What's the deal with "age verification" and computers?
What the end game of this legislation might be, and what that would imply for both open computing and anonymity online.
As of today, California and Brazil — portentous, beloved economic zones — have laws on the books requiring operating system distributors to enforce a feature that collects the age of the account user at account creation time. The laws also require the operating system to unconditionally send that information to applications and app stores which request it. Any operating system distributor who ships an operating system which does not perform these functions faces heavy monetary penalties.
Illinois, Colorado and New York are in various stages of considering or adopting similar laws. So are various European nations. There are various small details in which the laws differ among jurisdictions, but fundamentally they are modeled after the same goals.
The first thing you should know is that these laws are being lobbied for by a coalition of both Big Tech (Microsoft, Google, Apple) and a number of NGOs such as Common Sense Media [heh] under the guise of protecting children. The legislation is also being sold as a "compromise" because it requires no personal information collection at any point...
...so far.
I am going to tell you why this is a very sophisticated form of deceit — and why this is also a proverbial nose of the camel under the tent. And I'm also going to tell you what the end game is; in other words, what it looks like once the camel is fully inside the tent. I am a veteran of the tech industry; I know the tech involved and I know how this story ends, if its current trajectory continues.
The first observation one might have about this age snitching feature is that it should be fairly easy to bypass. Right?
Well, no. If you have Windows or Mac on your system, which by the way involves more than 90% of you reading this, it's probably going to be impossible to bypass. Mac devices already require you to sign in with an Apple account to use the device or set it up. And if they don't somehow, you will be required to do that. And that already comes with an age verification step. Windows 11 has removed the local account feature on setup, and as recently as a few months ago, they removed any and all workarounds that permitted you to use your computer without signing in with a Microsoft account. And Google devices legendarily nudge you to set up the device with a Google account, but if you won't do it, you can't use their app store.
(Perhaps you believe that people were coincidentally habituated to use computers 100% registered with Big Tech. Now that you know they were advocating for this law requiring personal information at first use, you probably can deduce why they are, ahem, coincidentally, uniquely positioned to comply with the laws.)
Now is the time when you, a cunning, free-thinking individual, exclaim: "Hang on. I could just install Linux. Linux is not gonna pull any of this shit on me, right?"
Do you think Linux distributors are going to face thousands or millions of dollars in fines for distributing an operating system that doesn't have the misfeatures these laws require?
Mind you, there is no exception for open source or hobbyist software. Unlike other laws passed before, this law is not limiting its targeting solely to commercial companies or platforms. Everyone is ordered to obey. Even if you ship a custom spin of Fedora in your spare time.
Predictably, Ubuntu maker Canonical and Pop! OS maker System76 have already announced their intention to (in the case of System76, begrudgingly) comply with this law. They are looking at implementation plans to require, at account setup, that an age is registered with the account, and also to ship a D-Bus service, installed and active by default, that presumably will be used by app stores and applications to get the OS to surrender the alleged age of the user.
At that point, what incentives do other Linux distributions have to resist and say, "no, we're not going to ship this"? The software is going to be written whether they like it or not, it's likely going to become the default of every desktop session out there simply for ease of maintenance reasons, and anyone is at risk of exorbitant fines if they don't ship it or don't enable it by default. Distributors and desktops have to fold, like a cheap suit, which is exactly what they're doing. Because it's really that, or you can say goodbye to desktop Linux forever — and let's be honest, desktop Linux is in no bargaining position.
For most distribution makers, it's also not an option to say, "we're not going to distribute our software in California, Colorado or Brazil." For starters, those are large markets. In abandoning those markets, they lose substantial market share. Furthermore, copies of this legislation are beginning to appear everywhere, and it's likely that they will pass. So it's not a long-term option for them to say, "we'll just move to another jurisdiction."
Also, at this time, it's not even clear what's going to be the story for Linux distributions' repositories of software. Currently, they are just simply download servers. They collect no information from your computer and that is by design. The law requires this to change, so repositories in the future will have to collect at least your age, whether fake or real, or else the distributors face the same fines. Furthermore, it is not even clear if this mandate will also require the upstream software developers to be actively involved in the process. You can see what this does to the Linux distribution ecosystem: it absolutely wrecks it. Only the biggest players can stay alive. You and your hobby distro can suck eggs. Even I might not be able to distribute my applications in the uncertainty of this new legal environment. Look, I like you as a user of my apps, but I'm not going to prison for you.
(By the way, everything I just said about desktop Linux applies equally to Whonix, to Qubes OS, to Android, and any operating systems based on Android / AOSP, and any other operating systems shipping on phones. This is not limited to laptops or desktop computers. This is coming. At once. Everywhere.)
You may think this is bad. You may have reasonable privacy concerns about this feature — what right has an application store to the age of the user? Why do adults have to comply with this? These are all good questions.
But a more poignant observation is that you are being ordered to do something which is completely pointless — ship or use software that demands an age in a form, with nothing to prevent falsifying the response. I mean, you can just lie about your age when you log in for the first time, right? Nothing in the law requires that operating system distributors verify this information. You can say you are 39, even if you are 13. Hell, if you know what you are doing, you can just disable the age service and the computer will just let you in anyway.
Comically absurd, eh?
My friend, as the meme says: you think things are bad; well, they're about to get much worse.
Do you, dear reader, think that "age collection" is going to stay that way?
It won't. The future of this intervention in computing is already gamed out — and I'm going to tell you how it will go.
Of course the legislators passing these laws know full well that you can just lie on a form in your computer. They might appear to be stupid for political purposes, but they certainly are not. They already have thought out what's going to be needed to prevent people from lying on those computers that they want people to register with.
The first piece of the puzzle is called software attestation. It's well-known, widely-used tech. It will largely solve the noncompliance and malicious compliance problems — and nearly everything is in place to begin requiring it — especially on Big Tech's products, but quite frankly, pretty much on any modern computer, especially including phones, and regardless of OS.
If I were to make my popular app, which you use daily, require valid attestation, then you, the discerning individual who disabled some systems software you object to, would be 100% unable to use your beloved app.
This, by the way, is not fiction. It already happens to Android users, because it's already a deployed reality. If you install any version of Android not explicitly deemed genuine by Google, quite a few applications (fortunately still a minority, but many banking apps are in that minority) will simply error out before starting, perhaps grumbling at you because your system "has not passed the Google Play Integrity checks".
I hope you can see where this is going.
The logical next step for the legislators to take is obvious: to extend the current requirement of the law so that computer systems must provide this information —which they will already be collecting and providing by law— protected by some form of attestation.
Except, as we studied before, you can't just do attestation solely on the age you entered (perhaps fraudulently), when you created your account. That is technically impossible. As we saw before, attestation requires that the entire device be verified that it hasn't been tampered with. Otherwise, you could modify code that the age service depends on, which would falsify your age at will — and the whole exercise would be just as useless as the current law is.
Who is going to oppose this?
Well, Microsoft is not going to. Windows basically refuses to work, at least in full operational capacity, unless Secure Boot is enabled and the system can provide attestation. You already have to give your age to Microsoft when you log into a Windows computer. Their OS has that information on you already and can reliably attest to it.
Macs and iPhones have integrity tests. These tests can be extended so that Macs can provide that information. If you change the software in your Mac that provides that age information to the apps or app stores, Macs can be made to stop providing the information or reliably signal that they have been tampered with.
This leaves Linux... and things aren't looking that good "for the resistance" on the Linux side either. Most Linux distributors support Secure Boot, and those who don't are going the way of the dodo. It would be trivial to extend the secure boot mechanism on Linux desktops to also take into account now-critical system software, like the age attestation service — and if you change that software, your system won't even boot the next time you restart it. Perhaps you, the enterprising hacker, decide to go into the BIOS settings and disable Secure Boot. Well, when you do that, the computer can no longer reliably perform attestation, indicating that whatever your age attestation service says is no longer trustworthy.
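Why attestation has to cover the whole boot chain rather than the age service alone, as an added example (not code from this post or from any operating system): a simplified TPM-style measured boot in Python. The component names are constructed placeholders, and an HMAC stands in for the asymmetric signature a real attestation key would produce.

```python
import hashlib
import hmac
import os

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new = SHA-256(old || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure(chain: list[bytes]) -> bytes:
    """Fold every boot component, in order, into one register value."""
    pcr = bytes(32)  # the register starts zeroed at reset
    for component in chain:
        pcr = extend(pcr, component)
    return pcr

def quote(device_key: bytes, nonce: bytes, pcr: bytes) -> bytes:
    """Device side: bind the register value to the verifier's fresh nonce.
    Assumption: HMAC replaces the signature of a hardware-held key."""
    return hmac.new(device_key, nonce + pcr, hashlib.sha256).digest()

def verify(device_key: bytes, nonce: bytes, pcr: bytes,
           tag: bytes, golden: bytes) -> bool:
    """Verifier side: quote must be authentic AND equal the known-good value."""
    expected = quote(device_key, nonce, pcr)
    return hmac.compare_digest(tag, expected) and hmac.compare_digest(pcr, golden)

# Constructed sample images (hypothetical names, not real binaries).
STOCK_CHAIN = [b"firmware-1.0", b"bootloader-1.0", b"kernel-1.0",
               b"libc-1.0", b"age-service-1.0"]
GOLDEN = measure(STOCK_CHAIN)

def attest(chain: list[bytes], device_key: bytes) -> bool:
    """One challenge/response round for a device that booted `chain`."""
    nonce = os.urandom(16)
    pcr = measure(chain)
    return verify(device_key, nonce, pcr, quote(device_key, nonce, pcr), GOLDEN)

def age_service_only_check(chain: list[bytes]) -> bool:
    """The insufficient alternative: compare only the age service binary."""
    return chain[-1] == STOCK_CHAIN[-1]

if __name__ == "__main__":
    key = os.urandom(32)
    patched = list(STOCK_CHAIN)
    patched[3] = b"libc-1.0-patched"  # a dependency changes, the service does not
    print("stock chain attests:         ", attest(STOCK_CHAIN, key))
    print("patched dependency attests:  ", attest(patched, key))
    print("service-only check (patched):", age_service_only_check(patched))
```

A check limited to the age service still passes on the patched chain, while the full-chain quote no longer matches the known-good value.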
By the way, as time passed in this dystopian future, and this seemingly inoffensive legislation was largely adopted worldwide, many Linux distributions (particularly hobbyist distributions) simply closed up shop because they could no longer afford to take the legal risk that users of their distributions may falsify their age records, which their software is ordered to submit to app stores.
You now have a choice of distro between Ubuntu and Red Hat, possibly with a substantially reduced set of applications available for you to download using your favorite package manager. Both snitch on your age. All three app stores (assuming Flathub doesn't go six feet under) by law refuse to work unless your computer snitches to them. There is obviously no Whonix because its very premise is illegal after 2026 — heck, Tor itself may no longer be maintained, their developers probably having thrown in the towel because they divined what I will tell you shortly.
If you compile and install your own software from source, or run a modified Linux distribution, your modifications are highly likely to defeat attestation. Congratulations, you are now a digital pariah. Apps you install from official sources may simply refuse to work, or worse, app stores won't serve you.
Here is the crux of the issue. A legal attestation requirement to use computing devices in practice is the end of open computing, not by accident — by design. You are legislatively denied the freedoms to lawfully run and modify your own software on your computer, however you see fit. Your computer is effectively downgraded to the class of computing devices a PlayStation or an Xbox belongs to — for them to own and for you to merely rent, even if you paid full price. Testing or modifying your own software casually becomes an activity so cumbersome, most open source developers throw in the towel. If we define the purpose of the thing as what it does, then legally mandated attestation exists to suppress unaffiliated, hobby and independent software makers, surrendering all computing to closed source and Big Tech.
Before someone clever mentions it: I'm sure someone will invent a dispensation procedure for free software developers to obtain a "developer certificate" analogous to Apple's own developer program, but this would require you to surrender your ID. So you will certainly no longer be able to develop any software, either casually or anonymously, for any platform. For safety, you know. And even if you, as a developer, surrender to these onerous requirements, you, your photo and your home address are now on a list. You better not even consider developing any software that could be used for subversive purposes. Oh, I just remembered — wasn't Google trying to do exactly that to Android developers just a few months ago? So, this is not fiction either.
We're not done yet. Things will get worse, because the legal impositions on tech will have forced enormous changes in sociocultural expectations of computer users (that means everyone alive). Everything you read so far — which sounds Kafkaesque and insane here in the year 2026 — will be normalized in the future.
At this point in the Faustian bargain, everybody has been accustomed to entering private information to log into their system, even if they are radical trans anarchist Linux users. Furthermore, for their computers to be more useful than a space heater, they also must have valid attestation going, so modifying your own computer has become totally impractical and effectively unthinkable for 99.9% of the people who use computers or phones.
The legislators can move to the next step. With all the technical prerequisites in place, they can legislate a new demand that websites request that age information from your computer. Websites can definitely do that — secure communication protocols are the norm, and HTTP extensions are invented all the time. In fact, it's easier than ever before to make this demand, because attestation is normalized, and you are expected to have it working to even be using a computer at all; making the browser send attestation info after a permission popup is technically small fries. Ergo, website owners cannot muster a single technical reason why they cannot comply — so they will just have to obey. Heck, Google already widely uses attestation for their computer systems — they have every incentive to open up their process and standardize it via the W3C or the IETF. So it's a done deal. Meanwhile, voters — for whom a computer is a magical talisman like a microwave oven — don't see a problem with any of this either, because nothing changes in practice from their perspective: "Stupid popup! What do you mean websites don't know my age? I put it in the computer thingie already, don't they know that?" If you doubt me, watch the average person's response to EU cookie popups, and how quickly the (legitimate) complaints subsided as people got used to them.
So far, we've been only discussing the age requirement, which could easily be forged, even though everybody has the technical elements in place to make it unforgeable.
So why not make it unforgeable by legislative means?
Why not legislate that your computer must also carry and surrender your government issued ID — or some part thereof — which you must supply in order to interact with any online presence, whether it be an application or a website? A digital wallet, so to speak. Weren't there popular operating system makers already offering that as a feature? It's much easier to just click OK on the damn share ID popup! Why even register with websites anymore... Surely, legislators will also order computer makers to make sure that the ID is protected with the latest forms of unbreakable encryption tied up to the personal account of the user using the computer. Presto, score 2 for more positive legal burdens on all personal computer software makers, score 0 for the freedom to develop and distribute the software you see fit to do.
At this point, you may see legislators engage in another form of deceit. Maybe the legislators will say that their law merely makes it optional for your ID to be flashed to websites (most certainly not optional for some, like social media!). But would it not be useful and actually even more expedient for website operators to just request the ID by default, like some often request your location even without legitimate purpose? And what would people respond with by default? Hm. Let's think about it. What do people do today, when they are shown the stupid European cookies question? Truly, this scenario is a marketer's (and a spammer's, and a stalker's) wet dream.
And, you know, it's important to protect kids from online predators. After all, isn't this why you started being asked for your age, when you registered with your computer for the first time?
Under those circumstances, maybe you can visit Wikipedia and not present an ID (although I find it unlikely that Wikipedia would be exempted from it). Social media, phone apps, banking, none of it is going to work without you showing the digital ID (or equivalent to the law) that is now effectively mandatory.
At this point of habituation to digital ID, legislators can just declare it a crime to use a computer without an ID. It's really a minor amendment to the U.S. Computer Fraud and Abuse Act. Obviously attempting to tamper with your own computer's security may already be interpreted as a crime under that law (or they can simply charge you under the DMCA). And what objections would you have to not showing your papers anyway? Everybody else is doing it, or they are just not online anymore.
But, what about the children? Well, this sequence of events, starting with the requirement of personal information, ends up guaranteeing that every sexual predator working for a web site or app seller has 100% certainty of which users are children, so they can now directly target the children for predation. Oops! Curious! Isn't that precisely what we were told we wanted to avoid?
This is an effortful guess at the sequence of steps we will take, to get to a future where you cannot do absolutely anything online (or perhaps any computing at all) without you being identified by your identity. With an ever growing expectation that you do everything online, this increasingly looks like you will not be doing anything at all, unless you comply.
Now you know what the end game is.
And all it took to get here was the progressive yet ultimately total annihilation of free software, open computing, and privacy expectation. And let's be blunt here: quite a few legislators, NGOs and corporations have known for a very long time that free and open computing is a portentous obstacle, an enemy, that to this day prevents them from enacting their wildest control freak dreams. They could not be happier if they managed to put an end to free and open computing.
I am quite surprised that Linux distributors and open source advocates have not yet sounded the alarm; perhaps they think (incorrectly) they are very smart, and therefore this will not affect them. Maybe they assume that, because we have had open computing before, we will continue to have open computing in the future. Maybe they are simply less intelligent than I gave them credit for in the past. I hope I am — I want to be — wrong about that.
I, for one, am concerned. We're standing at the gates of a disaster for both free software and privacy; if this disaster comes to pass, I fear no one will ever be able to roll it back.