Age verification isn’t sage verification inside OSes • The Register
Opinion There are two ways to look at the California Assembly Bill 1043, known as The Digital Age Assurance Act or DAAA. One is to say it is a 2025 law requiring operating systems and app stores to implement age verification during account setup to protect minors online. The other is to note that the law is all the worst things a law can be.
It is vague, using terms that allude but do not define. It sets specific and punitive fines for non-compliance, without specifying what non-compliance looks like. It will have a chilling effect on innovation by creating a foggily fearsome landscape of liability. It does not fix that which it claims to be fixable, and it breaks that which ought not to be broken. In the words of the General Confession in the Anglican Book of Common Prayer: there is no health in it.
It is incoherent and tautologous. It talks of “digital signals” between OS, application stores, and apps. This excludes, one surmises, all those analog signals that developers would be tempted to use. Yodeling, perhaps, or interpretive dance. It talks of “age verification” without verification. It applies to users “on a computer, a mobile device, or any other general purpose computing device that can access a covered application store or download an application.” We can run Doom on smart toothbrushes. Everything is a general purpose computer if you stare at it hard enough, sayeth Turing. Not all operating systems have user accounts, saith FreeDOS. And what of smart TVs, which all ages can simultaneously use?
Let’s play nice and assume that by divine intervention, the golden age envisioned by the lawmakers comes to pass on January 1, 2027. Computing devices that can download software have all users age-verified, and all app stores and apps can request this information before running. This implies that devices not running the latest compliant OSs will no longer be able to download or run software as the “digital signal” required will be entirely missing. Will this entirely freeze the development of vintage computing emulators? Will it lead to a forced hardware upgrade supernova that makes Windows 11 look like a gentle burp? Will spinning up a hundred new VMs on AWS need more form filling than importing and registering a vintage Porsche? How old is root?
Who knows? Californian lawmakers certainly don’t, which given that state’s global pre-eminence in matters digital paints an unspeakably vast intellectual chasm between governors and governed.
Then we get to FOSS, the contemplation of which in the light of the DAAA raises new philosophical questions for the ages. Is GitHub a ‘covered applications store’? How would that work with the DAAA? In general, no one person or organization creates an open source operating system. They are packages of components from all over. A GNU Linux distro, which is what most people mean by “Linux,” has the Linux kernel, the GNU components, one or more desktop environments, one or more package managers, and whatever functional focus the distro managers choose.
Where DAAA compliance fits in here, what it would look like, and whether a theoretical DAAA package maintainer would be responsible very much depends on how the assumption in the law that there’s always a single entity behind an OS can be squared with the very different reality.
Not that it matters. It is open source. Patching out DAAA components will be within the competence of a five-year-old koala. Unless, of course, the DAAA is implemented with a legally mandated, cryptographically assured, centrally controlled verification system. In that case, the koala may need to be slightly older — but as this level of forced technology is completely antithetical to FOSS, the issue is unlikely to arise.
The DAAA and its analogs in other American states are pure theater, quintessential magical thinking. It parallels the eternal insistence by governments that weakening encryption by putting in a back door doesn’t make it weaker. They don’t know how this can be made to happen, but they know it can be if only the industry is made to think about it hard enough. The law would have all the empty power of a pious wish, were it not pre-weaponized with company-crippling fines.
There is hope. The Texas Senate Bill 2420 (the App Store Accountability Act) has been suspended by a federal court. That law, which forced age verification on apps, got blocked for a likely violation of the First Amendment by being too broad. It’s an obtuse way of weeding out badly conceived, technically illiterate, potentially dangerous legislation, but we’ll take it.
Forget age verification for operating systems, but bring in clue verification for politicians. You have to be this tall to ride, my friends. ®