some porn website or a sex worker’s OnlyFans page, but once that same boot is pressing down on your own throat? That’s a whole different story. Will Debian, FreeBSD, or Fedora still stand their ground when the organisations managing their donations, finances, and trademarks become the target of lawsuits or the US justice system, because they refuse to implement age verification?
I sincerely doubt it.
And this is why I am of two minds about this issue. On the one hand, I fully understand that the various developers involved with these efforts want to make sure they follow the law and avoid getting fined – or worse – especially since compliance requires so little at this time. On top of that, these changes make it possible to implement a fairly robust set of parental controls in a centralised way, keeping the data involved where it makes sense, so it also brings a number of benefits for users. There really isn’t anything to worry about when looking at these changes in isolation.
On the other hand, though, I also understand the fears and worries from people who see these changes as the first capitulation to age verification, nicely making the bed for much stricter age verification laws I’m sure certain parts of the political compass are already dreaming about. With so many Linux distributions, BSD variants, and even alternative operating systems having their legal domiciles in the United States, it’s not unreasonable to assume they’re going to fold under any possible legal pressure that comes with such laws.
I’m not rushing to replace my Fedora KDE installations with something else at this point, but I’m definitely going to explore my options on at least one of my machines and go from there, so I at least won’t be caught with my pants down in the future. The world isn’t ending, age verification hasn’t come to Linux, but we’d all do well to remain skeptical and prepare for when it does make its way into our open source operating systems.
Ignoring the technical issues, I think this is inevitable in the current global environment, secular egalitarianism is being crushed by radical agendas on both the left and right. The people in power are more interested in income than equality. Radicals and fundamentalists on either extreme have the very same agenda, left or right, they want to control thought. East or West, Christian, Buddhist or Muslim, it makes no difference, the technical argument and the opposition by techno-savvy individuals won’t really help. They are a drop in the ocean.
The vast bulk of the public buy computers at a big box store, they won’t have a legitimate choice.
Whats a radical left agenda that applies here? No seriously, whats an agenda the radical left is putting forward to crush secular egalitariansim in either the IT field or in general?
Both the left and right want restrictions on free speech, both sides block debate, debates that would normally define an egalitarian society. How that plays out varies greatly ranging from passive aggressive to open abuse, on issues such as hate seech, diversity, gender, religion, racism, etc., etc.. Neither the left or right are above guilt. The first step to fixing a problem is admitting it’s existence.
You’ll have to provide an example on how the radical left is pushing for age verification in Linux, otherwise it sounds just like general whataboutism that always come up when someone is critisizing the drift towards autocracy.
Brazil under Lula has passed a law that mandates age verification on all operating systems including Linux. A lot of governments around the world, both left-wing and right-wing are pushing for age verification with the goal of tracking all electronic communications in preparation for the rollout of Central Bank Digital Currencies that can be used to de-bank anyone who says something they don’t like
That’s a generalized answer to a very specific question. Your response is meaningless. I’ll ask too: What radical left agenda is at play in the age verification issue? Please be specific, because shouting “both sides!” is a commonly used tool of the far-right MAGA/Nazi crowd to try to distract from their fascist positions and actions.
That is a very biased answer to a very biased question.
Can’t you just open your eyes ? what is the dominant political party of Brazil, Colorado and California, which have adopted the age verification law so far ? is it the right ?
oh and “Your response is meaningless/far-right/Nazi/fascist” is a commonly used tool of the far-left crowd to try to distract from their radical and intolerant positions and actions.
I accept the information provided by @Magnusmaster, because I do not personally know if the current Brazilian government is left or right leaning, but I do know of other left leaning governments are also introducing age verification. So it’s obviously incompatible to somehow assert age verification is a right leaning policy, when it’s being implemented by left leaning authorities. But in fairness,
The origins of fascism are in socialist movements, not the political right, movements that were historically hijacked by radicals / extremists who themselves may have been right leaning, just as current moderate left or right are now being hijacked on this issue.
It’s easy and human to confuse the motivation with the mechanism, the problem is ultimately extremism and not necessarily or specifically left or right.
For this can of worms we can thank corporations, entities that obfuscate and diminish social responsibility in favour of profit.
I have always been surprised that you chose Fedora over OpenSUSE.
OpenSUSE Tumbleweed is an excellent Plasma-based rolling release which is governed by a European company. I have used SuSE distros for decades, and while I have tried others (sometimes for years) I always return to SUSE for its solidity and sensible configuration.
Except SuSE is up for sale again[1], and at its current valuation there are only a handful of US and Chinese companies with the money to buy it. I’m not sure which would be worse; a US company would of course force it to comply with the subject of Thom’s article, and a Chinese company big enough to buy it is sure to be controlled by the Chinese government, well known for its heavy handed censorship and desire to use technology to spy on and otherwise oppress its citizens.
[1] https://itsfoss.com/news/suse-for-sale-again/
Oh, no! I’d missed that. The list of potential buyers in the linked article does make a depressing read.
There aren’t many distros that aren’t US/UK controlled in some way. Would be great if someone could fork Debian, but I guess that’s too big a job.
There’s Devuan, a fork of Debian without systemd. It’s a part of Dyne.org which is based in The Netherlands, but being a Debian fork most of its software is still a part of Debian, and its developers, like Debian’s, come from all over the world. As I understand it, despite being a fork it is still dependent on upstream — much like Ubuntu, MX Linux, and other Debian derivatives — so it may not be what you’re looking for.
My personal favorite Linux distro is Void. It originated in Spain but like Devuan, is a worldwide project. It eschews systemd for purely practical reasons: The Void team maintains a musl variant that is not compatible with systemd, so for simplicity’s sake both the glibc and musl versions share the same init and system supervisor (runit). Years and years of distro-hopping on my part and I always come back to Void; it’s simple, powerful, fast as hell, like a well tuned race car that still has great road manners.
Getting outside of the Linux sphere, there’s OpenBSD. It’s based in Canada, extremely well documented, super simple to learn to use yet extremely flexible and powerful when you want to do more than run a simple server or workstation. The only downside is that it’s not as performant as Linux or the other BSDs; on powerful enough hardware it’s not a big deal and there are tweaks that can be done at the expense of lessened security, but it’s a solid choice and is always in my back pocket if things ever go south with Void.
Cheers! I’m checking out Void right now. As ever, there are use cases that ultimately call the shots…
I wonder why people are talking about these changes as if all these “age verifications” even matter.
The endgame is so transparent it’s not even funny: the goal is not to “protect minors” but to ensure that there are no anonymity on the Internet. It’s clear that social networks, messengers and other tools that US used to instigate “color revolutions” no longer work reliably, and, in fact, other countries have learned to use these same tools to destabilize US.
That means that time when anonymous access was useful have come to an end and it would be eliminated.
What exactly would be used as pretext is entirely unimportant, but “protect the kids” is probably hardest slogan to resist, thus it’s used here.
But it was never about protection of kids, it’s, quite obviously, about government’s ability to find physical person behind every single message that you read on the internet.
zde,
It is all transparent, and they are basically bragging at this point.
The “compelled speech”, forcing Linux developers into writing code they don’t want to include is blatantly unconstitutional. But they have enough people that could be lulled with “for the children”, they don’t fear any repercussions.
Remember, compelled speech is one of the essential tenants for fascism. And let’s call this what it is.
I’m imagining a time when ID info is mandated into every OS and is required to access your bank account, or government websites. Such a thing could become a default part of the internet landscape. I have nothing to hide, but government surveillance is incredibly dangerous, as people in the US are presently discovering .
They wouldn’t add ID info to the OS if they just wanted it for banks and government websites. They want it so your ID is stored next to every social media post, every chat message and every IP packet you send in their government database so if you do anything they don’t like they can deduct Social Credit points and maybe just ban your Central Bank Digital Currency wallet so you will never be able to purchase anything ever again, starve to death and then the government can just seize all your stuff.
It’s pretty obvious by now there’s a radical push to completely de-anonymise the internet. It appears to be headed by multinational corporations and pro-world government/globalist groups. How much is planned vs group think we might never really know. The end result is this ever creeping surveillance into our digital lives. We need to be pushing harder for anonymous internet access. It’s like speech. Without anonymous speech you don’t have free speech. Without anonymous voting your vote is controlled. The same applies to our digital lives, without privacy/security our digital lives will be controlled/censored and it will be at the expense of the masses for the enrichment of the few.
Darkmage,
Let me pour gasoline to the fire:
https://www.yahoo.com/news/articles/reddit-user-uncovers-behind-meta-154717384.html
I wonder if simply being managed (to an extent) by SPI isn’t such a great risk. A small non-profit organisation. If it were to come under pressure from US legislators, and thus affecting Debian or ffmpeg, it would be reasonably simple to establish a new entity elsewhere in the world.
This is one of the better articles I have seen on this issue. I heard my Linux distro of choice is doing nothing right now and has no plans to do anything. They believe these laws will eventually be struck down by the US supreme court. To be honest, I think they will be upheld and eventually be replaced by a Federal Law 🙁
OpenBSD is in Canada, and anyone who who has ever used OpenBSD can pretty much guess what there response will be, if they even bother to comment 🙂
If these laws become a real thing, I believe long time Linux users will move to OpenBSD or a distro outside of the US. But as for others, like how people let meta, microsoft, twitter walk all over their rights, they will probably submit.
I expect all the crackers are celebrating these laws, they get to harvest nice easy to find personal information.
Age verification is totally exaggerated as Thom says, i upgraded to ios 26.4 on my ipad air 4 over the weekend, ignored the verification prompt on first boot and can confirm that nothing has changed at all, no restrctions, no usablity issues, no web sites blocked, no search results filtered and the ipad is on a vpn 100% of time, it is a smoke screen that can be ignored.
Garakei,
Do you actually reside in any of the affected regions?
https://techcrunch.com/2026/02/24/apple-rolls-out-age-verification-tools-worldwide-to-comply-with-growing-web-of-child-safety-laws/
Assuming apple uses the same mechanism as other geofenced IOS features (like the EU government mandating users have a right to use alternative app stores), then a VPN may not be enough…
https://www.techradar.com/computing/software/no-third-party-iphone-app-stores-wont-work-outside-europe-even-with-a-vpn
Of course nothing is ever totally foolproof and people have been able to trick apple location services.
https://downrightnifty.me/blog/2025/02/27/eu-features-outside.html
Age verification could get stricter as more laws come into effect and the lawsuits fly.
Yep I am in the UK and received the age verification request after installing iOS 26.4 on my iPad Air (clicked on the setup later button), no issues so far.
Garakei,
Is anything meant to be blocked in the UK? It wasn’t mentioned in the article.
I am curious what the process looks like for installing an age verified application, but my point was that people living outside a covered jurisdiction may not experience the restrictions.