Several US states, the country of Brazil, and I’m sure other places in the world have enacted or are planning to enact laws that would place the burden of age verification of users on the shoulders of operating system makers. The legal landscape is quite fragmented at this point, and there’s no way to tell which way these laws will go, with tons of uncertainties around to whom these laws would apply, whether they target accounts for application store access or the operating system as a whole, what constitutes an operating system in the first place, and many more. Still, these laws are already forcing major players like Apple to implement sharing self-reported age brackets with application developers (at least in iOS), so there’s definitely something happening here.
In recent weeks, the open source world has also been confronted with the first consequences of these laws, as both systemd and xdg-desktop-portal have responded to operating system-level age verification laws in, among other places, California and Colorado, by adding birthDate to userdb (on systemd’s side) and developing an age verification portal (on xdg-desktop-portal’s side) for use by Flatpaks. The age verification portal would then use the value set in userdb’s birthDate as its data source. The value in birthDate would only be modifiable by an administrator, but can be read by users, applications, and so on.
Crucially, this field is entirely optional, and distributions, desktop environments, and users are under zero obligation to use it or to enter a truthful value. In fact, contrary to countless news items and comments about these additions, nothing about this even remotely constitutes “age verification”, as nothing – not the government, not the distribution or desktop environments, not the user – has to or even can verify anything. If these changes make it to your distribution, you don’t have to suddenly show your government ID, scan your face, or link your computer to some government-run verification service, or even enter anything anywhere in the first place.
Furthermore, while the xdg-desktop-portal’s proposals are still fluid and subject to change, consensus seems to be to only share age brackets with applications, instead of full birth dates or specific ages – assuming anything has even been entered in the birthDate field in the first place. Even if your Linux distribution and/or desktop environment implements everything needed to support these changes and expose them to you in a nice user interface, everything about it is optional and under your full control. The field is of the same type as the existing fields emailAddress, realName, and location, which are similarly entirely optional and can be left empty if desired.
Taken in isolation, then, as it currently stands, there’s really not much meat to these changes at all. The primary reason to implement these changes is to minimally comply with the new laws in California, Colorado, Brazil, and other places, and it’s understandable why the people involved would want to do so. If they do not, they could face lawsuits, fines, or worse, and I don’t know about you, but I wouldn’t want to be on the receiving end of the western world’s most incompetent justice system. Aside from that, these changes make it possible to build robust parental controls, which isn’t mentioned in the original commits to systemd, but is clearly the main focal point of xdg-desktop-portal’s proposal.
This all seems well and good, but given today’s political climate in the United States, as well as the course of history, that “as it currently stands” is doing a lot of heavy lifting. Rightfully so, a lot of people are worried about where this could lead. Sure, today these are just inconsequential, optional changes in response to what seems to be misguided legislation, but what happens once these laws are tightened, become more demanding, and start requiring a lot more than just a self-reported age bracket?
In Texas, for instance, H.B. 1131 requires any commercial entity, including websites, that contains more than one-third “sexual material harmful to minors” to implement age verification tools using things like government-issued IDs or bank transaction data to verify visitors’ ages before allowing them in. The UK has a similar law on the books, too. It’s not difficult to imagine how some other law will eventually shift this much stricter, actual age verification from websites and applications into operating systems instead. What will systemd’s and xdg-desktop-portal’s developers do, then? Will they comply as readily then as they do now?
This is a genuine worry, especially if you already belong to a group targeted by the current US administration, or were face-scanned by ICE at a protest. Large groups of especially religious extremists consider anything that’s LGBTQ+ to be “sexual material harmful to minors”, even if it’s just something normal like a gay character in a TV show. It’s not hard to imagine how age verification laws, especially if they force age verification at the operating system level, can become weaponised to target the LGBTQ+ community, other minorities, and people protesting the Trump regime.
You may think this won’t affect you, since you’re using an open source operating system like desktop Linux or one of the BSDs, and surely they are principled enough to ignore such dangerous laws and simply not comply at all, right? Sadly, here’s where the idealism and principles of the open source world are going to meet the harsh boot of reality; while open source software has a picturesque image of talented youngsters hacking away in their bedrooms, the reality is that most of the popular open source operating systems are actually hugely complex operations that require a ton of funding, and that funding is often managed by foundations. And guess where most popular Linux distributions’ and BSD variants’ foundations are located?
Developers from all over the world may contribute to Debian, but all of its financials and trademarks are managed by Software in the Public Interest, domiciled in New York State. Fedora is part of Red Hat, owned by IBM, and we all know IBM. Arch Linux’ donations are also managed by Software in the Public Interest. The Gentoo Foundation is domiciled in New Mexico. The FreeBSD Foundation is domiciled in Boulder, Colorado. The NetBSD Foundation is domiciled in Delaware. Ubuntu is a Canonical product, a company headquartered in London, UK, a country with strict age verification laws for websites and applications. Hell, even Haiku, Inc. is domiciled in New York State. I could go on, but you get the gist: all of these projects manage their donations, financials, trademarks, and related issues in the United States (or the UK for Ubuntu).
It’s relatively easy for these projects to take a principled stance against the relatively limited age verification laws that exist today, but what about if and when these laws are expanded to infiltrate the very operating systems we use? It’s easy to resist the boot when it’s pressing down on some porn website or a sex worker’s OnlyFans page, but once that same boot is pressing down on your own throat? That’s a whole different story. Will Debian, FreeBSD, or Fedora still stand their ground when the organisations managing their donations, finances, and trademarks become the target of lawsuits or the US justice system, because they refuse to implement age verification?
I sincerely doubt it.
And this is why I am of two minds about this issue. On the one hand, I fully understand that the various developers involved with these efforts want to make sure they follow the law and avoid getting fined – or worse – especially since compliance requires so little at this time. On top of that, these changes make it possible to implement a fairly robust set of parental controls in a centralised way, keeping the data involved where it makes sense, so it also brings a number of benefits for users. There really isn’t anything to worry about when looking at these changes in isolation.
On the other hand, though, I also understand the fears and worries from people who see these changes as the first capitulation to age verification, nicely making the bed for much stricter age verification laws I’m sure certain parts of the political compass are already dreaming about. With so many Linux distributions, BSD variants, and even alternative operating systems having their legal domiciles in the United States, it’s not unreasonable to assume they’re going to fold under any possible legal pressure that comes with such laws.
I’m not rushing to replace my Fedora KDE installations with something else at this point, but I’m definitely going to explore my options on at least one of my machines and go from there, so I at least won’t be caught with my pants down in the future. The world isn’t ending, age verification hasn’t come to Linux, but we’d all do well to remain skeptical and prepare for when it does make its way into our open source operating systems.

Ignoring the technical issues, I think this is inevitable in the current global environment, secular egalitarianism is being crushed by radical agendas on both the left and right. The people in power are more interested in income than equality. Radicals and fundamentalists on either extreme have the very same agenda, left or right, they want to control thought. East or West, Christian, Buddhist or Muslim, it makes no difference, the technical argument and the opposition by techno-savvy individuals won’t really help. They are a drop in the ocean.
The vast bulk of the public buy computers at a big box store, they won’t have a legitimate choice.
I have always been surprised that you chose Fedora over OpenSUSE.
OpenSUSE Tumbleweed is an excellent Plasma-based rolling release which is governed by a European company. I have used SuSE distros for decades, and while I have tried others (sometimes for years) I always return to SUSE for its solidity and sensible configuration.
Except SuSE is up for sale again[1], and at its current valuation there are only a handful of US and Chinese companies with the money to buy it. I’m not sure which would be worse; a US company would of course force it to comply with the subject of Thom’s article, and a Chinese company big enough to buy it is sure to be controlled by the Chinese government, well known for its heavy handed censorship and desire to use technology to spy on and otherwise oppress its citizens.
[1] https://itsfoss.com/news/suse-for-sale-again/
There aren’t many distros that aren’t US/UK controlled in some way. Would be great if someone could fork Debian, but I guess that’s too big a job.
There’s Devuan, a fork of Debian without systemd. It’s a part of Dyne.org which is based in The Netherlands, but being a Debian fork most of its software is still a part of Debian, and its developers, like Debian’s, come from all over the world. As I understand it, despite being a fork it is still dependent on upstream — much like Ubuntu, MX Linux, and other Debian derivatives — so it may not be what you’re looking for.
My personal favorite Linux distro is Void. It originated in Spain but like Devuan, is a worldwide project. It eschews systemd for purely practical reasons: The Void team maintains a musl variant that is not compatible with systemd, so for simplicity’s sake both the glibc and musl versions share the same init and system supervisor (runit). Years and years of distro-hopping on my part and I always come back to Void; it’s simple, powerful, fast as hell, like a well tuned race car that still has great road manners.
Getting outside of the Linux sphere, there’s OpenBSD. It’s based in Canada, extremely well documented, super simple to learn to use yet extremely flexible and powerful when you want to do more than run a simple server or workstation. The only downside is that it’s not as performant as Linux or the other BSDs; on powerful enough hardware it’s not a big deal and there are tweaks that can be done at the expense of lessened security, but it’s a solid choice and is always in my back pocket if things ever go south with Void.
Cheers! I’m checking out Void right now. As ever, there are use cases that ultimately call the shots…
I wonder why people are talking about these changes as if all these “age verifications” even matter.
The endgame is so transparent it’s not even funny: the goal is not to “protect minors” but to ensure that there is no anonymity on the Internet. It’s clear that social networks, messengers and other tools that the US used to instigate “color revolutions” no longer work reliably, and, in fact, other countries have learned to use these same tools to destabilize the US.
That means that the time when anonymous access was useful has come to an end and it would be eliminated.
What exactly would be used as a pretext is entirely unimportant, but “protect the kids” is probably the hardest slogan to resist, thus it’s used here.
But it was never about protection of kids, it’s, quite obviously, about the government’s ability to find the physical person behind every single message that you read on the internet.
zde,
It is all transparent, and they are basically bragging at this point.
The “compelled speech”, forcing Linux developers into writing code they don’t want to include is blatantly unconstitutional. But they have enough people that could be lulled with “for the children”, they don’t fear any repercussions.
Remember, compelled speech is one of the essential tenets of fascism. And let’s call this what it is.
I’m imagining a time when ID info is mandated into every OS and is required to access your bank account, or government websites. Such a thing could become a default part of the internet landscape. I have nothing to hide, but government surveillance is incredibly dangerous, as people in the US are presently discovering.