Compliance with U.S. age verification laws

Discussion for recent laws requiring operating system vendors (including Linux distros) in states like California and Colorado to ask for the user’s age on account creation, and then provide an age range to any app that asks for it (California introduces age verification law for all operating systems, including Linux and SteamOS — user age verified during OS account setup | Tom's Hardware).

I personally never want to see BS like this in NixOS. I’d rather someone open a PR adding a message to the documentation saying “NixOS is not intended for use in the states of California, Colorado, …” Or is NixOS going to add a mandatory field to users.users.<name> for specifying this and break everyone’s configurations? Is anyone who has a public fork of nixpkgs prior to such an implementation now liable as an operating system vendor?

I think it would be foolish not to assume that this is just the first step to requiring photo ID verification implementation in all operating systems.

The NixOS Foundation is registered in the Netherlands as a non-profit. I say the community does not change anything at all, as it is completely out of the jurisdiction of a province of another country to dictate impossible and unenforceable fiat like this.

Knowing that the foundation is in the Netherlands makes me feel quite a bit better, thank you! I would still worry about nixpkgs forks on GitHub though, as this can make anyone an OS vendor. I wouldn’t trust vagueness in the state laws on these matters to be for the benefit of such people.

I doubt NixOS will add anything. At least not until there is some agreed upon interface for the data exchange.

Maybe Linux itself will eventually want to see a DoB in the passwd file for any user UID >= 1000? Then we will have to act.

Though currently I think, it’s easier for the entirety of Linux to just miss out on 2 or 3 states worth of users, rather than to develop a system that a majority of users would patch out anyway.

My bet is that we will package whatever libagebracket becomes required dependency of Chromium for that purpose. I think self-reporting no-liability-for-end-user schemes won’t get much pushback for $US_CA_AGE_BRACKET or something like that becoming a standard.

In this case I’d let Red Hat and similar ones to take point. And then if those do something which would be meaningful in NixOS, let’s consider it. Similarly, if they do not feel like anything is needed, I very much doubt that it makes sense for NixOS to try doing something.

I mean, in practice most Linux deployments where this could apply won’t have an entity that can be prosecuted anyway. Nobody is going to run around suing people who deploy Linux to their home PCs.

This will only affect vendors who sell Linux-based devices, for whom adding some kind of age flag to their user creation sufficiently that law makers don’t complain is likely a trivial addition. Say, e.g. Valve’s steamdeck, just implement it as part of the steam client (in fact, it’s already in there), or android.

A standard for this may eventually appear, but I doubt even then that NixOS would have to explicitly do anything.

For reference, System76 has already begrudgingly committed to implementing this in Pop!_OS (System76 Responds to Laws Requiring Age Verification at the OS Level - Operating Systems & Open Source - Level1Techs Forums). This makes a little more sense though, since they sell hardware with Linux installed and can’t just stop selling to California without taking a hit.

Just to get my opinion out, because these things have been bugging me for a long time in any OS (mostly mobile stuff like Android tho): make this interactive wherever possible^[1].
Back when I used Android and installed an app that wanted internet access all I could do is either allow it, or not install it. Why not give me the option to install it but not allow it? For internet access I think this is the case for a lot of things. In this case I would want to see an alternative implementation of such a library which I can crowbar in there and replace the mechanism so instead of asking my OS, it just shows a popup, console prompt, etc. (depending on what’s available) and ask me in which of the four age brackets I want the app to think I fall. I mean.… this’d ultimately be appreciated by devs to test these mechanisms anyway.

1. Note that I am specifically talking about when/if this happens. On a wider societal (and political) level it would be great if we could shift from gatekeeping to education as a first line of defence. ↩︎

I would be surprised if this law actually gets enforced at all. Operating systems aren’t just for desktop or server use. They’re also embedded firmware on industrial machines. This legislation is like trying to enforce an encryption backdoor on Ethernet. It doesn’t make sense.

Today I learned that some BSD variant already stated in their license that beginning with '27, Desktop use of their system is forbidden for California’s residents:

https://www.midnightbsd.org/download

10000612011080×1320 170 KB

Generally speaking I think malicious compliance tends to be a good strategy, if that’s what the state of California wants than I think that they should have it good and hard.

Maybe we can create an implementation that integrates with smtpd and ships with a csv containing the email addresses of all the lawmakers who passed the bill. Then we could send helpful notification emails to them any time anyone verifies their age, thus keeping them informed of the verifications taking place and compliance with their law.

I imagine this could be a:

nixpkgs.governmentBootlicker = true;

There’s no enforceable reason to follow what california wants.

I sense a new idea for an Agenix April Fools joke “new feature”

I was curious at what the actual legislation says so thought I’d post some relevant snippets that I found interesting and some of my own thoughts as someone who contribute[s,d] to NixOS.

Here are the links:

Colorado legislation: SB26-051 Age Attestation on Computing Devices

California legislation: AB-1043 Age verification signals: software applications and online services

The Colorado legislation is mostly the same as CA from what I’ve read so I’m just going to highlight the points for CA.

“Operating system provider” means a person or entity that develops, licenses, or controls the operating system software on a computer, mobile device, or any other general purpose computing device.

So, I think anyone who forks nixpkgs could potentially fall under the category of “operating system developer”. Clearly this bill did not have open source operating systems/development pipelines in mind. As implied by other users in this thread, I suspect the only real point of enforcement will be hardware vendors and their out-of-the-box operating systems.

“Covered application store” means a publicly available internet website, software application, online service, or platform that distributes and facilitates the download of applications

So, in my view, nixpkgs probably falls into this “covered application store” category – but again, anyone can fork it, modify it, etc. – there’s no reasonable way to enforce this as literally anybody could fork nixpkgs, redistribute, modify, etc.

Ages they care about:

(1) Whether a user is under 13 years of age.

(2) Whether the user is at least 13 years of age and under 16 years of age.

(3) Whether the user is at least 16 years of age and under 18 years of age.

(4) Whether the user is at least 18 years of age.

These are my summaries of the assertions they make for operating system providers:

1. Provide a way for a user to indicate their age bracket in the operating system
2. Provide a way for a developer to consume the age of the user (see above for the ages)
3. The operating system/app store must enforce restrictions around apps and age limits (I’m assuming not allowing users to install apps that are not appropriate relative to their age)

They have a list of constraints for developers of applications but I don’t think they’re very relevant to NixOS so feel free to read those if that is interesting to you.

People – I’m guessing operating system developers – in violation of the title shall be subject to a fine:

not more than two thousand five hundred dollars ($2,500) per affected child for each negligent violation or not more than seven thousand five hundred dollars ($7,500) per affected child for each intentional violation

Due date in CA:

This title shall become operative on January 1, 2027.

I suspect that significant applications like Chrome will be updated with standards around consuming this data and present it to web applications, if there isn’t already work around this.

Regarding the point on System76, I also wanted to add that System76 is based in Colorado and probably must comply to keep persisting.

Note: As a US citizen, self-identifying Linux and privacy enthusiast, and a human being I am very against all of this and also don’t want to see this in my preferred operating system but wanted to be educated on the bill

The operating system/app store must enforce restrictions around apps and age limits (I’m assuming not allowing users to install apps that are not appropriate relative to their age)

sounds kinda impure to me

If the solution to this as bad as for unfree applications, I’m out.

I mean, it’d be pretty easy for nixpkgs, just block eval like we do for unfree applications, add an allowNsfwSoftware option. Adding the metadata for it might be a pain at this point, but it wouldn’t cause any other issues.

I honestly think that aspect would be ok even today, seems handy to prevent accidentally installing stuff I don’t want on a work device.

In theory, they ask that a legal guardian (account holder in the CA law) should be able to control the reported age bracket of the user. But indeed, not clear how effective they expect the measures against account modification by the user (without asking account holder) to be.

unfree in nixpkgs is not pretty easy. The answer to how to enable unfree applications is always “it depends”, and in some cases it’s “you can’t”.

see for example: https://stackoverflow.com/questions/77585228/how-to-allow-unfree-packages-in-nix-for-each-situation-nixos-nix-nix-wit