Age checks creep into Linux as systemd gets a DOB field After weeks of debate, code to record user age was finally merged into the Linux world's favorite system management daemon. Pull request #40954 to the systemd project is titled "userdb: add birthDate field to JSON user records." It's a new function for the existing userdb service, which adds a field to hold the user's date of …
Why will they have to?
Because it's the law in jurisdictions that are financially important to the companies behind Linux.
Obviously savvy users will remove it, but if you're an exec at a company like Canonical, are you really going to risk it? Would you really want to be the first poster child for the "think of the children's" brigades lawyers?
The law may be stupid, but it is still the law.
> Obviously savvy users will remove it
Not necessarily. Many savvy users will ditch such a distro entirely once they have to start distrusting and keeping an eye on their own computer, once it starts putting external interests over their own.
We've been through this with DRM, telemetry, clipper chips, legislative backdoors, etc.
It's worth a glance at this draft legislation to begin to understand what the driving forces are for this - below is an excerpt:
SEC. 3. App store obligations.
(a) In general.—Each covered app store provider shall—
(1) at the time an individual creates an account with the covered app store provider—
(A) request age information from the individual; and
(B) verify the individual’s age category using a commercially available method or process that is reasonably designed to ensure accuracy
If the age verification is built into the OS... then companies won't have to implement it themselves... and it's being funded behind the scenes by companies like meta who are spending tens of millions on lobbying groups.
If they don;t have to build it into their products, they can continue to push their vitriolic products on kids and damage their mental health whilst getting them addicted to the hate they push at them... ya know... like all drug dealers do.
Your mom.
This could be a comedy sketch.
My Mum having to phone the police helpline in order for them to talk her through how to verify my age on my computer. "Madam, first you need to bring up a command prompt. Now start typing..." Mum, "Sorry, what's a command prompt?" Obviously, I can't help. I've not used Unix since the 90s - I can't remember anything...
Although I have got an old Lenovo laptop, which has been orphaned by Windows 11, that I'm seriously thinking about having a go at Linux. At which point, will I need my Mum to confirm my age? I think I'd rather eat the laptop (or kill myself) than try to teach Mum a new computer system... The only one she's ever been completely happy with was Windows Phone, I've had more problems with her iPhone and iPads than I had with that. Maybe she's just weird?
"> Who is going to verify the age you enter into Fedora you downloaded for free and installed yourself is true?
Nobody, but fortunately the law does not require anyone to, either."
YET. And that is exactly the problem with asking for the DOB in the first place. It's not what it's to be used for now, it's for what they will use it for in the future.
It should not be allowed, and thankfully I fully believe that there will be good enough people out there to provide us with an OS that won't ask for this check. So I have no worry on that front.
What I worry about is the end game of what all of this age verfication will lead to. That, I do not like. That, I worry about. And that is what the question should be all about.
I think I'll simply use the date of the Epoch† as the DoB‡
†Which as we all know, is 1Jan1970...unless you're Micros~1, in which case it is 1Jan1900, except when it is 31Dec1899... That'll keep 'em guessing!
‡What, you want my DoB, not that of the underpinnings of the OS itself?!? Cheeky bastard! Here's a hammer, there's the beach...
To comply with the law
Who is going to enforce it? If country X decides that operating systems must ask for and verify age, how are they going to force Fedora to comply? If they don't, how can they block downloads of Fedora? They can block fedoraproject.org, but there are a LOT of mirrors out there.
Fedora maybe isn't the best example since a country could prevent Red Hat from doing business there if they didn't go along with whatever in Fedora, but there are plenty of Linux distros that don't have a commercial arm that can be twisted.
At the moment nobody, but I suspect future legislation will require an Android style system to validate the system, combined with age verification services. On Android Play Protect runs in the ARM TrustZone and downloads a daily binary that it runs to validate your system.
The point in checking age is simply compliance with what appear to be poorly thought out, feel-good laws. There's no point in railing against software system providers. They're just the messengers. What would be needed to prevent this sort of nonsense would be better lawmakers. Not much chance of THAT I fear.
The age restriction check is not the end goal, the "think of the children" step is just the first boiling frogs step in implementing ID verification.
There are so many checks and restrictions already and it's never enough.
The same people implementing this will say as you have done "look at all the people managing to work around our law, we have to go a step further" until they get to the end goal of a copy of the Chinese system of ID checks for online access and all your activity tied to the ID with punishment for doing anything deemed out of line. That is where this is heading.
I try to take these proposals at face value. But when I read into the details and see the lobbying behind it, I am constantly drawn toward the conclusion that identifying all internet users, from the moment they connect to the moment they disconnect, is the real end goal.
But isn't this what we need - on device age indication (not verification) for child accounts instead of wholesale privacy invasion for everyone in the name of age verification?
California's law just allows an age to be entered by the way, so systemd managed to get it wrong, which is shocking and has certainly never happened before. But because it's systemd we're stuck with it now.
"But isn't this what we need - on device age indication (not verification) for child accounts instead of wholesale privacy invasion for everyone in the name of age verification?"
Exactly. If I could access age restricted sites just by having an age-range token on my computer I would seize on that option as an alternative to handing over some serious personal information to numerous third parties who may be doing anything they like with that data.
But don't expect to convince those who reject age-range tokens and prefer forcing everyone to hand over name, address, dob, social security number, passport and driver license details to everyone who insists on having it.
If this anti age-range token movement was being encouraged by the very people who want to grab personal info it wouldn't surprise me.
It's a date. It should also allow an age which can be updated when the administrator wants, according to the California law. That is preferable as it's not as high resolution as DOB. Even better would be if systemd has an API which returns the possible age ranges in the region and which one the user falls within but it sounds like it's not doing that either.
That is NY's next age verification law, not California's age indication law. California's law specifies on-device parental controls and I'll take them.
Or would you prefer banning computers for children until they reach 16/18? That's impossible, so really it means no parental controls on any device at all.
You seem to think there is an existing concept of "child account". There isn't. Just user account. If the concept is to be introduced how do you ensure that children only use a child account? How do you ensure that an administrator creates the appropriate account type?
Ah - a solution. All accounts become child accounts, then there's no way round that.
Don't you see this is where it's all going?
We are not dealing with one law, we are dealing with several, all drawn up by different legislatures. You won't be able to pick and choose which one you meet, you'll need to meet all, including the most draconian if only because the least will be too ineffective to achieve the proponents' aims. The consequence will be everyone using a computer, whether or not they're in these jurisdictions will be expected to hand over PII to identify themselves (whatever that may mean - I leave it as an exercise for yourself to work out what it means and how it might be accomplished) to some outfit with no ability to withstand the attention they'll get due to the data the'll be hoarding. That will happen because the OS will implement it universally to avoid getting sued by these tinpot dictators.
I recognise the problem* but this is not the way to solve it. All too often the response to something which is already illegal is to introduce new legislation instead of enforcing that which exists. In this particular instance it looks rather like introducing a technical offence that's easily defined and prosecuted rather than taking the hard route of prosecuting the actual offence, whatever that might be. That's laziness and useless because it fails to tackle the real issues.
The personal computer and the internet are too fundamental to the modern economy to have this sort of nonsense imposed by the technically ignorant to get us itno that situation.
* I spent about a third of my working life as a forensic biologist. It's a branch for FS that deals largely with assaults both physical and sexual. One of the Lab's cases in my time was the Kincora House boys home - look i up. If it had been my office mate who was in court the morning that case arrived rather than the other way about it might have been myself who became the reporting officer. I did help with the scene work as did all the other biologists.
"But isn't this what we need - on device age indication (not verification) for child accounts instead of wholesale privacy invasion for everyone in the name of age verification?"
That wouldn't be enough for the ToTC lot. Even if you can't see the possibility, they can: child who's a good deal more competent than parent enters 1991 into DoB field.
Without verification an indication means nothing. If it were introduced without things wouldn't rest there.
The device administrator enters the age, not the child.
The age indication follows the parents' wishes about how they want to raise their children. That means everything.
You're talking about some hypothetical future instead of useful tools which are helpful for parents. If a Chinese-style social credit system is introduced by the US, it won't be because of on-device parental controls which have existed in one form or another since the 2000s.
> The device administrator enters the age, not the child.
I was the administrator, at 14. Granted it was a TRS-80 with an audio tape drive,....
My 14 year old, in 1998, got a friend to hack my dual boot loader so that he could load Windows for gaming when he wanted.
At 35 I worked for an 18 year old who was brilliant at 13.
The children pwn the computers.
YMMV
AAC
No, this isn't what we need. All your age indication versus verification thing does is to point out that it could be worse. Helpfully, that's always true, even under New York's or the UK's laws; I could always find a way for it to be even more dystopian. That someone could conceive of a way to do it worse doesn't mean the less bad one is acceptable.
To prove that we need this, you'd need to demonstrate why. One reason a lot of us oppose this is that we think it won't stop here. But you're arguing on the basis that we don't know that so we can't base our opposition on that. I disagree, but let's go with it for now. The reason I think it will eventually become stronger is that self-identification of age means children are no more protected than they were before. Parents who would set this and prevent their children from unsetting it already had plenty of tools. Those who didn't use those tools won't use this one. Therefore, it doesn't achieve any outcome we don't already have. We don't need this not just because it will lead to negative consequences on its own*, and I'm quite confident it will, but also because it doesn't do anything. If I'm correct, then the legislators who started here will recognize that it doesn't do anything and replace it with something that does which I will dislike. If you are correct, then legislators will ignore the fact that it doesn't do anything and nobody is advantaged.
* For example, more privacy leaks for anyone who is honest to this system. This method stores the full date of birth. Ah, but you've predicted that and have a suggestion: report age groups (child/teen/adult), not dates. Great suggestion, except the law doesn't allow for age groups, just age, and if the age is reported down to the year, then when it changes, software with access to it, eventually including websites according to the legislation, can establish the birth date anyway. That could be counteracted, for example by not reporting someone has gotten older until a random number of days after their birthday, but it's not clear if that's legal and it would involve plenty more thought for a privacy advantage most programmers don't care about.
The change is this would make them parental controls part of the first run process on starting up the device for the first time so parents will be guided into setting the controls. Also the data is minimal as it is just DOB or age or both, there is no other paraphernalia or opening of online accounts required. MS, Google, and Apple's parental controls require more PII from the parent (e.g. e-mail address, address, credit card number in Google's case). So these are genuine improvements to the status quo.
The California law allows for DOB or age and converts it into one out of four age ranges, so this is not merely my suggestion.
systemd is not helpful because it doesn't implement age or age ranges, it just bloated a bit more without thinking through the functionality beforehand or the consequences afterwards, as is usual for systemd.
> Also the data is minimal as it is just DOB or age or both
Just a bit of mandatory PII. Just a currently minor framework.
Just the tip.
> MS, Google, and Apple's parental controls require more PII from the parent (e.g. e-mail address, address, credit card number in Google's case).
Then the parents can give up their PII if they want their kids to have devices but restrict what they can do. Or the parents can build a "kid-friendly" walled garden. Or they can be involved parents and not rely on a digital babysitter.
But right now, my computer requires zero PII from me out of the box, and I'm not going to give up my PII because other people are parents.
Which law? It's not just whatever law you're thinking of. It's all the other laws going through various legislatures at the minute and all the ones that bandwagon jumpers are going to come up with in the future. Every eejit legislator who thinks ToTC will get him a few votes is coming up with a fresh one, all different and ALL failing to tackle the underlying problems. They'll do that because it's easier that doing the hard work of actually prosecuting real offences against children.
In my career I've been a small part of the investigation into what turned out to have been long running offences by the staff in a children's' home.
Much later, but still a couple of decades ago, I was involved in the IT side of the implementation of a system which was supposed to ensure that the sort of offenders in the Kincora case couldn't get to work with children.
We're still seeing prosecutions which, in one way is good because it means that it's sometimes being taken seriously but not often enough. One recent report of a case told how it wasn't prosecuted earlier because when the police caught escaped victims their reports weren't taken seriously and they were sent back to more abuse.
That angers me. It's a problem that's been recognised for decades, is allowed to continue but in the meantime we have those who should be ensuring that effective action is taken faffing around applying their patent nostrums to the fundamental framework of our economy.
"The change is this would make them parental controls part of the first run process on starting up the device for the first time so parents will be guided into setting the controls."
The change is that the user's age is reported to everyone who asks and there are penalties for anything the government decides haven't sufficiently asked and taken action on that data. I don't consider that a thing that needs to happen, nor do I think that is justified when the benefit you're claiming is just that parents will have a slightly easier time setting up parental controls. An argument which isn't even true since all they'll have an easier time doing is entering a date of birth in a box; any rules controlling what the user is or isn't allowed to do are going to be as complex to set up as they were before. Parents have had plenty of options for controlling machines, not only including things from Microsoft, Apple, and Google. You've also overstated the requirements some of those place on people doing the controlling.
The change is that the user's age is reported to everyone who asks
This is not true, age ranges are reported and not to everyone who asks.
there are penalties for anything the government decides haven't sufficiently asked and taken action on that data
Not for the parent or the child.
Parents have had plenty of options for controlling machines, not only including things from Microsoft, Apple, and Google.
That's all the major commercial OSes for most commercial devices and all require more PII than this law.
You've also overstated the requirements some of those place on people doing the controlling.
Sorry?
"This is not true, age ranges are reported and not to everyone who asks."
Just software and websites who are mandated to ask for it if they do anything that might be restricted in age (undefined). Anyone who has another reason to want that value can get it too because there's no registration system for the API, not that one would help with anything. Or in other words, anyone who asks. I concede the age range point if we assume that everything works perfectly. And it's true that the penalties aren't on the parents or children, just the people who write software, possibly including contributors to anything open source, and websites and applications that might allow some child to see something that maybe is a problem. Nothing dangerous there.
"That's all the major commercial OSes for most commercial devices and all require more PII than this law."
I may not have been sufficiently clear. If you've got a Windows device, you can get parental control software from people other than Microsoft. If you've got an Android device, you have options other than Google. Both allow you to avoid the login requirements and both have been available for a decade or three. If you have an Apple device, that's where you've overstated the requirements since those restrictions can be implemented without any account if a parent spends about five minutes trying and, on Mac OS, you still have third-party options. These are also bad comparisons because the restrictions from every one of those companies, with their additional requirements, offer specific control over what is allowed whereas age indication does not. Any one of those parental control options lets the parent decide to deny access in hours they don't like along with a dashboard of other locks they can activate. A birth date in a box does ... nothing until another law forces it to. If the parent wants to shut off access at night let alone anything more complex, they still have to use the tools they already had.
Also known as Lovejoy's Law (https://en.wikipedia.org/wiki/Think_of_the_children)
And not sure if the shade was intentional at the end of the article for not mentioning Devuan. It's been around a long time, and I've been using it as my daily driver since 2018, whereas I've never even heard of Adélie.
> Also known as Lovejoy's Law (https://en.wikipedia.org/wiki/Think_of_the_children)
I try not to repeat myself too much. Did you not read the 1st 2 articles to which this is a follow up?
Note that in #2
https://www.theregister.com/2026/03/10/foss_age_verification_2/
... I did specifically mention Lovejoy's law by name and link to an explanation. What more can I do? Every article can't contain a full recap of all the earlier ones. They'd get fractally longer.
> And not sure if the shade was intentional at the end of the article for not mentioning Devuan. It's been around a long time, and I've been using it as my daily driver since 2018, whereas I've never even heard of Adélie.
That was the POINT.
The point was to highlight some of the _lesser-known_ systemd-free distros, and I chose the small rhetorical flourish of selecting a trio that _started with the same letter_.
It was not some comprehensive list. There are whole websites devoted to cataloging systemd-free distros:
https://nosystemd.org/
That's not what this article was about. And that is why I did not include a whole list, just an alphabetised subset. Instead I attempted to make a point by starting at the top of the list and pointing out that even from just the first letter of the alphabet there were 4 candidates.
The reason for those specific ones was that:
Number 1 directly refers back to Garuda and Arch because that was the starting point for 50% of the article: Garuda in specific and Arch in general. So, specifically name and call out the systemd-free variant of Arch.
#2. they all start with "A" and after Artix they are in _alphabetical order_: a*D*elie -> a*L*pine -> a*N*tix
#3. Devuan is of course famously based on Debian: that is its selling point. That's _why_ the other article that day was about antiX, which is _also_ a systemd-free Debian which has stricter rules on inclusion than Devuan, as I spelled out in the article about antiX:
https://www.theregister.com/2026/03/24/antix_26_bonsai_trixie/
This wasn't a comprehensive list, it was just products beginning with A, and antiX also begins with an A.
#4. The reason _why_ this was not meant to be a comprehensive list is that IMHO there is no point repeatedly mentioning the best known distros. Another reader also emailed to ask why I didn't mention Slackware. The way you can tell that it's not comprehensive is that _they all begin with A._ This is why it does not include distros beginning with D and S.
would never pass on age checks to save their own arses.......... would they.......... would they................. would..... they ?
Plus it saves them the cost of actually verifying how old their addicts are.
(and given whats appearing on my farcebok feed, its becoming a sewer instead of a gutter with the amount of inflammatory AI slop thats being pumped out and then published by fakebook who are only too happy to take the money and run)
Quote: "....Stores the user's birth date for age verification....."
So...at Linux install time, the person doing the install (root?) needs to supply a birth date.
- How would this be verified? Machine is off-line! Yup...I was born on 1-Jan-1906!!!!!!
Machine still offline. Create new users. More fake "birth dates".
Machine goes online. What now? Linux distributions provide automation to check root and user birth dates? SURELY NOT! How?
This is a complete day-dream!
> Linux needs a random-dob-inserter
That would be a bad idea in terms of privacy. It would be a piece of information that could be used to track a user, as if it is truly random not many people would have that DoB, therefore it becomes useful in tracking the user, it makes fingerprinting (e.g. browser useragent string + OS + kerenel version + DoB ....) more accurate.
Better would be for everyone to use the exact same DoB, that means it can't be used as a data-point to fingerprint someone (if everyone or a large segment of users use it).
But the downsides of everyone using the exact same DoB would be new legislation that could make the O/S vendor legally responsible for verifying that age ...
Another security problem with this is a lot of businesses and government agencies in the US use the identifier "last for of social security number", this along with date of birth drastically reduces the number of potential first 5 numbers that could match the last 4 and give you an accurate number for that person.
Linux needs a random-dob-inserter
Ageless Linux --- https://agelesslinux.org/
"How would this be verified?"
It won't be. The relevant laws (at least the ones I've seen) don't require anyone to verify it.
The scenario the legislation (at least the California one) envisages is parental control. A parent sets up an account for a child and enters the child's date of birth. They enter it accurately because they *want* age controls to be applied to their child's usage. The whole mechanism is designed around the parent-as-sysadmin, effectively. There's no envisaged external/government verification of the DoB.
If you are your own sysadmin, or your sysadmin doesn't want age restrictions applied to you, you enter whatever the heck you like. It seems pretty clear by implication that the law thinks this is fine.
"They enter it accurately because they *want* age controls to be applied to their child's usage."
And there is a major part of the problem ... As a parent, NO I DO NOT! I refuse to abdicate my responsibilities to my child.
I, personally, will make that decision based on the maturity of my child, not some time-stamp on a birth certificate because some grifting politician who has never met me (or my kid) says so.
Actually, I made those decisions based on her maturity a few decades ago ... and she is making those decisions for her own child today.
It's not an abdication of responsibilities, it's like not buying a disc or game of setting the channel lock on the TV for content which you don't think is appropriate for your child. That's a parent being responsible.
A few decades ago all you had to do was unplug the TV or have just one in the living room. Things have got more complicated since then so denying parents the tools to parent is hardly helpful or even the meritorious action that you think it is.
The trouble with "age" as a number is that it's only correct for a maximum of one year. After that it needs changing annually, forever, on the anniversary of the person's DoB. For which updating you need to know the person's DoB.
At least DoB is a constant for each person (except, perhaps "born again" Christians?).
I reckon the might be a statistical spike in births on 1 Jan 1970 if this ever becomes commonly used. That'll confuse the historians of the future!
However entering just an age doesn't need to be accurate, just a value roughly in line with how the parent wants to parent their children based on the kind of content available for that age.
It also allows the Meta group of apps, Snapchat, TikTok, X, etc... to be completely nerfed as according to their own T&Cs they shouldn't be used by any child under 13, so just enter a value under that age.
And you see why we have a problem with it. For those bans to work, people need to identify themselves. It wouldn't work if sellers of alcohol just asked people "by the way, before I sell you these, are you a child?", and if one tried, they would be in violation of the law and would be punished. So with California's current law, this does nothing. If nothing is acceptable, don't bother passing this; we've already got that. If nothing is not acceptable, they're going to take another step to enforce that the entered data is accurate and we have major problems with that, problems I'm sure you will start to ignore when they're mandated but have so far acknowledged in order to defend this useless thing.
> For those bans to work, people need to identify themselves. It wouldn't work if sellers of alcohol just asked people "by the way, before I sell you these, are you a child?"
No. When I buy alcohol, nobody asks. Nobody needs to. I'm old enough. If they insisted on mindlessly scanning my ID, then I'd take my business elsewhere or just skip it rather than have my ID databased. Don't need a drink that bad.
They've also sold to me before. Haven't gotten younger since last time. Big difference between glancing at a new customer's ID once and performing a mandated, digital check every time, which creates a boatload more data in the audit trail. Digital age-gate interactions will perform the latter.
What the supporters of this are missing is just how many people don't want to suffer consequences because of someone else's kid. They generally feel the same way in airplanes and restaurants. It should come as no surprise that many adults prefer adult spaces and being around other adults. (and that's not using "adult" as a euphemism)
The Internet is an adult space. Computers are an adult space. Proponents of these identification laws want to change that for everyone, rather than taking responsibility for creating and managing their own exception. Why do so many nice resorts have a "kid's pool" away from the ones for adults on holiday? If parents want computing and the Internet to be "kid friendly" then there's nothing stopping them from building their own walled garden.
The kids are the exception, not the adults, and everyone who thinks this is about "porn" is wrong. El Reg is not an "adult" site, but I can say that age verification is some giant fucking bullshit, and if a parent doesn't want their kid reading my language, that's on them. Otherwise, censorship spreads nearly everywhere. Imagine if you couldn't use bad language or discuss mature topics outside of age gated establishments.
If you were near the target age, do you think it would work the same way? Not to mention that some politicians are willing to accept that method too. Just take your picture, they'll guess at the age, if it guesses young whether correctly or not you're locked out, that picture will be treated in accordance with privacy law [data will be stored for auditing requirements or something like that and we haven't had a ransomware incident since last year].
The point remains the same; actual age bans are implemented with more than the honor system. The argument for why California's approach isn't a problem is that, since it is the honor system, we don't have a reason to worry. Not only is that incorrect, but because that system is so ineffective, it's very unlikely to stay there.
The kids are the exception, not the adults, and everyone who thinks this is about "porn" is wrong. El Reg is not an "adult" site, but I can say that age verification is some giant fucking bullshit, and if a parent doesn't want their kid reading my language, that's on them. Otherwise, censorship spreads nearly everywhere. Imagine if you couldn't use bad language or discuss mature topics outside of age gated establishments.
I think you've hit on something, AC. What we have here is the holier-than-thou-polloi's dear, sweet innocent (!) sprog to be "protected" from all that foul, vile swill that the interwebz provides, without having to take the active, ongoing responsibility to make the (likely unpopular) decisions to make sure that said sprog are truly protected (for whatever value of "protected" is appropriate -- for them). That would take too much work. No, much easier for them to simply force everyone to conform to a cookie-cutter approach. Do they care if you, or I, or anyone else, fits into their cookie cutter? Go ahead...ask them. You won't be surprised by their answer.
This doesn't do nothing, it guides parents through on-device parental controls on first run and gives them the tools to ensure that a device that is not always within their view will be used in a way that they originally agreed with their child (and it's not always the child's fault, apps and commercial app stores push other apps through advertising).
If for some reason something like NY's proposed age verification law for devices comes to fruition then you'll see me continue to argue against it, as I have done up until now. You also see me argue against how Australia and the UK's laws allow third parties to have access to ID documents, as I have done until now. You'll also see me argue for the EU's proposed tokenised age verification. If you were to argue that the EU's tokenised age verification could be rug-pulled from beneath everyone's feet into something worse in the future then I'll entertain your argument more seriously than any argument you have against on-device parental controls, but something to be debated under another article about the EU's age verification.
To extend the alcohol sellers analogy a bit: is the landlord (owner of the building the alcohol seller shop is in) liable for the alcohol seller not properly checking age of customers?
And, in this example, is the computer OS the landlord, or the alcohol seller? Or maybe the shop itself, actually. (I'm hurting my own brain a bit here).
What I'm getting at: it seems rather shaky, disingenuous, etc. to hold a computer OS (or rather, its devs and distributors) responsible for the content provided by companies and individuals at the other end of the internet wire. Of course, those companies are keen to avoid responsibility, so...
I can't help thinking some unscrupulous lobbyist for facemeta et al pitched this scheme to dim politician(s) with an example like "we require an operator license at a certain age to drive a car, right? And an OS is just like a car, right?"
"Perhaps the smoking ban for under 16s or alcohol ban for under 18s should be lifted because someone's big brother can buy them instead?"
We have the situation that if I put a packet of paracetamol in my shopping in some cases the checkout operator has to call someone to confirm that I (in my 80s) am old enough.
Funny thing is, that is my actual birthdate. I have the honour of being constantly reminded just how many seconds old I am when digging around in Unix-y times. And I'm still often caught offguard when some error has zeroed out a timestamp and I start wondering why my birthdate is cropping up in various fields.
This appears to be an exercise in box checking. The post says "birthDate is excluded from user_record_self_modifiable_fields(), so only administrators can set or change it via homectl". So if you install your system and have root then you can change it post-install or during the install. The only children affected by this would be those whose parents do the install for them and do not give them root access (for as long it takes them to work out how to gain root and change it themselves).
every distro has a bootable "live FS" image for a USB drive in which the USB image boots up with easy root access. chroot to your mounted OS and voila! or, just change the root PW for the booted OS. or add 'su' to sudoers.d . whichever.
This is so pathetically trivial that my forehead has a giant red mark on it from all of the face-palming...
If I type sudo, the usual state of affairs is it asks for a password. If the parent gives the child the root password or puts their child's account in the sudoers list then that's their decision. Likewise if they want to set the age to 18 when their child isn't. Other parents will decide not to.
Please provide the legal theory by which you assert that the GDPR is being directly violated. I don't know what 'this' is in your second sentence because the context is ambiguous.
Whatever legal theory you provide, someone will probably say that you're a moron who doesn't understand the GDPR. As a moron who doesn't understand the GDPR, I can attest that I am not the AC who will inevitably call you one in a humorous attempt to implicate me for having written this paragraph. If you don't have a legal theory to back up your assertion, it's fine to admit that you don't. I don't like the opinions of unqualified (in the sense that you have not qualified yourself to me, not that you possess no qualifications with which to do so) individuals being represented as absolute facts.
I think that we're probably on the same side of the debate. I'm confused and tired, I don't want to read the GDPR again, and if you've got a solid argument then I'd like to use it myself.
G'night!
Now I'm no fancy lawyer but to my understanding it actually explicitly permits mandatory collection where required by law. It does prohibit collection without a clear purpose so I guess one could argue that in jurisdictions without such a dumb law, enforcing DOB collection could be a violation (since there is no law and hence no purpose to collect). I guess if the distro maintainers really care they'll have to tie it to localization settings somehow.
There are no jurisdictions that require DoB collection in this context.
Brazil requires an "over 18" verification, California an age band indication (not verified, simply indicated).
There are however several jurisdictions that prohibit collection of this data without a specific legal justification - one of which is California, in fact, as DoB is PII.
The breach occurs because it is collecting and broadcasting considerably more personal data than is necessary.
All this just confirms what I've long suspected -- the people making systemd haven't a clue what Linux is. Obviously, per Dunning-Kreuger, they'll consider themselves experts but if they stopped and looked at a real system then they'd understand that there are a lot of system "users" with only one or two actually being human. Its quite easy to add age as a user property but potentially rather pointless, especially if root can override it.
I'm prepared to add it just to shut people up. Its one of those things that you'll never win an argument about so just give 'em what they want. It will be an ongoing situation, though -- it will require constant patching as they realize it won't do what they think it should. We'll just have to roll with it until the focus, and accompanying battles, shift elsewhere. The urge to control "for your own good" is deeply embedded in some people, its what defines them, and handling them can waste a lot of energy.
BTW -- Speaking as a parent its actually far easier to teach the kids how to use stuff responsibly than to police their behavior around the clock. Kids are naturally curious so saying "you can't" is actually an open invitation for them to prove you wrong (and if they're a teenager then they're likely to succeed).
A cynical take, which I don't claim to be entirely accurate: the systemd folk have one overriding principle -- the expansion and spread of systemd. They believe that OSes which are perceived to be "age band declaration ready" will be more likely to be adopted by big dumb corporations.
Thus, if systemd can "get out in front of this issue" it will allow systemd to continue spreading, even beyond what the likes of Red Hat-IBM corporate would accomplish.
So Linux stores the DOB in systemd, IOS elsewhere, Android elsewhere, WIndows elsewhere etc etc.
How does that DOB get to the end point internet based services, there is no standardized API like HTML within these laws.
So yeah, so every OS has it saved in a different location and now every application that needs it now needs to add in a IF THEN ELSE ELSE ELSE ELSE ... clause depending on the OS of the device. And what happens when it comes across Devuan...can you then no longer use that remote service to download stuff.
On top of this, someone needs to tag every app or using the exception rule, every app that is considered child inappropriate...who does this work...is their some government censor that does this?.
Sure some of the standard apps stores (apple/android) might be some of the way to this tagging but what of the LInux app stores. What of all the Linux apps that aren't in what is considered a "store" where you download the source and compile or off the beaten track OS'es like OpenIndiana?
Logic would say (not that politicians have logic) that kids run IOS or Android cause that's what runs on phones and that's where all the apps are. Maybe some kids run Windows on a tablet but sure as hell, kids are not running Linux on a phone (cause no apps) nor running Linux on a tablet or a PC (no apps).
So target the OS'es that 99.9% of the kids use and leave Linux, BSD etc alone.
Bluck
Yep, either target the app store, the app owners (looking at you, Facebook), or teach parents to assume some sort of parental responsibility!
I mean, let's take this to its logical conclusion:
All beaches closed off - gates available that allow those over a certain age access to the water.
The same for pavements and roads - it's bloody dangerous for a 2 year old to be walking down a pavement of a busy road on their own. Don't blame the parents! Fence off ALL roads, and close those that don't comply!
Obviously, ALL kettles, ovens, and hobs need this built in too - safety conscious parents adding childproof controls is just not good enough. EVERY kettle, oven and hob EVERYWHERE needs age verification!
Front seat car doors? Ditto.
The list goes on. And "if you don't agree, you must be a paedo."
Probably because is_adult() requires the subtraction of DoB from the current time, which is a complicated operation including calendar oddities and timezones. The "adult" age might vary with country, and purpose of asking (e.g. "wants to marry", "wants to drive a car", "wants to drink alcohol").
dob_check() presumably just provides a date, which the requesting code can then use as it wants.
> Probably because is_adult() requires the subtraction of DoB from the current time, which is a complicated operation including calendar oddities and timezones. The "adult" age might vary with country, and purpose of asking (e.g. "wants to marry", "wants to drive a car", "wants to drink alcohol").
dob_check() presumably just provides a date, which the requesting code can then use as it wants.
That requires the requesting code to be familiar with the laws of every situation in every country.
Yes, at least the countries in which it's expected to operate and the laws applying to them. If I was told to implement age verification, I would want to do as little of that as possible since I don't want to be the one at fault when someone changes the law. Much better for that to be someone else's problem, which it is if I give the age data and let someone else decide what consequences that's supposed to have. Since I care about user privacy, I still prefer the option where the user's age is the user's business and if some software wants to know it, it's that software that can go about finding it out.
So you're suggesting projects should enforce foreign law, carrying out the wishes of politicians who govern places where they don't live and they don't operate? Should they enforce policies which their own elected leaders believe are harmful and don't support? Should they be part of a control structure which their own nation believes violates human rights?
Should the Tor Project attempt to block users from China?
After we're done age gating, should software also come with a signed manifest of where it's legal and where it's not? What about websites? Should I block Chinese users if my site expresses opinions about Tiananmen Square or contains depictions of Winnie-the-Pooh?
There's a bedrock principle in play here. Free software should come down on the side of...freedom.
No, I am not suggesting that. I am saying that code which chooses to care about following laws would need to include checks for those laws they care about. The alternative of having a system component try to do that for them is equally invasive and more disruptive. Any project needs to decide what they're going to do with laws like this. It wouldn't be difficult for everyone to decide that they're going to ignore California's law. That's quite easy for everyone who doesn't live in California, though anyone inside California has to make the hard decision of whether to break that law or stop contributing. If, however, they decide they are not willing to ignore that law, then my original comments about where I'd put the code whose existence is already an axiom apply.
"That requires the requesting code to be familiar with the laws of every situation in every country."
Those promoting the laws will tell you that it only needs to act in their country which shouldn't be anything more than a minor problem. i doubt some of them could find another country on a map if it had a saucer-sized pin stuck in it.
The app store would send an additional field with the age, filtering would be done by the app store program on the computer (e.g. Linux Mint Software Manager).
MS and Apple certainly aren't rewriting each binary in the OS so it checks the age or messing around with WinGet to comply with the law, so why should Linux distros?
"How does that DOB get to the end point internet based services, there is no standardized API like HTML within these laws."
The requirement would for the OS to provide a standard API.
As fro Devuan, the answer there is simple. As a Devuan user I primarily use the Devuan repository. For anything alse, do you think the FOSS community is going to go along with implementing this on any other download mirrors? Really????
Linux is open source. Patches that make the system reply to an age query with "going on 99" will be trivial and popular.
We got here because workable policies that protect kids would cost sites like YouTube, Facebook, TikTok, Instagram, and all the porn sites way too much money. To protect kids from harmful contents these sites need to be liable for the damage and be forced to use strong identity for each user. Anything else is just politicians "doing something" about the problem.
> We got here because workable policies that protect kids would cost sites like YouTube, Facebook, TikTok, Instagram, and all the porn sites way too much money.
We got here because involved and attentive parenting would cost parents too much time they could have spent on sites like YouTube, Facebook, TikTok, Instagram, and all the porn sites.
these sites need to be liable for the damage and be forced to use strong identity for each user
The problem with that is that it hurts others. Examples of people who need there to not be "strong identity" include :
* People under repressive regimes who hold views not acceptable to that regime - which is rapidly looking like it includes the USA !
* People who are trying to stay alive when certain medical options are forbidden by law - think women forbidden from getting an abortion even though not doing so risks them dying
* People trying to get away from abusive relationships
* Whistleblowers
* and a few others that don't come to mind right now
Also, anything workable means handing over personal information to people who have no need to know it. Would you, for example, be happy to use an age verification scheme run by ... perhaps Palantir, as long as they pinky swear they won't use your information for anything other than age verification ? And even if the service is run by honest people, thing how many data breaches there have been lately ?
And then there's scope for government scope creep - it's age verification for porn sites today, what does it cover tomorrow ?
it's age verification for porn sites today, what does it cover tomorrow
Well, since everyone dumped their period tracking apps due to fear about the data ending up with the government in Red states. Maybe systemd should add another date to the user file to track that while they are at it.
BC handy for those that identify as the Messiah*, as I'm sure a lot of teh people behind the PITA that is sytsemd must have a bit of a Messiah complex
* like all things religious lots of arguments - is it 1 AD is it a few years BC**
** I'm an atheist so I don't care (though do get depressed that to some degree zealous religious belief is making WW3 more likely )
People are really overstating this. All this does is add a data field into a list of dozens of other entirely optional data fields. If you have a systemd-based distro then you already had an operating system with a data field to store your name, email and location. Those fields are all empty and you can fill them with whatever you want.
If you really think these laws will go away because you puff out your cheeks and cross your arms then you don't know anything about the real world. They're just trying to comply with the law in the most minimal way permissible.
You fail to recognise the rest of the world does not want their sh!te ... period. If systemd wants to appease the clowns they call politicians in the US, fine make a 'Cali' edition, but leave the rest of us out of their supposed 'moral' thin edge of the wedge data grab Bullshit crusade.
Lets see them lead by example, I'll believe it when the force Larry Lawnmower push that into Solaris ... until then it's just US Domestic right wing nut job sophistry .. and should be confined as such.
That's not what this is doing. Is anyone going to read the actual thing? It's just a data field. If you're unfortunate enough to live within one of these jurisdictions you enter any date into that field, if you're not you don't. Also, these attestation laws aren't about access to the operating system, they're about passing age attestation to applications that request it.
No, it's not. It is a field with nothing attached to it. The dangerous stuff will be the stuff built to attach to it. If something forces you to enter something in that field, that will be a lot more damaging. If something makes it possible for a website to read that field, that will be a lot more damaging. Systemd has not done either of those things. The law would likely require people to do them, though I wouldn't be surprised if they don't enforce it too much, but that code would be elsewhere, for my examples in the distributions' installers and in web browsers respectively.
Yes, if the DoB field is later used to implement restrictions on installing or what webpages you can browse (for example, Wikipedia) and it's not possible to trivially change the DoB field to one that allows unrestricted installing or access, or if removing that field from the software is prevented, that is not free software.
systemd was already no longer free software since a while ago, considering systemd is slop-developed now, with the copy-pasting of random code in disregard of the license via a LLM.
But, yer 'ono(u)r, I'm technically inclined ... I have never used systemd, nor flatpack, outside of the testing lab. Where I found both to be quite lacking, and thus not usable for my purposes.
With that said, I have personally spoken with my elected representatives on this subject, and pointed out it's myriad flaws. Two of them tried to argue with me ("think of the children!"), but eventually calmed down enough to listen. Both tentatively agreed by the time we hung up. Gawd/ess only knows if I did any good, but at least I tried. Have you?
Yes, I know, those of you who have representation who have been forbidden by the Speaker to talk to their constituents might have problems emulating this ... I rather suspect that you lot need to take a more long-range look at issues, and vote accordingly.
I hate "teams" in politics. You aren't meant to cheer on one side no matter what.
Do they actually blindly think "he's our guy, he must be good" or do they literally vote for someone they don't like? No wonder things are so bad when they don't even have to pretend to hold the citizens interest.
Republicans were discouraged by their leadership (IE Speaker of the House) from having town halls last fall because there are a lot of upset citizens. The GOP leadership didn't want the news cycles of ugly town halls during the election. I doubt things have improved much with ICE murdering people in Minneapolis, or the current long lines at airport TSA checkpoints. I'd go look up some news stories, they shouldn't be hard to find, but I suspect you've already made up your mind so I won't waste my time.
How ironic it is that systemd has folded to the pressure like a cheap lawn chair, not unlike many of the lawfirms and universities folded to pressure from the orange goon and his pressure campaign. Puts the systemd/init script debate in a whole new light. Meta has an issue and now the Linux community suffers. Something doesn't add up there.
At least there is some justice in New Mexico where a jury returned a $375,000,000.00 verdict against Meta for child-endangerment and its failure to warn or make safe.
So what now, you go to install Linux but can't access a shell without entering root's birthday on first boot? Will 11/11/11 work?
I can't stand the orange goon just as much as anyone, but let's just bear in mind that these particular age bills have come from the blue side (as has 3D printing attestation). It seems that a lot of people don't realise that neither party is your friend and it all comes together to build a very ugly picture.
I have some news that may surprise you. There are places that are not in the US and many of us live in them. Even more surprising: blue and red don't necessarily have the same connotations here. We see it as just ill-informed politicians' crap, and not even the usual category of ill-informed US politicians' crap.
"We are sure that Meta would never consider passing the buck on the important subject of protecting children online"
I concur… Meta would not pause for a single klepto quecto·second before expediting that pail… well… beyond the pale.
I've never looked at systemd code before but I thought I'd have a quick look at the changes for this:
https://github.com/dylanmtaylor/systemd/blob/acb6624fa19ddd68f9433fb0838db119fe18c3ed/src/shared/user-record.h#L271
It's a struct tm......
And this has gone through review and found it's way in to the codebase. The enshitification of Unix continues.
For those not in the know a struct tm has a time component plus: day in year; week in year and isdst and timezone offsets.
The code uses Some special year value to determine "not set".
If one were writing proper code it would be just year, month, day and possibly a is-set property.
To be clear this is internal systemd code - I haven't looked at how they store it or expose it via any interfaces but it just points to sloppy implementation to have this sort of data modelling in your codebase.
For those bemoaning that Systemd devs or any other FOSS software are implementing a facility to record ages of user, they are just trying to get ahead on what the law says they will have to do. And just like any laws you might not like it, but if you don't follow it then there will be legal repercussions. And its the politicians that vote to implement these ill thought out laws that you need to direct your ire towards.
I don't think ages checks are going to go away anytime soon, Australia and the UK already have them, and its not just California that is bringing them in the US its also a bunch of other states proposing they have similar laws so the devs are just preparing to be able to comply with what they maybe legally be obliged to do across the whole world. So I can see why it would make sense to record the DOB then let an API extract out an age range or provide a token to say this user is over or under 18 than record several different bits of info for different jurisdictions.
I predict that the way things are going within the next decade there will be more countries and states requiring some sort of age checks than those that don't. And while i don't like where things are going with age checks, if it is going to become widely adopted then I prefer the option of setting my age once at the OS level and an API that tells any website or app that i am 18+. Than the individual age verification checks we currently have in the UK, which needs to be done for every different app or service and often that personal info is getting sent off to 3rd parties.
I don't think ages checks are going to go away anytime soon, Australia and the UK already have them, and its not just California that is bringing them in the US
The way I see it is that California has proposed a more relaxed form of age attestation which leaks less identity information than others require.
And, for all their efforts to reduce exposure of identity information, they are being told to fuck off.
If you don't want lax age attestation you are going to have to endure rigorous age verification which means handing over identity exposing information.
I really don't understand why anyone would choose to have the latter, how providing no identifying information is seen as more evil than providing it.
> And, for all their efforts to reduce exposure of identity information, they are being told to fuck off.
Or how about not exposing identity information, period?
> If you don't want lax age attestation you are going to have to endure rigorous age verification which means handing over identity exposing information.
I won't be. Easy enough to get around.
If you don't want lax age attestation you are going to have to endure rigorous age verification which means handing over identity exposing information.
I really don't understand why anyone would choose to have the latter, how providing no identifying information is seen as more evil than providing it.
I don't need ANY age verification. If I had young children, I still wouldn't need it because I would know their age already. I would control what they have access to.
Here is a big difference in age verification at the device and age verification at the site; if I don't want to verify my age to Meta or Discord, I can choose to not use their platforms. If I am forced to verify at the device and choose to not participate, I can no longer use a cell phone, tablet, or computer. That would mean I would no longer be a member of society and couldn't access government services. It would be difficult to access banking or pay bills as well.
That becomes forced compliance. In the US we had that already, it's called RealID. It was supposed to be the One ID That Rules Them All. All we had to do is show extra documentation when we got our state ID. Oh, and states had to send all our personal info to the Feds. Even Red states balked at the Federal overreach, waiting until the last minute to change over. They told us if we didn't go to RealID we could no longer board aircraft. Now, with the SAVE act RealID is no longer sufficient, we'll need additional info or a valid passport to register to vote. This is how the world works. You are naïve if you think California's verification law is the end of it.
"they are just trying to get ahead on what the law says they will have to do"
Which law? Those already passed, those in the legislatures or those yet to come? (Echoes of Scrooge's Christmases are not inappropriate.) In what jurisdictions? Why should our OSes be controlled by the political machinations of what looks increasingly like a failed state?
"Australia and the UK already have them"
I don't know about Oz. The UK law applies to web sites not OSes so on the one hand it's a smaller scope but on the other it calls for verification so is far, far more intrusive. Be careful what you wish for - you might get it.
California did recently pass an Assembly Bill to retroactively protect gender identity change information disclosure. Perhaps Linux distributions should make the new user enrollment form have a checkbox "I identify as 18 years or older" ?
(I'm trying to be snarky here.) The whole idea of adding a DOB field into user accounts is IMNSHO stupid.
Everyone write to ubuntu stating you WILL change distribution if they implement this.
The moderators on the Ubuntu forums are Fascist bully boys who delete any comment regarding how these changes should NOT be in the distribution.
There is too much yankie fascists taking control of open source and destroying free speech.
This has NOTHING to do with protecting children. It is the exact opposite.
It it ti do with the pedophile elite wanting to avoid scrutiny.
