00:00:00So apparently there's a new law from California that require Linux distros to need my age
00:00:04and tell my age to every application, and even worse, other laws are being made elsewhere
00:00:09to do the exact same thing. Like I expect Windows to violate my privacy when I install
00:00:13it, but not on Linux distro and I've seen so much confusion about what's happening
00:00:16at the moment, so let's dive in and see what's going on.
00:00:24Now I'm no legal eagle but here's the TLDR of what this law is. It's called the Digital
00:00:29Age Assurance Act and it comes into effect on January 1st, 2027. It says that operating
00:00:34system providers must prompt users to declare their birth date or age during an initial set
00:00:38up process and this information is then sorted into one of four age brackets. Under 13, 13
00:00:44to under 16, 16 to under 18 and 18 or older. Then the system must offer a real-time API
00:00:49that app developers can query whenever someone downloads or launches an application and this
00:00:54will return only the age bracket they're in, not their exact age. Penalties for non-compliance
00:00:59of this are $2,500 per affected child for negligent violations and up to $7,500 per child
00:01:06for intentional violations. But here's the most important part and to
00:01:09me, the most absurd part. At the moment, this relies entirely on self reporting. There is
00:01:13no requirement for photo ID, facial recognition or biometric scans. Users simply just type
00:01:18in their age. Now I'm not a fan of any of those methods being used. It's an absolute violation
00:01:23of your privacy, but if you'll excuse me for a second, what the fuck is the point of this
00:01:27law? Do you think a 13 year old kid is going to be honest about their age? When I was 13,
00:01:32half of my accounts said that I was a hundred years old. Like what is the point of this law?
00:01:36We tried it before with social media and porn sites and now we have new laws requiring your
00:01:41ID to use them. So excuse me if I'm a little bit worried that that's exactly where this
00:01:45is going to head. It's just seemingly becoming clear that lawmakers in nearly every country
00:01:50are trying to strip away our privacy and hand it over to companies like Palantir. I mean
00:01:54similar laws are already being worked on in Colorado and New York and over in the EU and
00:01:58it's just always the same blanket excuse of protecting children because it's such an easy
00:02:03way to sell this and it's just so annoying. Even worse though, you can always tell these
00:02:07laws are written by people with no understanding of technology. They were clearly just thinking
00:02:11about Apple and Microsoft when they wrote this one as they define an operating system provider
00:02:16as any organization that develops licenses or controls the operating system software on
00:02:20a computer, mobile device or any other general purpose computing device. That means it includes
00:02:26basically everything. Every Linux distro, Ubuntu, Debian, Arch, Fedora. It includes all of them.
00:02:32And one of the biggest issues with that, I mean there are so many, but first of all most
00:02:36of these have no account system. It is just a completely local user. There is no cloud
00:02:40account that needs to be signed into like there is with Apple and Microsoft. So how do you
00:02:44even begin to enforce this on these distros or even know that someone is using one of them?
00:02:48The distro maintainers don't know this information themselves as there is no cloud setup. Then
00:02:53there's also the fact that many of these distros are just maintained by indie developers and
00:02:57volunteers and there are no legal teams or no budgets. So who would we go after if there
00:03:01was a violation in one of these distros? Do you go after an individual developer and find
00:03:05him? Like no one thought about Linux when they wrote this law. And you can tell that by the
00:03:09fact that this law doesn't even exempt server-side Linux installations. So will every server,
00:03:15every VM and maybe even a container need to verify my age? What about my smart lightbulb
00:03:20that might have Linux installed on it to get it to work? What is the scope of this law?
00:03:24It's just absolutely absurd. And so far I've only spoken about the operating system side
00:03:28of things. If we take a look at the app side of things where developers are expected to
00:03:31query this API for the age bracket the user is in when someone installs or opens up their
00:03:37application, they actually define covered application store so broadly in this law that it can include
00:03:41command line package managers like apt or homebrew. So apparently every time I go to install a
00:03:46package, it's going to need to ask for my age from the API. Then the package itself when
00:03:50I run it is also going to need my age. Like this law is seemingly requiring every single
00:03:55app developer, every single app store and every single operating system to implement age verification.
00:04:02And that just seems a little bit insane to me. Now I could probably rant about this for
00:04:05a lot longer, but that's probably not healthy for me. So let's just take a look at what other
00:04:08Linux distros and operating systems have said about this law.
00:04:12One developer who contributes to the privacy focus kick secure and who nix projects actually
00:04:16posted a technical proposal to the Ubuntu developers mailing list. He proposed a new D bus interface
00:04:21that could be adopted by any Linux distribution. The idea is to store age data as root owned
00:04:26files that aren't readable by regular applications. So it only shares the bare minimum that the
00:04:31law requires. And it's actually a pretty privacy focused approach all things considered, but
00:04:35this was just a proposal and canonical. The company behind Ubuntu has been a little bit
00:04:40cautious here. The VP of engineering actually said that they're reviewing the legislation
00:04:44with their legal counsel and they have no concrete plans or how or even if they're going to implement
00:04:48a change. The other more severe approach that you could take though is the one that midnight
00:04:52BSD have. They've actually modified that license to exclude California users altogether until
00:04:57they have a better plan for this, which is kind of hilarious to me that there is now
00:05:01a license that specifically excludes California. Overall, this is just an incredibly annoying
00:05:06situation where the law is incredibly vague. It's technically illiterate and practically
00:05:10unenforceable on half of the things that it claims to cover. And it's just opening the
00:05:14door for way worse legislation in the future. So if you are from California, Colorado, or
00:05:19any other place where laws like this are being pushed, I highly recommend you find a way to
00:05:22contact your representative and try and get this fixed. Let me know what you think about
00:05:26this law in the comments down below or if I've gone a little bit crazy. And while you're down
00:05:30there, subscribe and as always, see you in the next one.